基于MPLS的VPN网络设计

基于MPLS的VPN网络设计基于MPLS的VPN网络设计基于MPLS的VPN网络设计摘要采用MPLS技术组建的IP主干网对VPN有着有力的支持,MPLS技术可以在二、三层上实现VPN，但两种方法各有优缺点.文中描述了MPLS隧道技术的主要思想，分析了基于MPLS技术的二、三层VPN工作机制，比`较了MPLS二、三层VPN的工作特点．提出了要根据VPN网络设计性能和目标。合理选择基于MPLS技术的VPN方案组建所需要的VPN。关键词：MPLS；隧道技术；二层VPN；三层VPN

AbstractIPbackbonenetworkbasedonMPLSprovidesapowerfulbackingforVPN．ThoughaVPNcouldbesetupinlayer2orlayer3，therealeadvantagesanddisadvantagesforboth。DescribesthemainideaofMPLStunneltechnology．AnalyzesthemechaIlismoflayer2andlayer3VPNbasedonMPLS．Comparesthecharacteristicswhichalepossesdbyhyer2andhyer3VPN．ProposesthatonthebasisofthepropertyandtargetofnetworkdesignaplanmaybereasonablychoosedtocornstructtheMPLSVPNneededbycustomers．KeyWords：MPLS；tunneltechnology；layer2VPN;layer3VPN目录TOC\o"1-3”\h\z\u1。可行性分析 5HYPERLINK\l”_Toc420308214”1.1需求分析 5HYPERLINK\l”_Toc420308215”1。2经济可行分析 6HYPERLINK\l”_Toc420308216"2.MPLS网络架构设计与关键技术研究 7_Toc420308218”2.3网络设计拓扑 8HYPERLINK\l”_Toc420308219"2.4MPLS 9HYPERLINK\l”_Toc420308220”2。4.1MPLS架构中的设备分类 10HYPERLINK\l”_Toc420308221”LSR: 10LER： 10ATM-LSR： 11HYPERLINK\l”_Toc420308224”ATM-LER： 11HYPERLINK\l”_Toc420308225"FEC： 11LSP： 11HYPERLINK\l”_Toc420308228"2.4.2MPLS标签栈头部 11_Toc420308230"2.4。4标签的绑定与分发 13HYPERLINK\l”_Toc420308231”2.4。5倒数第二跳弹出(PHP,PenultimateHopPopping) 14HYPERLINK\l”_Toc420308232"2。5VRF 152.6RT 15_Toc420308236”2.9MP-BGP 172.9.1RR 18HYPERLINK\l”_Toc420308238"2。9。2Cluster-id 18_Toc420308241"2.12RIP 21HYPERLINK\l”_Toc420308242”3MPLS网络配置与实现 22HYPERLINK\l”_Toc420308243”3.1IP地址规划 22HYPERLINK\l”_Toc420308244"3.2PE—CE运行OSPF 24HYPERLINK\l”_Toc420308245"3。3PE—CE运行RIP 253.4PE—CE运行EIGRP 26HYPERLINK\l”_Toc420308247"3.6配置核心网MPLS 27HYPERLINK\l”_Toc420308248"3.7配置BGPVPNV4 283.8配置VRF 33HYPERLINK\l”_Toc420308250”3。9.配置L2VPNEompls 34HYPERLINK\l”_Toc420308251"3。10路由过滤 35HYPERLINK\l”_Toc420308252"4MPLSVPN网络测试 37HYPERLINK\l”_Toc420308253"4。1三层VPN连通性测试 37HYPERLINK\l”_Toc420308254”4。2二层VPN连通性性测试 38HYPERLINK\l”_Toc420308255"结论 39HYPERLINK\l”_Toc420308256"致谢 40的协议.这时候只需要邻居之间交换Hello数据包称为Keepalive,并且每个30min重传一次LSA，如果网络拓扑稳定，那么网络中将不会有什么活动或行为发生。2。12RIPRIP协议的处理是通过UDP520端口操作的.所有RIP消息都被封装在UDP用户数据包协议中，源和目的端口字段的值被设置为520。RIP定义了两种消息类型：请求消息（requestmessages）和（responsemessages）响应消息。请求消息用来向邻居路由器发送一个更新，响应消息用来传递路由更新。RIP的度量是基于“跳"数（hopcount）的，1跳表示是与发出通告的路由器相直连的网络，16跳表示不可达。开始时，RIP从每个启用RIP协议的接口广播带有请求消息的数据包。接着，RIP程序进入一个循环状态，不断地侦听来自其他路由器的RIP请求消息或响应消息，而接收请求的邻居路由器则回送包含它们的路由表的响应信息。当发出请求的路由器接收到响应信息时，它将开始处理附加在响应消息中的路由更新信息。如果路由更新中的路由条目是新的,路由器则将新的路由连通通告路由器的地址一起加入到自己的路由表中，这里通告路由器的地址可以从更新数据包的源地址字段读取.如果网络的RIP路由已经在路由表中，那么只有在新的路由拥有更小的跳数时才能替换原来存在的下一跳路由器，那么该路由更新通告的跳数大于路由表记录的跳数,并且更新来自于记录条目的下一跳路由器，那么该路由将在一个指定的抑制时间段（holddownperoiod）内被标记为不可达.如果抑制时间超时后，同一台邻居路由器仍然通告这个有较大条数的路由，路由器则接受该路由新的度量值。3MPLS网络配置与实现3.1IP地址规划设备名接口号IP地址R1FastEthernet0/013。13.13.1/24R1FastEthernet1/014.14.14.1/24R1FastEthernet2/015.15。15.1/24R1FastEthernet3/016。16.16.1/24R1Loopback11。1。1。1/32R2FastEthernet0/024。24。24。2/24R2FastEthernet1/023。23.23。2/24R2FastEthernet2/025。25.25.2/24R2FastEthernet3/026。26。26.2/24R2Loopback12.2。2.2/32R3FastEthernet0/013。13.13。3/24R3FastEthernet1/023.23。23.3/24R3FastEthernet2/0100.0。0。2/30R3Loopback13.3。3。3/32R4FastEthernet0/014.14.14.4/24R4FastEthernet1/024.24.24。4/24R4FastEthernet2/0104。0。0。2/30R4Loopback14.4。4.4/32R5FastEthernet0/015。15。15.5/24R5FastEthernet1/025。25。25.5/24R5FastEthernet2/0102.0.0.2/30R5Loopback15。5.5.5/32R6FastEthernet0/026。26.26。6/24R6FastEthernet1/016.16.16。6/24R6Loopback16.6.6。6/32R7FastEthernet0/0172.16.1.2/24R7Loopback17.7.7.7/32R8FastEthernet0/0100.0.0.1/30R8Loopback18.8.8。8/32R8Loopback100172.16。1.1/12R9FastEthernet0/0102.0.0。1/30R9Loopback19.9.9。9/32R9Loopback10010。1。1.1/8R10FastEthernet0/0172.16.1.1/24R10Loopback110。10。10。10/32R11FastEthernet0/0104.0.0。1/30R11Loopback111。11.11。11/32R11Loopback100192。168.1.1/243。2PE—CE运行OSPF如图3—1所示R5上输入命令routerospf101vrfvpn1log—adjacency—changesredistributebgp100metric10subnetsnetwork102.0.0。20.0.0。0area1R9上输入命令routerospf101log-adjacency-changesnetwork10。1。1.10.0。0。0area1network102。0。0.10。0。0.0area13。3PE-CE运行RIP如图3-2所示R4输入命令routerripversion2noauto—summary!address—familyipv4vrfvpn1redistributebgp100metric5network104。0.0。0noauto-summaryexit—address—familyR11输入命令routerripversion2network104。0.0.0network192。168.1.0noauto—summary3。4PE—CE运行EIGRP如图3-3所示R3输入命令routereigrp100auto-summary!address—familyipv4vrfvpn1redistributebgp100metric1000010025511500network100。0。0。20。0。0。0auto-summaryautonomous-system100exit—address-familyR8输入命令routereigrp100network100.0.0。10.0。0.0network172.16.1。10。0。0.0noauto-summary3.6配置核心网MPLS如图3-4所示在核心网路由器R1、R2、R3、R4、R5、R6输入命令ipcefmplsipmplslabelprotocolldpmplsldprouter-idloop1mplslabelrange［〈16—1048575〉Minimumlabelvalue]（）在所有内部接口输入mplsip3.7配置BGPVPNV4R1输入命令routerbgp100bgprouter-id1.1.1。1nobgpdefaultipv4—unicastbgpcluster—id12。12.12.12bgplog-neighbor-changesneighbor3。3.3.3remote—as100neighbor3。3.3。3passwordcisconeighbor3。3.3.3update-sourceLoopback1neighbor4。4。4.4remote-as100neighbor4。4.4.4passwordcisconeighbor4。4。4。4update-sourceLoopback1neighbor5。5.5。5remote—as100neighbor5.5.5.5passwordcisconeighbor5。5。5.5update—sourceLoopback1neighbor6。6.6。6remote—as100neighbor6.6.6.6passwordcisconeighbor6.6.6。6update—sourceLoopback1!address-familyvpnv4neighbor3。3。3.3activateneighbor3.3。3。3send—communityextendedneighbor3。3.3。3route-reflector—clientneighbor4。4。4.4activateneighbor4.4.4。4send—communityextendedneighbor4。4。4。4route—reflector—clientneighbor5。5.5.5activateneighbor5。5。5。5send—communityextendedneighbor5.5.5。5route-reflector—clientneighbor6。6。6.6activateneighbor6。6。6。6send-communityextendedneighbor6。6。6.6route—reflector-clientexit-address—familyR2命令输入routerbgp100bgprouter-id2.2。2。2nobgpdefaultipv4-unicastbgpcluster—id12.12.12.12bgplog—neighbor—changesneighborvpnv4peer-groupneighborvpnv4remote-as100neighborvpnv4passwordcisconeighborvpnv4update-sourceLoopback1neighbor3。3.3。3peer—groupvpnv4neighbor4。4.4。4peer—groupvpnv4neighbor5.5。5。5peer—groupvpnv4neighbor6。6。6。6peer-groupvpnv4！address-familyipv4neighborvpnv4route-reflector-clientneighbor3.3。3。3activateneighbor4.4。4。4activateneighbor5。5.5.5activateneighbor6。6。6。6activatenoauto—summarynosynchronizationexit-address—family!address-familyvpnv4neighborvpnv4send-communityextendedneighborvpnv4route—reflector-clientneighbor3。3。3.3activateneighbor4.4。4.4activateneighbor5。5.5。5activateneighbor6.6.6。6activateexit—address—familyR3输入命令routerbgp100bgprouter-id3。3.3.3nobgpdefaultipv4-unicastbgplog—neighbor-changesneighbor1。1.1。1remote—as100neighbor1。1.1.1passwordcisconeighbor1.1。1。1update—sourceLoopback1neighbor2。2。2.2remote—as100neighbor2。2。2。2passwordcisconeighbor2.2。2.2update—sourceLoopback1！address—familyipv4neighbor1。1。1.1activateneighbor1.1.1。1next-hop—selfneighbor2。2。2.2activateneighbor2。2.2。2next—hop-selfnoauto-summarynosynchronizationexit-address-family！address-familyvpnv4neighbor1。1.1.1activateneighbor1.1。1。1send—communityextendedneighbor2。2.2.2activateneighbor2.2。2.2send—communityextendedexit-address—family!address-familyipv4vrfvpn1redistributeeigrp100metric10000route—mapvrf_vpn1nosynchronizationexit—address-familyR4输入命令routerbgp100bgprouter-id4。4.4.4nobgpdefaultipv4-unicastbgplog—neighbor-changesneighbor1.1.1.1remote-as100neighbor1。1。1。1passwordcisconeighbor1。1。1。1update—sourceLoopback1neighbor2.2。2.2remote-as100neighbor2。2。2。2passwordcisconeighbor2.2。2.2update-sourceLoopback1！address-familyipv4nosynchronizationneighbor1。1.1.1activateneighbor2。2.2.2activatenoauto—summaryexit-address-family!address-familyvpnv4neighbor1.1。1。1activateneighbor1.1。1.1send—communityextendedneighbor2。2.2.2activateneighbor2。2.2.2send-communityextendedexit—address—family！address-familyipv4vrfvpn1nosynchronizationredistributeripmetric100route-mapvrf_vpn1exit—address-familyR5输入命令routerbgp100bgprouter—id5。5.5。5nobgpdefaultipv4—unicastbgplog—neighbor-changesneighbor1。1。1.1remote-as100neighbor1.1.1.1passwordcisconeighbor1.1。1.1update—sourceLoopback1neighbor2.2.2。2remote-as100neighbor2。2。2。2passwordcisconeighbor2.2。2。2update-sourceLoopback1！address—familyipv4neighbor1.1.1.1activateneighbor2.2。2。2activatenoauto-summarynosynchronizationexit-address-family!address—familyvpnv4neighbor1.1.1。1activateneighbor1。1.1。1send—communityextendedneighbor2.2。2.2activateneighbor2.2。2。2send-communityextendedexit—address-family！address—familyipv4vrfvpn1redistributeospf101vrfvpn1matchinternalexternal1external2route—mapvrf_vpn1nosynchronizationexit-address-family3.8配置VRF在R3、R4、R5输入ipvrfvpn1rd100:1route-targetexport100：1route-targetimport100:1在连接CE的接口输入命令ipvrfforwardingvpn1(接口与VPN关联）3.9.配置L2VPNEompls如图3-5所示R4输入命令pseudowire—classL2VPN_EoMPLSencapsulationmplsinterfaceFastEthernet2/0noipaddressduplexfullxconnect6.6。6。664pw-classL2VPN_EoMPLSR6输入命令pseudowire—classL2VPN_EoMPLSencapsulationmplsinterfaceFastEthernet2/0noipaddressduplexfullxconnect4。4.4。464pw-classL2VPN_EoMPLSR7输入命令interfaceFastEthernet0/0ipaddress172.16.1。2255。255.255。0duplexautospeedautoR10输入命令interfaceFastEthernet0/0ipaddress172.16。1.1255。255。255.0duplexautospeedauto3.10路由过滤R3输入命令ipaccess—listextendedvrf_vpn1permitip100。0。0。00.0.0。255anyroute-mapvrf_vpn1deny10matchipaddressvrf_vpn1route—mapvrf_vpn1permit20redistributeeigrp100metric10000route—mapvrf_vpn1（在BGPipv4vrfvpn1重分布时调用）R4输入命令ipaccess-listextendedvrf_vpn1permitip192。168.1。00.0。0。255anyroute-mapvrf_vpn1permit10matchipaddressvrf_vpn1redistributeripmetric100route—mapvrf_vpn1（在BGPipv4vrfvpn1重分布时调用)R5输入命令ipaccess-listextendedvrf_vpn1permitip102.0。0。00。0.0。3anyroute-mapvrf_vpn1deny10matchipaddressvrf_vpn1route-mapvrf_vpn1permit20redistributeospf101vrfvpn1matchinternalexternal1external2route-mapvrf_vpn1(在BGPipv4vrfvpn1重分布时调用)

4MPLSVPN网络测试4。1三层VPN连通性测试R8pingR9R8TracerouteR9R8pingR11R8TracerouteR11R9pingR11R9Trace