Inter-AS VPN solutions exist to connect a customer's sites that sit in different ASes, i.e. to let the customer's VPN routes be carried between two ASes. RFC 4364 describes three solutions, which I will cover one by one in the following articles. This article covers the first of them, Option A. In this solution the ASBRs of the two ASes use a dedicated interface to exchange routing information, which is why it is also called VRF-to-VRF.
Before we begin
The configuration steps are as follows:
- Configure IP addresses and VRFs
- Configure the IGP (IS-IS) in both ASes
- Configure the label distribution protocol (LDP) within each AS
- Configure the BGP neighbors between CE and PE, and between PE and ASBR
- Configure mutual route redistribution between the ASBRs
- Verify connectivity
Configure IP addresses and VRFs
```
R1:
interface Loopback0
 ipv4 address 10.1.1.1 255.255.255.255
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.12.1 255.255.255.0
```
```
R2:
vrf VIP
 address-family ipv4 unicast
  import route-target
   100:100
  export route-target
   100:100
interface Loopback0
 ipv4 address 10.1.2.2 255.255.255.255
interface GigabitEthernet0/0/0/0
 vrf VIP
 ipv4 address 10.1.12.2 255.255.255.0
interface GigabitEthernet0/0/0/1
 ipv4 address 10.1.23.2 255.255.255.0
```
```
R3:
interface Loopback0
 ipv4 address 10.1.3.3 255.255.255.255
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.34.3 255.255.255.0
interface GigabitEthernet0/0/0/1
 ipv4 address 10.1.23.3 255.255.255.0
```
```
R4:
vrf VIP
 address-family ipv4 unicast
  import route-target
   100:100
  export route-target
   100:100
interface Loopback0
 ipv4 address 10.1.4.4 255.255.255.255
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.34.4 255.255.255.0
interface GigabitEthernet0/0/0/1 <<< this is the dedicated ASBR interface mentioned above
 vrf VIP
 ipv4 address 10.1.45.4 255.255.255.0
```
```
R5:
vrf VIP
 address-family ipv4 unicast
  import route-target
   100:100
  export route-target
   100:100
interface Loopback0
 ipv4 address 10.1.5.5 255.255.255.255
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.56.5 255.255.255.0
interface GigabitEthernet0/0/0/1
 vrf VIP
 ipv4 address 10.1.45.5 255.255.255.0
```
```
R6:
interface Loopback0
 ipv4 address 10.1.6.6 255.255.255.255
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.56.6 255.255.255.0
interface GigabitEthernet0/0/0/1
 ipv4 address 10.1.67.6 255.255.255.0
```
```
R7:
vrf VIP
 address-family ipv4 unicast
  import route-target
   100:100
  export route-target
   100:100
interface Loopback0
 ipv4 address 10.1.7.7 255.255.255.255
interface GigabitEthernet0/0/0/0
 vrf VIP
 ipv4 address 10.1.78.7 255.255.255.0
interface GigabitEthernet0/0/0/1
 ipv4 address 10.1.67.7 255.255.255.0
```
```
R8:
interface Loopback0
 ipv4 address 10.1.8.8 255.255.255.255
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.78.8 255.255.255.0
```
Configure the IGP (IS-IS) in both ASes
```
R2:
router isis 1
 is-type level-2-only
 net 49.0000.0000.0000.0001.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
  !
```
```
R3:
router isis 1
 is-type level-2-only
 net 49.0000.0000.0000.0002.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
  !
 !
!
```
```
R4:
router isis 1
 is-type level-2-only
 net 49.0000.0000.0000.0004.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
  !
 !
!
```
```
R5:
router isis 1
 is-type level-2-only
 net 49.0001.0000.0000.0005.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
  !
 !
!
```
```
R6:
router isis 1
 is-type level-2-only
 net 49.0001.0000.0000.0006.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
  !
 !
!
```
```
R7:
router isis 1
 is-type level-2-only
 net 49.0001.0000.0000.0007.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
  !
 !
!
```
Configure the label distribution protocol (LDP) within each AS
```
R2:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.2.2
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/1
 !
!
```
```
R3:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.3.3
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/0
 !
 interface GigabitEthernet0/0/0/1
 !
!
```
```
R4:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.4.4
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/0
 !
!
```
```
R5:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.5.5
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/0
 !
!
```
```
R6:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.6.6
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/0
 !
 interface GigabitEthernet0/0/0/1
 !
!
```
```
R7:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.7.7
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/1
 !
!
```
Configure the BGP neighbors between CE and PE, and between PE and ASBR
One thing to know in advance: in IOS XR, IBGP works without a route-policy, but EBGP requires a route-policy in both the inbound and outbound directions, even if the policy consists of the single keyword pass. Without an inbound policy, updates received from the peer are dropped; without an outbound policy, no updates are advertised.
```
R1:
route-policy EBGP_PASS
  pass
end-policy
!
router bgp 65000
 bgp router-id 10.1.1.1
 address-family ipv4 unicast
  network 10.1.1.1/32
 !
 neighbor 10.1.12.2
  remote-as 1
  address-family ipv4 unicast
   route-policy EBGP_PASS in
   route-policy EBGP_PASS out
  !
 !
!
```
```
R2:
router bgp 1
 bgp router-id 10.1.2.2
 address-family vpnv4 unicast
 !
 neighbor 10.1.4.4
  remote-as 1
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
  !
 !
 vrf VIP
  rd auto
  address-family ipv4 unicast
  !
  neighbor 10.1.12.1
   remote-as 65000
   address-family ipv4 unicast
    route-policy EBGP_PASS in
    route-policy EBGP_PASS out
   !
  !
 !
!
```
```
R4:
router bgp 1
 bgp router-id 10.1.4.4
 address-family vpnv4 unicast
 !
 neighbor 10.1.2.2
  remote-as 1
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
  !
 !
 vrf VIP <<< the VRF is configured so that the received VPNv4 routes are installed in the routing table; otherwise they would only be visible in the BGP table
  rd auto
  address-family ipv4 unicast
  !
 !
!
```
```
R5:
router bgp 2
 bgp router-id 10.1.5.5
 address-family vpnv4 unicast
 !
 neighbor 10.1.7.7
  remote-as 2
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
  !
 !
 vrf VIP
  rd auto
  address-family ipv4 unicast
  !
 !
!
```
```
R7:
router bgp 2
 bgp router-id 10.1.7.7
 address-family vpnv4 unicast
 !
 neighbor 10.1.5.5
  remote-as 2
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
  !
 !
 vrf VIP
  rd auto
  address-family ipv4 unicast
  !
  neighbor 10.1.78.8
   remote-as 65001
   address-family ipv4 unicast
    route-policy EBGP_PASS in
    route-policy EBGP_PASS out
   !
  !
 !
!
```
```
R8:
router bgp 65001
 bgp router-id 10.1.8.8
 address-family ipv4 unicast
  network 10.1.8.8/32
 !
 neighbor 10.1.78.7
  remote-as 2
  address-family ipv4 unicast
   route-policy EBGP_PASS in
   route-policy EBGP_PASS out
  !
 !
!
```
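Because IOS XR silently drops or withholds updates on an EBGP session that has no route-policy, it is worth checking configs for that condition before blaming the peer. As an added example (not from the original post, and not Cisco code), the Python below parses an IOS XR `router bgp` block and reports EBGP neighbors lacking an inbound or outbound route-policy; the sample is constructed from R2 above plus an assumed neighbor 10.1.12.9 that deliberately lacks the outbound policy, and the parser assumes `route-policy ... in|out` lines appear only under neighbor blocks.

```python
# Added example (not the page's or Cisco's code): audit an IOS XR "router bgp"
# block for EBGP neighbors that lack an inbound or outbound route-policy (IOS XR
# then drops received updates / sends none). Sample: R2 plus an assumed neighbor.
SAMPLE = """\
router bgp 1
 neighbor 10.1.4.4
  remote-as 1
 !
 vrf VIP
  neighbor 10.1.12.1
   remote-as 65000
   address-family ipv4 unicast
    route-policy EBGP_PASS in
    route-policy EBGP_PASS out
   !
  !
  neighbor 10.1.12.9
   remote-as 65009
   address-family ipv4 unicast
    route-policy EBGP_PASS in
   !
  !
 !
!
"""

def parse_neighbors(config):
    """One dict per neighbor: vrf, peer, ebgp flag, policy directions seen."""
    out, local_as, vrf, cur = [], None, None, None
    for raw in config.splitlines():
        indent, line = len(raw) - len(raw.lstrip()), raw.strip()
        if line.startswith("router bgp "):
            local_as, vrf, cur = int(line.split()[2]), None, None
        elif line.startswith("vrf ") and indent == 1:    # VRF scope in router bgp
            vrf, cur = line.split()[1], None
        elif line.startswith("neighbor ") and local_as is not None:
            cur = {"vrf": vrf, "peer": line.split()[1], "ebgp": None, "policies": set()}
            out.append(cur)
        elif cur is not None and line.startswith("remote-as "):
            cur["ebgp"] = int(line.split()[1]) != local_as
        elif cur is not None and line.startswith("route-policy "):
            cur["policies"].add(line.split()[-1])       # "in" or "out"
    return out

def missing_ebgp_policies(config):
    """(vrf, peer, missing directions) for each EBGP neighbor lacking a policy."""
    return [(n["vrf"], n["peer"], sorted({"in", "out"} - n["policies"]))
            for n in parse_neighbors(config)
            if n["ebgp"] and {"in", "out"} - n["policies"]]
```

Running `missing_ebgp_policies(SAMPLE)` reports only the VRF VIP neighbor 10.1.12.9 with `out` missing; the IBGP neighbor 10.1.4.4 is skipped because it needs no policy.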
Configure mutual route redistribution between the ASBRs
```
R4:
router ospf VIP
 vrf VIP
  capability vrf-lite
  redistribute bgp 1
  area 0
   interface GigabitEthernet0/0/0/1
   !
  !
 !
!
router bgp 1
 vrf VIP
  rd auto
  address-family ipv4 unicast
   redistribute ospf VIP
  !
 !
!
```
```
R5:
router ospf VIP
 vrf VIP
  capability vrf-lite
  redistribute bgp 2
  area 0
   interface GigabitEthernet0/0/0/1
   !
  !
 !
!
router bgp 2
 vrf VIP
  rd auto
  address-family ipv4 unicast
   redistribute ospf VIP
  !
 !
!
```
Verify connectivity
```
RP/0/0/CPU0:R1#traceroute 10.1.8.8 source 10.1.1.1
Mon Jun 24 01:24:28.393 UTC
Type escape sequence to abort.
Tracing the route to 10.1.8.8
 1 10.1.12.2 0 msec 0 msec 0 msec
 2 10.1.23.3 [MPLS: Labels 24001/24002 Exp 0] 9 msec 19 msec 9 msec
 3 10.1.34.4 [MPLS: Label 24002 Exp 0] 19 msec 19 msec 9 msec
 4 10.1.45.5 9 msec 9 msec 9 msec
 5 10.1.56.6 [MPLS: Labels 24000/24002 Exp 0] 29 msec 19 msec 29 msec
 6 10.1.67.7 [MPLS: Label 24002 Exp 0] 29 msec 19 msec 29 msec
 7 10.1.78.8 29 msec * 19 msec
RP/0/0/CPU0:R1#
```
Q&A
Why is the command "capability vrf-lite" needed?
Its main purpose is to let the received routes be installed in the routing table. The reasoning is as follows: to R5, R4 is a PE device, and when a PE advertises Type 3, 5 or 7 LSAs to the remote CE it sets the DN bit in them, as shown below. A CE that receives an LSA with the DN bit set does not install it in its routing table; this is meant to prevent routing loops. In this scenario, therefore, the command keeps the DN bit from being generated, so the received routes can be installed.
```
RP/0/0/CPU0:R4#show ospf vrf VIP database external
Sat Jun 22 13:53:37.752 UTC
OSPF Router with ID (10.1.4.4) (Process ID VIP, VRF VIP)
Type-5 AS External Link States
LS age: 28
Options: (No TOS-capability, DC, DN)
LS Type: AS External Link
Link State ID: 10.1.1.1 (External Network Number)
Advertising Router: 10.1.4.4
LS Seq Number: 80000004
Checksum: 0xaf8e
Length: 36
Network Mask: /32
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1
Forward Address: 0.0.0.0
External Route Tag: 3489660929
```
Configuration files:
https://mega.nz/#F!xKg1VSJQ!MOGudG5349kecCxBY52LRA