MPLS Principles and Application Implementation Based on Cisco Technology (Part 2)
This part describes the basic architecture and implementation of a basic MPLS VPN. As before, the MPLS VPN implementation is explained in frame mode.
As shown in the figure below, the virtual router (VRF) appears inside the router's IOS software. A virtual router implemented as a VRF maintains its own routing table and forwarding table, independent of the global routing table, just like a physically separate router. This lets one provider edge router (PE) connect multiple customer edge routers (CE) without complex deployment and maintenance.
The six-router topology below is the environment in which MPLS VPN will be explained and implemented.
OSPF runs between IPS1 and VRF 12 on Border1; multiprotocol BGP VPNv4 (MBGP-VPNv4) runs between Border1 and Border2; OSPF runs between IPS2 and VRF 56 on Border2. LDP/TDP runs on the interfaces between Border1, Core1, Core2 and Border2, and OSPF must also run on those interfaces.
The basic configurations are as follows:
r1#sh run
Building configuration...
Current configuration : 966 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
!
!
interface Loopback0
ip address 10.10.10.10 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Ethernet1/0
ip address 172.16.1.1 255.255.0.0
duplex half
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
router ospf 1
log-adjacency-changes
network 10.10.10.10 0.0.0.0 area 0
network 172.16.1.1 0.0.0.0 area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
r1#
r1#
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
r2#
r2#sh run
Building configuration...
Current configuration : 1860 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip vrf 12
rd 12:12
route-target export 12:12
route-target import 56:56
!
ip cef
mpls label range 200 299
mpls label protocol ldp
tag-switching tdp router-id Loopback1
!
!
interface Loopback0
ip vrf forwarding 12
ip address 20.20.20.20 255.255.255.255
!
interface Loopback1
ip address 22.22.22.22 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Ethernet1/0
ip vrf forwarding 12
ip address 172.16.2.2 255.255.0.0
duplex half
!
interface Ethernet1/1
ip address 10.2.2.2 255.255.255.0
duplex half
tag-switching ip
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
router ospf 2 vrf 12
log-adjacency-changes
redistribute bgp 200 subnets
network 20.20.20.20 0.0.0.0 area 0
network 172.16.2.2 0.0.0.0 area 0
!
router ospf 22
log-adjacency-changes
network 10.2.2.2 0.0.0.0 area 0
network 22.22.22.22 0.0.0.0 area 0
!
router bgp 200
bgp router-id 22.22.22.22
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 50.50.50.50 remote-as 200
neighbor 50.50.50.50 update-source Loopback1
!
address-family vpnv4
neighbor 50.50.50.50 activate
neighbor 50.50.50.50 send-community extended
exit-address-family
!
address-family ipv4 vrf 12
redistribute ospf 2 match internal external 1 external 2
no auto-summary
no synchronization
exit-address-family
!
ip classless
no ip http server
no ip http secure-server
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
r2#
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
r3#
r3#sh run
Building configuration...
Current configuration : 1130 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
mpls label range 300 399
mpls label protocol ldp
tag-switching tdp router-id Loopback0
!
!
interface Loopback0
ip address 30.30.30.30 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Ethernet1/0
no ip address
shutdown
duplex half
!
interface Ethernet1/1
ip address 10.2.2.3 255.255.255.0
duplex half
tag-switching ip
!
interface Ethernet1/2
ip address 10.3.3.3 255.255.255.0
duplex half
tag-switching ip
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
router ospf 3
log-adjacency-changes
network 10.2.2.3 0.0.0.0 area 0
network 10.3.3.3 0.0.0.0 area 0
network 30.30.30.30 0.0.0.0 area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
r3#
r3#
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
r4#
r4#sh run
Building configuration...
Current configuration : 1130 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
mpls label range 400 499
mpls label protocol ldp
tag-switching tdp router-id Loopback0
!
!
interface Loopback0
ip address 40.40.40.40 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Ethernet1/0
no ip address
shutdown
duplex half
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
ip address 10.3.3.4 255.255.255.0
duplex half
tag-switching ip
!
interface Ethernet1/3
ip address 10.4.4.4 255.255.255.0
duplex half
tag-switching ip
!
router ospf 4
log-adjacency-changes
network 10.3.3.4 0.0.0.0 area 0
network 10.4.4.4 0.0.0.0 area 0
network 40.40.40.40 0.0.0.0 area 0
!
ip classless
no ip http server
no ip http secure-server
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
r4#
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
r5#
r5#sh run
Building configuration...
Current configuration : 1860 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip vrf 56
rd 56:56
route-target export 56:56
route-target import 12:12
!
ip cef
mpls label range 500 599
mpls label protocol ldp
tag-switching tdp router-id Loopback0
!
!
interface Loopback0
ip address 50.50.50.50 255.255.255.255
!
interface Loopback1
ip vrf forwarding 56
ip address 55.55.55.55 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Ethernet1/0
ip vrf forwarding 56
ip address 172.17.5.5 255.255.0.0
duplex half
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
ip address 10.4.4.5 255.255.255.0
duplex half
tag-switching ip
!
router ospf 55
log-adjacency-changes
network 10.4.4.5 0.0.0.0 area 0
network 50.50.50.50 0.0.0.0 area 0
!
router ospf 5 vrf 56
log-adjacency-changes
redistribute bgp 200 subnets
network 55.55.55.55 0.0.0.0 area 0
network 172.17.5.5 0.0.0.0 area 0
!
router bgp 200
bgp router-id 50.50.50.50
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 22.22.22.22 remote-as 200
neighbor 22.22.22.22 update-source Loopback0
!
address-family vpnv4
neighbor 22.22.22.22 activate
neighbor 22.22.22.22 send-community extended
exit-address-family
!
address-family ipv4 vrf 56
redistribute ospf 5 match internal external 1 external 2
no auto-summary
no synchronization
exit-address-family
!
ip classless
no ip http server
no ip http secure-server
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
r5#
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
r6#
r6#sh run
Building configuration...
Current configuration : 938 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r6
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
!
interface Loopback0
ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Ethernet1/0
ip address 172.17.6.6 255.255.0.0
duplex half
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
router ospf 6
log-adjacency-changes
network 6.6.6.6 0.0.0.0 area 0
network 172.17.6.6 0.0.0.0 area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
r6#
Let us first focus on the configuration of Border1 (PE1).
(1) VRF configuration
ip vrf 12
rd 12:12
route-target export 12:12
route-target import 56:56
interface Loopback0
ip vrf forwarding 12
ip address 20.20.20.20 255.255.255.255
!
interface Ethernet1/0
ip vrf forwarding 12
ip address 172.16.2.2 255.255.0.0
duplex half
VRF interfaces must also be bound to the VRF. Basic operations must likewise name the VRF, for example sh ip route vrf 12, ping vrf 12 6.6.6.6, sh ip cef vrf 12, and so on.
(2) The concepts of RD and RT
The RD distinguishes identical prefixes that different CEs deliver to PE1. Routes between the PE's VRF and the CE are therefore formed from the RD plus the 32-bit route prefix, so the RD only needs to be locally unique.
The RT has two actions, export and import, and its role is to control the import and export of routes. Export means VRF routes can be exported into the multiprotocol BGP ipv4 vrf address family. Import means routes learned through MBGP-VPNv4 are allowed to be imported into the MBGP-VPNv4 routing table. The RT is an extended attribute carried with the MBGP extended community.
r2#sh ip bgp vpnv4 rd 12:12 10.10.10.10
BGP routing table entry for 12:12:10.10.10.10/32, version 8
Paths: (1 available, best #1, table 12)
Advertised to non peer-group peers:
50.50.50.50
Local
172.16.1.1 from 0.0.0.0 (22.22.22.22)
Origin incomplete, metric 11, localpref 100, weight 32768, valid, sourced, best
Extended Community: RT:12:12 OSPF DOMAIN ID:0x0005:0x000000020200 OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:20.20.20.20:512,
mpls labels in/out 205/nolabel
r2#
r2#sh ip bgp vpnv4 *
BGP table version is 13, local router ID is 22.22.22.22
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 12:12 (default for vrf 12)
*>i6.6.6.6/32 50.50.50.50 11 100 0 ?
*> 10.10.10.10/32 172.16.1.1 11 32768 ?
*> 20.20.20.20/32 0.0.0.0 0 32768 ?
*>i55.55.55.55/32 50.50.50.50 0 100 0 ?
*> 172.16.0.0 0.0.0.0 0 32768 ?
*>i172.17.0.0 50.50.50.50 0 100 0 ?
Route Distinguisher: 56:56
*>i6.6.6.6/32 50.50.50.50 11 100 0 ?
*>i55.55.55.55/32 50.50.50.50 0 100 0 ?
*>i172.17.0.0 50.50.50.50 0 100 0 ?
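To make the RD/RT semantics above concrete, here is an added Python model (not code from the article) of how a PE stamps RD and export RTs on export and how a VRF selects routes on import. The VRF definitions and VPNv4 table are constructed from the r2 and r5 configurations shown on this page; the leaked_prefixes audit helper is an assumption of this example, added to show how a stray route-target import pulls another customer's routes into a VRF.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vrf:
    name: str
    rd: str
    export_rt: frozenset
    import_rt: frozenset

@dataclass(frozen=True)
class VpnRoute:
    rd: str          # route distinguisher stamped by the exporting PE
    prefix: str      # IPv4 prefix learned from the CE
    next_hop: str    # exporting PE's loopback (BGP next hop)
    rts: frozenset   # route-target extended communities

def vpnv4_key(route):
    """RD + IPv4 prefix, the key shown as '12:12:10.10.10.10/32' on the page."""
    return f"{route.rd}:{route.prefix}"

def export_routes(vrf, prefixes, next_hop):
    """On export the PE stamps its VRF's RD and attaches the VRF's export RTs."""
    return [VpnRoute(vrf.rd, p, next_hop, vrf.export_rt) for p in prefixes]

def import_routes(vrf, vpnv4_table):
    """A VRF imports a VPNv4 route iff one of the route's RTs is in its import
    list. The RD is not consulted: it only keeps overlapping prefixes distinct."""
    return sorted(r.prefix for r in vpnv4_table if r.rts & vrf.import_rt)

def leaked_prefixes(vrf, vpnv4_table, allowed_rts):
    """Audit helper (assumed, not an IOS feature): prefixes a VRF imports whose RTs
    lie entirely outside the set the operator intended for that VRF."""
    return sorted(r.prefix for r in vpnv4_table
                  if r.rts & vrf.import_rt and not r.rts & frozenset(allowed_rts))

# VRF definitions constructed from the r2 and r5 configurations on the page.
VRF12 = Vrf("12", "12:12", frozenset({"12:12"}), frozenset({"56:56"}))
VRF56 = Vrf("56", "56:56", frozenset({"56:56"}), frozenset({"12:12"}))

# Constructed VPNv4 table matching 'sh ip bgp vpnv4 *' on r2.
VPNV4_TABLE = (
    export_routes(VRF12, ["10.10.10.10/32", "20.20.20.20/32", "172.16.0.0/16"], "22.22.22.22")
    + export_routes(VRF56, ["6.6.6.6/32", "55.55.55.55/32", "172.17.0.0/16"], "50.50.50.50")
)
```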
(3) Multiprotocol BGP-VPNv4 assigns labels to BGP routes
Core1 and Core2 do not run BGP. Under the penultimate-hop popping rule, Core2 pops the LDP/TDP label from packets destined for IPS2 (whose routes were redistributed from IPS2's VRF into MBGP ipv4 vrf) before sending them to Border2. How then does Border2 decide how to forward the packet correctly to IPS2? (Consider the case of multiple CEs with overlapping routes.)
In the actual implementation, label forwarding uses the label that MBGP allocates for each BGP route. Packets crossing Core1 and Core2 therefore carry two labels: the top one is the LDP/TDP label, the bottom one is the label allocated by MBGP.
The advantage of this design is that Core1 and Core2 need neither a large label space nor much forwarding computation; only the edge routers (PE) need relatively high computing performance.
r2#show mpls ldp bindings
tib entry: 10.2.2.0/24, rev 2
local binding: tag: imp-null
remote binding: tsr: 30.30.30.30:0, tag: imp-null
tib entry: 10.3.3.0/24, rev 6
local binding: tag: 200
remote binding: tsr: 30.30.30.30:0, tag: imp-null
tib entry: 10.4.4.0/24, rev 8
local binding: tag: 201
remote binding: tsr: 30.30.30.30:0, tag: 300
tib entry: 22.22.22.22/32, rev 4
local binding: tag: imp-null
remote binding: tsr: 30.30.30.30:0, tag: 303
tib entry: 30.30.30.30/32, rev 10
local binding: tag: 202
remote binding: tsr: 30.30.30.30:0, tag: imp-null
tib entry: 40.40.40.40/32, rev 12
local binding: tag: 203
remote binding: tsr: 30.30.30.30:0, tag: 301
tib entry: 50.50.50.50/32, rev 14
local binding: tag: 204
remote binding: tsr: 30.30.30.30:0, tag: 302
r2#
r2#show ip bgp vpnv4 rd 12:12 labels
Network Next Hop In label/Out label
Route Distinguisher: 12:12 (12)
6.6.6.6/32 50.50.50.50 nolabel/505
10.10.10.10/32 172.16.1.1 205/nolabel
20.20.20.20/32 0.0.0.0 206/aggregate(12)
55.55.55.55/32 50.50.50.50 nolabel/506
172.16.0.0 0.0.0.0 207/aggregate(12)
172.17.0.0 50.50.50.50 nolabel/507
(4) The CEF table
When a packet is forwarded from the CE to the PE it is an IP packet and must be looked up in the VRF's CEF table. Because labels are back-filled into this CEF table, the lookup results in label imposition followed by forwarding.
r2#show ip cef vrf 12 detail
IP CEF with switching (Table Version 21), flags=0x0
15 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0
6 instant recursive resolutions, 0 used background process
31 leaves, 51 nodes, 55336 bytes, 52 inserts, 21 invalidations
0 load sharing elements, 0 bytes, 0 references
universal per-destination load sharing algorithm, id 0FDE3D1C
3(0) CEF resets, 0 revisions of existing leaves
Resolution Timer: Exponential (currently 1s, peak 1s)
0 in-place/0 aborted modifications
refcounts: 13577 leaf, 13568 node
Table epoch: 0 (15 entries at this epoch)
Adjacency Table has 3 adjacencies
0.0.0.0/0, version 0, epoch 0, attached, default route handler
0 packets, 0 bytes
via 0.0.0.0, 0 dependencies
valid no route adjacency
0.0.0.0/32, version 1, epoch 0, receive
6.6.6.6/32, version 18, epoch 0, cached adjacency 10.2.2.3
0 packets, 0 bytes
tag information set
local tag: VPN-route-head
fast tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 505}
via 50.50.50.50, 0 dependencies, recursive
next hop 10.2.2.3, Ethernet1/1 via 50.50.50.50/32
valid cached adjacency
tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 505}
10.10.10.10/32, version 14, epoch 0, cached adjacency 172.16.1.1
0 packets, 0 bytes
tag information set
local tag: 205
via 172.16.1.1, Ethernet1/0, 0 dependencies
next hop 172.16.1.1, Ethernet1/0
valid cached adjacency
tag rewrite with Et1/0, 172.16.1.1, tags imposed: {}
20.20.20.20/32, version 10, epoch 0, connected, receive
tag information set
local tag: 206
55.55.55.55/32, version 19, epoch 0, cached adjacency 10.2.2.3
0 packets, 0 bytes
tag information set
local tag: VPN-route-head
fast tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 506}
via 50.50.50.50, 0 dependencies, recursive
next hop 10.2.2.3, Ethernet1/1 via 50.50.50.50/32
valid cached adjacency
tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 506}
172.16.0.0/16, version 5, epoch 0, attached, connected
0 packets, 0 bytes
tag information set
local tag: 207
via Ethernet1/0, 0 dependencies
valid glean adjacency
tag rewrite with , , tags imposed: {}
172.16.0.0/32, version 8, epoch 0, receive
172.16.1.1/32, version 13, epoch 0, connected, cached adjacency 172.16.1.1
0 packets, 0 bytes
via 172.16.1.1, Ethernet1/0, 0 dependencies
next hop 172.16.1.1, Ethernet1/0
valid cached adjacency
172.16.2.2/32, version 7, epoch 0, receive
172.16.255.255/32, version 9, epoch 0, receive
172.17.0.0/16, version 20, epoch 0, cached adjacency 10.2.2.3
0 packets, 0 bytes
tag information set
local tag: VPN-route-head
fast tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 507}
via 50.50.50.50, 0 dependencies, recursive
next hop 10.2.2.3, Ethernet1/1 via 50.50.50.50/32
valid cached adjacency
tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 507}
224.0.0.0/4, version 12, epoch 0
0 packets, 0 bytes, Precedence routine (0)
via 0.0.0.0, 0 dependencies
next hop 0.0.0.0
valid drop adjacency
224.0.0.0/24, version 3, epoch 0, receive
255.255.255.255/32, version 2, epoch 0, receive
r2#
From the output above, reaching CE2's loopback address 6.6.6.6 from CE1 requires imposing two labels. The top label is the one allocated by MPLS LDP, borrowed from the BGP route's IBGP next hop: label 302. The bottom label is the one allocated by MBGP, and the PE forwards on it.
The bottom MBGP label is allocated per route delivered by the CE, so different routes have different bottom labels. This design seems somewhat odd: why not allocate labels per RD, so that all routes learned from the same VRF share one label?
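As an added example (not the article's own code) tying sections (3) and (4) together, the Python below parses constructed excerpts of the r2 output shown above (show mpls ldp bindings and show ip bgp vpnv4 rd 12:12 labels) and reproduces the imposed stack {302 505} from the CEF table by resolving the BGP next hop through LDP. The parsers assume the exact column layout seen on this page; the imp-null and missing-binding branches handle penultimate-hop popping and an unresolvable next hop.

```python
import re

# Constructed excerpts of r2 (Border1/PE1) output from the page.
LDP_BINDINGS = """\
tib entry: 10.2.2.0/24, rev 2
local binding: tag: imp-null
remote binding: tsr: 30.30.30.30:0, tag: imp-null
tib entry: 50.50.50.50/32, rev 14
local binding: tag: 204
remote binding: tsr: 30.30.30.30:0, tag: 302
"""
BGP_LABELS = """\
6.6.6.6/32 50.50.50.50 nolabel/505
10.10.10.10/32 172.16.1.1 205/nolabel
55.55.55.55/32 50.50.50.50 nolabel/506
"""

def parse_ldp_bindings(text):
    """prefix -> outgoing label learned from the downstream LSR (Core1)."""
    labels, prefix = {}, None
    for line in text.splitlines():
        m = re.match(r"tib entry: (\S+), rev", line.strip())
        if m:
            prefix = m.group(1)
        m = re.match(r"remote binding: tsr: \S+, tag: (\S+)", line.strip())
        if m and prefix:
            labels[prefix] = m.group(1)
    return labels

def parse_bgp_labels(text):
    """VPN prefix -> (BGP next hop, in label, out label)."""
    table = {}
    for line in text.splitlines():
        prefix, next_hop, in_out = line.split()
        table[prefix] = (next_hop, *in_out.split("/"))
    return table

def imposed_stack(dest, bgp, ldp):
    """Labels PE1 pushes on an IP packet from CE1 toward dest, top first.
    Top: LDP label for the BGP next hop /32, the only label Core1/Core2 switch on.
    Bottom: VPN label allocated by the remote PE, which Border2 uses to pick the VRF."""
    next_hop, _, vpn_label = bgp[dest]
    if vpn_label == "nolabel":
        return []  # route is local to this PE: plain IP forwarding, as for 10.10.10.10/32
    transport = ldp.get(next_hop + "/32")
    if transport is None:
        raise LookupError(f"no LDP binding for {next_hop}: VPN route cannot be resolved")
    # imp-null means the downstream LSR requested penultimate-hop popping,
    # so only the VPN label travels on the wire.
    stack = [] if transport == "imp-null" else [int(transport)]
    return stack + [int(vpn_label)]
```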