
MPLS Principles and Application Implementation Based on Cisco Technology (Part 2)

程序员文章站 2022-04-24 10:06:38


This part describes the basic architecture and basic implementation of MPLS VPN. As before, the MPLS VPN implementation is explained in frame mode.
 

As the figure below shows, virtual routers (VRFs) appear inside the router's IOS software. The virtual router implemented by a VRF maintains its own routing table and forwarding table, independent of the global routing table, as if it were a physically separate router. This lets one provider edge router (PE) connect several customer edge routers (CE) without complex deployment and maintenance.

 

[Figure: virtual routers (VRFs) inside the IOS router]

 

The six-router topology below is the environment in which MPLS VPN is explained and implemented.
 

[Figure: six-router MPLS VPN topology (IPS1, Border1, Core1, Core2, Border2, IPS2)]

 

OSPF runs between IPS1 and VRF 12 on Border1; multiprotocol BGP VPNv4 (MBGP-VPNv4) runs between Border1 and Border2; OSPF runs between IPS2 and VRF 56 on Border2. LDP/TDP runs on the interfaces between Border1, Core1, Core2 and Border2, and OSPF also runs on these interfaces.
 

The basic configurations are as follows:

r1#sh run
Building configuration...

Current configuration : 966 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
!
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!         
interface Ethernet1/0
 ip address 172.16.1.1 255.255.0.0
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.10 0.0.0.0 area 0
 network 172.16.1.1 0.0.0.0 area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end

r1#  
r1#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

r2#
r2#sh run
Building configuration...

Current configuration : 1860 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip vrf 12
 rd 12:12
 route-target export 12:12
 route-target import 56:56
!
ip cef
mpls label range 200 299
mpls label protocol ldp
tag-switching tdp router-id Loopback1
!
!         
interface Loopback0
 ip vrf forwarding 12
 ip address 20.20.20.20 255.255.255.255
!
interface Loopback1
 ip address 22.22.22.22 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/0
 ip vrf forwarding 12
 ip address 172.16.2.2 255.255.0.0
 duplex half
!
interface Ethernet1/1
 ip address 10.2.2.2 255.255.255.0
 duplex half
 tag-switching ip
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
router ospf 2 vrf 12
 log-adjacency-changes
 redistribute bgp 200 subnets
 network 20.20.20.20 0.0.0.0 area 0
 network 172.16.2.2 0.0.0.0 area 0
!
router ospf 22
 log-adjacency-changes
 network 10.2.2.2 0.0.0.0 area 0
 network 22.22.22.22 0.0.0.0 area 0
!
router bgp 200
 bgp router-id 22.22.22.22
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 50.50.50.50 remote-as 200
 neighbor 50.50.50.50 update-source Loopback1
 !
 address-family vpnv4
 neighbor 50.50.50.50 activate
 neighbor 50.50.50.50 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf 12
 redistribute ospf 2 match internal external 1 external 2
 no auto-summary
 no synchronization
 exit-address-family
!
ip classless
no ip http server
no ip http secure-server
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end

r2#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

r3#
r3#sh run
Building configuration...

Current configuration : 1130 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
mpls label range 300 399
mpls label protocol ldp
tag-switching tdp router-id Loopback0

!
interface Loopback0
 ip address 30.30.30.30 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/1
 ip address 10.2.2.3 255.255.255.0
 duplex half
 tag-switching ip
!
interface Ethernet1/2
 ip address 10.3.3.3 255.255.255.0
 duplex half
 tag-switching ip
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!         
router ospf 3
 log-adjacency-changes
 network 10.2.2.3 0.0.0.0 area 0
 network 10.3.3.3 0.0.0.0 area 0
 network 30.30.30.30 0.0.0.0 area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end

r3# 
r3#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

r4#
r4#sh run
Building configuration...

Current configuration : 1130 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
mpls label range 400 499
mpls label protocol ldp
tag-switching tdp router-id Loopback0

!
interface Loopback0
 ip address 40.40.40.40 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 ip address 10.3.3.4 255.255.255.0
 duplex half
 tag-switching ip
!
interface Ethernet1/3
 ip address 10.4.4.4 255.255.255.0
 duplex half
 tag-switching ip
!         
router ospf 4
 log-adjacency-changes
 network 10.3.3.4 0.0.0.0 area 0
 network 10.4.4.4 0.0.0.0 area 0
 network 40.40.40.40 0.0.0.0 area 0
!
ip classless
no ip http server
no ip http secure-server
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end

r4# 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

r5#
r5#sh run
Building configuration...

Current configuration : 1860 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
!
ip vrf 56
 rd 56:56
 route-target export 56:56
 route-target import 12:12
!
ip cef
mpls label range 500 599
mpls label protocol ldp
tag-switching tdp router-id Loopback0
!
!         
interface Loopback0
 ip address 50.50.50.50 255.255.255.255
!
interface Loopback1
 ip vrf forwarding 56
 ip address 55.55.55.55 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/0
 ip vrf forwarding 56
 ip address 172.17.5.5 255.255.0.0
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 ip address 10.4.4.5 255.255.255.0
 duplex half
 tag-switching ip
!
router ospf 55
 log-adjacency-changes
 network 10.4.4.5 0.0.0.0 area 0
 network 50.50.50.50 0.0.0.0 area 0
!
router ospf 5 vrf 56
 log-adjacency-changes
 redistribute bgp 200 subnets
 network 55.55.55.55 0.0.0.0 area 0
 network 172.17.5.5 0.0.0.0 area 0
!
router bgp 200
 bgp router-id 50.50.50.50
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 22.22.22.22 remote-as 200
 neighbor 22.22.22.22 update-source Loopback0
 !
 address-family vpnv4
 neighbor 22.22.22.22 activate
 neighbor 22.22.22.22 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf 56
 redistribute ospf 5 match internal external 1 external 2
 no auto-summary
 no synchronization
 exit-address-family
!
ip classless
no ip http server
no ip http secure-server
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end

r5#

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

r6#
r6#sh run
Building configuration...

Current configuration : 938 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r6
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
ip cef
!
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/0
 ip address 172.17.6.6 255.255.0.0
 duplex half
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
router ospf 6
 log-adjacency-changes
 network 6.6.6.6 0.0.0.0 area 0
 network 172.17.6.6 0.0.0.0 area 0
!         
ip classless
no ip http server
no ip http secure-server
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login    
!
!
end

r6#

Let us first look closely at the configuration on Border1 (PE1).

(1) VRF configuration

ip vrf 12
 rd 12:12
 route-target export 12:12
 route-target import 56:56

interface Loopback0
 ip vrf forwarding 12
 ip address 20.20.20.20 255.255.255.255
!
interface Ethernet1/0
 ip vrf forwarding 12
 ip address 172.16.2.2 255.255.0.0
 duplex half
 

VRF interfaces must be attached to the VRF, and basic operations must reference the VRF as well, for example sh ip route vrf 12, ping vrf 12 6.6.6.6, sh ip cef vrf 12, and so on.

(2) The concepts of RD and RT

The RD distinguishes identical prefixes that different CEs advertise to PE1. A route between the PE's VRF and the CE is therefore made up of the RD plus the 32-bit route prefix, so the RD only needs to be locally unique.

An RT has two actions, export and import; its purpose is to control which routes are exported and imported. Export means a VRF route can be exported into the multiprotocol BGP ipv4 vrf address family. Import means routes learned through multiprotocol BGP VPNv4 are allowed into this VRF. The RT is an extended attribute carried in the MBGP extended community.
 

r2#sh ip bgp vpnv4 rd 12:12 10.10.10.10
BGP routing table entry for 12:12:10.10.10.10/32, version 8
Paths: (1 available, best #1, table 12)
  Advertised to non peer-group peers:
  50.50.50.50 
  Local
    172.16.1.1 from 0.0.0.0 (22.22.22.22)
      Origin incomplete, metric 11, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:12:12 OSPF DOMAIN ID:0x0005:0x000000020200 OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:20.20.20.20:512,
      mpls labels in/out 205/nolabel
r2#

r2#sh ip bgp vpnv4 * 
BGP table version is 13, local router ID is 22.22.22.22
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 12:12 (default for vrf 12)
*>i6.6.6.6/32       50.50.50.50             11    100      0 ?
*> 10.10.10.10/32   172.16.1.1              11         32768 ?
*> 20.20.20.20/32   0.0.0.0                  0         32768 ?
*>i55.55.55.55/32   50.50.50.50              0    100      0 ?
*> 172.16.0.0       0.0.0.0                  0         32768 ?
*>i172.17.0.0       50.50.50.50              0    100      0 ?
Route Distinguisher: 56:56
*>i6.6.6.6/32       50.50.50.50             11    100      0 ?
*>i55.55.55.55/32   50.50.50.50              0    100      0 ?
*>i172.17.0.0       50.50.50.50              0    100      0 ?
 

(3) Multiprotocol BGP VPNv4 assigns labels to BGP routes

Core1 and Core2 do not run BGP. By the penultimate hop popping rule, Core2 pops the LDP/TDP label from packets going to IPS2 (routes that were redistributed from IPS2's VRF into MBGP ipv4 vrf) and sends them to Border2. How does Border2 then determine how to forward the packet correctly to IPS2? (Consider the case of several CEs with overlapping routes.)

In the actual implementation, label forwarding uses the labels that MBGP assigns to BGP routes. Packets inside Core1 and Core2 therefore carry two labels: the top one is the LDP/TDP label and the bottom one is the label assigned by MBGP.

The benefit of this design is that Core1 and Core2 need neither a large label space nor heavy forwarding computation; only the PE border routers need relatively high computing performance.
 

r2#show mpls ldp bindings     
  tib entry: 10.2.2.0/24, rev 2
        local binding:  tag: imp-null
        remote binding: tsr: 30.30.30.30:0, tag: imp-null
  tib entry: 10.3.3.0/24, rev 6
        local binding:  tag: 200
        remote binding: tsr: 30.30.30.30:0, tag: imp-null
  tib entry: 10.4.4.0/24, rev 8
        local binding:  tag: 201
        remote binding: tsr: 30.30.30.30:0, tag: 300
  tib entry: 22.22.22.22/32, rev 4
        local binding:  tag: imp-null
        remote binding: tsr: 30.30.30.30:0, tag: 303
  tib entry: 30.30.30.30/32, rev 10
        local binding:  tag: 202
        remote binding: tsr: 30.30.30.30:0, tag: imp-null
  tib entry: 40.40.40.40/32, rev 12
        local binding:  tag: 203
        remote binding: tsr: 30.30.30.30:0, tag: 301
  tib entry: 50.50.50.50/32, rev 14
        local binding:  tag: 204
        remote binding: tsr: 30.30.30.30:0, tag: 302
r2#

r2#show ip bgp vpnv4 rd 12:12 labels 
   Network          Next Hop      In label/Out label
Route Distinguisher: 12:12 (12)
   6.6.6.6/32       50.50.50.50     nolabel/505
   10.10.10.10/32   172.16.1.1      205/nolabel
   20.20.20.20/32   0.0.0.0         206/aggregate(12)
   55.55.55.55/32   50.50.50.50     nolabel/506
   172.16.0.0       0.0.0.0         207/aggregate(12)
   172.17.0.0       50.50.50.50     nolabel/507
 

(4) The CEF table

When a packet is forwarded from the CE to the PE it is a plain IP packet, and the lookup is done in the VRF's CEF table. Because the labels are fed back into this CEF table, the lookup imposes the labels and forwards the packet.

r2#show ip cef vrf 12 detail 
IP CEF with switching (Table Version 21), flags=0x0
  15 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0
  6 instant recursive resolutions, 0 used background process
  31 leaves, 51 nodes, 55336 bytes, 52 inserts, 21 invalidations
  0 load sharing elements, 0 bytes, 0 references
  universal per-destination load sharing algorithm, id 0FDE3D1C
  3(0) CEF resets, 0 revisions of existing leaves
  Resolution Timer: Exponential (currently 1s, peak 1s)
  0 in-place/0 aborted modifications
  refcounts:  13577 leaf, 13568 node

  Table epoch: 0 (15 entries at this epoch)

Adjacency Table has 3 adjacencies
0.0.0.0/0, version 0, epoch 0, attached, default route handler
0 packets, 0 bytes
  via 0.0.0.0, 0 dependencies
    valid no route adjacency
0.0.0.0/32, version 1, epoch 0, receive
6.6.6.6/32, version 18, epoch 0, cached adjacency 10.2.2.3
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 505}
  via 50.50.50.50, 0 dependencies, recursive
    next hop 10.2.2.3, Ethernet1/1 via 50.50.50.50/32
    valid cached adjacency
    tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 505}
10.10.10.10/32, version 14, epoch 0, cached adjacency 172.16.1.1
0 packets, 0 bytes
  tag information set
    local tag: 205
  via 172.16.1.1, Ethernet1/0, 0 dependencies
    next hop 172.16.1.1, Ethernet1/0
    valid cached adjacency
    tag rewrite with Et1/0, 172.16.1.1, tags imposed: {}
20.20.20.20/32, version 10, epoch 0, connected, receive
  tag information set
    local tag: 206
55.55.55.55/32, version 19, epoch 0, cached adjacency 10.2.2.3
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 506}
  via 50.50.50.50, 0 dependencies, recursive
    next hop 10.2.2.3, Ethernet1/1 via 50.50.50.50/32
    valid cached adjacency
    tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 506}
172.16.0.0/16, version 5, epoch 0, attached, connected
0 packets, 0 bytes
  tag information set
    local tag: 207
  via Ethernet1/0, 0 dependencies
    valid glean adjacency
    tag rewrite with , , tags imposed: {}
172.16.0.0/32, version 8, epoch 0, receive
172.16.1.1/32, version 13, epoch 0, connected, cached adjacency 172.16.1.1
0 packets, 0 bytes
  via 172.16.1.1, Ethernet1/0, 0 dependencies
    next hop 172.16.1.1, Ethernet1/0
    valid cached adjacency
172.16.2.2/32, version 7, epoch 0, receive
172.16.255.255/32, version 9, epoch 0, receive
172.17.0.0/16, version 20, epoch 0, cached adjacency 10.2.2.3
0 packets, 0 bytes
  tag information set
    local tag: VPN-route-head
    fast tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 507}
  via 50.50.50.50, 0 dependencies, recursive
    next hop 10.2.2.3, Ethernet1/1 via 50.50.50.50/32
    valid cached adjacency
    tag rewrite with Et1/1, 10.2.2.3, tags imposed: {302 507}
224.0.0.0/4, version 12, epoch 0
0 packets, 0 bytes, Precedence routine (0)
  via 0.0.0.0, 0 dependencies
    next hop 0.0.0.0
    valid drop adjacency
224.0.0.0/24, version 3, epoch 0, receive
255.255.255.255/32, version 2, epoch 0, receive
r2#
 

The output above shows that reaching CE2's loopback address 6.6.6.6 from CE1 requires imposing two labels. The top label is the one assigned by MPLS LDP; it is label 302, borrowed from the IBGP route to the BGP next hop. The bottom label is the one assigned by MBGP and is used for forwarding on the PE.

 

The bottom label assigned by MBGP is allocated per route passed from the CE, so every route has a different bottom label. This design seems somewhat strange: why not allocate labels per RD, so that all routes learned from the same VRF would share one label?
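As an added example (not code from the article or from Cisco IOS), the following Python script traces a packet through the page's topology using the label values in the show outputs above, covering the two-label stack {302 505} of section (3) and the per-route bottom label questioned here. r3's and r4's outgoing LDP labels (402, 403) and the imp-null binding on r5's loopback are assumptions, since the page does not show them; the reverse direction is included to contrast the per-prefix label 205 with the aggregate(12) label 206.

```python
# Constructed simulation of the two-label forwarding path on this page's topology.
# Labels marked (page) are copied from the show outputs above; labels marked (assumed)
# are not shown on the page and were invented only to complete the path.
POP = "imp-null"  # an imp-null binding means the upstream router pops the label (PHP)
# P routers (no BGP): in_label -> (out_label, next_hop); labels are swapped, never looked up as IP
LFIB = {
    "r3": {302: (402, "r4"),   # 302: r3's binding for 50.50.50.50/32 (page); 402 (assumed)
           303: (POP, "r2")},  # 303: r3's binding for 22.22.22.22/32; r2 binds imp-null (page)
    "r4": {402: (POP, "r5"),   # r5 binds imp-null to its own loopback (assumed): PHP at r4
           403: (303, "r3")},  # 403 (assumed): r4's binding for 22.22.22.22/32
}
# Ingress PE: VRF CEF entry, prefix -> (label stack imposed, next hop)
VRF_CEF = {
    ("r2", "12"): {"6.6.6.6": ([302, 505], "r3")},        # tags imposed {302 505} (page)
    ("r5", "56"): {"10.10.10.10": ([403, 205], "r4"),     # 205: per-prefix VPN label (page)
                   "20.20.20.20": ([403, 206], "r4")},    # 206: aggregate(12) label (page)
}
# Egress PE: VPN (bottom) label -> (kind, vrf, CE next hop); aggregate labels need an IP lookup
VPN_LABELS = {
    "r5": {505: ("prefix", "56", "r6")},                    # nolabel/505 for 6.6.6.6 (page)
    "r2": {205: ("prefix", "12", "r1"),                     # 205/nolabel for 10.10.10.10 (page)
           206: ("aggregate", "12", None)},                 # 206/aggregate(12) (page)
}
VRF_IP = {("r2", "12"): {"20.20.20.20": "local Loopback0", "10.10.10.10": "r1"}}

def forward(pe, vrf, dest):
    """Trace (router, label stack after processing, action) from ingress PE to egress PE."""
    stack, nh = VRF_CEF[(pe, vrf)][dest]
    hops = [(pe, list(stack), f"impose, send to {nh}")]
    node = nh
    while node in LFIB:                    # core: label switching only, no IP lookup
        out, nh = LFIB[node][stack[0]]
        stack = stack[1:] if out == POP else [out] + stack[1:]
        hops.append((node, list(stack), f"{'PHP pop' if out == POP else 'swap'}, send to {nh}"))
        node = nh
    entry = VPN_LABELS[node].get(stack[0])  # egress PE: bottom label selects VRF and route
    if entry is None:
        hops.append((node, list(stack), "drop: unknown VPN label"))
    elif entry[0] == "prefix":
        hops.append((node, [], f"pop, forward to {entry[2]} in vrf {entry[1]} (no IP lookup)"))
    else:
        hops.append((node, [], f"pop, IP lookup in vrf {entry[1]} -> {VRF_IP[(node, entry[1])][dest]}"))
    return hops

if __name__ == "__main__":
    for pe, vrf, dest in (("r2", "12", "6.6.6.6"), ("r5", "56", "10.10.10.10"), ("r5", "56", "20.20.20.20")):
        print(f"--- {dest} from {pe} vrf {vrf}")
        for router, stack, action in forward(pe, vrf, dest):
            print(f"  {router}: {stack} {action}")
```

The aggregate case shows the cost a per-VRF label scheme would pay on every packet: the egress PE must pop and then perform an IP lookup in the VRF, whereas a per-prefix label identifies the outgoing CE directly.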