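Lab topology
Lab scenario
Company A (red) and Company B (blue) each have two networks, and each company wants the employees in its two networks to reach each other over private routes. Both companies want to use BGP on their network edge devices to send their private routes to the carrier network. The carrier carries the private routes across the public network with MP-BGP, and uses MPLS VPN technology to ensure the security and privacy of customer network information.
Lab configuration
Public network configuration
IP configuration of AR3, AR4 and AR5 (physical interfaces, Loopback)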
AR3:
interface GigabitEthernet0/0/2
ip address 34.1.1.3 255.255.255.0
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
AR4:
interface GigabitEthernet0/0/0
ip address 34.1.1.4 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 45.1.1.4 255.255.255.0
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
AR5:
interface GigabitEthernet0/0/0
ip address 45.1.1.5 255.255.255.0
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
IGP configuration (OSPF or IS-IS)
AR3:
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 34.1.1.3 0.0.0.0
AR4:
ospf 1 router-id 4.4.4.4
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 34.1.1.4 0.0.0.0
network 45.1.1.4 0.0.0.0
AR5:
ospf 1 router-id 5.5.5.5
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 45.1.1.5 0.0.0.0
MPLS configuration (MPLS, MPLS LDP)
AR3:
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/2
mpls
mpls ldp
AR4:
mpls lsr-id 4.4.4.4
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
mpls
mpls ldp
AR5:
mpls lsr-id 5.5.5.5
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
mpls
mpls ldp
Test LSP connectivity
[AR3]ping lsp -a 3.3.3.3 ip 5.5.5.5 32
vpn-instance configuration on the PE devices (VPN name, RD, RT, interface binding, IP address)
AR3:
ip vpn-instance VPN1
ipv4-family
route-distinguisher 1:1
vpn-target 1:6 export-extcommunity
vpn-target 6:1 import-extcommunity
#
ip vpn-instance VPN2
ipv4-family
route-distinguisher 2:2
vpn-target 10:10 export-extcommunity
vpn-target 10:10 import-extcommunity
#
interface GigabitEthernet0/0/0
ip binding vpn-instance VPN1
ip address 192.168.1.254 255.255.255.0
#
interface GigabitEthernet0/0/1
ip binding vpn-instance VPN2
ip address 192.168.1.254 255.255.255.0
AR5:
ip vpn-instance VPN1
ipv4-family
route-distinguisher 1:1
vpn-target 6:1 export-extcommunity
vpn-target 1:6 import-extcommunity
#
ip vpn-instance VPN2
ipv4-family
route-distinguisher 2:2
vpn-target 10:10 export-extcommunity
vpn-target 10:10 import-extcommunity
#
interface GigabitEthernet0/0/1
ip binding vpn-instance VPN2
ip address 192.168.2.254 255.255.255.0
#
interface GigabitEthernet0/0/2
ip binding vpn-instance VPN1
ip address 192.168.2.254 255.255.255.0
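Both VPN instances reuse the same addresses, so separation between the two customers rests entirely on the vpn-target (RT) values above. The following added example (not part of the original lab; the function names are hypothetical) parses the vpn-target lines copied from this page, computes which VPN instance imports routes from which, and flags any import between differently named instances, on the assumption that a different instance name means a different customer.

```python
import re

# Constructed input: only the vpn-instance and vpn-target lines from this page.
CONFIG = """\
AR3:
ip vpn-instance VPN1
vpn-target 1:6 export-extcommunity
vpn-target 6:1 import-extcommunity
ip vpn-instance VPN2
vpn-target 10:10 export-extcommunity
vpn-target 10:10 import-extcommunity
AR5:
ip vpn-instance VPN1
vpn-target 6:1 export-extcommunity
vpn-target 1:6 import-extcommunity
ip vpn-instance VPN2
vpn-target 10:10 export-extcommunity
vpn-target 10:10 import-extcommunity
"""

def parse(text):
    """Return {(pe, vrf): {"export": set_of_RTs, "import": set_of_RTs}}."""
    vrfs, pe, cur = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"(AR\d+):", line):
            pe = m.group(1)
        elif m := re.fullmatch(r"ip vpn-instance (\S+)", line):
            cur = vrfs[(pe, m.group(1))] = {"export": set(), "import": set()}
        elif m := re.fullmatch(r"vpn-target (.+) (export|import)-extcommunity", line):
            cur[m.group(2)].update(m.group(1).split())  # several RTs may share a line
    return vrfs

def import_matrix(vrfs):
    """For each VRF, list the other VRFs whose export RTs match one of its import RTs."""
    return {dst: sorted(src for src, s in vrfs.items()
                        if src != dst and s["export"] & d["import"])
            for dst, d in vrfs.items()}

def leaks(matrix):
    """(source, destination) pairs where the instance names differ (assumed: different customers)."""
    return [(src, dst) for dst, srcs in matrix.items() for src in srcs if src[1] != dst[1]]

if __name__ == "__main__":
    matrix = import_matrix(parse(CONFIG))
    for dst, srcs in matrix.items():
        print(dst, "imports from", srcs)
    print("cross-VPN imports:", leaks(matrix))
```

With the RT values from this page each instance imports only from the same-named instance on the other PE, and no cross-VPN import is reported.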
BGP configuration (between PEs, and between PE and CE)
AR3:
bgp 1
peer 5.5.5.5 as-number 1
peer 5.5.5.5 connect-interface LoopBack0
#
ipv4-family vpnv4
policy vpn-target
peer 5.5.5.5 enable
#
ipv4-family vpn-instance VPN1
peer 192.168.1.1 as-number 100
#
ipv4-family vpn-instance VPN2
peer 192.168.1.1 as-number 200
AR5:
bgp 1
peer 3.3.3.3 as-number 1
peer 3.3.3.3 connect-interface LoopBack0
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance VPN1
peer 192.168.2.1 as-number 300
#
ipv4-family vpn-instance VPN2
peer 192.168.2.1 as-number 400
Customer-side configuration
IP addresses of AR1, AR2, AR6 and AR7 (physical interfaces, Loopback)
AR1:
interface GigabitEthernet0/0/0
ip address 192.168.1.1 255.255.255.0
#
interface LoopBack0
ip address 172.16.1.1 255.255.255.0
AR2:
interface GigabitEthernet0/0/0
ip address 192.168.1.1 255.255.255.0
#
interface LoopBack0
ip address 172.16.1.1 255.255.255.0
AR6:
interface GigabitEthernet0/0/0
ip address 192.168.2.1 255.255.255.0
#
interface LoopBack0
ip address 172.16.2.1 255.255.255.0
AR7:
interface GigabitEthernet0/0/0
ip address 192.168.2.1 255.255.255.0
#
interface LoopBack0
ip address 172.16.2.1 255.255.255.0
BGP configuration (between CE and PE)
AR1:
bgp 100
peer 192.168.1.254 as-number 1
#
ipv4-family unicast
network 172.16.1.0 255.255.255.0
AR2:
bgp 200
peer 192.168.1.254 as-number 1
#
ipv4-family unicast
network 172.16.1.0 255.255.255.0
AR6:
bgp 300
peer 192.168.2.254 as-number 1
#
ipv4-family unicast
network 172.16.2.0 255.255.255.0
AR7:
bgp 400
peer 192.168.2.254 as-number 1
#
ipv4-family unicast
network 172.16.2.0 255.255.255.0
Test the final connectivity
[AR1]ping -a 172.16.1.1 172.16.2.1
[AR2]ping -a 172.16.1.1 172.16.2.1