As shown in Figure 1:
1. AR4 connects the finance department at company headquarters and AR6 connects the finance department at the branch office; AR4 and AR6 belong to vpna.
2. AR5 connects the office area at company headquarters and AR7 connects the office area at the branch office; AR5 and AR7 belong to vpnb.
The company requires BGP/MPLS IP VPN so that headquarters and branch can communicate securely, with the finance and office areas kept isolated from each other. "Secure" here means isolation: each VPN gets its own routing and forwarding table on the PEs (selected by route distinguisher and route target) and its own label across the backbone, so finance and office traffic cannot reach each other's prefixes and neither is visible in the public routing table. The backbone does not encrypt the traffic, so confidentiality on the P links is not something this design provides.
Configuration roadmap (AR1 is pe1, AR2 is p, AR3 is pe2). BGP/MPLS IP VPN is configured in the following steps:
- Configure OSPF between the P and the PEs so that the backbone has IP connectivity (here the loopbacks 1.1.1.9, 2.2.2.9 and 3.3.3.9 and the 172.x.1.0/24 links).
- Enable MPLS and MPLS LDP on the PEs and the P so that LSPs are set up across the backbone; these are the public-network tunnels that carry the VPN traffic.
- Configure the VPN instances on PE1 and PE2: vpna uses VPN target 111:1 and vpnb uses 222:2. A PE imports a VPNv4 route into an instance only if the route carries an export RT that is in that instance's import list, which is what connects the two sites of one VPN and keeps the two VPNs apart. Bind each CE-facing interface to its VPN instance so that the CE's routes and traffic land in the right instance.
- Configure MP-IBGP (the vpnv4 address family) between PE1 and PE2 to exchange VPN routes.
- Configure EBGP between each CE and its PE, inside the matching VPN instance, to exchange VPN routes.
AR1:
dis current-configuration
[V200R003C00]
sysname pe1
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load flash:/portalpage.zip
drop illegal-mac alarm
wlan ac-global carrier id other ac id 0
set cpu-usage threshold 80 restore 75
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1 //RD (route distinguisher): keeps overlapping customer prefixes distinct in VPNv4
vpn-target 111:1 export-extcommunity //RT (route target) attached to routes exported from vpna
vpn-target 111:1 import-extcommunity //RT a route must carry to be imported into vpna
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
mpls lsr-id 1.1.1.9
mpls
mpls ldp
firewall zone Local
priority 15
interface GigabitEthernet0/0/0
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
interface GigabitEthernet0/0/1
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
interface GigabitEthernet0/0/2
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
interface NULL0
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
bgp 100 // Establish MP-IBGP peer relationship between PEs
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.1 as-number 65410
ipv4-family vpn-instance vpnb
import-route direct
peer 10.2.1.1 as-number 65420
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
wlan ac
return
AR2:
dis current-configuration
[V200R003C00]
sysname p
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load flash:/portalpage.zip
drop illegal-mac alarm
wlan ac-global carrier id other ac id 0
set cpu-usage threshold 80 restore 75
mpls lsr-id 2.2.2.9
mpls
mpls ldp
firewall zone Local
priority 15
interface GigabitEthernet0/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
interface GigabitEthernet0/0/1
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
interface GigabitEthernet0/0/2
interface NULL0
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
wlan ac
return
AR3:
dis current-configuration
[V200R003C00]
sysname pe2
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load flash:/portalpage.zip
drop illegal-mac alarm
wlan ac-global carrier id other ac id 0
set cpu-usage threshold 80 restore 75
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
mpls lsr-id 3.3.3.9
mpls
mpls ldp
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
firewall zone Local
priority 15
interface GigabitEthernet0/0/0
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
interface GigabitEthernet0/0/1
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
interface GigabitEthernet0/0/2
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
interface NULL0
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
ipv4-family vpn-instance vpna
import-route direct
peer 10.3.1.1 as-number 65430
ipv4-family vpn-instance vpnb
import-route direct
peer 10.4.1.1 as-number 65440
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
wlan ac
return
AR4:
dis current-configuration
[V200R003C00]
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load flash:/portalpage.zip
drop illegal-mac alarm
wlan ac-global carrier id other ac id 0
set cpu-usage threshold 80 restore 75
firewall zone Local
priority 15
interface GigabitEthernet0/0/0
ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface NULL0
bgp 65410
peer 10.1.1.2 as-number 100
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
wlan ac
return
AR5:
dis current-configuration
[V200R003C00]
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load flash:/portalpage.zip
drop illegal-mac alarm
wlan ac-global carrier id other ac id 0
set cpu-usage threshold 80 restore 75
firewall zone Local
priority 15
interface GigabitEthernet0/0/0
ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface NULL0
bgp 65420
peer 10.2.1.2 as-number 100
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
wlan ac
return
AR6:
dis current-configuration
[V200R003C00]
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load flash:/portalpage.zip
drop illegal-mac alarm
wlan ac-global carrier id other ac id 0
set cpu-usage threshold 80 restore 75
firewall zone Local
priority 15
interface GigabitEthernet0/0/0
ip address 10.3.1.1 255.255.255.0
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface NULL0
bgp 65430
peer 10.3.1.2 as-number 100
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
wlan ac
return
AR7:
dis current-configuration
[V200R003C00]
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load flash:/portalpage.zip
drop illegal-mac alarm
wlan ac-global carrier id other ac id 0
set cpu-usage threshold 80 restore 75
firewall zone Local
priority 15
interface GigabitEthernet0/0/0
ip address 10.4.1.1 255.255.255.0
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface NULL0
bgp 65440
peer 10.4.1.2 as-number 100
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
wlan ac
return
Check:
Run display mpls ldp session on each PE and on the P; the Status column of every LDP session should show Operational.
Run display ip vpn-instance verbose on each PE to see the VPN instance configuration (RD, RTs and bound interfaces). Each PE can ping the CE connected to it. When pinging the CE from the PE, use ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address and give the PE's own interface address with -a (for example, on pe1: ping -vpn-instance vpna -a 10.1.1.2 10.1.1.1); otherwise the ping may fail.
Run display bgp peer or display bgp vpnv4 all peer on a PE; the MP-IBGP session between the PEs (1.1.1.9 and 3.3.3.9) should be in the Established state.
Run display bgp vpnv4 vpn-instance vpn-instance-name peer on a PE; the EBGP session to the CE in that instance should be in the Established state.
Run display ip routing-table vpn-instance vpn-instance-name on a PE; the routing table of vpna should contain the route to the remote CE of vpna and nothing learned from vpnb, and vice versa. Checking the other instance's table as well is the actual proof of isolation: a route leaking into the wrong table would otherwise only be noticed when a host in the office area can reach a finance address.
One thing these dumps leave at defaults that a production deployment should not: none of the BGP sessions (MP-IBGP between the PEs, EBGP to the CEs) has a peer password configured. On VRP that is peer ipv4-address password cipher ..., and it should be set on both ends of every session.
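The RT matching rule from the roadmap and the isolation check above, as an added Python example (not part of the original lab and not a Huawei tool): it parses the vpn-instance and interface sections of the pe1 dump (re-typed from this page with indentation restored; pe2 is derived from it with its own RDs and interface numbers), computes which instances would import each other's routes under the export-RT/import-RT rule, checks that every instance has a unique RD and a bound CE-facing interface, and flags any cross-VPN import. A constructed misconfiguration (one extra import RT on pe2's vpnb) shows what a leak looks like. The names parse_pe, route_flow and audit are the example's own.

```python
"""RT-isolation audit for the BGP/MPLS IP VPN on this page (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from itertools import permutations

MODES = ("export-extcommunity", "import-extcommunity", "both")

# Constructed from the pe1 dump on this page; only the sections the audit
# reads are kept. pe2 is the same plan with its own RDs and interfaces.
PE1 = """\
sysname pe1
ip vpn-instance vpna
 route-distinguisher 100:1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
 route-distinguisher 100:2
 vpn-target 222:2 export-extcommunity
 vpn-target 222:2 import-extcommunity
interface GigabitEthernet0/0/0
 ip binding vpn-instance vpna
interface GigabitEthernet0/0/1
 ip binding vpn-instance vpnb
"""
PE2 = (PE1.replace("pe1", "pe2").replace("100:", "200:")
       .replace("0/0/1", "0/0/2").replace("0/0/0", "0/0/1"))
# Constructed misconfiguration: one extra import RT on pe2's vpnb pulls the
# finance (vpna) routes into the office VPN.
PE2_LEAKY = PE2.replace("vpn-target 222:2 import-extcommunity",
                        "vpn-target 222:2 111:1 import-extcommunity")


@dataclass
class VpnInstance:
    pe: str
    name: str
    rd: str = ""
    export_rt: set = field(default_factory=set)
    import_rt: set = field(default_factory=set)
    interfaces: list = field(default_factory=list)


def parse_pe(config):
    """Collect VPN instances (RD, RTs, bound interfaces) from a VRP dump.
    Only section-opening commands set the context, so indentation is irrelevant."""
    sysname, inst, ctx = "?", {}, None  # ctx: ("vpn", name) or ("if", name)
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            continue
        if tok[0] == "sysname":
            sysname = tok[1]
        elif tok[:2] == ["ip", "vpn-instance"]:
            ctx = ("vpn", tok[2])
            inst.setdefault(tok[2], VpnInstance(sysname, tok[2]))
        elif tok[0] == "interface":
            ctx = ("if", tok[1])
        elif tok[0] in ("route-distinguisher", "vpn-target"):
            if not ctx or ctx[0] != "vpn":
                raise ValueError(f"outside a vpn-instance: {raw.strip()}")
            cur = inst[ctx[1]]
            if tok[0] == "route-distinguisher":
                cur.rd = tok[1]
                continue
            # 'vpn-target rt [rt ...] [mode]'; VRP defaults the mode to both
            mode = tok[-1] if tok[-1] in MODES else "both"
            rts = set(tok[1:-1] if tok[-1] in MODES else tok[1:])
            if mode != "import-extcommunity":
                cur.export_rt |= rts
            if mode != "export-extcommunity":
                cur.import_rt |= rts
        elif tok[:3] == ["ip", "binding", "vpn-instance"]:
            if not ctx or ctx[0] != "if" or tok[3] not in inst:
                raise ValueError(f"bad binding: {raw.strip()}")
            inst[tok[3]].interfaces.append(ctx[1])
    return inst


def route_flow(*pes):
    """Ordered (src_pe, src_vpn, dst_pe, dst_vpn) pairs whose routes the dst
    imports (export RTs meet import RTs); same-PE pairs are included because
    the rule leaks between two instances on one PE just as well."""
    every = [i for pe in pes for i in pe.values()]
    return {(s.pe, s.name, d.pe, d.name)
            for s, d in permutations(every, 2) if s.export_rt & d.import_rt}


def audit(*pes):
    """Findings for the RT plan; an empty list means the VPNs are isolated."""
    out = []
    for pe in pes:
        rds = [i.rd for i in pe.values()]
        for i in pe.values():
            if not i.rd:
                out.append(f"{i.pe}/{i.name}: no route-distinguisher")
            elif rds.count(i.rd) > 1:
                out.append(f"{i.pe}/{i.name}: RD {i.rd} reused on this PE")
            if not i.interfaces:
                out.append(f"{i.pe}/{i.name}: no CE-facing interface bound")
    out += [f"LEAK: {sp}/{s} routes are imported into {dp}/{d}"
            for sp, s, dp, d in sorted(route_flow(*pes)) if s != d]
    return out


if __name__ == "__main__":
    print("page config:", audit(parse_pe(PE1), parse_pe(PE2)) or "isolated")
    print("leaky config:", audit(parse_pe(PE1), parse_pe(PE2_LEAKY)))
```

Run against the page's plan, audit returns no findings and route_flow shows exactly the four same-VPN pairs (pe1/vpna with pe2/vpna, pe1/vpnb with pe2/vpnb). With the extra 111:1 import on pe2's vpnb it reports that both pe1/vpna and pe2/vpna routes are imported into pe2/vpnb, which is the condition the display ip routing-table vpn-instance check above is meant to catch on the live device.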