Knowledge explanation: MPLS topology design and VRF, RD, RT detailed explanation

Topology requirements:

On the MPLS network, loopback0 of CE1 can ping loopback0 of CE3, but cannot ping CE4.

Loopback0 of CE2 can ping loopback0 of CE4, but cannot ping CE3.

Topological difficulties:

1. The loopback0 addresses of CE1 and CE2 are both 192.168.1.1. How can the two be isolated?

2. Data packets sent by CE3 cross the MPLS network and reach PE1. How does PE1 forward them to CE1 rather than CE2? Data packets sent by CE4 cross the MPLS network and reach PE1. How does PE1 forward them to CE2 rather than CE1?

3. On the MPLS network, after a data packet sent by CE1 or CE2 reaches PE1, how does PE1 forward it across the core to PE2?

Solution:

How to solve difficulty 1 (the loopback0 addresses of CE1 and CE2 are both 192.168.1.1): use VRF to implement isolation.

1. VRF: VPN Routing & Forwarding instance

Function: isolate customer LANs from one another, which addresses the user isolation (security) requirement.

Command explanation: Take PE1 as an example

ip vrf A //Create a VRF named A

ip vrf B //Create a VRF named B

int f0/0 //Enter interface f0/0 in order to bind it to VRF A

    ip vrf forwarding A //bind interface f0/0 to VRF A

int f1/0 //Enter interface f1/0 in order to bind it to VRF B

    ip vrf forwarding B //bind interface f1/0 to VRF B

Idea analysis: different VRFs are isolated from each other and cannot communicate. The f0/0 interface of PE1 is placed in VRF A and the f1/0 interface of PE1 in VRF B, so CE1 and CE2 land in different VRFs. Each VRF has its own routing table, so the two LANs cannot reach each other even though both use 192.168.1.1, and isolation between the LANs is achieved.

How to solve difficulty 2: all data packets sent by CE3 reach PE1 through the MPLS network; how does PE1 forward them to CE1 instead of CE2? All data packets sent by CE4 reach PE1 through the MPLS network; how does PE1 forward them to CE2 instead of CE1? Use the RD to resolve the address conflict.

2. RD: route distinguisher

Function: prepend a 64-bit RD to the customer IPv4 prefix so that overlapping customer addresses no longer collide, making each one globally unique.

The address formed by prepending the RD is the VPNv4 address.

Note: the BGP extension that can carry address families other than IPv4 is called multiprotocol BGP (MPBGP).

Command explanation: Take PE1 as an example

ip vrf A

  rd 1:1 //Deploy RD for VRF A as 1:1

ip vrf B

  rd 2:2 //Deploy RD for VRF B as 2:2

int f0/0 //Enter interface f0/0 in order to bind it to VRF A

    ip vrf forwarding A //bind interface f0/0 to VRF A

int f1/0 //Enter interface f1/0 in order to bind it to VRF B

    ip vrf forwarding B //bind interface f1/0 to VRF B

Idea analysis: under VRF A, deploy an RD such as 1:1. When a packet sent by loopback0 of CE1 reaches PE1, the RD 1:1 is attached to the 192.168.1.1 address, and the result is used as the VPNv4 address; the address exchanged between PE1 and PE2 is 1:1 192.168.1.1.

Under VRF B, deploy an RD such as 2:2. When a packet sent by loopback0 of CE2 reaches PE1, the RD 2:2 is attached to the 192.168.1.1 address, and the result is used as the VPNv4 address; the address exchanged between PE1 and PE2 is 2:2 192.168.1.1.

If PE1 receives a packet destined for 1:1 192.168.1.1, the packet is sent out of port f0/0.

If PE1 receives a packet destined for 2:2 192.168.1.1, the packet is sent out of port f1/0.

How to solve difficulty 3: on the MPLS network, after a data packet sent by CE1 or CE2 reaches PE1, how does PE1 forward it to PE2? Use the RT to establish the connection between the VRFs on the two PEs.

3. RT: route target

Function: control the export and import of routes, so that the PE sending a route knows which VPN customers it is intended for, and the PE receiving the route knows which VRFs to import it into.

The RT is a BGP extended community attribute, and VPNv4 routes must carry it when they are advertised.

There are two kinds of RT value: the export RT, which is attached to routes when they are exported, and the import RT, which is matched against routes when they are imported.

The export RT of the sending PE must match the import RT of the receiving PE. Only when they match will the receiving PE add the VPNv4 route to that VRF's routing table.

Command explanation:

Deploy on PE1:

ip vrf A

  rd 1:1 //Deploy RD for VRF A as 1:1

   route-target 10:1 //The export and import of deploying RT for VRF A are both 10:1

ip vrf B

  rd 2:2 //Deploy RD for VRF B as 2:2

   route-target 10:2 //The export and import of deploying RT for VRF B are both 10:2

int f0/0 //Enter interface f0/0 in order to bind it to VRF A

    ip vrf forwarding A //bind interface f0/0 to VRF A

int f1/0 //Enter interface f1/0 in order to bind it to VRF B

    ip vrf forwarding B //bind interface f1/0 to VRF B

Deploy on PE2:

ip vrf C

  rd 3:3 //Deploy RD for VRF C as 3:3

   route-target 10:1 //The export and import of RT deployment for VRF C are both 10:1

ip vrf D

  rd 4:4 //Deploy RD for VRF D as 4:4

   route-target 10:2 //The export and import of deploying RT for VRF D are both 10:2

int f1/0 //Enter interface f1/0 in order to bind it to VRF C

    ip vrf forwarding C //bind interface f1/0 to VRF C

int f2/0 //Enter interface f2/0 in order to bind it to VRF D

    ip vrf forwarding D //bind interface f2/0 to VRF D

Idea analysis: the export and import RT deployed in VRF A of PE1 are both 10:1, and the export and import RT deployed in VRF C of PE2 are both 10:1. PE1 and PE2 are MPBGP neighbors, so PE2 imports the VPNv4 routes PE1 sends for VRF A into VRF C, and PE1 imports the VPNv4 routes PE2 sends back for VRF C into VRF A. The same holds for VRF B of PE1 and VRF D of PE2, which share the RT 10:2.
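To make the three mechanisms concrete, here is an added Python model of the PE1/PE2 setup above (difficulties 2 and 3); it is example code written for this explanation, not code from the original post or from any router. It uses the post's VRF names, RDs, RTs and interfaces; the CE3 and CE4 loopback addresses (192.168.3.3 and 192.168.4.4) and the helper names (`encode_rd`, `vpnv4_key`, `run_exchange`, `egress_interface`) are assumptions. Each VRF keeps its own routing table (VRF isolation), each exported route is keyed by the 8-byte RD plus prefix so the two 192.168.1.1/32 routes coexist in the VPNv4 table (RD), and a received route is only installed into a VRF whose import RT matches the export RT it carries (RT).

```python
# Added model of the PE1/PE2 topology: VRF tables, RD-prefixed VPNv4 routes and RT-based import.
# Constructed example; CE3/CE4 loopback addresses are assumed values, not from the original post.
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Network


def encode_rd(rd: str) -> bytes:
    """Type-0 RD 'ASN:number' as the 8 bytes (type, 2-byte admin, 4-byte assigned) carried in VPNv4 NLRI."""
    admin, assigned = (int(part) for part in rd.split(":"))
    return struct.pack("!HHI", 0, admin, assigned)


def vpnv4_key(rd: str, prefix: str) -> bytes:
    """RD + IPv4 prefix: the VPNv4 identity that keeps overlapping customer prefixes distinct."""
    net = IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed + bytes([net.prefixlen])


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: set
    import_rt: set
    interface: str                                   # attachment circuit towards the CE
    routes: dict = field(default_factory=dict)       # prefix -> (owning PE, owning VRF)


@dataclass
class Pe:
    name: str
    vrfs: dict = field(default_factory=dict)
    vpnv4_table: dict = field(default_factory=dict)  # vpnv4 key -> (rd, prefix, RTs, owner)

    def add_vrf(self, vrf: Vrf) -> None:
        self.vrfs[vrf.name] = vrf

    def connect_ce(self, vrf_name: str, prefix: str) -> None:
        """A CE loopback learned on the VRF's interface: the route is owned by this PE's VRF."""
        self.vrfs[vrf_name].routes[prefix] = (self.name, vrf_name)

    def export_routes(self) -> list:
        """MPBGP send side: prepend the VRF's RD to each local route and tag it with the export RTs."""
        return [(vrf.rd, prefix, frozenset(vrf.export_rt), owner)
                for vrf in self.vrfs.values()
                for prefix, owner in vrf.routes.items()
                if owner[0] == self.name]            # only advertise locally attached routes

    def receive_routes(self, updates: list) -> list:
        """MPBGP receive side: store by RD+prefix, then import into every VRF whose import RT matches."""
        imported = []
        for rd, prefix, rts, owner in updates:
            self.vpnv4_table[vpnv4_key(rd, prefix)] = (rd, prefix, rts, owner)
            for vrf in self.vrfs.values():
                if vrf.import_rt & rts:              # RT match decides which VRF table gets the route
                    vrf.routes[prefix] = owner
                    imported.append((vrf.name, prefix, owner))
        return imported


def build_topology() -> tuple:
    """PE1/PE2 as configured in the post; RD and RT values are the post's, CE3/CE4 loopbacks are assumed."""
    pe1, pe2 = Pe("PE1"), Pe("PE2")
    pe1.add_vrf(Vrf("A", "1:1", {"10:1"}, {"10:1"}, "f0/0"))
    pe1.add_vrf(Vrf("B", "2:2", {"10:2"}, {"10:2"}, "f1/0"))
    pe2.add_vrf(Vrf("C", "3:3", {"10:1"}, {"10:1"}, "f1/0"))
    pe2.add_vrf(Vrf("D", "4:4", {"10:2"}, {"10:2"}, "f2/0"))
    pe1.connect_ce("A", "192.168.1.1/32")   # CE1 loopback0
    pe1.connect_ce("B", "192.168.1.1/32")   # CE2 loopback0: same address, different VRF
    pe2.connect_ce("C", "192.168.3.3/32")   # CE3 loopback0 (assumed address)
    pe2.connect_ce("D", "192.168.4.4/32")   # CE4 loopback0 (assumed address)
    return pe1, pe2


def run_exchange() -> dict:
    """Exchange VPNv4 routes between the MPBGP neighbors in both directions; return the PEs by name."""
    pe1, pe2 = build_topology()
    pe2.receive_routes(pe1.export_routes())
    pe1.receive_routes(pe2.export_routes())
    return {"PE1": pe1, "PE2": pe2}


def egress_interface(pes: dict, ingress_pe: str, ingress_vrf: str, dst: str):
    """Follow a packet entering ingress_vrf: its VRF route names the owning PE/VRF, whose interface is the egress."""
    owner = pes[ingress_pe].vrfs[ingress_vrf].routes.get(dst)
    if owner is None:
        return None                                  # no route in this VRF: the ping fails, isolation holds
    owner_pe, owner_vrf = owner
    return owner_pe, pes[owner_pe].vrfs[owner_vrf].interface


if __name__ == "__main__":
    pes = run_exchange()
    for pe_name, vrf_name, dst in [("PE2", "C", "192.168.1.1/32"), ("PE2", "D", "192.168.1.1/32"),
                                   ("PE1", "A", "192.168.3.3/32"), ("PE1", "A", "192.168.4.4/32")]:
        print(pe_name, vrf_name, dst, "->", egress_interface(pes, pe_name, vrf_name, dst))
```

Running it shows the post's requirements falling out of the three mechanisms: traffic entering VRF C on PE2 for 192.168.1.1 leaves PE1 on f0/0 (CE1), traffic entering VRF D leaves on f1/0 (CE2), and VRF A on PE1 has no route at all for CE4's loopback, so that ping fails. If the RT on VRF C were changed to something other than 10:1, the route from VRF A would stay in PE2's VPNv4 table but never be installed into VRF C, which is the RT rule from the text.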

Combining the VRF, RD and RT techniques realizes the topology requirements:

On the MPLS network, loopback0 of CE1 can ping loopback0 of CE3 successfully, but cannot ping CE4.

Loopback0 of CE2 can ping loopback0 of CE4, but cannot ping CE3.


Origin blog.csdn.net/weixin_41687096/article/details/131642934