MPLS VPN Lab

1. Lab requirements
An enterprise network has a headquarters (Headquarter) and three branches. The main business of Branch1 is finance; Branch2 and Branch3 run general office (OA) business. Headquarters must receive the route entries of Branch1, Branch2 and Branch3, while Branch1 must not receive the route entries of Branch2 and Branch3. The enterprise backbone is large, so a VPN route reflector (RR) is used to simplify the configuration.
In an MPLS L3VPN this kind of separation is enforced only by the import and export route targets (RTs) of the VPN instances on the PEs, so the RT plan in 3.2 is what actually implements the requirement; the RD only keeps overlapping prefixes distinct in VPNv4 and provides no isolation by itself.



2. Lab topology



3. Key techniques
3.1 Deploy IS-IS on the backbone to build the underlay; configure R2, R3 and R4
# Deploy IS-IS on R2
[R2] isis 1
[R2-isis-1] is-level level-2
[R2-isis-1] cost-style wide
[R2-isis-1] network-entity 49.0001.0100.1001.0002.00
[R2-isis-1] is-name R2
[R2-isis-1] quit
[R2] interface LoopBack0
[R2-LoopBack0] isis enable 1
[R2-LoopBack0] quit
[R2] interface GigabitEthernet0/0/1
[R2-GigabitEthernet0/0/1] isis enable 1
[R2-GigabitEthernet0/0/1] quit
[R2] interface GigabitEthernet0/0/2
[R2-GigabitEthernet0/0/2] isis enable 1
[R2-GigabitEthernet0/0/2] quit
# R3 and R4 are configured the same way, each with its own NET and backbone interfaces
Check on R3: display isis peer 【adjacencies with R2 and R4 should be Up】

3.2 Plan the RT and RD values of the VPN instances and bind the VPN instances to the PE interfaces; R2 is shown here, R4 is configured the same way (below)
# Configure the VPN instances on R2, bind them to interfaces and assign IP addresses
[R2] ip vpn-instance Finance&OA
[R2-vpn-instance-Finance&OA] route-distinguisher 65100:12 【planned RD】
[R2-vpn-instance-Finance&OA-af-ipv4] vpn-target 65100:12 65001:65002 【planned RTs; vpn-target with no keyword sets both import and export】
[R2-vpn-instance-Finance&OA-af-ipv4] quit
[R2] ip vpn-instance OA
[R2-vpn-instance-OA] route-distinguisher 65001:2
[R2-vpn-instance-OA-af-ipv4] vpn-target 65001:65002
[R2-vpn-instance-OA-af-ipv4] quit
# Bind the VPN instances to the interfaces (binding removes any IP address already on the interface, so assign the address after the binding)
[R2] interface GigabitEthernet0/0/3
[R2-GigabitEthernet0/0/3] ip binding vpn-instance Finance&OA
[R2-GigabitEthernet0/0/3] ip address 10.0.12.2 255.255.255.0
[R2-GigabitEthernet0/0/3] quit
[R2] interface GigabitEthernet0/0/4
[R2-GigabitEthernet0/0/4] ip binding vpn-instance OA
[R2-GigabitEthernet0/0/4] ip address 10.0.21.2 255.255.255.0
[R2-GigabitEthernet0/0/4] quit



# Configure the VPN instances on R4, bind them to interfaces and assign IP addresses
[R4] ip vpn-instance Finance
[R4-vpn-instance-Finance] route-distinguisher 65100:1
[R4-vpn-instance-Finance-af-ipv4] vpn-target 65100:12 【Finance imports only 65100:12, so it never learns the OA routes tagged 65001:65002; this single line is what isolates Branch1】
[R4-vpn-instance-Finance-af-ipv4] quit
[R4] ip vpn-instance OA
[R4-vpn-instance-OA] route-distinguisher 65002:2
[R4-vpn-instance-OA-af-ipv4] vpn-target 65001:65002
[R4-vpn-instance-OA-af-ipv4] quit
[R4] interface GigabitEthernet0/0/2
[R4-GigabitEthernet0/0/2] ip binding vpn-instance Finance
[R4-GigabitEthernet0/0/2] ip address 10.0.45.4 255.255.255.0
[R4-GigabitEthernet0/0/2] quit
[R4] interface GigabitEthernet0/0/5
[R4-GigabitEthernet0/0/5] ip binding vpn-instance OA
[R4-GigabitEthernet0/0/5] ip address 10.0.42.4 255.255.255.0
[R4-GigabitEthernet0/0/5] quit
Check: display ip vpn-instance verbose 【RD, import/export RTs and bound interfaces of every instance】



3.3 Deploy MPLS and MPLS LDP on the backbone
[R2] mpls lsr-id 10.10.10.2 【the LSR ID is the LoopBack0 address, which is also the VPNv4 peering address】
[R2] mpls
[R2-mpls] quit
[R2] mpls ldp
[R2-mpls-ldp] quit
[R2] interface GigabitEthernet0/0/1
[R2-GigabitEthernet0/0/1] mpls
[R2-GigabitEthernet0/0/1] mpls ldp
[R2-GigabitEthernet0/0/1] quit
[R2] interface GigabitEthernet0/0/2
[R2-GigabitEthernet0/0/2] mpls
[R2-GigabitEthernet0/0/2] mpls ldp
[R2-GigabitEthernet0/0/2] quit
# R3 and R4 are configured the same way, with lsr-id 10.10.10.3 and 10.10.10.4
Check on R3:
display mpls ldp session 【the LDP sessions with R2 and R4 should be Operational】
display mpls lsp 【an LSP to the LoopBack0 /32 of each LSR should exist; VPN traffic is only forwarded if the VPNv4 next hop is reachable over an LSP】




3.4 Create the VPNv4 IBGP peers on the backbone, which carry the VPN routes
# Configure the VPNv4 IBGP peer on R2
[R2] bgp 65100
[R2-bgp] undo default ipv4-unicast 【only the VPNv4 family is needed between PEs and the RR】
[R2-bgp] peer 10.10.10.3 as-number 65100
[R2-bgp] peer 10.10.10.3 connect-interface LoopBack0
[R2-bgp] ipv4-family vpnv4
[R2-bgp-af-vpnv4] peer 10.10.10.3 enable
[R2-bgp-af-vpnv4] quit
# Configure the VPNv4 IBGP peers on R3. R3 is the VPN RR and must disable RT filtering: by default a router keeps only VPNv4 routes whose RT matches one of its local VPN instances, and R3 has none, so without "undo policy vpn-target" it would discard every route instead of reflecting it
[R3] bgp 65100
[R3-bgp] undo default ipv4-unicast
[R3-bgp] peer 10.10.10.2 as-number 65100
[R3-bgp] peer 10.10.10.2 connect-interface LoopBack0
[R3-bgp] peer 10.10.10.4 as-number 65100
[R3-bgp] peer 10.10.10.4 connect-interface LoopBack0
[R3-bgp] ipv4-family vpnv4
[R3-bgp-af-vpnv4] undo policy vpn-target
[R3-bgp-af-vpnv4] peer 10.10.10.2 enable
[R3-bgp-af-vpnv4] peer 10.10.10.2 reflect-client
[R3-bgp-af-vpnv4] peer 10.10.10.4 enable
[R3-bgp-af-vpnv4] peer 10.10.10.4 reflect-client
[R3-bgp-af-vpnv4] quit
# R4 is configured like R2, peering with 10.10.10.3
Check:
[R3-bgp] display bgp vpnv4 all peer 【both clients should be Established; the RR now holds the routes of every VPN, so the import RTs on the PEs are the only thing keeping the VPNs apart】

3.5 Advertise the routes of the Finance VPN
# R1 (CE at headquarters) runs OSPF with R2; on R2 the OSPF process runs inside the VPN instance
[R1] router id 10.10.10.1
[R1] ospf 1
[R1-ospf-1] area 0
[R1-ospf-1-area-0.0.0.0] network 10.0.1.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0] network 10.0.12.1 0.0.0.0
[R2] router id 10.10.10.2
[R2] ospf 1 vpn-instance Finance&OA
[R2-ospf-1] area 0
[R2-ospf-1-area-0.0.0.0] network 10.0.12.2 0.0.0.0
[R2-ospf-1-area-0.0.0.0] quit
# Two-way route import on R2 and R4: OSPF imports the BGP (VPN) routes toward the CE, and BGP advertises the CE loopback in the VPN instance address family
[R2] ospf 1 vpn-instance Finance&OA
[R2-ospf-1] import-route bgp
[R2-ospf-1] quit
[R2] bgp 65100
[R2-bgp] ipv4-family vpn-instance Finance&OA
[R2-bgp-Finance&OA] network 10.0.1.1 32 【works only because 10.0.1.1/32 is already in the Finance&OA routing table via OSPF; "import-route ospf 1" here would redistribute every CE route instead of a single prefix】
[R4] ospf 1 vpn-instance Finance
[R4-ospf-1] import-route bgp
[R4-ospf-1] quit
[R4] bgp 65100
[R4-bgp] ipv4-family vpn-instance Finance
[R4-bgp-Finance] network 10.0.1.2 32
# The OSPF area/network configuration on R4 (toward R5 on 10.0.45.0/24) and on the CE R5 follows the R1/R2 pattern and is not shown here

3.6 Advertise the routes of the OA VPN
# Build an EBGP peering between S1 (CE) and R2 (PE) inside the OA instance and advertise the routes
[S1] bgp 65001
[S1-bgp] peer 10.0.21.2 as-number 65100
[S1-bgp] network 10.0.2.1 32
[S1-bgp] quit
[R2] bgp 65100
[R2-bgp] ipv4-family vpn-instance OA
[R2-bgp-OA] peer 10.0.21.1 as-number 65001
[R2-bgp-OA] quit
# Build an EBGP peering between S2 (CE) and R4 (PE) inside the OA instance and advertise the routes
[S2] bgp 65002
[S2-bgp] peer 10.0.42.4 as-number 65100
[S2-bgp] network 10.0.2.2 32
[S2-bgp] quit
[R4] bgp 65100
[R4-bgp] ipv4-family vpn-instance OA
[R4-bgp-OA] peer 10.0.42.2 as-number 65002
[R4-bgp-OA] quit
Check on R2: display bgp vpnv4 vpn-instance OA peer 【the S1 session should be Established】

4. Test
From S1, ping the CE loopbacks in the Finance, Finance&OA and OA instances. The Finance instance on R4 imports and exports only 65100:12, so S1 cannot ping it; S1 can ping the loopbacks in Finance&OA and OA because their import/export RTs match the RT of the OA instance bound to the R2 interface toward S1.
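The following Python model is an added example and not part of the original lab notes. It encodes the VPN instances of R2 and R4 exactly as planned in 3.2, the RT filter on the VPN RR R3 from 3.4, and the CE loopbacks advertised in 3.5 and 3.6, then computes which instance ends up holding which prefix and whether each ping from S1 in the test above can succeed in both directions. It also shows what happens on the RR when "undo policy vpn-target" is forgotten. The class and function names (VpnInstance, VpnRoute, build, can_ping) are assumptions made for this example; nothing here is VRP command output.

```python
"""RT import/export model for the MPLS L3VPN lab above (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnInstance:
    pe: str
    name: str
    rd: str
    export_rt: frozenset
    import_rt: frozenset


@dataclass(frozen=True)
class VpnRoute:
    rd: str            # RD:prefix is what keeps the VPNv4 NLRI unique
    prefix: str
    rts: frozenset     # export RTs attached by the originating PE
    origin: tuple      # (pe, instance) that originated the route


def both(*rts):
    """'vpn-target X' with no keyword means X is both export and import RT."""
    return frozenset(rts), frozenset(rts)


# VPN instances as configured in section 3.2 (values taken from the lab).
INSTANCES = [
    VpnInstance("R2", "Finance&OA", "65100:12", *both("65100:12", "65001:65002")),
    VpnInstance("R2", "OA", "65001:2", *both("65001:65002")),
    VpnInstance("R4", "Finance", "65100:1", *both("65100:12")),
    VpnInstance("R4", "OA", "65002:2", *both("65001:65002")),
]

# CE loopbacks advertised into each instance (sections 3.5 and 3.6).
CE_PREFIXES = {
    ("R2", "Finance&OA"): "10.0.1.1/32",  # R1, headquarters, via OSPF
    ("R2", "OA"): "10.0.2.1/32",          # S1, AS 65001, via EBGP
    ("R4", "Finance"): "10.0.1.2/32",     # R5, Branch1 finance, via OSPF
    ("R4", "OA"): "10.0.2.2/32",          # S2, AS 65002, via EBGP
}


def originate(instances, prefixes):
    """Each PE turns a VRF prefix into a VPNv4 route tagged with the export RTs."""
    return [VpnRoute(i.rd, prefixes[(i.pe, i.name)], i.export_rt, (i.pe, i.name))
            for i in instances]


def reflect(routes, rr_import_rts, rt_filter_enabled):
    """VPN RR R3. With 'policy vpn-target' on (the default) a router keeps only
    routes carrying one of its own import RTs. R3 hosts no VPN instance, so with
    the filter on it drops everything; 'undo policy vpn-target' reflects all."""
    if not rt_filter_enabled:
        return list(routes)
    return [r for r in routes if r.rts & rr_import_rts]


def vrf_tables(instances, routes, reflected):
    """Import step on each PE: an instance takes a route if it carries one of
    its import RTs and came either from another instance on the same PE
    (local cross-instance import, no RR involved) or through the RR."""
    tables = {}
    for inst in instances:
        me = (inst.pe, inst.name)
        local = [r for r in routes if r.origin[0] == inst.pe and r.origin != me]
        remote = [r for r in reflected if r.origin[0] != inst.pe]
        tables[me] = {r.prefix for r in local + remote if r.rts & inst.import_rt}
    return tables


def build(rt_filter_on_rr=False):
    """originate -> reflect -> import; returns {(pe, instance): set of prefixes}."""
    routes = originate(INSTANCES, CE_PREFIXES)
    reflected = reflect(routes, frozenset(), rt_filter_on_rr)
    return vrf_tables(INSTANCES, routes, reflected)


def can_ping(tables, src, dst):
    """A ping between CE loopbacks needs a route in both directions: the source
    instance must hold the destination prefix and the destination the source's."""
    return CE_PREFIXES[dst] in tables[src] and CE_PREFIXES[src] in tables[dst]


if __name__ == "__main__":
    t = build()
    for inst, prefixes in sorted(t.items(), key=lambda kv: kv[0]):
        print(f"{inst[0]}/{inst[1]}: {sorted(prefixes)}")
    s1 = ("R2", "OA")
    for dst in (("R2", "Finance&OA"), ("R4", "Finance"), ("R4", "OA")):
        state = "reachable" if can_ping(t, s1, dst) else "blocked"
        print(f"S1 -> {dst[0]}/{dst[1]}: {state}")
```

Running it reproduces the test result: R4/Finance holds only 10.0.1.1/32, R2/Finance&OA holds all three branch loopbacks, and from S1 only Finance&OA and OA answer. Calling build(rt_filter_on_rr=True) shows the failure mode of an RR left with the default RT filter: nothing crosses the backbone, and S1 only sees the headquarters prefix imported locally on R2.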