BGP MPLS VPN Comprehensive Lab
Updated: 2024-01-15 22:21:01
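The lab topology is as follows:
I. Lab background:
R1, R2 and R3 are the PE-P-PE devices of a carrier network. R1/R2/R3 run OSPF to provide reachability for IBGP and carry the MPLS VPN service; R1, R2 and R3 form one MPLS domain. R4, R5, R6 and R7 simulate the customer's CE devices. R4 and R6 belong to the same VPN site, SITE-A; R5 and R7 belong to the same VPN site, SITE-B.
II. Routing between PE and CE:
R1 and R4: OSPF + VPN multi-instance
R1 and R5: EBGP
R3 and R6: static routing
R3 and R7: EBGP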
III. IP address plan:
R1  E0/0/0: 192.168.1.1/30   LOOPBACK: 1.1.1.1/32   E0/0/1: 192.168.3.1/30   G0/0/0: 192.168.4.1/30
R2  E0/0/0: 192.168.1.2/30   E0/0/1: 192.168.2.1/30   LOOPBACK: 2.2.2.2/32
R3  E0/0/0: 192.168.2.2/30   LOOPBACK: 3.3.3.3/32   E0/0/1: 192.168.5.1/30   G0/0/0: 192.168.6.1/30
R4  E0/0/0: 192.168.3.2/30   LOOPBACK: 4.4.4.4/32
R5  E0/0/0: 192.168.4.2/30   LOOPBACK: 5.5.5.5/32
R6  E0/0/0: 192.168.5.2/30   LOOPBACK: 6.6.6.6/32
R7  E0/0/0: 192.168.6.1/30   LOOPBACK: 7.7.7.7/32
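IV. Lab requirements:
Complete the lab as specified. Service verification: CEs in the same VPN site must be able to reach each other. You should also become proficient at viewing VPN routing information.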
Configuration steps:
1. First configure the IP addresses of all devices (omitted).
2. Complete the OSPF configuration among R1-R2-R3:
R1
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 1.1.1.1 0.0.0.0
R2
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.3
  network 2.2.2.2 0.0.0.0
  network 192.168.2.0 0.0.0.3
R3
ospf 1
 area 0.0.0.0
  network 192.168.2.0 0.0.0.3
  network 3.3.3.3 0.0.0.0
3. Complete the IBGP configuration between R1 and R3
R1
bgp 100
 peer 3.3.3.3 as-number 100
 peer 3.3.3.3 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 3.3.3.3 enable
R3
bgp 100
 peer 1.1.1.1 as-number 100
 peer 1.1.1.1 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  peer 1.1.1.1 enable
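Note: Because the service BGP carries here is MPLS VPN, it is not necessary to establish the IBGP neighbor relationship between R1 and R3; it is configured only so that the BGP VPNv4 peer configuration, which is similar, is easier to learn. We now configure the BGP VPN peers.
R1:
 ipv4-family vpnv4
  policy vpn-target
  peer 3.3.3.3 enable
R3:
 ipv4-family vpnv4
  policy vpn-target
  peer 1.1.1.1 enable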
After the configuration is complete, check whether the BGP VPNv4 peer has been established, using the following command:
[R1-bgp]display bgp vpnv4 all peer
 BGP local router ID : 192.168.1.1
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1
  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
  3.3.3.3         4   100      200      201     0 03:18:14 Established
4. Complete the VPN configuration between PE and CE (R1-R5).
Create the VPN instances (VRFs) on R1:
ip vpn-instance site-a
 ipv4-family
  route-distinguisher 20:20
  vpn-target 10:10 export-extcommunity
  vpn-target 10:10 import-extcommunity
#
ip vpn-instance site-b
 ipv4-family
  route-distinguisher 30:30
  vpn-target 40:40 export-extcommunity
  vpn-target 40:40 import-extcommunity
Bind the VPN instance on the interface:
interface GigabitEthernet0/0/0
 ip binding vpn-instance site-b
 ip address 192.168.4.1 255.255.255.252
Note 1:
When a VPN instance is bound on an interface that already has an IP address configured:
interface GigabitEthernet0/0/0
 ip binding vpn-instance site-b
Info: All IPv4 related configurations on this interface are removed!
The device reports that all IPv4 addresses have been cleared, so the address must be configured again. The same happens after the binding is removed. Remember this!
interface GigabitEthernet0/0/0
 ip binding vpn-instance site-b
 ip address 192.168.4.1 255.255.255.252
Note 2:
When running a ping test inside a VPN, the VPN instance name must be specified for the ping to succeed; without it the ping fails.
[R1]ping 192.168.4.2
  PING 192.168.4.2: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
The correct ping test is:
[R1]ping -vpn-instance site-b 192.168.4.2
  PING 192.168.4.2: 56 data bytes, press CTRL_C to break
    Reply from 192.168.4.2: bytes=56 Sequence=1 ttl=255 time=80 ms
    Reply from 192.168.4.2: bytes=56 Sequence=2 ttl=255 time=40 ms
    Reply from 192.168.4.2: bytes=56 Sequence=3 ttl=255 time=30 ms
    Reply from 192.168.4.2: bytes=56 Sequence=4 ttl=255 time=40 ms
5. Complete the EBGP configuration between PE and CE (R1-R5).
R1:
bgp 100
 ipv4-family vpn-instance site-b
  peer 192.168.4.2 as-number 500
R5
bgp 500
 peer 192.168.4.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  peer 192.168.4.1 enable
Check whether the BGP VPNv4 peer has been established:
[R1-bgp]display bgp vpnv4 all peer
 BGP local router ID : 192.168.1.1
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2
  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
  3.3.3.3         4   100      260      261     0 04:18:38 Established       0
  Peer of IPv4-family for vpn instance :
 VPN-Instance site-b, Router ID 192.168.1.1:
  192.168.4.2     4   500        3        2     0 00:00:03 Established       1
Or view it directly by specifying the VPN instance name:
[R1-bgp]display bgp vpnv4 vpn-instance site-b peer
 BGP local router ID : 192.168.1.1
 Local AS number : 100
 VPN-Instance site-b, Router ID 192.168.1.1:
 Total number of peers : 1                 Peers in established state : 1
  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv
  192.168.4.2     4   500       10        9     0 00:07:08 Established       1
Now we advertise R5's loopback address, without using the import method:
R5
bgp 500
 network 5.5.5.5 255.255.255.255
After advertising it, check on R1 whether the route has been learned:
[R1-bgp]display bgp vpnv4 all routing-table
 BGP Local router ID is 192.168.1.1
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 Total number of routes from all PE: 1
 Route Distinguisher: 30:30
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   5.5.5.5/32         192.168.4.2     0                     0      500i
 VPN-Instance site-b, Router ID 192.168.1.1:
 Total Number of Routes: 1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   5.5.5.5/32         192.168.4.2     0                     0      500i
Let's see whether R3 can learn it:
Checking shows that R3 has not learned the BGP VPN route for 5.5.5.5. On Cisco devices the route should already be learned at this point, but on Huawei devices it is learned only after MPLS has been enabled. You can try an experiment without VPN to see this for yourself.
6. Enable the R1-R2-R3 MPLS domain.
R1
mpls lsr-id 1.1.1.1
mpls
mpls ldp
#
interface Ethernet0/0/0
 ip address 192.168.1.1 255.255.255.252
 mpls
 mpls ldp
R2:
mpls lsr-id 2.2.2.2
mpls
mpls ldp
#
interface Ethernet0/0/0
 mpls
 mpls ldp
#
interface Ethernet0/0/1
 mpls
 mpls ldp
R3:
mpls lsr-id 3.3.3.3
mpls
mpls ldp
#
[R3]interface Ethernet0/0/0
[R3-Ethernet0/0/0]mpls
[R3-Ethernet0/0/0]mpls ldp
Then check the route to 5.5.5.5 on R3:
[R3]display bgp vpnv4 all routing-table
 BGP Local router ID is 192.168.2.2
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 Total number of routes from all PE: 1
 Route Distinguisher: 30:30
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  5.5.5.5/32         1.1.1.1         0          100        0      500i
 VPN-Instance site-b, Router ID 192.168.2.2:
 Total Number of Routes: 1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  5.5.5.5/32         1.1.1.1         0          100        0      500i
7. Complete the configuration between R3 and R7 (omitted).
After the configuration is complete, view the BGP VPNv4 routes on R3:
[R3]display bgp vpnv4 all routing-table
 BGP Local router ID is 192.168.2.2
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 Total number of routes from all PE: 2
 Route Distinguisher: 30:30
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  5.5.5.5/32         1.1.1.1         0          100        0      500i
 *>   7.7.7.7/32         192.168.6.2     0                     0      700i
 VPN-Instance site-b, Router ID 192.168.2.2:
 Total Number of Routes: 2
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  5.5.5.5/32         1.1.1.1         0          100        0      500i
 *>   7.7.7.7/32         192.168.6.2     0                     0      700i
On R7, run a ping test to 5.5.5.5:
[R7-bgp]ping 5.5.5.5
  PING 5.5.5.5: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
  --- 5.5.5.5 ping statistics ---
    2 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
The test shows that a plain ping to 5.5.5.5 fails, but a ping with the source address specified succeeds:
[R7-bgp]ping -a 7.7.7.7 5.5.5.5
  PING 5.5.5.5: 56 data bytes, press CTRL_C to break
    Reply from 5.5.5.5: bytes=56 Sequence=1 ttl=253 time=210 ms
    Reply from 5.5.5.5: bytes=56 Sequence=2 ttl=253 time=110 ms
    Reply from 5.5.5.5: bytes=56 Sequence=3 ttl=253 time=170 ms
    Reply from 5.5.5.5: bytes=56 Sequence=4 ttl=253 time=110 ms
    Reply from 5.5.5.5: bytes=56 Sequence=5 ttl=253 time=100 ms
  --- 5.5.5.5 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 100/140/210 ms
  PING 7.7.7.7: 56 data bytes, press CTRL_C to break
    Reply from 7.7.7.7: bytes=56 Sequence=1 ttl=253 time=130 ms
    Reply from 7.7.7.7: bytes=56 Sequence=2 ttl=253 time=80 ms
    Reply from 7.7.7.7: bytes=56 Sequence=3 ttl=253 time=110 ms
  --- 7.7.7.7 ping statistics ---
    3 packet(s) transmitted
    3 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 80/106/130 ms
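Why is this? A plain ping is equivalent to pinging with the interface address as the source address, and there is no route between the interface IP address and 5.5.5.5.
So what do we do? The routes of the interfaces directly connected to the VPN have to be advertised. On R1 this can be done with either the network method or the import method.
In a production network there are many prefixes to advertise, and using network would mean entering each one by hand, which is a lot of work. Here we use the import method:
[R1]bgp 100
[R1-bgp] ipv4-family vpn-instance site-b
[R1-bgp-site-b]import-route direct
[R3]bgp 100
[R3-bgp] ipv4-family vpn-instance site-b
[R3-bgp-site-b]import-route direct
The network method is also given for reference:
[R1] bgp 100
 ipv4-family vpn-instance site-b
  network 192.168.4.0 255.255.255.252
  peer 192.168.4.2 as-number 500
[R3] bgp 100
 ipv4-family vpn-instance site-b
  network 192.168.6.0 255.255.255.252
  peer 192.168.6.2 as-number 700
Once this is done we can test with ping: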
[R1]ping -vpn-instance site-b 192.168.6.1
  PING 192.168.6.1: 56 data bytes, press CTRL_C to break
    Reply from 192.168.6.1: bytes=56 Sequence=1 ttl=254 time=100 ms
    Reply from 192.168.6.1: bytes=56 Sequence=2 ttl=254 time=50 ms
    Reply from 192.168.6.1: bytes=56 Sequence=3 ttl=254 time=60 ms
    Reply from 192.168.6.1: bytes=56 Sequence=4 ttl=254 time=70 ms
    Reply from 192.168.6.1: bytes=56 Sequence=5 ttl=254 time=80 ms
  --- 192.168.6.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 50/72/100 ms
[R1]ping -vpn-instance site-b 5.5.5.5
  PING 5.5.5.5: 56 data bytes, press CTRL_C to break
    Reply from 5.5.5.5: bytes=56 Sequence=1 ttl=255 time=30 ms
    Reply from 5.5.5.5: bytes=56 Sequence=2 ttl=255 time=60 ms
    Reply from 5.5.5.5: bytes=56 Sequence=3 ttl=255 time=30 ms
  --- 5.5.5.5 ping statistics ---
    3 packet(s) transmitted
    3 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/40/60 ms
[R1]ping -vpn-instance site-b 7.7.7.7
  PING 7.7.7.7: 56 data bytes, press CTRL_C to break
    Reply from 7.7.7.7: bytes=56 Sequence=1 ttl=254 time=130 ms
    Reply from 7.7.7.7: bytes=56 Sequence=2 ttl=254 time=90 ms
    Reply from 7.7.7.7: bytes=56 Sequence=3 ttl=254 time=60 ms
    Reply from 7.7.7.7: bytes=56 Sequence=4 ttl=254 time=130 ms
    Reply from 7.7.7.7: bytes=56 Sequence=5 ttl=254 time=70 ms
  --- 7.7.7.7 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 60/96/130 ms
[R5]ping 7.7.7.7
  PING 7.7.7.7: 56 data bytes, press CTRL_C to break
    Reply from 7.7.7.7: bytes=56 Sequence=1 ttl=253 time=110 ms
    Reply from 7.7.7.7: bytes=56 Sequence=2 ttl=253 time=70 ms
    Reply from 7.7.7.7: bytes=56 Sequence=3 ttl=253 time=90 ms
    Reply from 7.7.7.7: bytes=56 Sequence=4 ttl=253 time=100 ms
    Reply from 7.7.7.7: bytes=56 Sequence=5 ttl=253 time=110 ms
  --- 7.7.7.7 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 70/96/110 ms
7. Complete the configuration between R1 and R4 (omitted).
[R1-ospf-2]dis this
#
ospf 2 vpn-instance site-a
 area 0.0.0.0
  network 192.168.3.0 0.0.0.3
8.
  network 192.168.3.0 0.0.0.3
  network 4.4.4.4 0.0.0.0
Likewise, once this is done on R1, the OSPF routes must be imported into the BGP VPN instance to generate BGP VPNv4 routes:
[R1] bgp 100
 ipv4-family vpn-instance site-a
  import-route ospf 2
After the import, view the BGP VPNv4 routes for R4 on R1:
[R1-bgp-site-a]display bgp vpnv4 vpn-instance site-a routing-table
 BGP Local router ID is 192.168.1.1
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 VPN-Instance site-a, Router ID 192.168.1.1:
 Total Number of Routes: 2
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   4.4.4.4/32         0.0.0.0         2                     0      ?
 *>   192.168.3.0/30     0.0.0.0         0                     0      ?
Here we can see that R1 has learned R4's routes (4.4.4.4 and the interconnect interface) and has generated BGP VPNv4 routes for them.
9. Complete the configuration between R3 and R6 (static routing).
On R3, use a static route to establish the VPNv4 route:
[R3]ip route-static vpn-instance site-a 6.6.6.6 255.255.255.255 192.168.5.2
After this is configured, the route to 6.6.6.6 should be visible in the VPN instance on R3:
[R3]display ip routing-table vpn-instance site-a
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: site-a
         Destinations : 3        Routes : 3
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        6.6.6.6/32  Static  60   0          RD   192.168.5.2     Ethernet0/0/1
    192.168.5.0/30  Direct  0    0           D   192.168.5.1     Ethernet0/0/1
    192.168.5.1/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/1
Then turn this route into a BGP VPNv4 route on R3:
[R3] bgp 100
 ipv4-family vpn-instance site-a
  import-route static
Once this is done, the BGP VPNv4 route for R6 is visible on R3:
[R3-bgp-site-a]display bgp vpnv4 vpn-instance site-a routing-table
 BGP Local router ID is 192.168.2.2
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 VPN-Instance site-a, Router ID 192.168.2.2:
 Total Number of Routes: 3
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  4.4.4.4/32         1.1.1.1         2          100        0      ?
 *>   6.6.6.6/32         0.0.0.0         0                     0      ?
 *>i  192.168.3.0/30     1.1.1.1         0          100        0      ?
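Looking at the routing table, we find BGP VPNv4 routes for R4's loopback address and interconnect interface, and a route for R6's loopback address, but no route for R6's interconnect address. Would this prevent R6's traffic from getting out?
To deal with this, we advertise R6's route as well. Again, either the network method or the import method can be used; we use import:
[R3] bgp 100
 ipv4-family vpn-instance site-a
  import-route direct
After the import, view the routing table:
[R3-bgp]display bgp vpnv4 vpn-instance site-a routing-table
 BGP Local router ID is 192.168.2.2
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 VPN-Instance site-a, Router ID 192.168.2.2:
 Total Number of Routes: 5
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  4.4.4.4/32         1.1.1.1         2          100        0      ?
 *>   6.6.6.6/32         0.0.0.0         0                     0      ?
 *>i  192.168.3.0/30     1.1.1.1         0          100        0      ?
 *>   192.168.5.0/30     0.0.0.0         0                     0      ?
 *>   192.168.5.1/32     0.0.0.0         0                     0      ?
After the import, the routes for the R3-R6 interconnect addresses have been added.
What needs to be done on R6? Its outbound traffic has to be directed to the gateway, that is, a default route is configured:
[R6] ip route-static 0.0.0.0 0.0.0.0 192.168.5.1
With all of the above configuration complete, the sites within each VPN can reach each other.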
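The route-target matching that decides which VPN instance installs which VPNv4 route in this lab, modelled as an added Python example (it is not part of the original lab write-up). The RD and vpn-target values for R1 come from step 4; R3's instance definitions are not shown on the page and are assumed to mirror R1's, and the function names are illustrative.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vrf:
    pe: str                # PE router holding the instance
    name: str              # ip vpn-instance name
    rd: str                # route-distinguisher (keeps prefixes unique, plays no part in import)
    export_rts: frozenset  # vpn-target ... export-extcommunity
    import_rts: frozenset  # vpn-target ... import-extcommunity
    prefixes: tuple        # routes injected by network / import-route

def rts(*values):
    return frozenset(values)

# R1 values come from step 4 of the lab. R3's instance definitions are not
# shown on the page; they are assumed here to mirror R1's.
LAB = [
    Vrf("R1", "site-a", "20:20", rts("10:10"), rts("10:10"), ("4.4.4.4/32", "192.168.3.0/30")),
    Vrf("R1", "site-b", "30:30", rts("40:40"), rts("40:40"), ("5.5.5.5/32", "192.168.4.0/30")),
    Vrf("R3", "site-a", "20:20", rts("10:10"), rts("10:10"), ("6.6.6.6/32", "192.168.5.0/30")),
    Vrf("R3", "site-b", "30:30", rts("40:40"), rts("40:40"), ("7.7.7.7/32", "192.168.6.0/30")),
]

def find(vrfs, pe, name):
    return next(v for v in vrfs if v.pe == pe and v.name == name)

def installed(vrf, vrfs):
    """Prefixes in one instance: its own, plus every VPNv4 route whose
    export route targets intersect this instance's import route targets."""
    routes = set(vrf.prefixes)
    for other in vrfs:
        if other != vrf and other.export_rts & vrf.import_rts:
            routes.update(other.prefixes)
    return routes

def cross_vpn_imports(vrfs):
    """Audit: (PE, importing instance, exporting VPN, RT) for every instance
    that imports a route target exported by a differently named VPN."""
    return sorted({(dst.pe, dst.name, src.name, rt)
                   for src in vrfs for dst in vrfs if src.name != dst.name
                   for rt in src.export_rts & dst.import_rts})

if __name__ == "__main__":
    for v in LAB:
        print(v.pe, v.name, sorted(installed(v, LAB)))
    print("cross-VPN imports:", cross_vpn_imports(LAB))
```

An empty audit result means site-a and site-b stay isolated; a single extra import target on one instance is enough to pull the other VPN's prefixes into it, which is what the audit reports.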
The complete configuration is as follows:
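Lab extension 2:
Lab background: among carriers nationwide, many ISPs may decide not to purchase P devices because of factors such as the cost of P devices (P/PE devices are generally NE5000E) and transmission resources, and instead use the PE to double as the P device. This lab removes the P device and uses R1 and R3 to simulate P/PE devices.
Updated IP address:
R3: E0/0/0: 192.168.1.2/30
The lab topology is as follows:
Then enable MPLS on R3's interface; the rest of the configuration is unchanged.
Lab extension 3:
Lab background: in PE-CE networking in carrier bearer networks, some carriers use S9300 series switches as CEs; the switch uses static routing or a dynamic routing protocol to establish routes.
In this lab the configuration between R1 and R3 is unchanged. R1 and SW1 use OSPF + VPN to establish the VPNv4 routes.
R3 and SW2 use static routing to establish routes. Here R3 acts as both PE and CE, and the switch serves as the Layer 3 gateway for the PC.
IP address plan:
R1   E0/0/1: 192.168.3.1/24
SW1  G0/0/1 passes VLAN 4000 through   VLANIF4000: 192.168.3.2/24   PC1: 192.168.3.100/24
R3   E0/0/1: 192.168.5.1/24
SW2  G0/0/1 passes VLAN 4000 through   VLANIF4000: 192.168.5.2/24   PC2's VLAN: VLAN 10   gateway VLANIF10 IP: 10.10.10.1/24   PC2: 10.10.10.100/24
The complete configuration is in the attachment.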