As shown in the figure below.
Description:
A typical hub-and-spoke topology.
The pink area in the middle is the company's backbone, AS 1.
Because AS numbers are scarce and expensive, HQ and the branches share one AS, AS 2, the blue area. Sharing an AS has a side effect that shows up in the configuration later: a branch route that has passed through the backbone and HQ carries AS 2 in its AS_PATH, so the next AS 2 router would drop it as a loop. That is what the substitute-as and allow-as-loop commands on the PEs are for.
The orange area is the Internet, AS 3.
Requirements:
Branch-to-branch traffic must transit HQ, entering and leaving via AR8.
Branch-to-Internet traffic must also transit HQ, entering via AR8 and leaving via AR9.
There are deployments where this is exactly what you want: if inter-branch traffic has to pass through HQ, HQ can apply policy to it, for example a firewall at HQ that blocks dangerous traffic, and HQ can monitor and account for branch-to-branch flows.
But it does not happen by itself. When branch traffic reaches the PE that connects the backbone to HQ, that PE forwards it with the VRF in which the routes were received and sent according to the VRF's own export and import targets, so the traffic is switched straight on to the other branch and never passes through HQ's routers.
Solution
Root cause: on the PE that connects the backbone to HQ, the import and export targets live in one VRF, so a branch route imported into that VRF is matched and used there directly. The PE has one forwarding table for HQ traffic, and that table already holds the direct path to every other branch, so HQ's routers are never in the data path. The fix is to split import and export across two VRFs: one VRF (named spoke) only imports, the other (named hub) only exports. The spoke VRF imports the branch routes (targets 6:6 and 7:7) and, having no export target, cannot push them back into the backbone; its only outlet is the EBGP session to the HQ router AR8. AR8 learns the branch routes there and re-advertises them over its second link into the hub VRF, which exports them with target 4:5, and that is what the branch PEs import. A branch therefore reaches the other branch through AR4's hub VRF; the hub VRF's only route for it points at AR8, AR8 sends the traffic back into the spoke VRF, and the spoke VRF switches it across the backbone to the other branch. Two VRFs are two forwarding tables: hub holds "not yet through HQ", spoke holds "already through HQ". That is what makes branch-to-branch traffic transit HQ.
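To make the route-target logic concrete, here is a small Python model of both designs. It is an added example, not code from the post. It uses the post's device names and targets (6:6 and 7:7 for the branches, 4:5 for HQ), a constructed prefix 20.1.111.0/24 for AR11's LAN and 20.3.89.0/24 as a stand-in for an HQ prefix, and it reduces BGP to the three rules stated in the comments. Tracing the other branch's prefix shows the difference: with two VRFs on AR4 the path runs hub VRF, AR8, spoke VRF; with one VRF, AR4's only route for that prefix points straight at AR7, and the branches never receive a route that goes through AR8.

```python
"""Toy model of hub-and-spoke L3VPN route targets and the resulting data path.

Added example, not from the original post. Device and VRF names follow the
post (AR4 hub PE, AR6/AR7 branch PEs, AR8 HQ router, AR10/AR11 branch routers);
the prefixes and the simplified BGP rules below are this model's assumptions.
"""
from dataclasses import dataclass, field

# Simplifications (assumptions of this model, not Huawei behaviour in full):
#  - a VRF exports only prefixes learned from an attached router, never
#    prefixes it imported over VPNv4 (a PE does not re-advertise those);
#  - a VRF imports a VPNv4 route when it shares at least one RT with it;
#  - a VRF keeps the route it already has; a copy coming back from the
#    HQ router does not replace it.


@dataclass
class Vrf:
    pe: str
    name: str
    imports: frozenset
    exports: frozenset
    table: dict = field(default_factory=dict)  # prefix -> ("ce", name) | ("pe", pe, vrf)
    local: set = field(default_factory=set)    # prefixes eligible for export

    def key(self):
        return (self.pe, self.name)


def advertise_vpnv4(vrfs):
    """VPNv4 advertisements as (prefix, RTs, originating (pe, vrf))."""
    return [(p, v.exports, v.key()) for v in vrfs if v.exports for p in v.local]


def import_vpnv4(vrfs, ads):
    """Install every advertisement whose RTs match; next hop is the originating VRF."""
    for v in vrfs:
        for prefix, rts, origin in ads:
            if origin[0] != v.pe and rts & v.imports:
                v.table.setdefault(prefix, ("pe",) + origin)


def ce_relay(ce_name, ce_table, from_vrf, to_vrf):
    """The HQ router learns what from_vrf advertises and re-advertises its whole
    table into to_vrf; routes learned from a CE become eligible for export."""
    for prefix in from_vrf.table:
        ce_table.setdefault(prefix, ("pe",) + from_vrf.key())
    for prefix in ce_table:
        if prefix not in to_vrf.table:
            to_vrf.table[prefix] = ("ce", ce_name)
            to_vrf.local.add(prefix)


def build(two_vrfs):
    """Lab with two VRFs on AR4 (the post's fix) or a single VRF (the problem)."""
    pe6 = Vrf("AR6", "spoke", frozenset({"4:5"}), frozenset({"6:6"}))
    pe7 = Vrf("AR7", "spoke", frozenset({"4:5"}), frozenset({"7:7"}))
    pe6.table["20.1.110.0/24"], pe6.local = ("ce", "AR10"), {"20.1.110.0/24"}
    pe7.table["20.1.111.0/24"], pe7.local = ("ce", "AR11"), {"20.1.111.0/24"}
    ces = {"AR8": {"20.3.89.0/24": ("local",)},     # HQ prefix (stand-in)
           "AR10": {"20.1.110.0/24": ("local",)},
           "AR11": {"20.1.111.0/24": ("local",)}}   # constructed prefix
    if two_vrfs:
        hub = Vrf("AR4", "hub", frozenset(), frozenset({"4:5"}))
        spoke = Vrf("AR4", "spoke", frozenset({"6:6", "7:7"}), frozenset())
        vrfs, inbound, outbound = [pe6, pe7, hub, spoke], spoke, hub
    else:
        one = Vrf("AR4", "single", frozenset({"6:6", "7:7"}), frozenset({"4:5"}))
        vrfs, inbound, outbound = [pe6, pe7, one], one, one
    import_vpnv4(vrfs, advertise_vpnv4(vrfs))        # branch routes reach AR4
    ce_relay("AR8", ces["AR8"], inbound, outbound)   # through HQ and back
    import_vpnv4(vrfs, advertise_vpnv4(vrfs))        # HQ-exported routes reach branches
    return vrfs, ces


def trace(vrfs, ces, start, prefix, max_hops=10):
    """Hop-by-hop forwarding path for prefix, starting in VRF start=(pe, vrf)."""
    by_key = {v.key(): v for v in vrfs}
    path, cur = [], ("pe",) + tuple(start)
    for _ in range(max_hops):
        if cur[0] == "pe":
            v = by_key[cur[1:]]
            path.append(f"{v.pe}/{v.name}")
            nh = v.table.get(prefix)
            if nh is None:
                return path + ["no route"]
        else:
            path.append(cur[1])
            nh = ces[cur[1]].get(prefix, ("local",))
            if nh[0] == "local":
                return path
        cur = nh
    return path + ["loop"]


if __name__ == "__main__":
    for two in (True, False):
        vrfs, ces = build(two)
        print("two VRFs" if two else "one VRF",
              trace(vrfs, ces, ("AR6", "spoke"), "20.1.111.0/24"),
              trace(vrfs, ces, ("AR4", "hub" if two else "single"), "20.1.111.0/24"))
```

The third simplification is the one that matters: a VRF is one forwarding table and keeps one best path per prefix. In the single-VRF case that path is the direct one across the backbone, so nothing AR8 hands back can take its place, and there is no route the branches could be given that passes through AR8. The two-VRF design sidesteps the problem rather than fighting best-path selection, which is why it is the standard hub-and-spoke pattern.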
Why is the backbone built like this, and what is AR1 for?
In MPLS BGP VPN the edge devices all run BGP, while AR2 and AR3 in the middle are plain P routers. Without AR1 every PE would need a VPNv4 session with every other PE (a full mesh), and both the control-plane traffic of those sessions and the data traffic would run through AR2 and AR3, putting a lot of load on them. With AR1 added, AR1 peers with every PE and acts as the VPNv4 route reflector, so the control-plane load on AR2 and AR3 moves to AR1 and they only carry labelled transit traffic. Separating control traffic from data traffic like this helps the stability of the whole backbone. One detail follows from it: AR1 has no VRFs, so it needs undo policy vpn-target, otherwise it would discard every VPNv4 route as matching no import target. On the PEs (AR4 to AR7) that command is not needed; their VRFs' import targets do the filtering, and leaving it in only makes each PE hold VPNv4 routes it will never use.
Enough talk, on to the configs.
AR1
mpls lsr-id 10.1.1.1
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 10.12.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.13.1.1 255.255.255.0
mpls
mpls ldp
#
interface NULL0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
#
bgp 1
router-id 10.1.1.1
group IBGP internal
peer IBGP connect-interface LoopBack0
peer 10.4.4.4 as-number 1
peer 10.4.4.4 group IBGP
peer 10.5.5.5 as-number 1
peer 10.5.5.5 group IBGP
peer 10.6.6.6 as-number 1
peer 10.6.6.6 group IBGP
peer 10.7.7.7 as-number 1
peer 10.7.7.7 group IBGP
#
ipv4-family unicast
undo synchronization
peer IBGP enable
peer IBGP reflect-client
peer 10.4.4.4 enable
peer 10.4.4.4 group IBGP
peer 10.5.5.5 enable
peer 10.5.5.5 group IBGP
peer 10.6.6.6 enable
peer 10.6.6.6 group IBGP
peer 10.7.7.7 enable
peer 10.7.7.7 group IBGP
#
ipv4-family vpnv4
undo policy vpn-target
peer IBGP enable
peer IBGP reflect-client
peer IBGP advertise-community
peer 10.4.4.4 enable
peer 10.4.4.4 group IBGP
peer 10.5.5.5 enable
peer 10.5.5.5 group IBGP
peer 10.6.6.6 enable
peer 10.6.6.6 group IBGP
peer 10.7.7.7 enable
peer 10.7.7.7 group IBGP
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 10.0.0.0 0.255.255.255
AR2 (AR3 is the same)
mpls lsr-id 10.2.2.2
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 10.12.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.26.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 10.24.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack0
ip address 10.2.2.2 255.255.255.255
#
ospf 1 router-id 10.2.2.2
area 0.0.0.0
network 10.0.0.0 0.255.255.255
AR4 (AR5 is the same, with the 59.1.x.x and 100.125.1.x addresses on its side)
ip vpn-instance hub
ipv4-family
route-distinguisher 4:8
vpn-target 4:5 export-extcommunity
#
ip vpn-instance int
ipv4-family
route-distinguisher 12:4
#
ip vpn-instance spoke
ipv4-family
route-distinguisher 8:4
vpn-target 6:6 7:7 import-extcommunity
#
mpls lsr-id 10.4.4.4
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.45.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0.1
dot1q termination vid 1
ip binding vpn-instance spoke
ip address 48.1.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0.2
dot1q termination vid 2
ip binding vpn-instance hub
ip address 48.1.2.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0.3
dot1q termination vid 3
ip address 48.1.3.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/1
ip binding vpn-instance int
ip address 100.124.1.1 255.255.255.0
#
interface LoopBack0
ip address 10.4.4.4 255.255.255.255
#
bgp 1
router-id 10.4.4.4
peer 10.1.1.1 as-number 1
peer 10.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 10.1.1.1 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 10.1.1.1 enable
peer 10.1.1.1 advertise-community
#
ipv4-family vpn-instance hub
peer 48.1.2.1 as-number 2
peer 48.1.2.1 allow-as-loop 10
#
ipv4-family vpn-instance int
import-route static
peer 100.124.1.2 as-number 3
#
ipv4-family vpn-instance spoke
peer 48.1.1.1 as-number 2
peer 48.1.1.1 substitute-as
#
ospf 1 router-id 10.4.4.4
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 vpn-instance int 100.124.1.2
ip route-static vpn-instance int 20.0.0.0 255.0.0.0 48.1.3.1 public
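The two odd lines in AR4's VRF sessions, peer 48.1.2.1 allow-as-loop 10 in the hub VRF and peer 48.1.1.1 substitute-as in the spoke VRF (plus the matching substitute-as on AR6 and AR7 toward the branch routers), exist only because HQ and the branches share AS 2. The Python below is an added example, not code from the post: it pushes one branch route along the same sequence of sessions the configs set up and applies the AS_PATH loop check at each EBGP hop, once with the two knobs on and once with them off. The session list and AS numbers are taken from the post; the loop-check rules are the standard ones, reduced to the AS_PATH attribute.

```python
"""AS_PATH loop check along the post's hub-and-spoke sessions.

Added example, not from the original post. It follows one branch route from
AR10 through AR6, AR4's spoke VRF, AR8, AR4's hub VRF and AR7 to AR11, applying
the AS_PATH loop check at every EBGP session. The session list mirrors the
post's configuration; the check itself is simplified to the AS_PATH attribute.
"""


def send(as_path, local_as, peer_as, substitute_as=False):
    """What an EBGP speaker advertises: with substitute-as, every occurrence of
    the peer's AS in the path is rewritten to the local AS first, then the
    local AS is prepended as usual."""
    path = [local_as if substitute_as and asn == peer_as else asn for asn in as_path]
    return [local_as] + path


def accept(as_path, local_as, allow_as_loop=0):
    """Receiver-side loop check: the route is dropped if the local AS appears
    more than allow-as-loop times (default 0)."""
    return as_path.count(local_as) <= allow_as_loop


# (sender, sender AS, receiver, receiver AS, substitute-as on sender, allow-as-loop on receiver)
HOPS = [
    ("AR10", 2, "AR6 spoke VRF", 1, False, 0),
    ("AR6", 1, "AR4 spoke VRF", 1, False, 0),         # VPNv4 via AR1: IBGP, path untouched
    ("AR4 spoke VRF", 1, "AR8", 2, True, 0),           # peer 48.1.1.1 substitute-as
    ("AR8", 2, "AR4 hub VRF", 1, False, 10),           # peer 48.1.2.1 allow-as-loop 10
    ("AR4 hub VRF", 1, "AR7 spoke VRF", 1, False, 0),  # VPNv4 via AR1 again
    ("AR7 spoke VRF", 1, "AR11", 2, True, 0),          # peer 106.1.1.2 substitute-as
]


def walk(hops, knobs_on=True):
    """Propagate one route along hops. Returns (delivered, last AS_PATH, log);
    knobs_on=False shows what happens with substitute-as and allow-as-loop removed."""
    path, log = [], []
    for sender, s_as, receiver, r_as, sub, allow in hops:
        if s_as == r_as:
            log.append(f"{sender} -> {receiver}: {path} (IBGP)")
            continue
        wire = send(path, s_as, r_as, sub and knobs_on)
        ok = accept(wire, r_as, allow if knobs_on else 0)
        log.append(f"{sender} -> {receiver}: {wire} {'accepted' if ok else 'REJECTED'}")
        if not ok:
            return False, wire, log
        path = wire
    return True, path, log


if __name__ == "__main__":
    for on in (True, False):
        delivered, path, log = walk(HOPS, on)
        print("knobs on" if on else "knobs off", "->",
              "delivered" if delivered else "dropped", path)
        print("\n".join("   " + line for line in log))
```

With the knobs off the route dies at the first AS 2 router after the backbone: AR8 sees its own AS in [1, 2] and drops it. With them on it reaches AR11 as [1, 1, 1, 1], every AS 2 replaced by AS 1. Keep in mind what that buys you: on those sessions BGP's only loop-prevention mechanism is switched off, so scope substitute-as and allow-as-loop to exactly these peers and put an explicit prefix filter on the hub VRF session, because anything a branch announces there will be accepted by HQ and re-exported to every other branch.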
AR6 (AR7 is the same)
ip vpn-instance spoke
ipv4-family
route-distinguisher 10:6
vpn-target 6:6 export-extcommunity
vpn-target 4:5 import-extcommunity
#
mpls lsr-id 10.6.6.6
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 10.26.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 10.67.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance spoke
ip address 106.1.1.1 255.255.255.0
#
interface LoopBack0
ip address 10.6.6.6 255.255.255.255
#
bgp 1
router-id 10.6.6.6
peer 10.1.1.1 as-number 1
peer 10.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 10.1.1.1 enable
#
ipv4-family vpnv4
undo policy vpn-target
peer 10.1.1.1 enable
peer 10.1.1.1 advertise-community
#
ipv4-family vpn-instance spoke
peer 106.1.1.2 as-number 2
peer 106.1.1.2 substitute-as
#
ospf 1 router-id 10.6.6.6
area 0.0.0.0
network 10.0.0.0 0.255.255.255
AR8 (the localpre policy raises local preference on the branch routes learned from AR4's spoke VRF; AR9 receives that preference over IBGP and prefers AR8's path, so branch-to-branch traffic leaves HQ through AR8)
interface GigabitEthernet0/0/0.1
dot1q termination vid 1
ip address 48.1.1.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/0.2
dot1q termination vid 2
ip address 48.1.2.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/0.3
dot1q termination vid 3
ip address 48.1.3.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/1
ip address 20.3.89.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 20.3.48.2 255.255.255.0
#
interface LoopBack0
ip address 20.3.8.8 255.255.255.255
#
bgp 2
router-id 20.3.8.8
peer 20.3.9.9 as-number 2
peer 20.3.9.9 connect-interface LoopBack0
peer 48.1.1.2 as-number 1
peer 48.1.2.2 as-number 1
#
ipv4-family unicast
undo synchronization
network 20.3.48.0 255.255.255.0
peer 20.3.9.9 enable
peer 48.1.1.2 enable
peer 48.1.1.2 route-policy localpre import
peer 48.1.2.2 enable
#
ospf 1 router-id 20.3.8.8
area 0.0.0.0
network 20.0.0.0 0.255.255.255
#
route-policy localpre permit node 10
apply local-preference 200
#
route-policy localpre permit node 20
AR9 (the med policy sets MED 100 on routes AR9 sends into AR5's hub VRF, so the branch PEs prefer the copies AR8 sends into AR4's hub VRF and branch traffic enters HQ through AR8)
interface GigabitEthernet0/0/0.1
dot1q termination vid 1
ip address 59.1.1.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/0.2
dot1q termination vid 2
ip address 59.1.2.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/0.3
dot1q termination vid 3
ip address 59.1.3.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/1
ip address 20.3.89.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 20.3.59.2 255.255.255.0
#
interface LoopBack0
ip address 20.3.9.9 255.255.255.255
#
bgp 2
router-id 20.3.9.9
peer 20.3.8.8 as-number 2
peer 20.3.8.8 connect-interface LoopBack0
peer 59.1.1.2 as-number 1
peer 59.1.2.2 as-number 1
#
ipv4-family unicast
undo synchronization
default-route imported
network 0.0.0.0
network 20.3.59.0 255.255.255.0
peer 20.3.8.8 enable
peer 59.1.1.2 enable
peer 59.1.2.2 enable
peer 59.1.2.2 route-policy med export
#
ospf 1 router-id 20.3.9.9
area 0.0.0.0
network 20.0.0.0 0.255.255.255
#
route-policy med permit node 10
apply cost 100
#
route-policy med permit node 20
#
ip route-static 0.0.0.0 0.0.0.0 59.1.3.2
ip route-static 0.0.0.0 0.0.0.0 20.3.89.1 preference 70
AR10 (AR11 is the same)
interface GigabitEthernet0/0/0
ip address 106.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 20.1.110.2 255.255.255.0
#
interface NULL0
#
interface LoopBack0
ip address 20.1.10.10 255.255.255.255
#
bgp 2
router-id 20.1.10.10
peer 106.1.1.1 as-number 1
#
ipv4-family unicast
undo synchronization
network 20.1.110.0 255.255.255.0
peer 106.1.1.1 enable
AR12 (the perval policy gives routes from AR5 a higher preferred-value, so AR12 sends traffic back toward AS 2 through AR5, and Internet return traffic enters HQ via AR9)
interface GigabitEthernet0/0/0
ip address 100.125.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 100.124.1.2 255.255.255.0
#
interface NULL0
#
interface LoopBack0
ip address 12.12.12.12 255.255.255.255
#
bgp 3
router-id 12.12.12.12
peer 100.124.1.1 as-number 1
peer 100.125.1.1 as-number 1
#
ipv4-family unicast
undo synchronization
network 12.12.12.12 255.255.255.255
peer 100.124.1.1 enable
peer 100.125.1.1 enable
peer 100.125.1.1 route-policy perval import
#
route-policy perval permit node 10
apply preferred-value 20
#
route-policy perval permit node 20
Tests
Branch to branch
Branch to Internet