
HCIE Datacom exam study notes: MPLS VPN MCE explained, with lab configuration

Published: 2022-05-07  Views: 2658  Source: 崔志鹏 (Cui Zhipeng)

Technical documentation provided by WOLFLAB IE training instructor 崔志鹏 (Cui Zhipeng), CCIE#64969 HCIE#15621


Background

BGP/MPLS IP VPN solves the problem of carrying private-network data across a public network by tunnelling it, but the traditional BGP/MPLS IP VPN architecture requires each VPN instance to connect to the PE through its own dedicated CE, as shown in Figure 1.

[Figure 1: traditional BGP/MPLS IP VPN, one CE per VPN instance]


As user services become more finely divided and security requirements rise, the users within one private network often need to be split into several VPNs, with complete isolation between the services of different VPNs. Deploying a separate CE for every VPN raises the user's equipment and maintenance costs; but letting several VPNs share one CE with a single routing and forwarding table cannot guarantee data isolation.

MCE (Multi-VPN-Instance CE) resolves this conflict between data security and network cost in a multi-VPN network, as shown in Figure 2.

[Figure 2: MCE, several VPN instances sharing one CE]


MCE extends part of the PE's functionality to the CE device: it binds different interfaces to different VPNs and creates and maintains an independent routing and forwarding table for each VPN (Multi-VRF). This not only isolates the forwarding paths of the different VPNs' packets inside the private network, but, in cooperation with the PE, also lets each VPN's routes be advertised correctly to the remote PE, so that VPN traffic is carried across the public network.

Lab: using MCE, let the two sites of company A reach each other and the two sites of company B reach each other, while A and B cannot reach each other.

[Lab topology figure]


R3 configuration:

[AR3]dis current-configuration
 sysname AR3
#
ip vpn-instance A2
 ipv4-family
  route-distinguisher 3:3
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
ip vpn-instance B2
 ipv4-family
  route-distinguisher 4:4
  vpn-target 2:2 export-extcommunity
  vpn-target 2:2 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
 ip address 1.1.23.3 255.255.255.0
 mpls
 mpls ldp
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.1
 dot1q termination vid 10
 ip binding vpn-instance A2
 ip address 1.1.36.3 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/1.2
 dot1q termination vid 20
 ip binding vpn-instance B2
 ip address 1.1.63.3 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
bgp 123
 router-id 3.3.3.3
 peer 2.2.2.2 as-number 123
 peer 2.2.2.2 connect-interface LoopBack0
 #
 ipv4-family unicast
  undo synchronization
  undo peer 2.2.2.2 enable
 #
 ipv4-family vpnv4
  policy vpn-target
  peer 2.2.2.2 enable
 #
 ipv4-family vpn-instance A2
  network 7.7.7.7 255.255.255.255
 #
 ipv4-family vpn-instance B2
  network 8.8.8.8 255.255.255.255
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 1.1.23.3 0.0.0.0
  network 3.3.3.3 0.0.0.0
#
ospf 2 router-id 3.3.3.3 vpn-instance A2
 import-route bgp
 area 0.0.0.0
  network 1.1.36.3 0.0.0.0
#
ospf 3 router-id 3.3.3.3 vpn-instance B2
 import-route bgp
 area 0.0.0.0
  network 1.1.63.3 0.0.0.0
#
return
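An added check on the PE side, not part of the original lab: the A/B isolation in this topology rests on vpn-instances A2 and B2 using disjoint route targets (1:1 and 2:2), and a later edit that makes one instance import the other's export RT would merge them silently. The Python below (written for this page, not WOLFLAB's or Huawei's code) parses the vpn-target lines of a VRP configuration and reports any pair of instances whose RTs overlap; the config fragment is a constructed, trimmed copy of the R3 vpn-instance definitions, and the assumption that a vpn-target line without a direction keyword means both is marked in the code.

```python
from itertools import permutations
# Constructed fragment in the style of the R3 dump above (trimmed, not the
# page's full configuration); a '#' line closes each vpn-instance block.
SAMPLE = """\
ip vpn-instance A2
 ipv4-family
  route-distinguisher 3:3
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
ip vpn-instance B2
 ipv4-family
  route-distinguisher 4:4
  vpn-target 2:2 export-extcommunity
  vpn-target 2:2 import-extcommunity
#
"""

# VRP keyword -> which RT sets it fills; a vpn-target line with no keyword
# is treated as 'both' (assumed VRP default).
DIRECTIONS = {"both": ("import", "export"),
              "export-extcommunity": ("export",),
              "import-extcommunity": ("import",)}

def parse_vpn_targets(config):
    """Return {vrf: {"import": set_of_rts, "export": set_of_rts}}."""
    vrfs, current = {}, None
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["ip", "vpn-instance"]:
            current = tokens[2]
            vrfs[current] = {"import": set(), "export": set()}
        elif line.startswith("#"):
            current = None
        elif current and tokens[:1] == ["vpn-target"]:
            keyword = tokens.pop() if tokens[-1] in DIRECTIONS else "both"
            for direction in DIRECTIONS[keyword]:
                vrfs[current][direction].update(tokens[1:])
    return vrfs

def find_rt_leaks(vrfs):
    """(exporter, importer) pairs where an exported RT is imported elsewhere."""
    return sorted((a, b) for a, b in permutations(vrfs, 2)
                  if vrfs[a]["export"] & vrfs[b]["import"])

if __name__ == "__main__":
    print(find_rt_leaks(parse_vpn_targets(SAMPLE)))   # []
    leaky = SAMPLE.replace("vpn-target 2:2 import", "vpn-target 1:1 import")
    print(find_rt_leaks(parse_vpn_targets(leaky)))    # [('A2', 'B2')]
```

Run it against the output of dis current-configuration on each PE whenever a vpn-instance is changed; an empty list means no instance can receive another instance's routes through RT matching.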

 

MCE configuration:

[AR6]dis current-configuration
 sysname AR6
#
ip vpn-instance A2
 ipv4-family
  route-distinguisher 3:3
#
ip vpn-instance B2
 ipv4-family
  route-distinguisher 4:4
#
interface GigabitEthernet0/0/0
 ip binding vpn-instance A2
 ip address 1.1.67.6 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.1
 dot1q termination vid 10
 ip binding vpn-instance A2
 ip address 1.1.36.6 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/1.2
 dot1q termination vid 20
 ip binding vpn-instance B2
 ip address 1.1.63.6 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/2
 ip binding vpn-instance B2
 ip address 1.1.68.6 255.255.255.0
#
interface NULL0
#
interface LoopBack0
 ip address 6.6.6.6 255.255.255.255
#
ospf 2 router-id 6.6.6.6 vpn-instance A2
 vpn-instance-capability simple             // Without this command the MCE accepts the Type-5 LSA for 4.4.4.4, whose DN bit is set to 1, but does not compute a route from it. Testing shows that dn-bit-check disable ase gives the same result, which means that in an MCE deployment only the DN bit is checked, not the route tag.

Note: without this command the MCE only sees the Type-5 LSA for 4.4.4.4 in its LSDB and cannot compute a route from it. The MCE still floods the LSA on to R7, which does compute the route, but traffic does not get through; R7 is not an MCE and does not check the DN bit.

 area 0.0.0.0
  network 1.1.36.6 0.0.0.0
  network 1.1.67.6 0.0.0.0
#
ospf 3 router-id 6.6.6.6 vpn-instance B2
 vpn-instance-capability simple
 area 0.0.0.0
  network 1.1.63.6 0.0.0.0
  network 1.1.68.6 0.0.0.0
#
return

 

Results:

[AR7]ping -a 7.7.7.7 4.4.4.4
  PING 4.4.4.4: 56  data bytes, press CTRL_C to break
    Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=251 time=50 ms
    Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=251 time=40 ms
    Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=251 time=50 ms
    Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=251 time=30 ms
    Reply from 4.4.4.4: bytes=56 Sequence=5 ttl=251 time=50 ms

  --- 4.4.4.4 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/44/50 ms

[AR8]ping -a 8.8.8.8 5.5.5.5
  PING 5.5.5.5: 56  data bytes, press CTRL_C to break
    Reply from 5.5.5.5: bytes=56 Sequence=1 ttl=251 time=50 ms
    Reply from 5.5.5.5: bytes=56 Sequence=2 ttl=251 time=50 ms
    Reply from 5.5.5.5: bytes=56 Sequence=3 ttl=251 time=50 ms
    Reply from 5.5.5.5: bytes=56 Sequence=4 ttl=251 time=50 ms
    Reply from 5.5.5.5: bytes=56 Sequence=5 ttl=251 time=40 ms

  --- 5.5.5.5 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/48/50 ms

------------------------------------------------------------------------------

[AR7]ping -a 7.7.7.7 5.5.5.5
  PING 5.5.5.5: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out

  --- 5.5.5.5 ping statistics ---
    2 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

[AR7]ping -a 7.7.7.7 8.8.8.8
  PING 8.8.8.8: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out

  --- 8.8.8.8 ping statistics ---
    3 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
