当前位置: 王朝网络 >> other >> 实战Cisco: MPLS VPN: Cisco & Juniper together

实战Cisco: MPLS VPN: Cisco & Juniper together

王朝other·作者佚名 2008-05-31

最近做了个用Cisco 和 Juniper 路由器做PE的MPLS VPN实验。实验中R1 (Cisco)和R2 (Juniper)通过ATM 骨干互联, P-Network使用ISIS作为IGP协议，R2作为MP-BGP的路由反射器。Juniper 与 Cisco 在端口互联和IGP、BGP路由协议互操作上感觉很好，没有碰到什么问题。

实验中使用loopback 端口来模拟VPN用户网络。和cisco的概念不一样，Juniper的Loopback 端口只有一个，但可以划分子端口（在使用MPLS VPN时),只能使用/32的地址。

可能熟悉Juniper 命令行接口的朋友比较少

具体配置：

Cisco 路由器配置：

version 12.3

service timestamps debug uptime

service timestamps log uptime

no service passWord-encryption

hostname R1

ip subnet-zero

no ip source-route

ip cef

ip vrf vpn_a

rd 2:1

route-target eXPort 111:1

route-target import 111:1

route-target import 111:2

ip vrf vpn_b

rd 3:304

route-target export 222:304

route-target export 111:2

route-target import 222:3

route-target import 111:1

mpls label protocol ldp

mpls ldp logging neighbor-changes

no FTP-server write-enable

interface Loopback0

ip address 192.168.40.1 255.255.255.255

ip router isis

interface Loopback200

ip vrf forwarding vpn_a

ip address 10.10.64.1 255.255.255.0

interface Loopback300

ip vrf forwarding vpn_b

ip address 10.10.65.1 255.255.255.0

interface ATM2/0

no ip address

no atm ilmi-keepalive

interface ATM2/0.1 point-to-point

ip address 192.168.34.4 255.255.255.0

ip router isis

pvc 1/134

protocol ip 192.168.34.3

brvpn_adcast

encapsulation aal5snap

tag-switching ip

router isis

net 47.0001.0000.0000.4444.00

router bgp 65888

no synchronization

bgp router-id 192.168.40.1

bgp log-neighbor-changes

neighbor rr-server peer-group

neighbor rr-server remote-as 65888

neighbor rr-server update-source Loopback0

neighbor 192.168.30.1 peer-group rr-server

no auto-summary

address-family vpnv4

neighbor 192.168.30.1 activate

neighbor 192.168.30.1 send-community both

exit-address-family

address-family ipv4 vrf vpn_b

redistribute connected

no auto-summary

no synchronization

exit-address-family

no ip http server

ip classless

line con 0

line aux 0

line vty 0 4

end

Juniper 路由器配置:

version 6.0R1.5;

system {

host-name R2;

user juny {

uid 2001;

class super-user;

authentication {

encrypted-password "$1$fhr423rkSB$0/fnrTsdfljwerWbeHX0"; # SECRET-DATA

}

services {

telnet;

}

chassis {

no-source-route;

}

interfaces {

at-0/0/1 {

description "To ATM Backbone";

atm-options {

vpi 1 {

maximum-vcs 1023;

}

unit 2 {

encapsulation atm-snap;

vci 1.134;

family inet {

address 192.168.34.3/24;

}

family iso;

family mpls;

}

vt-0/3/0 {

unit 200 {

family inet;

family mpls;

}

unit 300 {

family inet;

family mpls;

}

lo0 {

unit 0 {

family inet {

address 192.168.30.1/32;

}

family iso {

address 47.0001.0000.0000.3333.00;

}

unit 200 {

description "For vpn_a ";

family inet {

address 10.10.0.1/32;

}

unit 300 {

description "For vpn_b ";

family inet {

address 10.10.1.1/32;

}

routing-options {

router-id 192.168.30.1;

autonomous-system 65888;

}

protocols {

mpls {

interface at-0/0/1.2;

}

bgp {

local-address 192.168.30.1;

group rr-client {

type internal;

local-address 192.168.30.1;

family inet-vpn {

any;

}

cluster 192.168.30.1;

neighbor 192.168.10.1;

neighbor 192.168.20.1;

neighbor 192.168.40.1;

neighbor 192.168.50.1;

neighbor 192.168.60.1;

}

isis {

level 2 wide-metrics-only;

interface at-0/0/1.2;

interface lo0.0;

}

ldp {

interface at-0/0/1.2;

interface lo0.0;

}

policy-options {

policy-statement vpn_a-import {

term a {

from community [ vpn_a vpn_a-im ];

then accept;

}

term b {

then reject;

}

policy-statement vpn_a-export {

term a {

from protocol direct;

then {

community add vpn_a;

accept;

}

term b {

then reject;

}

policy-statement vpn_b-import {

term a {

from community [ vpn_b-province-to-city vpn_b-r4-site1 vpn_a ];

then accept;

}

term b {

then reject;

}

policy-statement vpn_b-export {

term a {

from protocol direct;

then {

community add vpn_b-site1-to-province;

community add vpn_a-im;

accept;

}

term b {

then reject;

}

community vpn_a members target:111:1;

community vpn_a-im members target:111:2;

community vpn_b members target:111:2;

community vpn_b-province-to-city members target:222:1;

community vpn_b-r4-site1 members target:222:304;

community vpn_b-site1-to-province members target:222:3;

}

routing-instances {

vpn_a {

description "For vpn_a";

instance-type vrf;

interface lo0.200;

interface vt-0/3/0.200;

route-distinguisher 2:1;

vrf-import vpn_a-import;

vrf-export vpn_a-export;

routing-options {

auto-export;

}

vpn_b {

description "For vpn_b";

instance-type vrf;

interface lo0.300;

interface vt-0/3/0.300;

route-distinguisher 3:3;

vrf-import vpn_b-import;

vrf-export vpn_b-export;

routing-options {

auto-export;

}

几点说明：

1.Cisco 默认使用TDP标签分发协议，要和其他厂商互联，需指定使用LDP标签分发协议。

不管是TDP还是LDP，都需要启用CEF来支持。

配置命令：mpls label protocol ldp

2.假如VPN Site 1 要和Site 2 及Site 3 互通，但是要求Site 2 和Site 3 不能互通时，使用VPN Overlay功能。 cisco 的配置方法简单明了：

ip vrf site1

ro im 1:2

ro im 1:3

ro ex 1:1

ip vrf site2

ro im 1:1

ro ex 1:2

ip vrf site3

ro im 1:1

ro ex 1:3

Juniper的配置方法:首先要给route target 命名，然后在策略policy-statement中引用，最后指定routing-instance使用指定的策略。除此之外Juniper 要启用routing-instance的auto-export 特性，否则site1的在该PE上的直连路由不能导入到同一PE的另一个site中。

3.源路由对有VPN Overlay 的环境来说是一种威胁。假如VPN Site 1 能够和Site 2 及Site 3 互通，但是策略要求Site 2 和Site 3 不能互通，Site 2 的用户有可能通过源路由技术经Site 1 到达 Site 3。

Cisco 路由器禁止源路由配置命令：

no ip source-route

Juniper 路由器禁止源路由配置命令：

chassis {

no-source-route;

}

4.PE接CE端口问题：

根据Juniper公司工程师介绍，由于Juniper 的主要用户为ISP, 所以设计的时候禁止用户Ping PE的端口，以增强P-network的安全性，该特性不能被关闭。

在实验中，我们首先发现，在PE上ping 不通某些直连的地址，尝试过多种处理方法之后，以下这种方法有较好的效果，但系统必须要配置有TUNNEL硬件板卡。

配置命令：

interfaces {