3.基于Inter_AS的MPLS/VPN
1.实验方案:
实验环境如图:
两个骨干的AS环境、R1、R3为AS200,R2为AS100
AS200的骨干IGP为IS-IS,其中包括三两个独立的L2域、每一个骨干路由器为一个独立的域,AS100的骨干IGP为OSPF。Inter-AS VPN的出现、使骨干网和省网之间打通VPN成为可能。
MPLS/VPN 中,三台骨干路由器为PE、其它设备为CE。
MPLS/VPN在Inter-AS上建立三个VPN :
a. VPN1的CE分别在两个不同的AS、采用EBGP和骨干路由器互联,AS号码为65505和65506
b. VPN2的两个CE采用不同的IGP路由协议互联、S3采用OSPF和R3连接、S2采用Rip和R2连接
c. VPN3的两个CE采用静态路由和PE连接
2.方案技术要点:
a. Inter_AS 的MPLS/VPN,R1为AS200 PE、R2为 AS100PE。CE R5、R6通过不同的AS连通。
b. Inter_AS的MPLS/VPN可以实现夸骨干网、省网之间的VPN,也就是说可以在国调、省调甚至地调实现VPN。
3. 配置命令:
version 12.0
hostname R3
!
ip vrf vpn2
rd 100:2
route-target eXPort 100:2
route-target import 100:2
clns routing
no mpls traffic-eng auto-bw timers frequency 0
!
interface Loopback0
ip address 10.10.30.3 255.255.255.255
no ip directed-broadcast
ip router isis
isis circuit-type level-2-only
!
interface GigabitEthernet1/0/0
ip address 10.10.23.3 255.255.255.0
no ip directed-broadcast
ip router isis
load-interval 30
negotiation auto
isis circuit-type level-2-only
isis metric 2 level-2
!
interface POS5/0/0
ip address 10.10.13.3 255.255.255.0
no ip directed-broadcast
ip router isis
encapsulation ppp
tag-switching ip
isis circuit-type level-2-only
isis metric 5 level-2
!
router ospf 33 vrf vpn2
log-adjacency-changes
network 10.10.33.0 0.0.0.255 area 0
!
router isis
net 00.1111.0000.0000.1113.00
is-type level-2-only
nsf cisco
!
router bgp 200
no bgp default ipv4-unicast
no bgp default route-target filter
bgp log-neighbor-changes
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
neighbor 10.10.10.1 remote-as 200
neighbor 10.10.10.1 update-source Loopback0
neighbor 10.10.23.2 remote-as 100
no auto-summary
!
address-family ipv4 multicast
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 10.10.10.1 activate
neighbor 10.10.10.1 next-hop-self
neighbor 10.10.10.1 send-community extended
neighbor 10.10.23.2 activate
neighbor 10.10.23.2 next-hop-self
neighbor 10.10.23.2 send-community extended
no auto-summary
exit-address-family
!
address-family ipv4
redistribute isis level-1-2
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf vpn2
redistribute connected
redistribute static
redistribute ospf 33
no auto-summary
no synchronization
exit-address-family
4. 确认命令:
R1#sh ip rou
100.0.0.0/24 is subnetted, 2 subnets
C 100.100.100.0 is directly connected, FastEthernet10/0/0
C 100.100.200.0 is directly connected, FastEthernet10/0/1
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C 10.10.10.1/32 is directly connected, Loopback0
C 10.10.12.0/24 is directly connected, Serial4/1/0
C 10.10.13.0/24 is directly connected, POS4/0/0
C 10.10.13.3/32 is directly connected, POS4/0/0
C 10.10.12.2/32 is directly connected, Serial4/1/0
i L2 10.10.23.0/24 [115/7] via 10.10.13.3, POS4/0/0
i L2 10.10.30.3/32 [115/15] via 10.10.13.3, POS4/0/0
R1#sh ip router vrf vpn1
10.0.0.0/24 is subnetted, 4 subnets
C 10.10.15.0 is directly connected, FastEthernet2/0/1
B 10.10.26.0 [20/0] via 10.10.12.2, 00:01:41
B 10.10.50.0 [20/0] via 10.10.15.5, 00:05:31
B 10.10.60.0 [20/0] via 10.10.12.2, 00:01:41
R5-3640#sh ip rou
10.0.0.0/24 is subnetted, 4 subnets
C 10.10.15.0 is directly connected, FastEthernet0/0
B 10.10.26.0 [20/0] via 10.10.15.1, 00:05:45
C 10.10.50.0 is directly connected, Loopback0
B 10.10.60.0 [20/0] via 10.10.15.1, 00:05:45
R5-3640#ping 10.10.60.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.60.6, timeout is 2 seconds:
!!!!!
SUCcess rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R5-3640#trace 10.10.60.6
Type escape sequence to abort.
Tracing the route to 10.10.60.6
1 10.10.15.1 0 msec 0 msec 4 msec
2 10.10.26.2 [AS 65506] [MPLS: Label 17 Exp 0] 4 msec 4 msec 4 msec
3 10.10.26.6 [AS 65506] 4 msec 4 msec *
5.结果:
R5 和R6之间实现VPN连接。
真正实现Inter_AS 的MPLS/VPN 。