
Example for Configuring Communication Between Local VPNs

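Networking Requirements

As shown in Figure 2-38, enterprise A and enterprise B deploy BGP/MPLS IP VPN so that their headquarters and branches can communicate over VPNs. Specifically:

  • CE1 connects to the headquarters of enterprise A and CE3 connects to a branch of enterprise A; CE1 and CE3 belong to vpna.
  • CE2 connects to the headquarters of enterprise B and CE4 connects to a branch of enterprise B; CE2 and CE4 belong to vpnb.

Because of service requirements, the headquarters of enterprise A and the headquarters of enterprise B need to communicate with each other.

Figure 2-38 Networking diagram for communication between local VPNs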

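Configuration Roadmap

This example configures communication between the VPNs as follows:

  1. Configure VPN instances on PE1 and configure different VPN-Target attributes for the VPN instances to isolate the different VPNs.
  2. On PE1, bind the interfaces connected to the CEs to the VPN instances to provide access for VPN users.
  3. On PE1, enable the BGP-VPNv4 address family and import the direct routes to the local CEs into the VPN routing tables. On each CE, configure a route to the other CE so that the local VPNs can communicate.

 Note:

On devices other than the CE6870EI and CE6875EI, after an MPLS label is popped, Eth-Trunk load balancing is not performed based on the IP header by default. In PHP scenarios, you can run the mpls top-label src-ip dst-ip 2nd-label command on the penultimate hop to load balance traffic across the Eth-Trunk. You can adjust the load balancing profile according to the actual traffic characteristics to optimize the load balancing result.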

Procedure

  1. Create VLANs and configure the VLANs allowed on each interface.

     # Configure PE1.

     <HUAWEI> system-view
     [~HUAWEI] sysname PE1
     [*HUAWEI] commit
     [~PE1] vlan batch 10 20
     [*PE1] interface 10ge 1/0/1
     [*PE1-10GE1/0/1] port link-type trunk
     [*PE1-10GE1/0/1] port trunk allow-pass vlan 10
     [*PE1-10GE1/0/1] quit
     [*PE1] interface 10ge 1/0/2
     [*PE1-10GE1/0/2] port link-type trunk
     [*PE1-10GE1/0/2] port trunk allow-pass vlan 20
     [*PE1-10GE1/0/2] commit
     [~PE1-10GE1/0/2] quit

     # Configure CE1.

     <HUAWEI> system-view
     [~HUAWEI] sysname CE1
     [*HUAWEI] commit
     [~CE1] vlan batch 10
     [*CE1] interface 10ge 1/0/1
     [*CE1-10GE1/0/1] port link-type trunk
     [*CE1-10GE1/0/1] port trunk allow-pass vlan 10
     [*CE1-10GE1/0/1] commit
     [~CE1-10GE1/0/1] quit

     # Configure CE2.

     <HUAWEI> system-view
     [~HUAWEI] sysname CE2
     [*HUAWEI] commit
     [~CE2] vlan batch 20
     [*CE2] interface 10ge 1/0/1
     [*CE2-10GE1/0/1] port link-type trunk
     [*CE2-10GE1/0/1] port trunk allow-pass vlan 20
     [*CE2-10GE1/0/1] commit
     [~CE2-10GE1/0/1] quit
  2. Configure VPN instances on the PE and connect the CEs to the PE.

     # Configure PE1.

     [~PE1] ip vpn-instance vpna
     [*PE1-vpn-instance-vpna] ipv4-family
     [*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
     [*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 export-extcommunity
     [*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 222:2 import-extcommunity
     [*PE1-vpn-instance-vpna-af-ipv4] quit
     [*PE1-vpn-instance-vpna] quit
     [*PE1] ip vpn-instance vpnb
     [*PE1-vpn-instance-vpnb] ipv4-family
     [*PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
     [*PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 export-extcommunity
     [*PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 111:1 import-extcommunity
     [*PE1-vpn-instance-vpnb-af-ipv4] quit
     [*PE1-vpn-instance-vpnb] quit
     [*PE1] interface vlanif 10
     [*PE1-Vlanif10] ip binding vpn-instance vpna
     [*PE1-Vlanif10] ip address 10.1.1.2 24
     [*PE1-Vlanif10] quit
     [*PE1] interface vlanif 20
     [*PE1-Vlanif20] ip binding vpn-instance vpnb
     [*PE1-Vlanif20] ip address 10.2.1.2 24
     [*PE1-Vlanif20] quit
     [*PE1] commit

     # Configure the interface IP addresses of each CE according to Figure 2-38.

     [~CE1] interface vlanif 10
     [*CE1-Vlanif10] ip address 10.1.1.1 24
     [*CE1-Vlanif10] commit
     [~CE1-Vlanif10] quit

     The configuration of CE2 is the same as that of CE1 and is omitted here.

     Each PE can ping the CEs attached to it. Take PE1 and CE1 as an example:

     [~PE1] ping -vpn-instance vpna 10.1.1.1
       PING 10.1.1.1: 56 data bytes, press CTRL_C to break
         Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms
         Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=3 ms
         Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms
         Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms
         Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=16 ms

       --- 10.1.1.1 ping statistics ---
         5 packet(s) transmitted
         5 packet(s) received
         0.00% packet loss
         round-trip min/avg/max = 3/6/16 ms
  3. Configure BGP, enable the BGP-VPNv4 address family, and import the direct routes to the local CEs into the VPN routing tables.

     # Configure PE1.

     [~PE1] bgp 100
     [*PE1-bgp] ipv4-family vpnv4
     [*PE1-bgp-af-vpnv4] quit
     [*PE1-bgp] ipv4-family vpn-instance vpna
     [*PE1-bgp-vpna] import-route direct
     [*PE1-bgp-vpna] quit
     [*PE1-bgp] ipv4-family vpn-instance vpnb
     [*PE1-bgp-vpnb] import-route direct
     [*PE1-bgp-vpnb] quit
     [*PE1-bgp] quit
     [*PE1] commit
  4. Configure static routes on the CEs.

     # Configure CE1.

     [~CE1] ip route-static 10.2.1.0 24 10.1.1.2
     [*CE1] commit

     # Configure CE2.

     [~CE2] ip route-static 10.1.1.0 24 10.2.1.2
     [*CE2] commit
  5. Verify the configuration.

     After the configuration is complete, run the display ip routing-table vpn-instance command on PE1. The output shows that the routes of the different VPNs have been imported into each other. Take vpna as an example:

     [~PE1] display ip routing-table vpn-instance vpna
     Proto: Protocol        Pre: Preference
     Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
     ------------------------------------------------------------------------------
     Routing Table : vpna
              Destinations : 6        Routes : 6

     Destination/Mask      Proto   Pre  Cost  Flags  NextHop     Interface

     10.1.1.0/24           Direct  0    0     D      10.1.1.1    Vlanif10
     10.1.1.2/32           Direct  0    0     D      127.0.0.1   Vlanif10
     10.1.1.255/32         Direct  0    0     D      127.0.0.1   Vlanif10
     10.2.1.0/24           BGP     255  0     D      10.2.1.2    Vlanif20
     10.2.1.2/32           BGP     255  0     D      127.0.0.1   Vlanif20
     255.255.255.255/32    Direct  0    0     D      127.0.0.1   InLoopBack0

     CE1 and CE2 can ping each other.

     [~CE1] ping 10.2.1.1
       PING 10.2.1.1: 56 data bytes, press CTRL_C to break
         Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
         Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
         Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
         Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
         Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms

       --- 10.2.1.1 ping statistics ---
         5 packet(s) transmitted
         5 packet(s) received
         0.00% packet loss
         round-trip min/avg/max = 34/48/72 ms

Configuration Files

  • Configuration file of PE1

     #
     sysname PE1
     #
     vlan batch 10 20
     #
     ip vpn-instance vpna
      ipv4-family
       route-distinguisher 100:1
       vpn-target 111:1 export-extcommunity
       vpn-target 111:1 import-extcommunity
       vpn-target 222:2 import-extcommunity
     #
     ip vpn-instance vpnb
      ipv4-family
       route-distinguisher 100:2
       vpn-target 222:2 export-extcommunity
       vpn-target 222:2 import-extcommunity
       vpn-target 111:1 import-extcommunity
     #
     interface Vlanif10
      ip binding vpn-instance vpna
      ip address 10.1.1.2 255.255.255.0
     #
     interface Vlanif20
      ip binding vpn-instance vpnb
      ip address 10.2.1.2 255.255.255.0
     #
     interface 10GE1/0/1
      port link-type trunk
      port trunk allow-pass vlan 10
     #
     interface 10GE1/0/2
      port link-type trunk
      port trunk allow-pass vlan 20
     #
     bgp 100
      #
      ipv4-family unicast
      #
      ipv4-family vpnv4
       policy vpn-target
      #
      ipv4-family vpn-instance vpna
       import-route direct
      #
      ipv4-family vpn-instance vpnb
       import-route direct
     #
     return
  • Configuration file of CE1

     #
     sysname CE1
     #
     vlan batch 10
     #
     interface Vlanif10
      ip address 10.1.1.1 255.255.255.0
     #
     interface 10GE1/0/1
      port link-type trunk
      port trunk allow-pass vlan 10
     #
     ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
     #
     return
  • Configuration file of CE2

     #
     sysname CE2
     #
     vlan batch 20
     #
     interface Vlanif20
      ip address 10.2.1.1 255.255.255.0
     #
     interface 10GE1/0/1
      port link-type trunk
      port trunk allow-pass vlan 20
     #
     ip route-static 10.1.1.0 255.255.255.0 10.2.1.2
     #
     return
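
The vpn-target export and import lists on PE1 decide which VPN instances receive each other's routes, so they are the setting to review when auditing VPN isolation. The Python check below is an added example, not part of the original page or of any Huawei tool: it parses vpn-instance blocks and reports every instance pair where one side imports what the other exports. The function names and the embedded sample (constructed from the vpna and vpnb blocks on this page) are assumptions.

```python
from itertools import permutations
# Constructed sample: vpna as typed in step 2, vpnb as saved in the PE1 configuration file.
PE1_CONFIG = """\
ip vpn-instance vpna
 ipv4-family
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 222:2 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
  vpn-target 111:1 import-extcommunity
#
"""

def parse_vpn_targets(config):
    """Return {instance: {"export": set, "import": set}} from VRP-style config text."""
    instances, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip vpn-instance "):
            current = instances.setdefault(line.split()[2], {"export": set(), "import": set()})
        elif line == "#":  # '#' ends the current configuration block
            current = None
        elif current is not None and line.startswith("vpn-target "):
            tokens = line.split()[1:]
            targets = {t for t in tokens if ":" in t}
            # No direction keyword (or 'both') applies the targets both ways.
            if tokens[-1] != "import-extcommunity":
                current["export"] |= targets
            if tokens[-1] != "export-extcommunity":
                current["import"] |= targets
    return instances

def cross_vpn_leaks(instances):
    """List (source, destination, targets): destination imports what source exports."""
    leaks = []
    for src, dst in permutations(sorted(instances), 2):
        shared = instances[src]["export"] & instances[dst]["import"]
        if shared:
            leaks.append((src, dst, sorted(shared)))
    return leaks

def unexpected_leaks(instances, allowed_pairs):
    """Leaks whose (source, destination) pair is not on the approved list."""
    return [leak for leak in cross_vpn_leaks(instances) if leak[:2] not in allowed_pairs]

if __name__ == "__main__":
    print(cross_vpn_leaks(parse_vpn_targets(PE1_CONFIG)))
```

For this page's configuration the check reports both directions, vpna to vpnb via 111:1 and vpnb to vpna via 222:2, which is the intended headquarters inter-access; any pair outside the approved list is what a reviewer should question.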
