思维导图
一、Layer-2
1.1 链路聚合
- S1和S2之间配置链路聚合,使用手动负载分担模式,基于源目MAC地址负载分担。(2分)
SW1配置:
[SW1]int Eth-Trunk 1[SW1-Eth-Trunk1]load-balance src-dst-mac[SW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/23[SW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/24
SW2配置:
[SW2]int Eth-Trunk 1[SW2-Eth-Trunk1]load-balance src-dst-mac[SW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/23[SW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/24
最终效果:在SW1/SW2上检查Eth-Trunk状态为UP即可
1.2 Link-Type
- 在S1、S2、S3、S4互连接口上的链路类型为Trunk,允许除了VLAN1外的所有VLAN通过。(3分)
SW1配置:
[SW1]vlan batch 10 20[SW1]port-group group-member g0/0/1 g0/0/2 g0/0/12 Eth-Trunk 1[SW1-port-group]port link-type trunk[SW1-port-group]port trunk allow-pass vlan all[SW1-port-group]undo port trunk allow-pass vlan 1
SW2配置:
[SW2]vlan batch 10 20[SW2]port-group group-member g0/0/1 g0/0/2 g0/0/12 Eth-Trunk 1[SW2-port-group]port link-type trunk[SW2-port-group]port trunk allow-pass vlan all[SW2-port-group]undo port trunk allow-pass vlan 1
SW3配置:
[SW2]vlan batch 10 20[SW3]port-group group-member g0/0/1 g0/0/2[SW3-port-group]port link-type trunk[SW3-port-group]port trunk allow-pass vlan all[SW3-port-group]undo port trunk allow-pass vlan 1[SW3]int Ethernet0/0/1[SW3-Ethernet0/0/1]port link-type access[SW3-Ethernet0/0/1]port default vlan 10
SW4配置:
[SW2]vlan batch 10 20[SW4]port-group group-member g0/0/1 g0/0/2[SW4-port-group]port link-type trunk[SW4-port-group]port trunk allow-pass vlan all[SW4-port-group]undo port trunk allow-pass vlan 1[SW4]int Ethernet0/0/1[SW4-Ethernet0/0/1]port link-type access[SW4-Ethernet0/0/1]port default vlan 20
1.3 VRRP
- CE1、CE2的VRRP虚拟IP地址10.3.1.254,为PC1的网关。CE1会周期发送Sender IP为10.3.1.254,源MAC为00-00-5E-00-01-01的免费ARP。PC1与网关之间的数据包封装在VLAN10中(PC1收发untag的帧)。
CE1配置:
[CE1]int GigabitEthernet 0/0/2.10[CE1-GigabitEthernet0/0/2.10]arp broadcast enable[CE1-GigabitEthernet0/0/2.10]vrrp vrid 1 virtual-ip 10.3.1.254[CE1-GigabitEthernet0/0/2.10]vrrp vrid 1 priority 120
CE2配置:**
[CE2]int GigabitEthernet 0/0/2.10[CE2-GigabitEthernet0/0/2.10]arp broadcast enable[CE2-GigabitEthernet0/0/2.10]vrrp vrid 1 virtual-ip 10.3.1.254
- CE1、CE2的VRRP虚拟IP地址10.3.2.254,为Server1的网关。CE2会周期发送Sender IP为10.3.2.254,源MAC为00-00-5E-00-01-02的免费ARP。PC1与网关之间的数据包封装在VLAN20中(PC1收发untag的帧)。
CE1配置:
[CE1]int GigabitEthernet 0/0/2.20[CE1-GigabitEthernet0/0/2.20]arp broadcast enable[CE1-GigabitEthernet0/0/2.20]vrrp vrid 2 virtual-ip 10.3.2.254
CE2配置:
[CE2]int GigabitEthernet 0/0/2.20[CE2-GigabitEthernet0/0/2.20]arp broadcast enable[CE2-GigabitEthernet0/0/2.20]vrrp vrid 2 virtual-ip 10.3.2.254[CE2-GigabitEthernet0/0/2.20]vrrp vrid 2 priority 120
- VRRP的Master设备重启时,在G0/0/2变为UP一分钟后,才能重新成为Master。
CE1配置:
[CE1]int GigabitEthernet 0/0/2.10[CE1-GigabitEthernet0/0/2.10]vrrp vrid 1 preempt-mode timer delay 60
CE2配置:
[CE2]int GigabitEthernet 0/0/2.20[CE2-GigabitEthernet0/0/2.20]vrrp vrid 2 preempt-mode timer delay 60
最终效果:
1.4 MSTP
- S1、S2、S3、S4都运行MSTP。VLAN10在Instance 10,S1作为Primary Root。VLAN20在Instance 20,S2作为Primary Root。MSTP的region name是HUAWEI,Revision-level为12。
SW1配置:
[SW1]stp region-configuration[SW1-mst-region]region-name HUAWEI[SW1-mst-region]revision-level 12[SW1-mst-region]instance 10 vlan 10[SW1-mst-region]instance 20 vlan 20[SW1-mst-region]active region-configuration[SW1]stp instance 10 root primary[SW1]stp instance 20 root secondary
SW2配置:
[SW2]stp region-configuration[SW2-mst-region]region-name HUAWEI[SW2-mst-region]revision-level 12[SW2-mst-region]instance 10 vlan 10[SW2-mst-region]instance 20 vlan 20[SW2-mst-region]active region-configuration[SW2]stp instance 10 root secondary[SW2]stp instance 20 root primary
SW3配置:
[SW3]stp region-configuration[SW3-mst-region]region-name HUAWEI[SW3-mst-region]revision-level 12[SW3-mst-region]instance 10 vlan 10[SW3-mst-region]instance 20 vlan 20[SW3-mst-region]active region-configuration
SW4配置:
[SW4]stp region-configuration[SW4-mst-region]region-name HUAWEI[SW4-mst-region]revision-level 12[SW4-mst-region]instance 10 vlan 10[SW4-mst-region]instance 20 vlan 20[SW4-mst-region]active region-configuration
- 除了交换机互联的接口,其它接口要确保不能参与MSTP计算,由Disable直接转到Forwarding状态。
SW1/SW2/SW3/SW4配置:将交换机互联接口的边缘端口功能关闭
[SW1]port-group group-member g0/0/1 g0/0/12 Eth-Trunk 1[SW1-port-group]stp edged-port disable------------------------------------------------------------------------------------------[SW2]port-group group-member g0/0/1 g0/0/12 Eth-Trunk 1[SW2-port-group]stp edged-port disable------------------------------------------------------------------------------------------[SW3]port-group group-member g0/0/1 g0/0/2[SW3-port-group]stp edged-port disable------------------------------------------------------------------------------------------[SW4]port-group group-member g0/0/1 g0/0/2[SW4-port-group]stp edged-port disable
SW1/SW2/SW3/SW4配置:全局开启边缘端口功能,开启BPDU保护:
[SW1]stp edged-port default[SW1]stp bpdu-protection------------------------------------------------------------------------------------------[SW2]stp edged-port default[SW2]stp bpdu-protection------------------------------------------------------------------------------------------[SW3]stp edged-port default[SW3]stp bpdu-protection------------------------------------------------------------------------------------------[SW4]stp edged-port default[SW4]stp bpdu-protection
最终效果:
1.5 WAN
- PE1-RR1的互联接口Serial接口,绑定为一个逻辑接口,成员链路采用HDLC。逻辑接口的IPv4地址,IPv6地址,请按图中需求配置。(1分)
PE1配置:
[PE1]int Serial 0/0/0[PE1-Serial0/0/0]link-protocol hdlc[PE1]int Serial 0/0/1[PE1-Serial0/0/1]link-protocol hdlc[PE1]int Ip-Trunk 1[PE1-Ip-Trunk1]trunkport Serial 0/0/0[PE1-Ip-Trunk1]trunkport Serial 0/0/1[PE1-Ip-Trunk1]ip address 10.1.13.1 30[PE1-Ip-Trunk1]ipv6 enable[PE1-Ip-Trunk1]ipv6 address 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:1300 127
RR1配置:
[RR1]int Serial 0/0/0[RR1-Serial0/0/0]link-protocol hdlc[RR1]int Serial 0/0/1[RR1-Serial0/0/1]link-protocol hdlc[RR1]int Ip-Trunk 1[RR1-Ip-Trunk1]trunkport Serial 0/0/0[RR1-Ip-Trunk1]trunkport Serial 0/0/1[RR1-Ip-Trunk1]ip address 10.1.13.2 30[RR1-Ip-Trunk1]ipv6 enable[RR1-Ip-Trunk1]ipv6 address 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:1301 127
最终效果:
- PE3-CE3的互联接口POS接口,绑定为一个逻辑接口,成员链路采用PPP。逻辑接口的IPv4地址,按照图中需求配置。
PE3配置:
[PE3]int Mp-group 0/0/0[PE3-Mp-group0/0/0]ip address 10.2.33.2 30[PE3]int Pos 4/0/0[PE3-Pos4/0/0]ppp mp Mp-group 0/0/0[PE3]int Pos 6/0/0[PE3-Pos6/0/0]ppp mp Mp-group 0/0/0
CE3配置:
[CE3]int Mp-group 0/0/0[CE3-Mp-group0/0/0]ip address 10.2.33.1 30[CE3]int Pos 4/0/0[CE3-Pos4/0/0]ppp mp Mp-group 0/0/0[CE3]int Pos 6/0/0[CE3-Pos6/0/0]ppp mp Mp-group 0/0/0
最终效果:
二、IPv4 IGP
2.1 基本配置
- 所有设备的接口IPv4地址,按照图中配置。(除PE1-RR1的逻辑接口之外,已经预配)。
- Router-id与Loopback0的IPv4地址相同。MPLS域中各个设备的loopback0,从172.16.0.0/16取可用的主机地址,比如172.16.1.21/32可能分部在AS100,也可能分部在AS200。
2.2 OSPF
- CE1和CE2之间的链路,及该两台设备的loopback0,通告入OSPF区域0(已预配置)
- CE1的G0/0/2.10和G0/0/2.20,CE2的G0/0/2.10和G0/0/2.20,直连网段宣告进入OSPF区域0,但这些接口不能收发OSPF报文。(2分)
CE1配置:
[CE1]ospf 1[CE1-ospf-1]area 0[CE1-ospf-1-area-0.0.0.0]network 10.3.1.1 0.0.0.0[CE1-ospf-1-area-0.0.0.0]network 10.3.2.1 0.0.0.0[CE1-ospf-1-area-0.0.0.0]quit[CE1-ospf-1]silent-interface GigabitEthernet 0/0/2.10[CE1-ospf-1]silent-interface GigabitEthernet 0/0/2.20
CE2配置:
[CE2]ospf 1[CE2-ospf-1]area 0[CE2-ospf-1-area-0.0.0.0]network 10.3.1.2 0.0.0.0[CE2-ospf-1-area-0.0.0.0]network 10.3.2.2 0.0.0.0[CE2-ospf-1-area-0.0.0.0]quit[CE2-ospf-1]silent-interface GigabitEthernet 0/0/2.10[CE2-ospf-1]silent-interface GigabitEthernet 0/0/2.20
[cEIdispayospfpeebrie
ID172.17.1.1
OSPEProcEsS
Router
With
PeerStatisticIntormatio
State
AreaId
Neighbor
id
Intesface
Fu11
GigabitEtherneto/o/o
0.0.0.0
172,17.1.2
最终效果:
- 最终CE1和CE2只通过G0/0/0接口建立邻接关系,没有通过GE0/0/2.10和GE0/0/2.20建立邻接关系。
- RR2、P2、PE3、PE4在OSPF区域0中,cost如图所示。(已预配置)
- PE3-PE4的OSPF链路类型为P2P。(1分)
PE3/PE4配置:
[PE3]int GigabitEthernet 0/0/0[PE3-GigabitEthernet0/0/0]ospf network-type p2p------------------------------------------------------------------------------------------[PE4]int GigabitEthernet 0/0/0[PE4-GigabitEthernet0/0/0]ospf network-type p2p
- PE4上将loopback0地址引入OSPF。AS200中,各OSPF网元到PE4的loopback0的路由,要包含内部的cost。
PE4配置:
[PE4]ip ip-prefix PE4 permit 172.16.1.2 32[PE4]route-policy PE4 permit node 10[PE4-route-policy]if-match ip-prefix PE4[PE4]ospf 1[PE4-ospf-1]import-route direct route-policy PE4 type 1
最终效果:在其它路由器上172.16.1.2/32这条路由包含内部cost。
2.3 ISIS
- AS100内loopback0和互联接口全部开启ISIS协议,其中PE1、PE2路由类型为level-1,区域号为49.0001,RR1、P1路由类型Level-1-2,区域号为49.0001,ASBR1、ASBR2路由类型为Level-2,区域号为49.0002。各单元的System-ID唯一,cost-style为wide,cost值如图配置(除PE1-RR1之间的逻辑接口外,已预配置)。此时AS100中的所有ISIS路由器的loopback0都开启了ISIS功能。
PE1/RR1配置:根据以上题意,发现PE1-RR1之间的IP-Trunk没有配置ISIS和开销
[PE1]int Ip-Trunk 1[PE1-Ip-Trunk1]isis enable[PE1-Ip-Trunk1]isis cost 1500------------------------------------------------------------------------------------------[RR1]int Ip-Trunk 1[RR1-Ip-Trunk1]isis enable[RR1-Ip-Trunk1]isis cost 1500
- RR2-P2的ISIS链路类型为P2P。(1分)
RR2/P2配置:
[RR2]int GigabitEthernet 0/0/0[RR2-GigabitEthernet0/0/0]isis circuit-type p2p------------------------------------------------------------------------------------------[P1]int GigabitEthernet 0/0/0[P1-GigabitEthernet0/0/0]isis circuit-type p2p
- 为了保证后续MPLS VPN中的AS100公网LDP的可达(L1设备默认只有默认路由指向L2),在RR1和P1上做172.16.0.0/16主机路由level-2向level-1路由的渗透。(自记)
RR1/P1配置:
[RR1]ip ip-prefix L2toL1 permit 172.16.0.0 16 greater-equal 32 less-equal 32[RR1]isis 1[RR1-isis-1]import-route isis level-2 into level-1 filter-policy ip-prefix L2toL1-------------------------------------------------------------------------------------------------[P1]ip ip-prefix L2toL1 permit 172.16.0.0 16 greater-equal 32 less-equal 32[P1]isis 1[P1-isis-1]import-route isis level-2 into level-1 filter-policy ip-prefix L2toL1
最终效果:Level-1设备学习到了AS100域内的所有ISIS路由器的loopback0接口地址
- 在RR2、P2上,ISIS和OSPF双向引入前缀为172.16.0.0/16的主机路由。被引入的协议的cost要继承到引入后的协议中,P2和PE4的loopback0互访走最优路径。配置要求有最好的拓展性。(8分)
RR2配置:
[RR2]ip ip-prefix in permit 172.16.0.0 16 greater-equal 32 less-equal 32[RR2]route-policy ospftoisis deny node 10[RR2-route-policy]if-match tag 200[RR2-route-policy]quit[RR2]route-policy ospftoisis permit node 20[RR2-route-policy]if-match ip-prefix in[RR2-route-policy]apply tag 100[RR2-route-policy]quit[RR2]isis 1[RR2-isis-1]import-route ospf 1 inherit-cost route-policy ospftoisis------------------------------------------------------------------------------------------[RR2]route-policy isistoospf deny node 10[RR2-route-policy]if-match tag 300[RR2-route-policy]quit[RR2]route-policy isistoospf permit node 20[RR2-route-policy]if-match ip-prefix in[RR2-route-policy]apply tag 400[RR2-route-policy]quit[RR2]ospf 1[RR2-ospf-1]default cost inherit-metric[RR2-ospf-1]import-route isis 1 route-policy isistoospf
P2配置:
[P2]ip ip-prefix in permit 172.16.0.0 16 greater-equal 32 less-equal 32[P2]route-policy ospftoisis deny node 10[P2-route-policy]if-match tag 400[P2-route-policy]quit[P2]route-policy ospftoisis permit node 20[P2-route-policy]if-match ip-prefix in[P2-route-policy]apply tag 300[P2-route-policy]quit[P2]isis 1[P2-isis-1]import-route ospf 1 inherit-cost route-policy ospftoisis------------------------------------------------------------------------------------------[P2]route-policy isistoospf deny node 10[P2-route-policy]if-match tag 100[P2-route-policy]quit[P2]route-policy isistoospf permit node 20[P2-route-policy]if-match ip-prefix in[P2-route-policy]apply tag 200[P2-route-policy]quit[P2]ospf 1[P2-ospf-1]default cost inherit-metric[P2-ospf-1]import-route isis 1 route-policy isistoospf
最后通过标签解决环路问题,环路导致的原因:
- P2通过OSPF从PE4学习到的172.16.1.2这个外部路由的优先级是150
- 在做完双向引入后,RR2把172.16.1.2这条路由引入进ISIS,通过ISIS传递给P2,P2收到后,优先级是15
- 设备在对比后,优选了ISIS这条路由,导致路由环路
解决思路:在OSPF中,将不带标签的外部路由的优先级修改为10(高于15)(双向引入后,只有172.16.1.2这条路由是没有带标签的)。
RR2/P2配置:
[RR2]route-policy preference permit node 10[RR2-route-policy]if-match tag 200[RR2-route-policy]apply preference 150[RR2-route-policy]quit[RR2]ospf 1[RR2-ospf-1]preference ase route-policy preference 10------------------------------------------------------------------------------------------[P2]route-policy preference permit node 10[P2-route-policy]if-match tag 400[P2-route-policy]apply preference 150[P2-route-policy]quit[P2]ospf 1[P2-ospf-1]preference ase route-policy preference 10
最终效果:
- 通过以上操作,P2上OSPF学习到的路由172.16.1.2/32的优先级更高,所以优选OSPF路由。
- P1的ISIS进程:产生LSP的最大延迟时间是1S,初始延时为50ms,递增时间为50ms,使能LSP的快速扩散特性,SPF计算最大延迟为1s,初始延时为100ms,递增时间为100ms。
P1配置:
[P1]isis 1[P1-isis-1]timer lsp-generation 1 50 50[P1-isis-1]flash-flood[P1-isis-1]timer spf 1 100 100
三、MPLS VPN
3.1 基础配置
- CE1、CE2为VPN1的Hub-CE,PE1、PE2为Hub-PE;CE3、CE4为VPN1的Spoke站点;PE3、PE4为Spoke-PE。
- CE4为Multi-VPN-Instance CE,CE4的VPN实例VPN1,通过子接口GE0/0/1.1连接PE4。
CE4配置:配置VPN实例VPN1,将接口绑定VPN实例VPN1
[CE4]ip vpn-instance VPN1[CE4-vpn-instance-VPN1]route-distinguisher 100:14[CE4]int GigabitEthernet 0/0/1.1[CE4-GigabitEthernet0/0/1.1]ip binding vpn-instance VPN1[CE4-GigabitEthernet0/0/1.1]ip address 10.2.41.1 30[CE4]int LoopBack 0[CE4-LoopBack0]ip binding vpn-instance VPN1[CE4-LoopBack0]ip address 172.17.1.4 32[CE4]int LoopBack 1[CE4-LoopBack1]ip binding vpn-instance VPN1[CE4-LoopBack1]ip address 10.3.3.4 32
- 合理设置VPN1参数,使得Spoke站点互访的流量必须经过Hub-CE设备。当CE1-PE1链路断开的情况下,PE1仍然可以学习到CE1的业务路由。(PE3上VPN1的RD为100:13,Export RT为100:1,Import RT为200:1)。(2分)
PE1配置:
[PE1]ip vpn-instance vpn-in[PE1-vpn-instance-vpn-in]route-distinguisher 100:10[PE1-vpn-instance-vpn-in-af-ipv4]vpn-target 100:1 import-extcommunity[PE1-vpn-instance-vpn-in]quit[PE1]ip vpn-instance vpn-out[PE1-vpn-instance-vpn-out]route-distinguisher 100:12[PE1-vpn-instance-vpn-out-af-ipv4]vpn-target 200:1 export-extcommunity[PE1-vpn-instance-vpn-out]quit[PE1]int GigabitEthernet0/0/1.1[PE1-GigabitEthernet0/0/1.1]arp broadcast enable[PE1-GigabitEthernet0/0/1.1]ip binding vpn-instance vpn-in[PE1-GigabitEthernet0/0/1.1]ip address 10.2.11.2 30[PE1]int GigabitEthernet0/0/1.2[PE1-GigabitEthernet0/0/1.2]arp broadcast enable[PE1-GigabitEthernet0/0/1.2]ip binding vpn-instance vpn-out[PE1-GigabitEthernet0/0/1.2]ip address 10.2.11.6 30------------------------------------------------------------------------------------------[PE1]bgp 100[PE1-bgp]ipv4-family vpn-instance vpn-in[PE1-bgp-vpn-in]peer 10.2.11.1 as-number 65000[PE1-bgp-vpn-in]quit[PE1-bgp]ipv4-family vpn-instance vpn-out[PE1-bgp-vpn-out]peer 10.2.11.5 as-number 65000
PE2配置:
[PE2]ip vpn-instance vpn-in[PE2-vpn-instance-vpn-in]route-distinguisher 100:11[PE2-vpn-instance-vpn-in-af-ipv4]vpn-target 100:1 import-extcommunity[PE2-vpn-instance-vpn-in]quit[PE2]ip vpn-instance vpn-out[PE2-vpn-instance-vpn-out]route-distinguisher 100:15[PE2-vpn-instance-vpn-out-af-ipv4]vpn-target 200:1 export-extcommunity[PE2-vpn-instance-vpn-out]quit[PE2]int GigabitEthernet0/0/1.1[PE2-GigabitEthernet0/0/1.1]arp broadcast enable[PE2-GigabitEthernet0/0/1.1]ip binding vpn-instance vpn-in[PE2-GigabitEthernet0/0/1.1]ip address 10.2.22.2 30[PE2]int GigabitEthernet0/0/1.2[PE2-GigabitEthernet0/0/1.2]arp broadcast enable[PE2-GigabitEthernet0/0/1.2]ip binding vpn-instance vpn-out[PE2-GigabitEthernet0/0/1.2]ip address 10.2.22.6 30------------------------------------------------------------------------------------------[PE2]bgp 100[PE2-bgp]ipv4-family vpn-instance vpn-in[PE2-bgp-vpn-in]peer 10.2.22.1 as-number 65000[PE2-bgp-vpn-in]quit[PE2-bgp]ipv4-family vpn-instance vpn-out[PE2-bgp-vpn-out]peer 10.2.22.5 as-number 65000
CE1配置:
[CE1]int GigabitEthernet 0/0/1.1[CE1-GigabitEthernet0/0/1.1]arp broadcast enable[CE1]int GigabitEthernet 0/0/1.2[CE1-GigabitEthernet0/0/1.2]arp broadcast enable[CE1]bgp 65000[CE1-bgp]peer 10.2.11.2 as-number 100[CE1-bgp]peer 10.2.11.6 as-number 100
CE2配置:
[CE2]int GigabitEthernet 0/0/1.1[CE2-GigabitEthernet0/0/1.1]arp broadcast enable[CE2]int GigabitEthernet 0/0/1.2[CE2-GigabitEthernet0/0/1.2]arp broadcast enable[CE2]bgp 65000[CE2-bgp]peer 10.2.22.2 as-number 100[CE2-bgp]peer 10.2.22.6 as-number 100
最终效果:CE与PE设备建立Established的BGP邻居关系
- 如图,CE1通过G0/0/1.1和G0/0/1.2建立直连的EBGP邻居,接入PE1。CE1通过GE0/0/1.2,向PE1通告BGP Update中,某些路由的AS-path中有200。在CE1上将OSPF路由导入BGP。(2分)
CE1配置:
[CE1]bgp 65000[CE1-bgp]import-route ospf 1 med 0
PE1配置:
[PE1]bgp 100[PE1-bgp]ipv4-family vpn-instance vpn-out[PE1-bgp-vpn-out]peer 10.2.11.5 allow-as-loop
- 如图,CE2通过G0/0/1.1和G0/0/1.2建立直连的EBGP邻居,接入PE2。CE2通过GE0/0/1.2,向PE2通告BGP Update中,某些路由的AS-path中有200。在CE2上将OSPF路由导入BGP。(2分)
CE2配置:
[CE2]bgp 65000[CE2-bgp]import-route ospf 1 med 0
PE2配置:
[PE2]bgp 100[PE2-bgp]ipv4-family vpn-instance vpn-out[PE2-bgp-vpn-out]peer 10.2.22.5 allow-as-loop
- CE3通过OSPF区域1接入PE3,通过PE3-CE3的逻辑接口互通,通告CE3的各环回口,CE4通过OSPF区域0接入PE4,通过PE4-CE4的G0/0/1.1接口互通,通告CE4的环回口。
PE3配置:
[PE3]ip vpn-instance VPN1[PE3-vpn-instance-VPN1]route-distinguisher 100:13[PE3-vpn-instance-VPN1-af-ipv4]vpn-target 100:1 export-extcommunity[PE3-vpn-instance-VPN1-af-ipv4]vpn-target 200:1 import-extcommunity[PE3-vpn-instance-VPN1]quit[PE3]int Mp-group 0/0/0[PE3-Mp-group0/0/0]ip binding vpn-instance VPN1[PE3-Mp-group0/0/0]ip address 10.2.33.2 30------------------------------------------------------------------------------------------[PE3]ospf 2 vpn-instance VPN1[PE3-ospf-2]area 1[PE3-ospf-2-area-0.0.0.1]network 10.2.33.2 0.0.0.0
PE4配置:
[PE4]ip vpn-instance VPN1[PE4-vpn-instance-VPN1]route-distinguisher 100:14[PE4-vpn-instance-VPN1-af-ipv4]vpn-target 100:1 export-extcommunity[PE4-vpn-instance-VPN1-af-ipv4]vpn-target 200:1 import-extcommunity[PE4-vpn-instance-VPN1]quit[PE4]int GigabitEthernet 0/0/1.1[PE4-GigabitEthernet0/0/1.1]ip binding vpn-instance VPN1[PE4-GigabitEthernet0/0/1.1]ip address 10.2.41.2 30------------------------------------------------------------------------------------------[PE4]ospf 2 vpn-instance VPN1[PE4-ospf-2]area 0[PE4-ospf-2-area-0.0.0.0]network 10.2.41.2 0.0.0.0
CE3配置:
[CE3]ospf 2[CE3-ospf-2]area 1[CE3-ospf-2-area-0.0.0.1]network 10.2.33.1 0.0.0.0[CE3-ospf-2-area-0.0.0.1]network 10.3.3.3 0.0.0[CE3-ospf-2-area-0.0.0.1]network 172.17.1.3 0.0.0.0
CE4配置:
[CE4]ospf 2 vpn-instance VPN1[CE4-ospf-2]vpn-instance-capability simple[CE4-ospf-2-area-0.0.0.0]network 10.2.41.1 0.0.0.0[CE4-ospf-2-area-0.0.0.0]network 10.3.3.4 0.0.0.0[CE4-ospf-2-area-0.0.0.0]network 172.17.1.4 0.0.0.0
最终效果:PE3/PE4学习到了CE3/CE4的环回口地址
- 在ASBR上,将ISIS的loopback0路由引入BGP。(2分)
ASBR1配置:
[ASBR1]ip ip-prefix isisloopback permit 172.16.1.1 32[ASBR1]ip ip-prefix isisloopback permit 172.16.1.3 32[ASBR1]ip ip-prefix isisloopback permit 172.16.1.4 32[ASBR1]ip ip-prefix isisloopback permit 172.16.1.5 32[ASBR1]ip ip-prefix isisloopback permit 172.16.1.6 32[ASBR1]ip ip-prefix isisloopback permit 172.16.1.20 32[ASBR1]route-policy isisloopback permit node 10[ASBR1-route-policy]if-match ip-prefix isisloopback[ASBR1]bgp 100[ASBR1-bgp]import-route isis 1 route-policy isisloopback
ASBR2配置:
[ASBR2]ip ip-prefix isisloopback permit 172.16.1.1 32[ASBR2]ip ip-prefix isisloopback permit 172.16.1.3 32[ASBR2]ip ip-prefix isisloopback permit 172.16.1.4 32[ASBR2]ip ip-prefix isisloopback permit 172.16.1.5 32[ASBR2]ip ip-prefix isisloopback permit 172.16.1.6 32[ASBR2]ip ip-prefix isisloopback permit 172.16.1.20 32[ASBR2]route-policy isisloopback permit node 10[ASBR2-route-policy]if-match ip-prefix isisloopback[ASBR2]bgp 100[ASBR2-bgp]import-route isis 1 route-policy isisloopback
ASBR3配置:
[ASBR3]ip ip-prefix isisloopback permit 172.16.1.7 32[ASBR3]ip ip-prefix isisloopback permit 172.16.1.8 32[ASBR3]ip ip-prefix isisloopback permit 172.16.1.9 32[ASBR3]ip ip-prefix isisloopback permit 172.16.1.10 32[ASBR3]ip ip-prefix isisloopback permit 172.16.1.11 32[ASBR3]ip ip-prefix isisloopback permit 172.16.1.2 32[ASBR3]route-policy isisloopback permit node 10[ASBR3-route-policy]if-match ip-prefix isisloopback[ASBR3]bgp 200[ASBR3-bgp]import-route isis 1 route-policy isisloopback
ASBR4配置:
[ASBR4]ip ip-prefix isisloopback permit 172.16.1.7 32[ASBR4]ip ip-prefix isisloopback permit 172.16.1.8 32[ASBR4]ip ip-prefix isisloopback permit 172.16.1.9 32[ASBR4]ip ip-prefix isisloopback permit 172.16.1.10 32[ASBR4]ip ip-prefix isisloopback permit 172.16.1.11 32[ASBR4]ip ip-prefix isisloopback permit 172.16.1.2 32[ASBR4]route-policy isisloopback permit node 10[ASBR4-route-policy]if-match ip-prefix isisloopback[ASBR4]bgp 200[ASBR4-bgp]import-route isis 1 route-policy isisloopback
- 如图,AS100、AS200内各个网元配置MPLS LSR-ID,全局使能MPLS,MPLS LDP(已预配)。AS100、AS200内各直连链路建立LDP邻居(除PE1-RR1之间的逻辑链路外,已预配)。(1分)
PE1/RR1配置:
[PE1]int Ip-Trunk 1[PE1-Ip-Trunk1]mpls[PE1-Ip-Trunk1]mpls ldp------------------------------------------------------------------------------------------[RR1]int Ip-Trunk 1[RR1-Ip-Trunk1]mpls[RR1-Ip-Trunk1]mpls ldp
3.2 MPLS VPN
- 如图,各站点通过MPLS BGP VPN跨域Option C方案二,能够互相学习路由。MPLS域不能出现次优路径。(15分)
3.2.1 路由传递
BGP(IPv4邻居关系图)
BGP VPNv4邻居关系图
- 全网通过环回口建立VPNv4的邻居关系
- RR作为内部AS的其它PE的反射器
- 给邻居传递路由的时候,不需要修改路由的下一跳(例如PE1的路由传递到PE3后,PE3收到的路由下一跳要是PE1的环回口地址)
配置AS100内的IBGP的IPv4/VPNv4的邻居关系
[RR1]bgp 100[RR1-bgp]peer 172.16.1.1 as-number 100[RR1-bgp]peer 172.16.1.1 connect-interface LoopBack 0[RR1-bgp]peer 172.16.1.1 reflect-client[RR1-bgp]peer 172.16.1.20 as-number 100[RR1-bgp]peer 172.16.1.20 connect-interface LoopBack 0[RR1-bgp]peer 172.16.1.20 reflect-client[RR1-bgp]ipv4-family vpnv4[RR1-bgp-af-vpnv4]undo policy vpn-target[RR1-bgp-af-vpnv4]peer 172.16.1.1 enable[RR1-bgp-af-vpnv4]peer 172.16.1.1 reflect-client[RR1-bgp-af-vpnv4]peer 172.16.1.1 next-hop-invariable[RR1-bgp-af-vpnv4]peer 172.16.1.20 enable[RR1-bgp-af-vpnv4]peer 172.16.1.20 reflect-client[RR1-bgp-af-vpnv4]peer 172.16.1.20 next-hop-invariable------------------------------------------------------------------------------------------[PE1]bgp 100[PE1-bgp]peer 172.16.1.3 as-number 100[PE1-bgp]peer 172.16.1.3 connect-interface LoopBack0[PE1-bgp]ipv4-family vpnv4[PE1-bgp-af-vpnv4]peer 172.16.1.3 enable------------------------------------------------------------------------------------------[PE2]bgp 100[PE2-bgp]peer 172.16.1.3 as-number 100[PE2-bgp]peer 172.16.1.3 connect-interface LoopBack 0[PE2-bgp]ipv4-family vpnv4[PE2-bgp-af-vpnv4]peer 172.16.1.3 enable
最终效果:AS100域内的VPNv4邻居建立成功
配置AS200内的IBGP IPv4/VPNv4的邻居关系
[RR2]bgp 200[RR2-bgp]peer 172.16.1.2 as-number 200[RR2-bgp]peer 172.16.1.2 connect-interface LoopBack 0[RR2-bgp]peer 172.16.1.2 reflect-client[RR2-bgp]peer 172.16.1.11 as-number 100[RR2-bgp]peer 172.16.1.11 connect-interface LoopBack 0[RR2-bgp]peer 172.16.1.11 reflect-client[RR2-bgp]ipv4-family vpnv4[RR2-bgp-af-vpnv4]undo policy vpn-target[RR2-bgp-af-vpnv4]peer 172.16.1.2 enable[RR2-bgp-af-vpnv4]peer 172.16.1.2 reflect-client[RR2-bgp-af-vpnv4]peer 172.16.1.2 next-hop-invariable[RR2-bgp-af-vpnv4]peer 172.16.1.11 enable[RR2-bgp-af-vpnv4]peer 172.16.1.11 reflect-client[RR2-bgp-af-vpnv4]peer 172.16.1.11 next-hop-invariable------------------------------------------------------------------------------------------[PE3]bgp 200[PE3-bgp]peer 172.16.1.9 as-number 200[PE3-bgp]peer 172.16.1.9 connect-interface LoopBack 0[PE3-bgp]ipv4-family vpnv4[PE3-bgp-af-vpnv4]peer 172.16.1.9 enable------------------------------------------------------------------------------------------[PE4]bgp 200[PE4-bgp]peer 172.16.1.9 as-number 200[PE4-bgp]peer 172.16.1.9 connect-interface LoopBack 0[PE4-bgp]ipv4-family vpnv4[PE4-bgp-af-vpnv4]peer 172.16.1.9 enable
最终效果:AS200域内的VPNv4邻居建立成功
ASBR之间建立EBGP(IPv4)的邻居关系
[ASBR1]bgp 100[ASBR1-bgp]peer 10.1.57.2 as-number 200------------------------------------------------------------------------------------------[ASBR2]bgp 100[ASBR2-bgp]peer 10.1.68.2 as-number 200------------------------------------------------------------------------------------------[ASBR3]bgp 200[ASBR3-bgp]peer 10.1.57.1 as-number 100------------------------------------------------------------------------------------------[ASBR4]bgp 200[ASBR4-bgp]peer 10.1.68.1 as-number 100
分别在ASBR1、ASBR2上将BGP路由引入到ISIS协议(如果没有配置,RR之间邻居起不来)
ASBR1/ASBR2/ASBR3/ASBR4配置:
[ASBR1]isis 1[ASBR1-isis-1]import-route bgp------------------------------------------------------------------------------------------[ASBR2]isis 1[ASBR2-isis-1]import-route bgp------------------------------------------------------------------------------------------[ASBR3]isis 1[ASBR3-isis-1]import-route bgp------------------------------------------------------------------------------------------[ASBR4]isis 1[ASBR4-isis-1]import-route bgp
最终效果:两个AS域中的PE设备学习到全网的设备的loopback0接口地址
RR1与RR2建立EBGP邻居(VPNv4)关系
RR1/RR2配置:
[RR1]bgp 100[RR1-bgp]peer 172.16.1.9 as-number 200[RR1-bgp]peer 172.16.1.9 connect-interface LoopBack 0[RR1-bgp]peer 172.16.1.9 ebgp-max-hop 255[RR1-bgp]ipv4-family vpnv4[RR1-bgp-af-vpnv4]peer 172.16.1.9 enable[RR1-bgp-af-vpnv4]peer 172.16.1.9 allow-as-loop[RR1-bgp-af-vpnv4]peer 172.16.1.9 next-hop-invariable[RR1-bgp]ipv4-family unicast[RR1-bgp-af-ipv4]undo peer 172.16.1.9 enable------------------------------------------------------------------------------------------[RR2]bgp 200[RR2-bgp]peer 172.16.1.3 as-number 100[RR2-bgp]peer 172.16.1.3 connect-interface LoopBack 0[RR2-bgp]peer 172.16.1.3 ebgp-max-hop 255[RR2-bgp]ipv4-family vpnv4[RR2-bgp-af-vpnv4]peer 172.16.1.3 enable[RR2-bgp-af-vpnv4]peer 172.16.1.3 allow-as-loop[RR2-bgp-af-vpnv4]peer 172.16.1.3 next-hop-invariable[RR2-bgp]ipv4-family unicast[RR2-bgp-af-ipv4]undo peer 172.16.1.3 enable
3.2.2 标签分发
- 配置ASBR具备标签接受能力和传递能力
ASBR1/ASBR2/ASBR3/ASBR4配置:ASBR之间配置标签接受能力和传递能力
[ASBR1]bgp 100[ASBR1-bgp]peer 10.1.57.2 label-route-capability------------------------------------------------------------------------------------------[ASBR2]bgp 100[ASBR2-bgp]peer 10.1.68.2 label-route-capability------------------------------------------------------------------------------------------[ASBR3]bgp 200[ASBR3-bgp]peer 10.1.57.1 label-route-capability------------------------------------------------------------------------------------------[ASBR4]bgp 200[ASBR4-bgp]peer 10.1.68.1 label-route-capability
ASBR1/ASBR2/ASBR3/ASBR4配置:在AS之间的ASBR设备接口上开启MPLS
[ASBR1]int GigabitEthernet0/0/2[ASBR1-GigabitEthernet0/0/2]mpls------------------------------------------------------------------------------------------[ASBR2]int GigabitEthernet0/0/2[ASBR2-GigabitEthernet0/0/2]mpls------------------------------------------------------------------------------------------[ASBR3]int GigabitEthernet0/0/2[ASBR3-GigabitEthernet0/0/2]mpls------------------------------------------------------------------------------------------[ASBR4]int GigabitEthernet0/0/2[ASBR4-GigabitEthernet0/0/2]mpls
- 配置ASBR标签分配功能,针对发送给对端ASBR的路由,附加MPLS标签,跨域交换的时候使用
ASBR1/ASBR2/ASB3/ASBR4配置:
[ASBR1]route-policy 2 permit node 10[ASBR1-route-policy]apply mpls-label[ASBR1-route-policy]quit[ASBR1]bgp 100[ASBR1-bgp]peer 10.1.57.2 route-policy 2 export------------------------------------------------------------------------------------------[ASBR2]route-policy 2 permit node 10[ASBR2-route-policy]apply mpls-label[ASBR2-route-policy]quit[ASBR2]bgp 100[ASBR2-bgp]peer 10.1.68.2 route-policy 2 export------------------------------------------------------------------------------------------[ASBR3]route-policy 2 permit node 10[ASBR3-route-policy]apply mpls-label[ASBR3-route-policy]quit[ASBR3]bgp 200[ASBR3-bgp]peer 10.1.57.1 route-policy 2 export------------------------------------------------------------------------------------------[ASBR4]route-policy 2 permit node 10[ASBR4-route-policy]apply mpls-label[ASBR4-route-policy]quit[ASBR4]bgp 200[ASBR4-bgp]peer 10.1.68.1 route-policy 2 export
- 启用为BGP(IPv4)路由产生LDP LSP功能
ASBR1/ASBR2/ASBR3/ASBR4配置:
[ASBR1]mpls[ASBR1-mpls]lsp-trigger bgp-label-route------------------------------------------------------------------------------------------[ASBR2]mpls[ASBR2-mpls]lsp-trigger bgp-label-route------------------------------------------------------------------------------------------[ASBR3]mpls[ASBR3-mpls]lsp-trigger bgp-label-route------------------------------------------------------------------------------------------[ASBR4]mpls[ASBR4-mpls]lsp-trigger bgp-label-route
- 在ASBR3上配置后,就会将ASBR1传递过来带标签的路由(BGP LSP)再产生LDP的标签,也就是配置了后,AS内的PE设备去外部AS的时候直接封装LDP的标签即可(2层标签),这就是和方案1的区别点。
3.2.3 路由引入
- 在PE3、PE4上将VPNv4路由引入OSPF,将OSPF路由引入VPNv4。
PE3/PE4配置:
[PE3]ospf 2 vpn-instance VPN1[PE3-ospf-2]import-route bgp[PE3]bgp 200[PE3-bgp]ipv4-family vpn-instance VPN1[PE3-bgp-VPN1]import-route ospf 2------------------------------------------------------------------------------------------[PE4]ospf 2 vpn-instance VPN1[PE4-ospf-2]import-route bgp[PE4]bgp 200[PE4-bgp]ipv4-family vpn-instance VPN1[PE4-bgp-VPN1]import-route ospf 2
3.3 其它配置
- CE1-PE1之间链路端,CE1设备上可学到Spoke业务网段;当CE2-PE2之间断路,CE2仍可学习到Spoke业务网段。配置保证有最好的拓展性。
CE1配置:
[CE1]route-policy tag permit node 10[CE1-route-policy]apply tag 100[CE1-route-policy]quit[CE1]route-policy ospftobgp deny node 10[CE1-route-policy]if-match tag 200[CE1-route-policy]quit[CE1]route-policy ospftobgp permit node 20[CE1-route-policy]quit[CE1]ospf 1[CE1-ospf-1]import-route bgp route-policy tag[CE1]bgp 65000[CE1-bgp]import-route ospf 1 route-policy ospftobgp med 0
CE2配置:
[CE2]route-policy tag permit node 10[CE2-route-policy]apply tag 200[CE2-route-policy]quit[CE2]route-policy ospftobgp deny node 10[CE2-route-policy]if-match tag 100[CE2-route-policy]quit[CE2]route-policy ospftobgp permit node 20[CE2-route-policy]quit[CE2]ospf 1[CE2-ospf-1]import-route bgp route-policy tag[CE2]bgp 65000[CE2-bgp]import-route ospf 1 route-policy ospftobgp med 0
- 在拓扑正常的情况下,需求CE1、CE2访问Spoke业务网段时,不从本AS内部绕行,EBGP优先级改为120。
CE1/CE2配置:
[CE1]bgp 65000[CE1-bgp]preference 120 255 255------------------------------------------------------------------------------------------[CE2]bgp 65000[CE2-bgp]preference 120 255 255
最终效果:Hub-CE设备学习到的私网路由优选EBGP路由,不从本AS绕行
- 在PE3/PE4访问对端172.16.A.X/32,若X为奇数,流量走ASBR1-ASBR3这条路径,当X为偶数时,流量走ASBR2-ASBR4这条路径,来回路径是否一致。并保证有最好的拓展性(3分)
因为跨域C方案二要求把BGP引入到ISIS,此处题目要求把ISIS引入到BGP,因此形成了双向引入,而且要求保证最优的拓展性。 所以必须在ASBR上用Tag解决路由回馈问题(之前有配置过路由引入,但是没有做标签)
- 跨域双向引入路由优化
ASBR1配置:
[ASBR1]ip ip-prefix ISIS permit 172.16.0.0 16 greater-equal 32 less-equal 32[ASBR1]route-policy bgptoisis permit node 10[ASBR1-route-policy]apply tag 10[ASBR1-route-policy]quit[ASBR1]route-policy isistobgp deny node 10[ASBR1-route-policy]if-match tag 20[ASBR1-route-policy]quit[ASBR1]route-policy isistobgp permit node 20[ASBR1-route-policy]if-match ip-prefix ISIS[ASBR1]isis 1[ASBR1-isis-1]import-route bgp route-policy bgptoisis[ASBR1]bgp 100[ASBR1-bgp]import-route isis 1 route-policy isistobgp
ASBR2配置:
[ASBR2]ip ip-prefix ISIS permit 172.16.0.0 16 greater-equal 32 less-equal 32[ASBR2]route-policy bgptoisis permit node 10[ASBR2-route-policy]apply tag 20[ASBR2-route-policy]quit[ASBR2]route-policy isistobgp deny node 10[ASBR2-route-policy]if-match tag 10[ASBR2-route-policy]quit[ASBR2]route-policy isistobgp permit node 20[ASBR2-route-policy]if-match ip-prefix ISIS[ASBR2]isis 1[ASBR2-isis-1]import-route bgp route-policy bgptoisis[ASBR2]bgp 100[ASBR2-bgp]import-route isis 1 route-policy isistobgp
ASBR3配置:
[ASBR3]ip ip-prefix ISIS permit 172.16.0.0 16 greater-equal 32 less-equal 32[ASBR3]route-policy bgptoisis permit node 10[ASBR3-route-policy]apply tag 30[ASBR3-route-policy]quit[ASBR3]route-policy isistobgp deny node 10[ASBR3-route-policy]if-match tag 40[ASBR3-route-policy]quit[ASBR3]route-policy isistobgp permit node 20[ASBR3-route-policy]if-match ip-prefix ISIS[ASBR3]isis 1[ASBR3-isis-1]import-route bgp route-policy bgptoisis[ASBR3]bgp 100[ASBR3-bgp]import-route isis 1 route-policy isistobgp
ASBR4配置:
[ASBR4]ip ip-prefix ISIS permit 172.16.0.0 16 greater-equal 32 less-equal 32[ASBR4]route-policy bgptoisis permit node 10[ASBR4-route-policy]apply tag 40[ASBR4-route-policy]quit[ASBR4]route-policy isistobgp deny node 10[ASBR4-route-policy]if-match tag 30[ASBR4-route-policy]quit[ASBR4]route-policy isistobgp permit node 20[ASBR4-route-policy]if-match ip-prefix ISIS[ASBR4]isis 1[ASBR4-isis-1]import-route bgp route-policy bgptoisis[ASBR4]bgp 100[ASBR4-bgp]import-route isis 1 route-policy isistobgp
- 控制流量走向
**
- 在ASBR上做策略,例如ASBR1上做匹配奇数IP,172.16.1.1 0.0.0.254,抓取到的IP就为172.16.1.1 .3 .5,这样就可以抓取到对端AS200的奇数IP,172.16.1.7 .9 .11,然后在BGP中对路由优先级进行策略,匹配到这些IP的路由优先级调至10。
ASBR1/ASBR3配置:对奇数IP优先级调为10**
[ASBR1]acl 2000[ASBR1-acl-basic-2000]rule permit source 172.16.1.1 0.0.0.254[ASBR1]route-policy preference permit node 10[ASBR1-route-policy]if-match acl 2000[ASBR1-route-policy]apply preference 10[ASBR1]bgp 100[ASBR1-bgp]preference route-policy preference------------------------------------------------------------------------------------------[ASBR3]acl 2000[ASBR3-acl-basic-2000]rule permit source 172.16.1.1 0.0.0.254[ASBR3]route-policy preference permit node 10[ASBR3-route-policy]if-match acl 2000[ASBR3-route-policy]apply preference 10[ASBR3]bgp 200[ASBR3-bgp]preference route-policy preference
ASBR2/ASBR4配置:对偶数IP优先级调为10**
[ASBR2]acl 2000[ASBR2-acl-basic-2000]rule permit source 172.16.1.0 0.0.0.254[ASBR2]route-policy preference permit node 10[ASBR2-route-policy]if-match acl 2000[ASBR2-route-policy]apply preference 10[ASBR2]bgp 100[ASBR2-bgp]preference route-policy preference------------------------------------------------------------------------------------------[ASBR4]acl 2000[ASBR4-acl-basic-2000]rule permit source 172.16.1.0 0.0.0.254[ASBR4]route-policy preference permit node 10[ASBR4-route-policy]if-match acl 2000[ASBR4-route-policy]apply preference 10[ASBR4]bgp 100[ASBR4-bgp]preference route-policy preference
最终效果:
- 在PE3/PE4上修改BGP local-preference属性,实现CE3/CE4访问非直连的10.3.X.0/24网段时,若X为奇数,PE3/PE4优选下一跳为PE1,若X为偶数,PE3/PE4优选下一跳为PE2,不用考虑来回路径是否一致。
PE3/PE4配置:
[PE3]ip ip-prefix PE1 permit 172.16.1.1 32[PE3]ip ip-prefix PE2 permit 172.16.1.20 32[PE3]acl 2000[PE3-acl-basic-2000]rule permit source 10.3.1.0 0.0.254.0[PE3]acl 2001[PE3-acl-basic-2001]rule permit source 10.3.0.0 0.0.254.0[PE3]route-policy local permit node 10[PE3-route-policy]if-match acl 2000[PE3-route-policy]if-match ip next-hop ip-prefix PE1[PE3-route-policy]apply local-preference 200[PE3-route-policy]quit[PE3]route-policy local permit node 20[PE3-route-policy]if-match acl 2001[PE3-route-policy]if-match ip next-hop ip-prefix PE2[PE3-route-policy]apply local-preference 200[PE3-route-policy]quit[PE3]route-policy local permit node 100[PE3]bgp 200[PE3-bgp]ipv4-family vpnv4[PE3-bgp-af-vpnv4]peer 172.16.1.9 route-policy local import------------------------------------------------------------------------------------------[PE4]ip ip-prefix PE1 permit 172.16.1.1 32[PE4]ip ip-prefix PE2 permit 172.16.1.20 32[PE4]acl 2000[PE4-acl-basic-2000]rule permit source 10.3.1.0 0.0.254.0[PE4]acl 2001[PE4-acl-basic-2001]rule permit source 10.3.0.0 0.0.254.0[PE4]route-policy local permit node 10[PE4-route-policy]if-match acl 2000[PE4-route-policy]if-match ip next-hop ip-prefix PE1[PE4-route-policy]apply local-preference 200[PE4-route-policy]quit[PE4]route-policy local permit node 20[PE4-route-policy]if-match acl 2001[PE4-route-policy]if-match ip next-hop ip-prefix PE2[PE4-route-policy]apply local-preference 200[PE4-route-policy]quit[PE4]route-policy local permit node 100[PE4]bgp 200[PE4-bgp]ipv4-family vpnv4[PE4-bgp-af-vpnv4]peer 172.16.1.9 route-policy local import
最终效果:奇数网段优选下一跳为PE1,偶数网段优选下一跳为PE2
四、Feature
4.1 HA
- CE1配置静态的默认路由访问ISP,下一跳IP为100.0.1.2。默认该路由要与CE1-ISP链路的BFD绑定(CE1的对端设备不支持BFD),感知故障时间要小于150ms。(2分)
CE1配置:
[CE1]bfd[CE1]bfd ISP bind peer-ip 100.0.1.2 interface GigabitEthernet 2/0/1 one-arm-echo[CE1-bfd-session-isp]discriminator local 1[CE1-bfd-session-isp]min-echo-rx-interval 30[CE1-bfd-session-isp]commit[CE1]ip route-static 0.0.0.0 0 100.0.1.2 track bfd-session ISP
- CE1配置静态的默认路由访问ISP,下一跳IP为100.0.1.2。默认路由要与CE1-ISP链路的NQA ICMP测试,每隔3S测试例执行1次。
CE1配置:
[CE1]nqa test-instance ISP ICMP[CE1-nqa-ISP-ICMP]test-type icmp[CE1-nqa-ISP-ICMP]destination-address ipv4 100.0.1.2[CE1-nqa-ISP-ICMP]frequency 3[CE1-nqa-ISP-ICMP]start now[CE1]ip route-static 0.0.0.0 0 100.0.1.2 track nqa ISP ICMP
- CE2、CE3、CE4能够通过默认路由访问ISP。(4分)
CE1/CE2配置:
[CE1]ospf 1[CE1-ospf-1]default-route-advertise[CE1]bgp 65000[CE1-bgp]peer 10.2.11.6 default-route-advertise conditional-route-match-all 0.0.0.0 0------------------------------------------------------------------------------------------[CE2]ospf 1[CE2-ospf-1]default-route-advertise[CE2]bgp 65000[CE2-bgp]peer 10.2.22.6 default-route-advertise conditional-route-match-all 0.0.0.0 0
PE3/PE4配置:
[PE3]ospf 2 vpn-instance VPN1[PE3-ospf-2]default-route-advertise------------------------------------------------------------------------------------------[PE4]ospf 2 vpn-instance VPN1[PE4-ospf-2]default-route-advertise
4.2 NAT
- 在CE1上,10.3.0.0/16(不包含10.3.2.10)的内网地址转换为102.0.1.2-102.0.1.6,通过GE2/0/1访问ISP。Server1拥有单独的公网地址102.0.1.1,对ISP提供FTP和HTTP服务。(2分)
CE1配置:
[CE1]nat alg ftp enable[CE1]nat address-group 1 102.0.1.2 102.0.1.6[CE1]acl 2000[CE1-acl-basic-2000]rule deny source 10.3.2.10 0.0.0.0[CE1-acl-basic-2000]rule permit source 10.3.0.0 0.0.255.255[CE1]int GigabitEthernet 2/0/1[CE1-GigabitEthernet2/0/1]nat outbound 2000 address-group 1[CE1-GigabitEthernet2/0/1]nat server protocol tcp global 102.0.1.1 www inside 10.3.2.10 www[CE1-GigabitEthernet2/0/1]nat server protocol tcp global 102.0.1.1 ftp inside 10.3.2.10 ftp
最终效果:
4.3 QOS
- 在CE1的G2/0/1,周一至周五的8:00-18:00点,对TCP目的端口号6881-6999的流量,承诺的平均速率为1Mbps。(3分)
CE1配置:
[CE1]time-range working 8:00 to 18:00 working-day[CE1]acl 3000[CE1-acl-adv-3000]rule permit tcp destination-port range 6881 6999 time-range working[CE1]interface GigabitEthernet 2/0/1[CE1-GigabitEthernet2/0/1]qos car outbound acl 3000 cir 1024
五、IPv6
5.1 基本配置
- 所有设备的接口IPv6地址,按照图中配置。(除PE1-RR1的逻辑接口之外,已预配)
PE1/RR1配置:
[PE1]int Ip-Trunk 1[PE1-Ip-Trunk1]ipv6 enable[PE1-Ip-Trunk1]ipv6 address 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:1300/127------------------------------------------------------------------------------------------[RR1]int Ip-Trunk 1[RR1-Ip-Trunk1]ipv6 enable[RR1-Ip-Trunk1]ipv6 address 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:1301/127
5.2 IPv6 ISIS
- 如图,PE1、PE2、RR1、P1、ASBR1、ASBR2运行ISIS协议。各直连网段通告入ISIS,配置各链路cost。
PE1/PE2/RR1/P1/ASBR1/ASBR2配置:**
[PE1]isis 1[PE1-isis-1]ipv6 enable topology ipv6[PE1]int GigabitEthernet0/0/0[PE1-GigabitEthernet0/0/0]isis ipv6 enable[PE1-GigabitEthernet0/0/0]isis ipv6 cost 20[PE1]int Ip-Trunk 1[PE1-Ip-Trunk1]isis ipv6 enable[PE1-Ip-Trunk1]isis ipv6 cost 1550[PE1]int LoopBack0[PE1-LoopBack0]isis ipv6 enable------------------------------------------------------------------------------------------[PE2]isis 1[PE2-isis-1]ipv6 enable topology ipv6[PE2]int GigabitEthernet0/0/0[PE2-GigabitEthernet0/0/0]isis ipv6 enable[PE2-GigabitEthernet0/0/0]isis ipv6 cost 20[PE2]int GigabitEthernet0/0/2[PE2-GigabitEthernet0/0/2]isis ipv6 enable[PE2-GigabitEthernet0/0/2]isis ipv6 cost 1500[PE2]int LoopBack0[PE2-LoopBack0]isis ipv6 enable------------------------------------------------------------------------------------------[RR1]isis 1[RR1-isis-1]ipv6 enable topology ipv6[RR1]int GigabitEthernet0/0/0[RR1-GigabitEthernet0/0/0]isis ipv6 enable[RR1-GigabitEthernet0/0/0]isis ipv6 cost 80[RR1]int GigabitEthernet0/0/1[RR1-GigabitEthernet0/0/1]isis ipv6 enable[RR1-GigabitEthernet0/0/1]isis ipv6 cost 860[RR1]int Ip-Trunk 1[RR1-Ip-Trunk1]isis ipv6 enable[RR1-Ip-Trunk1]isis ipv6 cost 1550[RR1]int LoopBack0[RR1-LoopBack0]isis ipv6 enable------------------------------------------------------------------------------------------[P1]isis 1[P1-isis-1]ipv6 enable topology ipv6[P1]int GigabitEthernet0/0/0[P1-GigabitEthernet0/0/0]isis ipv6 enable[P1-GigabitEthernet0/0/0]isis ipv6 cost 80[P1]int GigabitEthernet0/0/2[P1-GigabitEthernet0/0/2]isis ipv6 enable[P1-GigabitEthernet0/0/2]isis ipv6 cost 1500[P1]interface GigabitEthernet0/0/1[P1-GigabitEthernet0/0/1]isis ipv6 enable[P1-GigabitEthernet0/0/1]isis ipv6 cost 1000[P1]int LoopBack0[P1-LoopBack0]isis ipv6 enable------------------------------------------------------------------------------------------[ASBR1]isis 1[ASBR1-isis-1]ipv6 enable topology ipv6[ASBR1]int GigabitEthernet0/0/1[ASBR1-GigabitEthernet0/0/1]isis ipv6 enable[ASBR1-GigabitEthernet0/0/1]isis ipv6 cost 860[ASBR1]int GigabitEthernet0/0/0[ASBR1-GigabitEthernet0/0/0]isis ipv6 enable[ASBR1-GigabitEthernet0/0/0]isis ipv6 cost 100[ASBR1]int LoopBack0[ASBR1-LoopBack0]isis ipv6 enable------------------------------------------------------------------------------------------[ASBR2]isis 1[ASBR2-isis-1]ipv6 enable topology ipv6[ASBR2]int GigabitEthernet0/0/1[ASBR2-GigabitEthernet0/0/1]isis ipv6 enable[ASBR2-GigabitEthernet0/0/1]isis ipv6 cost 1000[ASBR2]int GigabitEthernet0/0/[ASBR2-GigabitEthernet0/0/0]isis ipv6 enable[ASBR2-GigabitEthernet0/0/0]isis ipv6 cost 100[ASBR2]int LoopBack0[ASBR2-LoopBack0]isis ipv6 enable
IPv6路由渗透(为了防止IPv6的ISIS路由的次优路径,在RR1/P1上配置路由泄露)
RR1/P1配置:
[RR1]isis 1[RR1-isis-1]ipv6 import-route isis level-2 into level-1------------------------------------------------------------------------------------------[P1]isis 1[P1-isis-1]ipv6 import-route isis level-2 into level-1
5.3 IPv6组播
- AS100域内所有设备,启用PIM SM
PE1/PE2/RR1/P1/ASBR1/ASBR2配置:
[PE1]multicast ipv6 routing-enable[PE1]int Ip-Trunk 1[PE1-Ip-Trunk1]pim ipv6 sm[PE1]int GigabitEthernet0/0/0[PE1-GigabitEthernet0/0/0]pim ipv6 sm------------------------------------------------------------------------------------------[PE2]multicast ipv6 routing-enable[PE2]int GigabitEthernet0/0/0[PE2-GigabitEthernet0/0/0]pim ipv6 sm[PE2]int GigabitEthernet0/0/2[PE2-GigabitEthernet0/0/2]pim ipv6 sm------------------------------------------------------------------------------------------[RR1]multicast ipv6 routing-enable[RR1]int GigabitEthernet0/0/0[RR1-GigabitEthernet0/0/0]pim ipv6 sm[RR1]int GigabitEthernet0/0/1[RR1-GigabitEthernet0/0/1]pim ipv6 sm[RR1]int Ip-Trunk 1[RR1-Ip-Trunk1]pim ipv6 sm------------------------------------------------------------------------------------------[P1]multicast ipv6 routing-enable[P1-GigabitEthernet0/0/0]pim ipv6 sm[P1]int GigabitEthernet0/0/1[P1-GigabitEthernet0/0/1]pim ipv6 sm[P1]int GigabitEthernet0/0/2[P1-GigabitEthernet0/0/2]pim ipv6 sm------------------------------------------------------------------------------------------[ASBR1]multicast ipv6 routing-enable[ASBR1]int GigabitEthernet0/0/0[ASBR1-GigabitEthernet0/0/0]pim ipv6 sm[ASBR1]int GigabitEthernet0/0/1[ASBR1-GigabitEthernet0/0/1]pim ipv6 sm------------------------------------------------------------------------------------------[ASBR2]multicast ipv6 routing-enable[ASBR2]int GigabitEthernet0/0/0[ASBR2-GigabitEthernet0/0/0]pim ipv6 sm[ASBR2]int GigabitEthernet0/0/1[ASBR2-GigabitEthernet0/0/1]pim ipv6 sm
- ASBR1,ASBR2的loopback0为C-BSR和C-RP,RP范围FF1E::/112,ASBR1为主BSR,ASBR2为主RP,PE1的E0/0/0加入组FF1E::AA,无论哪台设备作为RP,都需要能够生成(*,G)路由。
ASBR1/ASBR2配置RP和BSR:
[ASBR1]int LoopBack0[ASBR1-LoopBack0]pim ipv6 sm[ASBR1]acl ipv6 2000[ASBR1-acl6-basic-2000]rule permit source FF1E::/112[ASBR1]pim-ipv6[ASBR1-pim6]c-bsr priority 255[ASBR1-pim6]c-bsr 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA5[ASBR1-pim6]c-rp 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA5 group-policy 2000------------------------------------------------------------------------------------------[ASBR2]int LoopBack0[ASBR2-LoopBack0]pim ipv6 sm[ASBR2]acl ipv6 2000[ASBR2-acl6-basic-2000]rule permit source FF1E::/112[ASBR2]pim-ipv6[ASBR2-pim6]c-bsr priority 254[ASBR2-pim6]c-bsr 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA6[ASBR2-pim6]c-rp 2000:EAD8:99EF:CC3E:B2AD:9EFF:32DD:DCA6 group-policy 2000[ASBR2-pim6]c-rp priority 0
PE1配置:将E0/0/0接口静态加入组播组**
[PE1]int Ethernet0/0/0[PE1-Ethernet0/0/0]mld static-group FF1E::AA
最终效果:
- 不管哪台设备作为是RP,产生的(*,G)的路由不能有次优问题。
这个需求在前面做ISIS IPv6路由泄露已经解决!
若有收获,就点个赞吧
0 人点赞
