Segment Routing MPLS：配置L3VPN迭代SR-BE隧道示例

本次实验目的

配置L3VPN，保证相同VPN用户之间的安全互访。

组网需求

配置L3VPN迭代SR-BE隧道，保证相同VPN用户之间的安全互访。同时由于公网PE之间存在多条链路，要求数据流量在公网能够进行负载分担。

配置思路

配置L3VPN迭代SR-BE隧道示例

骨干网上配置IS-IS实现PE之间的互通。

骨干网上使能MPLS，配置Segment Routing，建立SR LSP。使能TI-LFA FRR。

PE上配置使能IPv4地址族VPN实例，并把与CE相连的接口和相应的VPN实例绑定。

PE之间配置MP-IBGP交换路由信息。

CE与PE之间配置EBGP交换路由信息。

操作步骤:

配置接口的IP地址

配置PE1

PE1:interface LoopBack1 ip address 1.1.1.9 255.255.255.255interface Ethernet1/0/2 ip address 172.3.1.1 255.255.255.0interface Ethernet1/0/1 ip address 172.1.1.1 255.255.255.0

配置P1

P1:interface LoopBack1 ip address 2.2.2.9 255.255.255.255interface Ethernet1/0/0 ip address 172.1.1.2 255.255.255.0interface Ethernet1/0/1 ip address 172.2.1.1 255.255.255.0

配置PE2

PE2:interface LoopBack1 ip address 3.3.3.9 255.255.255.255interface Ethernet1/0/0 ip address 172.2.1.2 255.255.255.0interface Ethernet1/0/1 ip address 172.4.1.2 255.255.255.0

配置P2

P2:interface LoopBack1 ip address 4.4.4.9 255.255.255.255interface Ethernet1/0/1 ip address 172.3.1.2 255.255.255.0interface Ethernet1/0/0 ip address 172.4.1.1 255.255.255.0

在骨干网上配置IGP协议，实现骨干网PE和P的互通。本例中以IS-IS为例进行说明。

配置PE1

PE1:isis 1 is-level level-1 network-entity 10.0000.0000.0001.00interface Ethernet1/0/1 isis enable 1interface Ethernet1/0/2 isis enable 1

配置P1

P1:isis 1 is-level level-1 network-entity 10.0000.0000.0002.00interface Ethernet1/0/1 ip address 172.2.1.1 255.255.255.0interface Ethernet1/0/0 isis enable 1

配置PE2

PE2:isis 1 is-level level-1 network-entity 10.0000.0000.0003.00interface Ethernet1/0/0 isis enable 1interface Ethernet1/0/1 isis enable 1

配置P2

P2:isis 1 is-level level-1 network-entity 10.0000.0000.0004.00interface Ethernet1/0/1 isis enable 1interface Ethernet1/0/0 isis enable 1

在骨干网上配置MPLS基本能力

配置PE1

PE1:mpls lsr-id 1.1.1.9mpls

配置P1

P1:mpls lsr-id 2.2.2.9mpls

配置PE2

PE2:mpls lsr-id 3.3.3.9mpls

配置P2

P2:mpls lsr-id 4.4.4.9mpls

在骨干网上配置Segment Routing，同时使能TI-LFA FRR功能

配置PE1

PE1:segment-routingisis 1 cost-style wide segment-routing mpls segment-routing global-block 160000 161000 frr loop-free-alternate level-1 ti-lfa level-1interface LoopBack1 isis prefix-sid index 10

配置P1

P1:segment-routingisis 1 cost-style wide segment-routing mpls segment-routing global-block 160000 161000 frr loop-free-alternate level-1 ti-lfa level-1interface LoopBack1 isis prefix-sid index 20

配置PE2

PE2:segment-routingisis 1 cost-style wide segment-routing mpls segment-routing global-block 160000 161000 frr loop-free-alternate level-1 ti-lfa level-1interface LoopBack1 isis prefix-sid index 30

配置P2

PE2:segment-routingisis 1 cost-style wide segment-routing mpls segment-routing global-block 160000 161000 frr loop-free-alternate level-1 ti-lfa level-1interface LoopBack1 isis prefix-sid index 40

配置完成后，在PE设备上执行display tunnel-info all命令，可以看到SR LSP已建立。以PE1的显示为例。[~PE1-LoopBack1]dis tunnel-info allTunnel ID Type Destination Status----------------------------------------------------------------------------------------0x000000002900000042 srbe-lsp 2.2.2.9 UP 0x000000002900000043 srbe-lsp 3.3.3.9 UP 0x000000002900000045 srbe-lsp 4.4.4.9 UP [~PE1-LoopBack1]

在PE1上使用Ping检测SR LSP连通性，例如：

[~PE1-LoopBack1]ping lsp segment-routing ip 3.3.3.9 32 version draft2 LSP PING FEC: SEGMENT ROUTING IPV4 PREFIX 3.3.3.9/32 : 100 data bytes, press CTRL_C to break Reply from 3.3.3.9: bytes=100 Sequence=1 time=19 ms Reply from 3.3.3.9: bytes=100 Sequence=2 time=6 ms Reply from 3.3.3.9: bytes=100 Sequence=3 time=4 ms Reply from 3.3.3.9: bytes=100 Sequence=4 time=7 ms Reply from 3.3.3.9: bytes=100 Sequence=5 time=6 ms --- FEC: SEGMENT ROUTING IPV4 PREFIX 3.3.3.9/32 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 4/8/19 ms[~PE1-LoopBack1]

在PE之间建立MP-IBGP对等体关系

配置PE1

PE1:bgp 100 peer 3.3.3.9 as-number 100 peer 3.3.3.9 connect-interface LoopBack1 ipv4-family vpnv4 peer 3.3.3.9 enable

配置PE2

PE2:bgp 100 peer 1.1.1.9 as-number 100 peer 1.1.1.9 connect-interface LoopBack1 ipv4-family vpnv4 peer 1.1.1.9 enable

配置完成后，在PE设备上执行display bgp peer或display bgp vpnv4 all peer命令，可以看到PE之间的BGP对等体关系已建立，并达到Established状态。

以PE1的显示为例。

[~PE1-bgp]dis bgp peer BGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 1 Peers in established state : 1 Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv 3.3.3.9 4 100 4 4 0 00:00:29 Established 0[~PE1-bgp]dis bgp vpnv4 all peer BGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 1 Peers in established state : 1 Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv 3.3.3.9 4 100 4 4 0 00:00:49 Established 0[~PE1-bgp]

在PE设备上配置使能IPv4地址族的VPN实例，将CE接入PE

配置PE1

PE1:ip vpn-instance vpna ipv4-family route-distinguisher 100:1 vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunityinterface Ethernet1/0/0 ip binding vpn-instance vpna ip address 10.1.1.2 255.255.255.0

配置PE2

PE2:ip vpn-instance vpna ipv4-family route-distinguisher 200:1 vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunityinterface Ethernet1/0/2 ip binding vpn-instance vpna ip address 10.3.1.2 255.255.255.0

在PE设备上配置隧道选择策略，优选SR LSP。

配置PE1

PE1:tunnel-policy p1 tunnel select-seq sr-lsp load-balance-number 2ip vpn-instance vpna ipv4-family tnl-policy p1

配置PE2

PE2:tunnel-policy p1 tunnel select-seq sr-lsp load-balance-number 2ip vpn-instance vpna ipv4-family tnl-policy p1

在PE与CE之间建立EBGP对等体关系

配置CE1

CE1:interface LoopBack1 ip address 11.1.1.1 255.255.255.255interface Ethernet1/0/0 ip address 10.1.1.1 255.255.255.0bgp 65410 peer 10.1.1.2 as-number 100 ipv4-family unicast network 11.1.1.1 255.255.255.255

配置CE2

CE2:interface LoopBack1 ip address 22.2.2.2 255.255.255.255interface Ethernet1/0/0 ip address 10.2.1.1 255.255.255.0bgp 65420 peer 10.2.1.2 as-number 100 ipv4-family unicast network 22.2.2.2 255.255.255.255

配置PE1

PE1:bgp 100 ipv4-family vpn-instance vpna peer 10.1.1.1 as-number 65410

配置PE2

PE2:bgp 100 ipv4-family vpn-instance vpna peer 10.2.1.1 as-number 65420

配置完成后，在PE设备上执行display bgp vpnv4 vpn-instance peer命令，可以看到PE与CE之间的BGP对等体关系已建立，并达到Established状态。

以PE1与CE1的对等体关系为例：[~PE1-bgp]dis bgp vpnv4 vpn-instance vpna peer BGP local router ID : 1.1.1.9 Local AS number : 100 VPN-Instance vpna, Router ID 1.1.1.9: Total number of peers : 1 Peers in established state : 1 Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv 10.1.1.1 4 65410 5 5 0 00:01:09 Established 1[~PE1-bgp]

检查配置结果

在PE设备上执行display ip routing-table vpn-instance命令，可以看到去往CE上的Loopback接口路由。

以PE1的显示为例：

[~PE1]dis ip routing-table vpn-instance vpna Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route------------------------------------------------------------------------------Routing Table : vpna Destinations : 7 Routes : 7 Destination/Mask Proto Pre Cost Flags NextHop Interface 10.1.1.0/24 Direct 0 0 D 10.1.1.2 Ethernet1/0/0 10.1.1.2/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/0 10.1.1.255/32 Direct 0 0 D 127.0.0.1 Ethernet1/0/0 11.1.1.1/32 EBGP 255 0 RD 10.1.1.1 Ethernet1/0/0 22.2.2.2/32 IBGP 255 0 RD 3.3.3.9 Ethernet1/0/1 IBGP 255 0 RD 3.3.3.9 Ethernet1/0/2 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0[~PE1]

同一VPN的CE能够相互Ping通，例如：CE1能够Ping通CE2 （22.2.2.2）。

[~CE1-bgp]ping -a 11.1.1.1 22.2.2.2 PING 22.2.2.2: 56 data bytes, press CTRL_C to break Reply from 22.2.2.2: bytes=56 Sequence=1 ttl=252 time=13 ms Reply from 22.2.2.2: bytes=56 Sequence=2 ttl=252 time=9 ms Reply from 22.2.2.2: bytes=56 Sequence=3 ttl=252 time=13 ms Reply from 22.2.2.2: bytes=56 Sequence=4 ttl=252 time=10 ms Reply from 22.2.2.2: bytes=56 Sequence=5 ttl=252 time=11 ms --- 22.2.2.2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 9/11/13 ms[~CE1-bgp]

END