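Figure 8-2 Implementation topology for inter-AS MPLS VPN Option C (3)
Inter-AS MPLS VPN Option 3 (Option C) on Cisco service-provider IOS XR devices: a detailed walkthrough
When the MPLS backbone that carries VPN routes spans multiple ASes, inter-AS VPN must be configured. When each AS has a large number of VPN routes to exchange, inter-AS VPN Option C can be chosen so that the ASBRs do not become a bottleneck to further network growth; it also removes the Option B drawback that the ASBRs receive every customer's VPNv4 routes. In addition, Option C places multiprotocol BGP RR devices in the design, which makes the network architecture clearer.
The overall layered structure of Option C:
1. Implement the MP-BGP route reflector on the P devices; it receives VPNv4 routes and reflects them to the EBGP neighbor.
2. To build the BGP reflectors, establish an IPv4 unicast EBGP neighbor relationship between the ASBRs and IPv4 unicast IBGP neighbor relationships between each ASBR and its RR, which are used to advertise the reflectors' loopback interfaces.
3. Establish multiprotocol iBGP neighbor relationships between the RR and the PEs, so that the customers' VPNv4 routes are advertised to the RR.
Label continuity is implemented later in this section.
We implement this case on the topology in Figure 8-2. Readers should make Option C a focus of their study; it is almost always tested in the service provider CCIE.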

8.3.1 Implementing the IGP and LDP within each AS

As shown in Figure 8-2, run OSPF in AS100 and IS-IS in AS200, and complete the LDP autoconfiguration.

AS200:
ASBR-R4(config)#router isis
ASBR-R4(config-router)# net 49.4567.0000.0000.4444.00
ASBR-R4(config-router)# mpls ldp autoconfig level-1
ASBR-R4(config-router)# is-type level-1
ASBR-R4(config-router)# metric-style wide
ASBR-R4(config-router)# log-adjacency-changes
ASBR-R4(config-router)#int lo0
ASBR-R4(config-if)#ip router isis
ASBR-R4(config-if)#int e0/1
ASBR-R4(config-if)#ip router isis
ASBR-R4(config-if)#int e0/3      
ASBR-R4(config-if)#ip router isis
!
RR-R5(config)#router isis
RR-R5(config-router)# net 49.4567.0000.0000.5555.00
RR-R5(config-router)# is-type level-1
RR-R5(config-router)# metric-style wide
RR-R5(config-router)# log-adjacency-changes
RR-R5(config-router)#mpls ldp autoconfig level-1
RR-R5(config-router)#
RR-R5(config-router)#exi
RR-R5(config)#int lo0
RR-R5(config-if)#ip router isis
RR-R5(config-if)#int r e0/0 - 1
RR-R5(config-if-range)#ip router isis
!
PE-R6(config)#router isis
PE-R6(config-router)# mpls ldp autoconfig level-1
PE-R6(config-router)# is-type level-1
PE-R6(config-router)# metric-style wide
PE-R6(config-router)# log-adjacency-changes
PE-R6(config-router)#  net 49.4567.0000.0000.6666.00  
PE-R6(config-router)# 
PE-R6(config-router)#exi
PE-R6(config)#int lo0
PE-R6(config-if)#ip router isis
PE-R6(config-if)#int r e0/1 - 2
PE-R6(config-if-range)#ip router isis

Verify the IS-IS neighbors and LDP neighbors
RR-R5#show isis neighbors

System Id Type Interface IP Address State Holdtime Circuit Id
ASBR-R4 L1 Et0/0 45.1.1.4 UP 22 RR-R5.01
PE-R6 L1 Et0/1 56.1.1.6 UP 25 RR-R5.02
RR-R5#show mpls ldp neighbor
Peer LDP Ident: 44.1.1.1:0; Local LDP Ident 55.1.1.1:0
TCP connection: 44.1.1.1.646 - 55.1.1.1.35275
State: Oper; Msgs sent/rcvd: 14/15; Downstream
Up time: 00:04:40
LDP discovery sources:
Ethernet0/0, Src IP addr: 45.1.1.4
Addresses bound to peer LDP Ident:
45.1.1.4 24.1.1.4 46.1.1.4 44.1.1.1
Peer LDP Ident: 66.1.1.1:0; Local LDP Ident 55.1.1.1:0
TCP connection: 66.1.1.1.22823 - 55.1.1.1.646
State: Oper; Msgs sent/rcvd: 13/14; Downstream
Up time: 00:04:35
LDP discovery sources:
Ethernet0/1, Src IP addr: 56.1.1.6
Addresses bound to peer LDP Ident:
56.1.1.6 46.1.1.6 66.1.1.1
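Check the label forwarding table. Because the P device happens to be the penultimate hop of the LSP, the labels it sees toward the ASBR and PE loopbacks should be Pop.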
RR-R5#show mpls forwarding-table
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
16 Pop Label 44.1.1.1/32 0 Et0/0 45.1.1.4
17 Pop Label 46.1.1.0/24 0 Et0/0 45.1.1.4
Pop Label 46.1.1.0/24 0 Et0/1 56.1.1.6
18 Pop Label 66.1.1.1/32 0 Et0/1 56.1.1.6
AS100 configuration

R3:
router ospf 110
 mpls ldp autoconfig area 0
!
interface Loopback0
 ip address 33.1.1.1 255.255.255.255
 ip ospf 110 area 0
!
interface Ethernet0/1
 ip address 23.1.1.3 255.255.255.0
 ip ospf 110 area 0
!
interface Ethernet0/2
 ip address 13.1.1.3 255.255.255.0
 ip ospf 110 area 0
end
XR1:
router ospf 110
 area 0
  mpls ldp auto-config
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/0
  !
  interface GigabitEthernet0/0/0/1
!
mpls ldp
 router-id 11.1.1.1

XR2:
router ospf 110
 area 0
  mpls ldp auto-config
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/0
  !
  interface GigabitEthernet0/0/0/2
  !
 !
!
mpls ldp
 router-id 22.1.1.1

Verify the OSPF neighbors, LDP neighbors and label forwarding table
RR-R3#show ip ospf nei

Neighbor ID Pri State Dead Time Address Interface
11.1.1.1 1 FULL/BDR 00:00:31 13.1.1.1 Ethernet0/2
22.1.1.1 1 FULL/BDR 00:00:34 23.1.1.2 Ethernet0/1
RR-R3#show mpls ldp neighbor
Peer LDP Ident: 11.1.1.1:0; Local LDP Ident 33.1.1.1:0
TCP connection: 11.1.1.1.646 - 33.1.1.1.16513
State: Oper; Msgs sent/rcvd: 17/18; Downstream
Up time: 00:08:07
LDP discovery sources:
Ethernet0/2, Src IP addr: 13.1.1.1
Addresses bound to peer LDP Ident:
12.1.1.1 13.1.1.1 11.1.1.1
Peer LDP Ident: 22.1.1.1:0; Local LDP Ident 33.1.1.1:0
TCP connection: 22.1.1.1.646 - 33.1.1.1.49735
State: Oper; Msgs sent/rcvd: 14/15; Downstream
Up time: 00:04:20
LDP discovery sources:
Ethernet0/1, Src IP addr: 23.1.1.2
Addresses bound to peer LDP Ident:
22.1.1.1 23.1.1.2 12.1.1.2
Duplicate Addresses advertised by peer:
13.1.1.1
RR-R3#show mpls forwarding-table
Local Outgoing Prefix Bytes Label Outgoing Next Hop
Label Label or Tunnel Id Switched interface
16 Pop Label 12.1.1.0/24 0 Et0/2 13.1.1.1
Pop Label 12.1.1.0/24 0 Et0/1 23.1.1.2
17 Pop Label 11.1.1.1/32 599 Et0/2 13.1.1.1
18 Pop Label 22.1.1.1/32 503 Et0/1 23.1.1.2
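The intra-AS configuration of both ASes is now complete.

8.3.2 Building the MP-EBGP neighbor relationship between the RRs

For the RRs to establish an EBGP neighbor relationship, an IPv4 unicast EBGP session is needed between the two ASBRs, together with IBGP sessions between each RR and its ASBR. That is, R2 and R4 form an EBGP neighbor relationship, and R3 with R2 and R5 with R4 form IBGP neighbor relationships. The loopbacks of R3 and R5 are then advertised so that the two can establish EBGP.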

XR2:
route-policy EBGP
  pass
end-policy
router bgp 100
 address-family ipv4 unicast
 !
 neighbor 24.1.1.4
  remote-as 200
  address-family ipv4 unicast
   route-policy EBGP in
   route-policy EBGP out
  !
 !
 neighbor 33.1.1.1
  remote-as 100
  update-source Loopback0
  address-family ipv4 unicast
   next-hop-self
!
R3:
router bgp 100
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 22.1.1.1 remote-as 100
 neighbor 22.1.1.1 update-source Loopback0
 !
 address-family ipv4
  network 33.1.1.1 mask 255.255.255.255
  neighbor 22.1.1.1 route-reflector-client
  neighbor 22.1.1.1 activate
!
ASBR-R4
router bgp 200
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 24.1.1.2 remote-as 100
 neighbor 55.1.1.1 remote-as 200
 neighbor 55.1.1.1 update-source Loopback0
 !
 address-family ipv4
  neighbor 24.1.1.2 activate
  neighbor 55.1.1.1 activate
  neighbor 55.1.1.1 next-hop-self
!
R5:
router bgp 200
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 44.1.1.1 remote-as 200
 neighbor 44.1.1.1 update-source Loopback0
 !
 address-family ipv4
  network 55.1.1.1 mask 255.255.255.255
  neighbor 44.1.1.1 route-reflector-client
  neighbor 44.1.1.1 activate

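This step is just the routine work of establishing IPv4 unicast BGP neighbors and advertising the RR loopback routes.
RP/0/0/CPU0:ASBR-2#show bgp ipv4 unicast summary //The ASBR has successfully established its EBGP and IBGP neighbors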
Fri Oct 14 12:52:56.454 UTC
BGP router identifier 22.1.1.1, local AS number 100
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0xe0000000 RD version: 4
BGP main routing table version 4
BGP scan interval 60 secs

BGP is operating in STANDALONE mode.

Process RcvTblVer bRIB/RIB LabelVer ImportVer SendTblVer StandbyVer
Speaker 4 4 4 4 4 4

Neighbor Spk AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down St/PfxRcd
24.1.1.4 0 200 109 99 4 0 0 01:35:33 1
33.1.1.1 0 100 118 104 4 0 0 01:40:52 1
Our goal is for the loopbacks of R3 and R5 to be able to communicate, so let's look at the routes learned through BGP
RR-R3#show ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route

       + - replicated route, % - next hop override

Gateway of last resort is not set

  55.0.0.0/32 is subnetted, 1 subnets

B 55.1.1.1 [200/0] via 22.1.1.1, 00:21:30
RR-R5#show ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route

       + - replicated route, % - next hop override

Gateway of last resort is not set

  33.0.0.0/32 is subnetted, 1 subnets

B 33.1.1.1 [200/0] via 44.1.1.1, 01:41:23
RR-R5#ping 33.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 55.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
The loopbacks can now communicate, so we can now build the MP-EBGP neighbor relationship

RR-R5(config)#router bgp 200
RR-R5(config-router)#neighbor 33.1.1.1 remote-as 100     
RR-R5(config-router)#neighbor 33.1.1.1 update-source lo0
RR-R5(config-router)#neighbor 33.1.1.1 ebgp-multihop 
RR-R5(config-router)#address-family vpnv4              
RR-R5(config-router-af)#neighbor 33.1.1.1 activate 
!
RR-R3(config)#router bgp 100
RR-R3(config-router)#neighbor 55.1.1.1 remote-as 200        
RR-R3(config-router)#neighbor 55.1.1.1 update-source lo0              
RR-R3(config-router)#neighbor 55.1.1.1 ebgp-multihop 
RR-R3(config-router)#address-family vpnv4            
RR-R3(config-router-af)#neighbor 55.1.1.1 activate

The multiprotocol BGP session between the RRs is now established
RR-R3#show bgp vpnv4 unicast all summary
BGP router identifier 33.1.1.1, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
55.1.1.1 4 200 11 12 1 0 0 00:08:03 0
RR-R5#show bgp vpnv4 unicast all summary
BGP router identifier 55.1.1.1, local AS number 200
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
33.1.1.1 4 100 12 12 1 0 0 00:08:35 0
RR-R5#

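8.3.3 Building the MP-iBGP neighbor relationship between the RR and the PE devices

The purpose of this step is for the customer VPNv4 routes learned by the PE to be advertised to the RR, and then for the RR to advertise them to its EBGP peer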
XR1:

router bgp 100
 address-family vpnv4 unicast
 !
 neighbor 33.1.1.1
  remote-as 100
  update-source Loopback0
  address-family vpnv4 unicast
!
R3:
RR-R3(config)#router bgp 100
RR-R3(config-router)#neighbor 11.1.1.1 remote-as 100         
RR-R3(config-router)#neighbor 11.1.1.1 update-source lo0
RR-R3(config-router)#address-family vpnv4 unicast             
RR-R3(config-router-af)#neighbor 11.1.1.1 activate 
RR-R3(config-router-af)#neighbor 11.1.1.1 route-reflector-client
!
R5:
RR-R5(config)#router bgp 200
RR-R5(config-router)#neighbor 66.1.1.1 remote-as 200       
RR-R5(config-router)#neighbor 66.1.1.1 update-source lo0
RR-R5(config-router)#address-family vpnv4 unicast 
RR-R5(config-router-af)#neighbor 66.1.1.1 route-reflector-client
!
PE-R6(config)#router bgp 200
PE-R6(config-router)#neighbor 55.1.1.1 remote-as 200         
PE-R6(config-router)#neighbor 55.1.1.1 update-source lo0
PE-R6(config-router)#address-family vpnv4 
PE-R6(config-router-af)#neighbor 55.1.1.1 update-source lo0             
PE-R6(config-router-af)#neighbor 55.1.1.1 activate 
PE-R6(config-router-af)#

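Verify the MP-BGP neighbors
RR-R5#show bgp vpnv4 unicast all summary //The RR has an iBGP neighbor relationship with the PE in its own AS and an EBGP neighbor relationship with the RR in the remote AS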
BGP router identifier 55.1.1.1, local AS number 200
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
33.1.1.1 4 100 330 328 1 0 0 04:54:47 0
66.1.1.1 4 200 5 5 1 0 0 00:01:23 0
RP/0/0/CPU0:PE-XR1#show bgp vpnv4 unicast summary //The PE and the RR have established a normal BGP neighbor relationship
Fri Oct 14 17:52:32.823 UTC
BGP router identifier 11.1.1.1, local AS number 100
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0x0 RD version: 0
BGP main routing table version 1
BGP scan interval 60 secs

BGP is operating in STANDALONE mode.

Process RcvTblVer bRIB/RIB LabelVer ImportVer SendTblVer StandbyVer
Speaker 1 1 1 1 1 1

Neighbor Spk AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down St/PfxRcd
33.1.1.1 0 100 8 6 1 0 0 00:03:41 0

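8.3.4 Implementing the VRF and the customer-facing BGP to obtain VPNv4 routes

The main purpose of this step is to learn the customer routes and advertise them to the other CE sites
Implement the VRF on the XR device and establish an EBGP neighbor relationship with R8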

vrf Ender
 address-family ipv4 unicast
  import route-target
   100:200
  !
  export route-target
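   100:200 //Set the RT value to 100:200
  !
 !
!
interface GigabitEthernet0/0/0/3
 vrf Ender //Place the CE-facing interface into the VRF
 ipv4 address 18.1.1.1 255.255.255.0
 no shutdown
!
router bgp 100
 vrf Ender
  rd 100:200 //Set the RD under the BGP vrf; the value is user-defined
  address-family ipv4 unicast //Initialize the IPv4 unicast address family under the BGP vrf
  !
  neighbor 18.1.1.8
   remote-as 300
   address-family ipv4 unicast
    as-override //Activate the IPv4 neighbor toward the CE and configure AS override so that the CE can receive the routes of the other CE sites; this solves routes being rejected by EBGP loop prevention
    route-policy PASS in
    route-policy PASS out //Apply a permit-all policy to the EBGP neighbor; otherwise the default policy is to drop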
!
route-policy PASS
  pass
end-policy
R8:
router bgp 300
 bgp log-neighbor-changes
 network 88.1.1.1 mask 255.255.255.255
 neighbor 18.1.1.1 remote-as 100

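We can look at R3 directly: if the PE and CE have established their neighbor relationship, the PE will advertise the routes to R3
RR-R3#show bgp vpnv4 unicast all //R3 has received the routes of its own AS normally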
BGP table version is 2, local router ID is 33.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

 Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 100:200
*>i 88.1.1.1/32 11.1.1.1 0 100 0 300 i
AS100 is now complete; next we configure the PE and CE in AS200

PE-R6:
PE-R6(config)#vrf definition Ender
PE-R6(config-vrf)#rd 100:200
PE-R6(config-vrf)#address-family ipv4          
PE-R6(config-vrf-af)#route-target 100:200
!
PE-R6(config-vrf)#int e0/3
PE-R6(config-if)#no shu
PE-R6(config-if)#vrf forwarding Ender
PE-R6(config-if)#ip add 67.1.1.6 255.255.255.0
!
PE-R6(config)#router bgp 200
PE-R6(config-router)#address-family ipv4 vrf Ender
PE-R6(config-router-af)#neighbor 67.1.1.7 remote-as 300
PE-R6(config-router-af)#  neighbor 67.1.1.7 as-override 
!
R7:
router bgp 300
 bgp log-neighbor-changes
 network 77.1.1.1 mask 255.255.255.255
 neighbor 67.1.1.6 remote-as 200

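Verify whether the RR has received the customer routes from its own AS side
RR-R5#show bgp vpnv4 unicast all //The RR has received the loopback routes of the customers on both sides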
BGP table version is 3, local router ID is 55.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

 Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 100:200
*>i 77.1.1.1/32 66.1.1.1 0 100 0 300 i
*> 88.1.1.1/32 33.1.1.1 0 100 300 i
But don't celebrate too early; let's check the CE sites
CE-R7#show ip route b
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route

       + - replicated route, % - next hop override

Gateway of last resort is not set

CE-R7#
CE-R8#show ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route

       + - replicated route, % - next hop override

Gateway of last resort is not set

CE-R8#
We find the CE sites completely empty. At this point we must check whether the PE devices have received the full set of routes
RP/0/0/CPU0:PE-XR1#show bgp vpnv4 unicast
Fri Oct 14 18:16:21.345 UTC
BGP router identifier 11.1.1.1, local AS number 100
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0x0 RD version: 0
BGP main routing table version 4
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:200 (default for vrf Ender)

* i77.1.1.1/32 55.1.1.1 0 100 0 200 300 i
*> 88.1.1.1/32 18.1.1.8 0 0 300 i
PE-R6#show bgp vpnv4 unicast all
BGP table version is 2, local router ID is 66.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:200 (default for vrf Ender)
*> 77.1.1.1/32 67.1.1.7 0 0 300 i
* i 88.1.1.1/32 33.1.1.1 0 100 0 100 300 i //Here is the problem: the route learned from the other AS is not the best route
Clearly we forgot, at the multiprotocol BGP boundary, to configure the next-hop modification command on the RR toward the PE. There is another solution as well: the next hop is currently the loopback of the remote AS's RR, and a route to that address has already been learned through BGP, so that route could be conditionally redistributed into the IGP. Here we change the next hop instead.
RR-R3(config)#router bgp 100
RR-R3(config-router)#address-family vpnv4 unicast
RR-R3(config-router-af)#neighbor 11.1.1.1 next-hop-self
!
RR-R5(config)#router bgp 200
RR-R5(config-router)#address-family vpnv4
RR-R5(config-router-af)#neighbor 66.1.1.1 next-hop-self

Verify whether the VPNv4 routes received by the PEs are now best
RP/0/0/CPU0:PE-XR1#show bgp vpnv4 unicast
Fri Oct 14 18:22:40.049 UTC
BGP router identifier 11.1.1.1, local AS number 100
BGP generic scan interval 60 secs
BGP table state: Active
Table ID: 0x0 RD version: 0
BGP main routing table version 6
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:200 (default for vrf Ender)
*>i77.1.1.1/32 33.1.1.1 0 100 0 200 300 i //The route is now best, so it can be advertised to the CE
*> 88.1.1.1/32 18.1.1.8 0 0 300 i
PE-R6#show bgp vpnv4 unicast all
BGP table version is 3, local router ID is 66.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

 Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 100:200 (default for vrf Ender)
*> 77.1.1.1/32 67.1.1.7 0 0 300 i
*>i 88.1.1.1/32 55.1.1.1 0 100 0 100 300 i
Verify whether the CE sites now receive the routes normally
CE-R7#show ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route

       + - replicated route, % - next hop override

Gateway of last resort is not set

  88.0.0.0/32 is subnetted, 1 subnets

B 88.1.1.1 [20/0] via 67.1.1.6, 00:01:46
CE-R8#show ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route

       + - replicated route, % - next hop override

Gateway of last resort is not set

  77.0.0.0/32 is subnetted, 1 subnets

B 77.1.1.1 [20/0] via 18.1.1.1, 00:02:06
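Readers will see that the customer sites now receive the routes of the other sites normally. Data still cannot be exchanged, however, because the labels are not yet continuous.

8.3.5 Making the inter-AS MPLS LSP continuous

There are many label distribution protocols. The most commonly used is LDP, which distributes labels for the IGP routes within an AS; another tool that distributes labels for IPv4 unicast routes is BGP. In this section we use BGP to distribute labels for IPv4 unicast routes; the LDP approach is implemented in Section 13.4.
Let's look at the next hop toward VPNv4 route 88.1.1.1 on R6-PE, and the next hop toward VPNv4 route 88.1.1.1 on R5-RR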
PE-R6#show bgp vpnv4 unicast all
BGP table version is 3, local router ID is 66.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

 Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 100:200 (default for vrf Ender)
*> 77.1.1.1/32 67.1.1.7 0 0 300 i
*>i 88.1.1.1/32 55.1.1.1 0 100 0 100 300 i //The next hop is 55.1.1.1, and the route to 55.1.1.1 is learned through the IGP, so LDP has already distributed an LSP for it
RR-R5#show bgp vpnv4 unicast all
BGP table version is 3, local router ID is 55.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

 Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 100:200
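*>i 77.1.1.1/32 66.1.1.1 0 100 0 300 i
*> 88.1.1.1/32 33.1.1.1 0 100 300 i //On the RR, the next hop for this route is the update-source address of the remote AS's RR. Consider: how was the route to that next hop, 33.1.1.1, learned? Right, through BGP, and LDP cannot distribute labels for BGP routes. By the same reasoning, the next hop that R3 sees for route 77.1.1.1 is 55.1.1.1, which it learned through BGP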
RR-R3#show bgp vpnv4 unicast all
BGP table version is 3, local router ID is 33.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

 Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 100:200
*> 77.1.1.1/32 55.1.1.1 0 200 300 i //The next hop is 55.1.1.1, and the check below shows that this route was learned through BGP
*>i 88.1.1.1/32 11.1.1.1 0 100 0 300 i
RR-R3#show ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route

       + - replicated route, % - next hop override

Gateway of last resort is not set

  55.0.0.0/32 is subnetted, 1 subnets

B 55.1.1.1 [200/0] via 22.1.1.1, 05:44:24
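LDP cannot solve the LSP continuity problem, and a way to keep the LSP continuous is also needed between the ASBRs. From earlier chapters we know that BGP is an important label distribution protocol: besides distributing labels for VPNv4 routes, it can also distribute labels for IPv4 unicast routes.
Between the ASBR and the RR, use BGP to distribute labels for the IPv4 unicast routes to the RR update sources, which were themselves learned through BGP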

ASBR-R4(config)#router bgp 200
ASBR-R4(config-router)#address-family ipv4 unicast
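ASBR-R4(config-router-af)#neighbor 24.1.1.2 send-label //Negotiate, under the IPv4 address family, the capability to distribute labels for IPv4 unicast routes
ASBR-R4(config-router-af)#neighbor 55.1.1.1 send-label //Negotiate, under the IPv4 address family, the capability to distribute labels for IPv4 unicast routes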
!
R5:
RR-R5(config)#router bgp 200
RR-R5(config-router)#address-family ipv4 unicast 
RR-R5(config-router-af)#neighbor 44.1.1.1 send-label
Verify the IPv4 unicast labels:
RR-R5#show bgp ipv4 un
RR-R5#show bgp ipv4 unicast la
RR-R5#show bgp ipv4 unicast labels 
   Network          Next Hop      In label/Out label
   33.1.1.1/32      44.1.1.1        nolabel/19 //R5 now has outgoing label 19
   55.1.1.1/32      0.0.0.0         imp-null/nolabel
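AS100 contains IOS XR devices; IOS XR supports IPv4 labels through the ipv4 labeled-unicast address family
router static
 address-family ipv4 unicast
  24.1.1.4/32 GigabitEthernet0/0/0/1 //Manually configure a static host route to the directly connected address of the remote ASBR; it must be specified by outgoing interface so that the ASBR obtains a Pop label toward the remote ASBR
 !
!
router bgp 100
 address-family ipv4 unicast
  allocate-label all //Switch that enables label allocation for all routes under IPv4 unicast; by default no labels are allocated
 !
 neighbor 24.1.1.4
  address-family ipv4 labeled-unicast //For the EBGP neighbor, carry over the existing IPv4 unicast route policies under the IPv4 labeled-unicast address family
   route-policy EBGP in
   route-policy EBGP out
  !
 !
 neighbor 33.1.1.1
  address-family ipv4 labeled-unicast //Activate the IPv4 labeled-unicast address family toward the RR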
   next-hop-self
R3:
RR-R3(config)#router bgp 100
RR-R3(config-router)#address-family ipv4 unicast 
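RR-R3(config-router-af)#neighbor 22.1.1.1 send-label //Under the IPv4 unicast address family, R3 establishes the IPv4 labeled-unicast neighbor relationship with the ASBR

Verify whether labels were distributed successfully on the RR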
RR-R3#show bgp ipv4 unicast labels
Network Next Hop In label/Out label
33.1.1.1/32 0.0.0.0 imp-null/nolabel
55.1.1.1/32 22.1.1.1 nolabel/16004 //R3 has obtained the outgoing label toward the VPNv4 next hop 55.1.1.1: 16004, distributed by R2
RP/0/0/CPU0:ASBR-2#show mpls forwarding
Fri Oct 14 19:02:27.845 UTC
Local Outgoing Prefix Outgoing Next Hop Bytes
Label Label or ID Interface Switched


16000 Pop 11.1.1.1/32 Gi0/0/0/2 12.1.1.1 55282
16001 Pop 13.1.1.0/24 Gi0/0/0/2 12.1.1.1 0
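16002 Pop 24.1.1.4/32 Gi0/0/0/1 24.1.1.4 1424 //This Pop label (it must be Pop) is the label toward 24.1.1.4; this is why we wrote the static route
16003 Pop 33.1.1.1/32 Gi0/0/0/0 23.1.1.3 153104
16004 16 55.1.1.1/32 Gi0/0/0/1 24.1.1.4 61789 //On the ASBR, the label toward 55.1.1.1 is label 16, allocated by 24.1.1.4
CE-R7#traceroute 88.1.1.1 source loopback 0 numeric //The LSP from the RR to the VPNv4 next hop is now continuous, so data can be sent between the CE sites normally.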
Type escape sequence to abort.
Tracing the route to 88.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 67.1.1.6 1 msec 0 msec 0 msec
2 56.1.1.5 [MPLS: Label 20 Exp 0] 25 msec 26 msec 21 msec
3 45.1.1.4 [MPLS: Labels 19/19 Exp 0] 20 msec 22 msec 20 msec
4 24.1.1.2 [MPLS: Labels 16003/19 Exp 0] 23 msec 20 msec 19 msec
5 23.1.1.3 [MPLS: Label 19 Exp 0] 29 msec 22 msec 24 msec
6 13.1.1.1 [MPLS: Label 16003 Exp 0] 23 msec 19 msec 18 msec
7 18.1.1.8 20 msec * 29 msec
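8.3.6 Optimizing the label forwarding path
Although data can now be exchanged, look closely: in our topology there are links between XR1 and XR and between R4 and R6, and they run LDP. If traffic were forwarded over those links, forwarding would clearly be more efficient than over the current path. The solution is to configure next-hop-unchanged on the RRs toward the MP-EBGP neighbor, that is, to keep the PE as the next hop of the VPNv4 routes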

RR-R3(config)#router bgp 100
RR-R3(config-router)#address-family vpnv4
RR-R3(config-router-af)#neighbor 55.1.1.1 next-hop-unchanged //Configure next-hop-unchanged toward the EBGP neighbor, so that the next hop remains the PE's update source
!
RR-R5(config)#router bgp 200
RR-R5(config-router)#address-family vpnv4 unicast 
RR-R5(config-router-af)#neighbor 33.1.1.1 next-hop-unchanged

Verify the next hop of the VPNv4 routes
RR-R5#show bgp vpnv4 unicast all
BGP table version is 10, local router ID is 55.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

 Network          Next Hop            Metric LocPrf Weight Path

Route Distinguisher: 100:200
*>i 77.1.1.1/32 66.1.1.1 0 100 0 300 i

*  88.1.1.1/32 11.1.1.1 0 100 300 i
RR-R3#show bgp vpnv4 unicast all
BGP table version is 12, local router ID is 33.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:200
*  77.1.1.1/32 66.1.1.1 0 200 300 i
*>i 88.1.1.1/32 11.1.1.1 0 100 0 300 i
The reader will find that the next hop is unreachable. The reason is simple: the RR has not learned that route. The solution is easy to think of as well: just advertise the route in BGP

ASBR-R4(config)#router bgp 200
ASBR-R4(config-router)#address-family ipv4 unicast
ASBR-R4(config-router-af)#network 66.1.1.1 mask 255.255.255.255
!
RP/0/0/CPU0:ASBR-2(config)#router bgp 100
RP/0/0/CPU0:ASBR-2(config-bgp)#
RP/0/0/CPU0:ASBR-2(config-bgp)#address-family ipv4 unicast
RP/0/0/CPU0:ASBR-2(config-bgp-af)#network 11.1.1.1/32
RP/0/0/CPU0:ASBR-2(config-bgp-af)#commi

With the next hop changed, let's look at how the next hops now appear
RR-R3#show bgp vpnv4 unicast all
BGP table version is 13, local router ID is 33.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:200
*> 77.1.1.1/32 66.1.1.1 0 200 300 i //The next hop has changed from the RR to the PE's update source, so we now need to care about LSP continuity toward the PE's update source. It is of course still continuous, isn't it!
*>i 88.1.1.1/32 11.1.1.1 0 100 0 300 i
RR-R5#show bgp vpnv4 unicast all
BGP table version is 11, local router ID is 55.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 100:200
*>i 77.1.1.1/32 66.1.1.1 0 100 0 300 i
*> 88.1.1.1/32 11.1.1.1 0 100 300 i
Let's verify the final, optimized forwarding path
CE-R7#traceroute 88.1.1.1 source loopback 0 numeric //The path no longer goes through R3; once a packet reaches R2 it is forwarded directly to R1
Type escape sequence to abort.
Tracing the route to 88.1.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 67.1.1.6 6 msec 0 msec 1 msec
2 56.1.1.5 [MPLS: Label 20 Exp 0] 25 msec 25 msec 27 msec
3 45.1.1.4 [MPLS: Labels 21/16003 Exp 0] 24 msec 29 msec 25 msec
4 24.1.1.2 [MPLS: Labels 16000/16003 Exp 0] 24 msec 31 msec 26 msec
5 12.1.1.1 [MPLS: Label 16003 Exp 0] 23 msec 25 msec 30 msec
6 18.1.1.8 26 msec * 26 msec
This completes the Option 3 implementation.
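
The next-hop reasoning of sections 8.3.5 and 8.3.6 can be checked mechanically. The Python below is an added example, not part of the original text: it parses the three show outputs used on RR-R5 and reports, for each VPNv4 prefix, whether its BGP next hop is reached over LDP, over a BGP-assigned label, over an unlabeled BGP route (LSP broken), or not at all. The function names and the `igp_hosts` set (loopbacks learned from the IGP, assumed to be LDP-labeled as in this lab) are assumptions of the example, and the sample text is reconstructed from the outputs on this page.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_vpnv4(text):
    """Return {prefix: next_hop} from 'show bgp vpnv4 unicast all' rows."""
    # Optional status flags (*, >, i), then prefix/len, then the next hop.
    row = re.compile(rf"^[\s*>]*i?\s*({IPV4}/\d+)\s+({IPV4})\s")
    return {m.group(1): m.group(2)
            for m in map(row.match, text.splitlines()) if m}


def parse_bgp_rib(text):
    """Return the host addresses of the 'B' rows in 'show ip route bgp'."""
    return {m.group(1)
            for m in re.finditer(rf"^B\s+({IPV4})\S*\s+\[", text, re.M)}


def parse_bgp_labels(text):
    """Return {host: out_label} from 'show bgp ipv4 unicast labels'."""
    # Next hops in this design are loopbacks, so only /32 rows matter.
    row = re.compile(rf"^\s*({IPV4})/32\s+{IPV4}\s+\S+/(\S+)")
    return {m.group(1): m.group(2)
            for m in map(row.match, text.splitlines()) if m}


def classify(vpnv4_text, rib_bgp_text, labels_text, igp_hosts):
    """Map each VPNv4 prefix to the state of the LSP toward its next hop."""
    bgp_hosts = parse_bgp_rib(rib_bgp_text)
    out_labels = parse_bgp_labels(labels_text)
    result = {}
    for prefix, next_hop in parse_vpnv4(vpnv4_text).items():
        if next_hop in igp_hosts:
            # Assumption: every IGP-learned loopback has an LDP binding.
            result[prefix] = "ldp"
        elif next_hop in bgp_hosts:
            label = out_labels.get(next_hop, "nolabel")
            result[prefix] = ("broken" if label == "nolabel"
                              else f"bgp-label {label}")
        else:
            # Neither IGP nor BGP knows the next hop: route cannot be best.
            result[prefix] = "unreachable"
    return result


# Sample text reconstructed from the RR-R5 outputs on this page.
R5_IGP_HOSTS = {"44.1.1.1", "66.1.1.1"}
R5_RIB_BGP = "B 33.1.1.1 [200/0] via 44.1.1.1, 01:41:23\n"
R5_VPNV4 = """Route Distinguisher: 100:200
*>i 77.1.1.1/32 66.1.1.1 0 100 0 300 i
*>  88.1.1.1/32 33.1.1.1 0 100 300 i
"""
R5_LABELS = """   Network          Next Hop      In label/Out label
   33.1.1.1/32      44.1.1.1        nolabel/19
   55.1.1.1/32      0.0.0.0         imp-null/nolabel
"""
# After next-hop-unchanged, before the ASBRs advertise the PE loopbacks.
R5_VPNV4_NHU = """Route Distinguisher: 100:200
*>i 77.1.1.1/32 66.1.1.1 0 100 0 300 i
*   88.1.1.1/32 11.1.1.1 0 100 300 i
"""

if __name__ == "__main__":
    print("before send-label:", classify(R5_VPNV4, R5_RIB_BGP, "", R5_IGP_HOSTS))
    print("after send-label: ", classify(R5_VPNV4, R5_RIB_BGP, R5_LABELS, R5_IGP_HOSTS))
    print("next-hop-unchanged:", classify(R5_VPNV4_NHU, R5_RIB_BGP, R5_LABELS, R5_IGP_HOSTS))
```

A prefix reported as `broken` matches the state before `send-label` is configured, and `unreachable` matches the state right after `next-hop-unchanged`, before the PE loopbacks are advertised in BGP.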