通过全局路由表的方式实现MPLS ×××上互联网

原创

碧云天 2013-08-25 22:57:36 博主文章分类：路由交换 ©著作权

文章标签 INTERNET MPLS MPLS VPN 文章分类 网络安全

©著作权归作者所有：来自51CTO博客作者碧云天的原创作品，请联系作者获取转载授权，否则将追究法律责任

一.概述：

MPLS ×××中，如果CE有三根线，一根连接内网，一根专线连接MPLS的PE,一根直接连接互联网，那么内网通过CE上互联网比较容易：CE通过MPLS ×××的明细路由走PE，一条默认路由到连接互联网的设备。但是有时情况没那么简单，CE只有一根专线连接PE，并且还需通过PE上互联网，这就需要有方法把上互联网的流量和MPLS ×××的流量分开，本文采用全局路由的方式来实现。

参考链接：http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml

二.基本思路：

A.CE只配置一条默认路由到PE

B.PE设置VRF的默认路由到IGW,并设置global属性

C.这样PE就不需要有互联网的路由，只需要通过默认路由把包送到IGW

D.NAT是在CE上面做的，PE需要设置到nat后地址的静态路由指向CE,并将该静态路由重分布到IGP中，让IGW能学习的到，并通过EBGP通告给外界

E.IGW通过EBGP与外界联系，获得互联网路由，通过IGP获得内部路由，因为只负载互联网访问，可以配置路由过滤，只接收CE NAT后的路由

----测试时发现配置路由过滤的时候，必须放行LDP邻居Local LDP Ident标识的网段，都在LDP邻居无法建立

----尝试过利用mpls ldp router-id Ethernet0/2命令指定LDP Ident，但是没有效果，即使是把接口的mpls ip命令取消，再重启输入。（eth0/2不管是否开启LDP都没有用）

-----后来经人指点，在接口下配置mpls ldp discovery transport-address interface，设置成功，这样P路由器用接口地址与IGW路由器，建立LDP邻居，就不受路由过滤的影响了

三.测试拓扑：

四.基本配置：

A.CE1

interface Loopback0
ip address 4.4.4.4 255.255.255.255
interface Loopback1
ip address 192.168.1.1 255.255.255.0
interface Loopback2
ip address 192.168.10.1 255.255.255.0

interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0

no shut

ip route 0.0.0.0 0.0.0.0 10.1.1.2

B.PE1：

ip vrf A
rd 100:1
route-target export 1:1
route-target import 1:1

interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface Ethernet0/0
ip address 12.1.1.1 255.255.255.0
mpls ip

no shut

interface Ethernet0/1
ip vrf forwarding A
ip address 10.1.1.2 255.255.255.0
no shut

C.P:

interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface Ethernet0/0
ip address 12.1.1.2 255.255.255.0

no shut

mpls ip
interface Ethernet0/1
ip address 23.1.1.2 255.255.255.0
no shut
mpls ip
interface Ethernet0/2
ip address 26.1.1.6 255.255.255.0
mpls ip

no shut

mpls ldp discovery transport-address interface

------用接口的地址与对方建立LDP邻居，否则会受到路由过滤的影响，而无法建立LDP邻居

D.PE2:

ip vrf A
rd 100:1
route-target export 1:1
route-target import 1:1

interface Loopback0
ip address 3.3.3.3 255.255.255.0

interface Ethernet0/0
ip address 23.1.1.3 255.255.255.0

mpls ip

no shut

interface Ethernet0/1
ip vrf forwarding A
ip address 202.100.1.2 255.255.255.252

no shut

E.CE2：

interface Loopback0
ip address 5.5.5.5 255.255.255.255
interface Loopback1
ip address 192.168.2.1 255.255.255.0
interface Loopback2
ip address 192.168.20.1 255.255.255.0

interface Ethernet0/0
ip address 10.1.2.1 255.255.255.0

no shut

ip route 0.0.0.0 0.0.0.0 10.1.2.2

五.MPLS ×××配置：

A.静态路由配置：

①PE1：

ip route 192.168.1.0 255.255.255.0 Ethernet0/1 10.1.1.1
ip route vrf A 192.168.1.0 255.255.255.0 10.1.1.1

②PE2：

ip route 192.168.2.0 255.255.255.0 Ethernet0/1 10.1.2.1
ip route vrf A 192.168.2.0 255.255.255.0 10.1.2.1

B.IGP配置：

①PE1：

router ospf 1

router-id 1.1.1.1
redistribute static subnets
network 0.0.0.0 255.255.255.255 area 0

②P：

router ospf 1
router-id 2.2.2.2
network 0.0.0.0 255.255.255.255 area 0

②PE2：

router ospf 1
router-id 3.3.3.3
redistribute static subnets
network 0.0.0.0 255.255.255.255 area 0

C.BGP配置：

①PE1：

router bgp 100
no synchronization
bgp router-id 1.1.1.1
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback0
neighbor 3.3.3.3 next-hop-self
no auto-summary
address-family vpnv4

neighbor 3.3.3.3 activate

neighbor 3.3.3.3 send-community extended

exit-address-family
address-family ipv4 vrf A
no synchronization

network 192.168.1.0

exit-address-family

②PE2：

router bgp 100
no synchronization
bgp router-id 3.3.3.3
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 update-source Loopback0
neighbor 1.1.1.1 next-hop-self
no auto-summary
address-family vpnv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 send-community extended

exit-address-family
address-family ipv4 vrf A
no synchronization

network 192.168.2.0

exit-address-family

D.MPLS Lable验证：

PE-1#show mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Pop tag 2.2.2.2/32 0 Et0/0 12.1.1.2
17 19 3.3.3.3/32 0 Et0/0 12.1.1.2
18 Pop tag 23.1.1.0/24 0 Et0/0 12.1.1.2
19 Untagged 192.168.1.0/24 0 Et0/1 10.1.1.1
20 18 192.168.2.0/24 0 Et0/0 12.1.1.2
21 Untagged 192.168.1.0/24[V] 7012 Et0/1 10.1.1.1
22 Pop tag 26.1.1.0/24 0 Et0/0 12.1.1.2

PE-2#show mpls forwarding-table
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
16 Pop tag 12.1.1.0/24 0 Et0/0 23.1.1.2
17 17 1.1.1.1/32 0 Et0/0 23.1.1.2
18 Pop tag 2.2.2.2/32 0 Et0/0 23.1.1.2
19 16 192.168.1.0/24 0 Et0/0 23.1.1.2
20 Untagged 192.168.2.0/24 0 Et0/1 10.1.2.1
21 Untagged 192.168.2.0/24[V] 6410 Et0/1 10.1.2.1
22 Pop tag 26.1.1.0/24 0 Et0/0 23.1.1.2

D.MPLS ×××验证：

CE-1#traceroute 192.168.2.1 source 192.168.1.1

Type escape sequence to abort.
Tracing the route to 192.168.2.1

1 10.1.1.2 188 msec 52 msec 64 msec
2 12.1.1.2 [MPLS: Labels 19/21 Exp 0] 156 msec 144 msec 140 msec
3 10.1.2.2 [MPLS: Label 21 Exp 0] 96 msec 100 msec 124 msec
4 10.1.2.1 172 msec 160 msec *

六.IPsec ×××配置：

A.PE1：

①第一阶段策略：

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.2.1

②第二阶段策略：

crypto ipsec transform-set transet esp-3des esp-md5-hmac
mode transport

③ 配置ipsec profile

crypto ipsec profile ipsec_profile
set transform-set transet

④配置tunnel接口，并应用ipsec profile

interface Tunnel0

ip address 172.16.1.1 255.255.255.0
ip mtu 1400
tunnel source Loopback1
tunnel destination 192.168.2.1
tunnel protection ipsec profile ipsec_profile

B.PE2：

①第一阶段策略：

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.1.1

②第二阶段策略：

crypto ipsec transform-set transet esp-3des esp-md5-hmac
mode transport

③ 配置ipsec profile

crypto ipsec profile ipsec_profile
set transform-set transet

④配置tunnel接口，并应用ipsec profile

interface Tunnel0

ip address 172.16.1.2 255.255.255.0
ip mtu 1400
tunnel source Loopback1
tunnel destination 192.168.1.1
tunnel protection ipsec profile ipsec_profile

C.配置静态路由：

----也可以用动态路由来代替

①PE1：

ip route 192.168.20.0 255.255.255.0 Tunnel0

②PE2：

ip route 192.168.10.0 255.255.255.0 Tunnel0

D.IPSec ×××验证：

①ping：

CE-1#ping 192.168.20.1 source 192.168.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 156/186/232 ms

②查看isakmp sa和加解密：

CE-1#show crypto isakmp sa
dst src state conn-id slot status
192.168.2.1 192.168.1.1 QM_IDLE 2 0 ACTIVE

CE-1#show crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
2 Tunnel0 172.16.1.1 set HMAC_MD5+3DES_56_C 0 0
2001 Tunnel0 192.168.1.1 set 3DES+MD5 4 0
2002 Tunnel0 192.168.1.1 set 3DES+MD5 0 4

七.通过PE上互联网配置：

A.CE1：

interface Loopback2
ip nat inside

interface Ethernet0/0
ip nat outside

ip access-list extended PAT
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any

ip nat pool NATPOOL 202.100.1.1 202.100.1.2 netmask 255.255.255.0
ip nat inside source list PAT pool NATPOOL overload

B.PE1：

ip route vrf A 0.0.0.0 0.0.0.0 67.1.1.6 global

ip route 202.100.1.0 255.255.255.0 Ethernet0/1 10.1.1.1

ip route vrf A 202.100.1.0 255.255.255.0 10.1.1.1

---IGP重分布静态路由已经配置

C.CE2：

interface Loopback2
ip nat inside

interface Ethernet0/0
ip nat outside

ip access-list extended PAT
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any

ip nat pool NATPOOL 202.100.2.1 202.100.2.2 netmask 255.255.255.0
ip nat inside source list PAT pool NATPOOL overload

D.PE2：

ip route vrf A 0.0.0.0 0.0.0.0 67.1.1.6 global

ip route 202.100.2.0 255.255.255.0 Ethernet0/1 10.1.2.1
ip route vrf A 202.100.2.0 255.255.255.0 10.1.2.1

---IGP重分布静态路由已经配置

E.IGW：

interface Loopback0
ip address 6.6.6.6 255.255.255.255
interface Ethernet0/0
ip address 26.1.1.6 255.255.255.0
no shut
mpls ip
interface Ethernet0/1
ip address 67.1.1.6 255.255.255.0

no shut

access-list 10 permit 202.100.1.0 0.0.0.255
access-list 10 permit 202.100.2.0 0.0.0.255

access-list 10 permit 23.1.1.0 0.0.0.255

---如果P路由器没有在接口指定LDP的用什么IP来建立邻居，则需要根据LDP邻居的ID来确定网段来放行

router ospf 1
router-id 6.6.6.6
passive-interface default
no passive-interface Ethernet0/0
network 26.1.1.0 0.0.0.255 area 0
network 67.1.1.0 0.0.0.255 area 0

distribute-list 10 in Ethernet0/0
router bgp 100
no synchronization
bgp router-id 6.6.6.6
network 202.100.1.0
network 202.100.2.0
neighbor 67.1.1.7 remote-as 200
no auto-summary

F.R7：

interface Loopback0
ip address 7.7.7.7 255.255.255.255
interface Loopback1
ip address 202.100.3.7 255.255.255.0
interface Ethernet0/0
ip address 67.1.1.7 255.255.255.0

no shut

router bgp 200
no synchronization
bgp router-id 7.7.7.7
network 202.100.3.0

neighbor 67.1.1.6 remote-as 100
no auto-summary

G.路由验证：

R7#SHOW IP ROUte
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

B 202.100.2.0/24[20/20] via 67.1.1.6, 00:11:34
C 202.100.3.0/24 is directly connected, Loopback1
67.0.0.0/24 is subnetted, 1 subnets
C 67.1.1.0 is directly connected, Ethernet0/0
7.0.0.0/32 is subnetted, 1 subnets
C 7.7.7.7 is directly connected, Loopback0
B 202.100.1.0/24[20/20] via 67.1.1.6, 00:12:04

IGW#SHOW IP ROUte
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

O E2 202.100.2.0/24 [110/20] via 26.1.1.2, 00:04:54, Ethernet0/0
B 202.100.3.0/24[20/0] via 67.1.1.7, 00:42:18
6.0.0.0/32 is subnetted, 1 subnets
C 6.6.6.6 is directly connected, Loopback0
67.0.0.0/24 is subnetted, 1 subnets
C 67.1.1.0 is directly connected, Ethernet0/1
O E2 202.100.1.0/24 [110/20] via 26.1.1.2, 00:04:54, Ethernet0/0
26.0.0.0/24 is subnetted, 1 subnets
C 26.1.1.0 is directly connected, Ethernet0/0

CE-1#TR 202.100.3.7 SOUrce 192.168.10.1

Type escape sequence to abort.
Tracing the route to 202.100.3.7

1 10.1.1.2 88 msec 124 msec 52 msec
2 12.1.1.2 [MPLS: Label 21 Exp 0] 92 msec 140 msec 120 msec
3 26.1.1.6 108 msec 168 msec 164 msec
4 67.1.1.7 172 msec 200 msec *
CE-1#

CE-2#TRaceroute 202.100.3.7 SOUrce 192.168.20.1

Type escape sequence to abort.
Tracing the route to 202.100.3.7

1 10.1.2.2 52 msec 108 msec 84 msec
2 23.1.1.2 [MPLS: Label 21 Exp 0] 60 msec 60 msec 140 msec
3 26.1.1.6 104 msec 148 msec 172 msec
4 67.1.1.7 160 msec 144 msec *