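I spent half a day tinkering with EVE-NG, and it is too resource-hungry. For pure Cisco labs, GNS3 is still more convenient... This lab is MPLS VPN Option B. I'll try to finish the Option C lab tomorrow and then write it up.

Inter-AS Option B, also known as ASBR-ASBR, is a fairly dependable solution compared with Inter-AS Option A. Its only problem is the heavy load on the ASBR, which must both forward data-plane traffic and control cross-domain label distribution. The key to this design is that when the ASBR establishes a VPNv4 neighbor relationship with a PE in the same AS, it must use next-hop-self in MP-BGP, and the route-target filter must be disabled on the ASBR.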

The topology is below. The underlay uses EIGRP, mpls ip is enabled within each AS, and OSPF runs between PE and CE. The base configurations are pasted directly; the two P routers are omitted.

R1#sh run | s router
router eigrp 100
 network 1.1.1.1 0.0.0.0
 network 12.1.1.1 0.0.0.0
router ospf 100 vrf CustomerA
 redistribute bgp 100 subnets
 network 192.168.1.1 0.0.0.0 area 1
router bgp 100
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family ipv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 next-hop-self
 exit-address-family
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CustomerA
  redistribute ospf 100 match internal external 1 external 2
 exit-address-family
R1#sh run | s ip vrf
ip vrf CustomerA
 rd 100:1
 route-target export 100:1
 route-target import 200:1
R1#

R3#sh run | s router
router eigrp 100
 network 3.3.3.3 0.0.0.0
 network 23.1.1.3 0.0.0.0
router bgp 100
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 no bgp default route-target filter
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 34.1.1.4 remote-as 200
 !
 address-family ipv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 next-hop-self
  neighbor 34.1.1.4 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
  neighbor 1.1.1.1 next-hop-self
  neighbor 34.1.1.4 activate
  neighbor 34.1.1.4 send-community extended
 exit-address-family

R4#sh run | s router
router eigrp 100
 network 4.4.4.4 0.0.0.0
 network 45.1.1.4 0.0.0.0
router bgp 200
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 no bgp default route-target filter
 neighbor 6.6.6.6 remote-as 200
 neighbor 6.6.6.6 update-source Loopback0
 neighbor 34.1.1.3 remote-as 100
 !
 address-family ipv4
  neighbor 6.6.6.6 activate
  neighbor 6.6.6.6 next-hop-self
  neighbor 34.1.1.3 activate
 exit-address-family
 !
 address-family vpnv4
  neighbor 6.6.6.6 activate
  neighbor 6.6.6.6 send-community extended
  neighbor 6.6.6.6 next-hop-self
  neighbor 34.1.1.3 activate
  neighbor 34.1.1.3 send-community extended
 exit-address-family
R4#

R6#sh run | s router
router eigrp 100
 network 6.6.6.6 0.0.0.0
 network 56.1.1.6 0.0.0.0
router ospf 100 vrf CustomerA
 redistribute bgp 200 subnets
 network 192.168.2.1 0.0.0.0 area 1
router bgp 200
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 4.4.4.4 remote-as 200
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family ipv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 next-hop-self
 exit-address-family
 !
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf CustomerA
  redistribute ospf 100 match internal external 1 external 2
 exit-address-family
R6#sh run | s ip vrf
ip vrf CustomerA
 rd 200:1
 route-target export 200:1
 route-target import 100:1

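First, the control plane. An earlier post mentioned that the inner label is carried by MP-BGP and allocated per VRF. One implication here is that BGP, as an application protocol, can also distribute labels... This will be used later in Inter-AS Option C.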

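Look at R1 (the PE in AS100): it places the 22.22.22.22/32 route into the BGP VRF and sends it to the CE by redistributing it into OSPF. Note that because R3 uses next-hop-self under VPNv4, the next hop of this route is R3's loopback address. Likewise, on R6 (the PE in AS200), the route to look at is 11.11.11.11/32 with RT 100:1, whose next hop is the loopback address of AS200's ASBR.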

Note: bgp default route-target filter must be turned off at this point. Otherwise the VPNv4 neighbor relationship between the ASBRs will not come up.

Having looked at the VPNv4 routes, now look at how the labels are allocated.

R1#show ip cef vrf CustomerA 22.22.22.22 detail
22.22.22.22/32, epoch 0, flags rib defined all labels
  recursive via 3.3.3.3 label 309
    nexthop 12.1.1.2 GigabitEthernet1/0 label 203

When CE1 (R7) hands the packet to PE1 (R1), R1 looks up the VRF CEF table. The inner label is 309 (handed out by MP-BGP, because MP-BGP by default allocates a label for this route's next hop). The outer label is 203, handed out by R2 (the P router). When R2 receives the packet it simply does a PHP pop and hands it to R3.

R2#sh mpls forwarding-table labels 203
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
203        Pop Label  3.3.3.3/32       7020          Gi2/0      23.1.1.3

R3 therefore receives a packet carrying only one label, 309:

R3#show mpls forwarding-table labels 309
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
309        409        200:1:22.22.22.22/32
                                       8968          Gi1/0      34.1.1.4

Note: one interesting point is that when a router uses BGP to distribute labels, the interface between the ASBRs gets this command by default: mpls bgp forwarding

R3#sh run int gi 1/0
interface GigabitEthernet1/0
 ip address 34.1.1.3 255.255.255.0
 negotiation auto
 mpls bgp forwarding

R4#sh run int gi 1/0
interface GigabitEthernet1/0
 ip address 34.1.1.4 255.255.255.0
 negotiation auto
 mpls bgp forwarding

Below are two links that explain when mpls bgp forwarding appears.
https://supportforums.cisco.com/t5/mpls/mpls-bgp-forwarding/td-p/2930379
https://learningnetwork.cisco.com/thread/71557

After that it is fairly routine: label by label, swap where a swap is due and pop where a pop is due.

R4#show mpls forwarding-table labels 409 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
409        605        200:1:22.22.22.22/32
                                       16348         Gi2/0      45.1.1.5
        MAC/Encaps=14/22, MRU=1496, Label Stack{503 605}
        CA0739940038CA063AF000388847 001F70000025D000
        No output feature configured

Note that there is an interesting detail here which only shows up when the show command is run with detail.

R6#show ip bgp vpnv4 all labels
   Network          Next Hop        In label/Out label
Route Distinguisher: 100:1
   11.11.11.11/32   4.4.4.4         nolabel/406
   192.168.1.0      4.4.4.4         nolabel/407
Route Distinguisher: 200:1 (CustomerA)
   11.11.11.11/32   4.4.4.4         nolabel/406
   22.22.22.22/32   192.168.2.33    605/nolabel
   192.168.1.0      4.4.4.4         nolabel/407
   192.168.2.0      0.0.0.0         604/nolabel(CustomerA)

The ASBR pushes an outer label of 503, which is used to reach the PE and is allocated by LDP.

R5#sh mpls forwarding-table labels 503 detail
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
503        Pop Label  6.6.6.6/32       20334         Gi1/0      56.1.1.6

R6#show mpls forwarding-table labels 605
Local      Outgoing   Prefix           Bytes Label   Outgoing   Next Hop
Label      Label      or Tunnel Id     Switched      interface
605        No Label   22.22.22.22/32[V]
                                       15276         Gi0/0      192.168.2.33
R6#

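Attached is a packet capture of the BGP update. The capture is very clear: BGP VPNv4 distributes labels according to the next hop, the next hop is the local loopback interface, the extended community contains 200:1, and the route entry NLRI is only a very small part, containing label 605, the RD, and the prefix 22.22.22.22/32.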
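To show how the label, RD and prefix described above are packed into the NLRI, here is a small decoder for single-label VPNv4 NLRI entries. It is an added example, not part of the original post, and the sample bytes are constructed from the values named in the text rather than taken from the capture.

```python
import ipaddress
import struct

# Constructed sample: one NLRI entry built from the values named above
# (label 605, RD 200:1, prefix 22.22.22.22/32); not bytes from the capture.
SAMPLE_NLRI = bytes.fromhex("780025d1000000c80000000116161616")

def decode_rd(raw):
    """Render an 8-byte route distinguisher (types 0, 1 and 2)."""
    rd_type = int.from_bytes(raw[:2], "big")
    if rd_type == 0:                       # 2-byte ASN : 4-byte number
        return "%d:%d" % struct.unpack("!HI", raw[2:])
    if rd_type == 1:                       # IPv4 address : 2-byte number
        return f"{ipaddress.IPv4Address(raw[2:6])}:{int.from_bytes(raw[6:], 'big')}"
    if rd_type == 2:                       # 4-byte ASN : 2-byte number
        return "%d:%d" % struct.unpack("!IH", raw[2:])
    raise ValueError(f"unknown RD type {rd_type}")

def parse_vpnv4_nlri(data):
    """Decode VPNv4 NLRI entries that carry a single label.
    Entry layout: length in bits (1 byte), label field (3), RD (8), prefix."""
    routes, i = [], 0
    while i < len(data):
        bits = data[i]
        nbytes = (bits + 7) // 8
        entry = data[i + 1:i + 1 + nbytes]
        # 24 label bits + 64 RD bits = 88; an IPv4 prefix adds 0..32 more.
        if not 88 <= bits <= 120 or len(entry) != nbytes:
            raise ValueError(f"malformed or truncated NLRI at offset {i}")
        field = int.from_bytes(entry[:3], "big")
        prefix = ipaddress.IPv4Address(entry[11:].ljust(4, b"\x00"))
        routes.append({
            "label": field >> 4,                 # top 20 bits of the field
            "bottom_of_stack": bool(field & 1),  # lowest bit of the field
            "rd": decode_rd(entry[3:11]),
            "prefix": f"{prefix}/{bits - 88}",
        })
        i += 1 + nbytes
    return routes

if __name__ == "__main__":
    print(parse_vpnv4_nlri(SAMPLE_NLRI))
```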