【实验】MPLS L3VPN中实现CE访问外网(CE上PAT,VRF路由泄露到全局,route leak)

如需注册 @ccie.engineer、@ccde.engineer、@ccar.engineer、@hcie.engineer、@rhce.engineer 和 @cissp.engineer 邮箱,请点击这里

实验环境:

操作系统:Mac OS X 10.11.4(当时最新正式版),模拟器:GNS3 IOU for Mac 1.4.5(当时最新版本)
注:当然,只要有思科模拟器都可以做这个实验

拓扑额外描述:

  • IOU1和IOU6的rd值和rt import/export值都是2345:16;
  • PE和CE之间使用的是公网IP地址,而CE内部(环回口)才是内网IP地址。

实验需求:

两个CE(IOU1和IOU6)之间互通,同时两个CE还能实现上网(访问全局路由表下的7.7.7.7)。

先根据图中的要求快速完成MPLS VPN的配置:

IOU2:

conf t
int l 0
ip add 2.2.2.2 255.255.255.255

int e 0/0
ip add 12.1.1.2 255.255.255.0
no sh

int e 0/1
ip add 23.1.1.2 255.255.255.0
no sh

router os 2345
router-id 2.2.2.2

int r e 0/1 , l 0
ip os 2345 a 0

ip cef
mpls ip
mpls label pro ldp
mpls ldp ro l 0 fo

int e 0/1
mpls ip

ip vrf IOU1
rd 2345:16
route-target 2345:16

int e 0/0
ip vrf f IOU1
ip add 12.1.1.2 255.255.255.0
ip os 16 a 0

router bgp 2345
bgp router-id 2.2.2.2
no bgp def ipv4
nei 3.3.3.3 remot 2345
nei 3.3.3.3 up l 0

add vpnv4 un
nei 3.3.3.3 ac

add ipv4 un
nei 3.3.3.3 ac
nei 3.3.3.3 next-hop-self

add ipv4 vrf IOU1
red os 16 ma e i

router os 16 vrf IOU1
red bgp 2345 subnets

IOU3:

conf t
int l 0
ip add 3.3.3.3 255.255.255.255

int e 0/1
ip add 23.1.1.3 255.255.255.0
no sh

int e 0/2
ip add 34.1.1.3 255.255.255.0
no sh

int e 0/3
ip add 35.1.1.3 255.255.255.0
no sh

router os 2345
router-id 3.3.3.3

int r e 0/1-3 , l 0
ip os 2345 a 0

ip cef
mpls ip
mpls label pro ldp
mpls ldp ro l 0 fo

int r e 0/1-3
mpls ip

router bgp 2345
bgp router-id 3.3.3.3
no bgp def ipv4
nei 2.2.2.2 remot 2345
nei 2.2.2.2 up l 0
nei 4.4.4.4 remot 2345
nei 4.4.4.4 up l 0
nei 5.5.5.5 remot 2345
nei 5.5.5.5 up l 0

add vpnv4 un
nei 2.2.2.2 ac
nei 2.2.2.2 route-reflector-client
nei 4.4.4.4 ac
nei 4.4.4.4 route-reflector-client

add ipv4 un
nei 2.2.2.2 ac
nei 2.2.2.2 route-reflector-client
nei 4.4.4.4 ac
nei 4.4.4.4 route-reflector-client
nei 5.5.5.5 ac
nei 5.5.5.5 route-reflector-client

IOU4:

conf t
int l 0
ip add 4.4.4.4 255.255.255.255

int e 0/0
ip add 46.1.1.4 255.255.255.0
no sh

int e 0/2
ip add 34.1.1.4 255.255.255.0
no sh

router os 2345
router-id 4.4.4.4

int r e 0/2 , l 0
ip os 2345 a 0

ip cef
mpls ip
mpls label pro ldp
mpls ldp ro l 0 fo

int e 0/2
mpls ip

ip vrf IOU6
rd 2345:16
route-target 2345:16

int e 0/0
ip vrf f IOU6
ip add 46.1.1.4 255.255.255.0
ip os 16 a 0

router bgp 2345
bgp router-id 4.4.4.4
no bgp def ipv4
nei 3.3.3.3 remot 2345
nei 3.3.3.3 up l 0

add vpnv4 un
nei 3.3.3.3 ac

add ipv4 un
nei 3.3.3.3 ac
nei 3.3.3.3 next-hop-self

add ipv4 vrf IOU6
red os 16 ma e i

router os 16 vrf IOU6
red bgp 2345 subnets

IOU5:

conf t
int l 0
ip add 5.5.5.5 255.255.255.255

int e 0/3
ip add 35.1.1.5 255.255.255.0
no sh

int e 0/0
ip add 57.1.1.5 255.255.255.0
no sh

router os 2345
router-id 5.5.5.5

int r e 0/3 , l 0
ip os 2345 a 0

ip cef
mpls ip
mpls label pro ldp
mpls ldp ro l 0 fo

int e 0/3
mpls ip

router bgp 2345
bgp router-id 5.5.5.5
nei 3.3.3.3 remot 2345
nei 3.3.3.3 up l 0
nei 3.3.3.3 next-hop-self
nei 57.1.1.7 remot 7

IOU7:

conf t
int l 0
ip add 7.7.7.7 255.255.255.255

int e 0/0
ip add 57.1.1.7 255.255.255.0
no sh

router bgp 7
bgp router-id 7.7.7.7
nei 57.1.1.5 remot 2345
net 7.7.7.7 mask 255.255.255.255

IOU1:

conf t
int l 0
ip add 192.168.1.1 255.255.255.255

int e 0/0
ip add 12.1.1.1 255.255.255.0
no sh

router os 16
router-id 1.1.1.1
net 0.0.0.0 0.0.0.0 a 0

IOU6:

conf t
int l 0
ip add 192.168.2.1 255.255.255.255

int e 0/0
ip add 46.1.1.6 255.255.255.0
no sh

router os 16
router-id 6.6.6.6
net 0.0.0.0 0.0.0.0 a 0

实验过程:

我们先来看看数据包是如何从CE传递到全局路由表上的:

1、在IOU2上写一条静态默认路由,做route leak,指向Internet:

ip route vrf IOU1 0.0.0.0 0.0.0.0 5.5.5.5 global

2、在IOU2上再写一条回包路由,并通过BGP通告:

ip route 12.1.1.0 255.255.255.0 e 0/0 12.1.1.1

router bgp 2345
 add ipv4 un
 net 12.1.1.0 mask 255.255.255.0

3、在IOU2上往CE下发默认路由:

router os 16 vrf IOU1
 default-information originate

4、IOU1上做NAT(注意:这里要做过滤,CE站点间的流量不做PAT):

ip access-list extended VPN
 deny ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any

ip nat inside source list VPN interface e 0/0 overload

int e 0/0
 ip nat outside

int l 0
 ip nat inside

现在VRF里的CE可以访问Internet了,成功ping通7.7.7.7:

IOU1#p 7.7.7.7 so l 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms

IOU1#tra 7.7.7.7 so l 0
Type escape sequence to abort.
Tracing the route to 7.7.7.7
VRF info: (vrf in name/id, vrf out name/id)
  1 12.1.1.2 11 msec 4 msec 4 msec
  2 23.1.1.3 [MPLS: Label 17 Exp 0] 5 msec 5 msec 5 msec
  3 35.1.1.5 6 msec 2 msec 2 msec
  4 57.1.1.7 5 msec 7 msec 1 msec
IOU1#sh ip nat translations
Pro Inside global     Inside local         Outside local    Outside global
icmp 12.1.1.1:2       192.168.1.1:2        7.7.7.7:2        7.7.7.7:2
udp 12.1.1.1:49167    192.168.1.1:49167    7.7.7.7:33434    7.7.7.7:33434
udp 12.1.1.1:49168    192.168.1.1:49168    7.7.7.7:33435    7.7.7.7:33435
udp 12.1.1.1:49169    192.168.1.1:49169    7.7.7.7:33436    7.7.7.7:33436
udp 12.1.1.1:49170    192.168.1.1:49170    7.7.7.7:33437    7.7.7.7:33437
udp 12.1.1.1:49171    192.168.1.1:49171    7.7.7.7:33438    7.7.7.7:33438
udp 12.1.1.1:49172    192.168.1.1:49172    7.7.7.7:33439    7.7.7.7:33439
udp 12.1.1.1:49173    192.168.1.1:49173    7.7.7.7:33440    7.7.7.7:33440
udp 12.1.1.1:49174    192.168.1.1:49174    7.7.7.7:33441    7.7.7.7:33441
udp 12.1.1.1:49175    192.168.1.1:49175    7.7.7.7:33442    7.7.7.7:33442
udp 12.1.1.1:49176    192.168.1.1:49176    7.7.7.7:33443    7.7.7.7:33443
udp 12.1.1.1:49177    192.168.1.1:49177    7.7.7.7:33444    7.7.7.7:33444
udp 12.1.1.1:49178    192.168.1.1:49178    7.7.7.7:33445    7.7.7.7:33445

同时IOU1也能访问IOU6:

IOU1#tra 192.168.2.1
Type escape sequence to abort.
Tracing the route to 192.168.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 12.1.1.2 7 msec 6 msec 2 msec
  2 23.1.1.3   [MPLS: Labels 17/22 Exp 0] 2 msec 1 msec 1 msec
  3 46.1.1.4   [MPLS: Label 22 Exp 0] 5 msec 5 msec 5 msec
  4 46.1.1.6 5 msec 5 msec 5 msec

实验按理来说到这里就结束了,但如果你还想在IOU6上做路由泄露,同时IOU1和IOU6之间能互相访问,你可以接着往下看。

1、在IOU4上写一条静态默认路由,做route leak,指向Internet:

ip route vrf IOU6 0.0.0.0 0.0.0.0 5.5.5.5 global

2、在IOU4上再写一条回包路由,并通过BGP通告:

ip route 46.1.1.0 255.255.255.0 e 0/0 46.1.1.6

router bgp 2345
 add ipv4 un
 net 46.1.1.0 mask 255.255.255.0

3、在IO4上往CE下发默认路由:

router os 16 vrf IOU6
 default-information originate

4、IOU6上做NAT(注意:这里要做过滤,CE站点间的流量不做PAT):

ip access-list extended VPN
 deny ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any

ip nat inside source list VPN interface e 0/0 overload

int e 0/0
 ip nat outside

int l 0
 ip nat inside

测试:

IOU6#p 7.7.7.7 so l 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

IOU6#tra 7.7.7.7 so l 0
Type escape sequence to abort.
Tracing the route to 7.7.7.7
VRF info: (vrf in name/id, vrf out name/id)
  1 46.1.1.4 5 msec 5 msec 5 msec
  2 34.1.1.3 [MPLS: Label 17 Exp 0] 1 msec 1 msec 0 msec
  3 35.1.1.5 1 msec 1 msec 6 msec
  4 57.1.1.7 2 msec 7 msec 8 msec
IOU6#sh ip nat translations
Pro   Inside global    Inside local       Outside local   Outside global
icmp  46.1.1.6:0       192.168.2.1:0      7.7.7.7:0       7.7.7.7:0
udp   46.1.1.6:49154   192.168.2.1:49154  7.7.7.7:33434   7.7.7.7:33434
udp   46.1.1.6:49155   192.168.2.1:49155  7.7.7.7:33435   7.7.7.7:33435
udp   46.1.1.6:49156   192.168.2.1:49156  7.7.7.7:33436   7.7.7.7:33436
udp   46.1.1.6:49157   192.168.2.1:49157  7.7.7.7:33437   7.7.7.7:33437
udp   46.1.1.6:49158   192.168.2.1:49158  7.7.7.7:33438   7.7.7.7:33438
udp   46.1.1.6:49159   192.168.2.1:49159  7.7.7.7:33439   7.7.7.7:33439
udp   46.1.1.6:49160   192.168.2.1:49160  7.7.7.7:33440   7.7.7.7:33440
udp   46.1.1.6:49161   192.168.2.1:49161  7.7.7.7:33441   7.7.7.7:33441
udp   46.1.1.6:49162   192.168.2.1:49162  7.7.7.7:33442   7.7.7.7:33442
udp   46.1.1.6:49163   192.168.2.1:49163  7.7.7.7:33443   7.7.7.7:33443
udp   46.1.1.6:49164   192.168.2.1:49164  7.7.7.7:33444   7.7.7.7:33444
udp   46.1.1.6:49165   192.168.2.1:49165  7.7.7.7:33445   7.7.7.7:33445

同时IOU1也能访问IOU6:

IOU6#tra 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 46.1.1.4 6 msec 8 msec 5 msec
  2 34.1.1.3 [MPLS: Labels 16/23 Exp 0] 2 msec 1 msec 0 msec
  3 12.1.1.2 [MPLS: Label 23 Exp 0] 1 msec 1 msec 0 msec
  4 12.1.1.1 1 msec 1 msec 0 msec

这是思科官方的英文参考文档 — Route Leaking in MPLS/VPN Networks:

http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/multiprotocol-label-switching-vpns-mpls-vpns/47807-routeleaking.html

 

其他相关文章:

 

本文完。如有疑问,欢迎在下方留言;如本文有什么错误,欢迎在下方留言指正,谢谢。

打赏作者
这里是 “ CCIE 工程师社区 ” 官方的捐款通道,您是否可以考虑请我们喝杯咖啡呢?

您的支持将鼓励我们继续创作!

[微信] 扫描二维码打赏

[支付宝] 扫描二维码打赏

Was this article helpful?

Related Articles

Leave A Comment?

This site uses Akismet to reduce spam. Learn how your comment data is processed.