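    Master the Fundamentals to Avoid Going Astray: An MPLS VPN Network Case

    Author:  |  Uploaded: 2014-11-26  |  Keywords: Master the Fundamentals to Avoid Going Astray: An MPLS VPN Network Case

    I. Networking case

    Network overview:

    In the topology, PE B and PE C run an intra-domain MPLS VPN, while PE A and PE B run an inter-AS MPLS VPN Option B network. PE B and PE C are IBGP peers, and PE B and PE A are EBGP peers. CE D forms OSPF adjacencies with PE B and PE C (CE D advertises the loopback route 5.5.5.5/32). PE B and PE C each import the OSPF routes into MP-BGP and also import the MP-BGP routes into the OSPF multi-instance process.

    The VPN1 configuration on PE A is as follows: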

    ip vpn-instance 1

    route-distinguisher 2:2

    vpn-target 1:1 export-extcommunity

    vpn-target 1:1 import-extcommunity

    The VPN1 configuration on PE B is as follows:

    ip vpn-instance 1

    route-distinguisher 2:2

    vpn-target 1:1 export-extcommunity

    vpn-target 1:1 import-extcommunity

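    After routing has converged on all devices, the path from PE A to 5.5.5.5 turns out to be PE A -> PE B -> PE C -> CE D. In other words, PE A has preferred the BGP VPNv4 route advertised by PE C. Why?

    II. Case analysis

    First, on PE A, look at the 5.5.5.5/32 route under VPN1: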

    <RT1>display bgp vpnv4 vpn-instance 1 routing-table 5.5.5.5 32

    BGP local router ID : 10.0.0.1

    Local AS number : 200

    Paths: 2 available, 1 best

    BGP routing table entry information of 5.5.5.5/32:

    From : 10.0.0.2 (30.0.0.1)

    Relay Nexthop : 0.0.0.0

    Original nexthop: 10.0.0.2

    Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 20.0.0.1:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>

    AS-path : 100

    Origin : incomplete

    Attribute value : MED 2, pref-val 0, pre 255

    State : valid, external,

    Not advertised to any peers yet

    BGP routing table entry information of 5.5.5.5/32:

    From : 10.0.0.2 (30.0.0.1)

    Relay Nexthop : 0.0.0.0

    Original nexthop: 10.0.0.2

    Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 30.0.0.2:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>

    AS-path : 100

    Origin : incomplete

    Attribute value : pref-val 0, pre 255

    State : valid, external, best,

    Not advertised to any peers yet

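    The OSPF Router ID field confirms that PE A has preferred the BGP VPNv4 route advertised by PE C. It was preferred because this route carries no MED value, whereas the BGP VPNv4 route advertised by PE B carries a MED value of 2. This raises several questions:

    Question 1: The protocol specifies that a BGP speaker advertises to its peers only the routes it uses itself. Why did PE B advertise two BGP VPNv4 routes to PE A?

    First check the VPN1 routing table on PE B to confirm which route is preferred. It shows that the locally best route is the one learned through the OSPF multi-instance process: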

    <RT4>display ip routing-table vpn-instance 1 5.5.5.5

    Destination/Mask Proto Pre Cost NextHop Interface

    5.5.5.5/32 OSPF 10 1 20.0.0.2 S0/2/1

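    So why does PE B advertise two BGP VPNv4 routes to PE A?

    BGP VPNv4 routes are held in one routing table per RD. In each of these tables the BGP speaker advertises its best BGP route to its peers, and different RDs mean different routes. Because the RD of VPN 1 on PE B differs from the RD of VPN 1 on PE C, PE B sends PE A two BGP VPNv4 routes for 5.5.5.5/32 with different RDs.

    Looking at the BGP VPNv4 routes on PE A, there are two 5.5.5.5/32 routes with different RDs: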

    <RT1>display bgp vpnv4 all routing-table

    BGP Local router ID is 10.0.0.1

    Status codes: * - valid, > - best, d - damped,

    h - history, i - internal, s - suppressed, S - Stale

    Origin : i - IGP, e - EGP, ? - incomplete

    Total number of routes from all PE: 4

    Route Distinguisher: 2:2

    Network NextHop In/Out Label MED LocPrf

    *> 5.5.5.5/32 10.0.0.2 NULL/1024 2

    *> 40.0.0.0/24 10.0.0.2 NULL/1024 1564

    Route Distinguisher: 1:1

    Network NextHop In/Out Label MED LocPrf

    *> 5.5.5.5/32 10.0.0.2 NULL/1028

    *> 20.0.0.0/24 10.0.0.2 NULL/1028

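    Question 2: When PE B advertises the BGP VPNv4 route 5.5.5.5/32 with RD 1:1 to PE A, why does the route carry no MED attribute?

    The protocol specifies that the MED attribute is exchanged only between two adjacent ASs; an AS that receives this attribute does not advertise it on to other ASs. So when PE B advertises the 5.5.5.5/32 route with RD 1:1 to PE A, it carries no MED attribute. To use the MED attribute to control route selection, the MED attribute has to be set on the BGP border router.

    Question 3: On PE A, the next hop of both routes to 5.5.5.5 is PE B, and PE B prefers to reach 5.5.5.5 through OSPF. Why do packets take a detour through PE C?

    Look at the packet forwarding flow. First check the label forwarding table for 5.5.5.5 on PE A: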

    [RT1]display bgp vpnv4 vpn-instance 1 routing-table label

    BGP Local router ID is 10.0.0.1

    Status codes: * - valid, > - best, d - damped,

    h - history, i - internal, s - suppressed, S - Stale

    Origin : i - IGP, e - EGP, ? - incomplete

    Total routes of vpn-instance 1: 5

    Network NextHop In/Out Label

    * 5.5.5.5/32 10.0.0.2 NULL/1024

    *> 5.5.5.5/32 10.0.0.2 NULL/1028

    * >40.0.0.0/24 10.0.0.2 NULL/1024

    * > 20.0.0.0/24 10.0.0.2 NULL/1026

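    The best private-network (VPN) label is 1028, so in the inter-AS Option B network PE A sends packets for 5.5.5.5 to PE B with label 1028. When a packet reaches PE B, PE B looks it up in the label table of the BGP VPNv4 routes (not in the label table of the local vpn1 routes). An ASBR only performs label swapping on packets coming from the peer ASBR, and the table it looks up is the BGP VPNv4 route label table: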

    [H3C]display bgp vpnv4 all routing-table label

    BGP Local router ID is 2.2.2.2

    Status codes: * - valid, > - best, d - damped,

    h - history, i - internal, s - suppressed, S - Stale

    Origin : i - IGP, e - EGP, ? - incomplete

    Total number of routes from all PE: 3

    Route Distinguisher: 1:1

    Network NextHop In/Out Label

    *>i 5.5.5.5/32 1.1.1.1 1028/1025

    *>i 20.0.0.0/24 1.1.1.1 1028/1025

    Route Distinguisher: 3:3

    Network NextHop In/Out Label

    *> 6.6.6.6/32 10.0.0.1 1027/1024

    Total routes of vpn-instance 1: 1

    Network NextHop In/Out Label

    *> 5.5.5.5/32 20.0.0.2 1024/NULL

    * i 5.5.5.5/32 1.1.1.1 NULL/1025

    *> 6.6.6.6/32 10.0.0.1 NULL/1024

    * i 20.0.0.0/24 1.1.1.1 NULL/1025

    *> 40.0.0.0/24 20.0.0.2 1024/NULL

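    PE B then uses the BGP VPNv4 route label table to swap the packet's private-network label to 1025 (the public-network label is popped at the penultimate hop) and forwards the packet to PE C. PE C receives the packet with private-network label 1025, finds that this label is one it allocated itself, pops the private-network label, and forwards the packet according to its routing table.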

    [R1-bgp]display bgp vpnv4 all routing-table label

    BGP Local router ID is 1.1.1.1

    Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,

    h - history, i - internal, s - suppressed, S - Stale

    Origin : i - IGP, e - EGP, ? - incomplete

    Total number of routes from all PE: 3

    Route Distinguisher: 2:2

    Network NextHop In/Out Label

    *^ i 5.5.5.5/32 2.2.2.2 NULL/1024

    *^ i 40.0.0.0/24 2.2.2.2 NULL/1024

    Total routes of vpn-instance 1: 5

    Network NextHop In/Out Label

    *^> 5.5.5.5/32 40.0.0.1 1024/NULL

    * i 5.5.5.5/32 2.2.2.2 NULL/1024

    * i 40.0.0.0/24 2.2.2.2 NULL/1024

    *^> 20.0.0.0/24 40.0.0.1 1024/NULL

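    III. Summary

    Using an inter-AS Option B network, this case examines three points that are easy to misunderstand:

    1. A BGP speaker advertises to its peers only the routes it uses itself. "The routes it uses itself" does not mean the routes present in the local routing table, but the BGP best routes (and for VPN routes, best is determined per RD);

    2. Use of the MED attribute: if MED is modified on a non-border router, the attribute cannot be passed through the border router into another AS;

    3. During label forwarding, the lookup is done in the BGP VPNv4 route label table, not in the label table of the local VPN routes. Pay particular attention to this on an ASBR (this is easy to understand, because in many deployments no VPN instance needs to be created on the ASBR).

    IV. Going further

    In this network, how can packets travelling from PE A to PE B be forwarded directly toward the CE instead of toward PE C?

    There are several ways, and interested readers can explore them. Here is one example:

    On PE C, tag the imported routes with a community attribute such as 100:1. Then, when PE B advertises to PE C, match the routes carrying community 100:1 and apply a route policy that raises the MED value.

    Key configuration on PE C: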

    [R1-bgp]

    bgp 100

    undo synchronization

    peer 2.2.2.2 as-number 100

    peer 2.2.2.2 connect-interface LoopBack0

    #

    ipv4-family vpn-instance 1

    import-route ospf 1 route-policy comm

    #

    ipv4-family vpnv4

    peer 2.2.2.2 enable

    peer 2.2.2.2 advertise-community

    [R1-bgp]display route-policy comm

    Route-policy : comm

    permit : 10

    apply community 100:1

    Key configuration on PE B:

    [R2-bgp]

    bgp 100

    undo synchronization

    peer 1.1.1.1 as-number 100

    peer 10.0.0.1 as-number 200

    peer 1.1.1.1 connect-interface LoopBack0

    #

    ipv4-family vpn-instance 1

    import-route ospf 1

    #

    ipv4-family vpnv4

    peer 1.1.1.1 enable

    peer 10.0.0.1 enable

    peer 10.0.0.1 route-policy med export

    [R2-bgp]display route-policy med

    Route-policy : med

    permit : 10

    if-match community 10

    apply cost 10

    permit : 20

    [R2-bgp]display ip community-list 10

    Community List Number 10

    permit 100:1

    After adding the configuration, look at the VPNv4 routes on PE B:

    [R2-bgp]display bgp vpnv4 all routing-table 5.5.5.5 32

    BGP local router ID : 2.2.2.2

    Local AS number : 100

    Route Distinguisher: 1:1

    Paths: 1 available, 0 best, 1 VPNv4 best

    BGP routing table entry information of 5.5.5.5/32:

    Label information (Received/Applied): 1024/1026

    From : 1.1.1.1 (1.1.1.1)

    Original nexthop: 1.1.1.1

    Community : <100:1>

    Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 40.0.0.2:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>

    AS-path : (null)

    Origin : incomplete

    Attribute value : MED 2, localpref 100, pref-val 0, pre 255

    State : valid, internal, VPNv4 best,

    Advertised to such 1 peers:

    10.0.0.1

    Total Number of Routes: 2(1)

    Paths: 2 available, 1 best, 1 VPNv4 best

    BGP routing table entry information of 5.5.5.5/32:

    Imported route.

    Label information (Received/Applied): NULL/1024

    From : 0.0.0.0 (0.0.0.0)

    Original nexthop: 20.0.0.2

    Ext-Community :<OSPF Domain Id: 0.0.0.0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>, <OSPF Router Id: 20.0.0.1:0:0>, <RT: 1:1>

    AS-path : (null)

    Origin : incomplete

    Attribute value : MED 2, pref-val 0, pre 10

    State : valid, local, best, VPNv4 best,

    Not advertised to any peers yet

    Advertised to such 2 VPNv4 peers:

    1.1.1.1

    10.0.0.1

    BGP routing table entry information of 5.5.5.5/32:

    Label information (Received/Applied): 1024/NULL

    From : 1.1.1.1 (1.1.1.1)

    Relay Nexthop : 0.0.0.0

    Original nexthop: 1.1.1.1

    Community : <100:1>

    Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 40.0.0.2:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>

    AS-path : (null)

    Origin : incomplete

    Attribute value : MED 2, localpref 100, pref-val 0, pre 255

    State : valid, internal,

    Not advertised to any peers yet

    Not advertised to any VPNv4 peers yet

    Now look again at which route PE A prefers:

    [R6]display bgp vpnv4 all routing-table 5.5.5.5 32

    BGP local router ID : 6.6.6.6

    Local AS number : 200

    Route Distinguisher: 2:2

    Paths: 1 available, 0 best, 1 VPNv4 best

    BGP routing table entry information of 5.5.5.5/32:

    Label information (Received/Applied): 1024/NULL

    From : 10.0.0.2 (2.2.2.2)

    Original nexthop: 10.0.0.2

    Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 20.0.0.1:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>

    AS-path : 100

    Origin : incomplete

    Attribute value : MED 2, pref-val 0, pre 255

    State : valid, external, VPNv4 best,

    Not advertised to any peers yet

    Route Distinguisher: 1:1

    Paths: 1 available, 0 best, 1 VPNv4 best

    BGP routing table entry information of 5.5.5.5/32:

    Label information (Received/Applied): 1026/NULL

    From : 10.0.0.2 (2.2.2.2)

    Original nexthop: 10.0.0.2

    Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 40.0.0.2:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>

    AS-path : 100

    Origin : incomplete

    Attribute value : MED 10, pref-val 0, pre 255

    State : valid, external, VPNv4 best,

    Not advertised to any peers yet

    Total Number of Routes: 2(1)

    Paths: 2 available, 1 best, 0 VPNv4 best

    BGP routing table entry information of 5.5.5.5/32:

    Label information (Received/Applied): 1024/NULL

    From : 10.0.0.2 (2.2.2.2)

    Relay Nexthop : 0.0.0.0

    Original nexthop: 10.0.0.2

    Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 20.0.0.1:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>

    AS-path : 100

    Origin : incomplete

    Attribute value : MED 2, pref-val 0, pre 255

    State : valid, external, best,

    Not advertised to any peers yet

    Not advertised to any VPNv4 peers yet

    BGP routing table entry information of 5.5.5.5/32:

    Label information (Received/Applied): 1026/NULL

    From : 10.0.0.2 (2.2.2.2)

    Relay Nexthop : 0.0.0.0

    Original nexthop: 10.0.0.2

    Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 40.0.0.2:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>

    AS-path : 100

    Origin : incomplete

    Attribute value : MED 10, pref-val 0, pre 255

    State : valid, external,

    Not advertised to any peers yet

    Not advertised to any VPNv4 peers yet

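    The BGP VPNv4 route selection information on PE A shows that, following the BGP route selection rules, the route sent by PE B is now preferred. Comparing the OSPF Router ID also shows that PE A has preferred the BGP VPNv4 route originated by PE B and installed it in the VPN routing table.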
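
    The selection behaviour from Questions 1 and 2 and the effect of the route policy in section IV can be reproduced with a small model. This is an added example, not code from the original article or from the vendor; the class and function names are hypothetical, the attribute values (RD 2:2 and 1:1, MED 2 and 10, community 100:1) are taken from the outputs above, and the model assumes that an absent MED is compared as 0.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Path:
    rd: str                       # route distinguisher
    origin: str                   # PE that imported the OSPF route into MP-BGP
    med: Optional[int]            # None means the attribute is absent
    local: bool = False           # True on the router that did the import
    communities: frozenset = frozenset()

def pe_b_vpnv4_table(tag_on_pe_c):
    """Paths for 5.5.5.5/32 on PE B: its own import (RD 2:2) and PE C's via IBGP (RD 1:1)."""
    comm = frozenset({"100:1"}) if tag_on_pe_c else frozenset()
    return [Path("2:2", "PE B", 2, local=True),
            Path("1:1", "PE C", 2, communities=comm)]

def best_per_rd(paths):
    """VPNv4 selection runs per RD, so every RD contributes its own best path."""
    best = {}
    for p in paths:
        cur = best.get(p.rd)
        if cur is None or (p.local, -(p.med or 0)) > (cur.local, -(cur.med or 0)):
            best[p.rd] = p
    return list(best.values())

def policy_med(path):
    """Model of route-policy 'med': node 10 matches 100:1 and sets cost 10, node 20 permits the rest."""
    return replace(path, med=10) if "100:1" in path.communities else path

def export_to_ebgp(path, policy=None):
    """A MED learned over IBGP is not passed to the EBGP peer; a local import keeps its MED."""
    out = replace(path, med=path.med if path.local else None, local=False)
    return policy(out) if policy else out

def pe_a_best(received):
    """PE A imports both RDs (RT 1:1) into one VPN instance; the lowest MED wins."""
    return min(received, key=lambda p: 0 if p.med is None else p.med)

def run(with_fix):
    adverts = [export_to_ebgp(p, policy_med if with_fix else None)
               for p in best_per_rd(pe_b_vpnv4_table(tag_on_pe_c=with_fix))]
    return adverts, pe_a_best(adverts)

if __name__ == "__main__":
    for fix in (False, True):
        adverts, best = run(fix)
        label = "with policy" if fix else "original"
        print(label, [(p.rd, p.med) for p in adverts], "-> PE A prefers", best.origin)
```

    All other attributes (pref-val, AS-path, Origin) are equal in the captured outputs, which is why the model compares MED alone.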