HCIP comprehensive lab:
Lab topology:
Topology description:
- The network plan is as shown in the figure:
- MPLS VPN runs inside AS 100,
- the specific lab requirements are listed below
Lab requirements:
Configure VLANs and IP addresses across the whole network according to the topology diagram
Headquarters:
Enable Eth-Trunk on the interconnecting interfaces of SW3 and SW4, with a maximum bandwidth of 2G
SW1, SW2, SW3 and SW4 run MSTP; SW1 is the root for VLAN 10 and SW2 is the root for VLAN 20
PC1-PC4 need gateway redundancy; to improve security, authentication is required, and BFD is used to check the uplink state dynamically so that failover is automatic
AS100 requirements:
Every device needs a Loopback interface with address X.X.X.X (X is the device number)
The underlying IGP in AS100 is IS-IS with a level-2 area; make sure the loopback interfaces of all routers can reach each other
R1 and R4 establish an IBGP peering (using the loopback interfaces)
MPLS-VPN requirements:
The headquarters PCs can reach the PCs of branch 1 and branch 2, but the branches cannot reach each other
OSPF runs between R1 and SW3/SW4
BGP runs between R4 and R5
OSPF runs between R4 and R6
R1 and R4 establish an MP-BGP peering
Branch 1 requirements:
- SW5 is a layer-2 switch; PC5 and PC6 are in different VLANs (different subnets), and the two PCs must be able to reach each other
Branch 2 requirements:
PC8 and PC7 are in different VLANs (same subnet); using VLANIF technology both PCs reach headquarters normally, but they cannot reach each other
The internal IGP is OSPF; to speed up convergence, no DR is allowed on any segment
Requirement analysis:
The lab topology is large and there are many requirements, but it becomes manageable once it is split into several small parts.
Headquarters: link aggregation and MSTP are explicitly required, and it is stated who is the ROOT; gateway redundancy means VRRP, with authentication and BFD added on top
- Headquarters configuration: dynamic link aggregation / MSTP / VRRP / VRRP authentication / VRRP BFD uplink fault detection
Branch 1: the PCs are in different VLANs and different subnets but must be able to reach each other, which is classic router-on-a-stick.
- Branch 1 configuration: router-on-a-stick
Branch 2: the PCs are in different VLANs but both reach the outside through one VLAN, and they must not reach each other. This points to super-VLAN, but the sub-VLANs of a super-VLAN can reach each other, so ARP proxy is turned off to keep them apart; OSPF must also run internally with no DR, so the link type is changed to p2p
- Branch 2 configuration: super VLAN / OSPF / change the OSPF link type
MPLS-VPN: headquarters can reach both branches, but the branches cannot reach each other; two VPN instances solve this cleanly, followed by the various protocols between CE and PE.
MPLS-VPN configuration:
IS-IS inside AS 100
MPLS LDP / MPLS VPN / MP-BGP
OSPF between R1 and SW3/SW4
- BGP between R4 and R5
- OSPF between R4 and R6
Lab steps:
Configure IP addresses, ping directly connected neighbors to verify connectivity, configure the loopback addresses (omitted)
Configure headquarters:
Create the VLANs and assign them to the interfaces (omitted)
Configure MSTP on SW1-SW2-SW3-SW4:
[SW1]stp region-configuration
[SW1-mst-region] region-name cfw //set the MSTP region name
[SW1-mst-region] revision-level 1 //set the MSTP revision level
[SW1-mst-region] instance 1 vlan 10 //create instance 1 and map VLAN 10 to it
[SW1-mst-region] instance 2 vlan 20 //create instance 2 and map VLAN 20 to it
[SW1-mst-region] active region-configuration //activate the MSTP region configuration
SW2, SW3 and SW4 get the same configuration.
[SW3]stp instance 1 root primary //make SW3 the primary root of instance 1
[SW3]stp instance 2 root secondary //make SW3 the secondary root of instance 2
#SW4 gets the same configuration with primary and secondary reversed. Check the MSTP state:
[SW3]dis stp instance 1
-------[MSTI 1 Global Info]-------
MSTI Bridge ID :0.4c1f-cc06-74f7 //bridge ID of this MSTI
MSTI RegRoot/IRPC :0.4c1f-cc06-74f7 / 0 //regional root bridge ID / internal root path cost
MSTI RootPortId :0.0 //no root port, root path cost is 0
MSTI Root Type :Primary root
Master Bridge :32768.4c1f-cc06-74f7
Cost to Master :0
TC received :5
TC count per hello :0
Time since last TC :0 days 0h:4m:44s
Number of TC :6
Last TC occurred :GigabitEthernet0/0/2
----[Port2(GigabitEthernet0/0/2)][FORWARDING]----
Port Role :Designated Port //port role is Designated Port (DP)
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=20000
Designated Bridge/Port :0.4c1f-cc06-74f7 / 128.2
Port Times :RemHops 20
TC or TCN send :4
TC or TCN received :2
----[Port3(GigabitEthernet0/0/3)][FORWARDING]----
Port Role :Designated Port //port role is Designated Port (DP)
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=20000
Designated Bridge/Port :0.4c1f-cc06-74f7 / 128.3
Port Times :RemHops 20
TC or TCN send :6
TC or TCN received :3
[SW3]
[SW4]dis stp instance 2
-------[MSTI 2 Global Info]-------
MSTI Bridge ID :0.4c1f-cc8e-4dd9
MSTI RegRoot/IRPC :0.4c1f-cc8e-4dd9 / 0
MSTI RootPortId :0.0
MSTI Root Type :Primary root
Master Bridge :32768.4c1f-cc06-74f7
Cost to Master :10000
TC received :13
TC count per hello :0
Time since last TC :0 days 0h:6m:9s
Number of TC :10
Last TC occurred :GigabitEthernet0/0/3
----[Port3(GigabitEthernet0/0/2)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=20000
Designated Bridge/Port :0.4c1f-cc8e-4dd9 / 128.3
Port Times :RemHops 20
TC or TCN send :8
TC or TCN received :10
----[Port4(GigabitEthernet0/0/3)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=20000
Designated Bridge/Port :0.4c1f-cc8e-4dd9 / 128.4
Port Times :RemHops 20
TC or TCN send :9
TC or TCN received :3
----[Port1(Eth-Trunk1)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=10000
Designated Bridge/Port :0.4c1f-cc8e-4dd9 / 128.1
Port Times :RemHops 20
TC or TCN send :9
TC or TCN received :0
[SW4]
#SW3 is the root of instance 1 and SW4 the root of instance 2. Configure dynamic link aggregation:
[SW4]in eth 1
[SW4-Eth-Trunk1]mode lacp-static //static LACP mode
[SW4-Eth-Trunk1]max active-linknumber 2 //set the maximum number of active links to 2
[SW4-Eth-Trunk1]port link-type trunk
[SW4-Eth-Trunk1]port trunk allow-pass vlan 10 20
#The requirement of 2G maximum bandwidth means at most 2 active links, which static LACP can enforce. Check the link aggregation state:
[SW3]dis eth 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768 System ID: 4c1f-cc06-74f7
Least Active-linknumber: 1 Max Active-linknumber: 2
Operate status: up Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/1 Selected 1GE 32768 2 305 10111100 1
GigabitEthernet0/0/4 Selected 1GE 32768 5 305 10111100 1
GigabitEthernet0/0/5 Unselect 1GE 32768 6 305 10100000 1
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/1 32768 4c1f-cc8e-4dd9 32768 2 305 10111100
GigabitEthernet0/0/4 32768 4c1f-cc8e-4dd9 32768 5 305 10111100
GigabitEthernet0/0/5 32768 4c1f-cc8e-4dd9 32768 6 305 10100000
[SW3]
#g0/0/1 and g0/0/4 are Selected while g0/0/5 is Unselect, so ports 0/1 and 0/4 are the active ones, and their combined bandwidth is exactly 2G. Configure VRRP:
[SW3-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254 //set the virtual gateway of VRRP group 1 to 192.168.10.254
[SW3-Vlanif10]vrrp vrid 1 priority 150 //set the priority of VRRP group 1 to 150
[SW3-Vlanif10]vrrp vrid 1 authentication-mode md5 huawei //configure MD5 authentication for VRRP group 1
[SW4-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254
[SW4-Vlanif10]vrrp vrid 1 authentication-mode md5 huawei
#VRRP has two authentication modes, md5 and simple. In my own test with simple, both sides ended up as Master, so we use md5.
#Both sides are configured identically; only the configuration of VRRP group 1 is shown here. Check the state of VRRP group 1:
[SW3]dis vrrp 1
Vlanif10 | Virtual Router 1
State : Master
Virtual IP : 192.168.10.254
Master IP : 192.168.10.252
PriorityRun : 150
PriorityConfig : 150
MasterPriority : 150
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : MD5 Auth key : Zm~.C3k[ND$+cx#k/mS=p_M#
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Create time : 2019-04-27 13:19:09 UTC-08:00
Last change time : 2019-04-27 13:19:13 UTC-08:00
[SW3]
[SW4]dis vrrp 1
Vlanif10 | Virtual Router 1
State : Backup
Virtual IP : 192.168.10.254
Master IP : 192.168.10.252
PriorityRun : 100 //local priority is 100, the default
PriorityConfig : 100
MasterPriority : 150 //the master's priority is 150
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : MD5 Auth key : 1!9d=^g7u)^QW:LZJi;=J>a# //authentication type is MD5
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Create time : 2019-04-27 12:52:05 UTC-08:00
Last change time : 2019-04-27 13:25:31 UTC-08:00
[SW4]
#SW3 is the Master of VRRP group 1 and SW4 is the Backup.
Configure VRRP BFD uplink fault detection:
[SW3]bfd //enable BFD globally
[SW3]bfd cfw bind peer-ip 192.168.13.1 interface Vlanif 30 source-ip 192.168.13.3 auto //create a BFD session named cfw, peer 192.168.13.1, bound to Vlanif 30, source IP 192.168.13.3, with local and remote discriminators allocated automatically
[SW3-bfd-session-cfw]commit //commit the session configuration
[SW3-Vlanif10]vrrp vrid 1 track bfd-session session-name cfw reduced 100 //let VRRP track the BFD session state to detect the uplink; when it goes down, reduce the priority by 100
#VRRP group tracking of BFD is normally configured on the master; it monitors the uplink in real time, and when the link fails the original master lowers its priority and becomes Backup. Check the BFD state:
[SW3]dis bfd session peer-ip 192.168.13.1
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
8193 0 192.168.13.1 Down S_AUTO_IF Vlanif30
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 0/1
[SW3]
#The state is DOWN because BFD has not been enabled under the interface; the peer's interface must enable BFD as well. Enable BFD on the interfaces:
[SW3-Vlanif30]ospf bfd enable //enable BFD under the specific OSPF interface
[R1-GigabitEthernet0/0/0]ospf bfd enable
#BFD is usually combined with an IGP so that the link state is detected dynamically. Check the BFD state:
[SW3]dis bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
8193 8197 192.168.13.1 Up S_AUTO_IF Vlanif30
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0
[SW3]
#The session is now Up, so we can test it: shut down g0/0/6 and see whether VRRP group 1 changes. Shut down g0/0/6 and check VRRP group 1:
[SW3-GigabitEthernet0/0/6]shutdown
[SW3]dis vrrp 1
Vlanif10 | Virtual Router 1
State : Backup //state is now Backup
Virtual IP : 192.168.10.254
Master IP : 192.168.10.253
PriorityRun : 50 //local running priority dropped to 50
PriorityConfig : 150 //configured priority is still 150
MasterPriority : 100 //the master's priority is 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : MD5 Auth key : Zm~.C3k[ND$+cx#k/mS=p_M#
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Track BFD : cfw Priority reduced : 100
BFD-session state : DOWN //BFD session state is Down
Create time : 2019-04-27 13:19:09 UTC-08:00
Last change time : 2019-04-27 17:59:29 UTC-08:00
[SW3]
#After the uplink failed, the master automatically lowered its priority and became Backup, so the master/backup switchover works and the lab is complete. Packet capture analysis:
BFD packets run over UDP; single-hop detection uses port 3784, multi-hop detection uses 4784/3784
After the uplink fails, the VRRP advertisement carries the reduced priority and is sent to the neighbor, which triggers the state switch
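The advertisement behaviour described above, as an added example that is not part of the original writeup: a small VRRPv2 (RFC 3768) encoder/decoder plus the receiver-side election rule, run with the lab's VRID, virtual IP, the two switches' interface addresses from the dis vrrp output and the 150 to 50 priority drop. The packet bytes are constructed, and the MD5 authentication field is not modelled.

```python
import struct
from ipaddress import IPv4Address

VRRP_VERSION = 2        # VRRPv2, what the lab's "normal-vrrp" groups run
VRRP_ADVERTISEMENT = 1  # the only VRRP packet type

def inet_checksum(data: bytes) -> int:
    """One's-complement checksum over the VRRP packet with the checksum field zeroed."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_advertisement(vrid: int, priority: int, vips, adver_int: int = 1) -> bytes:
    """8-byte header, the virtual IPs, then the 8-byte authentication field.
    Auth type 0 is used; the lab's MD5 authentication itself is not modelled."""
    head = struct.pack("!BBBBBB", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                       vrid, priority, len(vips), 0, adver_int)
    tail = b"".join(IPv4Address(ip).packed for ip in vips) + b"\x00" * 8
    return head + struct.pack("!H", inet_checksum(head + b"\x00\x00" + tail)) + tail

def parse_advertisement(pkt: bytes) -> dict:
    """Decode an advertisement; ValueError on a bad version, type, length or checksum."""
    if len(pkt) < 16:
        raise ValueError("truncated VRRP packet")
    vt, vrid, prio, count, auth_type, adver_int, csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != VRRP_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) < 16 + 4 * count:
        raise ValueError("IP count exceeds packet length")
    if inet_checksum(pkt[:6] + b"\x00\x00" + pkt[8:]) != csum:
        raise ValueError("checksum mismatch")
    vips = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int,
            "auth_type": auth_type, "vips": vips}

def is_valid_advertisement(pkt: bytes) -> bool:
    try:
        parse_advertisement(pkt)
        return True
    except ValueError:
        return False

def role_after_receiving(local_prio: int, local_ip: str, adv: dict, peer_ip: str) -> str:
    """Election as seen by the receiver (RFC 3768): higher priority wins,
    a tie goes to the higher primary IP address."""
    if adv["priority"] > local_prio:
        return "Backup"
    if adv["priority"] < local_prio:
        return "Master"
    return "Backup" if IPv4Address(peer_ip) > IPv4Address(local_ip) else "Master"

def failover_walkthrough() -> dict:
    """SW3 runs priority 150, SW4 the default 100. When SW3's BFD session goes down,
    'track bfd-session ... reduced 100' makes SW3 advertise 150 - 100 = 50."""
    vip, sw3, sw4 = "192.168.10.254", "192.168.10.252", "192.168.10.253"
    before = parse_advertisement(build_advertisement(1, 150, [vip]))
    after = parse_advertisement(build_advertisement(1, 150 - 100, [vip]))
    return {"advertised_before": before["priority"],
            "advertised_after": after["priority"],
            "sw4_before": role_after_receiving(100, sw4, before, sw3),  # stays Backup
            "sw4_after": role_after_receiving(100, sw4, after, sw3)}    # takes over
```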
Configure branch 1:
Configure the VLANs on the layer-2 switch SW5 and assign them to the corresponding interfaces (omitted)
Configure router-on-a-stick:
[R5]in g 0/0/1.10
[R5-GigabitEthernet0/0/1.10]dot1q termination vid 10 //single-tag VLAN ID terminated by this dot1q sub-interface
[R5-GigabitEthernet0/0/1.10]ip address 192.168.55.254 255.255.255.0
[R5-GigabitEthernet0/0/1.10]arp broadcast enable //enable ARP broadcast on the termination sub-interface
#The PCs are in different subnets and different VLANs but must reach each other, which calls for router-on-a-stick
Configure branch 2:
Create the VLANs and configure the super-VLAN:
[SW7]vlan 30
[SW7-vlan30]aggregate-vlan //make VLAN 30 the super-VLAN
[SW7-vlan30]access-vlan 10 20 //make VLAN 10 and VLAN 20 sub-VLANs of VLAN 30
[SW7]int vlan 30
[SW7-Vlanif30]ip add 192.168.78.254 24
#The PCs are in the same subnet and different VLANs and must not reach each other. Super-VLAN fits, but the sub-VLANs of a super-VLAN can reach each other, so ARP proxy between them has to be off; since ARP proxy is off by default, no extra configuration is needed.
#In a basic setup inter-VLAN ARP proxy would be enabled, but the requirement forbids mutual access, so ARP proxy is left disabled. Configure OSPF in the branch:
[R6]ospf 200 router-id 6.6.6.6
[R6-ospf-200]area 0
[R6-ospf-200-area-0.0.0.0]network 6.6.6.6 0.0.0.0
[R6-ospf-200-area-0.0.0.0]network 192.168.67.6 0.0.0.0
[SW7]ospf 200 router-id 7.7.7.7
[SW7-ospf-200]area 0
[SW7-ospf-200-area-0.0.0.0]network 192.168.67.7 0.0.0.0
[SW7-ospf-200-area-0.0.0.0]network 7.7.7.7 0.0.0.0
Check the OSPF state:
[R6]dis ospf peer brief
OSPF Process 200 with Router ID 6.6.6.6
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet0/0/0 10.1.46.4 Full
0.0.0.0 GigabitEthernet0/0/1 7.7.7.7 Full
----------------------------------------------------------------------------
[R6]
#State Full means the adjacency has been established. Check the OSPF interface state:
[SW7]dis ospf interface Vlanif 40
OSPF Process 200 with Router ID 7.7.7.7
Interfaces
Interface: 192.168.67.7 (Vlanif40)
Cost: 1 State: DR Type: Broadcast MTU: 1500
Priority: 1
Designated Router: 192.168.67.7
Backup Designated Router: 192.168.67.6
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1
[SW7]
#This interface is the DR because the link type is multi-access (MA): once the neighbor relationship forms, a DR is elected (priority is compared first, default 1, then the Router-ID, higher wins). The requirement forbids a DR, so the interface type is changed to p2p. Change the network type of every interface in the OSPF area:
[R6-GigabitEthernet0/0/1]ospf network-type p2p //change the link type to p2p
[SW7-Vlanif40]ospf network-type p2p
Check the OSPF interface state again:
[SW7]dis ospf interface Vlanif 40
OSPF Process 200 with Router ID 7.7.7.7
Interfaces
Interface: 192.168.67.7 (Vlanif40) --> 192.168.67.6
Cost: 1 State: P-2-P Type: P2P MTU: 1500
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1
[SW7]
#The state is P-2-P and there is no DR any more, which meets the requirement.
#At this point all the basic configuration is complete; next comes MPLS VPN
Configure MPLS-VPN
Deploy IS-IS as the underlying protocol in the AS
[R1]isis 1
[R1-isis-1]is-level level-2
[R1-isis-1]network-entity 49.0001.0001.0000.0000.0001.00
[R1-GigabitEthernet0/0/2] isis enable 1
[R1-GigabitEthernet4/0/0] isis enable 1
[R1-LoopBack0] isis enable 1
#R1's configuration is shown; all routers are configured the same way. Check the IS-IS state:
[R1]dis isis peer
Peer information for ISIS(1)
System Id Interface Circuit Id State HoldTime Type PRI
-------------------------------------------------------------------------------
0000.0000.0002 GE0/0/2 0000.0000.0001.01 Up 22s L2 64
0000.0000.0003 GE4/0/0 0000.0000.0001.02 Up 30s L2 64
Total Peer(s): 2
[R1]
#All peers are Up.
- Enable MPLS and MPLS LDP in the MPLS domain
[R3]mpls lsr-id 3.3.3.3 //configure the LSR ID
[R3]mpls //enable MPLS globally
[R3]mpls ldp //enable MPLS LDP globally
[R3]in g 0/0/0
[R3-GigabitEthernet0/0/0]mpls //enable MPLS on the interface
[R3-GigabitEthernet0/0/0]mpls ldp //enable MPLS LDP on the interface
[R3]in g 0/0/1
[R3-GigabitEthernet0/0/1]mpls //enable MPLS on the interface
[R3-GigabitEthernet0/0/1]mpls ldp //enable MPLS LDP on the interface
#R3's configuration is shown; all routers are configured the same way.
- Check the MPLS LDP state:
[R3]dis mpls ldp session all
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
1.1.1.1:0 Operational DU Active 0000:02:22 569/569
4.4.4.4:0 Operational DU Passive 0000:02:22 570/570
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
[R3]
#Status Operational means the LDP sessions are established.
- Deploy VPN instances on the PE devices and configure the RD and RT attributes
[R1]ip vpn-instance 1
[R1-vpn-instance-1]route-distinguisher 100:100 //set the RD to 100:100
[R1-vpn-instance-1-af-ipv4]vpn-target 100:100 export-extcommunity //set the export RT to 100:100
[R1-vpn-instance-1-af-ipv4]vpn-target 100:100 import-extcommunity //set the import RT to 100:100
[R1-GigabitEthernet0/0/0]ip binding vpn-instance 1 //bind the interface to VPN instance 1
[R1-GigabitEthernet0/0/0]ip address 192.168.13.1 255.255.255.0 //re-configure the IP address, since binding the VPN instance clears it
[R1]ip vpn-instance 2
[R1-vpn-instance-2]route-distinguisher 200:200
[R1-vpn-instance-2-af-ipv4]vpn-target 200:200 export-extcommunity
[R1-vpn-instance-2-af-ipv4]vpn-target 200:200 import-extcommunity
[R1-GigabitEthernet0/0/1]ip binding vpn-instance 2
[R1-GigabitEthernet0/0/1]ip address 192.168.14.1 255.255.255.0
[R4]ip vpn-instance 1
[R4-vpn-instance-1]route-distinguisher 100:100 //set the RD to 100:100
[R4-vpn-instance-1-af-ipv4]vpn-target 100:100 export-extcommunity //set the export RT to 100:100
[R4-vpn-instance-1-af-ipv4]vpn-target 100:100 import-extcommunity //set the import RT to 100:100
[R4-GigabitEthernet4/0/0]ip binding vpn-instance 1
[R4-GigabitEthernet4/0/0]ip address 10.1.46.4 255.255.255.0
[R4]ip vpn-instance 2
[R4-vpn-instance-2]route-distinguisher 200:200
[R4-vpn-instance-2-af-ipv4]vpn-target 200:200 export-extcommunity
[R4-vpn-instance-2-af-ipv4]vpn-target 200:200 import-extcommunity
[R4-GigabitEthernet0/0/2]ip binding vpn-instance 2
[R4-GigabitEthernet0/0/2]ip address 10.1.45.4 255.255.255.0
#We will not dwell on the meaning of the RD and RT values.
#What matters is why the VPN instances are set up this way. Look at the requirement again: headquarters must reach the branches, but the branches must not reach each other.
#So two VPN instances are needed: headquarters gets two instances that map one-to-one onto the instances on the branch side, and each branch gets one instance that pairs only with headquarters, which achieves the goal of the lab.
Deploy MP-BGP between the PE devices
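To make the RT argument concrete, an added example that is not the lab's own code: a small model of the four VPN instances with the lab's RD and RT values, which computes which sites exchange routes (an export RT of the sender must match an import RT of the receiver) and flags any leak between the two branches, including a one-way leak from a single mistyped import RT. The site labels (HQ-SW3, HQ-SW4, Branch1-R5, Branch2-R6) are names chosen here, and the headquarters' own OSPF between SW3 and SW4 is outside the model.

```python
from itertools import permutations

class VpnInstance:
    """One 'ip vpn-instance' on a PE: RD, export/import route targets, attached site."""

    def __init__(self, name: str, rd: str, export_rt, import_rt, site: str):
        self.name, self.rd, self.site = name, rd, site
        self.export_rt = set(export_rt)
        self.import_rt = set(import_rt)

    def accepts_from(self, other: "VpnInstance") -> bool:
        """Routes exported by `other` enter this instance only when an RT matches."""
        return other is not self and bool(other.export_rt & self.import_rt)

def lab_instances():
    """The four instances from the lab's configuration (RD and RT values as configured)."""
    return [
        VpnInstance("R1 vpn-instance 1", "100:100", ["100:100"], ["100:100"], "HQ-SW3"),
        VpnInstance("R1 vpn-instance 2", "200:200", ["200:200"], ["200:200"], "HQ-SW4"),
        VpnInstance("R4 vpn-instance 1", "100:100", ["100:100"], ["100:100"], "Branch2-R6"),
        VpnInstance("R4 vpn-instance 2", "200:200", ["200:200"], ["200:200"], "Branch1-R5"),
    ]

def route_flows(instances):
    """Sorted (sender_site, receiver_site) pairs where the receiver imports the sender's routes."""
    return sorted((a.site, b.site) for a, b in permutations(instances, 2) if b.accepts_from(a))

def can_reach(instances, src: str, dst: str) -> bool:
    """Two-way check: both sites must learn each other's routes for traffic to go and return."""
    flows = set(route_flows(instances))
    return (src, dst) in flows and (dst, src) in flows

def isolation_violations(instances, isolated_sites):
    """Any route flow, even one-way, between sites that are required to stay isolated."""
    bad = set(isolated_sites)
    return [(s, d) for s, d in route_flows(instances) if s in bad and d in bad]

def leaky_instances():
    """Same design with one slip (constructed here): Branch 1's instance also imports 100:100."""
    inst = lab_instances()
    inst[3].import_rt.add("100:100")
    return inst
```

In the leaky variant can_reach still reports the branches as unreachable, because the leak is one-way; isolation_violations catches it anyway, which is the check worth running after any RT change.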
[R1]bgp 100
[R1-bgp]peer 4.4.4.4 as-number 100
[R1-bgp]peer 4.4.4.4 connect-interface LoopBack0
[R1-bgp]ipv4-family vpnv4 //enter the BGP-VPNv4 address family view
[R1-bgp-af-vpnv4]peer 4.4.4.4 enable //enable route exchange with 4.4.4.4
[R4]bgp 100
[R4-bgp]peer 1.1.1.1 as-number 100
[R4-bgp]peer 1.1.1.1 connect-interface LoopBack0
[R4-bgp]ipv4-family vpnv4 //enter the BGP-VPNv4 address family view
[R4-bgp-af-vpnv4]peer 1.1.1.1 enable //enable route exchange with 1.1.1.1
Check the MP-BGP state:
[R4]dis bgp vpnv4 all peer
BGP local router ID : 10.1.24.4
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
1.1.1.1 4 100 186 158 0 02:31:17 Established 0
[R4]
#The BGP peering is established. Deploy OSPF between PE-R4 and CE-R6:
[R4]ospf 200 vpn-instance 1 //OSPF process bound to VPN instance 1
[R4-ospf-200]a 0
[R4-ospf-200-area-0.0.0.0]network 10.1.46.4 0.0.0.0
[R4-ospf-200-area-0.0.0.0]network 4.4.4.4 0.0.0.0
[R6]ospf 200
[R6-ospf-200]a 0
[R6-ospf-200-area-0.0.0.0]network 10.1.46.6 0.0.0.0
#Note that the link types on both ends must match. R6's link type was just changed to p2p; if the peer side is still an Ethernet (broadcast) link, the adjacency can still form, because the hello and dead timers are the same, but no routes are passed. Pay close attention to this. Check the OSPF state:
[R4]dis ospf pe b
OSPF Process 200 with Router ID 10.1.46.4
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet4/0/0 6.6.6.6 Full
----------------------------------------------------------------------------
[R4]
#The OSPF adjacency is established. Deploy BGP between PE-R4 and CE-R5:
[R4]bgp 100
[R4-bgp]ipv4-family vpn-instance 2 //enter the BGP-VPN instance view
[R4-bgp-2]as-number 300 //assign a new AS number for this instance
[R4-bgp-2]peer 10.1.45.5 as-number 200 //manually specify the EBGP peer
[R5]bgp 200
[R5-bgp]peer 10.1.45.4 as-number 300
Check the BGP state:
[R4]dis bgp vpnv4 all peer
BGP local router ID : 10.1.24.4
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
1.1.1.1 4 100 233 205 0 03:18:19 Established 0
Peer of IPv4-family for vpn instance :
VPN-Instance 2, Router ID 10.1.24.4:
10.1.45.5 4 200 202 222 0 03:18:42 Established 2
[R4]
#There are two peers: one IBGP peer and one EBGP peer. Deploy OSPF between PE-R1 and CE-SW3/SW4:
[R1]ospf 1 vpn-instance 1 //OSPF process bound to VPN instance 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 1.1.1.1 0.0.0.0
[R1-ospf-1-area-0.0.0.0]network 192.168.13.1 0.0.0.0
[R1]ospf 2 vpn-instance 2
[R1-ospf-2]a 0
[R1-ospf-2-area-0.0.0.0]network 192.168.14.1 0.0.0.0
[SW3]ospf 1
[SW3-ospf-1]a 0
[SW3-ospf-1-area-0.0.0.0]network 192.168.13.3 0.0.0.0
[SW4]ospf 1
[SW4-ospf-1]a 0
[SW4-ospf-1-area-0.0.0.0]network 192.168.14.4 0.0.0.0
[SW4-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[SW4-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
#Because there are two VPN instances, a separate OSPF process is created for each so that each learns its own routes. Check the OSPF state:
[R1]dis ospf peer brief
OSPF Process 1 with Router ID 192.168.13.1
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet0/0/0 192.168.10.252 Full
----------------------------------------------------------------------------
OSPF Process 2 with Router ID 192.168.14.1
Peer Statistic Information
----------------------------------------------------------------------------
Area Id Interface Neighbor id State
0.0.0.0 GigabitEthernet0/0/1 192.168.10.253 Full
----------------------------------------------------------------------------
[R1]
#Both OSPF adjacencies are established. Check the OSPF routes in VPN instance 1 on R1:
[R1]dis ip routing-table vpn-instance 1 protocol ospf
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
1 routing table : OSPF
Destinations : 5 Routes : 5
OSPF routing table status : <Active>
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
192.168.10.0/24 OSPF 10 2 D 192.168.13.3 GigabitEthernet0/0/0
192.168.10.254/32 OSPF 10 2 D 192.168.13.3 GigabitEthernet0/0/0
192.168.14.0/24 OSPF 10 3 D 192.168.13.3 GigabitEthernet0/0/0
192.168.20.0/24 OSPF 10 2 D 192.168.13.3 GigabitEthernet0/0/0
192.168.20.254/32 OSPF 10 3 D 192.168.13.3 GigabitEthernet0/0/0
OSPF routing table status : <Inactive>
Destinations : 0 Routes : 0
[R1]
#The routes to the headquarters hosts are present, but they are not in BGP, so they have to be imported into BGP for delivery to the branches.
- Configure two-way route import on PE-R1:
//Import OSPF into BGP:
[R1-bgp]ipv4-family vpn-instance 1
[R1-bgp-1]import-route ospf 1
[R1-bgp]ipv4-family vpn-instance 2
[R1-bgp-2]import-route ospf 2
//Import BGP into OSPF:
[R1]ospf 1
[R1-ospf-1]import-route bgp
[R1]ospf 2
[R1-ospf-2]import-route bgp
//Import OSPF into BGP:
[R4-bgp]ipv4-family vpn-instance 1
[R4-bgp-1]import-route ospf 200
//Import BGP into OSPF:
[R4]ospf 200
[R4-ospf-200]import-route bgp
- Check the routing table of VPN instance 1 on the PE:
[R1]dis ip rou vpn 1 192.168.78.0 verbose
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : 1
Summary Count : 1
Destination: 192.168.78.0/24
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 4
NextHop: 4.4.4.4 Neighbour: 4.4.4.4
State: Active Adv Relied Age: 00h00m58s
Tag: 0 Priority: low
Label: 1040 QoSInfo: 0x0
IndirectID: 0x4
RelayNextHop: 10.1.12.2 Interface: GigabitEthernet0/0/2
TunnelID: 0x3 Flags: RD
[R1]
#The route to the branch 2 hosts is present; the private (inner) label is 1040, distributed by BGP.
#The private label decides which VPN instance a packet is forwarded through.
- Check the MPLS LSP:
[R4]dis mpls lsp include 3.3.3.3 32
-------------------------------------------------------------------------------
LSP Information: LDP LSP
-------------------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
3.3.3.3/32 NULL/3 -/GE0/0/1
3.3.3.3/32 1024/3 -/GE0/0/1
[R4]
#The public (outer) label distributed by MPLS LDP is 1024.
#The public label is needed because the backbone has no VPNv4 routing table and cannot forward on VPNv4 routes; the public label guides the packet to the remote PE. Capture packets to check the labels:
The capture shows public label 1024 and private label 1040, matching the above
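The two-label stack seen in the capture, as an added example that is not part of the original writeup: encode and decode MPLS label stack entries (RFC 3032 layout) with the lab's public label 1024 and private label 1040, and model a transit LSR popping the outer label when its ILM entry maps it to implicit-null 3, the same In/Out form the dis mpls lsp output shows. The ILM mapping 1024 to 3 on the hop before R4 is assumed for illustration, and the IP payload bytes are constructed.

```python
import struct

IMPLICIT_NULL = 3  # LDP label 3: the upstream LSR pops instead of swapping (PHP)

def encode_entry(label: int, tc: int = 0, bos: int = 0, ttl: int = 255) -> bytes:
    """One 4-byte stack entry: label(20) | TC(3) | S(1) | TTL(8), RFC 3032."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | ((tc & 7) << 9) | ((bos & 1) << 8) | (ttl & 0xFF))

def push_stack(labels, payload: bytes, ttl: int = 255) -> bytes:
    """labels[0] is the outermost (public) entry; the last one carries the bottom-of-stack bit."""
    last = len(labels) - 1
    stack = b"".join(encode_entry(lbl, bos=int(i == last), ttl=ttl) for i, lbl in enumerate(labels))
    return stack + payload

def decode_stack(frame: bytes):
    """Return (entries, payload); walks entries until one carries S=1."""
    entries, off = [], 0
    while True:
        if off + 4 > len(frame):
            raise ValueError("label stack has no bottom-of-stack entry")
        (word,) = struct.unpack("!I", frame[off:off + 4])
        off += 4
        entries.append({"label": word >> 12, "tc": (word >> 9) & 7,
                        "bos": (word >> 8) & 1, "ttl": word & 0xFF})
        if entries[-1]["bos"]:
            return entries, frame[off:]

def has_bottom_of_stack(frame: bytes) -> bool:
    try:
        decode_stack(frame)
        return True
    except ValueError:
        return False

def lsr_forward(frame: bytes, ilm: dict) -> bytes:
    """Transit LSR: look the top label up in the ILM (in-label -> out-label) and swap it,
    decrementing its TTL, or pop it when the out-label is implicit-null. A label with no
    ILM entry raises KeyError, standing in for the LSR dropping the frame."""
    entries, payload = decode_stack(frame)
    top, rest = entries[0], entries[1:]
    out_label = ilm[top["label"]]
    if out_label == IMPLICIT_NULL:
        new_entries = rest  # penultimate-hop pop: the private label is now on top
    else:
        new_entries = [dict(top, label=out_label, ttl=top["ttl"] - 1)] + rest
    stack = b"".join(encode_entry(e["label"], e["tc"], e["bos"], e["ttl"]) for e in new_entries)
    return stack + payload

def hq_to_branch2_walkthrough() -> dict:
    """R1 pushes [1024, 1040] onto an HQ -> Branch 2 IP packet; the hop before R4 is
    assumed to hold ILM 1024 -> 3, so R4 receives only 1040, which selects VPN instance 1."""
    ip_packet = bytes.fromhex("450000540001000040010000c0a80a01c0a84e07")  # constructed IPv4 header
    at_r1_egress = push_stack([1024, 1040], ip_packet)
    before, _ = decode_stack(at_r1_egress)
    at_r4_ingress = lsr_forward(at_r1_egress, {1024: IMPLICIT_NULL})
    after, payload = decode_stack(at_r4_ingress)
    return {"labels_at_r1": [e["label"] for e in before],
            "bos_at_r1": [e["bos"] for e in before],
            "labels_at_r4": [e["label"] for e in after],
            "payload_intact": payload == ip_packet}
```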
- Check the routing table of VPN instance 2 on the PE:
[R1]dis ip routing-table vpn-instance 2 192.168.56.0 verbose
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : 2
Summary Count : 1
Destination: 192.168.56.0/24
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 4.4.4.4 Neighbour: 4.4.4.4
State: Active Adv Relied Age: 03h55m09s
Tag: 0 Priority: low
Label: 1027 QoSInfo: 0x0
IndirectID: 0x3
RelayNextHop: 10.1.12.2 Interface: GigabitEthernet0/0/2
TunnelID: 0x3 Flags: RD
[R1]
#The private label is 1027.
#The public label is the same, because all the traffic has to reach R4. Capture packets to check:
The public label is 1024 and the private label is 1027.
Lab results:
From headquarters PC1, access branch PC7:
PC>ping 192.168.78.7
Ping 192.168.78.7: 32 data bytes, Press Ctrl_C to break
From 192.168.78.7: bytes=32 seq=1 ttl=122 time=141 ms
From 192.168.78.7: bytes=32 seq=2 ttl=122 time=140 ms
From 192.168.78.7: bytes=32 seq=3 ttl=122 time=94 ms
From 192.168.78.7: bytes=32 seq=4 ttl=122 time=141 ms
From 192.168.78.7: bytes=32 seq=5 ttl=122 time=94 ms
--- 192.168.78.7 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 94/122/141 ms
PC>
From headquarters PC2, access branch PC6:
PC>ping 192.168.56.6
Ping 192.168.56.6: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.56.6: bytes=32 seq=2 ttl=123 time=141 ms
From 192.168.56.6: bytes=32 seq=3 ttl=123 time=125 ms
From 192.168.56.6: bytes=32 seq=4 ttl=123 time=172 ms
From 192.168.56.6: bytes=32 seq=5 ttl=123 time=172 ms
--- 192.168.56.6 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/152/172 ms
PC>
From branch 2 PC7, access branch 1 PC6:
PC>ping 192.168.78.7
Ping 192.168.78.7: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.78.7 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
PC>
Lab summary:
This lab tests many knowledge points. The hardest part is MPLS-VPN; nothing else is especially difficult, but the details matter. The lab covers most of the IP knowledge points, although the hardest ones, route filtering and route leaking, were not tested. Overall the configuration is very tedious; pay attention to the details, work through it step by step from your own experience, and there should be no real problems.