MPLS VPN Lab Summary
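1. Lab topology
The lab topology is as follows:
2. Key theory points
This lab is a study of MPLS VPN. It consists of two parts, building the underlying network and the MPLS VPN network; the three network layers involved are each described briefly below:
2.1 Brief description of the underlying network:
As shown in the figure above, R1, R2 and R3 are the AS border routers and run EBGP: R1 belongs to AS100, R2 to AS200 and R3 to AS300.
The carrier bearer-network routers in AS100 are R1, R4, R5 and R6. R4, R5 and R6 run OSPF; R1 runs both OSPF and EBGP and redistributes each into the other. Two issues need attention when redistributing:
1. When OSPF is redistributed into EBGP, an AS border router normally advertises summary routes and suppresses the detailed routes. If EBGP does need to advertise detailed routes, use a policy mechanism to control it, for example ACL-based control (strictly it should be a route-map; I have worked with ACLs so much that I habitually call every control an ACL). Alternatively, first write a summary route pointing to the Null interface and then announce it into EBGP with a network statement. In short, there are many methods and the right one depends on the specific problem. This is not the focus of this lab, so OSPF is redistributed directly into EBGP with no policy applied.
2. When EBGP is redistributed into OSPF, never redistribute EBGP directly into OSPF, for two reasons. First: two carriers normally do not want their detailed routing information advertised to other carriers, because that fully exposes their own network to a competitor and creates a serious security problem.
Second: it leaves the OSPF routers inside the AS with too many route entries, and routers whose performance cannot keep up go down.
What I did here: on the border router, create a default route pointing to the Null interface and redistribute it into OSPF. This method is also rather crude. There are better ways, such as running IBGP inside the AS and splitting OSPF into several mutually independent OSPF areas (independent OSPF areas, not ASes). When running IBGP, pay attention to the characteristics of EBGP and IBGP, such as the next-hop attribute, route synchronization, confederations and route reflection.
Other BGP and OSPF issues are covered in other documents and are not described here.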
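The two redistribution rules above can be checked mechanically. The following Python script is an added example, not part of the original lab: it scans IOS-style routing stanzas and reports IGP routes redistributed into BGP without a route-map, and BGP redistributed into the core (non-VRF) OSPF process. The R1 and R5 excerpts come from the configurations listed later in this write-up; router RX and the route-map name OSPF-SUMMARY-ONLY are constructed for illustration.

```python
# Constructed input: routing stanzas of R1 and R5 excerpted from the listing in
# this write-up, plus a hypothetical router RX. The route-map name
# OSPF-SUMMARY-ONLY is an assumption for illustration.
SAMPLE = {
    "R1": """
router ospf 110
default-information originate
!
router bgp 100
redistribute eigrp 100
redistribute ospf 110
neighbor 12.1.1.2 remote-as 200
""",
    "R5": """
router ospf 100 vrf vpn1
redistribute bgp 100 subnets
!
router bgp 100
neighbor 8.8.8.8 remote-as 200
!
address-family ipv4 vrf vpn1
redistribute ospf 100
exit-address-family
""",
    "RX": """
router ospf 110
redistribute bgp 100 subnets
!
router bgp 100
redistribute ospf 110 route-map OSPF-SUMMARY-ONLY
""",
}


def audit_redistribution(config):
    """Return (stanza, command, reason) for each risky 'redistribute' line."""
    findings, stanza, vrf_scope = [], None, False
    for line in (l.strip() for l in config.splitlines()):
        words = line.split()
        if line.startswith("router "):
            # 'router ospf 100 vrf vpn1' is a PE-CE process, not the core IGP
            stanza, vrf_scope = line, "vrf" in words[3:]
        elif line.startswith("address-family "):
            vrf_scope = "vrf" in words  # per-VRF family under 'router bgp'
        elif line == "exit-address-family":
            vrf_scope = False
        elif words[:1] == ["redistribute"] and stanza and not vrf_scope:
            if stanza.startswith("router bgp") and "route-map" not in words:
                findings.append((stanza, line, "IGP routes reach BGP peers unfiltered"))
            elif stanza.startswith("router ospf") and words[1:2] == ["bgp"]:
                findings.append((stanza, line, "BGP redistributed into the core OSPF"))
    return findings


def audit_all(configs):
    """Audit every router in a {name: config_text} mapping."""
    return {name: audit_redistribution(cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, findings or "ok")
```

Redistribution inside a VRF (the PE-CE OSPF processes and the per-VRF BGP address families) is deliberately skipped, because those routes are scoped by the route targets rather than leaked into the carrier core.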
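2.2 Brief description of the MPLS VPN network:
The MPLS VPN network needs the following technologies:
1. LDP (RSVP-TE can also be used to distribute labels)
As shown in the figure above, R1-R11 and R22-R24 make up the carrier's data network: R1-R11 form the MPLS network, and R22-R24 are a simple IP routed network:
The focus here is how R1-R11 run LDP to build the MPLS network. The biggest problem is that R1, R2 and R3 run EBGP between them, and LDP cannot assign labels to BGP routes. More precisely (from observation in the lab), the router can assign a label, but when it is passed to the neighbor, the neighbor checks the route and the label, and when it finds that the route was learned from BGP it does not add the label sent by the remote end to its label forwarding table. (PS: there is something fun here, namely how MPLS prevents BGP route black holes; try it if you are interested.)
How is this solved? In the actual configuration I worked around the problem, as follows:
First create loopback interfaces on R1, R2 and R3 and use static routes so that they can reach each other. Then configure GRE tunnels based on the loopbacks, enable OSPF, and announce the GRE tunnel interfaces into OSPF. The routes that EBGP advertises into OSPF are Type 5 LSA external routes, whereas the routes learned over the GRE tunnels are OSPF internal routes.
This lab does not actually demonstrate that intent, because when injecting EBGP into OSPF I redistributed the route 0.0.0.0 0.0.0.0 null0 into OSPF on R1, R2 and R3.
With LDP crossing BGP solved, the next step is to enable LDP. The points of interest in LDP are:
1. LDP port control
2. LDP label advertisement control
3. LDP load balancing
4. TTL changes as IP data enters and leaves the LDP network
5. The LDP last-hop issue (POP)
6. Synchronization between LDP labels and routes
7. The specific role of IP CEF, which provides fast route forwarding;
2. VRF principle (VRF is placed before MP-BGP to make the explanation easier)
A VRF is a virtual router inside a router, like installing a virtual machine on a computer: first you install the virtual machine, then you allocate computer resources to it, and finally you work out how it communicates with the Internet.
A VRF works the same way: first you configure a VRF, then you assign the interfaces that belong to it, and finally you solve how it communicates and interconnects:
The functions of a VRF are described in detail below. First, a simple VRF configuration: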
ip vrf vpn1
rd 300:1
route-target export 300:1
route-target import 100:1
interface Serial2/0
ip vrf forwarding vpn1
ip address 11.15.1.1 255.255.255.252
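Explanation:
1. Create the VRF instance. Command: ip vrf vpn1
2. PE1 connects to two private networks at the same time, and both use the 192.168.1.0/24 segment. PE1 must therefore tell the two 192.168.1.0/24 segments apart, so that when the route is carried across the public network to the destination, the router that receives this IP segment knows which private network it belongs to. An RD is therefore prepended to the 192.168.1.0/24 segment.
The RD has two formats: ASN:nn (common) and IP-address:nn. ASN is the BGP AS number and nn is a number. The number can be chosen freely as long as it is reasonable, but it must differ between different customers on the same router. The addresses used later in the VPNv4 address family are RD + IP address.
3. The RT defines which RD+IP routes this VRF is interested in importing and exporting (routes entering and leaving a VRF have the form RD+IP), that is, which routes you want to enter and leave this VRF.
4. Finally, bind the interface. Binding means that IP routes received on this interface have the RD added and are then forwarded on; in other words, the conversion between RD+IP routes and plain IP routes happens at this interface.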
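The RD and RT rules above decide which VRFs can exchange routes. The following Python example is added here and is not part of the original lab: it parses the ip vrf stanzas of the PE routers R5, R8 and R11 from the configuration listing in this write-up, derives which VRF imports which other VRF's routes, and flags one-way imports, imports between differently named VPNs, and an RD reused on one router. The hostname marker lines and the extra import in LEAKY are constructed.

```python
import re
from collections import defaultdict

# 'ip vrf' stanzas of the PE routers R5, R8 and R11, copied from the listing in
# this write-up. The 'hostname' lines are added so the parser can tell them apart.
LISTING = """
hostname R5
ip vrf vpn1
rd 100:1
route-target export 100:1
route-target import 300:1
hostname R8
ip vrf vpn2
rd 200:1
route-target export 200:1
route-target import 300:2
ip vrf vpn3
rd 200:2
route-target export 200:2
route-target import 300:3
hostname R11
ip vrf vpn1
rd 300:1
route-target export 300:1
route-target import 100:1
ip vrf vpn2
rd 300:2
route-target export 300:2
route-target import 200:1
ip vrf vpn3
rd 300:3
route-target export 300:3
route-target import 200:2
"""
# Constructed misconfiguration: R11's vpn1 additionally imports R8 vpn3's RT.
LEAKY = LISTING.replace("import 100:1", "import 100:1\nroute-target import 200:2")

def parse_vrfs(text):
    """Return {(router, vrf): {'rd': str, 'export': set, 'import': set}}."""
    vrfs, router, cur = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"hostname (\S+)", line):
            router, cur = m.group(1), None
        elif m := re.fullmatch(r"ip vrf (\S+)", line):
            cur = vrfs[(router, m.group(1))] = {"rd": None, "export": set(), "import": set()}
        elif cur is None:
            continue
        elif m := re.fullmatch(r"rd (\S+)", line):
            cur["rd"] = m.group(1)
        elif m := re.fullmatch(r"route-target (export|import|both) (\S+)", line):
            for kind in (("export", "import") if m.group(1) == "both" else (m.group(1),)):
                cur[kind].add(m.group(2))
        else:
            cur = None  # any other command ends the VRF stanza
    return vrfs

def audit(vrfs):
    """flows: (src, dst) pairs where dst imports an RT that src exports.
    one_way: flows with no reverse flow; cross_vpn: flows between VRFs whose
    names differ; dup_rd: one RD shared by several VRFs on the same router."""
    flows = {(src, dst) for src, s in vrfs.items() for dst, d in vrfs.items()
             if src != dst and s["export"] & d["import"]}
    by_rd = defaultdict(list)
    for (router, name), v in vrfs.items():
        by_rd[(router, v["rd"])].append(name)
    return {
        "flows": sorted(flows),
        "one_way": sorted(f for f in flows if f[::-1] not in flows),
        "cross_vpn": sorted(f for f in flows if f[0][1] != f[1][1]),
        "dup_rd": {k: v for k, v in by_rd.items() if len(v) > 1},
    }

if __name__ == "__main__":
    print(audit(parse_vrfs(LISTING)), audit(parse_vrfs(LEAKY)), sep="\n")
```

With the values as listed, every flow is bidirectional and stays inside one VPN; the single extra import in LEAKY is enough to pull R8's vpn3 routes into R11's vpn1.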
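3. MP-BGP protocol
As shown in the figure above, R13, R15-R17/R25-R26 and R14/R18-R19 are subsidiaries of one enterprise in three different locations. R13 must interwork with R15/R26 (department 1), R18 with R16/R25 (department 2), and R19 with R17 (department 3). R14 is the aggregation router for R18 and R19.
MP-BGP mainly solves how to interconnect the enterprise's private routes across the public network. The implementation details are:
1. Establish neighbors. Because BGP runs over TCP, first establish neighbor relationships between each pair of the customer-facing edge routers R5, R8 and R11;
2. On R5, R8 and R11, create a VRF for each department and bind interfaces to isolate traffic between departments;
3. Enable OSPF inside each VRF to learn the routes internal to the customer's department;
4. In MP-BGP, create the VPNv4 address family and bind the corresponding VRF for each;
5. Redistribute routes between MP-BGP and OSPF.
Key points:
a: The routes MP-BGP advertises carry the VRF's RD and are encapsulated in the extended NLRI (MP-BGP defines several kinds; look them up if interested); the RT is carried in the extended community attribute;
b: This lab uses OSPF as the private-network routing protocol. Routes learned from the remote end through MP-BGP are advertised in as Type 5 LSA external routes; they can also be configured to come in as Type 3 LSA routes, and Sham-Link can be used to build a more realistic OSPF network;
c: If BGP is used as the private-network protocol, the AS-PATH issue must be considered;
A typical configuration: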
router bgp 300
bgp log-neighbor-changes
neighbor 5.5.5.5 remote-as 100
neighbor 5.5.5.5 ebgp-multihop 255
neighbor 5.5.5.5 update-source Loopback0
neighbor 5.5.5.5 next-hop-self
neighbor 8.8.8.8 remote-as 200
neighbor 8.8.8.8 ebgp-multihop 255
neighbor 8.8.8.8 update-source Loopback0
neighbor 8.8.8.8 next-hop-self
!
address-family vpnv4
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community both
neighbor 8.8.8.8 activate
neighbor 8.8.8.8 send-community both
exit-address-family
!
address-family ipv4 vrf vpn1
redistribute ospf 100
exit-address-family
!
address-family ipv4 vrf vpn2
redistribute ospf 101
exit-address-family
!
address-family ipv4 vrf vpn3
redistribute ospf 102
exit-address-family
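4. Customer private network: the CE-PE-PE-CE solution:
Requirements:
1. R13, R15-R17/R25-R26 and R14/R18-R19 are subsidiaries of one enterprise in three different locations. R13 must interwork with R15/R26 (department 1), R18 with R16/R25 (department 2), and R19 with R17 (department 3). R14 is the aggregation router for R18 and R19;
2. Some computers or segments inside the LAN that hold important data must not be reachable from each other across departments. The approach taken is to enable VRF on the CE and run OSPF inside the VRF to exchange routes with the PE, isolating data by router interface; the other, non-critical interfaces on the router use EIGRP for interworking between departments;
3. All customers on the CEs must be able to reach the Internet. The approach: build a GRE tunnel between PE and CE, run EIGRP between the Internet network and the internal network to learn routes, and then use a static route plus redistribution of the static route into EIGRP so that the computers and segments holding important data can reach the Internet;
4. Encrypt the traffic of the computers and segments holding important data. IPsec was applied inside the MPLS VPN network, but the configuration did not take effect; the exact cause is unknown;
3. Detailed configuration:
1. AS border routers R1, R2 and R3:
R1 configuration: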
ip cef
no ipv6 cef
!
mpls label protocol ldp
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
ip address 1.11.1.1 255.255.255.255
!
interface Loopback2
ip address 1.11.11.1 255.255.255.255
!
interface Loopback3
ip address 1.11.11.11 255.255.255.255
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
tunnel source Loopback0
tunnel destination 2.2.2.2
!
interface Tunnel1
ip address 192.168.2.1 255.255.255.252
mpls label protocol ldp
mpls ip
tunnel source Loopback1
tunnel destination 3.3.3.3
!
interface Ethernet0/0
ip address 12.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
!
interface Ethernet0/1
ip address 13.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
!
interface Serial1/0
ip address 14.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/1
ip address 15.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/2
ip address 16.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial2/0
ip address 1.22.1.1 255.255.255.252
serial restart-delay 0
!
router eigrp 100
network 0.0.0.0
network 1.11.11.11 0.0.0.0
network 1.22.1.1 0.0.0.0
!
router ospf 110
router-id 1.1.1.1
network 1.1.1.1 0.0.0.0 area 0
network 1.11.1.1 0.0.0.0 area 0
network 1.11.11.1 0.0.0.0 area 0
network 14.1.1.1 0.0.0.0 area 0
network 15.1.1.1 0.0.0.0 area 0
network 16.1.1.1 0.0.0.0 area 0
network 192.168.1.1 0.0.0.0 area 0
network 192.168.2.1 0.0.0.0 area 0
default-information originate
!
router bgp 100
bgp log-neighbor-changes
redistribute eigrp 100
redistribute ospf 110
neighbor 12.1.1.2 remote-as 200
neighbor 12.1.1.2 update-source Ethernet0/0
neighbor 12.1.1.2 next-hop-self
neighbor 13.1.1.2 remote-as 300
neighbor 13.1.1.2 update-source Ethernet0/1
neighbor 13.1.1.2 next-hop-self
!
ip route 0.0.0.0 0.0.0.0 Null0
ip route 2.2.2.2 255.255.255.255 12.1.1.2
ip route 2.22.2.2 255.255.255.255 12.1.1.2
ip route 3.3.3.3 255.255.255.255 13.1.1.2
ip route 3.33.3.3 255.255.255.255 13.1.1.2
mpls ldp router-id Loopback0
R2 configuration:
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
mpls label protocol ldp
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
ip address 2.22.2.2 255.255.255.255
!
interface Loopback2
ip address 2.22.22.2 255.255.255.255
!
interface Loopback3
ip address 2.22.22.22 255.255.255.255
!
interface Tunnel0
ip address 192.168.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
tunnel source Loopback0
tunnel destination 1.1.1.1
!
interface Tunnel1
ip address 192.168.3.1 255.255.255.252
mpls label protocol ldp
mpls ip
tunnel source Loopback1
tunnel destination 3.33.3.3
!
interface Ethernet0/0
ip address 12.1.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
!
interface Ethernet0/1
ip address 23.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
!
interface Serial1/0
ip address 27.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/1
ip address 28.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/2
ip address 29.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial2/0
ip address 2.23.1.1 255.255.255.252
serial restart-delay 0
!
router eigrp 200
network 0.0.0.0
network 2.22.22.22 0.0.0.0
network 2.23.1.1 0.0.0.0
!
router ospf 110
router-id 2.2.2.2
network 2.2.2.2 0.0.0.0 area 0
network 2.22.2.2 0.0.0.0 area 0
network 2.22.22.2 0.0.0.0 area 0
network 27.1.1.1 0.0.0.0 area 0
network 28.1.1.1 0.0.0.0 area 0
network 29.1.1.1 0.0.0.0 area 0
network 192.168.1.2 0.0.0.0 area 0
network 192.168.3.1 0.0.0.0 area 0
default-information originate
!
router bgp 200
bgp log-neighbor-changes
redistribute eigrp 200
redistribute ospf 110
neighbor 1.1.1.1 remote-as 100
neighbor 1.1.1.1 ebgp-multihop 2
neighbor 1.1.1.1 update-source Loopback0
neighbor 1.1.1.1 next-hop-self
neighbor 12.1.1.1 remote-as 100
neighbor 12.1.1.1 update-source Ethernet0/0
neighbor 12.1.1.1 next-hop-self
neighbor 23.1.1.2 remote-as 300
neighbor 23.1.1.2 update-source Ethernet0/1
neighbor 23.1.1.2 next-hop-self
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Null0
ip route 1.1.1.1 255.255.255.255 12.1.1.1
ip route 1.11.1.1 255.255.255.255 12.1.1.1
ip route 3.3.3.3 255.255.255.255 23.1.1.2
ip route 3.33.3.3 255.255.255.255 23.1.1.2
!
mpls ldp router-id Loopback0
R3 configuration:
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
mpls label protocol ldp
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Loopback1
ip address 3.33.3.3 255.255.255.255
!
interface Loopback2
ip address 3.33.33.3 255.255.255.255
!
interface Loopback3
ip address 3.33.33.33 255.255.255.255
!
interface Tunnel0
ip address 192.168.2.2 255.255.255.252
mpls label protocol ldp
mpls ip
tunnel source Loopback0
tunnel destination 1.11.1.1
!
interface Tunnel1
ip address 192.168.3.2 255.255.255.252
mpls label protocol ldp
mpls ip
tunnel source Loopback1
tunnel destination 2.22.2.2
!
interface Ethernet0/0
ip address 13.1.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
!
interface Ethernet0/1
ip address 23.1.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
!
interface Serial1/0
ip address 3.10.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/1
ip address 3.11.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/2
ip address 3.12.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial2/0
ip address 3.24.1.1 255.255.255.252
serial restart-delay 0
!
router eigrp 300
network 0.0.0.0
network 3.24.1.1 0.0.0.0
network 3.33.33.33 0.0.0.0
!
router ospf 110
router-id 3.3.3.3
network 3.3.3.3 0.0.0.0 area 0
network 3.10.1.1 0.0.0.0 area 0
network 3.11.1.1 0.0.0.0 area 0
network 3.12.1.1 0.0.0.0 area 0
network 3.33.3.3 0.0.0.0 area 0
network 3.33.33.3 0.0.0.0 area 0
network 192.168.2.2 0.0.0.0 area 0
network 192.168.3.2 0.0.0.0 area 0
default-information originate
!
router bgp 300
bgp log-neighbor-changes
redistribute eigrp 300
redistribute ospf 110
neighbor 13.1.1.1 remote-as 100
neighbor 13.1.1.1 update-source Ethernet0/0
neighbor 23.1.1.1 remote-as 200
neighbor 23.1.1.1 update-source Ethernet0/1
neighbor 23.1.1.1 next-hop-self
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Null0
ip route 1.1.1.1 255.255.255.255 13.1.1.1
ip route 1.11.1.1 255.255.255.255 13.1.1.1
ip route 2.2.2.2 255.255.255.255 23.1.1.1
ip route 2.22.2.2 255.255.255.255 23.1.1.1
!
mpls ldp router-id Loopback0
2. Public network configuration inside AS100:
R4 configuration:
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
mpls label protocol ldp
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface Loopback1
ip address 4.44.4.4 255.255.255.255
!
interface Loopback2
ip address 4.44.44.4 255.255.255.255
!
interface Serial1/0
ip address 14.1.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/1
ip address 45.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/2
ip address 46.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
router ospf 110
router-id 4.4.4.4
network 4.4.4.4 0.0.0.0 area 0
network 4.44.4.4 0.0.0.0 area 0
network 4.44.44.4 0.0.0.0 area 0
network 14.1.1.2 0.0.0.0 area 0
network 45.1.1.1 0.0.0.0 area 0
network 46.1.1.1 0.0.0.0 area 0
!
R5 configuration:
ip vrf vpn1
rd 100:1
route-target export 100:1
route-target import 300:1
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
mpls label protocol ldp
interface Loopback0
ip address 5.5.5.5 255.255.255.255
!
interface Loopback1
ip address 5.55.5.5 255.255.255.255
!
interface Loopback2
ip address 5.55.55.5 255.255.255.255
!
interface Serial1/0
ip address 15.1.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/1
ip address 45.1.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/2
ip address 56.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/3
ip vrf forwarding vpn1
ip address 5.13.1.1 255.255.255.252
serial restart-delay 0
!
!
router ospf 100 vrf vpn1
redistribute bgp 100 subnets
network 5.13.1.1 0.0.0.0 area 0
!
router ospf 110
router-id 5.5.5.5
network 5.5.5.5 0.0.0.0 area 0
network 5.55.5.5 0.0.0.0 area 0
network 5.55.55.5 0.0.0.0 area 0
network 15.1.1.2 0.0.0.0 area 0
network 45.1.1.2 0.0.0.0 area 0
network 56.1.1.1 0.0.0.0 area 0
!
router bgp 100
bgp log-neighbor-changes
neighbor 8.8.8.8 remote-as 200
neighbor 8.8.8.8 ebgp-multihop 255
neighbor 8.8.8.8 update-source Loopback0
neighbor 8.8.8.8 next-hop-self
neighbor 11.11.11.11 remote-as 300
neighbor 11.11.11.11 ebgp-multihop 255
neighbor 11.11.11.11 update-source Loopback0
neighbor 11.11.11.11 next-hop-self
!
address-family vpnv4
neighbor 8.8.8.8 activate
neighbor 8.8.8.8 send-community both
neighbor 11.11.11.11 activate
neighbor 11.11.11.11 send-community both
exit-address-family
!
address-family ipv4 vrf vpn1
redistribute ospf 100
exit-address-family
!
3. AS200 public network configuration:
R7 configuration:
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
mpls label protocol ldp
interface Loopback0
ip address 7.7.7.7 255.255.255.255
!
interface Loopback1
ip address 7.77.7.7 255.255.255.255
!
interface Loopback2
ip address 7.77.77.7 255.255.255.255
!
interface Serial1/0
ip address 27.1.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/1
ip address 78.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/2
ip address 79.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
router ospf 110
router-id 7.7.7.7
network 7.7.7.7 0.0.0.0 area 0
network 7.77.7.7 0.0.0.0 area 0
network 7.77.77.7 0.0.0.0 area 0
network 27.1.1.2 0.0.0.0 area 0
network 78.1.1.1 0.0.0.0 area 0
network 79.1.1.1 0.0.0.0 area 0
R8 configuration:
ip vrf vpn2
rd 200:1
route-target export 200:1
route-target import 300:2
!
ip vrf vpn3
rd 200:2
route-target export 200:2
route-target import 300:3
!
!
!
!
ip cef
no ipv6 cef
!
interface Loopback0
ip address 8.8.8.8 255.255.255.255
!
interface Loopback1
ip address 8.88.8.8 255.255.255.255
!
interface Loopback2
ip address 8.88.88.8 255.255.255.255
!
interface Serial1/0
ip address 28.1.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/1
ip address 78.1.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/2
ip address 89.1.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/3
ip vrf forwarding vpn2
ip address 8.14.1.1 255.255.255.252
serial restart-delay 0
!
interface Serial2/0
ip vrf forwarding vpn3
ip address 8.14.14.1 255.255.255.252
serial restart-delay 0
!
router ospf 101 vrf vpn2
redistribute bgp 200 subnets
network 8.14.1.1 0.0.0.0 area 0
!
router ospf 102 vrf vpn3
redistribute bgp 200 subnets
network 8.14.14.1 0.0.0.0 area 0
!
router ospf 110
router-id 8.8.8.8
network 8.8.8.8 0.0.0.0 area 0
network 8.88.8.8 0.0.0.0 area 0
network 8.88.88.8 0.0.0.0 area 0
network 28.1.1.2 0.0.0.0 area 0
network 78.1.1.2 0.0.0.0 area 0
network 89.1.1.1 0.0.0.0 area 0
!
router bgp 200
bgp log-neighbor-changes
neighbor 5.5.5.5 remote-as 100
neighbor 5.5.5.5 ebgp-multihop 255
neighbor 5.5.5.5 update-source Loopback0
neighbor 5.5.5.5 next-hop-self
neighbor 11.11.11.11 remote-as 300
neighbor 11.11.11.11 ebgp-multihop 255
neighbor 11.11.11.11 update-source Loopback0
neighbor 11.11.11.11 next-hop-self
!
address-family vpnv4
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community both
neighbor 11.11.11.11 activate
neighbor 11.11.11.11 send-community both
exit-address-family
!
address-family ipv4 vrf vpn2
redistribute ospf 101
exit-address-family
!
address-family ipv4 vrf vpn3
redistribute ospf 102
exit-address-family
R9 configuration:
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
mpls label protocol ldp
!
interface Loopback0
ip address 9.9.9.9 255.255.255.255
!
interface Loopback1
ip address 9.99.9.9 255.255.255.255
!
interface Loopback2
ip address 9.99.99.9 255.255.255.255
!
interface Serial1/0
ip address 29.1.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/1
ip address 89.1.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/2
ip address 79.1.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
!
router ospf 110
router-id 9.9.9.9
network 9.9.9.9 0.0.0.0 area 0
network 9.99.9.9 0.0.0.0 area 0
network 9.99.99.9 0.0.0.0 area 0
network 29.1.1.2 0.0.0.0 area 0
network 79.1.1.2 0.0.0.0 area 0
network 89.1.1.2 0.0.0.0 area 0
!
4. Public network configuration inside AS300:
R10 configuration:
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
mpls label protocol ldp
interface Loopback0
ip address 10.10.10.10 255.255.255.255
!
interface Loopback1
ip address 10.100.10.10 255.255.255.255
!
interface Loopback2
ip address 10.100.100.10 255.255.255.255
!
interface Serial1/0
ip address 3.10.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/1
ip address 10.11.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/2
ip address 10.12.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
!
router ospf 110
router-id 10.10.10.10
network 3.10.1.2 0.0.0.0 area 0
network 10.10.10.10 0.0.0.0 area 0
network 10.11.1.1 0.0.0.0 area 0
network 10.12.1.1 0.0.0.0 area 0
network 10.100.10.10 0.0.0.0 area 0
network 10.100.100.10 0.0.0.0 area 0
!
R11 configuration:
!
ip vrf vpn1
rd 300:1
route-target export 300:1
route-target import 100:1
!
ip vrf vpn2
rd 300:2
route-target export 300:2
route-target import 200:1
!
ip vrf vpn3
rd 300:3
route-target export 300:3
route-target import 200:2
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
mpls label protocol ldp
!
interface Loopback0
ip address 11.11.11.11 255.255.255.255
!
interface Loopback1
ip address 11.110.11.11 255.255.255.255
!
interface Loopback2
ip address 11.110.110.11 255.255.255.255
!
interface Loopback3
ip address 11.110.110.110 255.255.255.255
!
interface Tunnel0
ip address 111.1.1.1 255.255.255.252
tunnel source 11.15.1.1
tunnel destination 11.15.1.2
tunnel vrf vpn1
!
interface Serial1/0
ip address 3.11.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/1
ip address 10.11.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/2
ip address 11.12.1.1 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial2/0
ip vrf forwarding vpn1
ip address 11.15.1.1 255.255.255.252
serial restart-delay 0
!
interface Serial2/1
ip vrf forwarding vpn2
ip address 11.16.1.1 255.255.255.252
serial restart-delay 0
!
interface Serial2/2
ip vrf forwarding vpn3
ip address 11.17.1.1 255.255.255.252
serial restart-delay 0
!
interface Serial2/3
ip address 11.20.1.1 255.255.255.252
serial restart-delay 0
!
router eigrp 300
network 11.20.1.1 0.0.0.0
network 11.110.110.110 0.0.0.0
network 111.1.1.1 0.0.0.0
!
router ospf 100 vrf vpn1
redistribute bgp 300 subnets
network 11.15.1.1 0.0.0.0 area 0
!
router ospf 101 vrf vpn2
redistribute bgp 300 subnets
network 11.16.1.1 0.0.0.0 area 0
!
router ospf 102 vrf vpn3
redistribute bgp 300 subnets
network 11.17.1.1 0.0.0.0 area 0
!
router ospf 110
router-id 11.11.11.11
network 3.11.1.2 0.0.0.0 area 0
network 10.11.1.2 0.0.0.0 area 0
network 11.11.11.11 0.0.0.0 area 0
network 11.12.1.1 0.0.0.0 area 0
network 11.110.11.11 0.0.0.0 area 0
network 11.110.110.11 0.0.0.0 area 0
!
router bgp 300
bgp log-neighbor-changes
neighbor 5.5.5.5 remote-as 100
neighbor 5.5.5.5 ebgp-multihop 255
neighbor 5.5.5.5 update-source Loopback0
neighbor 5.5.5.5 next-hop-self
neighbor 8.8.8.8 remote-as 200
neighbor 8.8.8.8 ebgp-multihop 255
neighbor 8.8.8.8 update-source Loopback0
neighbor 8.8.8.8 next-hop-self
!
address-family vpnv4
neighbor 5.5.5.5 activate
neighbor 5.5.5.5 send-community both
neighbor 8.8.8.8 activate
neighbor 8.8.8.8 send-community both
exit-address-family
!
address-family ipv4 vrf vpn1
redistribute ospf 100
exit-address-family
!
address-family ipv4 vrf vpn2
redistribute ospf 101
exit-address-family
!
address-family ipv4 vrf vpn3
redistribute ospf 102
exit-address-family
!
R12 configuration:
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
mpls label protocol ldp
interface Loopback0
ip address 12.12.12.12 255.255.255.255
!
interface Loopback1
ip address 12.120.12.12 255.255.255.255
!
interface Loopback2
ip address 12.120.120.12 255.255.255.255
!
interface Serial1/0
ip address 3.12.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/1
ip address 11.12.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
interface Serial1/2
ip address 10.12.1.2 255.255.255.252
mpls label protocol ldp
mpls ip
serial restart-delay 0
!
router ospf 110
router-id 12.12.12.12
network 3.12.1.2 0.0.0.0 area 0
network 10.12.1.2 0.0.0.0 area 0
network 11.12.1.2 0.0.0.0 area 0
network 12.12.12.12 0.0.0.0 area 0
network 12.120.12.12 0.0.0.0 area 0
network 12.120.120.12 0.0.0.0 area 0
5. CE configuration inside AS100:
R13 configuration:
ip vrf vpn1
rd 100:1
route-target export 100:1
route-target import 300:1
!
ip cef
no ipv6 cef
interface Loopback0
ip vrf forwarding vpn1
ip address 13.13.13.13 255.255.255.0
!
interface Loopback1
ip address 13.130.13.13 255.255.255.255
!
interface Loopback2
ip address 13.130.130.13 255.255.255.255
!
interface Ethernet0/0
ip vrf forwarding vpn1
ip address 103.1.1.1 255.255.255.0
!
interface Serial1/0
ip vrf forwarding vpn1
ip address 5.13.1.2 255.255.255.252
serial restart-delay 0
!
router ospf 100 vrf vpn1
router-id 13.13.13.13
capability vrf-lite
network 5.13.1.2 0.0.0.0 area 0
network 13.13.13.0 0.0.0.255 area 0
network 103.1.1.0 0.0.0.255 area 0
!
6. CE configuration inside AS200:
R14 configuration:
ip vrf vpn2
rd 200:1
route-target export 200:1
route-target import 300:2
!
ip vrf vpn3
rd 200:2
route-target export 200:2
route-target import 300:3
!
ip cef
no ipv6 cef
interface Loopback0
ip vrf forwarding vpn2
ip address 14.14.14.14 255.255.255.0
!
interface Loopback1
ip vrf forwarding vpn3
ip address 14.140.14.14 255.255.255.0
!
interface Loopback2
ip address 14.140.140.14 255.255.255.255
!
interface Serial1/0
ip vrf forwarding vpn2
ip address 8.14.1.2 255.255.255.252
serial restart-delay 0
!
interface Serial1/1
ip vrf forwarding vpn3
ip address 8.14.14.2 255.255.255.252
serial restart-delay 0
!
interface Serial1/2
ip vrf forwarding vpn2
ip address 14.18.1.1 255.255.255.252
serial restart-delay 0
!
interface Serial1/3
ip vrf forwarding vpn3
ip address 14.19.1.1 255.255.255.252
serial restart-delay 0
!
interface Serial2/0
ip address 8.14.14.2 255.255.255.252
serial restart-delay 0
!
router ospf 101 vrf vpn2
router-id 14.14.14.14
capability vrf-lite
network 8.14.1.2 0.0.0.0 area 0
network 14.14.14.0 0.0.0.255 area 0
network 14.18.1.1 0.0.0.0 area 0
!
router ospf 102 vrf vpn3
capability vrf-lite
network 8.14.14.2 0.0.0.0 area 0
network 14.19.1.1 0.0.0.0 area 0
network 14.140.14.0 0.0.0.255 area 0
R18 configuration:
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 25.25.25.25
!
!
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map l2l 1 ipsec-isakmp
set peer 25.25.25.25
set transform-set ccie
match address 100
!
!
!
!
!
interface Loopback0
ip address 18.18.18.18 255.255.255.255
crypto map l2l
!
interface Loopback1
ip address 18.180.18.18 255.255.255.255
!
interface Loopback2
ip address 18.180.180.18 255.255.255.255
!
interface Loopback3
ip address 172.1.2.1 255.255.255.0
!
interface Serial0/0
ip address 14.18.1.2 255.255.255.252
serial restart-delay 0
!
router ospf 101
router-id 18.18.18.18
network 14.18.1.2 0.0.0.0 area 0
network 18.18.18.18 0.0.0.0 area 0
network 18.180.18.18 0.0.0.0 area 0
network 18.180.180.18 0.0.0.0 area 0
!
access-list 100 permit ip 172.1.2.0 0.0.0.255 172.1.1.0 0.0.0.255
R19 configuration:
ip cef
no ipv6 cef
!
interface Loopback0
ip address 19.19.19.19 255.255.255.255
!
interface Loopback1
ip address 19.190.19.19 255.255.255.255
!
interface Loopback2
ip address 19.190.190.19 255.255.255.255
!
interface Serial0/0
ip address 14.19.1.2 255.255.255.252
serial restart-delay 0
!
router ospf 102
router-id 19.19.19.19
network 14.19.1.2 0.0.0.0 area 0
network 19.19.19.19 0.0.0.0 area 0
network 19.190.19.19 0.0.0.0 area 0
network 19.190.190.19 0.0.0.0 area 0
!
7. CE configuration inside AS300:
R15 configuration:
ip vrf vpn1
rd 300:1
route-target export 300:1
route-target import 100:1
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
interface Loopback0
ip vrf forwarding vpn1
ip address 15.15.15.15 255.255.255.0
!
interface Loopback1
ip address 15.150.15.15 255.255.255.255
!
interface Loopback2
ip address 15.150.150.15 255.255.255.255
!
interface Tunnel0
ip address 111.1.1.2 255.255.255.252
tunnel source 11.15.1.2
tunnel destination 11.15.1.1