暗夜星空: 跨域MPLS VPN Option A配置案例（IOS XR）

跨域VPN的解决方案主要是为了解决客户不同AS之间的站点的互通问题，即客户的VPN路由可以在两个AS之间进行传递。RFC4364介绍了三种解决方案，我会在接下来的文章中一一介绍。本文先说第一种解决方案：Option A,这种解决方案需要在两个AS之间的ASBR上使用专门的接口去传递路由信息，所以我们也称这种为VRF-to-VRF。

写在最前面

配置步骤如下：

配置IP地址以及VRF
配置两个AS中的IGP协议_ISIS
配置AS中的标签分配协议（LDP）
配置CE与PE,PE与ASBR之间的BGP邻居
配置ASRB之间路由互相引入
验证连通性

配置IP地址以及VRF

```
R1:
interface Loopback0
 ipv4 address 10.1.1.1 255.255.255.255
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.12.1 255.255.255.0
```
```
R2:
vrf VIP
 address-family ipv4 unicast
  import route-target
   100:100
  export route-target
   100:100
   
interface Loopback0
 ipv4 address 10.1.2.2 255.255.255.255
interface GigabitEthernet0/0/0/0
 vrf VIP
 ipv4 address 10.1.12.2 255.255.255.0
interface GigabitEthernet0/0/0/1
 ipv4 address 10.1.23.2 255.255.255.0
```
```
R3:
interface Loopback0
 ipv4 address 10.1.3.3 255.255.255.255
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.34.3 255.255.255.0
interface GigabitEthernet0/0/0/1
 ipv4 address 10.1.23.3 255.255.255.0
```
```
R4:
vrf VIP
 address-family ipv4 unicast
  import route-target
   100:100
  export route-target
   100:100
   
interface Loopback0
 ipv4 address 10.1.4.4 255.255.255.255
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.34.4 255.255.255.0
interface GigabitEthernet0/0/0/1    <<<这个就是前文所说的ASBR上特殊的接口
 vrf VIP
 ipv4 address 10.1.45.4 255.255.255.0
```
```
R5:
vrf VIP
 address-family ipv4 unicast
  import route-target
   100:100
  export route-target
   100:100
   
interface Loopback0
 ipv4 address 10.1.5.5 255.255.255.255
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.56.5 255.255.255.0
interface GigabitEthernet0/0/0/1
 vrf VIP
 ipv4 address 10.1.45.5 255.255.255.0
```
```
R6:
interface Loopback0
 ipv4 address 10.1.6.6 255.255.255.255
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.56.6 255.255.255.0
interface GigabitEthernet0/0/0/1
 ipv4 address 10.1.67.6 255.255.255.0
```
```
R7:
vrf VIP
 address-family ipv4 unicast
  import route-target
   100:100
  export route-target
   100:100
​
interface Loopback0
 ipv4 address 10.1.7.7 255.255.255.255
interface GigabitEthernet0/0/0/0
 vrf VIP
 ipv4 address 10.1.78.7 255.255.255.0
interface GigabitEthernet0/0/0/1
 ipv4 address 10.1.67.7 255.255.255.0
```
```
R8:
interface Loopback0
 ipv4 address 10.1.8.8 255.255.255.255
interface GigabitEthernet0/0/0/0
 ipv4 address 10.1.78.8 255.255.255.0
```

配置两个AS中的IGP协议_ISIS

```
R2:
router isis 1
 is-type level-2-only
 net 49.0000.0000.0000.0001.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
  !
```
```
R3:
router isis 1
 is-type level-2-only
 net 49.0000.0000.0000.0002.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
  !
 !
!
```
```
R4:
router isis 1
 is-type level-2-only
 net 49.0000.0000.0000.0004.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
  !
 !
!
```
```
R5:
router isis 1
 is-type level-2-only
 net 49.0001.0000.0000.0005.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
  !
 !
!        
```
```
R6:
router isis 1
 is-type level-2-only
 net 49.0001.0000.0000.0006.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/0
  point-to-point
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
  !
 !
!
```
```
R7:
router isis 1
 is-type level-2-only
 net 49.0001.0000.0000.0007.00
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/0/0/1
  point-to-point
  address-family ipv4 unicast
  !
 !
!
```

配置AS中的标签分配协议（LDP）

```
R2:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.2.2
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/1
 !
!
```
```
R3:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.3.3
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/0
 !
 interface GigabitEthernet0/0/0/1
 !
!
```
```
R4:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.4.4
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/0
 !
!
```
```
R5:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.5.5
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/0
 !
!
```
```
R6:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.6.6
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/0
 !
 interface GigabitEthernet0/0/0/1
 !
!
```
```
R7:
mpls ldp
 log
  neighbor
 !
 router-id 10.1.7.7
 address-family ipv4
  label
   local
    allocate for host-routes
   !
  !
 !
 interface GigabitEthernet0/0/0/1
 !
!
```

配置CE与PE,PE与ASBR之间的BGP邻居

需要提前了解到的是，在IOS XR中, IBGP可以不用配置router-policy,但是对于EBGP，一定需要配置router-policy,入向和出向都需要配置，即使router-policy只有一个关键字pass.入向不配置，会drop对端发来的update；出向不配置，不会发布update

```
R1:
route-policy EBGP_PASS
  pass
end-policy
!
router bgp 65000
 bgp router-id 10.1.1.1
 address-family ipv4 unicast
  network 10.1.1.1/32
 !
 neighbor 10.1.12.2
  remote-as 1
  address-family ipv4 unicast
   route-policy EBGP_PASS in
   route-policy EBGP_PASS out
  !
 !
!
```
```
R2:
router bgp 1
 bgp router-id 10.1.2.2
 address-family vpnv4 unicast
 !
 neighbor 10.1.4.4
  remote-as 1
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
  !
 !
 vrf VIP
  rd auto
  address-family ipv4 unicast
  !
  neighbor 10.1.12.1
   remote-as 65000
   address-family ipv4 unicast
    route-policy EBGP_PASS in
    route-policy EBGP_PASS out
   !
  !
 !
!
```
```
R4
router bgp 1
 bgp router-id 10.1.4.4
 address-family vpnv4 unicast
 !
 neighbor 10.1.2.2
  remote-as 1
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
  !
 !
 vrf VIP      <<<配置VRF的原因是为了能让受到的VPNv4路由加入路由表，否则我们只会在BGP 路由表中看到
  rd auto 
  address-family ipv4 unicast
  !
 !
!
```
```
R5:
router bgp 2
 bgp router-id 10.1.5.5
 address-family vpnv4 unicast
 !
 neighbor 10.1.7.7
  remote-as 2
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
  !
 !
 vrf VIP
  rd auto 
  address-family ipv4 unicast
  !
 !
!
```
```
R7:
router bgp 2
 bgp router-id 10.1.7.7
 address-family vpnv4 unicast
 !
 neighbor 10.1.5.5
  remote-as 2
  update-source Loopback0
  address-family vpnv4 unicast
   next-hop-self
  !
 !
 vrf VIP
  rd auto
  address-family ipv4 unicast
  !
  neighbor 10.1.78.8
   remote-as 65001
   address-family ipv4 unicast
    route-policy EBGP_PASS in
    route-policy EBGP_PASS out
   !
  !
 !
!
```
```
R8:
router bgp 65001
 bgp router-id 10.1.8.8
 address-family ipv4 unicast
  network 10.1.8.8/32
 !
 neighbor 10.1.78.7
  remote-as 2
  address-family ipv4 unicast
   route-policy EBGP_PASS in
   route-policy EBGP_PASS out
  !
 !
!
```

配置ASRB之间路由互相引入

```
R4:
router ospf VIP
 vrf VIP
  capability vrf-lite
  redistribute bgp 1
  area 0
   interface GigabitEthernet0/0/0/1
   !
  !
 !
!
router bgp 1
 vrf VIP
  rd auto 
  address-family ipv4 unicast
   redistribute ospf VIP
  !
 !
!
```
```
R5:
router ospf VIP
 vrf VIP
  capability vrf-lite
  redistribute bgp 2
  area 0
   interface GigabitEthernet0/0/0/1
   !
  !
 !
!
router bgp 2
 vrf VIP
  rd auto 
  address-family ipv4 unicast
   redistribute ospf VIP
  !
 !
!
```

验证连通性

```
RP/0/0/CPU0:R1#traceroute 10.1.8.8 source 10.1.1.1
Mon Jun 24 01:24:28.393 UTC
​
Type escape sequence to abort.
Tracing the route to 10.1.8.8
​
 1  10.1.12.2 0 msec  0 msec  0 msec 
 2  10.1.23.3 [MPLS: Labels 24001/24002 Exp 0] 9 msec  19 msec  9 msec 
 3  10.1.34.4 [MPLS: Label 24002 Exp 0] 19 msec  19 msec  9 msec 
 4  10.1.45.5 9 msec  9 msec  9 msec 
 5  10.1.56.6 [MPLS: Labels 24000/24002 Exp 0] 29 msec  19 msec  29 msec 
 6  10.1.67.7 [MPLS: Label 24002 Exp 0] 29 msec  19 msec  29 msec 
 7  10.1.78.8 29 msec  *  19 msec 
RP/0/0/CPU0:R1#

Q&A

为什么需要配置这个命令”capability vrf-lite”?
主要目的是为了能将收到的路由顺利加表，原理如下:R4对于R5而言是个PE设备，PE在决定将Type3, 5, 7的LSA发布给对端的CE时，都会置为一个DN bit，如下所示，对端CE收到DN bit的LSA是不会加表的，主要目的是为了防止环路。所以在这种情景下，使用这条命令可以不产生DN bit，使收到的路由能顺利的加表.

```
RP/0/0/CPU0:R4#show ospf vrf VIP database  external 
Sat Jun 22 13:53:37.752 UTC
​
​
            OSPF Router with ID (10.1.4.4) (Process ID VIP, VRF VIP)
​
                Type-5 AS External Link States
​
  LS age: 28
  Options: (No TOS-capability, DC, DN)
  LS Type: AS External Link
  Link State ID: 10.1.1.1 (External Network Number)
  Advertising Router: 10.1.4.4
  LS Seq Number: 80000004
  Checksum: 0xaf8e
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0 
        Metric: 1 
        Forward Address: 0.0.0.0
        External Route Tag: 3489660929
```

配置文件:
https://mega.nz/#F!xKg1VSJQ!MOGudG5349kecCxBY52LRA

This Blog from Xuxing's Blog;

Link: http://imxing.cn/?p=147

暗夜星空

Sunday, June 13, 2021

跨域MPLS VPN Option A配置案例（IOS XR）