Hub-Spoke MPLS VPN (Non-Inter-AS)
  PUL2Nb3n9wqa, November 19, 2023

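Topology

[Figure: topology diagram]

Use a Hub-Spoke MPLS VPN to provide connectivity between branches.

Let branches reach the Internet through the Hub over the MPLS VPN.

Configuration

OSPF runs inside the ISP, with MPLS and the VPNv4 BGP neighbors configured.

The Spoke-CEs and Spoke-PEs run BGP to exchange routes.

R1, as the Hub-PE, is configured with two VRFs: one imports the Spoke routes toward the Hub, and the other exports the Hub-CE's summary route to the Spokes.

Matching import and export RTs are set between the Spoke-PEs and the Hub-PE.

The Hub-CE summarizes the Spoke routes it receives together with its own private routes and advertises the summary to the Hub-PE.

The Spoke-PEs receive the summary route and pass it on to the Spoke-CEs.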


R1:

hostname R1
!
ip vrf hub-spoke
 rd 65006:61
 route-target export 65006:61
!
ip vrf spoke-hub
 rd 65006:16
 route-target import 65004:4
 route-target import 65005:5
!
mpls label protocol ldp
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip ospf 1 area 0
!
interface Ethernet0/0
 no shutdown
!
interface Ethernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding spoke-hub
 ip address 10.1.16.1 255.255.255.0
!
interface Ethernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding hub-spoke
 ip address 10.1.61.1 255.255.255.0
!
interface Ethernet0/1
 ip address 12.1.1.1 255.255.255.0
 ip ospf 1 area 0
 mpls ip
!
interface Ethernet0/2
 ip address 13.1.1.1 255.255.255.0
 ip ospf 1 area 0
 mpls ip
!
router ospf 1
 router-id 1.1.1.1
!
router bgp 10
 bgp router-id 1.1.1.1
 no bgp default ipv4-unicast
 neighbor 2.2.2.2 remote-as 10
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 3.3.3.3 remote-as 10
 neighbor 3.3.3.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf hub-spoke
  neighbor 10.1.61.6 remote-as 65006
  neighbor 10.1.61.6 activate
 exit-address-family
 !
 address-family ipv4 vrf spoke-hub
  neighbor 10.1.16.6 remote-as 65006
  neighbor 10.1.16.6 activate
 exit-address-family
!

R2:

hostname R2
!
ip vrf spoke1
 rd 65004:4
 route-target export 65004:4
 route-target import 65006:61
!
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf 1 area 0
!
interface Ethernet0/0
 ip address 12.1.1.2 255.255.255.0
 ip ospf 1 area 0
 mpls ip
!
interface Ethernet0/1
 ip vrf forwarding spoke1
 ip address 10.1.24.2 255.255.255.0
!
router ospf 1
 router-id 2.2.2.2
!
router bgp 10
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 1.1.1.1 remote-as 10
 neighbor 1.1.1.1 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf spoke1
  neighbor 10.1.24.4 remote-as 65004
  neighbor 10.1.24.4 activate
 exit-address-family
!

R3:

hostname R3
!
ip vrf spoke2
 rd 65005:5
 route-target export 65005:5
 route-target import 65006:61
!
mpls label protocol ldp
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
 ip ospf 1 area 0
!
interface Ethernet0/0
 ip address 13.1.1.3 255.255.255.0
 ip ospf 1 area 0
 mpls ip
!
interface Ethernet0/1
 ip vrf forwarding spoke2
 ip address 10.1.35.3 255.255.255.0
!
router ospf 1
 router-id 3.3.3.3
!
router bgp 10
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 1.1.1.1 remote-as 10
 neighbor 1.1.1.1 update-source Loopback0
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf spoke2
  neighbor 10.1.35.5 remote-as 65005
  neighbor 10.1.35.5 activate
 exit-address-family
!

R4:

hostname R4
!
interface Loopback0
 ip address 172.16.4.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.1.24.4 255.255.255.0
!
router bgp 65004
 bgp router-id 4.4.4.4
 network 172.16.4.0 mask 255.255.255.0
 neighbor 10.1.24.2 remote-as 10
!

R5:

hostname R5
!
interface Loopback0
 ip address 172.16.5.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.1.35.5 255.255.255.0
!
router bgp 65005
 bgp router-id 5.5.5.5
 bgp log-neighbor-changes
 neighbor 10.1.35.3 remote-as 10
 !
 address-family ipv4
  network 172.16.5.0 mask 255.255.255.0
  neighbor 10.1.35.3 activate
 exit-address-family
!

R6:

hostname R6
!
interface Loopback0
 ip address 172.16.6.1 255.255.255.0
!
interface Ethernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.16.6 255.255.255.0
!
interface Ethernet0/0.20
 encapsulation dot1Q 20
 ip address 10.1.61.6 255.255.255.0
!
router bgp 65006
 bgp router-id 6.6.6.6
 network 172.16.6.0 mask 255.255.255.0
 aggregate-address 172.16.0.0 255.255.0.0 summary-only
 neighbor 10.1.16.1 remote-as 10
 neighbor 10.1.61.1 remote-as 10
!
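
The import/export RTs in the R1, R2 and R3 configurations above decide which VRF can learn whose routes. The following added example (not part of the original post; the function names are chosen here for illustration) parses those `ip vrf` stanzas and checks that no spoke VRF imports another spoke's RT, so spoke-to-spoke traffic can only pass through the Hub.

```python
import re

# VRF stanzas as configured on R1, R2 and R3 on this page.
PE_CONFIG = """
ip vrf hub-spoke
 rd 65006:61
 route-target export 65006:61
!
ip vrf spoke-hub
 rd 65006:16
 route-target import 65004:4
 route-target import 65005:5
!
ip vrf spoke1
 rd 65004:4
 route-target export 65004:4
 route-target import 65006:61
!
ip vrf spoke2
 rd 65005:5
 route-target export 65005:5
 route-target import 65006:61
"""

def parse_vrfs(text):
    """Map each VRF name to its sets of imported and exported route-targets."""
    vrfs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"ip vrf (\S+)", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"import": set(), "export": set()})
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the stanza
        elif current is not None:
            m = re.match(r"\s+route-target (import|export|both) (\S+)", line)
            if m:
                kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
                for kind in kinds:
                    current[kind].add(m.group(2))
    return vrfs

def route_flows(vrfs):
    """(src, dst) pairs where dst imports an RT that src exports."""
    return {(s, d) for s, sv in vrfs.items() for d, dv in vrfs.items()
            if s != d and sv["export"] & dv["import"]}

def spoke_to_spoke(flows, spokes):
    """Flows that bypass the hub: both ends are spoke VRFs."""
    return {(s, d) for s, d in flows if s in spokes and d in spokes}
```

Calling `spoke_to_spoke(route_flows(parse_vrfs(PE_CONFIG)), {"spoke1", "spoke2"})` returns an empty set for this design; a stray `route-target import` of another spoke's RT would show up as a pair in the result.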

Verification

Check OSPF and MPLS inside the ISP

Check the MPLS LDP neighbors

Check the MPLS LSPs

Check the VPNv4 neighbors

Check the routes on the PEs

Check the routes learned by the CEs

Test connectivity between branches

Traffic between the branches can be seen passing through the Hub.

Branch Internet access through the Hub

Create subinterfaces on R1 and R6; Internet access goes through these subinterfaces.

Configure a static default route on the Hub-CE and advertise a BGP default route.

R1 advertises the route of its public-facing subinterface into OSPF and sets that interface as a passive interface.

At this point the Spoke-CEs should receive the default route.

Configure NAT on the Hub-CE to provide Internet access.

R1:

interface Ethernet0/0.30
 encapsulation dot1Q 30
 ip address 16.1.1.1 255.255.255.0
!
router ospf 1
 passive-interface Ethernet0/0.30
 network 16.1.1.1 0.0.0.0 area 0
!

R6:

interface Ethernet0/0.30
 encapsulation dot1Q 30
 ip address 16.1.1.6 255.255.255.0
 ip nat outside
!
interface Ethernet0/0.20
 ip nat inside
!
interface Loopback0
 ip nat inside
!
ip nat inside source list 10 interface Ethernet0/0.30 overload
ip route 0.0.0.0 0.0.0.0 Ethernet0/0.30 16.1.1.1
!
access-list 10 permit 172.16.0.0 0.0.255.255
!
!
router bgp 65006
 default-information originate
 redistribute static
!

Check the BGP default route on the CEs

R4 accesses the Internet, and the traffic can be seen going through the Hub.

NAT translation entries are visible on the Hub-CE.
