modified on 11 Jan 2010 at 13:48

Layer 3 MPLS VPN example

From MikroTik Wiki

A "put everything in at once" style configuration.

Technologies used:

  • LDP for MPLS label distribution
  • BGP for VPNv4 route distribution
  • OSPF as the CE - PE routing protocol

Software:

  • PE and P routers run RouterOS 3.17 with the routing-test and mpls-test packages.
  • CE routers run RouterOS 3.17 with the routing-test package (the routing package and older versions can also be used).

Image:l3vpn.png

IP addressing and routing

Provider network

On router B:

/ip address add address=10.1.1.2/24 interface=ether2
/ip address add address=10.2.2.2/24 interface=ether3
 
# put PE-CE interface in a VRF
/ip route vrf add routing-mark=vrf1 interfaces=ether2 \
 route-distinguisher=10.1.1.1:111 import-route-targets=10.1.1.1:111 export-route-targets=10.1.1.1:111
 
# loopback interface
/interface bridge add name=lobridge
/ip address add address=10.9.9.2/32 interface=lobridge
 
# add routes to loopback addresses
# (static routing is used for destinations inside providers network)
/ip route add dst-address=10.9.9.3/32 gateway=10.2.2.3
/ip route add dst-address=10.9.9.4/32 gateway=10.2.2.3

On router C:

/ip address add address=10.2.2.3/24 interface=ether3
/ip address add address=10.3.3.3/24 interface=ether2
 
# loopback interface
/interface bridge add name=lobridge
/ip address add address=10.9.9.3/32 interface=lobridge
 
# add routes to loopback addresses
/ip route add dst-address=10.9.9.2/32 gateway=10.2.2.2
/ip route add dst-address=10.9.9.4/32 gateway=10.3.3.4

On router D:

/ip address add address=10.3.3.4/24 interface=ether2
/ip address add address=10.4.4.4/24 interface=ether3
 
# put PE-CE interface in a VRF
/ip route vrf add routing-mark=vrf1 interfaces=ether3 \
 route-distinguisher=10.1.1.1:111 import-route-targets=10.1.1.1:111 export-route-targets=10.1.1.1:111
 
# loopback interface
/interface bridge add name=lobridge
/ip address add address=10.9.9.4/32 interface=lobridge
 
# add routes to loopback addresses
/ip route add dst-address=10.9.9.2/32 gateway=10.3.3.3
/ip route add dst-address=10.9.9.3/32 gateway=10.3.3.3

Customer side

On router A:

/ip address add address=10.1.1.1/24 interface=<ToRouterB>

On router E:

/ip address add address=10.4.4.5/24 interface=<ToRouterD>
/ip address add address=10.7.7.5/24 interface=<ToLocalNetwork>

LDP

On router B:

/mpls ldp set enabled=yes transport-address=10.9.9.2
/mpls ldp interface add interface=ether3

On router C:

/mpls ldp set enabled=yes transport-address=10.9.9.3
/mpls ldp interface add interface=ether2
/mpls ldp interface add interface=ether3

On router D:

/mpls ldp set enabled=yes transport-address=10.9.9.4
/mpls ldp interface add interface=ether2

Setting the LDP transport address is not required, but it is recommended. If no address is set, the router picks one arbitrarily, and that address may belong to a VRF and therefore not be reachable from the internal P routers.

Results

[admin@C] > /mpls ldp neighbor print
Flags: X - disabled, D - dynamic, O - operational, T - sending-targeted-hello, V - vpls
 #      TRANSPORT       LOCAL-TRANSPORT PEER                       SEN ADDRESSES
 0  O   10.9.9.2        10.9.9.3        10.1.1.2:0                 no  10.1.1.2
                                                                       10.2.2.2
                                                                       10.9.9.2
 1      10.3.3.4                                                   no
 2  O   10.9.9.4        10.9.9.3        10.3.3.4:0                 no  10.3.3.4
                                                                       10.4.4.4
                                                                       10.9.9.4

BGP

On router B:

/routing bgp instance vrf add instance=default routing-mark=vrf1 redistribute-connected=yes redistribute-ospf=yes
/routing bgp peer add remote-address=10.9.9.3 remote-as=65530 address-families=vpnv4 update-source=lobridge

On router C:

/routing bgp peer add remote-address=10.9.9.2 remote-as=65530 route-reflect=yes address-families=vpnv4 update-source=lobridge
/routing bgp peer add remote-address=10.9.9.4 remote-as=65530 route-reflect=yes address-families=vpnv4 update-source=lobridge
# client-to-client-reflection is on by default
#/routing bgp instance set default client-to-client-reflection=yes

On router D:

/routing bgp instance vrf add instance=default routing-mark=vrf1 redistribute-connected=yes redistribute-ospf=yes
/routing bgp peer add remote-address=10.9.9.3 remote-as=65530 address-families=vpnv4 update-source=lobridge

The route reflector is used here only as an example.

A simpler configuration also works fine: one with a single BGP session between B and D, where C runs no BGP session at all.
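The vrf1 definitions on B and D share one route-distinguisher and one route target, which is what lets D's VRF receive B's customer prefix and vice versa. The following is an added illustration (not MikroTik's code, and not part of the original page) of that route-target logic: each VRF exports its redistributed routes into BGP VPNv4 tagged with its export RTs, and a remote VRF installs a received route only if an RT on the route matches one of its import RTs; the RD only keeps overlapping customer prefixes distinct in BGP. Router names, loopbacks, RD/RT values and customer prefixes follow the page; a second VRF "vrf2" with RT 10.1.1.1:222 and its overlapping 10.1.1.0/24 prefix are constructed here to show that a mismatched RT keeps customers isolated, which goes beyond the single-VRF setup on the page.

```python
"""Route-target import/export model for the L3VPN on the page (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# PE loopbacks from the page; they are the BGP next hops of VPNv4 routes.
LOOPBACK: Dict[str, str] = {"B": "10.9.9.2", "D": "10.9.9.4"}


@dataclass(frozen=True)
class Vrf:
    pe: str                       # PE router hosting the VRF
    name: str                     # routing-mark (e.g. vrf1)
    rd: str                       # route-distinguisher
    import_rts: FrozenSet[str]    # import-route-targets
    export_rts: FrozenSet[str]    # export-route-targets


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    next_hop: str                 # exporting PE's loopback
    rts: FrozenSet[str]           # RT extended communities attached in BGP

    @property
    def nlri(self) -> str:
        # The RD makes the same IPv4 prefix from two customers distinct in BGP.
        return f"{self.rd}:{self.prefix}"


def export_routes(vrf: Vrf, prefixes: Iterable[str]) -> List[Vpnv4Route]:
    """Routes redistributed from the VRF (connected/OSPF on the page) become
    VPNv4 routes: RD prepended, export RTs attached, next hop = PE loopback."""
    return [Vpnv4Route(vrf.rd, p, LOOPBACK[vrf.pe], vrf.export_rts) for p in prefixes]


def import_routes(vrf: Vrf, vpnv4_table: Iterable[Vpnv4Route]) -> List[str]:
    """A received VPNv4 route is installed into the VRF only when at least one
    of its RTs is in the VRF's import set. The RD is not consulted for import,
    which is why B and D may (but need not) share one RD. Routes this PE
    originated itself are skipped; they are already local in that VRF."""
    return sorted(
        r.prefix
        for r in vpnv4_table
        if r.rts & vrf.import_rts and r.next_hop != LOOPBACK[vrf.pe]
    )


RT_VRF1 = frozenset({"10.1.1.1:111"})        # from the page
RT_VRF2 = frozenset({"10.1.1.1:222"})        # constructed second customer

B_VRF1 = Vrf("B", "vrf1", "10.1.1.1:111", RT_VRF1, RT_VRF1)
D_VRF1 = Vrf("D", "vrf1", "10.1.1.1:111", RT_VRF1, RT_VRF1)
D_VRF2 = Vrf("D", "vrf2", "10.1.1.1:222", RT_VRF2, RT_VRF2)   # constructed


def vpnv4_table() -> List[Vpnv4Route]:
    """What the route reflector C holds after both PEs have advertised."""
    table: List[Vpnv4Route] = []
    table += export_routes(B_VRF1, ["10.1.1.0/24"])                 # connected on B
    table += export_routes(D_VRF1, ["10.4.4.0/24", "10.7.7.0/24"])  # connected + OSPF from E
    table += export_routes(D_VRF2, ["10.1.1.0/24"])                 # constructed: overlaps B's prefix
    return table


if __name__ == "__main__":
    table = vpnv4_table()
    for r in table:
        print(r.nlri, "nh", r.next_hop, "rt", sorted(r.rts))
    for vrf in (B_VRF1, D_VRF1, D_VRF2):
        print(f"{vrf.pe} {vrf.name} imports:", import_routes(vrf, table))
```

Running it shows B's vrf1 importing 10.4.4.0/24 and 10.7.7.0/24 from D, D's vrf1 importing 10.1.1.0/24 from B, and the constructed vrf2 importing nothing even though its own 10.1.1.0/24 collides with B's customer prefix; the two colliding prefixes remain distinct VPNv4 NLRIs because their RDs differ. The practical check this models is that an RT typo on one PE silently breaks one direction of the VPN rather than raising an error.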

Results

Check the routes on the PE routers:

/routing bgp vpn vpnv4-route print

and

/ip route print where bgp

OSPF

On router A:

/routing ospf network add network=10.1.1.0/24 area=backbone

On router B:

/routing ospf instance set default routing-table=vrf1 redistribute-bgp=as-type-1
/routing ospf network add network=10.1.1.0/24 area=backbone

On router D:

/routing ospf instance set default routing-table=vrf1 redistribute-bgp=as-type-1
/routing ospf network add network=10.4.4.0/24 area=backbone

On router E:

/routing ospf network add network=10.4.4.0/24 area=backbone
/routing ospf network add network=10.7.7.0/24 area=backbone

Results

Routing table on CE router A:

[admin@A] > /ip route pr
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADC  10.1.1.0/24        10.1.1.1        ether2             0
 1 ADo  10.4.4.0/24                        10.1.1.2 reachab... 110
 2 ADo  10.7.7.0/24                        10.1.1.2 reachab... 110

Routing table on CE router E:

[admin@E] > /ip route pr
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADo  10.1.1.0/24                        10.4.4.4 reachab... 110
 1 ADC  10.4.4.0/24        10.4.4.5        ether2             0
 2 ADC  10.7.7.0/24        10.7.7.5        ether3             0

Test

On router A:

Ping from CE1 -> to PE1:

[admin@A] > /ping 10.1.1.2
10.1.1.2 64 byte ping: ttl=64 time=8 ms
10.1.1.2 64 byte ping: ttl=64 time=4 ms
10.1.1.2 64 byte ping: ttl=64 time=5 ms
10.1.1.2 64 byte ping: ttl=64 time=5 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 4/5.5/8 ms

Ping from CE1 -> to CE2:

[admin@A] > /ping 10.4.4.5
10.4.4.5 64 byte ping: ttl=61 time=12 ms
10.4.4.5 64 byte ping: ttl=61 time=5 ms
10.4.4.5 64 byte ping: ttl=61 time=6 ms
10.4.4.5 64 byte ping: ttl=61 time=8 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 5/7.7/12 ms

[admin@A] > /ping 10.7.7.5

10.7.7.5 64 byte ping: ttl=61 time=14 ms
10.7.7.5 64 byte ping: ttl=61 time=4 ms
10.7.7.5 64 byte ping: ttl=61 time=8 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 4/8.6/14 ms
[admin@A] > /tool traceroute 10.7.7.5
     ADDRESS                                    STATUS
   1         10.1.1.2 3ms 6ms 2ms
   2         0.0.0.0 timeout timeout timeout
   3         10.3.3.4 4ms 3ms 3ms
   4         10.7.7.5 3ms 3ms 3ms

The timeout at the second hop is normal.

To see the whole MPLS cloud as a single IP hop, configure propagate-ttl=no. You should set this on all provider routers.


On routers B, C, D:

/mpls set propagate-ttl=no

[admin@A] > /tool traceroute 10.7.7.5
     ADDRESS                                    STATUS
   1         10.1.1.2 6ms 3ms 5ms
   2         10.3.3.4 5ms 3ms 6ms
   3         10.7.7.5 9ms 9ms 6ms

No timeout any more.
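The two traceroutes above differ only in how TTL is carried across the label switched path. The following is an added illustration (not MikroTik's code, and not part of the original page) of that behaviour: with propagate-ttl=yes the ingress PE copies the IP TTL into the label TTL, so the probe can expire on P router C; C's ICMP time-exceeded is addressed to 10.1.1.1, which C has no route to because that address lives in vrf1, hence the "0.0.0.0 timeout" line. With propagate-ttl=no the label TTL starts at 255 and the egress PE keeps the original IP TTL, so the cloud collapses into one hop. The topology, addresses and roles are from the page; the per-hop TTL rules are the uniform/pipe model of RFC 3443, and the "reply deliverable" flag on C is this model's explanation of the timeout. The model also predicts the TTL a CE sees on an echo reply, which goes beyond what the page prints: 61 matches the page's ping output before the change, and 62 is what the pipe model gives after it.

```python
"""TTL propagation model for the traceroute on the page (added example)."""
from typing import List, Optional, Tuple

Hop = Tuple[str, str, str, bool]   # (router, role, address printed by traceroute, reply deliverable)

# Forward path A -> E. C cannot deliver its ICMP reply: 10.1.1.1 is a VRF address, unknown to a P router.
FORWARD_PATH: List[Hop] = [
    ("B", "ingress-pe", "10.1.1.2", True),
    ("C", "p",          "10.2.2.3", False),
    ("D", "egress-pe",  "10.3.3.4", True),
    ("E", "dest",       "10.7.7.5", True),
]

# Return path E -> A, used only to compute the TTL an echo reply arrives with.
RETURN_PATH: List[Hop] = [
    ("D", "ingress-pe", "10.4.4.4", True),
    ("C", "p",          "10.3.3.3", False),
    ("B", "egress-pe",  "10.2.2.2", True),
    ("A", "dest",       "10.1.1.1", True),
]


def forward(path: List[Hop], ip_ttl: int, propagate_ttl: bool) -> Tuple[str, int]:
    """Walk one packet along `path`.

    Returns (traceroute line, remaining IP TTL). The line is the address of the
    router where the TTL expired, 'timeout' if that router cannot deliver its
    ICMP time-exceeded, or the destination address if the packet arrived."""
    label_ttl: Optional[int] = None
    for _name, role, addr, reply_ok in path:
        if role == "ingress-pe":
            ip_ttl -= 1                                   # IP hop inside the VRF
            if ip_ttl == 0:
                return (addr if reply_ok else "timeout"), 0
            label_ttl = ip_ttl if propagate_ttl else 255  # uniform: copy; pipe: fresh 255
        elif role == "p":
            assert label_ttl is not None, "P router before ingress PE"
            label_ttl -= 1                                # an LSR touches only the label TTL
            if label_ttl == 0:
                return (addr if reply_ok else "timeout"), 0
        elif role == "egress-pe":
            assert label_ttl is not None, "egress PE before ingress PE"
            if propagate_ttl:
                ip_ttl = label_ttl                        # uniform: label TTL written back to IP
            ip_ttl -= 1                                   # pipe: IP TTL simply continues
            if ip_ttl == 0:
                return (addr if reply_ok else "timeout"), 0
        else:                                             # destination answers whatever the TTL
            return addr, ip_ttl
    raise ValueError("path has no destination")


def traceroute(path: List[Hop], propagate_ttl: bool, max_hops: int = 30) -> List[str]:
    """Probe with TTL 1, 2, ... until the destination answers; mirrors /tool traceroute."""
    hops: List[str] = []
    for ttl in range(1, max_hops + 1):
        line, _ = forward(path, ttl, propagate_ttl)
        hops.append(line)
        if line == path[-1][2]:
            break
    return hops


def echo_reply_ttl(propagate_ttl: bool, initial_ttl: int = 64) -> int:
    """TTL that CE A sees on an echo reply sent by CE E with TTL 64."""
    return forward(RETURN_PATH, initial_ttl, propagate_ttl)[1]


if __name__ == "__main__":
    for mode in (True, False):
        print(f"propagate-ttl={'yes' if mode else 'no'}:")
        for i, line in enumerate(traceroute(FORWARD_PATH, mode), 1):
            print(f"  {i:2} {line}")
        print(f"  ping reply ttl={echo_reply_ttl(mode)}")
```

The first mode reproduces the four-line traceroute with the timeout at hop 2 and the ttl=61 seen in the ping output; the second reproduces the three-line traceroute after `/mpls set propagate-ttl=no`. Hiding the P routers this way is a common operator choice, but note that the timeout in the first mode is not an outage: it only means C's reply had nowhere to go.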

Reaching a CE from a PE

In this case the routing-table has to be specified explicitly.

Ping from PE1 -> to CE1:

[admin@B] > ping 10.1.1.1 routing-table=vrf1
10.1.1.1 64 byte ping: ttl=64 time=9 ms
10.1.1.1 64 byte ping: ttl=64 time=6 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 6/7.5/9 ms