Configure MPLS VPN to provide route isolation, address-space isolation and access isolation between the different VPNs that connect the headquarters and the branches.

Configuration approach
1. Configure the IP address of each interface according to the topology.
2. Make the core switches redundant by configuring VRRP.
3. Configure OSPF between R1, R2 and R3.
4. Configure static routes between R3, FW1 and SW10.
5. Configure BGP 100 on R1, R2 and R3; configure BGP 300 on SW10 and SW11 so that they establish EBGP sessions with R3.
6. Enable MPLS on R1, R2 and R3, and configure MPLS and MPLS LDP on the interconnecting interfaces.
7. Configure the yewubu and yanfabu VPN instances on R1, R2 and R3 to connect the sites of each department.
8. So that the R&D department of Branch 1 can reach the HQ R&D department through its VPN instance and also reach the Internet, configure router-on-a-stick subinterfaces on R3: one subinterface attaches to the MPLS VPN, the other carries Internet-bound traffic.
9. Configure NAT on the firewall so that the R&D department of Branch 1 reaches the Internet through address translation.
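The isolation promised in step 7 depends on two things that are easy to get wrong in a Comware listing: the vpn-target (RT) sets of the two instances must not overlap, and every CE-facing interface must be bound to its VPN instance before its address is set (Comware clears the address when the binding is applied). The following Python is an added example, not part of the original post; SAMPLE_CONFIG is a constructed excerpt modelled on the R3 listing below, and the function names are my own.

```python
import re

# Constructed excerpt after R3's listing; GigabitEthernet0/2 deliberately has 'ip address' before the binding.
SAMPLE_CONFIG = """\
ip vpn-instance yanfabu
vpn-target 2024:1 import-extcommunity
vpn-target 2024:1 export-extcommunity
#
ip vpn-instance yewubu
vpn-target 2024:2 import-extcommunity
vpn-target 2024:2 export-extcommunity
#
interface GigabitEthernet0/1.1
ip binding vpn-instance yanfabu
ip address 10.10.10.2 255.255.255.252
#
interface GigabitEthernet0/2
ip address 10.10.10.14 255.255.255.252
ip binding vpn-instance yewubu
"""

def parse_blocks(text):
    """Split a Comware listing into command blocks; lines consisting of '#' separate them."""
    return [[l.strip() for l in c.splitlines() if l.strip()] for c in text.split("#") if c.strip()]

def parse_vpns(blocks):
    """vpn-instance name -> {'import': set of RTs, 'export': set of RTs} from its definition."""
    vpns = {}
    for b in blocks:
        m = re.match(r"ip vpn-instance (\S+)$", b[0])
        if m:
            v = vpns.setdefault(m.group(1), {"import": set(), "export": set()})
            for line in b[1:]:
                t = re.match(r"vpn-target (\S+) (import|export)-extcommunity", line)
                if t:
                    v[t.group(2)].add(t.group(1))
    return vpns

def rt_leaks(vpns):
    """(a, b) pairs where a imports an RT that b exports, i.e. a would learn b's routes."""
    return sorted((a, b) for a in vpns for b in vpns if a != b and vpns[a]["import"] & vpns[b]["export"])

def binding_order_errors(blocks):
    """Interfaces where 'ip address' precedes 'ip binding vpn-instance' (the binding clears it)."""
    bad = []
    for b in blocks:
        if b[0].startswith("interface "):
            cmds = [l.split()[1] for l in b[1:] if l.startswith("ip ")]
            if "binding" in cmds and "address" in cmds[:cmds.index("binding")]:
                bad.append(b[0].split()[1])
    return bad
```

Pasting a full device section from the listings below into parse_blocks runs the same two checks on the real configuration; on every PE the yanfabu and yewubu RT sets should stay disjoint.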
Configuration listings
HQ-R1:
sysname r1
#
ip vpn-instance yanfabu
route-distinguisher 2024:1
vpn-target 2024:1 import-extcommunity
vpn-target 2024:1 export-extcommunity
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.0.0.12 0.0.0.0
#
ospf 100 vpn-instance yanfabu
import-route bgp
area 0.0.0.0
network 100.0.0.2 0.0.0.0
network 200.0.0.2 0.0.0.0
#
mpls lsr-id 1.1.1.1
#
sysid r1
#
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 100.0.0.12 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip binding vpn-instance yanfabu
ip address 100.0.0.2 255.255.255.252
#
interface GigabitEthernet0/2
port link-mode route
combo enable copper
ip binding vpn-instance yanfabu
ip address 200.0.0.2 255.255.255.252
#
bgp 100
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
#
address-family ipv4 unicast
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
address-family vpnv4
peer 2.2.2.2 enable
peer 3.3.3.3 enable
#
ip vpn-instance yanfabu
#
address-family ipv4 unicast
import-route ospf 100
HQ-SW8:
sysname SW8
#
track 1 interface GigabitEthernet1/0/1
#
ospf 1 router-id 8.8.8.8
silent-interface Vlan-interface10
silent-interface Vlan-interface20
area 0.0.0.0
network 8.8.8.8 0.0.0.0
network 100.0.0.1 0.0.0.0
network 192.168.10.252 0.0.0.0
network 192.168.20.252 0.0.0.0
#
lldp global enable
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 100
#
stp region-configuration
region-name qclr
instance 1 vlan 10
instance 2 vlan 20
active region-configuration
#
stp instance 1 root primary
stp instance 2 root secondary
stp global enable
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 1 10 20
#
interface LoopBack0
ip address 8.8.8.8 255.255.255.255
#
interface Vlan-interface10
ip address 192.168.10.252 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 150
vrrp vrid 10 track 1 weight reduced 50
#
interface Vlan-interface20
ip address 192.168.20.252 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 110
#
interface Vlan-interface100
ip address 100.0.0.1 255.255.255.252
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 100
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
combo enable fiber
port link-aggregation group 1
#
interface GigabitEthernet1/0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
combo enable fiber
port link-aggregation group 1
#
interface GigabitEthernet1/0/4
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
combo enable fiber
HQ-SW9 (the listing below repeats the SW8 listing as published, with the same sysname, router ID, loopback, VLAN addresses and VRRP priorities; SW9's own values are not given on the page):
sysname SW8
#
track 1 interface GigabitEthernet1/0/1
#
ospf 1 router-id 8.8.8.8
silent-interface Vlan-interface10
silent-interface Vlan-interface20
area 0.0.0.0
network 8.8.8.8 0.0.0.0
network 100.0.0.1 0.0.0.0
network 192.168.10.252 0.0.0.0
network 192.168.20.252 0.0.0.0
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 100
#
stp region-configuration
region-name qclr
instance 1 vlan 10
instance 2 vlan 20
active region-configuration
#
stp instance 1 root primary
stp instance 2 root secondary
stp global enable
#
interface Bridge-Aggregation1
port link-type trunk
port trunk permit vlan 1 10 20
#
interface LoopBack0
ip address 8.8.8.8 255.255.255.255
#
interface Vlan-interface10
ip address 192.168.10.252 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 150
vrrp vrid 10 track 1 weight reduced 50
#
interface Vlan-interface20
ip address 192.168.20.252 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 110
#
interface Vlan-interface100
ip address 100.0.0.1 255.255.255.252
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 100
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
combo enable fiber
port link-aggregation group 1
#
interface GigabitEthernet1/0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
combo enable fiber
port link-aggregation group 1
#
interface GigabitEthernet1/0/4
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
HQ-SW12:
sysname SW12
#
vlan 1
#
vlan 10
#
vlan 20
#
stp region-configuration
region-name qclr
instance 1 vlan 10
instance 2 vlan 20
active region-configuration
#
stp bpdu-protection
stp global enable
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
combo enable fiber
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 10
combo enable fiber
stp edged-port
#
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 20
combo enable fiber
stp edged-port
R2:
sysname R2
#
ip vpn-instance yewubu
route-distinguisher 2024:2
vpn-target 2024:2 import-extcommunity
vpn-target 2024:2 export-extcommunity
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 100.0.0.13 0.0.0.0
network 102.0.0.1 0.0.0.0
#
mpls lsr-id 2.2.2.2
#
vlan 1
#
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 100.0.0.13 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 102.0.0.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet0/2
port link-mode route
combo enable copper
ip binding vpn-instance yewubu
ip address 102.0.0.12 255.255.255.252
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
#
address-family ipv4 unicast
peer 1.1.1.1 enable
peer 3.3.3.3 enable
#
address-family vpnv4
peer 1.1.1.1 enable
peer 3.3.3.3 enable
#
ip vpn-instance yewubu
#
address-family ipv4 unicast
import-route static
ip route-static vpn-instance yewubu 192.168.30.0 24 102.0.0.13
Branch 2-R4:
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 192.168.30.254 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 102.0.0.13 255.255.255.252
#
interface GigabitEthernet0/2
port link-mode route
combo enable copper
#
interface GigabitEthernet5/0
port link-mode route
combo enable copper
ip address 105.0.0.1 255.255.255.252
#
ip route-static 0.0.0.0 0 102.0.0.12
Branch 1 R3 (the listing omits the global-table static routes that step 4 calls for, such as the route toward the firewall for Internet-bound traffic and the return route to 172.168.10.0/24 via 20.20.20.1):
sysname R3
#
ip vpn-instance yanfabu
route-distinguisher 2024:1
vpn-target 2024:1 import-extcommunity
vpn-target 2024:1 export-extcommunity
#
ip vpn-instance yewubu
route-distinguisher 2024:2
vpn-target 2024:2 import-extcommunity
vpn-target 2024:2 export-extcommunity
#
address-family ipv4
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 102.0.0.2 0.0.0.0
#
mpls lsr-id 3.3.3.3
#
vlan 1
#
mpls ldp
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 102.0.0.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet0/1.1
ip binding vpn-instance yanfabu
ip address 10.10.10.2 255.255.255.252
vlan-type dot1q vid 101
#
interface GigabitEthernet0/1.2
ip address 20.20.20.2 255.255.255.252
vlan-type dot1q vid 102
#
interface GigabitEthernet0/2
port link-mode route
combo enable copper
ip binding vpn-instance yewubu
ip address 10.10.10.14 255.255.255.252
#
interface GigabitEthernet5/0
port link-mode route
combo enable copper
ip address 105.0.0.1 255.255.255.252
#
bgp 100
router-id 3.3.3.3
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0
#
address-family ipv4 unicast
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
address-family vpnv4
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
ip vpn-instance yanfabu
peer 10.10.10.1 as-number 300
#
address-family ipv4 unicast
import-route direct
peer 10.10.10.1 enable
#
ip vpn-instance yewubu
peer 10.10.10.13 as-number 300
#
address-family ipv4 unicast
import-route direct
peer 10.10.10.13 enable
Branch 1 SW10:
interface LoopBack0
ip address 10.10.10.10 255.255.255.255
#
interface Vlan-interface10
ip address 172.168.10.254 255.255.255.0
#
interface Vlan-interface101
ip address 10.10.10.1 255.255.255.252
#
interface Vlan-interface102
ip address 20.20.20.1 255.255.255.252
#
interface FortyGigE1/0/53
port link-mode bridge
#
interface FortyGigE1/0/54
port link-mode bridge
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 101 to 102
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 10
combo enable fiber
#
bgp 300
router-id 10.10.10.10
peer 10.10.10.2 as-number 100
#
address-family ipv4 unicast
network 172.168.10.0 255.255.255.0
peer 10.10.10.2 enable
#
ip route-static 105.0.0.0 30 20.20.20.2
ip route-static 202.1.1.0 30 20.20.20.2
Branch 1 SW11:
interface LoopBack0
ip address 11.11.11.11 255.255.255.255
#
interface Vlan-interface10
ip address 172.168.20.254 255.255.255.0
#
interface Vlan-interface111
ip address 10.10.10.13 255.255.255.252
#
interface FortyGigE1/0/53
port link-mode bridge
#
interface FortyGigE1/0/54
port link-mode bridge
#
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 111
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 10
combo enable fiber
#
bgp 300
router-id 11.11.11.11
peer 10.10.10.14 as-number 100
#
address-family ipv4 unicast
network 172.168.20.0 255.255.255.0
peer 10.10.10.14 enable
Branch 1 FW:
sysname FW
#
object-group ip address yanfabu
0 network subnet 172.168.10.0 255.255.255.0
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 192.168.56.2 255.255.255.0
manage http inbound
manage https inbound
manage ping inbound
#
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 202.1.1.1 255.255.255.252
manage ping inbound
manage ping outbound
#
interface GigabitEthernet1/0/3
port link-mode route
combo enable copper
ip address 105.0.0.2 255.255.255.252
manage ping inbound
manage ping outbound
#
security-zone name Trust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/3
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0 202.1.1.2
ip route-static 20.20.20.0 30 105.0.0.1
ip route-static 172.168.10.0 24 105.0.0.1
#
nat policy
rule name trust>internet
source-ip yanfabu
outbound-interface GigabitEthernet1/0/2
action easy-ip
#
ip http enable
ip https enable
#
security-policy ip
rule 0 name trust>untrust
action pass
source-zone Trust
destination-zone Untrust
INTERNET:
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 202.1.1.2 255.255.255.252
Connectivity tests
Reachability between the business departments (yewubu)

A packet capture shows that these packets are carried over MPLS (labelled) between the PE routers.

Reachability between the R&D departments (yanfabu)

Internet access from the Branch 1 R&D department

A packet capture shows that when PC_15 reaches the Internet, the firewall first translates the source IP to the address of its outbound interface and then forwards the packet.

Originally published on the WeChat public account 青菜浪人: MPLS Lab Notes (H3C).
Compiled by 极客之音; article link: https://www.bmabk.com/index.php/post/288928.html