Mpls basics
Alp
14.1 VRF Lite
[Diagram: VPN_A (rd 100:1) on vl67 and VPN_B (rd 100:2) on vl76. VPN_A routing table: Lo101 172.16.7.7/24, Vlan 67 155.1.67.0/24. VPN_B routing table: Lo101 192.168.7.7/24, Vlan 67 155.1.76.0/24.]
• At R6
ip vrf VNP_A
 rd 100:1
ip vrf VNP_B
 rd 100:2
interface Ethernet1/0.67
 encapsulation dot1Q 67
 ip vrf forwarding VNP_A
 ip address 155.1.67.6 255.255.255.0
interface Ethernet1/0.76
 encapsulation dot1Q 76
 ip vrf forwarding VNP_B
 ip address 155.1.76.6 255.255.255.0
ip route vrf VNP_A 192.168.7.0 255.255.255.0 Ethernet1/0.76 155.1.76.7
ip route vrf VNP_B 172.16.7.0 255.255.255.0 Ethernet1/0.67 155.1.67.7
• At SW1
ip vrf VPN_A
 rd 100:1
ip vrf VPN_B
 rd 100:2
interface Loopback101
 ip vrf forwarding VPN_A
 ip address 172.16.7.7 255.255.255.0
interface Loopback102
 ip vrf forwarding VPN_B
 ip address 192.168.7.7 255.255.255.0
interface Ethernet1/0.67
 encapsulation dot1Q 67
 ip vrf forwarding VPN_A
 ip address 155.1.67.7 255.255.255.0
interface Ethernet1/0.76
 encapsulation dot1Q 76
 ip vrf forwarding VPN_B
 ip address 155.1.76.7 255.255.255.0
ip route vrf VPN_A 0.0.0.0 0.0.0.0 155.1.67.6
ip route vrf VPN_B 0.0.0.0 0.0.0.0 155.1.76.6
14.2 MPLS LDP
• At R4
mpls ip
mpls ldp router-id lo0 force
int e0/1
 mpls ldp discovery transport-address interface
router ospf 1
 mpls ldp autoconf
mpls ldp password required
mpls ldp neighbor 150.1.5.5 password CISCO
mpls ldp neighbor 150.1.6.6 password CISCO
• At R6
mpls ip
mpls ldp router-id lo0 force
int e0/0.146
 mpls ldp discovery transport-address interface
 mpls ip
mpls ldp password required
mpls ldp neighbor 150.1.4.4 password CISCO
• At R5
mpls ip
mpls ldp router-id lo0 force
int s2/1
 mpls ip
int s2/0
 mpls ip
mpls ldp password required
mpls ldp neighbor 150.1.4.4 password CISCO
14.3 MPLS Label Filtering
• At R4, R5, R6
access-list 10 permit 150.1.0.0 0.0.255.255
no mpls ldp advertise-labels
mpls ldp advertise-labels for 10
14.4 MP-BGP VPNv4
[Diagram: R5 and R6 peer over BGP VPNv4 with R4 as route reflector (RR). Vlan5 and Vl58 attach at R5, vl67 and vl76 at R6, in Vpn_a and Vpn_b. R5 VRF VPN_A BGP table: 155.1.58.0/24, 155.1.67.0/24. R5 VRF VPN_B BGP table: 155.1.5.0/24, 155.1.76.0/24. Connected and static routes are redistributed into BGP on both PEs.]
• At R4
router bgp 100
 no bgp default ipv4-unicast
 neighbor 150.1.5.5 remote-as 100
 neighbor 150.1.5.5 update-source lo0
 neighbor 150.1.6.6 remote-as 100
 neighbor 150.1.6.6 update-source lo0
 address-family vpnv4 unicast
  neighbor 150.1.5.5 activate
  neighbor 150.1.6.6 activate
  neighbor 150.1.5.5 send-community extended
  neighbor 150.1.6.6 send-community extended
  neighbor 150.1.5.5 route-reflector-client
  neighbor 150.1.6.6 route-reflector-client
• At R5
ip vrf VPN_A
 rd 100:1
 route-target both 100:1
ip vrf VPN_B
 rd 100:2
 route-target both 100:2
int e0/0
 ip vrf forwarding VPN_A
 ip add 155.1.58.5 255.255.255.0
int e0/1
 ip vrf forwarding VPN_B
 ip address 155.1.5.5 255.255.255.0
• At R6
ip vrf VNP_A
 rd 100:1
 route-target both 100:1
ip vrf VNP_B
 rd 100:2
 route-target both 100:2
• At R5 & R6
router bgp 100
 no bgp default ipv4
 neighbor 150.1.4.4 remote-as 100
 neighbor 150.1.4.4 update-source lo0
 address-family vpnv4 unicast
  neighbor 150.1.4.4 activate
  ! the RT values are carried with this
  neighbor 150.1.4.4 send-community extended
 address-family ipv4 vrf VPN_A
  redistribute connected
  redistribute static
 address-family ipv4 vrf VPN_B
  redistribute connected
  redistribute static
14.5 MP-BGP Prefix Filtering
[Diagram: same topology as 14.4 (R5, R6, R4 as RR, BGP VPNv4; Vlan5/Vl58 and vl67/vl76 in Vpn_a and Vpn_b), with loopbacks Lo1 172.16.5.5/24 and Lo1 192.16.6.6/24 added.]
• At R5
int lo 101
 ip vrf forwarding VPN_A
 ip address 172.16.5.5 255.255.255.0
ip prefix-list LO101 permit 172.16.5.0/24
route-map VPN-A_EXPORT permit 10
 match ip address prefix-list LO101
 set extcommunity rt 100:55
route-map VPN-A_EXPORT permit 20
 set extcommunity rt 100:1
ip vrf VPN_A
 export map VPN-A_EXPORT
 route-target import 100:66
• At R6
int lo102
 ip vrf forwarding VNP_B
 ip address 192.168.6.6 255.255.255.0
ip prefix-list LO102 permit 192.168.6.0/24
route-map VNP-B-EXPORT permit 10
 match ip address prefix-list LO102
 set extcommunity rt 100:66
route-map VNP-B-EXPORT permit 20
 set extcommunity rt 100:2
ip vrf VNP_B
 export map VNP-B-EXPORT
 route-target import 100:55
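
The effect of the export maps above on which VRF imports which prefix can be worked out by hand; the following Python model does it mechanically. It is an added example, not part of the original slides: the data structure and function names are hypothetical, only the connected prefixes from 14.4 and 14.5 are modelled (the static routes from 14.1 are left out), and the VRF names are kept as each router configures them.

```python
from ipaddress import ip_network

# Constructed model of the page's VRFs: connected prefixes, RT import/export sets,
# and export-map clauses as (matched prefix, or None for "match any", RT to set).
VRFS = {
    ("R5", "VPN_A"): {"connected": ["155.1.58.0/24", "172.16.5.0/24"],
                      "export": {"100:1"}, "import": {"100:1", "100:66"},
                      "export_map": [("172.16.5.0/24", "100:55"), (None, "100:1")]},
    ("R5", "VPN_B"): {"connected": ["155.1.5.0/24"],
                      "export": {"100:2"}, "import": {"100:2"}, "export_map": []},
    ("R6", "VNP_A"): {"connected": ["155.1.67.0/24"],
                      "export": {"100:1"}, "import": {"100:1"}, "export_map": []},
    ("R6", "VNP_B"): {"connected": ["155.1.76.0/24", "192.168.6.0/24"],
                      "export": {"100:2"}, "import": {"100:2", "100:55"},
                      "export_map": [("192.168.6.0/24", "100:66"), (None, "100:2")]},
}


def export_rts(vrf, prefix):
    """Return the RTs attached to a prefix when it is exported to VPNv4."""
    for match, rt in vrf["export_map"]:
        if match is None or ip_network(match) == ip_network(prefix):
            # "set extcommunity rt" without "additive" replaces the RT list.
            return {rt}
    return set(vrf["export"])


def vpnv4_table():
    """All VPNv4 routes as (pe, vrf_name, prefix, rts)."""
    return [(pe, name, p, export_rts(vrf, p))
            for (pe, name), vrf in VRFS.items() for p in vrf["connected"]]


def imported(pe, name):
    """Prefixes a VRF imports from every other VRF, by RT intersection."""
    wanted = VRFS[(pe, name)]["import"]
    return {p for src_pe, src, p, rts in vpnv4_table()
            if (src_pe, src) != (pe, name) and rts & wanted}


if __name__ == "__main__":
    for key in VRFS:
        print(key, sorted(imported(*key)))
```

Because the export map replaces the RT instead of adding to it, 172.16.5.0/24 leaves R5 with only 100:55, so R6 imports it into VNP_B but no longer into VNP_A.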
14.6 PE – CE Routing with RIP
[Diagram: R5, R6 and R4 (RR) over BGP VPNv4. RIP runs in VRF Vpn_b on vl76 and on vlan43 (204.12.1.0/24), with RIP-to-BGP and BGP-to-RIP redistribution on the PEs. Vlan5 and Vl58 remain in Vpn_a and Vpn_b. Loopbacks: Lo1 172.16.5.5/24, Lo1 192.16.6.6/24.]
• At R4
ip vrf VPN_B
 rd 100:2
 route-target export 100:2
 route-target import 100:2
router rip
 version 2
 no auto-summary
 address-family ipv4 vrf VPN_B
  ! preserves the metric
  redistribute bgp 100 metric transparent
  network 204.12.1.0
  no auto-summary
 exit-address-family
router bgp 100
 no bgp default ipv4-unicast
 address-family vpnv4
  neighbor 150.1.5.5 activate
  neighbor 150.1.5.5 send-community extended
  neighbor 150.1.5.5 route-reflector-client
  neighbor 150.1.6.6 activate
  neighbor 150.1.6.6 send-community extended
  neighbor 150.1.6.6 route-reflector-client
 exit-address-family
 address-family ipv4 vrf VPN_B
  redistribute rip
• At R6
router rip
 ver 2
 no auto-sum
 address-family ipv4 vrf VNP_B
  ! preserves the metric
  redistribute bgp 100 metric transparent
  network 155.1.0.0
no ip route vrf VNP_B 172.16.7.0 255.255.255.0 e1/0.67 155.1.67.7
• At SW1
no ip route vrf VPN_B 0.0.0.0 0.0.0.0 155.1.76.6
router rip
 ver 2
 no auto-sum
 address-family ipv4 vrf VPN_B
  network 155.1.0.0
  network 192.168.7.0
14.7 PE- CE Routing with OSPF
[Diagram: R5, R6 and R4 (RR) over BGP VPNv4. SW2 (Lo 172.16.8.8/24) attaches on Vl58 and SW1 (Lo 172.16.7.7) on vl67, both in VRF VPN_A and OSPF area 1. R5 has Lo1 172.16.5.5/24. On each PE, BGP is redistributed into the VRF VPN_A OSPF process and the VRF OSPF process is redistributed into VRF VPN_A BGP.]
• The cloud in which MP-BGP runs is called super area 0 (the super backbone).
• OSPF has two new attributes:
1- domain-id: used to tell apart the OSPF processes in different VPNs.
2- OSPF route-type: has 3 components: source area, route type (LSA type) and option (E1 or E2 for external routes). The metric value is carried unchanged unless we modify it.
• At R5
router ospf 100 vrf VPN_A
 domain-id 0.0.0.5
 log-adjacency-changes
 redistribute bgp 100 subnets
 network 0.0.0.0 255.255.255.255 area 1
router bgp 100
 address-family ipv4 vrf VPN_A
  redistribute ospf 100 vrf VPN_A
• At R6
router ospf 100 vrf VNP_A
 domain-id 0.0.0.6
 log-adjacency-changes
 redistribute bgp 100 subnets
 network 0.0.0.0 255.255.255.255 area 1
 summary-address 172.16.0.0 255.255.0.0
router bgp 100
 address-family ipv4 vrf VNP_A
  redistribute ospf 100 vrf VNP_A
• At SW1
no ip route vrf VPN_A 0.0.0.0 0.0.0.0 155.1.67.6
router ospf 1 vrf VPN_A
 netw 0.0.0.0 255.255.255.255 area 1
• At SW2
ip routing
router ospf 1
 network 0.0.0.0 255.255.255.255 area 1
int lo100
 ip add 172.16.8.8 255.255.255.0
14.8 OSPF Sham-link
[Diagram: same topology as 14.7 (R5, R6, R4 as RR, BGP VPNv4; SW2 with Lo 172.16.8.8/24 on Vl58 and SW1 with Lo 172.16.7.7 on vl67, VRF VPN_A, OSPF area 1, mutual BGP/OSPF redistribution on the PEs), plus a backdoor link between SW1 and SW2 and a sham-link between the lo100 interfaces of the two PEs.]
• At R5
router ospf 100 vrf VPN_A
 no domain-id 0.0.0.5
 area 1 sham-link 150.1.55.55 150.1.66.66 cost 1
 no network 0.0.0.0 255.255.255.255 area 1
 network 155.1.58.5 0.0.0.0 area 1
int lo 200
 ip vrf forwarding VPN_A
 ip address 150.1.55.55 255.255.255.255
router bgp 100
 address-family ipv4 vrf VPN_A
  network 150.1.55.55 mask 255.255.255.255
• At R6
router ospf 100 vrf VNP_A
 no domain-id 0.0.0.6
 area 1 sham-link 150.1.66.66 150.1.55.55 cost 1
 no network 0.0.0.0 255.255.255.255 area 1
 network 155.1.67.6 0.0.0.0 area 1
int lo 200
 ip vrf forwarding VNP_A
 ip address 150.1.66.66 255.255.255.255
router bgp 100
 address-family ipv4 vrf VNP_A
  network 150.1.66.66 mask 255.255.255.255
• At SW1
int e0/3
 no sw
 ip address 155.1.78.7 255.255.255.0
 ip ospf cost 9999
int e1/0.67
 no ip vrf forwarding VPN_A
 ip address 155.1.67.7 255.255.255.0
int lo101
 ip add 172.16.7.7 255.255.255.0
no router ospf 1
router ospf 1
 network 0.0.0.0 255.255.255.255 area 1
• At SW2
int e0/3
 no sw
 ip address 155.1.78.8 255.255.255.0
 ip ospf cost 9999
14.9 PE- CE Routing with EIGRP
[Diagram: R5, R6 and R4 (RR) over BGP VPNv4. SW2 (Lo 172.16.8.8/24) attaches on Vl58 and SW1 (Lo 172.16.7.7) on vl67, both running EIGRP in VRF VPN_A, joined by a backdoor link with delay 1000. R4 attaches Vlan 43 (204.12.1.0/24) running EIGRP in VPN_A. R5 has Lo1 172.16.5.5/24. On each PE, BGP is redistributed into the VRF VPN_A EIGRP process and the VRF EIGRP process is redistributed into BGP.]
• At R4
ip vrf VPN_A
 rd 100:1
 route-target both 100:1
router eigrp 100
 no auto
 address-family ipv4 vrf VPN_A
  autonomous-system 100
  network 204.12.1.0 0.0.0.255
  redistribute bgp 100 metric 1 1 1 1 1
router bgp 100
 address-family ipv4 vrf VPN_A
  redistribute eigrp 100
int e0/0
 ip vrf forwarding VPN_A
 ip address 204.12.1.4 255.255.255.0
• At R5
no router ospf 100
router eigrp 100
 no auto
 address-family ipv4 vrf VPN_A
  autonomous-system 100
  network 155.1.58.5 0.0.0.0
  redistribute bgp 100 metric 1 1 1 1 1
router bgp 100
 address-family ipv4 vrf VPN_A
  redistribute eigrp 100
• At R6
no router ospf 100
router eigrp 100
 no auto
 address-family ipv4 vrf VNP_A
  autonomous-system 100
  network 155.1.67.6 0.0.0.0
router bgp 100
 address-family ipv4 vrf VNP_A
  redistribute eigrp 100
• At SW1 – SW2
no router ospf 1
router eigrp 100
 no auto-summary
 network 0.0.0.0 255.255.255.255
int e0/3
 ! to be sure it will be the backdoor
 delay 1000
14.10 EIGRP SITE OF ORIGIN
[Diagram: R5, R6 and R4 (RR) in AS100 over BGP VPNv4. SW2 (Lo 172.16.8.8/24) attaches on Vl58 and SW1 (Lo 172.16.7.7) on vl67 in VRF VPN_A, joined by a backdoor link. R5 has Lo1 172.16.5.5/24. SoO values on the SW1, SW2, R5 and R6 links: 100:15, 100:15, 100:16, 100:16.]
• At R5
route-map EIGRP-SOO
 set extcommunity soo 100:15
int e0/0
 ip vrf sitemap EIGRP-SOO
• At R6
route-map EIGRP-SOO
 set extcommunity soo 100:16
int e0/0.67
 ip vrf sitemap EIGRP-SOO
• At SW2
route-map EIGRP-SOO
 set extcommunity soo 100:15
int e0/2
 ip vrf sitemap EIGRP-SOO
• At SW1
route-map EIGRP-SOO
 set extcommunity soo 100:16
int e0/2
 ip vrf sitemap EIGRP-SOO
14.11 PE- CE Routing with BGP
[Diagram: R5, R6 and R4 (RR) in AS100 over BGP VPNv4. SW2 (Lo 172.16.8.8/24) attaches on Vl58 and SW1 (Lo 172.16.7.7) on vl67, both in BGP AS 78 and VRF VPN_A. R5 has Lo1 172.16.5.5/24. On both PEs AS78 is overridden with AS100.]
• Using the same AS at different sites causes the prefix to be filtered, because information that arrives carrying the same AS is not accepted. To solve this we can use allowas-in and as-override.
• At R5
no router eigrp 100
router bgp 100
 address-family ipv4 vrf VPN_A
  neighbor 155.1.58.8 remote-as 78
  neighbor 155.1.58.8 as-override
• At R6
no router eigrp 100
router bgp 100
 address-family ipv4 vrf VNP_A
  neighbor 155.1.67.7 remote-as 78
  neighbor 155.1.67.7 as-override
• At SW1
no router eigrp 100
router bgp 78
 neighbor 155.1.67.6 remote-as 100
 network 150.1.7.0 mask 255.255.255.0
• At SW2
no router eigrp 100
router bgp 78
 neighbor 155.1.58.5 remote-as 100
 network 150.1.8.0 mask 255.255.255.0
14.12 BGP SoO Attribute
[Diagram: same topology as 14.11 (R5, R6, R4 as RR in AS100, BGP VPNv4; SW2 with Lo 172.16.8.8/24 on Vl58 and SW1 with Lo 172.16.7.7 on vl67, both in BGP AS 78 and VRF VPN_A), plus a backdoor link between SW1 and SW2 and SoO 100:1 on both PEs.]
• At R5
router bgp 100
 address-family ipv4 vrf VPN_A
  neighbor 155.1.58.8 soo 100:1
• At R6
router bgp 100
 address-family ipv4 vrf VNP_A
  neighbor 155.1.67.7 soo 100:1
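[Diagram: SW1 and SW2 run iBGP with each other and eBGP to the PEs R5 and R6; R5 and R6 run BGP VPN between them; SoO 100:1 is set on both PE-CE sessions.]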
• At SW1
router bgp 78
 neighbor 155.1.78.8 remote-as 78
• At SW2
router bgp 78
 neighbor 155.1.78.7 remote-as 78
• We added the backdoor adjacency on the CEs.
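
The AS-path behaviour described in 14.11 and the reason 14.12 then adds SoO can be traced with a small Python model. It is an added example, not part of the original slides; the function names are hypothetical and the model covers only the one path SW1 (AS 78) to R6 to R5 to SW2 (AS 78).

```python
PE_AS = 100  # provider AS from the page


def pe_advertise(as_path, ce_as, as_override=False, route_soo=None, neighbor_soo=None):
    """AS path a PE sends to a CE in ce_as, or None if SoO suppresses the route."""
    if route_soo is not None and route_soo == neighbor_soo:
        return None  # route came from the same site: do not send it back
    if as_override:
        # as-override: occurrences of the CE's AS are replaced by the PE's AS
        as_path = [PE_AS if asn == ce_as else asn for asn in as_path]
    return [PE_AS] + as_path  # normal eBGP prepend


def ce_accepts(as_path, local_as, allowas_in=0):
    """eBGP loop check on the CE: reject if the local AS appears too often."""
    return as_path.count(local_as) <= allowas_in


def site_to_site(as_override=False, allowas_in=0, soo=None):
    """SW1 (AS 78) originates a prefix; what happens when R5 offers it to SW2?"""
    path_at_r6 = [78]  # as received by R6 from SW1, carried over VPNv4 to R5
    sent = pe_advertise(path_at_r6, 78, as_override,
                        route_soo=soo, neighbor_soo=soo)
    if sent is None:
        return "suppressed by SoO"
    return "accepted" if ce_accepts(sent, 78, allowas_in) else "rejected: AS loop"


if __name__ == "__main__":
    print(site_to_site())                               # plain eBGP
    print(site_to_site(as_override=True))               # 14.11 configuration
    print(site_to_site(allowas_in=1))                   # CE-side alternative
    print(site_to_site(as_override=True, soo="100:1"))  # 14.12 configuration
```

With as-override the CE can no longer recognise its own site's routes by AS path, so once the backdoor link exists the SoO value 100:1 on both PE-CE sessions takes over that loop-prevention role.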
14.13 Internet Access
• At R6
router rip
 vers 2
 no auto-sum
 network 54.0.0.0
ip route vrf VNP_A 0.0.0.0 0.0.0.0 54.1.1.254 global
router bgp 100
 address-family ipv4 vrf VNP_A
  default-information originate
  redistribute static
int s2/0
 ip nat outside
int e0/0.146
 ip nat inside
int e0/0.67
 ip nat inside
ip access-list standard VPN-PREFIXES
 permit 150.1.0.0 0.0.255.255
ip nat inside source list VPN-PREFIXES interface s2/0 vrf VNP_A overload
14.14 AToM
[Diagram: R5, R6 and R4 (RR) in AS100 with BGP VPNv4 (Vl58 and vl67 in Vpn_a) and a Layer 2 VPN between the E0/1 interfaces of the PEs (Vl 5 on e0/1).]
• At R5
default interface e0/1
int e0/1
 xconnect 150.1.6.6 100 encapsulation mpls
mpls ldp neighbor 150.1.6.6 password CISCO
• At R6
int e0/1
 no sh
 xconnect 150.1.5.5 100 encapsulation mpls
mpls ldp neighbor 150.1.5.5 password CISCO
• We can assign IP addresses to the SW3 and SW4 interfaces connected to R5 and R6 and ping between them.
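
The extra "mpls ldp neighbor ... password" lines here are needed because 14.2 set "mpls ldp password required" and the xconnect brings up a targeted LDP session to a new peer. The Python check below finds such peers in a saved configuration; it is an added example, not part of the original slides, its function name and the link_peers argument are hypothetical, and the sample configuration is constructed from the page's R5 lines with the 14.14 password line deliberately left out.

```python
import re

# Constructed sample: R5's LDP lines from 14.2 and the 14.14 xconnect, without
# the 14.14 "mpls ldp neighbor 150.1.6.6 password ..." line.
R5_CONFIG = """\
mpls ldp router-id lo0 force
mpls ldp password required
mpls ldp neighbor 150.1.4.4 password CISCO
interface Ethernet0/1
 xconnect 150.1.6.6 100 encapsulation mpls
"""

NEIGHBOR_PW = re.compile(r"mpls ldp neighbor (?:vrf \S+ )?(\S+) password ")
XCONNECT = re.compile(r"xconnect (\S+) \d+ encapsulation mpls")


def audit_ldp_passwords(config, link_peers=()):
    """Return sorted (peer, finding) pairs for LDP peers lacking a password.

    link_peers: router IDs of directly connected LDP neighbors, supplied by
    the caller; targeted peers are discovered from the xconnect lines.
    """
    lines = [line.strip() for line in config.splitlines()]
    required = "mpls ldp password required" in lines
    protected, peers = set(), set(link_peers)
    for line in lines:
        if m := NEIGHBOR_PW.match(line):
            protected.add(m.group(1))
        elif m := XCONNECT.match(line):
            peers.add(m.group(1))
    # With "password required" a peer without a password never comes up;
    # without it the session forms but its TCP segments carry no MD5 digest.
    finding = "session refused" if required else "session unauthenticated"
    return sorted((peer, finding) for peer in peers - protected)


if __name__ == "__main__":
    print(audit_ldp_passwords(R5_CONFIG, link_peers=["150.1.4.4"]))
```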
14.15 L2TPV3
• At R5, similar at R6
pseudowire-class L2TPV3
 encapsulation l2tpv3
 ip local interface lo0
 ip pmtu
 ip dfbit set
 ip tos reflect
default int e0/1
int e0/1
 xconnect 150.1.6.6 100 encapsulation l2tpv3 pw-class L2TPV3
14.16 MPLS VPN Performance Tuning
• At R4
router bgp 100
 address-family vpnv4 unicast
  neighbor 150.1.5.5 advertisement-interval 0
  neighbor 150.1.6.6 advertisement-interval 0
• At R5; R6
router bgp 100
 address-family vpnv4 unicast
  neighbor 150.1.4.4 advertisement-interval 0
  bgp scan import 5