Mastering the fundamentals to avoid going astray: an MPLS VPN network case study
I. Network case
Network overview:
In the topology, PE B and PE C run an intra-domain MPLS VPN, while PE A and PE B run MPLS VPN Option B inter-AS. PE B establishes an IBGP peering with PE C and an EBGP peering with PE A. CE D forms OSPF adjacencies with both PE B and PE C (CE D advertises its loopback route 5.5.5.5/32). On PE B and PE C, OSPF routes are imported into MP-BGP, and MP-BGP routes are imported into the OSPF multi-instance process.
VPN1 configuration on PE A:
ip vpn-instance 1
route-distinguisher 2:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
VPN1 configuration on PE B:
ip vpn-instance 1
route-distinguisher 2:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
After all devices have converged, the path from PE A to 5.5.5.5 turns out to be PE A -> PE B -> PE C -> CE D. In other words, PE A prefers the BGP VPNv4 route advertised by PE C. Why?
II. Case analysis
First, view the route to 5.5.5.5/32 in VPN1 on PE A:
<RT1>display bgp vpnv4 vpn-instance 1 routing-table 5.5.5.5 32
BGP local router ID : 10.0.0.1
Local AS number : 200
Paths: 2 available, 1 best
BGP routing table entry information of 5.5.5.5/32:
From : 10.0.0.2 (30.0.0.1)
Relay Nexthop : 0.0.0.0
Original nexthop: 10.0.0.2
Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 20.0.0.1:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>
AS-path : 100
Origin : incomplete
Attribute value : MED 2, pref-val 0, pre 255
State : valid, external,
Not advertised to any peers yet
BGP routing table entry information of 5.5.5.5/32:
From : 10.0.0.2 (30.0.0.1)
Relay Nexthop : 0.0.0.0
Original nexthop: 10.0.0.2
Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 30.0.0.2:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>
AS-path : 100
Origin : incomplete
Attribute value : pref-val 0, pre 255
State : valid, external, best,
Not advertised to any peers yet
The OSPF Router Id field confirms that PE A prefers the BGP VPNv4 route originated by PE C. It is preferred because it carries no MED, whereas the BGP VPNv4 route originated by PE B carries a MED of 2. This raises several questions:
Question 1: The protocol states that a BGP speaker advertises only the routes it uses itself to its peers. Why then does PE B advertise two BGP VPNv4 routes to PE A?
First check the VPN1 routing table on PE B to confirm which route is preferred. The locally preferred route turns out to be the one learned through the OSPF multi-instance process:
<RT4>display ip routing-table vpn-instance 1 5.5.5.5
Destination/Mask Proto Pre Cost NextHop Interface
5.5.5.5/32 OSPF 10 1 20.0.0.2 S0/2/1
So why does PE B advertise two BGP VPNv4 routes to PE A?
BGP VPNv4 keeps one routing table per RD, and in each table the BGP speaker advertises its best BGP route to its peers. Routes with different RDs are different routes. Because the RDs of VPN 1 on PE B and PE C differ, PE B sends PE A two BGP VPNv4 routes for 5.5.5.5/32, one per RD.
Looking at the BGP VPNv4 routes on PE A, there are two routes to 5.5.5.5/32 with different RD attributes:
<RT1>display bgp vpnv4 all routing-table
BGP Local router ID is 10.0.0.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 4
Route Distinguisher: 2:2
Network NextHop In/Out Label MED LocPrf
*> 5.5.5.5/32 10.0.0.2 NULL/1024 2
*> 40.0.0.0/24 10.0.0.2 NULL/1024 1564
Route Distinguisher: 1:1
Network NextHop In/Out Label MED LocPrf
*> 5.5.5.5/32 10.0.0.2 NULL/1028
*> 20.0.0.0/24 10.0.0.2 NULL/1028
Question 2: Why does the BGP VPNv4 route for 5.5.5.5/32 with RD 1:1 carry no MED attribute when PE B advertises it to PE A?
The protocol states that the MED attribute is exchanged only between two adjacent ASes; an AS that receives the attribute does not pass it on to any other AS. So when PE B advertises the RD 1:1 route for 5.5.5.5/32 to PE A, the route carries no MED. If MED is to be used to steer path selection, it must be set on the BGP border router.
Question 3: PE A's routes to 5.5.5.5 all have PE B as the next hop, and PE B prefers reaching 5.5.5.5 via OSPF. Why do the packets detour through PE C?
Let us walk through the forwarding process, starting with the label forwarding table for 5.5.5.5 on PE A:
[RT1]display bgp vpnv4 vpn-instance 1 routing-table label
BGP Local router ID is 10.0.0.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total routes of vpn-instance 1: 5
Network NextHop In/Out Label
* 5.5.5.5/32 10.0.0.2 NULL/1024
*> 5.5.5.5/32 10.0.0.2 NULL/1028
* >40.0.0.0/24 10.0.0.2 NULL/1024
* > 20.0.0.0/24 10.0.0.2 NULL/1026
The best private-network label is 1028, so in this Option B inter-AS setup PE A sends packets for 5.5.5.5 to PE B carrying label 1028. When a packet arrives at PE B, PE B looks up the label table of the BGP VPNv4 routes (not the label table of the local vpn1 routes): an ASBR performs label swapping only for packets coming from the peer ASBR, and that lookup is done in the BGP VPNv4 route label table.
[H3C]display bgp vpnv4 all routing-table label
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 3
Route Distinguisher: 1:1
Network NextHop In/Out Label
*>i 5.5.5.5/32 1.1.1.1 1028/1025
*>i 20.0.0.0/24 1.1.1.1 1028/1025
Route Distinguisher: 3:3
Network NextHop In/Out Label
*> 6.6.6.6/32 10.0.0.1 1027/1024
Total routes of vpn-instance 1: 1
Network NextHop In/Out Label
*> 5.5.5.5/32 20.0.0.2 1024/NULL
* i 5.5.5.5/32 1.1.1.1 NULL/1025
*> 6.6.6.6/32 10.0.0.1 NULL/1024
* i 20.0.0.0/24 1.1.1.1 NULL/1025
*> 40.0.0.0/24 20.0.0.2 1024/NULL
PE B then uses the BGP VPNv4 route label table to swap the private-network label to 1025 (the public-network label is popped at the penultimate hop) and forwards the packet to PE C. When PE C receives the packet with private-network label 1025 and finds that it allocated this label itself, it pops the private-network label and forwards the packet according to its routing table.
[R1-bgp]display bgp vpnv4 all routing-table label
BGP Local router ID is 1.1.1.1
Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 3
Route Distinguisher: 2:2
Network NextHop In/Out Label
*^ i 5.5.5.5/32 2.2.2.2 NULL/1024
*^ i 40.0.0.0/24 2.2.2.2 NULL/1024
Total routes of vpn-instance 1: 5
Network NextHop In/Out Label
*^> 5.5.5.5/32 40.0.0.1 1024/NULL
* i 5.5.5.5/32 2.2.2.2 NULL/1024
* i 40.0.0.0/24 2.2.2.2 NULL/1024
*^> 20.0.0.0/24 40.0.0.1 1024/NULL
III. Summary
Using an inter-AS Option B setup, this case examines three common misconceptions:
1. A BGP speaker advertises only the routes it uses itself to its peers, but "the routes it uses" are not the routes present in the local routing table; they are the BGP best routes (and for VPN routes, best is determined per RD);
2. Use of the MED attribute: a MED modified on a non-border router cannot be passed through the border router into another AS;
3. Label forwarding looks up the BGP VPNv4 route label table, not the label table of the local VPN routes; take particular care on the ASBR (this is easy to understand, since in many deployments the ASBR does not need a VPN instance at all).
IV. Extension
In this setup, how can packets from PE A be forwarded directly to the CE when they reach PE B, instead of to PE C?
There are several methods; those interested can explore them. Here is one example:
On PE C, tag the imported routes with a community such as 100:1; then on PE B, when advertising to PE C, match routes carrying community 100:1 with a route policy and raise their MED.
Key configuration on PE C:
[R1-bgp]
bgp 100
undo synchronization
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family vpn-instance 1
import-route ospf 1 route-policy comm
#
ipv4-family vpnv4
peer 2.2.2.2 enable
peer 2.2.2.2 advertise-community
[R1-bgp]display route-policy comm
Route-policy : comm
permit : 10
apply community 100:1
Key configuration on PE B:
[R2-bgp]
bgp 100
undo synchronization
peer 1.1.1.1 as-number 100
peer 10.0.0.1 as-number 200
peer 1.1.1.1 connect-interface LoopBack0
#
ipv4-family vpn-instance 1
import-route ospf 1
#
ipv4-family vpnv4
peer 1.1.1.1 enable
peer 10.0.0.1 enable
peer 10.0.0.1 route-policy med export
[R2-bgp]display route-policy med
Route-policy : med
permit : 10
if-match community 10
apply cost 10
permit : 20
[R2-bgp]display ip community-list 10
Community List Number 10
permit 100:1
After adding the configuration, look at the VPNv4 routes on PE B:
[R2-bgp]display bgp vpnv4 all routing-table 5.5.5.5 32
BGP local router ID : 2.2.2.2
Local AS number : 100
Route Distinguisher: 1:1
Paths: 1 available, 0 best, 1 VPNv4 best
BGP routing table entry information of 5.5.5.5/32:
Label information (Received/Applied): 1024/1026
From : 1.1.1.1 (1.1.1.1)
Original nexthop: 1.1.1.1
Community : <100:1>
Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 40.0.0.2:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>
AS-path : (null)
Origin : incomplete
Attribute value : MED 2, localpref 100, pref-val 0, pre 255
State : valid, internal, VPNv4 best,
Advertised to such 1 peers:
10.0.0.1
Total Number of Routes: 2(1)
Paths: 2 available, 1 best, 1 VPNv4 best
BGP routing table entry information of 5.5.5.5/32:
Imported route.
Label information (Received/Applied): NULL/1024
From : 0.0.0.0 (0.0.0.0)
Original nexthop: 20.0.0.2
Ext-Community :<OSPF Domain Id: 0.0.0.0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>, <OSPF Router Id: 20.0.0.1:0:0>, <RT: 1:1>
AS-path : (null)
Origin : incomplete
Attribute value : MED 2, pref-val 0, pre 10
State : valid, local, best, VPNv4 best,
Not advertised to any peers yet
Advertised to such 2 VPNv4 peers:
1.1.1.1
10.0.0.1
BGP routing table entry information of 5.5.5.5/32:
Label information (Received/Applied): 1024/NULL
From : 1.1.1.1 (1.1.1.1)
Relay Nexthop : 0.0.0.0
Original nexthop: 1.1.1.1
Community : <100:1>
Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 40.0.0.2:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>
AS-path : (null)
Origin : incomplete
Attribute value : MED 2, localpref 100, pref-val 0, pre 255
State : valid, internal,
Not advertised to any peers yet
Not advertised to any VPNv4 peers yet
Now look at the route preference on PE A again:
[R6]display bgp vpnv4 all routing-table 5.5.5.5 32
BGP local router ID : 6.6.6.6
Local AS number : 200
Route Distinguisher: 2:2
Paths: 1 available, 0 best, 1 VPNv4 best
BGP routing table entry information of 5.5.5.5/32:
Label information (Received/Applied): 1024/NULL
From : 10.0.0.2 (2.2.2.2)
Original nexthop: 10.0.0.2
Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 20.0.0.1:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>
AS-path : 100
Origin : incomplete
Attribute value : MED 2, pref-val 0, pre 255
State : valid, external, VPNv4 best,
Not advertised to any peers yet
Route Distinguisher: 1:1
Paths: 1 available, 0 best, 1 VPNv4 best
BGP routing table entry information of 5.5.5.5/32:
Label information (Received/Applied): 1026/NULL
From : 10.0.0.2 (2.2.2.2)
Original nexthop: 10.0.0.2
Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 40.0.0.2:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>
AS-path : 100
Origin : incomplete
Attribute value : MED 10, pref-val 0, pre 255
State : valid, external, VPNv4 best,
Not advertised to any peers yet
Total Number of Routes: 2(1)
Paths: 2 available, 1 best, 0 VPNv4 best
BGP routing table entry information of 5.5.5.5/32:
Label information (Received/Applied): 1024/NULL
From : 10.0.0.2 (2.2.2.2)
Relay Nexthop : 0.0.0.0
Original nexthop: 10.0.0.2
Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 20.0.0.1:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>
AS-path : 100
Origin : incomplete
Attribute value : MED 2, pref-val 0, pre 255
State : valid, external, best,
Not advertised to any peers yet
Not advertised to any VPNv4 peers yet
BGP routing table entry information of 5.5.5.5/32:
Label information (Received/Applied): 1026/NULL
From : 10.0.0.2 (2.2.2.2)
Relay Nexthop : 0.0.0.0
Original nexthop: 10.0.0.2
Ext-Community : <RT: 1:1>, <OSPF Domain Id: 0.0.0.0:0>, <OSPF Router Id: 40.0.0.2:0:0>, <OSPF AreaNum: 0.0.0.0 RouteType: 1 Option: 0>
AS-path : 100
Origin : incomplete
Attribute value : MED 10, pref-val 0, pre 255
State : valid, external,
Not advertised to any peers yet
Not advertised to any VPNv4 peers yet
The BGP VPNv4 selection information on PE A shows that, following the BGP path selection rules, the route sent by PE B is now preferred. Comparing the OSPF Router Id also confirms that PE A prefers the BGP VPNv4 route originated by PE B and installs it into the VPN routing table.
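As an added illustration of the per-RD selection in Question 1, the MED behaviour in Question 2 and the community-based fix in Section IV, the following Python model (written for this article, not device or vendor code) replays PE A's choice before and after the route policy. The route objects, the simplified tie-break and the "PE B"/"PE C" originator names are assumptions; only the RDs, MED 2, community 100:1 and cost 10 come from the page.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional

@dataclass
class VpnRoute:
    rd: str                     # route distinguisher, e.g. "1:1"
    prefix: str
    origin_pe: str              # which PE originated the route (assumed label)
    med: Optional[int] = None   # None means the MED attribute is absent
    community: List[str] = field(default_factory=list)
    local: bool = False         # True if imported on this PE (from OSPF)

def best_per_rd(routes: List[VpnRoute]) -> List[VpnRoute]:
    """BGP VPNv4 keeps one table per RD and picks one best path per table."""
    tables: Dict[str, List[VpnRoute]] = {}
    for r in routes:
        tables.setdefault(r.rd, []).append(r)
    # simplified tie-break: locally originated first, then lower MED (absent = 0)
    return [min(t, key=lambda r: (not r.local, r.med or 0)) for t in tables.values()]

def ebgp_export(routes: List[VpnRoute], policy=None) -> List[VpnRoute]:
    """Advertise every per-RD best route to the EBGP peer.  As the page observes,
    a MED learned from another speaker is not passed on to the next AS; only a
    locally set MED, or one applied by an export route-policy, is sent."""
    out = []
    for r in best_per_rd(routes):
        med = r.med if r.local else None
        if policy is not None:
            med = policy(r, med)
        out.append(replace(r, med=med, local=False))
    return out

def receiver_best(routes: List[VpnRoute]) -> VpnRoute:
    """The receiving PE compares all candidates for the prefix across RDs;
    a missing MED counts as 0, so 'no MED' beats 'MED 2'."""
    return min(routes, key=lambda r: r.med or 0)

def med_policy(r: VpnRoute, med: Optional[int]) -> Optional[int]:
    """Route-policy 'med' from the page: if-match community 100:1 -> apply cost 10."""
    return 10 if "100:1" in r.community else med

# Constructed sample input: PE B's own OSPF-imported route (RD 2:2, MED 2 from the
# OSPF cost) and the route learned over IBGP from PE C (RD 1:1, tagged 100:1).
PEB_ROUTES = [
    VpnRoute("2:2", "5.5.5.5/32", "PE B", med=2, local=True),
    VpnRoute("1:1", "5.5.5.5/32", "PE C", med=2, community=["100:1"]),
]

def pea_choice(policy=None) -> str:
    return receiver_best(ebgp_export(PEB_ROUTES, policy)).origin_pe
```

Calling pea_choice() returns "PE C" (the no-MED route wins), while pea_choice(med_policy) returns "PE B", matching the two PE A outputs above.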