实战Cisco: MPLS VPN: Cisco &Juniper together


I recently ran an MPLS VPN lab using a Cisco router and a Juniper router as PEs. The Juniper configuration method is: first name the route targets, then reference them in a policy-statement, and finally have the routing-instance use the specified policy.

Author: China IT Lab, 18 September 2007

Keywords: VPN, virtual private network, SSL VPN, IPsec VPN


I recently ran an MPLS VPN lab using a Cisco router and a Juniper router as PEs. In the lab, R1 (Cisco) and R2 (Juniper) are interconnected over an ATM backbone, the P-network uses IS-IS as its IGP, and R2 acts as the MP-BGP route reflector. Juniper and Cisco interoperated well on the interconnecting ports and on the IGP and BGP routing protocols; I did not run into any problems.

The lab uses loopback interfaces to simulate the VPN customer networks. Unlike Cisco's model, a Juniper router has only one loopback interface (lo0), but it can be divided into logical units (when used for MPLS VPN), and only /32 addresses can be used on it.

Probably not many readers are familiar with the Juniper command-line interface.

Detailed configuration:

Cisco router configuration:

  version 12.3
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  !
  hostname R1
  !
  ip subnet-zero
  no ip source-route
  ip cef
  !
  ip vrf vpn_a
   rd 2:1
   route-target export 111:1
   route-target import 111:1
   route-target import 111:2
  !
  ip vrf vpn_b
   rd 3:304
   route-target export 222:304
   route-target export 111:2
   route-target import 222:3
   route-target import 111:1
  !
  mpls label protocol ldp
  mpls ldp logging neighbor-changes
  no ftp-server write-enable
  !
  interface Loopback0
   ip address 192.168.40.1 255.255.255.255
   ip router isis
  !
  interface Loopback200
   ip vrf forwarding vpn_a
   ip address 10.10.64.1 255.255.255.0
  !
  interface Loopback300
   ip vrf forwarding vpn_b
   ip address 10.10.65.1 255.255.255.0
  !
  interface ATM2/0
   no ip address
   no atm ilmi-keepalive
  !
  interface ATM2/0.1 point-to-point
   ip address 192.168.34.4 255.255.255.0
   ip router isis
   pvc 1/134
    protocol ip 192.168.34.3 broadcast
    encapsulation aal5snap
   !
   tag-switching ip
  !
  router isis
   net 47.0001.0000.0000.4444.00
  !
  router bgp 65888
   no synchronization
   bgp router-id 192.168.40.1
   bgp log-neighbor-changes
   neighbor rr-server peer-group
   neighbor rr-server remote-as 65888
   neighbor rr-server update-source Loopback0
   neighbor 192.168.30.1 peer-group rr-server
   no auto-summary
   !
   address-family vpnv4
    neighbor 192.168.30.1 activate
    neighbor 192.168.30.1 send-community both
   exit-address-family
   !
   address-family ipv4 vrf vpn_b
    redistribute connected
    no auto-summary
    no synchronization
   exit-address-family
  !
  no ip http server
  ip classless
  !
  line con 0
  line aux 0
  line vty 0 4
   login
  !
  end

  Juniper router configuration:

  version 6.0R1.5;
  system {
      host-name R2;
      login {
          user juny {
              uid 2001;
              class super-user;
              authentication {
                  encrypted-password "$1$fhr423rkSB$0/fnrTsdfljwerWbeHX0"; # SECRET-DATA
              }
          }
      }
      services {
          telnet;
      }
  }
  chassis {
      no-source-route;
  }
  interfaces {
      at-0/0/1 {
          description "To ATM Backbone";
          atm-options {
              vpi 1 {
                  maximum-vcs 1023;
              }
          }
          unit 2 {
              encapsulation atm-snap;
              vci 1.134;
              family inet {
                  address 192.168.34.3/24;
              }
              family iso;
              family mpls;
          }
      }
      vt-0/3/0 {
          unit 200 {
              family inet;
              family mpls;
          }
          unit 300 {
              family inet;
              family mpls;
          }
      }
      lo0 {
          unit 0 {
              family inet {
                  address 192.168.30.1/32;
              }
              family iso {
                  address 47.0001.0000.0000.3333.00;
              }
          }
          unit 200 {
              description "For vpn_a";
              family inet {
                  address 10.10.0.1/32;
              }
          }
          unit 300 {
              description "For vpn_b";
              family inet {
                  address 10.10.1.1/32;
              }
          }
      }
  }
  routing-options {
      router-id 192.168.30.1;
      autonomous-system 65888;
  }
  protocols {
      mpls {
          interface at-0/0/1.2;
      }
      bgp {
          local-address 192.168.30.1;
          group rr-client {
              type internal;
              local-address 192.168.30.1;
              family inet-vpn {
                  any;
              }
              cluster 192.168.30.1;
              neighbor 192.168.10.1;
              neighbor 192.168.20.1;
              neighbor 192.168.40.1;
              neighbor 192.168.50.1;
              neighbor 192.168.60.1;
          }
      }
      isis {
          level 2 wide-metrics-only;
          interface at-0/0/1.2;
          interface lo0.0;
      }
      ldp {
          interface at-0/0/1.2;
          interface lo0.0;
      }
  }
  policy-options {
      policy-statement vpn_a-import {
          term a {
              from community [ vpn_a vpn_a-im ];
              then accept;
          }
          term b {
              then reject;
          }
      }
      policy-statement vpn_a-export {
          term a {
              from protocol direct;
              then {
                  community add vpn_a;
                  accept;
              }
          }
          term b {
              then reject;
          }
      }
      policy-statement vpn_b-import {
          term a {
              from community [ vpn_b-province-to-city vpn_b-r4-site1 vpn_a ];
              then accept;
          }
          term b {
              then reject;
          }
      }
      policy-statement vpn_b-export {
          term a {
              from protocol direct;
              then {
                  community add vpn_b-site1-to-province;
                  community add vpn_a-im;
                  accept;
              }
          }
          term b {
              then reject;
          }
      }
      community vpn_a members target:111:1;
      community vpn_a-im members target:111:2;
      community vpn_b members target:111:2;
      community vpn_b-province-to-city members target:222:1;
      community vpn_b-r4-site1 members target:222:304;
      community vpn_b-site1-to-province members target:222:3;
  }
  routing-instances {
      vpn_a {
          description "For vpn_a";
          instance-type vrf;
          interface lo0.200;
          interface vt-0/3/0.200;
          route-distinguisher 2:1;
          vrf-import vpn_a-import;
          vrf-export vpn_a-export;
          routing-options {
              auto-export;
          }
      }
      vpn_b {
          description "For vpn_b";
          instance-type vrf;
          interface lo0.300;
          interface vt-0/3/0.300;
          route-distinguisher 3:3;
          vrf-import vpn_b-import;
          vrf-export vpn_b-export;
          routing-options {
              auto-export;
          }
      }
  }

  A few notes:

  1. Cisco uses TDP as its label distribution protocol by default; to interoperate with other vendors, LDP must be specified explicitly. Whether TDP or LDP is used, CEF must be enabled to support it.

  Configuration command: mpls label protocol ldp

  2. If VPN Site 1 must communicate with Site 2 and Site 3, but Site 2 and Site 3 must not communicate with each other, use the VPN overlay feature. Cisco's configuration is simple and clear:

  ip vrf site1
   route-target import 1:2
   route-target import 1:3
   route-target export 1:1

  ip vrf site2
   route-target import 1:1
   route-target export 1:2

  ip vrf site3
   route-target import 1:1
   route-target export 1:3

  The Juniper method is: first name the route targets (as communities), then reference them in a policy-statement, and finally have the routing-instance use the specified policy. In addition, Juniper requires the routing-instance's auto-export feature to be enabled; otherwise the directly connected routes of site1 on that PE cannot be imported into another site on the same PE.
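The route-target matching behind both vendor configurations above can be checked before anything is committed to a router. The Python below is an added example, not code from the original article: it transcribes the export and import route targets of the four VRFs (R1 and R2, vpn_a and vpn_b; the "R1:vpn_a" style names are labels chosen here) plus the site1/site2/site3 overlay from note 2, and derives which VRF ends up holding whose routes. It models route-target matching only, so it assumes each VRF's routes actually reach MP-BGP (on the Juniper PE that also needs auto-export for same-PE import, as described above).

```python
"""Route-target audit for the MPLS VPN configs above (added example, not the
article's own code). A VRF imports another VRF's routes when the exporter's
route-target set intersects the importer's import set; from that rule the
reachability between VRFs on both PEs, and the site1/site2/site3 overlay
from note 2, can be checked before anything is pushed to a router."""
from itertools import permutations

# VRF -> (export RTs, import RTs), transcribed from the R1 and R2 configs
VRFS = {
    "R1:vpn_a": ({"111:1"}, {"111:1", "111:2"}),
    "R1:vpn_b": ({"222:304", "111:2"}, {"222:3", "111:1"}),
    "R2:vpn_a": ({"111:1"}, {"111:1", "111:2"}),
    "R2:vpn_b": ({"222:3", "111:2"}, {"222:1", "222:304", "111:1"}),
}
# Hub-and-spoke overlay from note 2 (site1 hub, site2/site3 spokes)
OVERLAY = {
    "site1": ({"1:1"}, {"1:2", "1:3"}),
    "site2": ({"1:2"}, {"1:1"}),
    "site3": ({"1:3"}, {"1:1"}),
}


def can_import(vrfs, dst, src):
    """True if VRF dst installs VPNv4 routes exported by VRF src."""
    exports, _ = vrfs[src]
    _, imports = vrfs[dst]
    return bool(exports & imports)


def reachability(vrfs):
    """Ordered pairs (dst, src): dst has src's routes in its table."""
    return {(d, s) for d, s in permutations(vrfs, 2) if can_import(vrfs, d, s)}


def one_way_pairs(vrfs):
    """Pairs reachable in one direction only: the usual mistyped-RT symptom."""
    r = reachability(vrfs)
    return sorted((d, s) for d, s in r if (s, d) not in r)


def check_hub_spoke(vrfs, hub):
    """Spokes must reach the hub both ways and must never reach each other."""
    r = reachability(vrfs)
    spokes = [v for v in vrfs if v != hub]
    hub_ok = all((hub, s) in r and (s, hub) in r for s in spokes)
    isolated = all((a, b) not in r for a in spokes for b in spokes if a != b)
    return hub_ok and isolated
```

Judged by route targets alone, each of the four VRFs imports the other three, so vpn_a and vpn_b form a full extranet across both PEs rather than two isolated VPNs; the note-2 overlay passes check_hub_spoke, and a spoke that mistakenly imports another spoke's target shows up in one_way_pairs.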

  

  3. Source routing is a threat to environments that use VPN overlay. If VPN Site 1 can reach Site 2 and Site 3, but policy requires that Site 2 and Site 3 must not reach each other, a user in Site 2 could potentially use source routing to reach Site 3 via Site 1.

  Cisco router command to disable source routing:

  no ip source-route

  Juniper router configuration to disable source routing:

  chassis {
      no-source-route;
  }

  4. PE-to-CE port issue:

  According to Juniper's engineers, because Juniper's main
