MPLS_Lab_3_AToM


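Layer 2 VPN services can be built on MPLS; this technology is called AToM.
Layer 2 VPN services can also be built on plain IP; this technology is called L2TPv3.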

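FR and ATM are also Layer 2 VPN technologies, but both have gradually left the stage because of scalability problems and their own inherent shortcomings. The trend in today's Internet is to build on IP and converge networks of every other architecture onto IP. In practice, however, there is still a pressing need for Layer 2 VPN technology. Compared with Layer 3 VPNs, Layer 2 VPNs are simpler to deploy and place far less load on the provider's PE routers. Customers also keep more control over their own networks and do not need to exchange routes with the provider.
The following lab introduces the MPLS-based Layer 2 VPN technology AToM (Any Transport over MPLS): running a Layer 2 VPN over MPLS, that is, encapsulating a Layer 2 link inside Layer 2 (or Layer 2.5).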

 

 

 


R2, R3 and R4 provide the MPLS L2VPN service for R1 and R5:
Basic configuration: enable MPLS on R2, R3 and R4
=========================================
hostname R2

ip cef
no ip domain lookup

mpls label range 200 299
mpls label protocol ldp
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!        
interface FastEthernet1/1
ip address 23.2.2.2 255.255.255.0
ip ospf network point-to-point
speed auto
duplex auto
mpls ip
!
router ospf 10
router-id 2.2.2.2
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 23.2.2.0 0.0.0.255 area 0
!
=========================================
hostname R3
!
ip cef
no ip domain lookup
!        
!
multilink bundle-name authenticated
mpls label range 300 399
mpls label protocol ldp
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!        
interface FastEthernet1/0
ip address 23.2.2.3 255.255.255.0
ip ospf network point-to-point
speed auto
duplex auto
mpls ip
!
interface FastEthernet1/1
ip address 34.3.3.3 255.255.255.0
ip ospf network point-to-point
speed auto
duplex auto
mpls ip
!
router ospf 10
router-id 3.3.3.3
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 23.2.2.0 0.0.0.255 area 0
network 34.3.3.0 0.0.0.255 area 0
!
=====================================
hostname R4
!
ip cef
no ip domain lookup
!        
!
multilink bundle-name authenticated
mpls label range 400 499
mpls label protocol ldp

interface Loopback0
ip address 4.4.4.4 255.255.255.255
!        
interface FastEthernet1/0
ip address 34.3.3.4 255.255.255.0
ip ospf network point-to-point
speed auto
duplex auto
mpls ip
!
router ospf 10
router-id 4.4.4.4
log-adjacency-changes
network 4.4.4.4 0.0.0.0 area 0
network 34.3.3.0 0.0.0.255 area 0
!
=========================================
Verification: label distribution in the MPLS network:

R2#sh mpls forwarding-table
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop    
Label  Label or VC   or Tunnel Id      Switched      interface              
200    Pop Label     3.3.3.3/32        0             Fa1/1      23.2.2.3    
201    301           4.4.4.4/32        0             Fa1/1      23.2.2.3    
202    Pop Label     34.3.3.0/24       0             Fa1/1      23.2.2.3    

R3#sh mpls forwarding-table
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop    
Label  Label or VC   or Tunnel Id      Switched      interface              
300    Pop Label     2.2.2.2/32        0             Fa1/0      23.2.2.2    
301    Pop Label     4.4.4.4/32        0             Fa1/1      34.3.3.4    


R4#sh mpls forwarding-table
Local  Outgoing      Prefix            Bytes Label   Outgoing   Next Hop    
Label  Label or VC   or Tunnel Id      Switched      interface              
400    300           2.2.2.2/32        0             Fa1/0      34.3.3.3    
401    Pop Label     3.3.3.3/32        0             Fa1/0      34.3.3.3    
402    Pop Label     23.2.2.0/24       0             Fa1/0      34.3.3.3    

The output above shows that label distribution in the MPLS network is working normally.
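One way to confirm this from the tables, as an added example that is not part of the original post: walk the transport LSP between the two PE loopbacks hop by hop. The LFIB rows and interface addresses are copied from the outputs and configurations above; the function name `trace_lsp` is hypothetical.

```python
# Rows copied from the three "sh mpls forwarding-table" outputs above:
# (local label, outgoing label, prefix, next hop)
LFIB = {
    "R2": [(200, "Pop Label", "3.3.3.3/32", "23.2.2.3"),
           (201, "301", "4.4.4.4/32", "23.2.2.3"),
           (202, "Pop Label", "34.3.3.0/24", "23.2.2.3")],
    "R3": [(300, "Pop Label", "2.2.2.2/32", "23.2.2.2"),
           (301, "Pop Label", "4.4.4.4/32", "34.3.3.4")],
    "R4": [(400, "300", "2.2.2.2/32", "34.3.3.3"),
           (401, "Pop Label", "3.3.3.3/32", "34.3.3.3"),
           (402, "Pop Label", "23.2.2.0/24", "34.3.3.3")],
}
# Interface addresses from the configurations above: next hop -> owning router.
OWNER = {"23.2.2.2": "R2", "23.2.2.3": "R3", "34.3.3.3": "R3", "34.3.3.4": "R4"}
LOOPBACK = {"R2": "2.2.2.2/32", "R3": "3.3.3.3/32", "R4": "4.4.4.4/32"}


def trace_lsp(ingress, prefix):
    """Return [(router, outgoing label, next router), ...] from ingress to prefix."""
    hops, router, label = [], ingress, None
    for _ in range(len(LFIB) + 1):      # bounded walk: a label loop cannot hang
        if LOOPBACK[router] == prefix:  # reached the egress PE
            return hops
        if label is None:               # unlabeled packet: look up the prefix
            rows = [r for r in LFIB[router] if r[2] == prefix]
        else:                           # labeled packet: look up the incoming label
            rows = [r for r in LFIB[router] if r[0] == label and r[2] == prefix]
        if not rows:
            raise LookupError(f"{router}: no LFIB entry for {prefix} (label {label})")
        _, out, _, next_hop = rows[0]
        hops.append((router, out, OWNER[next_hop]))
        router = OWNER[next_hop]
        # "Pop Label" (penultimate-hop popping) leaves no transport label.
        label = int(out) if out.isdigit() else None
    raise RuntimeError("walk did not terminate: possible label loop")


if __name__ == "__main__":
    for src, dst in (("R2", "4.4.4.4/32"), ("R4", "2.2.2.2/32")):
        print(src, "->", dst, trace_lsp(src, dst))
```

Both directions resolve through R3, which pops the transport label before the egress PE; AToM needs this PE-to-PE LSP in each direction.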


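Next, configure the customers. From the point of view of R1 and R5, the connection through the MPLS provider looks like a direct Layer 2 connection. The customers can use private IP addresses between themselves, unlike Layer 3 MPLS/VPN, where the IP addresses between customers have to be assigned by the provider.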

Here only the customers' IP addresses need to be configured:

R1(config)#int f1/0
R1(config-if)#ip addr 192.168.10.1 255.255.255.0
R1(config-if)#no shut

R5(config)#int f1/0
R5(config-if)#ip addr 192.168.10.5 255.255.255.0
R5(config-if)#no shut

Before AToM is deployed, R1 and R5 cannot ping each other. Test:
R1#ping 192.168.10.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
================================================================
Now deploy AToM on the provider's PEs:
R2(config)#int f1/0
R2(config-if)#xconnect 4.4.4.4 100 encapsulation mpls
R2(config-if)#no shut

R4(config)#int f1/1
R4(config-if)#xconnect 2.2.2.2 100 encapsulation mpls
R4(config-if)#no shut

The configuration above uses LDP between the PEs to assign labels for the AToM tunnel; this process is very similar to using MP-iBGP to assign VPN labels in MPLS/VPN.


Now check the state of the AToM tunnel:
R2#sh mpls l2transport vc 100

Local intf     Local circuit              Dest address    VC ID      Status    
-------------  -------------------------- --------------- ---------- ----------
Fa1/0          Ethernet                   4.4.4.4         100        UP        

R4#sh mpls l2transport vc 100

Local intf     Local circuit              Dest address    VC ID      Status    
-------------  -------------------------- --------------- ---------- ----------
Fa1/1          Ethernet                   2.2.2.2         100        UP        

The tunnel state is established.

Check the state of the LDP protocol:

R2#sh mpls ldp neighbor detail
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0     -----------------> This LDP session is the MPLS LDP session; the neighbor is discovered by multicast.
    TCP connection: 3.3.3.3.56025 - 2.2.2.2.646
    Password: not required, none, in use
    State: Oper; Msgs sent/rcvd: 46/46; Downstream; Last TIB rev sent 10
    Up time: 00:34:26; UID: 1; Peer Id 0;
    LDP discovery sources:
      FastEthernet1/1; Src IP addr: 23.2.2.3
        holdtime: 15000 ms, hello interval: 5000 ms
        Addresses bound to peer LDP Ident:
          23.2.2.3        34.3.3.3        3.3.3.3        
    Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 2.2.2.2:0   -----------------> This LDP session is the AToM LDP session; the neighbor is discovered by unicast.
    TCP connection: 4.4.4.4.14357 - 2.2.2.2.646
    Password: not required, none, in use
    State: Oper; Msgs sent/rcvd: 17/17; Downstream; Last TIB rev sent 10
    Up time: 00:07:26; UID: 2; Peer Id 1;
    LDP discovery sources:
      Targeted Hello 2.2.2.2 -> 4.4.4.4, active, passive;   -----------------> A targeted Hello is used here
        holdtime: infinite, hello interval: 10000 ms
        Addresses bound to peer LDP Ident:
          34.3.3.4        4.4.4.4        
    Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab   -----------------> State: established
    Clients: Dir Adj Client
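
Both sessions above report `Password: not required, none, in use`, so neither the link session nor the targeted session that signals VC 100 is authenticated. The check below is an added example, not part of the original post: it parses this output and lists peers without an LDP password. It assumes the three comma-separated fields are requirement, password source and state; the function names are hypothetical.

```python
import re

# Trimmed copy of the "sh mpls ldp neighbor detail" output shown above.
SAMPLE = """\
    Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0
    TCP connection: 3.3.3.3.56025 - 2.2.2.2.646
    Password: not required, none, in use
    LDP discovery sources:
      FastEthernet1/1; Src IP addr: 23.2.2.3
    Peer LDP Ident: 4.4.4.4:0; Local LDP Ident 2.2.2.2:0
    TCP connection: 4.4.4.4.14357 - 2.2.2.2.646
    Password: not required, none, in use
    LDP discovery sources:
      Targeted Hello 2.2.2.2 -> 4.4.4.4, active, passive;
"""

PEER_RE = re.compile(r"Peer LDP Ident: (\d+\.\d+\.\d+\.\d+):\d+;")


def parse_ldp_neighbors(text):
    """Return one dict per LDP peer: router ID, discovery type, password fields."""
    peers, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            cur = {"peer": m.group(1), "discovery": "link", "password": []}
            peers.append(cur)
        elif cur is None:
            continue                      # ignore anything before the first peer
        elif line.startswith("Password:"):
            fields = line[len("Password:"):].split(",")
            cur["password"] = [f.strip() for f in fields]
        elif line.startswith("Targeted Hello"):
            cur["discovery"] = "targeted"  # PE-to-PE session used by AToM
    return peers


def unauthenticated(peers):
    """Peers whose password source is missing or reported as 'none'."""
    return [p["peer"] for p in peers
            if len(p["password"]) < 2 or p["password"][1] == "none"]


if __name__ == "__main__":
    found = parse_ldp_neighbors(SAMPLE)
    for p in found:
        print(p["peer"], p["discovery"], p["password"])
    print("no LDP password:", unauthenticated(found))
```

On IOS a per-peer password is set with `mpls ldp neighbor <peer> password <secret>` and can be made mandatory with `mpls ldp password required`; the same password has to be configured on both ends of the session.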


Now test the L2VPN.

R1#ping 192.168.10.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/32/52 ms

R5#debug ip icmp
ICMP packet debugging is on
R5#
*Apr  4 14:52:21.999: ICMP: echo reply sent, src 192.168.10.5, dst 192.168.10.1, topology BASE, dscp 0 topoid 0
*Apr  4 14:52:22.003: ICMP: echo reply sent, src 192.168.10.5, dst 192.168.10.1, topology BASE, dscp 0 topoid 0
*Apr  4 14:52:22.019: ICMP: echo reply sent, src 192.168.10.5, dst 192.168.10.1, topology BASE, dscp 0 topoid 0
*Apr  4 14:52:22.039: ICMP: echo reply sent, src 192.168.10.5, dst 192.168.10.1, topology BASE, dscp 0 topoid 0
*Apr  4 14:52:22.055: ICMP: echo reply sent, src 192.168.10.5, dst 192.168.10.1, topology BASE, dscp 0 topoid 0

R1 can ping R5's f1/0 interface, which achieves the goal of the Layer 2 VPN.

 

posted @ 2020-05-03 22:36  cyrusxx