Roles of the routers in the network topology
R1, R2: PE routers. They connect to the core routers in the ISP's MPLS network and to the CE routers at the customer sites.
R3, R4: P routers. They perform MPLS switching and IGP routing in the ISP core.
R5, R6: CE routers on the customer side, connected to the service provider's PE routers.
Processes:
OSPF process 1: IGP routing in the ISP core.
OSPF process 100: OSPF routing with the CE of CUS_A.
OSPF process 200: OSPF routing with the CE of CUS_B.
BGP AS 1: MP-iBGP routing between the PE routers.
Traffic Engineering: TUNNEL1: R1->R3->R2 for customer CUS_A (172.16.1.0/24, 172.16.2.0/24)
TUNNEL2: R1->R4->R2 for customer CUS_B (172.16.3.0/24, 172.16.4.0/24)
IPsec is configured on the CE routers (R5 and R6) at the two customer endpoints so that data is encrypted while it crosses the ISP backbone.
Configuration files:
-------R1------------
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
ip vrf CUS_A
rd 1:1
route-target export 1:1
route-target import 1:1
bgp next-hop Loopback1
!
ip vrf CUS_B
rd 1:2
route-target export 1:2
route-target import 1:2
bgp next-hop Loopback2
!
!
multilink bundle-name authenticated
mpls traffic-eng tunnels
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Loopback1
ip address 100.100.100.100 255.255.255.255
!
interface Loopback2
ip address 200.200.200.200 255.255.255.255
!
interface Tunnel1
ip unnumbered Loopback0
mpls ip
tunnel destination 2.2.2.2
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng path-option 8 explicit name TUNNEL1
tunnel mpls traffic-eng path-option 9 explicit name TUNNEL2
no routing dynamic
!
interface Tunnel2
ip unnumbered Loopback0
mpls ip
tunnel destination 2.2.2.2
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng path-option 8 explicit name TUNNEL2
tunnel mpls traffic-eng path-option 9 explicit name TUNNEL1
no routing dynamic
!
interface FastEthernet0/0
ip vrf forwarding CUS_A
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip vrf forwarding CUS_B
ip address 172.16.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial1/0
ip address 192.168.13.1 255.255.255.0
mpls ip
mpls traffic-eng tunnels
serial restart-delay 0
ip rsvp bandwidth 2000 2000
!
interface Serial1/1
ip address 192.168.14.1 255.255.255.0
mpls ip
mpls traffic-eng tunnels
serial restart-delay 0
ip rsvp bandwidth 2000 2000
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 100 vrf CUS_A
router-id 1.1.1.100
log-adjacency-changes
redistribute bgp 1 subnets
passive-interface default
no passive-interface FastEthernet0/0
network 172.16.1.0 0.0.0.255 area 0
!
router ospf 200 vrf CUS_B
router-id 1.1.1.200
log-adjacency-changes
redistribute bgp 1 subnets
passive-interface default
no passive-interface FastEthernet0/1
network 172.16.3.0 0.0.0.255 area 0
!
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
router-id 1.1.1.1
log-adjacency-changes
passive-interface default
no passive-interface Serial1/0
no passive-interface Serial1/1
network 1.1.1.1 0.0.0.0 area 0
network 192.168.13.0 0.0.0.255 area 0
network 192.168.14.0 0.0.0.255 area 0
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor group-vpnv4 peer-group
neighbor group-vpnv4 remote-as 1
neighbor group-vpnv4 update-source Loopback0
neighbor 2.2.2.2 peer-group group-vpnv4
no auto-summary
!
address-family vpnv4
neighbor group-vpnv4 send-community extended
neighbor 2.2.2.2 activate
exit-address-family
!
address-family ipv4 vrf CUS_B
redistribute ospf 200 vrf CUS_B
no synchronization
exit-address-family
!
address-family ipv4 vrf CUS_A
redistribute ospf 100 vrf CUS_A
no synchronization
exit-address-family
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 100.100.100.101 255.255.255.255 Tunnel1
ip route 200.200.200.201 255.255.255.255 Tunnel2
!
!
!
ip explicit-path name TUNNEL2 enable
next-address 192.168.14.4
next-address 192.168.24.2
next-address 2.2.2.2
!
ip explicit-path name TUNNEL1 enable
next-address 192.168.13.3
next-address 192.168.23.2
next-address 2.2.2.2
!
!
!
mpls ldp router-id Loopback0
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
------------R2-------------------------
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
ip vrf CUS_A
rd 1:1
route-target export 1:1
route-target import 1:1
bgp next-hop Loopback1
!
ip vrf CUS_B
rd 1:2
route-target export 1:2
route-target import 1:2
bgp next-hop Loopback2
!
!
multilink bundle-name authenticated
mpls traffic-eng tunnels
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
ip address 100.100.100.101 255.255.255.255
!
interface Loopback2
ip address 200.200.200.201 255.255.255.255
!
interface Tunnel1
ip unnumbered Loopback0
mpls ip
tunnel destination 1.1.1.1
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng path-option 8 explicit name TUNNEL1
tunnel mpls traffic-eng path-option 9 explicit name TUNNEL2
no routing dynamic
!
interface Tunnel2
ip unnumbered Loopback0
mpls ip
tunnel destination 1.1.1.1
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng path-option 8 explicit name TUNNEL2
tunnel mpls traffic-eng path-option 9 explicit name TUNNEL1
no routing dynamic
!
interface FastEthernet0/0
ip vrf forwarding CUS_A
ip address 172.16.2.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip vrf forwarding CUS_B
ip address 172.16.4.1 255.255.255.0
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
ip address 192.168.24.2 255.255.255.0
mpls ip
mpls traffic-eng tunnels
serial restart-delay 0
ip rsvp bandwidth 2000 2000
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
ip address 192.168.23.2 255.255.255.0
duplex auto
speed auto
mpls ip
mpls traffic-eng tunnels
ip rsvp bandwidth 2000 2000
ip rsvp resource-provider none
!
router ospf 100 vrf CUS_A
router-id 2.2.2.100
log-adjacency-changes
redistribute bgp 1 subnets
passive-interface default
no passive-interface FastEthernet0/0
network 172.16.2.0 0.0.0.255 area 0
!
router ospf 200 vrf CUS_B
router-id 2.2.2.200
log-adjacency-changes
redistribute bgp 1 subnets
passive-interface default
no passive-interface FastEthernet0/1
network 172.16.4.0 0.0.0.255 area 0
!
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
router-id 2.2.2.2
log-adjacency-changes
passive-interface default
no passive-interface Serial1/1
no passive-interface FastEthernet2/0
network 2.2.2.2 0.0.0.0 area 0
network 100.100.100.101 0.0.0.0 area 0
network 192.168.23.0 0.0.0.255 area 0
network 192.168.24.0 0.0.0.255 area 0
network 200.200.200.201 0.0.0.0 area 0
!
router bgp 1
no synchronization
bgp log-neighbor-changes
neighbor group-vpnv4 peer-group
neighbor group-vpnv4 remote-as 1
neighbor group-vpnv4 update-source Loopback0
neighbor 1.1.1.1 peer-group group-vpnv4
no auto-summary
!
address-family vpnv4
neighbor group-vpnv4 send-community extended
neighbor 1.1.1.1 activate
exit-address-family
!
address-family ipv4 vrf CUS_B
redistribute ospf 200 vrf CUS_B
no synchronization
exit-address-family
!
address-family ipv4 vrf CUS_A
redistribute ospf 100 vrf CUS_A
no synchronization
exit-address-family
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 100.100.100.100 255.255.255.255 Tunnel1
ip route 200.200.200.200 255.255.255.255 Tunnel2
!
!
!
ip explicit-path name TUNNEL2 enable
next-address 192.168.24.4
next-address 192.168.14.1
next-address 1.1.1.1
!
ip explicit-path name TUNNEL1 enable
next-address 192.168.23.3
next-address 192.168.13.1
next-address 1.1.1.1
!
!
!
mpls ldp router-id Loopback0
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
------------------R3-------------------------
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
!
multilink bundle-name authenticated
mpls traffic-eng tunnels
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 192.168.13.3 255.255.255.0
mpls ip
mpls traffic-eng tunnels
serial restart-delay 0
ip rsvp bandwidth 2000 2000
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
ip address 192.168.23.3 255.255.255.0
duplex auto
speed auto
mpls ip
mpls traffic-eng tunnels
ip rsvp bandwidth 2000 2000
!
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
log-adjacency-changes
passive-interface default
no passive-interface Serial1/0
no passive-interface FastEthernet2/0
network 3.3.3.3 0.0.0.0 area 0
network 192.168.13.0 0.0.0.255 area 0
network 192.168.23.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
ip forward-protocol nd
!
!
!
!
!
mpls ldp router-id Loopback0
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
--------------------------R4--------------------------------
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
!
multilink bundle-name authenticated
mpls traffic-eng tunnels
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 192.168.14.4 255.255.255.0
mpls ip
mpls traffic-eng tunnels
serial restart-delay 0
ip rsvp bandwidth 2000 2000
!
interface Serial1/1
ip address 192.168.24.4 255.255.255.0
mpls ip
mpls traffic-eng tunnels
serial restart-delay 0
ip rsvp bandwidth 2000 2000
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
log-adjacency-changes
passive-interface default
no passive-interface Serial1/0
no passive-interface Serial1/1
network 4.4.4.4 0.0.0.0 area 0
network 192.168.14.0 0.0.0.255 area 0
network 192.168.24.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
ip forward-protocol nd
!
!
!
!
!
mpls ldp router-id Loopback0
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
------------------------------R5-------------------------
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile PF
set transform-set TS
!
!
!
!
!
!
!
!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
!
interface Tunnel3
ip unnumbered Loopback0
tunnel source 172.16.1.2
tunnel destination 172.16.2.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile PF
!
interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.3.2 255.255.255.0
duplex auto
speed auto
!
router ospf 100
log-adjacency-changes
passive-interface default
no passive-interface FastEthernet0/0
network 172.16.1.0 0.0.0.255 area 0
!
router ospf 200
log-adjacency-changes
passive-interface default
no passive-interface FastEthernet0/1
network 172.16.3.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 6.6.6.6 255.255.255.255 Tunnel3
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
------------------------------R6---------------------------------------------
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R6
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
ip domain name lab.local
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile PF
set transform-set TS
!
!
!
!
!
!
!
!
interface Loopback0
ip address 6.6.6.6 255.255.255.255
!
interface Tunnel3
ip unnumbered Loopback0
tunnel source 172.16.2.2
tunnel destination 172.16.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile PF
!
interface FastEthernet0/0
ip address 172.16.2.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.4.2 255.255.255.0
duplex auto
speed auto
!
router ospf 100
log-adjacency-changes
passive-interface default
no passive-interface FastEthernet0/0
network 172.16.2.0 0.0.0.255 area 0
!
router ospf 200
log-adjacency-changes
passive-interface default
no passive-interface FastEthernet0/1
network 172.16.4.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 5.5.5.5 255.255.255.255 Tunnel3
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
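The IPsec tunnel between R5 and R6 is the only control that keeps customer traffic confidential across the provider backbone, so its IKE and IPsec parameters deserve a review. The Python audit below is an added example, not part of the original lab: `audit_ike_ipsec` is a hypothetical helper, and the sample text is the crypto stanza from the R5 block above, embedded as constructed input.

```python
import re

# Constructed sample: the IKE/IPsec stanza from the R5 block on this page.
SAMPLE_CE_CRYPTO = """\
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile PF
set transform-set TS
"""
WEAK_DH = {"1": 768, "2": 1024, "5": 1536}        # DH group -> modulus bits
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
WILDCARD_PSK = re.compile(r"crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$")

def audit_ike_ipsec(config):
    """Return sorted (line_no, finding) pairs for weak IKE/IPsec settings."""
    findings, section, profile_at, has_pfs = [], None, 0, False
    for no, raw in enumerate(config.splitlines() + ["!"], 1):  # "!" closes last block
        line = raw.strip()            # works for indented and flattened dumps
        if line.startswith(("!", "crypto ", "interface ", "router ")):
            if section == "profile" and not has_pfs:
                findings.append((profile_at, "IPsec profile without 'set pfs'"))
            section = None
        if line.startswith("crypto isakmp policy"):
            section = "policy"
        elif line.startswith("crypto ipsec profile"):
            section, profile_at, has_pfs = "profile", no, False
        elif WILDCARD_PSK.match(line):
            findings.append((no, "pre-shared key valid for any peer address"))
        elif line.startswith("crypto ipsec transform-set"):
            findings += [(no, f"weak transform {t}")
                         for t in line.split()[4:] if t in WEAK_TRANSFORMS]
        elif section == "policy":
            key, _, val = line.partition(" ")
            if key in ("encr", "encryption") and val in ("des", "3des"):
                findings.append((no, f"IKE cipher {val}"))
            elif key == "hash" and val == "md5":
                findings.append((no, "IKE hash md5"))
            elif key == "group" and val in WEAK_DH:
                findings.append((no, f"DH group {val} ({WEAK_DH[val]}-bit)"))
        elif section == "profile" and line.startswith("set pfs"):
            has_pfs = True
    return sorted(findings)
```

Calling `audit_ike_ipsec(SAMPLE_CE_CRYPTO)` reports the 3DES and MD5 choices, DH group 2, the pre-shared key bound to 0.0.0.0 and the profile without PFS. A replacement stanza would use AES with a SHA-based HMAC, a DH group of 2048 bits or more where the IOS release offers one, and a strong key bound to the peer's address.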