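This document describes how to configure Multiprotocol Label Switching (MPLS) Layer 3 VPN with the ISIS Remote Loop-Free Alternate (LFA) feature. It shows a sample network scenario together with its configuration and outputs.
There are no specific requirements for this document; however, a basic understanding of MPLS and a working knowledge of the ISIS protocol certainly helps.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
ISIS is widely deployed across ISPs worldwide, and MPLS Layer 3 VPN is the most common solution that ISPs offer. Inside the ISP core infrastructure, link failures directly affect performance, so sub-second convergence is highly desirable. Features such as MPLS tunnel link protection and node protection address these problems, but they require manual configuration.
ISIS remote LFA relies on the fact that, for a given area, all ISIS routers have the same link-state database. If Router A needs to choose a backup path to destination X through Router B, Router A can select Router B as the backup next hop, provided that Router B does not use Router A as its next hop for destination X. Router A can work this out because all routers have the same database. This is the basic idea of the LFA feature. The backup path is programmed directly into the Cisco Express Forwarding (CEF) entry and is used immediately once the primary route fails. The routing protocol can then converge on its traditional timers.
To better understand how remote LFA works, consider this diagram:
Traffic from Router A to F takes the path A - C - F. Suppose the link between Router A and C goes down. Router A could immediately send packets destined for F to Router B, but that does not solve the problem. Because the link has only just gone down, the ISIS topology is not yet aware of the change. If a packet arrives at Router B, Router B still holds the old routing information and still has an entry that routes to F through A. The packet therefore loops between B and A until the topology converges.
To solve this problem, tunnel the packets from Router A to Router D. Router D never uses a path through Router A to reach F. Now, when the link between Router A and C fails, traffic destined for Router F is sent through the tunnel to Router D immediately, without waiting for convergence. When Router D receives the tunneled traffic from Router A destined for Router F, it is not aware of any change in the topology and forwards the packets with its normal routing logic. Traffic is therefore not affected while the topology reconverges.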
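Topology for MPLS Layer 3 VPN with remote LFA:
Abbreviations
CE = Customer Edge router
PE = Provider Edge router
P = Provider router
The loopback interfaces use 192.168.255.X, where X is the router number. For example, for R1 the loopback address is 192.168.255.1.
# Basic CE configuration with a default route: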
interface Ethernet0/0
ip address 192.168.18.8 255.255.255.0
!
!
ip route 0.0.0.0 0.0.0.0 192.168.18.1
!
!
# Basic CE configuration with a default route:
interface Ethernet0/0
ip address 192.168.79.9 255.255.255.0
!
!
ip route 0.0.0.0 0.0.0.0 192.168.79.7
!
!
# PE configuration
interface Loopback1
ip address 192.168.255.1 255.255.255.255
ip router isis TAC
!
interface Ethernet0/0
vrf forwarding A
ip address 192.168.18.1 255.255.255.0
!
# ISIS interfaces must be point-to-point
interface Ethernet0/1
ip address 192.168.12.1 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
!
# Configure ISIS remote LFA
router isis TAC
net 49.0000.0000.0001.00
is-type level-2-only
metric-style wide
fast-reroute per-prefix level-2 all
fast-reroute remote-lfa level-2 mpls-ldp
mpls ldp autoconfig level-2
!
# BGP VPNv4 peering with PE-2-R7
router bgp 65000
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.255.7 remote-as 65000
neighbor 192.168.255.7 update-source Loopback1
!
address-family ipv4
exit-address-family
!
address-family vpnv4
neighbor 192.168.255.7 activate
neighbor 192.168.255.7 send-community both
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
exit-address-family
!
# P configuration
interface Loopback1
ip address 192.168.255.2 255.255.255.255
ip router isis TAC
!
# ISIS interfaces must be point-to-point
interface Ethernet0/0
ip address 192.168.12.2 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/1
ip address 192.168.23.2 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/2
ip address 192.168.26.2 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
!
# Configure ISIS remote LFA
router isis TAC
net 49.0000.0000.0002.00
is-type level-2-only
metric-style wide
fast-reroute per-prefix level-2 all
fast-reroute remote-lfa level-2 mpls-ldp
!
# P configuration
interface Loopback1
ip address 192.168.255.3 255.255.255.255
ip router isis TAC
!
# ISIS interfaces must be point-to-point
interface Ethernet0/0
ip address 192.168.23.3 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/1
ip address 192.168.34.3 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
!
# Configure ISIS remote LFA
router isis TAC
net 49.0000.0000.0003.00
is-type level-2-only
metric-style wide
fast-reroute per-prefix level-2 all
fast-reroute remote-lfa level-2 mpls-ldp
!
# P configuration
interface Loopback1
ip address 192.168.255.4 255.255.255.255
ip router isis TAC
!
# ISIS interfaces must be point-to-point
interface Ethernet0/0
ip address 192.168.34.4 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/1
ip address 192.168.45.4 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
!
# Configure ISIS remote LFA
router isis TAC
net 49.0000.0000.0004.00
is-type level-2-only
metric-style wide
fast-reroute per-prefix level-2 all
fast-reroute remote-lfa level-2 mpls-ldp
# P configuration
interface Loopback1
ip address 192.168.255.5 255.255.255.255
ip router isis TAC
!
# ISIS interfaces must be point-to-point
interface Ethernet0/0
ip address 192.168.45.5 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/1
ip address 192.168.56.5 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
!
# Configure ISIS remote LFA
router isis TAC
net 49.0000.0000.0005.00
is-type level-2-only
metric-style wide
fast-reroute per-prefix level-2 all
fast-reroute remote-lfa level-2 mpls-ldp
# P configuration
interface Loopback1
ip address 192.168.255.6 255.255.255.255
ip router isis TAC
!
# ISIS interfaces must be point-to-point
interface Ethernet0/0
ip address 192.168.56.6 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/1
ip address 192.168.26.6 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/2
ip address 192.168.67.6 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
!
# Configure ISIS remote LFA
router isis TAC
net 49.0000.0000.0006.00
is-type level-2-only
metric-style wide
fast-reroute per-prefix level-2 all
fast-reroute remote-lfa level-2 mpls-ldp
!
# PE configuration
interface Loopback1
ip address 192.168.255.7 255.255.255.255
ip router isis TAC
!
# ISIS interfaces must be point-to-point
interface Ethernet0/0
ip address 192.168.67.7 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/1
vrf forwarding A
ip address 192.168.79.7 255.255.255.0
!
!
# Configure ISIS remote LFA
router isis TAC
net 49.0000.0000.0007.00
is-type level-2-only
metric-style wide
fast-reroute per-prefix level-2 all
fast-reroute remote-lfa level-2 mpls-ldp
!
!
# BGP VPNv4 peering with PE-1-R1
router bgp 65000
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.255.1 remote-as 65000
neighbor 192.168.255.1 update-source Loopback1
!
address-family ipv4
exit-address-family
!
address-family vpnv4
neighbor 192.168.255.1 activate
neighbor 192.168.255.1 send-community both
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
exit-address-family
!
Use this section to confirm that your configuration works properly.
The command show isis fast-reroute remote-lfa tunnels displays the remote LFA tunnels built on the router:
P1-R2#show isis fast-reroute remote-lfa tunnels
Tag TAC - Fast-Reroute Remote-LFA Tunnels:
MPLS-Remote-Lfa1: use Et0/2, nexthop 192.168.26.6, end point 192.168.255.5
MPLS-Remote-Lfa2: use Et0/1, nexthop 192.168.23.3, end point 192.168.255.4
P2-R3#show isis fast-reroute remote-lfa tunnels
Tag TAC - Fast-Reroute Remote-LFA Tunnels:
MPLS-Remote-Lfa1: use Et0/1, nexthop 192.168.34.4, end point 192.168.255.5
MPLS-Remote-Lfa2: use Et0/0, nexthop 192.168.23.2, end point 192.168.255.6
P3-R4#show isis fast-reroute remote-lfa tunnels
Tag TAC - Fast-Reroute Remote-LFA Tunnels:
MPLS-Remote-Lfa1: use Et0/1, nexthop 192.168.45.5, end point 192.168.255.6
MPLS-Remote-Lfa2: use Et0/0, nexthop 192.168.34.3, end point 192.168.255.2
P4-R5#show isis fast-reroute remote-lfa tunnels
Tag TAC - Fast-Reroute Remote-LFA Tunnels:
MPLS-Remote-Lfa1: use Et0/0, nexthop 192.168.45.4, end point 192.168.255.3
MPLS-Remote-Lfa2: use Et0/1, nexthop 192.168.56.6, end point 192.168.255.2
P5-R6#show isis fast-reroute remote-lfa tunnels
Tag TAC - Fast-Reroute Remote-LFA Tunnels:
MPLS-Remote-Lfa1: use Et0/0, nexthop 192.168.56.5, end point 192.168.255.4
MPLS-Remote-Lfa2: use Et0/1, nexthop 192.168.26.2, end point 192.168.255.3
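The tunnel end points listed above can be reproduced from the link-state view that every router shares. The following Python sketch is an added example, not part of the original Cisco document: it applies the direct LFA check and the P-space/Q-space intersection (RFC 7490 terminology) to the lab topology. The equal link cost of 10, the function names and the nearest-PQ-node tie-break are assumptions.

```python
import heapq

# Core links from the interface subnets in the configs (192.168.XY.0 joins RX and RY).
# Assumption: cost 10 on every link (IS-IS default; matches metric 30 for R2 -> R7).
LINKS = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (2, 6), (6, 7)]

def build_graph(links, cost=10):
    graph = {}
    for a, b in links:
        graph.setdefault(a, {})[b] = graph.setdefault(b, {})[a] = cost
    return graph

def spf(graph, src):
    """Dijkstra: shortest distance from src to every node."""
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                heapq.heappush(heap, (d + w, v))
    return dist

def direct_lfas(graph, s, e, dest):
    """Neighbors of s (other than e) whose path to dest does not lead back through s."""
    d_s = spf(graph, s)
    return sorted(n for n in graph[s] if n != e
                  and spf(graph, n)[dest] < spf(graph, n)[s] + d_s[dest])

def remote_lfa(graph, s, e):
    """PQ node nearest to s for the protected link s-e, or None (tie-break is assumed)."""
    d_s, d_e, c = spf(graph, s), spf(graph, e), graph[s][e]
    # P-space: no shortest path from s to n crosses the link s-e.
    p_space = {n for n in graph if n not in (s, e) and c + d_e[n] > d_s[n]}
    # Q-space: no shortest path from n to e crosses s-e (link costs are symmetric).
    q_space = {n for n in graph if n not in (s, e) and d_s[n] + c > d_e[n]}
    pq = p_space & q_space
    return min(pq, key=lambda n: (d_s[n], n)) if pq else None

def tunnel_endpoints(graph, s):
    """Loopback (192.168.255.X) of the chosen PQ node, keyed by protected neighbor of s."""
    picks = {e: remote_lfa(graph, s, e) for e in sorted(graph[s])}
    return {e: f"192.168.255.{n}" for e, n in picks.items() if n is not None}

if __name__ == "__main__":
    g = build_graph(LINKS)
    print(direct_lfas(g, 2, 6, 7), {r: tunnel_endpoints(g, r) for r in (2, 3, 4, 5, 6)})
```

On R2 no neighbor qualifies as a direct LFA toward R7 when the R2-R6 link is protected, which is why the repair path has to be a tunnel; the stub links toward the PE routers yield no PQ node and therefore no tunnel.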
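Before the link failure is induced, a check of P-1-R2 shows that a targeted LDP session has already formed between P-1-R2 and P-5-R4 because of RLFA. Without RLFA, the routing protocol must detect the failure and then reconverge.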
P-1-R2#show ip route repair-paths 192.168.255.7
Routing entry for 192.168.255.7/32
  Known via "isis", distance 115, metric 30, type level-c
  Redistributing via isis TAC
  Last update from 192.168.26.6 on Ethernet0/2, 02:23:31 ago
  Routing Descriptor Blocks:
  * 192.168.26.6, from 192.168.255.7, 02:23:31 ago, via Ethernet0/2
      Route metric is 30, traffic share count is 1
      Repair Path: 192.168.255.4, via MPLS-Remote-Lfa6
    [RPR]192.168.255.4, from 192.168.255.7, 02:23:31 ago, via MPLS-Remote-Lfa6
      Route metric is 20, traffic share count is 1
P-1-R2#show mpls ldp neighbor 192.168.255.4
    Peer LDP Ident: 192.168.255.4:0; Local LDP Ident 192.168.255.2:0
        TCP connection: 192.168.255.4.32391 - 192.168.255.2.646
        State: Oper; Msgs sent/rcvd: 184/183; Downstream
        Up time: 02:26:09
        LDP discovery sources:
          Targeted Hello 192.168.255.2 -> 192.168.255.4, active, passive
        Addresses bound to peer LDP Ident:
          192.168.255.4 192.168.34.4 192.168.45.4
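Here you can observe that the repair path to PE2-R7 in the routing table is through 192.168.255.4 (P3-R4). As part of the remote LFA logic, a tunnel to P3-R4 is pre-built. Whenever the primary link fails, packets are therefore tunneled to P3-R4 immediately; because the entry is pre-built, this happens at the line-card level. As a result there is no traffic interruption and forwarding is seamless. The ISIS protocol can then converge according to its configured timers.
The P1-R2 router does not need to look up a backup path, because the CEF entry has already been formed through P2-R3 before the failure occurs.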
P1-R2#show ip cef 192.168.255.7
nexthop 192.168.26.6 Ethernet0/2 label [25|26]
repair: attached-nexthop 192.168.255.4 MPLS-Remote-Lfa6
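This diagram shows the exact behavior explained earlier:
For verification, the failure scenario was recreated by shutting down the core link (Eth 0/2) between P1-R2 and P5-R6 while a continuous ping ran from CE-1-R8 to CE-2-R9. Not a single drop was observed in the test environment.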
CE-1-R8#ping 192.168.79.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.79.9, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<Output Snipped>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!
Success rate is 100 percent (149320/149320), round-trip min/avg/max = 1/1/18 ms
There is currently no troubleshooting information available for this configuration.