使用ISIS遠端LFA的MPLS L3VPN配置示例
目錄
簡介
本文說明如何使用ISIS遠端無回圈替代(LFA)功能設定多重協定標籤交換(MPLS)第3層Vpn。文中提供一個範例網路情境及其組態和輸出,以便更好瞭解。
必要條件
需求
本文檔沒有具體要求,但是對MPLS的基本瞭解和ISIS協定的工作知識無疑會有所幫助。
採用元件
本文件所述內容不限於特定軟體和硬體版本。
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路正在作用,請確保您已瞭解任何指令可能造成的影響。
背景資訊
ISIS在全球的ISP中廣泛部署,MPLS第3層Vpn是ISP提供的最常見解決方案。在ISP核心基礎設施內部,鏈路故障直接影響效能,因此非常希望亞秒級收斂。MPLS隧道鏈路保護和節點保護等功能可以解決這些問題,但需要手動配置。
ISIS遠端LFA利用了以下概念:對於給定的區域,所有ISIS路由器將具有相同的鏈路狀態資料庫。如果路由器A需要通過路由器B選擇到目標X的備份路徑,則路由器A可以選擇路由器B作為備份下一跳,前提是路由器B不使用路由器A作為目標X的下一跳。這可以實現,因為所有路由器都有相同的資料庫。這是LFA功能的基本思想。現在,此備份路徑直接程式設計到思科快速轉發(CEF)條目中,在主路由發生故障後立即使用。這樣,路由協定就可以按照傳統計時器收斂。
ISIS遠端LFA
要更好地瞭解遠端LFA的工作方式,請考慮以下圖表:
流量從路由器A流向採用路徑A—C—F的F。如果路由器A和C之間的鏈路斷開。路由器A隨後可以將目的地為F的資料包立即傳送到路由器B,但這不會解決問題。因為鏈路剛剛斷開,而ISIS拓撲沒有意識到變化。如果資料包到達路由器B,則路由器B仍舊有路由資訊,並且仍具有通過A路由到F的條目。因此,資料包會在B和A之間循環,直到點拓撲收斂。
要解決此問題,請將資料包從路由器A隧道傳送到路由器D。路由器D從未使用通過路由器A的路徑來轉到F。現在,當路由器A和C之間的鏈路發生故障時,在不收斂的情況下立即通過隧道將發往路由器F的流量傳送到路由器D。現在,路由器D在從路由器A獲得發往路由器F的隧道流量時,不會察覺到拓撲的任何變化,而是通過其正常路由邏輯轉發資料包。因此,流量不受影響,同時拓撲可以重新收斂。
設定
網路圖表
帶遠端LFA的MPLS第3層Vpn的拓撲:
縮寫
CE =客戶邊緣路由器
PE =提供商邊緣路由器
P =提供商路由器
使用的環回是192.168.255.X,其中X路由器號。例如,如果考慮R1,則環回是192.168.255.1。
組態
CPE-1-R8
#Basic用預設路由配置CE:
interface Ethernet0/0
ip address 192.168.18.8 255.255.255.0
!
!
ip route 0.0.0.0 0.0.0.0 192.168.18.1
!
!
CPE-2-R8
#Basic用預設路由配置CE。
interface Ethernet0/0
ip address 192.168.79.9 255.255.255.0
!
!
ip route 0.0.0.0 0.0.0.0 192.168.79.7
!
!
PE-1-R1
PE配置數量
interface Loopback1
ip address 192.168.255.1 255.255.255.255
ip router isis TAC
!
interface Ethernet0/0
vrf forwarding A
ip address 192.168.18.1 255.255.255.0
!
# ISIS介面必須為點對點
interface Ethernet0/1
ip address 192.168.12.1 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
!
#配置ISIS遠端LFA
router isis TAC
net 49.0000.0000.0001.00
is-type level-2-only
metric-style wide
fast-reroute per-prefix level-2 all
fast-reroute remote-lfa level-2 mpls-ldp
mpls ldp autoconfig level-2
!
# BGP Vpnv4與PE-2-R7對等
router bgp 65000
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.255.7 remote-as 65000
neighbor 192.168.255.7 update-source Loopback1
!
address-family ipv4
exit-address-family
!
address-family vpnv4
neighbor 192.168.255.7 activate
neighbor 192.168.255.7 send-community both
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
exit-address-family
!
P1-R2
# P配置
interface Loopback1
ip address 192.168.255.2 255.255.255.255
ip router isis TAC
!
# ISIS介面必須為點對點
interface Ethernet0/0
ip address 192.168.12.2 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/1
ip address 192.168.23.2 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/2
ip address 192.168.26.2 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
!
#配置ISIS遠端LFA
router isis TAC
net 49.0000.0000.0002.00
is-type level-2-only
metric-style wide
fast-reroute per-prefix level-2 all
fast-reroute remote-lfa level-2 mpls-ldp
!
P2-R3
# P配置
interface Loopback1
ip address 192.168.255.3 255.255.255.255
ip router isis TAC
!
# ISIS介面必須為點對點
interface Ethernet0/0
ip address 192.168.23.3 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/1
ip address 192.168.34.3 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
!
#配置ISIS遠端LFA
router isis TAC
net 49.0000.0000.0003.00
is-type level-2-only
metric-style wide
fast-reroute per-prefix level-2 all
fast-reroute remote-lfa level-2 mpls-ldp
!
P3-R4
# P配置
interface Loopback1
ip address 192.168.255.4 255.255.255.255
ip router isis TAC
!
# ISIS介面必須為點對點
interface Ethernet0/0
ip address 192.168.34.4 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/1
ip address 192.168.45.4 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
!
#配置ISIS遠端LFA
router isis TAC
net 49.0000.0000.0004.00
is-type level-2-only
metric-style wide
fast-reroute per-prefix level-2 all
fast-reroute remote-lfa level-2 mpls-ldp
P4-R5
# P配置
interface Loopback1
ip address 192.168.255.5 255.255.255.255
ip router isis TAC
!
# ISIS介面必須為點對點
interface Ethernet0/0
ip address 192.168.45.5 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/1
ip address 192.168.56.5 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
!
#配置ISIS遠端LFA
router isis TAC
net 49.0000.0000.0005.00
is-type level-2-only
metric-style wide
fast-reroute per-prefix level-2 all
fast-reroute remote-lfa level-2 mpls-ldp
P5-R6
# P配置
interface Loopback1
ip address 192.168.255.6 255.255.255.255
ip router isis TAC
!
# ISIS介面必須為點對點
interface Ethernet0/0
ip address 192.168.56.6 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/1
ip address 192.168.26.6 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/2
ip address 192.168.67.6 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
!
#配置ISIS遠端LFA
router isis TAC
net 49.0000.0000.0006.00
is-type level-2-only
metric-style wide
fast-reroute per-prefix level-2 all
fast-reroute remote-lfa level-2 mpls-ldp
!
PE-2-R7
PE配置數量
interface Loopback1
ip address 192.168.255.7 255.255.255.255
ip router isis TAC
!
# ISIS介面必須為點對點
interface Ethernet0/0
ip address 192.168.67.7 255.255.255.0
ip router isis TAC
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface Ethernet0/1
vrf forwarding A
ip address 192.168.79.7 255.255.255.0
!
!
#配置ISIS遠端LFA
router isis TAC
net 49.0000.0000.0007.00
is-type level-2-only
metric-style wide
fast-reroute per-prefix level-2 all
fast-reroute remote-lfa level-2 mpls-ldp
!
!
# BGP Vpnv4與PE-1-R1對等
router bgp 65000
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 192.168.255.1 remote-as 65000
neighbor 192.168.255.1 update-source Loopback1
!
address-family ipv4
exit-address-family
!
address-family vpnv4
neighbor 192.168.255.1 activate
neighbor 192.168.255.1 send-community both
exit-address-family
!
address-family ipv4 vrf A
redistribute connected
exit-address-family
!
驗證
使用本節內容,確認您的組態是否正常運作。
P1-R2
show isis fast-reroute remote-lfa tunnels命令顯示路由器上構建的遠端LFA隧道:
P1-R2#show isis fast-reroute remote-lfa tunnels
Tag TAC - Fast-Reroute Remote-LFA Tunnels: MPLS-Remote-Lfa1: use Et0/2, nexthop 192.168.26.6, end point 192.168.255.5
MPLS-Remote-Lfa2: use Et0/1, nexthop 192.168.23.3, end point 192.168.255.4
P2-R3
P2-R3#show isis fast-reroute remote-lfa tunnels
Tag TAC - Fast-Reroute Remote-LFA Tunnels: MPLS-Remote-Lfa1: use Et0/1, nexthop 192.168.34.4, end point 192.168.255.5
MPLS-Remote-Lfa2: use Et0/0, nexthop 192.168.23.2, end point 192.168.255.6
P3-R4
P3-R4#show isis fast-reroute remote-lfa tunnels
Tag TAC - Fast-Reroute Remote-LFA Tunnels: MPLS-Remote-Lfa1: use Et0/1, nexthop 192.168.45.5, end point 192.168.255.6
MPLS-Remote-Lfa2: use Et0/0, nexthop 192.168.34.3, end point 192.168.255.2
P4-R5
P4-R5#show isis fast-reroute remote-lfa tunnels
Tag TAC - Fast-Reroute Remote-LFA Tunnels: MPLS-Remote-Lfa1: use Et0/0, nexthop 192.168.45.4, end point 192.168.255.3
MPLS-Remote-Lfa2: use Et0/1, nexthop 192.168.56.6, end point 192.168.255.2
P5-R6
P5-R6#show isis fast-reroute remote-lfa tunnels
Tag TAC - Fast-Reroute Remote-LFA Tunnels: MPLS-Remote-Lfa1: use Et0/0, nexthop 192.168.56.5, end point 192.168.255.4
MPLS-Remote-Lfa2: use Et0/1, nexthop 192.168.26.2, end point 192.168.255.3
核心方案中的故障,配置LFA時核心中的流量。
在導致鏈路故障之前,如果您檢查P-1-R2,您會看到在P-1-R2和P-5-R4之間已經形成了目標LDP會話,作為RLFA的備用路徑。沒有RLFA,路由協定必須檢測故障,並需要重新收斂。
P-1-R2#show ip route repair-paths 192.168.255.7 Routing entry for 192.168.255.7/32 Known via "isis", distance 115, metric 30, type level-c Redistributing via isis TAC Last update from 192.168.26.6 on Ethernet0/2, 02:23:31 ago Routing Descriptor Blocks: * 192.168.26.6, from 192.168.255.7, 02:23:31 ago, via Ethernet0/2 Route metric is 30, traffic share count is 1 Repair Path: 192.168.255.4, via MPLS-Remote-Lfa6 [RPR]192.168.255.4, from 192.168.255.7, 02:23:31 ago, via MPLS-Remote-Lfa6 Route metric is 20, traffic share count is 1
P-1-R2#show mpls ldp neighbor 192.168.255.4 Peer LDP Ident: 192.168.255.4:0; Local LDP Ident 192.168.255.2:0 TCP connection: 192.168.255.4.32391 - 192.168.255.2.646 State: Oper; Msgs sent/rcvd: 184/183; Downstream Up time: 02:26:09 LDP discovery sources: Targeted Hello 192.168.255.2 -> 192.168.255.4, active, passive Addresses bound to peer LDP Ident: 192.168.255.4 192.168.34.4 192.168.45.4
此處可以觀察到,路由表中到PE2-R7的修復路徑是通過192.168.255.4(P3-R4)。 作為遠端LFA邏輯的一部分,隧道預先構建到P3-R4。因此,每當主鏈路發生故障時,資料包都會立即通過隧道傳輸到P3-R4,而此情況線上路卡級別發生,因為條目是預先構建的。因此,沒有流量中斷,並且轉發是無縫的。然後,ISIS協定可以根據其配置的計時器進行收斂。
P1-R2路由器不需要查詢備份路徑,因為在出現故障之前,已經有一個CEF條目通過P2-R3形成。
P1-R2#show ip cef 192.168.255.7
nexthop 192.168.26.6 Ethernet0/2 label [25|26]
repair: attached-nexthop 192.168.255.4 MPLS-Remote-Lfa6
此圖顯示先前說明的確切行為:
P1-R2
為了進行驗證,在通過關閉P1-R2和P5-R6之間的核心鏈路(Eth 0/2)重新建立故障場景後,從CE-1-R8連續向CE-2-R9執行ping操作,即使在測試環境中也未觀察到一次丟棄。
CE-1-R8#ping 192.168.79.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.79.9, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! <Ouput Snipped> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!
Success rate is 100 percent (149320/149320), round-trip min/avg/max = 1/1/18 ms
疑難排解
目前尚無適用於此組態的具體疑難排解資訊。
意見