通過TE隧道實施MPLS VPN
目錄
簡介
本文提供在MPLS網路中透過流量工程(TE)通道實作多重協定標籤交換(MPLS)VPN的組態範例。為了獲得通過TE隧道的MPLS VPN的優點,兩者應在網路中共存。本文檔說明了各種場景,解釋了通過TE隧道的MPLS VPN內的資料包轉發失敗的原因。它還提供了一種可能的解決方案。
必要條件
需求
本文檔的讀者應瞭解以下主題:
採用元件
本文件所述內容不限於特定軟體和硬體版本。
慣例
如需文件慣例的詳細資訊,請參閱思科技術提示慣例。
背景理論
如本拓撲所示,在簡單的MPLS VPN配置中,提供商邊緣1(PE1)直接從PE2通過多協定邊界網關協定(MPBGP)獲取VPN字首172.16.13.0/24的VPN標籤(標籤1 [L1]),下一跳作為PE2環回地址。PE1還通過標籤分發協定(LDP)從下一跳P1獲取PE2環回地址的標籤(L2)。
將資料轉發到VPN字首172.16.13.13時,PE1使用標籤堆疊{L2 L1},並將L2作為外部標籤。L2由傳輸標籤交換路由器(LSR)交換,P1。P2會彈出外部L2,並將資料包轉發到PE2,僅帶有一個L1。要更好地瞭解為什麼P2會彈出第2層,請參閱RFC 3031 
中有關倒數第二跳彈出消息(PHP)的3.16節。因此,前往VPN IP第4版(IPv4)首碼172.16.13.0/24的封包會透過MPLS網路進行標籤交換。
如果任何P路由器收到帶有L1(VPN標籤)作為唯一外部標籤而不是{L2 L1}標籤堆疊的資料包,則MPLS VPN轉發操作失敗。發生這種情況的原因是,沒有一台P路由器在其標籤轉發資訊庫(LFIB)中包含L1以交換資料包。
MPLS TE使用資源保留協定(RSVP)來交換標籤。當路由器同時配置了TE和Tag Distribution Protocol(TDP)/LDP時,路由器會收到來自LDP和RSVP的指定字首的不同標籤。來自LDP和RSVP的標籤不必在所有情況下都相同。如果通過LDP介面獲知字首,路由器會在轉發表中安裝LDP標籤;如果通過TE隧道介面獲知字首,路由器會在轉發表中安裝RSVP標籤。
在普通TE通道的情況下(在通道上未啟用LDP/TDP),輸入LSR(在TE通道頭端的LSR)使用與通過TE通道學習的所有路由到達TE通道尾端的相同標籤。
例如,有一個從PE1到P2的TE隧道通過隧道學習字首10.11.11.11/32。P2上的隧道尾端是10.5.5.5,PE1中到達10.5.5.5的標籤是L3。然後,PE1使用L3到達目的地10.11.11.11/32,通過TE隧道獲知。
在上述場景中,當PE1和P2之間存在TE隧道時,考慮PE1將資料轉發到客戶邊緣2(CE2)。 如果L4是VPN標籤,則PE1轉發標籤堆疊為{L3 L4}的資料。P1會彈出L3,P2會收到帶有L4的資料包。PE2是唯一可以正確轉髮帶有外部標籤L4的資料包的LSR。P2沒有與PE2之間的MPBGP會話,因此它不會從PE2接收L4。因此,P2對L2一無所知,它會丟棄該資料包。
後面的配置和show輸出演示了這一點,並說明了此問題的一個可能的解決方案。
在CE1和CE2之間進行初始VPN設定,不使用TE隧道
拓撲
組態
此處僅包含組態檔的相關部分:
| PE1 |
|---|
hostname PE1 ip cef ! ip vrf aqua rd 100:1 route-target export 1:1 route-target import 1:1 ! mpls traffic-eng tunnels ! interface Loopback0 ip address 10.2.2.2 255.255.255.255 no ip directed-broadcast ! interface Ethernet2/0/1 ip vrf forwarding aqua ip address 172.16.1.2 255.255.255.0 ! interface Ethernet2/0/2 ip address 10.7.7.2 255.255.255.0 ip router isis mpls traffic-eng tunnels tag-switching ip ! router isis passive-interface Loopback0 net 47.1234.2222.2222.2222.00 is-type level-1 metric-style wide mpls traffic-eng router-id Loopback0 mpls traffic-eng level-1 ! router bgp 1 bgp log-neighbor-changes neighbor 10.11.11.11 remote-as 1 neighbor 10.11.11.11 update-source Loopback0 ! address-family vpnv4 neighbor 10.11.11.11 activate neighbor 10.11.11.11 send-community extended exit-address-family ! address-family ipv4 neighbor 10.11.11.11 activate no auto-summary no synchronization exit-address-family ! address-family ipv4 vrf aqua redistribute connected no auto-summary no synchronization exit-address-family |
| PE2 |
|---|
hostname PE2 ! ip vrf aqua rd 100:1 route-target export 1:1 route-target import 1:1 ! mpls traffic-eng tunnels ! interface Loopback0 ip address 10.11.11.11 255.255.255.255 ! interface POS0/1 ip address 10.12.12.10 255.255.255.0 ip router isis mpls traffic-eng tunnels tag-switching ip crc 16 clock source internal ! interface POS5/1 ip vrf forwarding aqua ip address 172.16.13.11 255.255.255.0 crc 32 clock source internal ! router isis passive-interface Loopback0 mpls traffic-eng router-id Loopback0 mpls traffic-eng level-1 net 47.1234.1010.1010.1010.00 is-type level-1 metric-style wide ! router bgp 1 bgp log-neighbor-changes neighbor 10.2.2.2 remote-as 1 neighbor 10.2.2.2 update-source Loopback0 no auto-summary ! address-family vpnv4 neighbor 10.2.2.2 activate neighbor 10.2.2.2 send-community extended exit-address-family ! address-family ipv4 vrf aqua redistribute connected no auto-summary no synchronization exit-address-family ! |
驗證
PE2通過PE1和PE2之間的MPBGP對等獲知PE1 VPN IPv4字首172.16.1.0/24。如下所示:
PE2# show ip route vrf aqua
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 2 subnets
B 172.16.1.0 [200/0] via 10.2.2.2, 16:09:10
C 172.16.13.0 is directly connected, POS5/1
同樣,PE1通過PE1和PE2之間的MPBGP對等獲知PE2 VPN IPv4字首172.16.13.0/24。如下所示:
PE1# show ip route vrf aqua
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 2 subnets
B 172.16.13.0 [200/0] via 10.11.11.11, 16:09:49
C 172.16.1.0 is directly connected, Ethernet2/0/1
PE1# show ip route vrf aqua 172.16.13.13
Routing entry for 172.16.13.0/24
Known via "bgp 1", distance 200, metric 0, type internal
Last update from 10.11.11.11 16:13:19 ago
Routing Descriptor Blocks:
* 10.11.11.11 (Default-IP-Routing-Table), from 10.11.11.11, 16:13:19 ago
Route metric is 0, traffic share count is 1
AS Hops 0, BGP network version 0
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 11, cached adjacency 10.7.7.7
0 packets, 0 bytes
tag information set
local tag: VPN route head
fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
via 10.11.11.11, 0 dependencies, recursive
next hop 10.7.7.7, Ethernet2/0/2 via 10.11.11.11/32
valid cached adjacency
tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
!--- The label stack used to reach 172.16.13.13 is !--- {17 12308}, where 17 is the outer label to reach next hop 10.11.11.11 !--- and 12308 is the VPN IPv4 label for 172.16.13.0/24.
PE1# show ip cef 10.11.11.11
10.11.11.11/32, version 31, cached adjacency 10.7.7.7
0 packets, 0 bytes
tag information set
local tag: 21
fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17}
via 10.7.7.7, Ethernet2/0/2, 1 dependency
next hop 10.7.7.7, Ethernet2/0/2
valid cached adjacency
tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17}
!--- Outer label 17 is used to reach next hop 10.11.11.11.
因此,CE1可以通過VPN路由和轉發(VRF)例項「aqua」到達CE2網路上的172.16.13.13,該例項在PE1上使用標籤堆疊{17 12308}進行配置,如上文所示。
此ping輸出可確認連線:
CE1# ping 172.16.13.13 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
案例1:TE隧道從PE1到PE2時,通過TE隧道的VPN
拓撲
在使用自動路由通告的PE路由器之間構建TE隧道時,可通過TE隧道介面訪問出口PE BGP下一跳。因此,PE1使用TE標籤到達PE2。
注意:MPLS TE獨立於LDP,這意味著如果您具有從PE到PE的隧道全網狀,則可以在路由器中有效地禁用LDP,並且不需要在TE隧道介面上運行LDP。但是,您必須建立到VPN版本4(VPNv4)路由的BGP下一躍點的所有隧道。在此配置的示例中,您可以看到此BGP下一跳是PE2上的Loopback0(10.11.11.11)。此相同的環回也是從PE1到PE2的隧道的隧道目標。這說明了為什麼在本示例中,如果返回流量也存在從PE2到PE1的隧道,則可以禁用核心中的LDP。然後,從CE到CE的轉發適用於通過TE隧道傳輸的所有VPNv4流量。如果BGP下一躍點與TE隧道目標不同,LDP必須在核心和TE隧道上運行。
組態
PE1上用於建立PE隧道的額外配置如下所示:
| PE1 |
|---|
PE1# show run interface tunnel 0 ! interface Tunnel0 ip unnumbered Loopback0 no ip directed-broadcast no ip route-cache distributed tunnel destination 10.11.11.11 tunnel mode mpls traffic-eng tunnel mpls traffic-eng autoroute announce tunnel mpls traffic-eng path-option 10 dynamic end |
驗證
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 11
0 packets, 0 bytes
tag information set
local tag: VPN route head
fast tag rewrite with Tu0, point2point, tags imposed {19 12308}
via 10.11.11.11, 0 dependencies, recursive
next hop 10.11.11.11, Tunnel0 via 10.11.11.11/32
valid adjacency
tag rewrite with Tu0, point2point, tags imposed {19 12308}
!--- The label stack to reach 172.16.13.13 is {19 12308}. !--- BGP next hop for the VPNv4 prefix is 10.11.11.11, which is !--- the same as the TE tunnel destination.
PE1# show ip route 10.11.11.11
Routing entry for 10.11.11.11/32
Known via "isis", distance 115, metric 40, type level-1
Redistributing via isis
Last update from 10.11.11.11 on Tunnel0, 00:02:09 ago
Routing Descriptor Blocks:
* 10.11.11.11, from 10.11.11.11, via Tunnel0
!--- The route is via Tunnel0.
Route metric is 40, traffic share count is 1
現在,確認用於通過Tunnel0到達下一跳10.11.11.11的外部標籤。
PE1# show mpls traffic-eng tunnels tunnel 0
Name: PE1_t0 (Tunnel0) Destination: 10.11.11.11
Status:
Admin: up Oper: up Path: valid Signalling: connected
path option 10, type dynamic (Basis for Setup, path weight 30)
Config Parameters:
Bandwidth: 0 kbps (Global) Priority: 7 7 Affinity: 0x0/0xFFFF
Metric Type: TE (default)
AutoRoute: enabled LockDown: disabled Loadshare: 0 bw-based
auto-bw: disabled
InLabel : -
OutLabel : Ethernet2/0/2, 19
!--- Label 19 from RSVP is used to reach destination 10.11.11.11/32.
RSVP Signalling Info:
Src 10.2.2.2, Dst 10.11.11.11, Tun_Id 0, Tun_Instance 31
RSVP Path Info:
My Address: 10.7.7.2
Explicit Route: 10.7.7.7 10.8.8.7 10.8.8.5 10.12.12.10
10.11.11.11
Record Route: NONE
Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
RSVP Resv Info:
Record Route: NONE
Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=Inf
Shortest Unconstrained Path Info:
Path Weight: 30 (TE)
Explicit Route: 10.7.7.2 10.7.7.7 10.8.8.7 10.8.8.5
10.12.12.10 10.11.11.11
History:
Tunnel:
Time since created: 17 hours, 17 minutes
Time since path change: 32 minutes, 54 seconds
Current LSP:
Uptime: 32 minutes, 54 seconds
Prior LSP:
ID: path option 10 [14]
Removal Trigger: tunnel shutdown
快速檢視此資訊的另一種方法是使用show命令中的輸出修改器,如下所示:
PE1# show mpls traffic-eng tunnels tunnel 0 | include Label InLabel : - OutLabel : Ethernet2/0/2, 19 !--- This is the label to reach 10.11.11.11.
檢視標籤堆疊。它是19,即TE標籤,用於通過Tunnel0將資料包轉發到下一跳10.11.11.0。
PE1# show tag forwarding-table 10.11.11.11 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
21 Pop tag 10.11.11.11/32 0 Tu0 point2point
MAC/Encaps=14/18, MTU=1500, Tag Stack{19}, via Et2/0/2
00603E2B02410060835887428847 00013000
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE1#
因此,PE1將標籤棧{19 12308}發往地址為172.16.13.13的資料包。P1交換標籤19。資料包到達P2,P2將彈出該外部標籤。然後,將資料包轉發到PE2,並且僅帶標籤12308。
在PE2上,接收帶有標籤12308資料包,並根據轉發表中的資訊進行交換。如下所示:
PE2# show tag for tags 12308 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
12308 Aggregate 172.16.13.0/24[V] 12256
MAC/Encaps=0/0, MTU=0, Tag Stack{}
VPN route: aqua
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE2#
注意:未顯示傳出介面,因為傳出標籤是Aggregate。這是因為與標籤關聯的字首是直連路由。
從CE1 ping CE2上的主機,確認通過TE隧道的VPN連線:
CE1# ping 172.16.13.13 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/13/36 ms CE1#
案例2:TE通道從PE1到P2時,通過TE通道的VPN
拓撲
組態
PE1上基本配置之外的其他TE配置如下所示:
| PE1 |
|---|
PE1# show run interface tunnel 0 ! interface Tunnel0 ip unnumbered Loopback0 no ip directed-broadcast no ip route-cache distributed tunnel destination 10.5.5.5 tunnel mode mpls traffic-eng tunnel mpls traffic-eng autoroute announce tunnel mpls traffic-eng path-option 10 dynamic end ! |
驗證
檢查PE1 VRF水線上的字首172.16.13.13的路由。它使用標籤堆疊{19 12308}指向下一個躍點10.11.11.11/32(通過Tunnel0)。
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 11
0 packets, 0 bytes
tag information set
local tag: VPN route head
fast tag rewrite with Tu0, point2point, tags imposed {19 12308}
via 10.11.11.11, 0 dependencies, recursive
next hop 10.5.5.5, Tunnel0 via 10.11.11.11/32
valid adjacency
tag rewrite with Tu0, point2point, tags imposed {19 12308}
PE1#
標籤19(外部標籤)用於到達下一跳10.11.11.11/32,如下所示:
PE1# show ip cef 10.11.11.11
10.11.11.11/32, version 37
0 packets, 0 bytes
tag information set
local tag: 21
fast tag rewrite with Tu0, point2point, tags imposed {19}
via 10.5.5.5, Tunnel0, 1 dependency
next hop 10.5.5.5, Tunnel0
valid adjacency
tag rewrite with Tu0, point2point, tags imposed {19}
PE1# show mpls traffic-eng tunnels tunnel 0
Name: PE1_t0 (Tunnel0) Destination: 10.5.5.5
Status:
Admin: up Oper: up Path: valid Signalling: connected
path option 10, type dynamic (Basis for Setup, path weight 20)
Config Parameters:
Bandwidth: 0 kbps (Global) Priority: 7 7 Affinity: 0x0/0xFFFF
Metric Type: TE (default)
AutoRoute: enabled LockDown: disabled Loadshare: 0 bw-based
auto-bw: disabled
InLabel : -
OutLabel : Ethernet2/0/2, 19
RSVP Signalling Info:
Src 10.2.2.2, Dst 10.5.5.5, Tun_Id 0, Tun_Instance 33
RSVP Path Info:
My Address: 10.7.7.2
Explicit Route: 10.7.7.7 10.8.8.7 10.8.8.5 10.5.5.5
Record Route: NONE
Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
RSVP Resv Info:
Record Route: NONE
Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=Inf
Shortest Unconstrained Path Info:
Path Weight: 20 (TE)
Explicit Route: 10.7.7.2 10.7.7.7 10.8.8.7 10.8.8.5
10.5.5.5
History:
Tunnel:
Time since created: 17 hours, 31 minutes
Time since path change: 8 minutes, 49 seconds
Current LSP:
Uptime: 8 minutes, 49 seconds
Selection: reoptimation
Prior LSP:
ID: path option 10 [31]
Removal Trigger: path verification failed
PE1#
PE1# show mpls traffic-eng tunnels tunnel 0 | i Label
InLabel : -
OutLabel : Ethernet2/0/2, 19
PE1#
來自PE1的封包透過標籤堆疊{19 12308}的TE通道傳送。P1收到封包後,會彈出(PHP)標籤19,並傳送標籤堆疊{12308}的封包。show命令可確認這點:
P1> show tag for tag 19
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
19 Pop tag 10.2.2.2 0 [33] 2130 Et2/0 10.8.8.5
P1>
P1> show tag for tag 19 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
19 Pop tag 10.2.2.2 0 [33] 2257 Et2/0 10.8.8.5
MAC/Encaps=14/14, MTU=1504, Tag Stack{}
006009E08B0300603E2B02408847
No output feature configured
P1>
P2收到標籤堆疊為{12308}的資料包時,會檢查其LFIB並丟棄該資料包,因為不存在匹配項。以下是P2上的show命令輸出:
P2# show tag forwarding-table tags 12308 detail Local Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface P2# P2# 7w4d: TAG: Et0/3: recvd: CoS=0, TTL=253, Tag(s)=12308 7w4d: TAG: Et0/3: recvd: CoS=0, TTL=253, Tag(s)=12308 7w4d: TAG: Et0/3: recvd: CoS=0, TTL=253, Tag(s)=12308 7w4d: TAG: Et0/3: recvd: CoS=0, TTL=253, Tag(s)=12308 P2# P2#
說明
此問題的解決方法是在TE隧道上啟用TDP/LDP,並使其成為標籤交換介面。在解決方案所示的示例中,在PE1的Tunnel0上啟用了TDP。P2配置為接受定向hello並形成定向TDP鄰居。因此,PE1通過LDP從P2接收10.11.11.11的標籤。現在Tunnel0成為標籤交換介面,並且TDP已經對通往10.11.11.11的流量啟用,PE1使用這兩個標籤;本發明利用RSVP標籤到達TE尾端,TDP標籤到達10.11.11.11。
在此方案中,如果以下專案為真,PE1使用標籤堆疊{L2 L3 L1}將資料轉發到CE2:
-
L1是VPN標籤。
-
L2是到達TE尾端的RSVP標籤。
-
L3是到達10.11.11.11的TDP標籤(從P2接收)。
解決方案
解決方式為透過TE通道啟用TDP。
組態
此處顯示的是已啟用TDP的PE1上的TE隧道配置。新增加的產品是粗體的。
| PE1 |
|---|
PE1# show run interface tunnel 0 ! interface Tunnel0 ip unnumbered Loopback0 no ip directed-broadcast no ip route-cache distributed tag-switching ip !--- This enables TDP. tunnel destination 10.5.5.5 tunnel mode mpls traffic-eng tunnel mpls traffic-eng autoroute announce tunnel mpls traffic-eng path-option 10 dynamic end ! |
以下是TE通道尾端上接受定向TDP hello的額外配置:
P2# show run | i directed-hello tag-switching tdp discovery directed-hello accept !--- This configures P2 to accept directed TDP hellos. P2#
驗證
PE1# show tag tdp neighbor | i Peer
Peer TDP Ident: 10.7.7.7:0; Local TDP Ident 10.2.2.2:0
Peer TDP Ident: 10.5.5.5:0; Local TDP Ident 10.2.2.2:0
PE1#
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 11
0 packets, 0 bytes
tag information set
local tag: VPN route head
fast tag rewrite with Tu0, point2point, tags imposed {19 18 12308}
via 10.11.11.11, 0 dependencies, recursive
next hop 10.5.5.5, Tunnel0 via 10.11.11.11/32
valid adjacency
tag rewrite with Tu0, point2point, tags imposed {19 18 12308}
PE1#
PE1# show mpls traffic-eng tunnels tunnel 0 | i Label
InLabel : -
OutLabel : Ethernet2/0/2, 19
!--- This is the TE label learned via RSVP.
PE1#
PE1# show tag tdp bind 10.11.11.11 32
tib entry: 10.11.11.11/32, rev 20
local binding: tag: 21
remote binding: tsr: 10.7.7.7:0, tag: 17
remote binding: tsr: 10.5.5.5:0, tag: 18
!--- This is the TDP label from P2.
P1收到標籤堆疊為{19 18 12308}的資料包時,它會彈出標籤19,並將標籤堆疊為{18 12308}的資料包傳送到P2。P2檢查其LFIB中的標籤18,然後彈出該標籤,並通過傳出介面PO2/0/0將其傳送到PE1。PE1收到標籤為12308的資料包,並成功將其切換到CE2。
P2# show tag for tag 18
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
18 Pop tag 10.11.11.11/32 117496 POS2/0/0 point2point
P2# show tag tdp discovery
Local TDP Identifier:
10.5.5.5:0
Discovery Sources:
Interfaces:
Ethernet0/3 (tdp): xmit/recv
TDP Id: 10.7.7.7:0
POS2/0/0 (tdp): xmit/recv
TDP Id: 10.11.11.11:0
Directed Hellos:
10.5.5.5 -> 10.2.2.2 (tdp): passive, xmit/recv
TDP Id: 10.2.2.2:0
P2# show tag tdp neighbor 10.2.2.2
Peer TDP Ident: 10.2.2.2:0; Local TDP Ident 10.5.5.5:0
TCP connection: 10.2.2.2.711 - 10.5.5.5.11690
State: Oper; PIEs sent/rcvd: 469/465; Downstream
Up time: 01:41:08
TDP discovery sources:
Directed Hello 10.5.5.5 -> 10.2.2.2, passive
Addresses bound to peer TDP Ident:
10.7.7.2 172.16.47.166 10.2.2.2
PE1# show tag tdp neighbor 10.5.5.5
Peer TDP Ident: 10.5.5.5:0; Local TDP Ident 10.2.2.2:0
TCP connection: 10.5.5.5.11690 - 10.2.2.2.711
State: Oper; PIEs sent/rcvd: 438/441; Downstream
Up time: 01:35:08
TDP discovery sources:
Directed Hello 10.2.2.2 -> 10.5.5.5, active
!--- This indicates the directed neighbor.
Addresses bound to peer TDP Ident:
10.5.5.5 10.12.12.5 10.8.8.5
PE1# show ip route 10.11.11.11
Routing entry for 10.11.11.11/32
Known via "isis", distance 115, metric 40, type level-1
Redistributing via isis
B Last update from 10.5.5.5 on Tunnel0, 01:52:21 ago
Routing Descriptor Blocks:
* 10.5.5.5, from 10.11.11.11, via Tunnel0
Route metric is 40, traffic share count is 1
從CE1向CE2上的主機發出ping命令可確認該解決方案。
CE1# ping 172.16.13.13 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms CE1#
案例3:未啟用TDP/LDP時,通過P1到P2的TE隧道在CE1和CE2之間建立VPN
拓撲
組態
PE1上的隧道配置如下所示:
| PE1 |
|---|
P1# show run interface tunnel 0 Building configuration... Current configuration : 255 bytes ! interface Tunnel0 ip unnumbered Loopback0 no ip directed-broadcast ip route-cache distributed tunnel destination 10.5.5.5 tunnel mode mpls traffic-eng tunnel mpls traffic-eng autoroute announce tunnel mpls traffic-eng path-option 10 dynamic end |
驗證
在此處檢驗目的地為CE2 172.16.13.13的資料包如何交換。show ip cef命令輸出顯示,前往目的地172.16.13.13的封包使用標籤堆疊{17 12308}交換:
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 18, cached adjacency 10.7.7.7
0 packets, 0 bytes
tag information set
local tag: VPN route head
fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
via 10.11.11.11, 0 dependencies, recursive
next hop 10.7.7.7, Ethernet2/0/2 via 10.11.11.11/32
valid cached adjacency
tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
P1收到此資料包時,刪除外部標籤17,並在檢視IP路由表後將資料包切換到Tunnel0。注意此輸出中的implicit-null OutLabel;這意味著傳出介面不是標籤交換。
P1# show ip cef 10.11.11.11 detail
10.11.11.11/32, version 52
0 packets, 0 bytes
tag information set
local tag: 17
fast tag rewrite with Tu0, point2point, tags imposed {}
via 10.5.5.5, Tunnel0, 0 dependencies
next hop 10.5.5.5, Tunnel0
valid adjacency
tag rewrite with Tu0, point2point, tags imposed {}
P1# show mpls traffic-eng tunnel tunnel 0 | i Label
InLabel : -
OutLabel : Ethernet2/0, implicit-null
P1# show tag for 10.11.11.11 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
17 Untagged 10.11.11.11/32 882 Tu0 point2point
MAC/Encaps=14/14, MTU=1500, Tag Stack{}, via Et2/0
006009E08B0300603E2B02408847
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P1# show ip route 10.11.11.11
Routing entry for 10.11.11.11/32
Known via "isis", distance 115, metric 30, type level-1
Redistributing via isis
Last update from 10.5.5.5 on Tunnel0, 00:03:20 ago
Routing Descriptor Blocks:
* 10.5.5.5, from 10.11.11.11, via Tunnel0
Route metric is 30, traffic share count is 1
P2收到帶有標籤12308的資料包後,會檢視其轉發表。因為P2無法感知來自CE2的12308標籤,所以它會丟棄資料包。
P2# show tag for tag 12308 detail Local Outgoing Prefix Bytes tag Outgoing Next Hop tag tag or VC or Tunnel Id switched interface
這將中斷發往CE2的VPN資料包的路徑。這由ping CE2 172.16.13.13/32確認。
PE1# CE1# ping 172.16.13.13 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) CE1#
解決方案
解決方案是通過隧道啟用LDP/TDP。下一部分將討論此解決方案。
案例4:啟用LDP的P1和P2之間的TE隧道上的VPN
拓撲
組態
在通道上啟用LDP後,P1上的配置如下圖所示。新增加的產品是粗體的。
| PE1 |
|---|
P1# show run interface tunnel 0 Building configuration... Current configuration : 273 bytes ! interface Tunnel0 ip unnumbered Loopback0 no ip directed-broadcast ip route-cache distributed mpls label protocol ldp tunnel destination 10.5.5.5 tunnel mode mpls traffic-eng tunnel mpls traffic-eng autoroute announce tunnel mpls traffic-eng path-option 10 dynamic end ! |
驗證
PE1將資料包傳送到帶有標籤堆疊{17 12308}的字首172.16.13.13/32。
PE1#
PE1# show tag for 10.11.11.11 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
21 17 10.11.11.11/32 0 Et2/0/2 10.7.7.7
MAC/Encaps=14/18, MTU=1500, Tag Stack{17}
00603E2B02410060835887428847 00011000
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE1#
PE1# show ip cef 10.11.11.11 detail
10.11.11.11/32, version 60, cached adjacency 10.7.7.7
0 packets, 0 bytes
tag information set
local tag: 21
fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17}
via 10.7.7.7, Ethernet2/0/2, 1 dependency
next hop 10.7.7.7, Ethernet2/0/2
valid cached adjacency
tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17}
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 18, cached adjacency 10.7.7.7
0 packets, 0 bytes
tag information set
local tag: VPN route head
fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
via 10.11.11.11, 0 dependencies, recursive
next hop 10.7.7.7, Ethernet2/0/2 via 10.11.11.11/32
valid cached adjacency
tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
P1收到標籤堆疊為{17 12308}的資料包,並在其LFIB中查詢標籤17。
P1# show tag for tag 17 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
17 18 10.11.11.11/32 1158 Tu0 point2point
MAC/Encaps=14/18, MTU=1496, Tag Stack{18}, via Et2/0
006009E08B0300603E2B02408847 00012000
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P1#
P1# show ip cef 10.11.11.11 detail
10.11.11.11/32, version 52
0 packets, 0 bytes
tag information set
local tag: 17
fast tag rewrite with Tu0, point2point, tags imposed {18}
via 10.5.5.5, Tunnel0, 0 dependencies
next hop 10.5.5.5, Tunnel0
valid adjacency
tag rewrite with Tu0, point2point, tags imposed {18}
它顯示標籤17應交換為標籤18。因此,該封包透過標籤堆疊{18 12308}的通道介面進行交換。
P2透過其標籤堆疊{18 12308}的通道介面接收封包。它會彈出標籤18(因為這是倒數第二跳路由器),然後將資料包交換到PE2,並帶標籤12308。
P2# show tag for tag 18 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
18 Pop tag 10.11.11.11/32 127645 PO2/0/0 point2point
MAC/Encaps=4/4, MTU=4474, Tag Stack{}
0F008847
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P2#
PE2收到帶有12308標籤的資料包,該資料包成功交換到CE2。
PE2# show tag forwarding tags 12308 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
12308 Aggregate 172.16.13.0/24[V] 12256
MAC/Encaps=0/0, MTU=0, Tag Stack{}
VPN route: aqua
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE2#
CE1# ping 172.16.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
CE1#
案例5:在P1和PE2之間的隧道上的MPLS VPN
拓撲
組態
| PE1 |
|---|
P1# show run interface tunnel 0 Building configuration... Current configuration : 258 bytes ! interface Tunnel0 ip unnumbered Loopback0 no ip directed-broadcast ip route-cache distributed tunnel destination 10.11.11.11 tunnel mode mpls traffic-eng tunnel mpls traffic-eng autoroute announce tunnel mpls traffic-eng path-option 10 dynamic end |
驗證
PE1將發往172.16.13.13的資料包傳送到帶有標籤堆疊{17 12308}的下一跳10.11.11。
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 18, cached adjacency 10.7.7.7
0 packets, 0 bytes
tag information set
local tag: VPN route head
fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
via 10.11.11.11, 0 dependencies, recursive
next hop 10.7.7.7, Ethernet2/0/2 via 10.11.11.11/32
valid cached adjacency
tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
P1收到標籤堆疊為{17 12308}的資料包。P1檢視其LFIB表並檢查標籤堆疊{17},並將標籤為{17}的資料包切換到P2。
P1# show tag for 10.11.11.11 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
17 Untagged 10.11.11.11/32 411 Tu0 point2point
MAC/Encaps=14/18, MTU=1500, Tag Stack{17}, via Et2/0
006009E08B0300603E2B02408847 00011000
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P1# show tag for tag 17 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
17 Untagged 10.11.11.11/32 685 Tu0 point2point
MAC/Encaps=14/18, MTU=1500, Tag Stack{17}, via Et2/0
006009E08B0300603E2B02408847 00011000
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P1#
P1# show ip cef 10.11.11.11
10.11.11.11/32, version 67
0 packets, 0 bytes
tag information set
local tag: 17
fast tag rewrite with Tu0, point2point, tags imposed {17}
via 10.11.11.11, Tunnel0, 0 dependencies
next hop 10.11.11.11, Tunnel0
valid adjacency
tag rewrite with Tu0, point2point, tags imposed {17}
P2收到標籤堆疊為{17 12308}的資料包。P2,即倒數第二跳路由器,彈出標籤17。
P2# show tag for tag 17 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
17 Pop tag 10.7.7.7 0 [5] 535 PO2/0/0 point2point
MAC/Encaps=4/4, MTU=4474, Tag Stack{}
0F008847
No output feature configured
P2#
然後PE2收到帶有標籤的數12308包。P2知道標籤的目標是12308接的。因此,從CE1到CE2的ping為10。
PE2# show tag for tag 12308 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
12308 Aggregate 172.16.13.0/24[V] 12776
MAC/Encaps=0/0, MTU=0, Tag Stack{}
VPN route: aqua
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE2#
注意:未顯示傳出介面,因為傳出標籤是Aggregate。這是因為與標籤關聯的字首是直連路由。
CE1# ping 172.16.13.13 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms CE1#
已知的問題
請參閱現場通知:有關Cisco IOS®軟體的MPLS VPN with TE和MPLS InterAS建議,瞭解詳細資訊。
結論
當在出口PE上終止TE隧道時,MPLS VPN和TE一起工作,無需任何額外配置。當在任何P路由器上終止TE隧道時(在核心中的PE之前),MPLS VPN流量轉發將失敗,因為到達時資料包的VPN標籤作為外部標籤,而外部標籤不在這些裝置的LFIB中。因此,這些中間路由器無法將資料包轉發到最終目的地VPN客戶網路。在這種情況下,應該在TE通道上啟用LDP/TDP來解決問題。
相關資訊
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
1.0 |
10-Aug-2005 |
初始版本 |
意見