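This document provides a sample configuration for a VPN routing and forwarding (VRF) instance under a generic routing encapsulation (GRE) tunnel interface.
Before you attempt this configuration, ensure that you meet these requirements:
Readers of this document should have knowledge of these topics:
The information in this document is based on Cisco IOS® Software Release 12.3(4)T1 running on 3725 series routers.
Use Cisco Feature Navigator II (registered customers only) and search for the GRE Tunnel IP Source and Destination VRF Membership feature to learn about additional software and hardware requirements.
The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.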
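This section presents the information you need to configure the features described in this document.
The configuration is set up as follows:
R1-CE and R2-CE are located in VRF BLUE.
R1-CE is also in VRF GREEN, through the use of a GRE tunnel to R3-PE.
R1-CE uses a static host route to reach R3-PE (the tunnel destination), which ensures that recursive routing does not occur for the GRE tunnel (that is, the tunnel destination address is not learned through the tunnel itself).
VRF BLUE and VRF GREEN are owned by two different companies, and no route leaking occurs between them. In addition, the access control list (ACL) on the interface between R1-CE and R2-CE permits only GRE traffic between the two.
Note: To find additional information about the commands used in this document, use the Command Lookup Tool (registered customers only).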
This document uses this network setup:
Figure 1 – Physical Topology
Figure 2 – Logical VRF Topology
This document uses these configurations:
R3-PE (tunnel endpoint)

```
R3-PE# show running-config
Building configuration...
.
!
no ip domain lookup
!
ip vrf blue
 rd 1:1
 route-target export 311:311
 route-target import 411:411
!
ip vrf green
 rd 2:2
 route-target export 322:322
 route-target import 422:422
!
ip cef
!
interface Tunnel0
 ip vrf forwarding green
 ip address 200.200.200.3 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 10.10.10.1
 tunnel vrf blue
!--- Tunnel 0 is part of VRF GREEN; but it uses the tunnel
!--- destination and source addresses from the routing
!--- table of VRF BLUE, because of this tunnel vrf blue
!--- command.
!
interface Ethernet0/0
 ip vrf forwarding blue
 ip address 20.20.20.3 255.255.255.0
!--- Connection to the VRF BLUE network and the VRF GREEN
!--- network using the GRE tunnel.
!
interface Ethernet1/0
 ip address 30.30.30.3 255.255.255.0
 tag-switching ip
!
router bgp 1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 30.30.30.4 remote-as 1
 !
 address-family vpnv4
 neighbor 30.30.30.4 activate
 neighbor 30.30.30.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf green
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf blue
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family
!
ip classless
ip route vrf blue 10.10.10.1 255.255.255.255 20.20.20.2
!--- Static Host route to ensure that recursive routing
!--- does not occur.
no ip http server
!
.
end
```
R4-PE

```
R4-PE# show running-config
Building configuration...
.
.
.
no ip domain lookup
!
ip vrf blue
 rd 1:1
 route-target export 411:411
 route-target import 311:311
!
ip vrf green
 rd 2:2
 route-target export 422:422
 route-target import 322:322
!
ip cef
!
interface Ethernet0/0
 ip address 30.30.30.4 255.255.255.0
 tag-switching ip
!
interface Ethernet1/0
 ip vrf forwarding green
 ip address 100.100.100.4 255.255.255.0
!
interface Ethernet2/0
 ip vrf forwarding blue
 ip address 40.40.40.4 255.255.255.0
!
router bgp 1
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 30.30.30.3 remote-as 1
 !
 address-family vpnv4
 neighbor 30.30.30.3 activate
 neighbor 30.30.30.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf green
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf blue
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family
!
ip classless
.
.
end
```
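The statement that no route leaking occurs between VRF BLUE and VRF GREEN can be checked from the route targets in the two PE configurations above. The following Python script is an added example, not part of the original document or of any Cisco tool; the function names `vrf_targets` and `route_leaks` are hypothetical, and it assumes that a VRF name identifies the same customer on every PE.

```python
import re

# "ip vrf" stanzas copied from the R3-PE and R4-PE configurations on this page.
R3_PE = """\
ip vrf blue
 rd 1:1
 route-target export 311:311
 route-target import 411:411
ip vrf green
 rd 2:2
 route-target export 322:322
 route-target import 422:422
"""
R4_PE = """\
ip vrf blue
 rd 1:1
 route-target export 411:411
 route-target import 311:311
ip vrf green
 rd 2:2
 route-target export 422:422
 route-target import 322:322
"""

def vrf_targets(config):
    """Map each VRF name to its exported and imported route targets."""
    vrfs, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"ip vrf (\S+)$", line):
            current = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the VRF stanza
        elif current is not None and (m := re.match(r" +route-target (export|import|both) (\S+)", line)):
            for kind in ("export", "import") if m.group(1) == "both" else (m.group(1),):
                current[kind].add(m.group(2))
    return vrfs

def route_leaks(configs):
    """Return (exporting_vrf, importing_vrf, rt) where a VRF imports another VRF's RT."""
    parsed = [vrf_targets(c) for c in configs]
    exported = {}  # route target -> names of the VRFs that export it on any PE
    for vrfs in parsed:
        for name, rts in vrfs.items():
            for rt in rts["export"]:
                exported.setdefault(rt, set()).add(name)
    return sorted({(src, name, rt)
                   for vrfs in parsed for name, rts in vrfs.items()
                   for rt in rts["import"]
                   for src in exported.get(rt, ()) if src != name})
```

An empty result for the two PE configurations means that every imported route target is exported only by the VRF of the same name.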
R1-CE (tunnel endpoint)

```
R1-CE# show running-config
Building configuration...
.
.
no ip domain lookup
!
ip cef
!
interface Tunnel0
 ip address 200.200.200.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 20.20.20.3
!--- Both the tunnel source and destination address are in
!--- the VRF BLUE, to provide transport for the VRF GREEN
!--- network.
!
interface Ethernet0/0
 description Connection to R2-CE router
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
!--- Access-group to allow only GRE packets through the
!--- R2-CE network. However, R1-CE networks data is in the
!--- GRE packet.
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 20.20.20.3 255.255.255.255 10.10.10.2
!--- Static Host route to ensure that recursive routing
!--- does not occur.
no ip http server
!
access-list 100 permit gre host 10.10.10.1 host 20.20.20.3
access-list 100 permit gre host 20.20.20.3 host 10.10.10.1
!--- Permits only GRE packets between the endpoints.
!
.
.
end
```
R2-CE

```
R2-CE# show running-config
Building configuration...
.
.
no ip domain lookup
!
ip cef
!
interface Ethernet0/0
 description Connection to R1-CE router
 ip address 10.10.10.2 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
!
interface Ethernet1/0
 ip address 20.20.20.2 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.3
no ip http server
!
access-list 100 permit gre host 10.10.10.1 host 20.20.20.3
access-list 100 permit gre host 20.20.20.3 host 10.10.10.1
!--- Permits only GRE packets between the endpoints.
.
!
end
```
R5-CE

```
R5-CE# show running-config
Building configuration...
.
.
no ip domain lookup
!
interface Ethernet0/0
 ip address 100.100.100.5 255.255.255.0
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 100.100.100.4
no ip http server
!
.
end
```
R6-CE

```
R6-CE# show running-config
Building configuration...
.
.
no ip domain lookup
!
interface Ethernet0/0
 ip address 40.40.40.6 255.255.255.0
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 40.40.40.4
no ip http server
!
.
end
```
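Two properties of the R1-CE configuration above can be verified mechanically: the tunnel destination has a host route that does not point into a tunnel (no recursive routing), and the ACL on the tunnel source interface permits nothing except GRE between the two endpoints. The following Python script is an added example, not part of the original document; the function names are hypothetical, and it assumes a global-table CE configuration with numbered ACLs and a tunnel source given as an interface name.

```python
import re

# Abridged from the R1-CE configuration on this page ("!" lines and comments dropped).
R1_CE = """\
interface Tunnel0
 tunnel source Ethernet0/0
 tunnel destination 20.20.20.3
interface Ethernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 20.20.20.3 255.255.255.255 10.10.10.2
access-list 100 permit gre host 10.10.10.1 host 20.20.20.3
access-list 100 permit gre host 20.20.20.3 host 10.10.10.1
"""

def interfaces(config):
    """Map each interface name to its indented sub-commands."""
    out, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = out.setdefault(m.group(1), [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None
    return out

def args(cmds, prefix):  # third token of each sub-command that starts with prefix
    return [c.split()[2] for c in cmds if c.startswith(prefix + " ")]

def audit_tunnels(config):
    """Return findings: recursive-routing risk and ACL entries other than endpoint GRE."""
    findings, ifs = [], interfaces(config)
    for name, cmds in ifs.items():
        for dst in args(cmds, "tunnel destination"):
            # Recursive routing: the destination needs a host route that avoids the tunnel.
            hops = re.findall(rf"^ip route {re.escape(dst)} 255\.255\.255\.255 (\S+)", config, re.M)
            if all(h.startswith("Tunnel") for h in hops):
                findings.append(f"{name}: no non-tunnel host route to {dst}")
            # ACLs on the tunnel source interface may only permit GRE between the endpoints.
            src = ifs.get((args(cmds, "tunnel source") or [""])[0], [])
            local = (args(src, "ip address") or ["?"])[0]
            allowed = {f"permit gre host {local} host {dst}", f"permit gre host {dst} host {local}"}
            for acl in sorted(set(args(src, "ip access-group"))):
                for entry in re.findall(rf"^access-list {acl} (.+)$", config, re.M):
                    if entry.strip() not in allowed:
                        findings.append(f"access-list {acl}: unexpected entry '{entry.strip()}'")
    return findings
```

The script does not handle `ip route vrf` statements, so it applies to the CE side of this setup and not to R3-PE.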
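This section provides information you can use to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) supports certain show commands; use it to view an analysis of show command output.
show ip route, show ip route vrf - Issue these commands at the tunnel endpoints to make sure that the tunnel destination is reachable. This ensures that the tunnel interface comes up.
ping - Issue this command from the far-end CE to make sure that the tunnel is reachable from the CE.
show ip bgp vpnv4 all labels - Issue this command on the PE devices to view the VPN label assigned to each prefix that is distributed to the other PE devices through Border Gateway Protocol (BGP).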
```
R3-PE# show ip route vrf blue 10.10.10.1
Routing entry for 10.10.10.1/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 20.20.20.2
      Route metric is 0, traffic share count is 1

R3-PE# show ip route vrf green
Routing Table: green
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    200.200.200.0/24 is directly connected, Tunnel0
     100.0.0.0/24 is subnetted, 1 subnets
B       100.100.100.0 [200/0] via 30.30.30.4, 01:11:45

R3-PE# show interfaces tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 200.200.200.3/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 20.20.20.3 (Ethernet0/0), destination 10.10.10.1
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
  Tunnel TTL 255
  Checksumming of packets disabled, fast tunneling enabled
  Last input 00:44:05, output 00:26:16, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     105 packets input, 11964 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     83 packets output, 10292 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

R3-PE# show ip bgp vpnv4 all labels
   Network          Next Hop      In label/Out label
Route Distinguisher: 1:1 (blue)
   20.20.20.0/24    0.0.0.0         16/aggregate(blue)
Route Distinguisher: 2:2 (green)
   100.100.100.0/24 30.30.30.4      nolabel/16
   200.200.200.0    0.0.0.0         17/aggregate(green)
```

```
R4-PE# show ip route vrf blue
Routing Table: blue
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/24 is subnetted, 1 subnets
B       20.20.20.0 [200/0] via 30.30.30.3, 01:14:05

R4-PE# show ip route vrf green
Routing Table: green
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

B    200.200.200.0/24 [200/0] via 30.30.30.3, 01:14:10
     100.0.0.0/24 is subnetted, 1 subnets
C       100.100.100.0 is directly connected, Ethernet1/0
```

```
R1-CE# show ip route 20.20.20.3
Routing entry for 20.20.20.3/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 10.10.10.2
      Route metric is 0, traffic share count is 1

R1-CE# show interfaces tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 200.200.200.1/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.10.10.1 (Ethernet0/0), destination 20.20.20.3
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
  Tunnel TTL 255
  Checksumming of packets disabled, fast tunneling enabled
  Last input 00:26:57, output 00:26:57, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     83 packets input, 10292 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     106 packets output, 12088 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
```

```
R5-CE# ping 200.200.200.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/54/80 ms

R5-CE# ping 200.200.200.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/36/72 ms
```
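There is currently no specific troubleshooting information available for this configuration.
These are the known caveats identified with the configuration of this feature. You can use the Bug Toolkit (registered customers only) to search for bugs.
CSCea81266 (registered customers only) - Resolved (R) GRE: Traffic stops after the clear ip route * command is issued.
CSCdx74855 (registered customers only) - Resolved (R) The IP address of the local GRE tunnel interface cannot be pinged.
CSCdx57718 (registered customers only) - Resolved (R) IP packets are lost in the GRE tunnel when Cisco Express Forwarding (CEF) is disabled on the outgoing interface.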