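This document provides sample configurations for implementing a Multiprotocol Label Switching (MPLS) VPN over traffic engineering (TE) tunnels in an MPLS network. To gain the benefits of MPLS VPN over TE tunnels, both must coexist in the network. This document illustrates various scenarios in which packet forwarding within an MPLS VPN over TE tunnels can fail, and explains why. It also provides possible solutions.
Readers of this document should have knowledge of these topics:
This document is not restricted to specific software and hardware versions.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
As shown in this topology, in a simple MPLS VPN configuration, Provider Edge 1 (PE1) learns the VPN label (Label 1 [L1]) for the VPN prefix 172.16.13.0/24 directly from PE2 through Multiprotocol Border Gateway Protocol (MPBGP), with the next hop as the PE2 loopback address. PE1 also learns the label (L2) for the PE2 loopback address through Label Distribution Protocol (LDP) from its next hop, P1.
When it forwards data to the VPN prefix 172.16.13.13, PE1 uses the label stack {L2 L1}, with L2 as the outer label. L2 is swapped by the transit label switch router (LSR), P1. P2 pops the outer L2 and forwards the packet to PE2 with only L1. To better understand why P2 pops L2, refer to section 3.16 of RFC 3031 on penultimate hop popping (PHP). Thus, packets to the VPN IP version 4 (IPv4) prefix 172.16.13.0/24 are label switched across the MPLS network.
The MPLS VPN forwarding operation fails if any P router receives a packet with L1 (the VPN label) as the only outer label instead of the {L2 L1} label stack. This happens because no P router has L1 in its Label Forwarding Information Base (LFIB) to switch the packet.
MPLS TE uses Resource Reservation Protocol (RSVP) to exchange labels. When a router is configured for both TE and Tag Distribution Protocol (TDP)/LDP, it receives different labels from LDP and RSVP for a given prefix. The labels from LDP and RSVP do not need to be the same in all cases. The router installs the LDP label in the forwarding table if the prefix is learned through an LDP interface, and it installs the RSVP label if the prefix is learned through a TE tunnel interface.
In the case of a plain TE tunnel (no LDP/TDP enabled on the tunnel), the ingress LSR (the LSR at the head end of the TE tunnel) uses the same label that it uses to reach the tail end of the TE tunnel for all routes learned through the TE tunnel.
For example, there is a TE tunnel from PE1 to P2, and PE1 learns the prefix 10.11.11.11/32 through the tunnel. The tunnel tail end on P2 is 10.5.5.5, and the label to reach 10.5.5.5 on PE1 is L3. PE1 then uses L3 to reach the destination 10.11.11.11/32, which it learned through the TE tunnel.
In the above scenario, with a TE tunnel between PE1 and P2, consider PE1 forwarding data to Customer Edge 2 (CE2). If L4 is the VPN label, PE1 forwards the data with the label stack {L3 L4}. P1 pops L3, and P2 receives the packet with L4. PE2 is the only LSR that can correctly forward a packet with the outer label L4. P2 has no MPBGP session with PE2, so it does not receive L4 from PE2. Therefore, P2 has no knowledge of L2, and it drops the packet.
The configurations and show output that follow demonstrate this and illustrate one possible solution to the problem.
Only the relevant parts of the configuration files are included here: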
PE1

```
hostname PE1
ip cef
!
ip vrf aqua
 rd 100:1
 route-target export 1:1
 route-target import 1:1
!
mpls traffic-eng tunnels
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet2/0/1
 ip vrf forwarding aqua
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet2/0/2
 ip address 10.7.7.2 255.255.255.0
 ip router isis
 mpls traffic-eng tunnels
 tag-switching ip
!
router isis
 passive-interface Loopback0
 net 47.1234.2222.2222.2222.00
 is-type level-1
 metric-style wide
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng level-1
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.11.11.11 remote-as 1
 neighbor 10.11.11.11 update-source Loopback0
 !
 address-family vpnv4
 neighbor 10.11.11.11 activate
 neighbor 10.11.11.11 send-community extended
 exit-address-family
 !
 address-family ipv4
 neighbor 10.11.11.11 activate
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf aqua
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family
```
PE2

```
hostname PE2
!
ip vrf aqua
 rd 100:1
 route-target export 1:1
 route-target import 1:1
!
mpls traffic-eng tunnels
!
interface Loopback0
 ip address 10.11.11.11 255.255.255.255
!
interface POS0/1
 ip address 10.12.12.10 255.255.255.0
 ip router isis
 mpls traffic-eng tunnels
 tag-switching ip
 crc 16
 clock source internal
!
interface POS5/1
 ip vrf forwarding aqua
 ip address 172.16.13.11 255.255.255.0
 crc 32
 clock source internal
!
router isis
 passive-interface Loopback0
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng level-1
 net 47.1234.1010.1010.1010.00
 is-type level-1
 metric-style wide
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.2.2.2 remote-as 1
 neighbor 10.2.2.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.2.2.2 activate
 neighbor 10.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf aqua
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family
!
```
PE2 learns the PE1 VPN IPv4 prefix 172.16.1.0/24 through the MPBGP peering between PE1 and PE2. This is shown here:
PE2# show ip route vrf aqua
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 2 subnets
B 172.16.1.0 [200/0] via 10.2.2.2, 16:09:10
C 172.16.13.0 is directly connected, POS5/1
Similarly, PE1 learns the PE2 VPN IPv4 prefix 172.16.13.0/24 through the MPBGP peering between PE1 and PE2. This is shown here:
PE1# show ip route vrf aqua
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 2 subnets
B 172.16.13.0 [200/0] via 10.11.11.11, 16:09:49
C 172.16.1.0 is directly connected, Ethernet2/0/1
PE1# show ip route vrf aqua 172.16.13.13
Routing entry for 172.16.13.0/24
Known via "bgp 1", distance 200, metric 0, type internal
Last update from 10.11.11.11 16:13:19 ago
Routing Descriptor Blocks:
* 10.11.11.11 (Default-IP-Routing-Table), from 10.11.11.11, 16:13:19 ago
Route metric is 0, traffic share count is 1
AS Hops 0, BGP network version 0
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 11, cached adjacency 10.7.7.7
0 packets, 0 bytes
tag information set
local tag: VPN route head
fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
via 10.11.11.11, 0 dependencies, recursive
next hop 10.7.7.7, Ethernet2/0/2 via 10.11.11.11/32
valid cached adjacency
tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
!--- The label stack used to reach 172.16.13.13 is
!--- {17 12308}, where 17 is the outer label to reach next hop 10.11.11.11
!--- and 12308 is the VPN IPv4 label for 172.16.13.0/24.
PE1# show ip cef 10.11.11.11
10.11.11.11/32, version 31, cached adjacency 10.7.7.7
0 packets, 0 bytes
tag information set
local tag: 21
fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17}
via 10.7.7.7, Ethernet2/0/2, 1 dependency
next hop 10.7.7.7, Ethernet2/0/2
valid cached adjacency
tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17}
!--- Outer label 17 is used to reach next hop 10.11.11.11.
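Thus, CE1 can reach 172.16.13.13 on the CE2 network through the VPN routing and forwarding (VRF) instance "aqua", which is configured on PE1, using the label stack {17 12308}, as shown above.
This ping output confirms the connectivity:
CE1# ping 172.16.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
When a TE tunnel is built between the PE routers with autoroute announce in use, the egress PE BGP next hop is reachable through the TE tunnel interface. Therefore, PE1 uses the TE label to reach PE2.
Note: MPLS TE is independent of LDP, which means that, if you have a full mesh of tunnels from PE to PE, you can effectively disable LDP in the routers and do not need to run LDP on the TE tunnel interfaces. However, you must build all tunnels to the BGP next hop of the VPN version 4 (VPNv4) routes. In the example in this configuration, you can see that this BGP next hop is Loopback0 on PE2, 10.11.11.11. This loopback is also the tunnel destination of the tunnel from PE1 to PE2. This explains why, in this example, LDP can be disabled in the core if there is also a tunnel from PE2 to PE1 for the return traffic. Forwarding from CE to CE then works with all VPNv4 traffic carried over the TE tunnels. If the BGP next hop is not the same as the TE tunnel destination, LDP must run in the core and on the TE tunnel.
The additional configuration on PE1 to establish the PE tunnel is shown here:

PE1

```
PE1# show run interface tunnel 0
!
interface Tunnel0
 ip unnumbered Loopback0
 no ip directed-broadcast
 no ip route-cache distributed
 tunnel destination 10.11.11.11
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 10 dynamic
end
```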
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 11
0 packets, 0 bytes
tag information set
local tag: VPN route head
fast tag rewrite with Tu0, point2point, tags imposed {19 12308}
via 10.11.11.11, 0 dependencies, recursive
next hop 10.11.11.11, Tunnel0 via 10.11.11.11/32
valid adjacency
tag rewrite with Tu0, point2point, tags imposed {19 12308}
!--- The label stack to reach 172.16.13.13 is {19 12308}.
!--- BGP next hop for the VPNv4 prefix is 10.11.11.11, which is
!--- the same as the TE tunnel destination.
PE1# show ip route 10.11.11.11
Routing entry for 10.11.11.11/32
Known via "isis", distance 115, metric 40, type level-1
Redistributing via isis
Last update from 10.11.11.11 on Tunnel0, 00:02:09 ago
Routing Descriptor Blocks:
* 10.11.11.11, from 10.11.11.11, via Tunnel0
!--- The route is via Tunnel0.
Route metric is 40, traffic share count is 1
Now, confirm the outer label used to reach the next hop 10.11.11.11 through Tunnel0.
PE1# show mpls traffic-eng tunnels tunnel 0
Name: PE1_t0 (Tunnel0) Destination: 10.11.11.11
Status:
Admin: up Oper: up Path: valid Signalling: connected
path option 10, type dynamic (Basis for Setup, path weight 30)
Config Parameters:
Bandwidth: 0 kbps (Global) Priority: 7 7 Affinity: 0x0/0xFFFF
Metric Type: TE (default)
AutoRoute: enabled LockDown: disabled Loadshare: 0 bw-based
auto-bw: disabled
InLabel : -
OutLabel : Ethernet2/0/2, 19
!--- Label 19 from RSVP is used to reach destination 10.11.11.11/32.
RSVP Signalling Info:
Src 10.2.2.2, Dst 10.11.11.11, Tun_Id 0, Tun_Instance 31
RSVP Path Info:
My Address: 10.7.7.2
Explicit Route: 10.7.7.7 10.8.8.7 10.8.8.5 10.12.12.10
10.11.11.11
Record Route: NONE
Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
RSVP Resv Info:
Record Route: NONE
Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=Inf
Shortest Unconstrained Path Info:
Path Weight: 30 (TE)
Explicit Route: 10.7.7.2 10.7.7.7 10.8.8.7 10.8.8.5
10.12.12.10 10.11.11.11
History:
Tunnel:
Time since created: 17 hours, 17 minutes
Time since path change: 32 minutes, 54 seconds
Current LSP:
Uptime: 32 minutes, 54 seconds
Prior LSP:
ID: path option 10 [14]
Removal Trigger: tunnel shutdown
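Another way to view this information quickly is to use the output modifiers in the show commands, as shown here:
PE1# show mpls traffic-eng tunnels tunnel 0 | include Label
InLabel : -
OutLabel : Ethernet2/0/2, 19
!--- This is the label to reach 10.11.11.11.
Look at the tag stack. It is 19, the TE label, which is used to forward packets to the next hop 10.11.11.0 through Tunnel0.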
PE1# show tag forwarding-table 10.11.11.11 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
21 Pop tag 10.11.11.11/32 0 Tu0 point2point
MAC/Encaps=14/18, MTU=1500, Tag Stack{19}, via Et2/0/2
00603E2B02410060835887428847 00013000
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE1#
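Thus, PE1 sends a packet destined to 172.16.13.13 with the label stack {19 12308}. P1 swaps the label 19. The packet reaches P2, which pops that outer label. The packet is then forwarded to PE2 with only the label 12308.
On PE2, the packet with the label 12308 is received and switched based on the information in the forwarding table. This is shown here: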
PE2# show tag for tags 12308 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
12308 Aggregate 172.16.13.0/24[V] 12256
MAC/Encaps=0/0, MTU=0, Tag Stack{}
VPN route: aqua
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE2#
Note: No outgoing interface is shown because the outgoing tag is Aggregate. This is because the prefix associated with the label is a directly connected route.
A ping from CE1 to a host on CE2 confirms the VPN connectivity over the TE tunnel:
CE1# ping 172.16.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/13/36 ms
CE1#
The additional TE configuration over the basic configuration on PE1 is shown here:

PE1

```
PE1# show run interface tunnel 0
!
interface Tunnel0
 ip unnumbered Loopback0
 no ip directed-broadcast
 no ip route-cache distributed
 tunnel destination 10.5.5.5
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 10 dynamic
end
!
```

Check the route to the prefix 172.16.13.13 in the PE1 VRF aqua. It points to the next hop 10.11.11.11/32 (through Tunnel0) using the label stack {19 12308}.
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 11
0 packets, 0 bytes
tag information set
local tag: VPN route head
fast tag rewrite with Tu0, point2point, tags imposed {19 12308}
via 10.11.11.11, 0 dependencies, recursive
next hop 10.5.5.5, Tunnel0 via 10.11.11.11/32
valid adjacency
tag rewrite with Tu0, point2point, tags imposed {19 12308}
PE1#
Label 19, the outer label, is used to reach the next hop 10.11.11.11/32, as shown here:
PE1# show ip cef 10.11.11.11
10.11.11.11/32, version 37
0 packets, 0 bytes
tag information set
local tag: 21
fast tag rewrite with Tu0, point2point, tags imposed {19}
via 10.5.5.5, Tunnel0, 1 dependency
next hop 10.5.5.5, Tunnel0
valid adjacency
tag rewrite with Tu0, point2point, tags imposed {19}
PE1# show mpls traffic-eng tunnels tunnel 0
Name: PE1_t0 (Tunnel0) Destination: 10.5.5.5
Status:
Admin: up Oper: up Path: valid Signalling: connected
path option 10, type dynamic (Basis for Setup, path weight 20)
Config Parameters:
Bandwidth: 0 kbps (Global) Priority: 7 7 Affinity: 0x0/0xFFFF
Metric Type: TE (default)
AutoRoute: enabled LockDown: disabled Loadshare: 0 bw-based
auto-bw: disabled
InLabel : -
OutLabel : Ethernet2/0/2, 19
RSVP Signalling Info:
Src 10.2.2.2, Dst 10.5.5.5, Tun_Id 0, Tun_Instance 33
RSVP Path Info:
My Address: 10.7.7.2
Explicit Route: 10.7.7.7 10.8.8.7 10.8.8.5 10.5.5.5
Record Route: NONE
Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
RSVP Resv Info:
Record Route: NONE
Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=Inf
Shortest Unconstrained Path Info:
Path Weight: 20 (TE)
Explicit Route: 10.7.7.2 10.7.7.7 10.8.8.7 10.8.8.5
10.5.5.5
History:
Tunnel:
Time since created: 17 hours, 31 minutes
Time since path change: 8 minutes, 49 seconds
Current LSP:
Uptime: 8 minutes, 49 seconds
Selection: reoptimation
Prior LSP:
ID: path option 10 [31]
Removal Trigger: path verification failed
PE1#
PE1# show mpls traffic-eng tunnels tunnel 0 | i Label
InLabel : -
OutLabel : Ethernet2/0/2, 19
PE1#
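A packet from PE1 is sent over the TE tunnel with the label stack {19 12308}. Once P1 receives the packet, it pops (PHP) the tag 19 and sends the packet with the label stack {12308}. The show command confirms this: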
P1> show tag for tag 19
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
19 Pop tag 10.2.2.2 0 [33] 2130 Et2/0 10.8.8.5
P1>
P1> show tag for tag 19 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
19 Pop tag 10.2.2.2 0 [33] 2257 Et2/0 10.8.8.5
MAC/Encaps=14/14, MTU=1504, Tag Stack{}
006009E08B0300603E2B02408847
No output feature configured
P1>
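When P2 receives the packet with the label stack {12308}, it checks its LFIB and drops the packet because no match exists. This is the show command output on P2:
P2# show tag forwarding-table tags 12308 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
P2#
P2#
7w4d: TAG: Et0/3: recvd: CoS=0, TTL=253, Tag(s)=12308
7w4d: TAG: Et0/3: recvd: CoS=0, TTL=253, Tag(s)=12308
7w4d: TAG: Et0/3: recvd: CoS=0, TTL=253, Tag(s)=12308
7w4d: TAG: Et0/3: recvd: CoS=0, TTL=253, Tag(s)=12308
P2#
P2#
The solution to this problem is to enable TDP/LDP on the TE tunnel and make it a tag-switched interface. In the example shown in the solution, TDP is enabled on Tunnel0 of PE1. P2 is configured to accept directed hellos and form directed TDP neighbors. So, PE1 receives the label for 10.11.11.11 from P2 through LDP. Now that Tunnel0 has been made a tag-switched interface and TDP has been enabled for the traffic to 10.11.11.11, PE1 uses both labels; it uses the RSVP label to reach the TE tail end and the TDP label to reach 10.11.11.11.
In this scenario, PE1 uses the label stack {L2 L3 L1} to forward data to CE2 if these items are true:
L1 is the VPN label.
L2 is the RSVP label to reach the TE tail end.
L3 is the TDP label to reach 10.11.11.11 (received from P2).
The solution is to enable TDP over the TE tunnel.
The TE tunnel configuration on PE1 with TDP enabled is shown here. The additions are in bold.

PE1

```
PE1# show run interface tunnel 0
!
interface Tunnel0
 ip unnumbered Loopback0
 no ip directed-broadcast
 no ip route-cache distributed
 tag-switching ip
 !--- This enables TDP.
 tunnel destination 10.5.5.5
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 10 dynamic
end
!
```

This is the additional configuration on the TE tunnel tail end to accept directed TDP hellos:
P2# show run | i directed-hello
tag-switching tdp discovery directed-hello accept
!--- This configures P2 to accept directed TDP hellos.
P2#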
PE1# show tag tdp neighbor | i Peer
Peer TDP Ident: 10.7.7.7:0; Local TDP Ident 10.2.2.2:0
Peer TDP Ident: 10.5.5.5:0; Local TDP Ident 10.2.2.2:0
PE1#
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 11
0 packets, 0 bytes
tag information set
local tag: VPN route head
fast tag rewrite with Tu0, point2point, tags imposed {19 18 12308}
via 10.11.11.11, 0 dependencies, recursive
next hop 10.5.5.5, Tunnel0 via 10.11.11.11/32
valid adjacency
tag rewrite with Tu0, point2point, tags imposed {19 18 12308}
PE1#
PE1# show mpls traffic-eng tunnels tunnel 0 | i Label
InLabel : -
OutLabel : Ethernet2/0/2, 19
!--- This is the TE label learned via RSVP.
PE1#
PE1# show tag tdp bind 10.11.11.11 32
tib entry: 10.11.11.11/32, rev 20
local binding: tag: 21
remote binding: tsr: 10.7.7.7:0, tag: 17
remote binding: tsr: 10.5.5.5:0, tag: 18
!--- This is the TDP label from P2.
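When P1 receives the packet with the label stack {19 18 12308}, it pops the tag 19 and sends the packet with the label stack {18 12308} to P2. P2 checks its LFIB for the label 18, then pops the tag and sends the packet through the outgoing interface PO2/0/0 toward PE1. PE1 receives the packet with the label 12308 and successfully switches it to CE2.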
P2# show tag for tag 18
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
18 Pop tag 10.11.11.11/32 117496 POS2/0/0 point2point
P2# show tag tdp discovery
Local TDP Identifier:
10.5.5.5:0
Discovery Sources:
Interfaces:
Ethernet0/3 (tdp): xmit/recv
TDP Id: 10.7.7.7:0
POS2/0/0 (tdp): xmit/recv
TDP Id: 10.11.11.11:0
Directed Hellos:
10.5.5.5 -> 10.2.2.2 (tdp): passive, xmit/recv
TDP Id: 10.2.2.2:0
P2# show tag tdp neighbor 10.2.2.2
Peer TDP Ident: 10.2.2.2:0; Local TDP Ident 10.5.5.5:0
TCP connection: 10.2.2.2.711 - 10.5.5.5.11690
State: Oper; PIEs sent/rcvd: 469/465; Downstream
Up time: 01:41:08
TDP discovery sources:
Directed Hello 10.5.5.5 -> 10.2.2.2, passive
Addresses bound to peer TDP Ident:
10.7.7.2 172.16.47.166 10.2.2.2
PE1# show tag tdp neighbor 10.5.5.5
Peer TDP Ident: 10.5.5.5:0; Local TDP Ident 10.2.2.2:0
TCP connection: 10.5.5.5.11690 - 10.2.2.2.711
State: Oper; PIEs sent/rcvd: 438/441; Downstream
Up time: 01:35:08
TDP discovery sources:
Directed Hello 10.2.2.2 -> 10.5.5.5, active
!--- This indicates the directed neighbor.
Addresses bound to peer TDP Ident:
10.5.5.5 10.12.12.5 10.8.8.5
PE1# show ip route 10.11.11.11
Routing entry for 10.11.11.11/32
Known via "isis", distance 115, metric 40, type level-1
Redistributing via isis
B Last update from 10.5.5.5 on Tunnel0, 01:52:21 ago
Routing Descriptor Blocks:
* 10.5.5.5, from 10.11.11.11, via Tunnel0
Route metric is 40, traffic share count is 1
A ping from CE1 to the host on CE2 confirms the solution.
CE1# ping 172.16.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
CE1#
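The three PE1 `show ip cef vrf aqua 172.16.13.13` outputs above differ only in the imposed label stack and in the tunnel next hop, which is enough to tell the working cases from the failing one. The script below is an added example, not part of the original document: the function names are hypothetical, the sample text is copied from this page and trimmed, and the rule that a head end imposes one RSVP label plus an optional LDP/TDP label is an assumption that matches this page's output.

```python
"""Check PE CEF output for a VPN label that a TE tunnel tail end cannot switch."""
import re

# "show ip cef vrf aqua 172.16.13.13" output from PE1, copied from this page
# and trimmed to the two lines the check reads.
TUNNEL_TO_PE2 = """\
fast tag rewrite with Tu0, point2point, tags imposed {19 12308}
next hop 10.11.11.11, Tunnel0 via 10.11.11.11/32
"""
TUNNEL_TO_P2 = """\
fast tag rewrite with Tu0, point2point, tags imposed {19 12308}
next hop 10.5.5.5, Tunnel0 via 10.11.11.11/32
"""
TUNNEL_TO_P2_WITH_TDP = """\
fast tag rewrite with Tu0, point2point, tags imposed {19 18 12308}
next hop 10.5.5.5, Tunnel0 via 10.11.11.11/32
"""
NO_TUNNEL = """\
fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
next hop 10.7.7.7, Ethernet2/0/2 via 10.11.11.11/32
"""


def parse_cef(text):
    """Extract the imposed label stack and next-hop details from CEF output."""
    labels = re.search(r"tags imposed \{([\d ]*)\}", text)
    hop = re.search(r"next hop (\S+), (\S+) via (\S+)/\d+", text)
    if not labels or not hop:
        raise ValueError("no 'tags imposed' or recursive 'next hop' line found")
    return {
        "labels": [int(v) for v in labels.group(1).split()],
        "next_hop": hop.group(1),      # tunnel tail end when the interface is a tunnel
        "interface": hop.group(2),
        "bgp_next_hop": hop.group(3),  # egress PE loopback
    }


def check_vpn_route(text):
    """Return (ok, reason) for one VPN prefix.

    Assumption of this example: the head end imposes a real RSVP label, so
    {RSVP VPN} has two labels and {RSVP LDP/TDP VPN} has three.
    """
    route = parse_cef(text)
    if not route["interface"].startswith("Tunnel"):
        return True, "not forwarded over a TE tunnel"
    if route["next_hop"] == route["bgp_next_hop"]:
        return True, "tunnel ends on the BGP next hop"
    if len(route["labels"]) >= 3:
        return True, "LDP/TDP label carried inside the tunnel"
    return False, (f"tunnel ends on {route['next_hop']}, which receives VPN label "
                   f"{route['labels'][-1]} as the outer label")


if __name__ == "__main__":
    samples = {
        "tunnel PE1 -> PE2": TUNNEL_TO_PE2,
        "tunnel PE1 -> P2": TUNNEL_TO_P2,
        "tunnel PE1 -> P2 with TDP": TUNNEL_TO_P2_WITH_TDP,
        "no tunnel": NO_TUNNEL,
    }
    for name, text in samples.items():
        print(name, check_vpn_route(text))
```

A tunnel whose RSVP label is implicit-null at the head end imposes one label fewer, so the three-label test would need adjusting for that case.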
The tunnel configuration on PE1 is shown here:

PE1

```
P1# show run interface tunnel 0
Building configuration...
Current configuration : 255 bytes
!
interface Tunnel0
 ip unnumbered Loopback0
 no ip directed-broadcast
 ip route-cache distributed
 tunnel destination 10.5.5.5
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 10 dynamic
end
```

Verify how packets destined to CE2 172.16.13.13 are switched here. The show ip cef command output shows that packets to the destination 172.16.13.13 are switched with the label stack {17 12308}:
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 18, cached adjacency 10.7.7.7
0 packets, 0 bytes
tag information set
local tag: VPN route head
fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
via 10.11.11.11, 0 dependencies, recursive
next hop 10.7.7.7, Ethernet2/0/2 via 10.11.11.11/32
valid cached adjacency
tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
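When P1 receives this packet, it removes the outer label 17 and switches the packet to Tunnel0 after it looks in the IP routing table. Note the implicit-null OutLabel in this output; it means that the outgoing interface is not label switched.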
P1# show ip cef 10.11.11.11 detail
10.11.11.11/32, version 52
0 packets, 0 bytes
tag information set
local tag: 17
fast tag rewrite with Tu0, point2point, tags imposed {}
via 10.5.5.5, Tunnel0, 0 dependencies
next hop 10.5.5.5, Tunnel0
valid adjacency
tag rewrite with Tu0, point2point, tags imposed {}
P1# show mpls traffic-eng tunnel tunnel 0 | i Label
InLabel : -
OutLabel : Ethernet2/0, implicit-null
P1# show tag for 10.11.11.11 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
17 Untagged 10.11.11.11/32 882 Tu0 point2point
MAC/Encaps=14/14, MTU=1500, Tag Stack{}, via Et2/0
006009E08B0300603E2B02408847
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P1# show ip route 10.11.11.11
Routing entry for 10.11.11.11/32
Known via "isis", distance 115, metric 30, type level-1
Redistributing via isis
Last update from 10.5.5.5 on Tunnel0, 00:03:20 ago
Routing Descriptor Blocks:
* 10.5.5.5, from 10.11.11.11, via Tunnel0
Route metric is 30, traffic share count is 1
Once P2 receives the packet with the label 12308, it looks at its forwarding table. Because P2 has no knowledge of the VPN tag 12308 from CE2, it drops the packet.
P2# show tag for tag 12308 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
This breaks the path for VPN packets destined to CE2. It is confirmed by the ping to CE2 172.16.13.13/32.
PE1#
CE1# ping 172.16.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CE1#
The solution is to enable LDP/TDP over the tunnel. The next section discusses this solution.
With LDP enabled on the tunnel, the configuration on P1 appears as shown here. The additions are in bold.

PE1

```
P1# show run interface tunnel 0
Building configuration...
Current configuration : 273 bytes
!
interface Tunnel0
 ip unnumbered Loopback0
 no ip directed-broadcast
 ip route-cache distributed
 mpls label protocol ldp
 tunnel destination 10.5.5.5
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 10 dynamic
end
!
```
PE1 sends packets to the prefix 172.16.13.13/32 with the label stack {17 12308}.
PE1#
PE1# show tag for 10.11.11.11 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
21 17 10.11.11.11/32 0 Et2/0/2 10.7.7.7
MAC/Encaps=14/18, MTU=1500, Tag Stack{17}
00603E2B02410060835887428847 00011000
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE1#
PE1# show ip cef 10.11.11.11 detail
10.11.11.11/32, version 60, cached adjacency 10.7.7.7
0 packets, 0 bytes
tag information set
local tag: 21
fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17}
via 10.7.7.7, Ethernet2/0/2, 1 dependency
next hop 10.7.7.7, Ethernet2/0/2
valid cached adjacency
tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17}
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 18, cached adjacency 10.7.7.7
0 packets, 0 bytes
tag information set
local tag: VPN route head
fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
via 10.11.11.11, 0 dependencies, recursive
next hop 10.7.7.7, Ethernet2/0/2 via 10.11.11.11/32
valid cached adjacency
tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
P1 receives the packet with the label stack {17 12308} and looks in its LFIB for the label 17.
P1# show tag for tag 17 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
17 18 10.11.11.11/32 1158 Tu0 point2point
MAC/Encaps=14/18, MTU=1496, Tag Stack{18}, via Et2/0
006009E08B0300603E2B02408847 00012000
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P1#
P1# show ip cef 10.11.11.11 detail
10.11.11.11/32, version 52
0 packets, 0 bytes
tag information set
local tag: 17
fast tag rewrite with Tu0, point2point, tags imposed {18}
via 10.5.5.5, Tunnel0, 0 dependencies
next hop 10.5.5.5, Tunnel0
valid adjacency
tag rewrite with Tu0, point2point, tags imposed {18}
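It shows that the label 17 should be swapped for the label 18. Therefore, the packet is switched over the tunnel interface with the label stack {18 12308}.
P2 receives the packet over its tunnel interface with the label stack {18 12308}. It pops the tag 18 (because it is the penultimate hop router) and switches the packet to PE2 with the label 12308.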
P2# show tag for tag 18 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
18 Pop tag 10.11.11.11/32 127645 PO2/0/0 point2point
MAC/Encaps=4/4, MTU=4474, Tag Stack{}
0F008847
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P2#
PE2 receives the packet with the label 12308 and successfully switches the packet to CE2.
PE2# show tag forwarding tags 12308 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
12308 Aggregate 172.16.13.0/24[V] 12256
MAC/Encaps=0/0, MTU=0, Tag Stack{}
VPN route: aqua
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE2#
CE1# ping 172.16.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
CE1#
PE1

```
P1# show run interface tunnel 0
Building configuration...
Current configuration : 258 bytes
!
interface Tunnel0
 ip unnumbered Loopback0
 no ip directed-broadcast
 ip route-cache distributed
 tunnel destination 10.11.11.11
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 10 dynamic
end
```

PE1 sends a packet destined to 172.16.13.13 to its next hop 10.11.11.11 with the label stack {17 12308}.
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 18, cached adjacency 10.7.7.7
0 packets, 0 bytes
tag information set
local tag: VPN route head
fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
via 10.11.11.11, 0 dependencies, recursive
next hop 10.7.7.7, Ethernet2/0/2 via 10.11.11.11/32
valid cached adjacency
tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
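P1 receives the packet with the label stack {17 12308}. P1 looks in its LFIB table, checks the tag stack {17}, and switches the packet with the label {17} toward P2.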
P1# show tag for 10.11.11.11 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
17 Untagged 10.11.11.11/32 411 Tu0 point2point
MAC/Encaps=14/18, MTU=1500, Tag Stack{17}, via Et2/0
006009E08B0300603E2B02408847 00011000
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P1# show tag for tag 17 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
17 Untagged 10.11.11.11/32 685 Tu0 point2point
MAC/Encaps=14/18, MTU=1500, Tag Stack{17}, via Et2/0
006009E08B0300603E2B02408847 00011000
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P1#
P1# show ip cef 10.11.11.11
10.11.11.11/32, version 67
0 packets, 0 bytes
tag information set
local tag: 17
fast tag rewrite with Tu0, point2point, tags imposed {17}
via 10.11.11.11, Tunnel0, 0 dependencies
next hop 10.11.11.11, Tunnel0
valid adjacency
tag rewrite with Tu0, point2point, tags imposed {17}
P2 receives the packet with the label stack {17 12308}. P2, as the penultimate hop router, pops the label 17.
P2# show tag for tag 17 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
17 Pop tag 10.7.7.7 0 [5] 535 PO2/0/0 point2point
MAC/Encaps=4/4, MTU=4474, Tag Stack{}
0F008847
No output feature configured
P2#
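PE2 then receives the packet with the label 12308. P2 knows that the destination for the label 12308 is directly connected. Therefore, the ping from CE1 to CE2 succeeds.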
PE2# show tag for tag 12308 detail
Local Outgoing Prefix Bytes tag Outgoing Next Hop
tag tag or VC or Tunnel Id switched interface
12308 Aggregate 172.16.13.0/24[V] 12776
MAC/Encaps=0/0, MTU=0, Tag Stack{}
VPN route: aqua
No output feature configured
Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE2#
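Note: No outgoing interface is shown because the outgoing tag is Aggregate. This is because the prefix associated with the label is a directly connected route.
CE1# ping 172.16.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
CE1#
Refer to Field Notice: MPLS VPN with TE and MPLS InterAS Advisory for more details.
When the TE tunnel terminates on the egress PE, MPLS VPN and TE work together without any additional configuration. When the TE tunnel terminates on any P router (before the PE in the core), MPLS VPN traffic forwarding fails because packets arrive with VPN labels as the outer labels, and these labels are not in the LFIBs of those devices. Therefore, these intermediate routers cannot forward the packets to the final destination, the VPN customer network. In that case, LDP/TDP should be enabled on the TE tunnel to solve the problem.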
| Revision | Publish Date | Comments |
|---|---|---|
| 1.0 | 10-Aug-2005 | Initial Release |