
如图1所示:
 1、AR4连接公司总部财务部、AR6连接分支机构财务部,AR4和AR6属于vpna;
 2、 AR5连接公司总部办公、 AR7连接分支机构办公, AR5和 AR7属于vpnb。
 公司要求通过部署BGP/MPLS IP VPN,实现总部和分支机构的安全互通,同时要求财务和办公区间数据隔离。
配置思路(AR1为pe1,AR2为p、AR3为pe2)
 采用如下的思路配置BGP/MPLS IP VPN:
- P、PE之间配置OSPF,实现骨干网的IP连通性。
- PE、P上配置MPLS基本能力和MPLS LDP,建立MPLS LSP公网隧道,传输VPN数据。
- PE1和PE2上配置VPN实例,其中,vpna使用的VPN-target属性为111:1,vpnb使用的VPN-target属性为222:2,以实现相同VPN间互通,不同VPN间隔离。同时,与CE相连的接口和相应的VPN实例绑定,以接入VPN用户。
- PE1和PE2之间配置MP-IBGP,交换VPN路由信息。
- CE与PE之间配置EBGP,交换VPN路由信息。
AR1:
 dis current-configuration
 [V200R003C00]
sysname pe1
snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load flash:/portalpage.zip
drop illegal-mac alarm
wlan ac-global carrier id other ac id 0
set cpu-usage threshold 80 restore 75
ip vpn-instance vpna
 ipv4-family
 route-distinguisher 100:1 //RD标签
 vpn-target 111:1 export-extcommunity //RT标签
 vpn-target 111:1 import-extcommunity //RT标签
ip vpn-instance vpnb
 ipv4-family
 route-distinguisher 100:2
 vpn-target 222:2 export-extcommunity
 vpn-target 222:2 import-extcommunity
mpls lsr-id 1.1.1.9
 mpls
mpls ldp
firewall zone Local
 priority 15
interface GigabitEthernet0/0/0
 ip binding vpn-instance vpna
 ip address 10.1.1.2 255.255.255.0
interface GigabitEthernet0/0/1
 ip binding vpn-instance vpnb
 ip address 10.2.1.2 255.255.255.0
interface GigabitEthernet0/0/2
 ip address 172.1.1.1 255.255.255.0
 mpls
 mpls ldp
interface NULL0
interface LoopBack1
 ip address 1.1.1.9 255.255.255.255
bgp 100 // 在PE之间建立MP-IBGP对等体关系
 peer 3.3.3.9 as-number 100
 peer 3.3.3.9 connect-interface LoopBack1
ipv4-family unicast
 undo synchronization
 peer 3.3.3.9 enable
ipv4-family vpnv4
 policy vpn-target
 peer 3.3.3.9 enable
ipv4-family vpn-instance vpna
 import-route direct
 peer 10.1.1.1 as-number 65410
ipv4-family vpn-instance vpnb
 import-route direct
 peer 10.2.1.1 as-number 65420
ospf 1
 area 0.0.0.0
 network 1.1.1.9 0.0.0.0
 network 172.1.1.0 0.0.0.255
user-interface con 0
 authentication-mode password
 user-interface vty 0 4
 user-interface vty 16 20
wlan ac
return
AR2:
dis current-configuration [V200R003C00] # sysname p # snmp-agent local-engineid 800007DB03000000000000 snmp-agent # clock timezone China-Standard-Time minus 08:00:00 # portal local-server load flash:/portalpage.zip # drop illegal-mac alarm # wlan ac-global carrier id other ac id 0 # set cpu-usage threshold 80 restore 75 # mpls lsr-id 2.2.2.9 mpls # mpls ldp # #
firewall zone Local
 priority 15
interface GigabitEthernet0/0/0
 ip address 172.1.1.2 255.255.255.0
 mpls
 mpls ldp
interface GigabitEthernet0/0/1
 ip address 172.2.1.1 255.255.255.0
 mpls
 mpls ldp
interface GigabitEthernet0/0/2
interface NULL0
interface LoopBack1
 ip address 2.2.2.9 255.255.255.255
ospf 1
 area 0.0.0.0
 network 2.2.2.9 0.0.0.0
 network 172.1.1.0 0.0.0.255
 network 172.2.1.0 0.0.0.255
user-interface con 0
 authentication-mode password
 user-interface vty 0 4
 user-interface vty 16 20
wlan ac
return
AR3:
 dis current-configuration
 [V200R003C00]
sysname pe2
snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load flash:/portalpage.zip
drop illegal-mac alarm
wlan ac-global carrier id other ac id 0
set cpu-usage threshold 80 restore 75
ip vpn-instance vpna
 ipv4-family
 route-distinguisher 200:1
 vpn-target 111:1 export-extcommunity
 vpn-target 111:1 import-extcommunity
ip vpn-instance vpnb
 ipv4-family
 route-distinguisher 200:2
 vpn-target 222:2 export-extcommunity
 vpn-target 222:2 import-extcommunity
mpls lsr-id 3.3.3.9
 mpls
mpls ldp
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher % 
     
      
       
      
        % 
       
      
    K8m.Nt84DZ}e#<0`8bmE3Uw}% 
     
      
       
      
        % 
       
      
    
 local-user admin service-type http
firewall zone Local
 priority 15
interface GigabitEthernet0/0/0
 ip address 172.2.1.2 255.255.255.0
 mpls
 mpls ldp
interface GigabitEthernet0/0/1
 ip binding vpn-instance vpna
 ip address 10.3.1.2 255.255.255.0
interface GigabitEthernet0/0/2
 ip binding vpn-instance vpnb
 ip address 10.4.1.2 255.255.255.0
interface NULL0
interface LoopBack1
 ip address 3.3.3.9 255.255.255.255
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack1
ipv4-family unicast
 undo synchronization
 peer 1.1.1.9 enable
ipv4-family vpnv4
 policy vpn-target
 peer 1.1.1.9 enable
ipv4-family vpn-instance vpna
 import-route direct
 peer 10.3.1.1 as-number 65430
ipv4-family vpn-instance vpnb
 import-route direct
 peer 10.4.1.1 as-number 65440
ospf 1
 area 0.0.0.0
 network 3.3.3.9 0.0.0.0
 network 172.2.1.0 0.0.0.255
user-interface con 0
 authentication-mode password
 user-interface vty 0 4
 user-interface vty 16 20
wlan ac
return
AR4:
 
 dis cu 
 dis current-configuration
 [V200R003C00]
snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load flash:/portalpage.zip
drop illegal-mac alarm
wlan ac-global carrier id other ac id 0
set cpu-usage threshold 80 restore 75
firewall zone Local
 priority 15
interface GigabitEthernet0/0/0
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface NULL0
bgp 65410
 peer 10.1.1.2 as-number 100
ipv4-family unicast
 undo synchronization
 import-route direct
 peer 10.1.1.2 enable
user-interface con 0
 authentication-mode password
 user-interface vty 0 4
 user-interface vty 16 20
wlan ac
return
AR5:
 dis cu 
 dis current-configuration
 [V200R003C00]
snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load flash:/portalpage.zip
drop illegal-mac alarm
wlan ac-global carrier id other ac id 0
set cpu-usage threshold 80 restore 75
firewall zone Local
 priority 15
interface GigabitEthernet0/0/0
 ip address 10.2.1.1 255.255.255.0
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface NULL0
bgp 65420
 peer 10.2.1.2 as-number 100
ipv4-family unicast
 undo synchronization
 import-route direct
 peer 10.2.1.2 enable
user-interface con 0
 authentication-mode password
 user-interface vty 0 4
 user-interface vty 16 20
wlan ac
return
Ar6:
 dis current-configuration
 [V200R003C00]
snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load flash:/portalpage.zip
drop illegal-mac alarm
wlan ac-global carrier id other ac id 0
set cpu-usage threshold 80 restore 75
firewall zone Local
 priority 15
interface GigabitEthernet0/0/0
 ip address 10.3.1.1 255.255.255.0
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface NULL0
bgp 65430
 peer 10.3.1.2 as-number 100
ipv4-family unicast
 undo synchronization
 import-route direct
 peer 10.3.1.2 enable
user-interface con 0
 authentication-mode password
 user-interface vty 0 4
 user-interface vty 16 20
wlan ac
return
Ar7:
 dis cu 
 dis current-configuration
 [V200R003C00]
snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load flash:/portalpage.zip
drop illegal-mac alarm
wlan ac-global carrier id other ac id 0
set cpu-usage threshold 80 restore 75
firewall zone Local
 priority 15
interface GigabitEthernet0/0/0
 ip address 10.4.1.1 255.255.255.0
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface NULL0
bgp 65440
 peer 10.4.1.2 as-number 100
ipv4-family unicast
 undo synchronization
 import-route direct
 peer 10.4.1.2 enable
user-interface con 0
 authentication-mode password
 user-interface vty 0 4
 user-interface vty 16 20
wlan ac
return
查看:
 执行display mpls ldp session命令可以看到显示结果中Status项为“Operational”。
在PE设备上执行display ip vpn-instance verbose命令可以看到VPN实例的配置情况。各PE能ping通自己接入的CE。
ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address命令中的参数-asource-ip-address,否则可能ping不通。
在PE设备上执行display bgp peer或display bgp vpnv4 all peer命令,可以看到PE之间的BGP对等体关系已建立,并达到Established状态
执行display bgp vpnv4 vpn-instance peer命令,可以看到PE与CE之间的BGP对等体关系已建立,并达到Established状态。
在PE设备上执行display ip routing-table vpn-instance命令,可以看到去往对端CE的路由。


















