For reasons of security and cost, branches are generally not interconnected directly; traffic between branches must pass through the Head Office firewall. This gives the security benefit while also keeping the cost down.
The experiment topology is as follows:
[Figure: experiment topology]
OSPF's loop-prevention mechanism uses the down bit and the domain tag, so the outbound VRF on R6 may fail to receive the route. The down bit and domain tag checks must therefore be disabled in the outbound VRF. The configurations of the ASA and R6 follow:
ASA:
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
! VLAN 100 sub-interface, same subnet as R6 FastEthernet0/1.100 (vrf r6in)
interface Ethernet0/0.100
 vlan 100
 nameif outside
 security-level 0
 ip address 192.168.100.254 255.255.255.0
!
! VLAN 200 sub-interface, same subnet as R6 FastEthernet0/1.200 (vrf r6out)
interface Ethernet0/0.200
 vlan 200
 nameif inside
 security-level 100
 ip address 192.168.200.254 255.255.255.0
!
router ospf 200
 network 192.168.100.0 255.255.255.0 area 0
 log-adj-changes
!
! Routes learned by OSPF 200 are redistributed into OSPF 300
router ospf 300
 network 192.168.200.0 255.255.255.0 area 0
 log-adj-changes
 redistribute ospf 200 subnets
--------------------------------------------- Split line -------------------------------------
R6:
R6#show run
Building configuration...
Current configuration : 2320 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R6
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
! Inbound VRF: imports only
ip vrf r6in
 rd 6:100
 route-target import 100:100
!
! Outbound VRF: exports only
ip vrf r6out
 rd 6:101
 route-target export
!
mpls label range 600 699
mpls label protocol ldp
!
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.56.6 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.100
 encapsulation dot1Q 100
 ip vrf forwarding r6in
 ip address 192.168.100.6 255.255.255.0
!
interface FastEthernet0/1.200
 encapsulation dot1Q 200
 ip vrf forwarding r6out
 ip address 192.168.200.6 255.255.255.0
!
!
! capability vrf-lite turns off the OSPF down bit and domain tag checks in the VRF
router ospf 200 vrf r6in
 log-adjacency-changes
 capability vrf-lite
 redistribute bgp 100 subnets
 network 192.168.100.0 0.0.0.255 area 0
!
router ospf 300 vrf r6out
 log-adjacency-changes
 capability vrf-lite
 redistribute bgp 100 subnets
 network 192.168.200.0 0.0.0.255 area 0
!
router ospf 100
 router-id 6.6.6.6
 log-adjacency-changes
 network 6.6.6.6 0.0.0.0 area 0
 network 192.168.56.0 0.0.0.255 area 0
!
router bgp 100
 bgp router-id 6.6.6.6
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf r6out
  redistribute ospf 300 vrf r6out match internal external 1 external 2 nssa-external 1 nssa-external 2
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf r6in
  redistribute ospf 200 vrf r6in match internal external 1 external 2 nssa-external 1 nssa-external 2
  no synchronization
 exit-address-family
!
no ip http server
no ip http secure-server
!
mpls ldp router-id Loopback0
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end
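An added example, not part of the original page: a small Python audit for a hub PE configuration like R6's. It checks that every VRF-bound OSPF process carries `capability vrf-lite` (assumed here, as in R6's configuration, to be the command that disables the down bit and domain tag checks) and that no VRF both imports and exports route-targets, matching the page's separate in/out VRFs. The sample text, the VRF `bad`, OSPF process 400 and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of R6; VRF "bad" and OSPF 400 are hypothetical.
SAMPLE = """\
ip vrf r6in
 rd 6:100
 route-target import 100:100
!
ip vrf bad
 rd 6:102
 route-target import 100:100
 route-target export 100:100
!
router ospf 200 vrf r6in
 capability vrf-lite
!
router ospf 400 vrf bad
 redistribute bgp 100 subnets
"""

def stanzas(config):
    """Yield (header, [sub-commands]) for each top-level IOS stanza."""
    header, body = None, []
    for line in config.splitlines():
        if line[:1] == " ":              # indented line: sub-command of the stanza
            if header:
                body.append(line.strip().lower())
            continue
        if header:
            yield header, body
        text = line.strip().lower()
        header, body = (text if text and text != "!" else None), []
    if header:
        yield header, body

def audit(config):
    """Return sorted findings for VRF-bound OSPF processes and VRF route-targets."""
    findings = []
    for header, body in stanzas(config):
        ospf = re.fullmatch(r"router ospf (\d+) vrf (\S+)", header)
        if ospf and "capability vrf-lite" not in body:
            findings.append("ospf %s vrf %s: capability vrf-lite missing" % ospf.groups())
        vrf = re.fullmatch(r"ip vrf (\S+)", header)
        if vrf:
            kinds = {c.split()[1] for c in body if re.match(r"route-target \S", c)}
            if "both" in kinds or {"import", "export"} <= kinds:
                findings.append("vrf %s: imports and exports route-targets" % vrf.group(1))
    return sorted(findings)

print("\n".join(audit(SAMPLE)))
```

Run against a saved `show run`, an empty result means both properties hold for every VRF stanza the script found.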
Verification:
It can be seen that the VRF has correctly received the route.
R2-R4 carries a plain IP packet.
R4-R5 carries two labels.
R5-R6 carries a single label, because PHP has popped the outer label.
R6-ASA carries a plain IP packet.
The analysis above shows that the data packets pass through the ASA.