HUB-AND-SPOKE environment of mpls vpn

Last Update:2013-12-27 Source: Internet

Author: User

Tags domain lookup

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Generally, for the sake of security and cost, if the branches are not interconnected, the access between the branches must go through the firewall of the Head Office. Both the security effect and the cost are saved.

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/015UAE5-0.jpg "/>

The experiment topology is as follows:

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/015U61c0-1.jpg "/>

Due to the existence of the downstream bits and domain tags in the anti-ring mechanism of OSPF, the route may not be received in the outbound VRF of r6. therefore, the downstream bits and domain tags must be disabled in the outbound VRF. The following shows the configuration of the ASA and R6:

ASA

Interface Ethernet0/0
No nameif
No security-level
No ip address
!
Interface Ethernet0/0.100
Vlan 100
Nameif ouside
Security-level 0
Ip address 192.168.100.254 255.255.255.0
!
Interface Ethernet0/0.200
Vlan 200
Nameif inside
Security-level 100
Ip address 192.168.200.254 255.255.255.0

Router ospf 200
Network 192.168.100.0 255.255.255.0 area 0
Log-adj-changes
!
Router ospf 300
Network 192.168.200.0 255.255.255.0 area 0
Log-adj-changes
Redistribute ospf 200 subnets

--------------------------------------------- Split line -------------------------------------

R6:

R6 # SHOW RUN
Building configuration...

Current configuration: 2320 bytes
!
Version 12.4:
Service timestamps debug datetime msec
Service timestamps log datetime msec
No service password-encryption
!
Hostname R6
!
Boot-start-marker
Boot-end-marker
!
!
No aaa new-model
Memory-size iomem 5
!
!
Ip cef
No ip domain lookup
!
!
Ip vrf r6in
Rd 6100
Route-target import 100:100
!
Ip vrf r6out
Rd 6:101
Route-target export
!
Mpls label range 600 699
Mpls label protocol ldp
!
Interface Loopback0
Ip address 6.6.6.6 255.255.255.255
!
Interface FastEthernet0/0
Ip address 192.168.56.6 255.255.255.0
Duplex auto
Speed auto
Mpls ip
!
Interface FastEthernet0/1
No ip address
Duplex auto
Speed auto
!
Interface FastEthernet0/1.100
Encapsulation dot1Q 100
Ip vrf forwarding r6in
Ip address 192.168.100.6 255.255.255.0
!
Interface FastEthernet0/1.200
Encapsulation dot1Q 200
Ip vrf forwarding r6out
Ip address 192.168.200.6 255.255.255.0
!
!
Router ospf 200 vrf r6in
Log-adjacency-changes
Capability vrf-lite
Redistribute bgp 100 subnets
Network 192.168.100.0 0.0.255 area 0
!
Router ospf 300 vrf r6out
Log-adjacency-changes
Capability vrf-lite
Redistribute bgp 100 subnets
Network 192.168.200.0 0.0.0.255 area 0
!
Router ospf 100
Router-id 6.6.6.6
Log-adjacency-changes
Network 6.6.6.6 0.0.0.0 area 0
Network 192.168.56.0 0.0.0.255 area 0
!
Router bgp 100
Bgp router-id 6.6.6.6
No bgp default ipv4-unicast
Bgp log-neighbor-changes
Neighbor 3.3.3.3 remote-as 100
Neighbor 3.3.3.3 update-source Loopback0
Neighbor 4.4.4 remote-as 100
Neighbor 4.4.4 update-source Loopback0
!
Address-family vpnv4
Neighbor 3.3.3.3 activate
Neighbor 3.3.3.3 send-community extended
Neighbor 4.4.4 activate
Neighbor 4.4.4.4 send-community extended
Exit-address-family
!
Address-family ipv4 vrf r6out
Redistribute ospf 300 vrf r6out match internal external 1 external 2 nssa-external 1 nssa-external 2
No synchronization
Exit-address-family
!
Address-family ipv4 vrf r6in
Redistribute ospf 200 vrf r6in match internal external 1 external 2 nssa-external 1 nssa-external 2
No synchronization
Exit-address-family
!
No ip http server
No ip http secure-server
!

Mpls ldp router-id Loopback0
!
!
Control-plane
!
Line con 0
Exec-timeout 0 0
Logging synchronous
Line aux 0
Line vty 0 4
Login
!
!
End

Verification:

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/015U61403-2.jpg "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/015U61526-3.jpg "/>

It can be seen that the VRF has correctly received the route

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/015UC452-4.jpg "/>

R2-R4 is an IP pack

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/015UB011-5.jpg "/>

R4-R5 Double Label

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/015U62F2-6.jpg "/>

R5-R6 is a single-layer label due to PHP pop-up upper-layer labels)

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/015U631W-7.jpg "/>

R6-ASA is an IP pack

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/015U64341-8.jpg "/>

The above analysis has proved that the data packet arrived through the ASA

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More