MPLS VPN环境中访问公共网络或Internet的实现方法

MPLSVPN网络环境中访问公共网络或Internet的若干实现方法上海博达数据通信有限公司冯松柏2013年08月14日路由器项目部2目录目录..................................................................................................................................................2前言..................................................................................................................................................3方案1分布式PE访问外网............................................................................................................3方案特点...................................................................................................................................3实验拓扑...................................................................................................................................3关键配置...................................................................................................................................4实验配置及信息.......................................................................................................................4方案2PE集中式上Internet---supervpn方式................................................................................4方案特点...................................................................................................................................4实验拓扑...................................................................................................................................5关键配置...................................................................................................................................5实验配置及信息.......................................................................................................................7方案3PE集中式上Internet---多vpn方式..................................................................................20方案特点.................................................................................................................................20实验拓扑.................................................................................................................................20详细配置信息.........................................................................................................................20配置运行结果.........................................................................................................................31方案4集中式/分布式CE方式访问公共网络或Internet..........................................................32结语................................................................................................................................................32路由器项目部3前言在行业用户或运营商的MPLSVPN网络中，各种VPN用户或应用通常都有访问公共网络或Internet的需求。要实现这一需求，VPN与VPN之间、VPN与全局网络之间必须是能互通的。但在MPLSVPN的网络环境中，VPN与VPN、VPN与全局网络默认是互相隔离的，不能互相访问。为了实现这个需求，通过查找相关资料和实验验证，共找到3种解决方案，下面对这3种方案的实现方法和特点分别进行介绍。方案1分布式PE访问外网方案特点1.每台PE都与internet直接相连，在PE的VRF中配置指向global地址的缺省路由2.跳出VRF通过全局路由表与公共网络或Internet互通3.可以在上行路径中的任意一台PE上从VPN中弹出，走全局路由；3.在PE的VRF中做NAT转换；4.可以实现双向互访。实验拓扑路由器项目部4关键配置实验配置及信息方案2PE集中式上Internet---supervpn方式方案特点1.通过supervpn方式Route-target控制路由与公共网络或Internet互通2.设备配置及方案还是采用MPLSVPN的方式实现，不影响全局路由表；2.通过MP－BGP的RT属性控制路由条目的导入导出，简单灵活；3.利用BGP路由反射器实现iBGP路由条目的转发，实现全网路由表的同步，可以大量减少BGPpeer对等关系，减小网络管理和维护的复杂程度；其实，这里因为存在supervpn，即使不配置路由反射器，也可以将其它vpn路由引入supervpn。只是没有路由反射器，如果vpn对之间的PE需要建立BGP全连接。4.可以实现双向互访，但各VPN的IP地址不能重叠。另外，如果配置了该superVPN的PE上还有其他vpn端口，并且将supervpn到公网的缺省路由引入，则还需要针对这些vpn，配置nat，否则，此PE直连的CE将无法上公网。路由器项目部5实验拓扑关键配置PE1：ipvrfsuper-vpnrd111:1route-targetexport111:1route-targetimport111:1route-targetimport100:1route-targetimport100:2!路由器项目部6ipvrfvpn2rd100:2route-targetexport100:2route-targetimport100:2route-targetimport111:1!interfaceLoopback3ipvrfforwardingsuper-vpnipaddress172.16.0.3255.255.255.0!routerbgp100bgplog-neighbor-changesneighbor2.2.2.2remote-as100neighbor2.2.2.2update-sourceLoopback0neighbor3.3.3.3remote-as100neighbor3.3.3.3update-sourceLoopback0!address-familyipv4neighbor2.2.2.2activateneighbor3.3.3.3activatenoauto-summarynosynchronizationexit-address-family!address-familyvpnv4neighbor2.2.2.2activateneighbor2.2.2.2send-communityextendedneighbor2.2.2.2route-reflector-client//PE1配置为BGP路由反射器，发送从client学到的iBGP路由给其它Client或非Client，从而实现路由表的同步neighbor3.3.3.3activateneighbor3.3.3.3send-communityextendedneighbor3.3.3.3route-reflector-client//PE1配置为BGP路由反射器，发送从client学到的iBGP路由给其它Client或非Client，从而实现路由表的同步exit-address-family!address-familyipv4vrfvpn2redistributeconnectedredistributestaticnosynchronizationexit-address-family!address-familyipv4vrfsuper-vpnredistributeconnectedredistributestatic路由器项目部7default-informationoriginatenosynchronizationexit-address-family!ipforward-protocolndiproutevrfsuper-vpn0.0.0.00.0.0.0202.0.0.254globalnoiphttpservernoiphttpsecure-server!!ipnatsourcestatic172.17.0.1210.0.0.1vrfsuper-vpnipnatinsidesourcelistsuper-addrinterfaceLoopback210vrfsuper-vpnoverload!ipaccess-liststandardsuper-addrpermitanyPE2：ipvrfvpn1rd100:1route-targetexport100:1route-targetimport100:1route-targetimport111:1!ipvrfvpn2rd100:2route-targetexport100:2route-targetimport100:2route-targetimport111:1PE3：ipvrfvpn1rd100:1route-targetexport100