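MPLS VPN on XR, Part 3
This time I really will build the MPLS VPN network. Part 2
The usual network topology
CE-PE routing was completed in the previous posts, and the MP-BGP configuration is already done as shown below, so end-to-end connectivity should now work.
XR2 config (excerpt; XR4 is similar)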
router bgp 65200
 bgp router-id 2.2.2.2
 address-family ipv4 unicast
  network 2.2.2.2/32
 !
 address-family vpnv4 unicast
 !
 neighbor 3.3.3.3
  remote-as 65200
  update-source Loopback0
  address-family vpnv4 unicast
  !
 !
 neighbor 10.0.23.3
  remote-as 65200
  address-family ipv4 unicast
   soft-reconfiguration inbound always
  !
 !
 vrf USER1
  rd auto
  address-family ipv4 unicast
  !
  neighbor 192.168.12.1
   remote-as 65100
   address-family ipv4 unicast
    route-policy pass in
    route-policy pass out
    as-override
    soft-reconfiguration inbound always
   !
  !
 !
!
mpls ldp
 interface GigabitEthernet0/0/0/0
 !
RR3 config
router bgp 65200
 bgp router-id 3.3.3.3
 ibgp policy out enforce-modifications
 address-family ipv4 unicast
  network 3.3.3.3/32
 !
 address-family vpnv4 unicast
 !
 neighbor 2.2.2.2
  remote-as 65200
  update-source Loopback0
  address-family vpnv4 unicast
   route-reflector-client
  !
 !
 neighbor 4.4.4.4
  remote-as 65200
  update-source Loopback0
  address-family vpnv4 unicast
   route-reflector-client
  !
 !
 neighbor 10.0.23.2
  remote-as 65200
  address-family ipv4 unicast
   route-reflector-client
   next-hop-self
  !
 !
 neighbor 10.0.34.4
  remote-as 65200
  address-family ipv4 unicast
   route-reflector-client
   next-hop-self
  !
 !
!
mpls ldp
 interface GigabitEthernet0/0/0/0
 !
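The loopback addresses of XR2, RR3 and XR4 are advertised via iBGP over the physical interfaces.
RR3 is the route reflector.
MP-BGP then runs between the loopback addresses learned via iBGP.
RR3 is the route reflector for MP-BGP as well.
In show ip route on CSR1, CSR5's loopback address (5.5.5.5/32) is properly visible too, so, thinking it would surely be fine this time, I pinged.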
CSR1#ping 5.5.5.5 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)
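Hmm.
Checking show mpls ldp bindings on XR2, XR4's loopback address 4.4.4.4 is missing.
Once again I looked into various things,
searching for things like "mpls vpn route-reflector".
In the course of that, I suddenly noticed something:
the route reflector is being used for MP-BGP.
The current setup learns the loopback addresses via iBGP and peers MP-BGP on those loopback addresses,
which, thinking about it, is a configuration you don't often see.
Guessing that this was probably the cause, I simply reconfigured the IGP with OSPF, after which
XR4's loopback address (4.4.4.4) appeared in show mpls ldp bindings on XR2,
and I was able to confirm end-to-end connectivity as well.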
CSR1#ping 5.5.5.5 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/14/17 ms
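The manual check done on XR2 above (is there an LDP binding for XR4's loopback?), written as a script. This is an added example, not part of the original post; the sample output is constructed in the layout of IOS XR show mpls ldp bindings with made-up label values, and the function names are illustrative.

```python
import re

# Constructed sample in the layout of IOS XR "show mpls ldp bindings";
# label values are made up, and 4.4.4.4/32 is absent as in the failing state.
SAMPLE_BEFORE = """\
2.2.2.2/32, rev 2
        Local binding: label: ImpNull
        Remote bindings: (1 peers)
            Peer                Label
            -----------------   ---------
            3.3.3.3:0           24000
3.3.3.3/32, rev 4
        Local binding: label: 24001
        Remote bindings: (1 peers)
            Peer                Label
            -----------------   ---------
            3.3.3.3:0           ImpNull
"""

SAMPLE_AFTER = SAMPLE_BEFORE + """\
4.4.4.4/32, rev 6
        Local binding: label: 24002
        Remote bindings: (1 peers)
            Peer                Label
            -----------------   ---------
            3.3.3.3:0           24003
"""

PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+), rev \d+")
LOCAL_RE = re.compile(r"^\s+Local binding: label: (\S+)")
REMOTE_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+:\d+)\s+(\S+)\s*$")

def parse_bindings(text):
    """Return {prefix: {"local": label or None, "remote": {peer: label}}}."""
    table, cur = {}, None
    for line in text.splitlines():
        if m := PREFIX_RE.match(line):
            cur = table.setdefault(m.group(1), {"local": None, "remote": {}})
        elif cur is not None and (m := LOCAL_RE.match(line)):
            cur["local"] = m.group(1)
        elif cur is not None and (m := REMOTE_RE.match(line)):
            cur["remote"][m.group(1)] = m.group(2)
    return table

def unlabeled_next_hops(text, next_hops):
    """Return the given prefixes that have no remote LDP label binding."""
    table = parse_bindings(text)
    return [nh for nh in next_hops if not table.get(nh, {}).get("remote")]
```

Calling unlabeled_next_hops on captured output with the remote PE loopbacks (here 4.4.4.4/32) returns the ones that are missing a binding, which is the symptom seen before OSPF was configured.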
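If I understood the mechanism properly, I think I would know why it did not work with iBGP and MP-BGP,
but I have not reached the level where I can isolate it, so I will look into the cause once my level has gone up a bit.
And so, I somehow managed to complete the MPLS VPN build on XR, which took an awful lot of time.
Below are the configs (excerpts).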
CSR1 config
CSR1#
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet1
 ip address 192.168.12.1 255.255.255.0
 negotiation auto
!
router bgp 65100
 bgp log-neighbor-changes
 neighbor 192.168.12.2 remote-as 65200
 !
 address-family ipv4
  network 1.1.1.1 mask 255.255.255.255
  neighbor 192.168.12.2 activate
 exit-address-family
!
XR2 config
RP/0/0/CPU0:XR2#sh run
vrf USER1
 address-family ipv4 unicast
  import route-target
   1:1
  !
  export route-target
   1:1
  !
 !
!
interface Loopback0
 ipv4 address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0/0/0
 ipv4 address 10.0.23.2 255.255.255.0
!
interface GigabitEthernet0/0/0/1
 vrf USER1
 ipv4 address 192.168.12.2 255.255.255.0
!
route-policy pass
  pass
end-policy
!
router ospf 1
 area 0
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/0
  !
 !
!
router bgp 65200
 bgp router-id 2.2.2.2
 address-family ipv4 unicast
  network 2.2.2.2/32
 !
 address-family vpnv4 unicast
 !
 neighbor 3.3.3.3
  remote-as 65200
  update-source Loopback0
  address-family vpnv4 unicast
  !
 !
 neighbor 10.0.23.3
  remote-as 65200
  address-family ipv4 unicast
   soft-reconfiguration inbound always
  !
 !
 vrf USER1
  rd auto
  address-family ipv4 unicast
  !
  neighbor 192.168.12.1
   remote-as 65100
   address-family ipv4 unicast
    route-policy pass in
    route-policy pass out
    as-override
    soft-reconfiguration inbound always
   !
  !
 !
!
mpls ldp
 interface GigabitEthernet0/0/0/0
 !
RR3 config
RP/0/0/CPU0:RR3#sh run
interface Loopback0
 ipv4 address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet0/0/0/0
 ipv4 address 10.0.23.3 255.255.255.0
!
interface GigabitEthernet0/0/0/2
 ipv4 address 10.0.34.3 255.255.255.0
!
router ospf 1
 area 0
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/0
  !
  interface GigabitEthernet0/0/0/2
  !
 !
!
router bgp 65200
 bgp router-id 3.3.3.3
 ibgp policy out enforce-modifications
 address-family ipv4 unicast
  network 3.3.3.3/32
 !
 address-family vpnv4 unicast
 !
 neighbor 2.2.2.2
  remote-as 65200
  update-source Loopback0
  address-family vpnv4 unicast
   route-reflector-client
  !
 !
 neighbor 4.4.4.4
  remote-as 65200
  update-source Loopback0
  address-family vpnv4 unicast
   route-reflector-client
  !
 !
 neighbor 10.0.23.2
  remote-as 65200
  address-family ipv4 unicast
   route-reflector-client
   next-hop-self
  !
 !
 neighbor 10.0.34.4
  remote-as 65200
  address-family ipv4 unicast
   route-reflector-client
   next-hop-self
  !
 !
!
mpls ldp
 interface GigabitEthernet0/0/0/0
 !
 interface GigabitEthernet0/0/0/2
 !
XR4 config
RP/0/0/CPU0:XR4#sh run
vrf USER1
 address-family ipv4 unicast
  import route-target
   1:1
  !
  export route-target
   1:1
  !
 !
!
interface Loopback0
 ipv4 address 4.4.4.4 255.255.255.255
!
interface GigabitEthernet0/0/0/1
 vrf USER1
 ipv4 address 192.168.45.4 255.255.255.0
!
interface GigabitEthernet0/0/0/2
 ipv4 address 10.0.34.4 255.255.255.0
!
route-policy pass
  pass
end-policy
!
router ospf 1
 area 0
  interface Loopback0
  !
  interface GigabitEthernet0/0/0/2
  !
 !
!
router bgp 65200
 bgp router-id 4.4.4.4
 address-family ipv4 unicast
  network 4.4.4.4/32
 !
 address-family vpnv4 unicast
 !
 neighbor 3.3.3.3
  remote-as 65200
  update-source Loopback0
  address-family vpnv4 unicast
   route-reflector-client
  !
 !
 neighbor 10.0.34.3
  remote-as 65200
  address-family ipv4 unicast
   route-reflector-client
   soft-reconfiguration inbound
  !
 !
 vrf USER1
  rd auto
  address-family ipv4 unicast
  !
  neighbor 192.168.45.5
   remote-as 65100
   address-family ipv4 unicast
    route-policy pass in
    route-policy pass out
    as-override
   !
  !
 !
!
mpls ldp
 interface GigabitEthernet0/0/0/2
 !
CSR5 config
CSR5#sh run
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface GigabitEthernet1
 ip address 192.168.45.5 255.255.255.0
 negotiation auto
!
router bgp 65100
 bgp router-id 5.5.5.5
 bgp log-neighbor-changes
 network 5.5.5.5 mask 255.255.255.255
 neighbor 192.168.45.4 remote-as 65200
!
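Come to think of it, there was a page that explains, wonderfully concisely, the problem I got badly stuck on last time.
supportforums.cisco.com
Well, I think you remember things better when you struggle through the work. Yep.
With this, next time is finally Inter-AS option A.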