For security and cost reasons, enterprises generally do not interconnect branch offices directly: any traffic between two branches must pass through the headquarters firewall, which gives a single inspection point and saves the cost of a full mesh of links.
The lab topology is as follows:
Because of OSPF's PE-CE loop-prevention mechanisms, the DN (down) bit and the domain tag, the routes that R6 redistributes from MP-BGP into the OSPF process of the inbound VRF r6in come back, after the ASA redistributes OSPF 200 into OSPF 300, still carrying the domain tag of BGP AS 100; the OSPF process of the outbound VRF r6out would therefore refuse to install them and nothing would be re-exported to the branches. The DN-bit and domain-tag checks are disabled on the r6out process with capability vrf-lite (the configuration also applies it to r6in, where it is harmless). The ASA and R6 configurations are given below; see the attachment for the other devices:
ASA:
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.100
vlan 100
nameif outside
security-level 0
ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/0.200
vlan 200
nameif inside
security-level 100
ip address 192.168.200.254 255.255.255.0
router ospf 200
network 192.168.100.0 255.255.255.0 area 0
log-adj-changes
!
router ospf 300
network 192.168.200.0 255.255.255.0 area 0
log-adj-changes
redistribute ospf 200 subnets
----------------------------------------------------------------------------------
R6:
R6#show run
Building configuration...
Current configuration : 2320 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R6
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
ip vrf r6in
rd 6:100
route-target import 100:100
!
ip vrf r6out
rd 6:101
route-target export 200:100
!
mpls label range 600 699
mpls label protocol ldp
!
interface Loopback0
ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.56.6 255.255.255.0
duplex auto
speed auto
mpls ip
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.100
encapsulation dot1Q 100
ip vrf forwarding r6in
ip address 192.168.100.6 255.255.255.0
!
interface FastEthernet0/1.200
encapsulation dot1Q 200
ip vrf forwarding r6out
ip address 192.168.200.6 255.255.255.0
!
!
router ospf 200 vrf r6in
log-adjacency-changes
capability vrf-lite
redistribute bgp 100 subnets
network 192.168.100.0 0.0.0.255 area 0
!
router ospf 300 vrf r6out
log-adjacency-changes
capability vrf-lite
redistribute bgp 100 subnets
network 192.168.200.0 0.0.0.255 area 0
!
router ospf 100
router-id 6.6.6.6
log-adjacency-changes
network 6.6.6.6 0.0.0.0 area 0
network 192.168.56.0 0.0.0.255 area 0
!
router bgp 100
bgp router-id 6.6.6.6
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 3.3.3.3 remote-as 100
neighbor 3.3.3.3 update-source Loopback0
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback0
!
address-family vpnv4
neighbor 3.3.3.3 activate
neighbor 3.3.3.3 send-community extended
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community extended
exit-address-family
!
address-family ipv4 vrf r6out
redistribute ospf 300 vrf r6out match internal external 1 external 2 nssa-external 1 nssa-external 2
no synchronization
exit-address-family
!
address-family ipv4 vrf r6in
redistribute ospf 200 vrf r6in match internal external 1 external 2 nssa-external 1 nssa-external 2
no synchronization
exit-address-family
!
no ip http server
no ip http secure-server
!
mpls ldp router-id Loopback0
!
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
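The route-target scheme in the R6 configuration (r6in imports 100:100, r6out exports 200:100) is what forces every branch-to-branch path through the ASA. The following added example, which is not part of the lab files, models that import/export plumbing and the OSPF/ASA leak from r6in to r6out, then checks the property the design depends on: no branch VRF may import another branch's export RT. The branch PE VRFs, their PE names (R3, R4) and their LAN prefixes (10.1.1.0/24, 10.2.2.0/24) are assumptions made for illustration; the branch RTs (export 100:100, import 200:100) are assumed as the mirror image of r6in/r6out.

```python
"""Route-target model of the branch-to-branch hairpin through the HQ firewall.

Added example, not part of the lab files. The r6in/r6out RTs are those in the
R6 configuration; the branch PE VRFs, PE names and LAN prefixes are assumed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vrf:
    name: str
    pe: str                               # router hosting the VRF
    export_rts: frozenset = frozenset()   # route-target export ...
    import_rts: frozenset = frozenset()   # route-target import ...
    local: frozenset = frozenset()        # prefixes learned from the VRF's own CE side


@dataclass(frozen=True)
class VpnRoute:
    prefix: str
    origin_pe: str
    origin_vrf: str
    rts: frozenset                        # extended communities carried in MP-BGP


def vpnv4_table(vrfs):
    """Each VRF advertises its local prefixes into VPNv4 tagged with its export RTs."""
    return {VpnRoute(p, v.pe, v.name, v.export_rts)
            for v in vrfs for p in v.local if v.export_rts}


def import_routes(vrf, table):
    """A VRF installs a VPNv4 route only if it carries one of the VRF's import RTs;
    a prefix the VRF already holds locally stays local (better admin distance)."""
    return {r for r in table
            if r.rts & vrf.import_rts and r.prefix not in vrf.local}


def hairpin(vrfs, rounds=3):
    """MP-BGP import plus the leak the lab builds with OSPF and the ASA:
    whatever r6in imports is redistributed into OSPF 200, crosses the ASA into
    OSPF 300 and becomes a 'local' prefix of r6out, which re-exports it under
    its own RT. A few rounds reach a fixed point for this topology."""
    byname = {v.name: v for v in vrfs}
    for _ in range(rounds):
        table = vpnv4_table(byname.values())
        leaked = {r.prefix for r in import_routes(byname["r6in"], table)}
        byname["r6out"] = replace(byname["r6out"],
                                  local=byname["r6out"].local | leaked)
    table = vpnv4_table(byname.values())
    return {name: import_routes(v, table) for name, v in byname.items()}


def next_hops(rib, prefix):
    """(PE, VRF) pairs from which `prefix` was learned in one VRF's RIB."""
    return {(r.origin_pe, r.origin_vrf) for r in rib if r.prefix == prefix}


def direct_branch_paths(vrfs, branches):
    """Policy check: a branch VRF must never import another branch's export RT,
    otherwise the two branches reach each other without touching the ASA."""
    byname = {v.name: v for v in vrfs}
    return {(a, b) for a in branches for b in branches
            if a != b and byname[a].import_rts & byname[b].export_rts}


# Constructed lab (assumed branch side): branches export 100:100 and import
# 200:100, mirroring r6in (import 100:100) and r6out (export 200:100).
LAB = [
    Vrf("branchA", "R4", frozenset({"100:100"}), frozenset({"200:100"}),
        frozenset({"10.1.1.0/24"})),
    Vrf("branchB", "R3", frozenset({"100:100"}), frozenset({"200:100"}),
        frozenset({"10.2.2.0/24"})),
    Vrf("r6in", "R6", import_rts=frozenset({"100:100"})),
    Vrf("r6out", "R6", export_rts=frozenset({"200:100"})),
]

# Mistake the check should catch: branchA also imports 100:100 and so learns
# branchB's prefixes straight from R3, bypassing the firewall.
BAD = [replace(LAB[0], import_rts=frozenset({"200:100", "100:100"}))] + LAB[1:]

if __name__ == "__main__":
    rib = hairpin(LAB)
    for name in ("branchA", "branchB", "r6in", "r6out"):
        print(name, sorted((r.prefix, r.origin_pe, r.origin_vrf) for r in rib[name]))
    print("direct branch paths (LAB):", direct_branch_paths(LAB, ["branchA", "branchB"]))
    print("direct branch paths (BAD):", direct_branch_paths(BAD, ["branchA", "branchB"]))
```

With the lab RTs, branchA learns 10.2.2.0/24 only from R6's r6out VRF, and r6in is the only VRF that sees the branch prefixes under their original RT; the BAD variant is what to look for when auditing the branch PE configurations in the attachment.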
Verification:
The verification output shows that the outbound VRF r6out has installed the branch routes. Following a packet from one branch to another:
R2-R4: plain IP
R4-R5: two labels (transport label plus VPN label)
R5-R6: one label (R5 is the penultimate hop, so PHP has popped the transport label and only the VPN label remains)
R6-ASA: plain IP (R6 pops the VPN label into r6out and forwards to the ASA's inside interface)
This confirms that inter-branch packets are delivered through the ASA; after inspection the ASA forwards them out of its outside interface to 192.168.100.6, where r6in looks them up in MP-BGP and sends them back into the MPLS core toward the destination branch.
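To see why the domain-tag check matters before relying on capability vrf-lite, the following added example (not part of the lab files) decodes OSPF external route tags the way a PE's VRF OSPF process evaluates them and applies the check to a sample of `show ip ospf database external` output. The tag format, 0xD0000000 | AS for a 2-byte AS, is the automatic domain tag of RFC 4577 section 4.2.5.2, so a PE in AS 100 writes 3489661028; the sample LSA text, the prefixes in it and the modelling of the check as a comparison of the tag's AS field with the local BGP AS are constructed for illustration and not captured from the lab.

```python
"""Why r6out would drop the hairpinned routes without `capability vrf-lite`.

Added example, not part of the lab files. The `show ip ospf database external`
text below is constructed to resemble IOS output, not captured from the lab.
"""

AUTO = 1 << 31        # tag was generated automatically by the PE
COMPLETE = 1 << 30    # path information in the tag is complete


def vpn_domain_tag(asn):
    """Automatic OSPF domain tag a PE in `asn` writes into redistributed LSAs
    (RFC 4577 section 4.2.5.2: 0xD0000000 | AS for a 2-byte AS number)."""
    if not 0 < asn < 65536:
        raise ValueError("only 2-byte AS numbers fit the automatic tag format")
    return 0xD0000000 | asn


def decode_tag(tag):
    """Split a 32-bit external route tag into its RFC 1745 / RFC 4577 fields."""
    return {
        "automatic": bool(tag & AUTO),
        "complete": bool(tag & COMPLETE),
        "path_length": (tag >> 28) & 0x3,
        "arbitrary": (tag >> 16) & 0xFFF,
        "asn": tag & 0xFFFF,
    }


def parse_external_lsas(text):
    """Pull (prefix, advertising router, tag) out of type-5 LSA listings."""
    lsas, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Link State ID:"):
            cur = {"lsid": line.split()[3]}
        elif line.startswith("Advertising Router:"):
            cur["adv"] = line.split()[2]
        elif line.startswith("Network Mask:"):
            cur["mask"] = line.split()[2]            # e.g. "/24"
        elif line.startswith("External Route Tag:"):
            cur["tag"] = int(line.split()[3])
            cur["prefix"] = cur["lsid"] + cur["mask"]
            lsas.append(cur)
            cur = {}
    return lsas


def filter_imports(lsas, local_asn, vrf_lite=False):
    """Model of the PE domain-tag check: an LSA whose automatic tag names the
    local BGP AS is treated as a loop and not installed, unless the check has
    been switched off with `capability vrf-lite`. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for lsa in lsas:
        t = decode_tag(lsa["tag"])
        looped = t["automatic"] and t["complete"] and t["asn"] == local_asn
        (rejected if looped and not vrf_lite else accepted).append(lsa)
    return accepted, rejected


# Constructed sample: what the r6out process (OSPF 300) might list after the
# ASA re-originates a branch prefix it learned from OSPF 200. The tag that R6
# set in r6in survives the ASA's redistribution; the second LSA carries no
# domain tag and is included only for contrast.
SAMPLE = """\
            OSPF Router with ID (192.168.200.6) (Process ID 300)

                Type-5 AS External Link States

  LS age: 19
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 10.2.2.0 (External Network Number )
  Advertising Router: 192.168.200.254
  LS Seq Number: 80000001
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 3489661028

  LS age: 19
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 172.16.0.0 (External Network Number )
  Advertising Router: 192.168.200.254
  LS Seq Number: 80000001
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0
"""

if __name__ == "__main__":
    print("domain tag of AS 100:", vpn_domain_tag(100), decode_tag(vpn_domain_tag(100)))
    lsas = parse_external_lsas(SAMPLE)
    for vrf_lite in (False, True):
        acc, rej = filter_imports(lsas, 100, vrf_lite=vrf_lite)
        print(f"capability vrf-lite={vrf_lite}: accepted",
              [l["prefix"] for l in acc], "rejected", [l["prefix"] for l in rej])
```

Running the check with the local AS set to 100 rejects 10.2.2.0/24 exactly as r6out does by default; the same LSA is accepted once vrf_lite is true, or if the local AS were anything other than the one encoded in the tag.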