In the following post we also look at another operating system specific to Cisco equipment, namely IOS XR. There are some differences from IOS, yet I managed to configure what was needed for the scenario mentioned without much effort. My knowledge of JunOS (the operating system on Juniper equipment) helped a lot, and soon I will also present a comparison between IOS and JunOS.
The key elements are:
- P2 and PE2 run IOS XR
- P1 and PE1 run IOS
- between PE1 and PE2 there is an iBGP VPNv4 session in which PE2 is also the Route-Reflector, although this was not necessary in this scenario
- on each PE I defined two VRFs (VPN-A and VPN-B) with the same addressing plan, in order to verify correct isolation in both the control plane and the data plane
Topology
P router config
P1
```
hostname P1
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
! Gi2.942 - link to PE1
interface GigabitEthernet2.942
 encapsulation dot1Q 942
 ip address 172.16.32.3 255.255.255.0
 ip router isis AS100
 mpls ip
 mpls label protocol ldp
!
! Gi2.943 - link to P2
interface GigabitEthernet2.943
 encapsulation dot1Q 943
 ip address 172.16.43.3 255.255.255.0
 ip router isis AS100
 mpls ip
 mpls label protocol ldp
!
router isis AS100
 net 49.0001.0030.0300.3003.00
 is-type level-2-only
 passive-interface Loopback0
```
P2
```
hostname P2
!
interface Loopback0
 ipv4 address 4.4.4.4 255.255.255.255
!
! Gi0/0/0/4.845 - link to PE2
interface GigabitEthernet0/0/0/4.845
 ipv4 address 172.16.45.4 255.255.255.0
 encapsulation dot1q 845
!
! Gi0/0/0/4.943 - link to P1
interface GigabitEthernet0/0/0/4.943
 ipv4 address 172.16.43.4 255.255.255.0
 encapsulation dot1q 943
!
router isis AS100
 is-type level-2-only
 net 49.0001.0040.0400.4004.00
 interface Loopback0
  passive
  address-family ipv4 unicast
 interface GigabitEthernet0/0/0/4.845
  address-family ipv4 unicast
 interface GigabitEthernet0/0/0/4.943
  address-family ipv4 unicast
!
mpls ldp
 router-id 4.4.4.4
 interface GigabitEthernet0/0/0/4.845
 interface GigabitEthernet0/0/0/4.943
```
PE router config
PE1
```
hostname PE1
!
ip vrf VPN-A
 rd 1:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf VPN-B
 rd 1:2
 route-target export 100:2
 route-target import 100:2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback10
 ip vrf forwarding VPN-A
 ip address 10.1.1.1 255.255.255.0
!
interface Loopback20
 ip vrf forwarding VPN-B
 ip address 10.1.1.1 255.255.255.0
!
! Gi2.942 - link to P1
interface GigabitEthernet2.942
 encapsulation dot1Q 942
 ip address 172.16.32.2 255.255.255.0
 ip router isis AS100
 mpls ip
 mpls label protocol ldp
!
router isis AS100
 net 49.0001.0020.0200.2002.00
 is-type level-2-only
 passive-interface Loopback0
!
router bgp 100
 no bgp default ipv4-unicast
 ! iBGP VPNv4 with PE2
 neighbor 5.5.5.5 remote-as 100
 neighbor 5.5.5.5 update-source Loopback0
 address-family vpnv4
  neighbor 5.5.5.5 activate
  neighbor 5.5.5.5 send-community extended
 exit-address-family
 address-family ipv4 vrf VPN-A
  redistribute connected
 exit-address-family
 address-family ipv4 vrf VPN-B
  redistribute connected
 exit-address-family
```
PE2
```
hostname PE2
!
vrf VPN-A
 address-family ipv4 unicast
  import route-target
   100:1
  export route-target
   100:1
!
vrf VPN-B
 address-family ipv4 unicast
  import route-target
   100:2
  export route-target
   100:2
!
interface Loopback0
 ipv4 address 5.5.5.5 255.255.255.255
!
interface Loopback10
 vrf VPN-A
 ipv4 address 10.2.2.2 255.255.255.255
!
interface Loopback20
 vrf VPN-B
 ipv4 address 10.2.2.2 255.255.255.255
!
! Gi0/0/0/4.845 - link to P2
interface GigabitEthernet0/0/0/4.845
 ipv4 address 172.16.45.5 255.255.255.0
 encapsulation dot1q 845
!
router isis AS100
 is-type level-2-only
 net 49.0001.0050.0500.5005.00
 interface Loopback0
  passive
  address-family ipv4 unicast
 interface GigabitEthernet0/0/0/4.845
  address-family ipv4 unicast
!
router bgp 100
 address-family vpnv4 unicast
 ! iBGP VPNv4 with PE1
 neighbor 2.2.2.2
  remote-as 100
  update-source Loopback0
  address-family vpnv4 unicast
   route-reflector-client
 vrf VPN-A
  rd 1:1
  address-family ipv4 unicast
   redistribute connected
 vrf VPN-B
  rd 1:2
  address-family ipv4 unicast
   redistribute connected
!
mpls ldp
 router-id 5.5.5.5
 interface GigabitEthernet0/0/0/4.845
```
Now this can be tested using the commands ping vrf VPN-A 10.2.2.2 source lo10 and ping vrf VPN-B 10.2.2.2 source lo20 from router PE1. Mirrored, the same commands can also be used on router PE2.
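The ping test covers the data plane; for the control-plane side, the following added example (not part of the original post) parses the VRF stanzas of both PEs, in IOS and IOS XR syntax, and reports any route-target that one VRF exports and a differently named VRF imports. The function names parse_vrf_rts and find_leaks are hypothetical, the input is a constructed excerpt of the configs above, and the check assumes route-targets in ASN:nn form and one customer per VRF name.

```python
import re
from collections import defaultdict

# Constructed input: route-target lines of the VRF stanzas of PE1 (IOS) and PE2 (IOS XR) above.
PE1_IOS = """ip vrf VPN-A
 route-target export 100:1
 route-target import 100:1
ip vrf VPN-B
 route-target export 100:2
 route-target import 100:2
"""
PE2_XR = """vrf VPN-A
 address-family ipv4 unicast
  import route-target
   100:1
  export route-target
   100:1
vrf VPN-B
 address-family ipv4 unicast
  import route-target
   100:2
  export route-target
   100:2
"""

def parse_vrf_rts(config):
    """Return {vrf: {"import": set, "export": set}} from IOS or IOS XR VRF stanzas."""
    vrfs, vrf, direction = defaultdict(lambda: {"import": set(), "export": set()}), None, None
    for raw in map(str.rstrip, config.splitlines()):
        if not raw.startswith(" "):  # top-level line: starts or ends a VRF stanza
            m = re.fullmatch(r"(?:ip )?vrf (\S+)", raw)
            vrf, direction = (m.group(1) if m else None), None
        elif vrf and (m := re.fullmatch(r"\s+route-target (import|export) (\d+:\d+)", raw)):
            vrfs[vrf][m.group(1)].add(m.group(2))  # IOS: direction and value on one line
        elif vrf and (m := re.fullmatch(r"\s+(import|export) route-target", raw)):
            direction = m.group(1)  # IOS XR: values follow on their own lines
        elif vrf and direction and (m := re.fullmatch(r"\s+(\d+:\d+)", raw)):
            vrfs[vrf][direction].add(m.group(1))
    return vrfs

def find_leaks(*configs):
    """Return (exporter, importer, rt) for each RT that a differently named VRF imports."""
    exports, imports = defaultdict(set), defaultdict(set)
    for cfg in configs:
        for name, rts in parse_vrf_rts(cfg).items():
            exports[name] |= rts["export"]
            imports[name] |= rts["import"]
    return sorted((src, dst, rt) for src in exports for dst in imports
                  if src != dst for rt in exports[src] & imports[dst])
```

For the configs above, find_leaks(PE1_IOS, PE2_XR) returns an empty list. An intentional extranet import would also appear in the result and has to be reviewed against the design.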
For those eager to dig deeper, I invite you to the courses of the Cisco Netschool academy.