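Summary
A while back I confirmed that I could install GNS3 1.3.1 on Ubuntu Desktop and boot XRv.
This time I will build an L3VPN, a feature that has been implemented for a comparatively long time.
For the underlay, though, I will combine it with the Segment Routing used in the previous post, "First IS-IS Segment Routing on IOS XRv".
It really only comes together when combined with labels distributed by Segment Routing, right? So, let's go.
Incidentally, for no particular reason, I have already upgraded to GNS3 1.3.4.
Network topology
HUB1 and HUB2 are placed so that captures can be taken at those points.
Warning
Even with GNS3 1.3.4, a direct link between two KVM nodes cannot be captured.
The addressing is roughly as follows. Interface addresses are assigned in order, starting from the lower-numbered router.
For 10.1.0.0/30, R1 is 10.1.0.1 and R2 is 10.1.0.2, and so on.
IPv6 settings are included for the vague reason that I might cover IPv6 in the future, but they are basically unused, so you can safely ignore them.
Note
When a GNS3 topology is built with KVM, differential disks are saved inside the project, so the configuration survives even if you stop the project partway through.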
Conversely, if you want to clear only the configuration while keeping the topology, run

    $ rm -rf <project-directory>/project-files/qemu/*

so if you lose track of things, wiping everything and starting from scratch is also an option.
For XRv, however, the usual IOS XR configuration management procedures are available, so you can, for example, save the configuration with

    #copy running-config config-backup.cfg

and then swap in any configuration you like with

    #dir usr
    Tue Jun 8 15:26:07.871 UTC
    Directory of disk0:/usr
    63526 -rwx 2696 Tue Jun 8 15:23:26 2015 config-backup.cfg
    2377105408 bytes total (1868198912 bytes free)
    #configure
    (config)#load usr/config-backup.cfg
    (config)#commit replace

Use whatever configuration management approach suits you.
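Initial configuration
First, as in the previous post, configure routing inside the core network with IS-IS.
I am only writing this down to keep things organized, so feel free to skip this part.
Warning
To cut down the line count, some non-nested notation is mixed in; please interpret it accordingly.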
R1

    configure
    hostname R1
    interface Loopback0
     ipv4 address 10.0.0.1/32
     ipv6 address 2001:db8::1111/128
    interface GigabitEthernet0/0/0/0
     ipv4 address 10.1.0.1/30
     ipv6 address 2001:db8:1::11/124
     no shut
    interface GigabitEthernet0/0/0/1
     ipv4 address 10.1.0.5/30
     ipv6 address 2001:db8:1::21/124
     no shut
    interface GigabitEthernet0/0/0/4
     ipv4 address 172.16.1.1/30
     ipv6 address 2001:db8:cc::11/124
     no shut
    router isis 1
     is-type level-2-only
     net 49.0000.0000.0000.0001.00
     address-family ipv4 unicast
      metric-style wide
      segment-routing mpls
     interface Loopback0
      address-family ipv4 unicast
       prefix-sid index 1001
     interface GigabitEthernet0/0/0/0 address-family ipv4 unicast
     interface GigabitEthernet0/0/0/1 address-family ipv4 unicast
     interface GigabitEthernet0/0/0/4 address-family ipv4 unicast
    commit
    end

R2

    configure
    hostname R2
    interface Loopback0
     ipv4 address 10.0.0.2/32
     ipv6 address 2001:db8::2222/128
    interface GigabitEthernet0/0/0/0
     ipv4 address 10.1.0.2/30
     ipv6 address 2001:db8:1::12/124
     no shut
    interface GigabitEthernet0/0/0/1
     ipv4 address 10.1.0.9/30
     ipv6 address 2001:db8:1::31/124
     no shut
    interface GigabitEthernet0/0/0/4
     ipv4 address 172.16.2.1/30
     ipv6 address 2001:db8:cc::21/124
     no shut
    router isis 1
     is-type level-2-only
     net 49.0000.0000.0000.0002.00
     address-family ipv4 unicast
      metric-style wide
      segment-routing mpls
     interface Loopback0
      address-family ipv4 unicast
       prefix-sid index 10002
     interface GigabitEthernet0/0/0/0 address-family ipv4 unicast
     interface GigabitEthernet0/0/0/1 address-family ipv4 unicast
     interface GigabitEthernet0/0/0/4 address-family ipv4 unicast
    commit
    end

R3

    configure
    hostname R3
    interface Loopback0
     ipv4 address 10.0.0.3/32
     ipv6 address 2001:db8::3333/128
    interface GigabitEthernet0/0/0/0
     ipv4 address 10.1.0.13/30
     ipv6 address 2001:db8:1::41/124
     no shut
    interface GigabitEthernet0/0/0/1
     ipv4 address 10.1.0.6/30
     ipv6 address 2001:db8:1::22/124
     no shut
    interface GigabitEthernet0/0/0/4
     ipv4 address 172.16.3.1/30
     ipv6 address 2001:db8:cc::31/124
     no shut
    router isis 1
     is-type level-2-only
     net 49.0000.0000.0000.0003.00
     address-family ipv4 unicast
      metric-style wide
      segment-routing mpls
     interface Loopback0
      address-family ipv4 unicast
       prefix-sid index 1003
     interface GigabitEthernet0/0/0/0 address-family ipv4 unicast
     interface GigabitEthernet0/0/0/1 address-family ipv4 unicast
     interface GigabitEthernet0/0/0/4 address-family ipv4 unicast
    commit
    end

R4

    configure
    hostname R4
    interface Loopback0
     ipv4 address 10.0.0.4/32
     ipv6 address 2001:db8::4444/128
    interface GigabitEthernet0/0/0/0
     ipv4 address 10.1.0.14/30
     ipv6 address 2001:db8:1::42/124
     no shut
    interface GigabitEthernet0/0/0/1
     ipv4 address 10.1.0.10/30
     ipv6 address 2001:db8:1::32/124
     no shut
    interface GigabitEthernet0/0/0/4
     ipv4 address 172.16.4.1/30
     ipv6 address 2001:db8:cc::41/124
     no shut
    router isis 1
     is-type level-2-only
     net 49.0000.0000.0000.0004.00
     address-family ipv4 unicast
      metric-style wide
      segment-routing mpls
     interface Loopback0
      address-family ipv4 unicast
       prefix-sid index 1004
     interface GigabitEthernet0/0/0/0 address-family ipv4 unicast
     interface GigabitEthernet0/0/0/1 address-family ipv4 unicast
     interface GigabitEthernet0/0/0/4 address-family ipv4 unicast
    commit
    end

R5

    configure
    hostname R5
    interface Loopback0
     ipv4 address 10.0.0.5/32
     ipv6 address 2001:db8::5555/128
    interface GigabitEthernet0/0/0/0
     ipv4 address 172.16.1.2/30
     ipv6 address 2001:db8:cc::12/124
     no shut
    interface GigabitEthernet0/0/0/1
     ipv4 address 172.16.2.2/30
     ipv6 address 2001:db8:cc::22/124
     no shut
    router isis 1
     is-type level-2-only
     net 49.0000.0000.0000.0005.00
     address-family ipv4 unicast
      metric-style wide
      segment-routing mpls
     interface Loopback0
      address-family ipv4 unicast
       prefix-sid index 1005
     interface GigabitEthernet0/0/0/0 address-family ipv4 unicast
     interface GigabitEthernet0/0/0/1 address-family ipv4 unicast
    commit
    end

R6

    configure
    hostname R6
    interface Loopback0
     ipv4 address 10.0.0.6/32
     ipv6 address 2001:db8::6666/128
    interface GigabitEthernet0/0/0/0
     ipv4 address 172.16.3.2/30
     ipv6 address 2001:db8:cc::32/124
     no shut
    interface GigabitEthernet0/0/0/1
     ipv4 address 172.16.4.2/30
     ipv6 address 2001:db8:cc::42/124
     no shut
    router isis 1
     is-type level-2-only
     net 49.0000.0000.0000.0006.00
     address-family ipv4 unicast
      metric-style wide
      segment-routing mpls
     interface Loopback0
      address-family ipv4 unicast
       prefix-sid index 1006
     interface GigabitEthernet0/0/0/0 address-family ipv4 unicast
     interface GigabitEthernet0/0/0/1 address-family ipv4 unicast
    commit
    end

MPLS L3VPN configuration
First, build the iBGP network inside the core (this time R1 and R4 are configured as route reflectors).
R1, R4

    configure
    router bgp 65000
     address-family ipv4 unicast
     address-family ipv6 unicast
     address-family vpnv4 unicast
     address-family vpnv6 unicast
     neighbor-group CORE
      remote-as 65000
      update-source Loopback0
      address-family ipv4 unicast route-reflector-client
      address-family ipv6 unicast route-reflector-client
      address-family vpnv4 unicast route-reflector-client
      address-family vpnv6 unicast route-reflector-client
      exit
     neighbor 10.0.0.1 use neighbor-group CORE
     neighbor 10.0.0.2 use neighbor-group CORE
     neighbor 10.0.0.3 use neighbor-group CORE
     neighbor 10.0.0.4 use neighbor-group CORE
     neighbor 10.0.0.5 use neighbor-group CORE
     neighbor 10.0.0.6 use neighbor-group CORE
    commit
    end

R2, R3, R5, R6

    configure
    router bgp 65000
     address-family ipv4 unicast
     address-family ipv6 unicast
     address-family vpnv4 unicast
     address-family vpnv6 unicast
     neighbor-group CORE
      remote-as 65000
      update-source Loopback0
      address-family ipv4 unicast route-reflector-client
      address-family ipv6 unicast route-reflector-client
      address-family vpnv4 unicast route-reflector-client
      address-family vpnv6 unicast route-reflector-client
      exit
     neighbor 10.0.0.1 use neighbor-group CORE
     neighbor 10.0.0.4 use neighbor-group CORE
    commit
    end

Next, create the VRFs and apply them to the interfaces.
R5

    configure
    vrf VRF-A address-family ipv4 unicast import route-target 65000:101
    vrf VRF-A address-family ipv4 unicast export route-target 65000:101
    vrf VRF-A address-family ipv6 unicast import route-target 65000:101
    vrf VRF-A address-family ipv6 unicast export route-target 65000:101
    vrf VRF-B address-family ipv4 unicast import route-target 65000:102
    vrf VRF-B address-family ipv4 unicast export route-target 65000:102
    vrf VRF-B address-family ipv6 unicast import route-target 65000:102
    vrf VRF-B address-family ipv6 unicast export route-target 65000:102
    interface GigabitEthernet0/0/0/2
     vrf VRF-A
     ipv4 address 10.101.0.1/30
     ipv6 address 2001:db8:101::11/124
     no shutdown
    interface GigabitEthernet0/0/0/3
     vrf VRF-B
     ipv4 address 10.102.0.1/30
     ipv6 address 2001:db8:102::11/124
     no shutdown
    commit
    end

R6

    configure
    vrf VRF-A address-family ipv4 unicast import route-target 65000:101
    vrf VRF-A address-family ipv4 unicast export route-target 65000:101
    vrf VRF-A address-family ipv6 unicast import route-target 65000:101
    vrf VRF-A address-family ipv6 unicast export route-target 65000:101
    vrf VRF-B address-family ipv4 unicast import route-target 65000:102
    vrf VRF-B address-family ipv4 unicast export route-target 65000:102
    vrf VRF-B address-family ipv6 unicast import route-target 65000:102
    vrf VRF-B address-family ipv6 unicast export route-target 65000:102
    interface GigabitEthernet0/0/0/2
     vrf VRF-A
     ipv4 address 10.101.0.5/30
     ipv6 address 2001:db8:101::21/124
     no shutdown
    interface GigabitEthernet0/0/0/3
     vrf VRF-B
     ipv4 address 10.102.0.5/30
     ipv6 address 2001:db8:102::21/124
     no shutdown
    commit
    end

Configure routing per VRF to match how the hosted users connect (OSPF this time).
R5

    configure
    router ospf 1
     router-id 10.0.0.5
     vrf VRF-A redistribute bgp 65000
     vrf VRF-A area 0 interface gigabitEthernet0/0/0/2
     vrf VRF-B redistribute bgp 65000
     vrf VRF-B area 0 interface gigabitEthernet0/0/0/3
    router bgp 65000
     vrf VRF-A
      rd 65000:101
      address-family ipv4 unicast
       redistribute ospf 1
      address-family ipv6 unicast
     vrf VRF-B
      rd 65000:102
      address-family ipv4 unicast
       redistribute ospf 1
      address-family ipv6 unicast
    commit
    end

R6

    configure
    router ospf 1
     router-id 10.0.0.6
     vrf VRF-A redistribute bgp 65000
     vrf VRF-A area 0 interface gigabitEthernet0/0/0/2
     vrf VRF-B redistribute bgp 65000
     vrf VRF-B area 0 interface gigabitEthernet0/0/0/3
    router bgp 65000
     vrf VRF-A
      rd 65000:101
      address-family ipv4 unicast
       redistribute ospf 1
      address-family ipv6 unicast
     vrf VRF-B
      rd 65000:102
      address-family ipv4 unicast
       redistribute ospf 1
      address-family ipv6 unicast
    commit
    end

Finally, the connection settings for the users hosted in the VPNs.
CE-A1

    # vtysh<<__EOL__
    conf t
    int lo0
     ip add 192.0.2.1/32
    int em0
     ip add 10.101.0.2/30
     no shut
     exit
    router ospf
     network 10.101.0.0/30 area 0
     network 192.0.2.1/32 area 0
    end
    write
    exit
    __EOL__

CE-A2

    # vtysh<<__EOL__
    conf t
    int lo0
     ip add 192.0.2.2/32
    int em0
     ip add 10.101.0.6/30
     no shut
     exit
    router ospf
     network 10.101.0.4/30 area 0
     network 192.0.2.2/32 area 0
    end
    write
    exit
    __EOL__

CE-B1

    # vtysh<<__EOL__
    conf t
    int lo0
     ip add 192.0.2.1/32
    int em0
     ip add 10.102.0.2/30
     no shut
     exit
    router ospf
     network 10.102.0.0/30 area 0
     network 192.0.2.1/32 area 0
    end
    write
    exit
    __EOL__

CE-B2

    # vtysh<<__EOL__
    conf t
    int lo0
     ip add 192.0.2.2/32
    int em0
     ip add 10.102.0.6/30
     no shut
     exit
    router ospf
     network 10.102.0.4/30 area 0
     network 192.0.2.2/32 area 0
    end
    write
    exit
    __EOL__

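Connectivity check
First, the customary ping and its capture images.
Run ping from each VPN:

    # ping -S 192.0.2.1 192.0.2.2

First, the capture image for VPN-A.
Next, the capture image for VPN-B.
Good, the pings get through without being mixed up.
The VRF labels (24004, 24005) and the SR label (17006) are attached as expected, which shows that MPLS forwarding works with the VPNs kept distinct.
We will look at the tables next, but 24005 is the label for VPN-A and 24004 is the label for VPN-B.
That is roughly how it looks.
Checking router state and more
First, the MPLS forwarding table on R1 looks like this.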

    RP/0/0/CPU0:R1#show mpls forwarding
    Tue Jun 9 14:28:30.968 UTC
    Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
    Label  Label       or ID              Interface                    Switched
    ------ ----------- ------------------ ------------ --------------- ------------
    17003  Pop         No ID              Gi0/0/0/1    10.1.0.6        4669
    17004  17004       No ID              Gi0/0/0/0    10.1.0.2        4742
           17004       No ID              Gi0/0/0/1    10.1.0.6        0
    17005  Pop         No ID              Gi0/0/0/4    172.16.1.2      20274
    17006  17006       No ID              Gi0/0/0/1    10.1.0.6        1848868
    24000  Pop         No ID              Gi0/0/0/0    10.1.0.2        0
    24001  Pop         No ID              Gi0/0/0/1    10.1.0.6        0
    24002  Pop         No ID              Gi0/0/0/4    172.16.1.2      0

For R5->R6, the forwarding destination across the MPLS network, label 17006 is used (16000 + 1006, where 1006 is R6's prefix-sid index). This label was learned through IS-IS Segment Routing.
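The label arithmetic above (16000 plus the prefix-sid index) can be checked for every router before committing; this is an added example, not part of the original post. With the indexes configured on this page, R2's index 10002 maps to 26002, which falls outside the assumed range and is consistent with no 17002 entry appearing in the forwarding tables shown here. The SRGB upper bound 23999 is an assumption (the IOS XR default; the post only shows the base), and the input is constructed from the Loopback0 prefix-sid lines in the configurations above.

```python
import re

# Assumption: IOS XR default SRGB of 16000-23999 (the post only shows the base, 16000).
SRGB_BASE, SRGB_END = 16000, 23999

# Constructed input: the Loopback0 "prefix-sid index" stanza of R1..R6 as configured on this page.
STANZA = "interface Loopback0\n address-family ipv4 unicast\n  prefix-sid index {}\n"
CONFIGS = {f"R{n}": STANZA.format(index) for n, index in
           enumerate((1001, 10002, 1003, 1004, 1005, 1006), start=1)}


def prefix_sid_labels(configs):
    """Return {router: (index, label, in_srgb)} for every prefix-sid index found."""
    result = {}
    for router, text in configs.items():
        match = re.search(r"prefix-sid index (\d+)", text)
        if match:
            index = int(match.group(1))
            label = SRGB_BASE + index
            result[router] = (index, label, SRGB_BASE <= label <= SRGB_END)
    return result


def audit(configs):
    """Return (routers whose label leaves the SRGB, labels claimed by several routers)."""
    labels = prefix_sid_labels(configs)
    out_of_range = sorted(r for r, (_, _, ok) in labels.items() if not ok)
    owners = {}
    for router, (_, label, _) in labels.items():
        owners.setdefault(label, []).append(router)
    duplicates = {label: rs for label, rs in owners.items() if len(rs) > 1}
    return out_of_range, duplicates


if __name__ == "__main__":
    for router, (index, label, ok) in sorted(prefix_sid_labels(CONFIGS).items()):
        print(f"{router}: index {index} -> label {label} {'ok' if ok else 'OUTSIDE SRGB'}")
    print(audit(CONFIGS))
```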
Furthermore, the MPLS forwarding table on R5, which is the MPLS edge, shows both the VPN identification labels and the transport labels.

    RP/0/0/CPU0:R5#show mpls forwarding
    Tue Jun 9 14:31:28.206 UTC
    Local  Outgoing    Prefix             Outgoing     Next Hop        Bytes
    Label  Label       or ID              Interface                    Switched
    ------ ----------- ------------------ ------------ --------------- ------------
    17001  Pop         No ID              Gi0/0/0/0    172.16.1.1      5862
    17003  17003       No ID              Gi0/0/0/0    172.16.1.1      0
    17004  17004       No ID              Gi0/0/0/1    172.16.2.1      513018
    17006  17006       No ID              Gi0/0/0/0    172.16.1.1      14168
           17006       No ID              Gi0/0/0/1    172.16.2.1      2300
    24000  Pop         No ID              Gi0/0/0/0    172.16.1.1      0
    24001  Pop         No ID              Gi0/0/0/1    172.16.2.1      0
    24002  Aggregate   VRF-A: Per-VRF Aggr[V]   \
                                          VRF-A                        2112
    24003  Unlabelled  192.0.2.1/32[V]    Gi0/0/0/2    10.101.0.2      3192
    24004  Aggregate   VRF-B: Per-VRF Aggr[V]   \
                                          VRF-B                        6776
    24005  Unlabelled  192.0.2.1/32[V]    Gi0/0/0/3    10.102.0.2      3276

Taking the VRF-A routing table as a sample, the entry B 192.0.2.2/32 [200/11] via 10.0.0.6 (nexthop in vrf default) can be seen:

    RP/0/0/CPU0:R5#show route vrf VRF-A
    Tue Jun 9 14:40:04.251 UTC
    Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
           U - per-user static route, o - ODR, L - local, G - DAGR, l - LISP
           A - access/subscriber, a - Application route
           M - mobile route, (!) - FRR Backup path
    Gateway of last resort is not set
    C    10.101.0.0/30 is directly connected, 00:53:40, GigabitEthernet0/0/0/2
    L    10.101.0.1/32 is directly connected, 00:53:40, GigabitEthernet0/0/0/2
    B    10.101.0.4/30 [200/0] via 10.0.0.6 (nexthop in vrf default), 00:48:49
    O    192.0.2.1/32 [110/11] via 10.101.0.2, 00:53:37, GigabitEthernet0/0/0/2
    B    192.0.2.2/32 [200/11] via 10.0.0.6 (nexthop in vrf default), 00:21:35

The next hop for that 10.0.0.6 is 172.16.1.1 or 172.16.2.1, and the outgoing label is 17006 (see the MPLS forwarding table).

    RP/0/0/CPU0:R5#show route 10.0.0.6/32
    Tue Jun 9 14:43:17.807 UTC
    Routing entry for 10.0.0.6/32
      Known via "isis 1", distance 115, metric 40, type level-2
      Installed Jun 9 14:41:16.136 for 00:02:01
      Routing Descriptor Blocks
        172.16.1.1, from 10.0.0.6, via GigabitEthernet0/0/0/0
          Route metric is 40
        172.16.2.1, from 10.0.0.6, via GigabitEthernet0/0/0/1
          Route metric is 40
      No advertising protos.

However, the VPN label attached in the R5->R6 direction is the one advertised by R6, so for 24004 and 24005 in the earlier captures, check MP-BGP:

    RP/0/0/CPU0:R5#show bgp vpnv4 unicast labels
    Tue Jun 9 14:36:37.285 UTC
    BGP router identifier 10.0.0.5, local AS number 65000
    BGP generic scan interval 60 secs
    Non-stop routing is enabled
    BGP table state: Active
    Table ID: 0x0 RD version: 0
    BGP main routing table version 27
    BGP NSR Initial initsync version 13 (Reached)
    BGP NSR/ISSU Sync-Group versions 0/0
    BGP scan interval 60 secs
    Status codes: s suppressed, d damped, h history, * valid, > best
                  i - internal, r RIB-failure, S stale, N Nexthop-discard
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network            Next Hop        Rcvd Label      Local Label
    Route Distinguisher: 65000:101 (default for vrf VRF-A)
    *> 10.101.0.0/30      0.0.0.0         nolabel         24002
    *>i10.101.0.4/30      10.0.0.6        24002           nolabel
    *> 192.0.2.1/32       10.101.0.2      nolabel         24003
    *>i192.0.2.2/32       10.0.0.6        24005           nolabel
    Route Distinguisher: 65000:102 (default for vrf VRF-B)
    *> 10.102.0.0/30      0.0.0.0         nolabel         24004
    *>i10.102.0.4/30      10.0.0.6        24003           nolabel
    *> 192.0.2.1/32       10.102.0.2      nolabel         24005
    *>i192.0.2.2/32       10.0.0.6        24004           nolabel
    Processed 8 prefixes, 8 paths

That is how it looks.
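How R5 arrives at the two-label stack seen in the captures, as an added example that is not part of the original post: it parses the route lines of the `show bgp vpnv4 unicast labels` output above and places the received VPN label under the SR transport label for the BGP next hop. The function names and the `PREFIX_SID_INDEX` table are illustrative assumptions; note that both VRFs carry the same prefix 192.0.2.2/32 and are told apart only by the VPN label.

```python
import re

SRGB_BASE = 16000                       # base used on this page (16000 + prefix-sid index)
PREFIX_SID_INDEX = {"10.0.0.6": 1006}   # R6 Loopback0 -> prefix-sid index, from the R6 config

# Sample input: RD and route lines taken from the R5 output shown on this page.
BGP_LABELS = """\
Route Distinguisher: 65000:101 (default for vrf VRF-A)
*> 10.101.0.0/30      0.0.0.0         nolabel         24002
*>i10.101.0.4/30      10.0.0.6        24002           nolabel
*> 192.0.2.1/32       10.101.0.2      nolabel         24003
*>i192.0.2.2/32       10.0.0.6        24005           nolabel
Route Distinguisher: 65000:102 (default for vrf VRF-B)
*> 10.102.0.0/30      0.0.0.0         nolabel         24004
*>i10.102.0.4/30      10.0.0.6        24003           nolabel
*> 192.0.2.1/32       10.102.0.2      nolabel         24005
*>i192.0.2.2/32       10.0.0.6        24004           nolabel
"""

# best-path marker, optional "i" (internal), prefix, next hop, received label, local label
ROUTE = re.compile(r"^\*>(i?)\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_vpn_routes(text):
    """Return {(vrf, prefix): (next_hop, received_label)} for iBGP-learned VPN routes."""
    routes, vrf = {}, None
    for line in text.splitlines():
        rd = re.match(r"Route Distinguisher: \S+ \(default for vrf (\S+)\)", line)
        if rd:
            vrf = rd.group(1)
            continue
        m = ROUTE.match(line)
        if m and m.group(1) == "i" and m.group(4) != "nolabel":
            routes[(vrf, m.group(2))] = (m.group(3), int(m.group(4)))
    return routes


def label_stack(routes, vrf, prefix):
    """Top-down stack pushed by the ingress PE: [SR transport label, VPN label]."""
    next_hop, vpn_label = routes[(vrf, prefix)]
    return [SRGB_BASE + PREFIX_SID_INDEX[next_hop], vpn_label]


if __name__ == "__main__":
    routes = parse_vpn_routes(BGP_LABELS)
    for vrf in ("VRF-A", "VRF-B"):
        print(vrf, "192.0.2.2/32 ->", label_stack(routes, vrf, "192.0.2.2/32"))
```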
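That's it for this time
Hopefully this shows that MPLS L3VPN and Segment Routing look like they work together better than you might expect.
As for the remaining kinds of label control, there are MPLS-TE, MPLS-TP and so on, but bandwidth guarantees in a bandwidth-throttled virtual environment do not make much sense, so the target is probably explicit path control or (even though it is a virtual environment) fast switchover.
For now, I plan to look at that area next time.
My Segment Routing Is Wrong, As Expected. Continued, Episode 10: "What the labels in each table illuminate."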