知

V7路由器如何将VPN内部路由与PUBLIC公网实例内路由互引并发布典型配置案例

2019-09-18 发表

0关注
2收藏 3224浏览

孟普

孟普六段

粉丝：2人关注：0人

组网及说明

路由器A、B、C跑OSPF 1，C的G0/1口划入vpn实例1，与D、E跑OSPF 5，因为前期要求VPN里网络与外围不互通，所以划了VPN实例做隔离，但是后期VPN里面有部分用户希望与外围互通。

配置步骤

1.原始隔离配置：

路由A配置:
ospf 1
area 0.0.0.0
network 0.0.0.0 255.255.255.255
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 10.0.0.2 255.255.255.0

路由B配置:
ospf 1
area 0.0.0.0
network 0.0.0.0 255.255.255.255
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 10.0.0.1 255.255.255.0
#

路由器C配置：
ip vpn-instance 1
#
ospf 1
import-route static
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ospf 5 vpn-instance 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255

interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip binding vpn-instance 1
ip address 192.168.2.1 255.255.255.0
#

路由器D配置：
ospf 5
area 0.0.0.0
network 0.0.0.0 255.255.255.255
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 20.0.0.1 255.255.255.0
#

路由器E配置：
#
ospf 5
area 0.0.0.0
network 0.0.0.0 255.255.255.255
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 20.0.0.2 255.255.255.0
#

2.默认情况下公网或其他VPN实例的路由信息不能引入到指定的VPN实例中，但是可以通过命令 route-replicate将公网或其他VPN实例的路由信息引入到指定VPN实例中。

在路由器C中的VPN实例里将全局的直连路由和OSPF 1路由引入VPN实例里并发布
ip vpn-instance 1
#
address-family ipv4
route-replicate from public protocol direct advertise
route-replicate from public protocol ospf 1 advertise
#

3.VPN视图下可以通过命令 route-replicate将公网或其他VPN实例的路由信息引入到指定VPN实例中，但是PUBLIC公网实例里不能用该命令引入VPN实例里的路由，那如何将VPN里面的路由发布出去呢？

4.OSPF里面有IMPORT引入路由的命令，但是查询该命令并不能加VPN实例后缀，所有也无法引入VPN实例里的路由。

5.通过在路由器C上面写静态的从PUBLIC到VPN实例的路由，打通路由器C中PUBLIC到VPN实例间的互通，然后在OSPF视图下引入静态路由，这样就可以将VPN里的路由通过OSPF发布出去

ip route-static 4.4.4.4 32 vpn-instance 1 192.168.2.2
ip route-static 5.5.5.5 32 vpn-instance 1 192.168.2.2
ip route-static 20.0.0.0 24 vpn-instance 1 192.168.2.2
ip route-static 192.168.2.0 24 vpn-instance 1 192.168.2.2
#
ospf 1
import-route static
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 192.168.1.0 0.0.0.255
#

6.查看外网路由器A上的路由表，发现已经通过OSPF动态学习到了VPN实例下的路由。

dis ip routing-table

Destinations : 20 Routes : 20

Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/32         Direct 0   0           127.0.0.1       InLoop0
1.1.1.1/32         Direct 0   0           127.0.0.1       InLoop0
2.2.2.2/32         O_INTRA 10 1           10.0.0.1        GE0/0
3.3.3.3/32         O_INTRA 10 2           10.0.0.1        GE0/0
4.4.4.4/32         O_ASE2 150 1           10.0.0.1        GE0/0
5.5.5.5/32         O_ASE2 150 1           10.0.0.1        GE0/0
10.0.0.0/24        Direct 0   0           10.0.0.2        GE0/0
10.0.0.0/32        Direct 0   0           10.0.0.2        GE0/0
10.0.0.2/32        Direct 0   0           127.0.0.1       InLoop0
10.0.0.255/32      Direct 0   0           10.0.0.2        GE0/0
20.0.0.0/24        O_ASE2 150 1           10.0.0.1        GE0/0
127.0.0.0/8        Direct 0   0           127.0.0.1       InLoop0
127.0.0.0/32       Direct 0   0           127.0.0.1       InLoop0
127.0.0.1/32       Direct 0   0           127.0.0.1       InLoop0
127.255.255.255/32 Direct 0   0           127.0.0.1       InLoop0
192.168.1.0/24     O_INTRA 10 2           10.0.0.1        GE0/0
192.168.2.0/24     O_ASE2 150 1           10.0.0.1        GE0/0
224.0.0.0/4        Direct 0   0           0.0.0.0         NULL0
224.0.0.0/24       Direct 0   0           0.0.0.0         NULL0
255.255.255.255/32 Direct 0   0           127.0.0.1       InLoop0

7.在路由器A上测试到路由E上的互通情况

ping -a 1.1.1.1 5.5.5.5
Ping 5.5.5.5 (5.5.5.5) from 1.1.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 5.5.5.5: icmp_seq=0 ttl=252 time=6.000 ms
56 bytes from 5.5.5.5: icmp_seq=1 ttl=252 time=4.000 ms
56 bytes from 5.5.5.5: icmp_seq=2 ttl=252 time=3.000 ms
56 bytes from 5.5.5.5: icmp_seq=3 ttl=252 time=5.000 ms
56 bytes from 5.5.5.5: icmp_seq=4 ttl=252 time=3.000 ms

--- Ping statistics for 5.5.5.5 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.000/4.200/6.000/1.166 ms
%Sep 18 16:53:53:002 2019 H3C PING/6/PING_STATISTICS: Ping statistics for 5.5.5.5: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packe

配置关键点

VPN视图下可以通过命令 route-replicate将公网或其他VPN实例的路由信息引入到指定VPN实例中，但是PUBLIC公网实例里不能用该命令引入VPN实例里的路由，OSPF里面有IMPORT引入路由的命令，但是并不能加VPN实例后缀，可以通过写静态的从PUBLIC到VPN实例的路由，然后在OSPF视图下引入静态路由，这样就可以将VPN里的路由通过OSPF发布出去。