
Inter-AS VPN RouterOS Mikrotik

I'm trying to set up Inter-AS L3 VPN option B on RouterOS.

Can anyone tell me why the following configuration doesn't work?

 

ASBR1

/interface bridge
add name=loopback
/interface vlan
add interface=ether1 name=ASBR1-ASBR2 vlan-id=12
add interface=ether1 name=ASBR1-PE1 vlan-id=11

/ip address
add address=1.1.1.1/32 interface=loopback network=1.1.1.1
add address=12.12.12.1/30 interface=ASBR1-ASBR2
add address=11.11.11.1/30 interface=ASBR1-PE1

/routing ospf instance
set [ find default=yes ] metric-connected=0 metric-static=1 redistribute-connected=as-type-1 redistribute-static=as-type-1 router-id=1.1.1.1
/routing ospf interface
add interface=ASBR1-PE1 network-type=point-to-point
/routing ospf network
add area=backbone network=11.11.11.0/30

/routing bgp instance
set default as=1 router-id=1.1.1.1
/routing bgp peer
add address-families=vpnv4 name=PE1 remote-address=1.1.1.2 remote-as=1 route-reflect=yes update-source=loopback
add address-families=vpnv4 name=ASBR2 remote-address=12.12.12.2 remote-as=2 route-reflect=yes

/mpls interface
set [ find default=yes ] mpls-mtu=1500
/mpls ldp
set enabled=yes lsr-id=1.1.1.1 transport-address=1.1.1.1
/mpls ldp interface
add interface=ASBR1-PE1

/system identity
set name=ASBR1

 

PE1

/interface bridge
add name=loopback
/interface vlan
add interface=ether1 name=ASBR1-PE1 vlan-id=11
add interface=ether1 name=CE1 vlan-id=111

/ip address
add address=1.1.1.2/32 interface=loopback network=1.1.1.2
add address=11.11.11.2/30 interface=ASBR1-PE1
add address=111.111.111.1/30 interface=CE1

/routing ospf instance
set [ find default=yes ] metric-connected=0 metric-static=1 redistribute-connected=as-type-1 redistribute-static=as-type-1 router-id=1.1.1.2
/routing ospf interface
add interface=ASBR1-PE1 network-type=point-to-point
/routing ospf network
add area=backbone network=11.11.11.0/30

/routing bgp instance
set default as=1 router-id=1.1.1.2
/ip route vrf
add export-route-targets=1:1,2:2 import-route-targets=1:1,2:2 interfaces=CE1 route-distinguisher=1:1 routing-mark=CE1
/routing bgp instance vrf
add redistribute-connected=yes routing-mark=CE1
/routing bgp peer
add address-families=vpnv4 name=ASBR1 remote-address=1.1.1.1 remote-as=1 route-reflect=yes update-source=loopback

/mpls interface
set [ find default=yes ] mpls-mtu=1500
/mpls ldp
set enabled=yes lsr-id=1.1.1.2 transport-address=1.1.1.2
/mpls ldp interface
add interface=ASBR1-PE1

/system identity
set name=PE1

 

ASBR2

/interface bridge
add name=loopback
/interface vlan
add interface=ether1 name=ASBR1-ASBR2 vlan-id=12
add interface=ether1 name=ASBR2-PE2 vlan-id=22

/ip address
add address=2.2.2.1/32 interface=loopback network=2.2.2.1
add address=12.12.12.2/30 interface=ASBR1-ASBR2
add address=22.22.22.1/30 interface=ASBR2-PE2

/routing ospf instance
set [ find default=yes ] metric-connected=0 metric-static=1 redistribute-connected=as-type-1 redistribute-static=as-type-1 router-id=2.2.2.1
/routing ospf interface
add interface=ASBR2-PE2 network-type=point-to-point
/routing ospf network
add area=backbone network=22.22.22.0/30

/routing bgp instance
set default as=2 router-id=2.2.2.1
/routing bgp peer
add address-families=vpnv4 name=PE2 remote-address=2.2.2.2 remote-as=2 route-reflect=yes update-source=loopback
add address-families=vpnv4 name=ASBR1 remote-address=12.12.12.1 remote-as=1 route-reflect=yes

/mpls interface
set [ find default=yes ] mpls-mtu=1500
/mpls ldp
set enabled=yes lsr-id=2.2.2.1 transport-address=2.2.2.1
/mpls ldp interface
add interface=ASBR2-PE2

/system identity
set name=ASBR2

 

PE2

/interface bridge
add name=loopback
/interface vlan
add interface=ether1 name=ASBR2-PE2 vlan-id=22
add interface=ether1 name=CE2 vlan-id=222

/ip address
add address=2.2.2.2/32 interface=loopback network=2.2.2.2
add address=22.22.22.2/30 interface=ASBR2-PE2
add address=222.222.222.1/30 interface=CE2

/routing ospf instance
set [ find default=yes ] metric-connected=0 metric-static=1 redistribute-connected=as-type-1 redistribute-static=as-type-1 router-id=2.2.2.2
/routing ospf interface
add interface=ASBR2-PE2 network-type=point-to-point
/routing ospf network
add area=backbone network=22.22.22.0/30

/routing bgp instance
set default as=2 router-id=2.2.2.2
/ip route vrf
add export-route-targets=1:1,2:2 import-route-targets=1:1,2:2 interfaces=CE2 route-distinguisher=2:2 routing-mark=CE2
/routing bgp instance vrf
add redistribute-connected=yes routing-mark=CE2
/routing bgp peer
add address-families=vpnv4 name=ASBR2 remote-address=2.2.2.1 remote-as=2 route-reflect=yes update-source=loopback

/mpls interface
set [ find default=yes ] mpls-mtu=1500
/mpls ldp
set enabled=yes lsr-id=2.2.2.2 transport-address=2.2.2.2
/mpls ldp interface
add interface=ASBR2-PE2

/system identity
set name=PE2

 

Routes on PE1

[admin@PE1] > routing bgp vpnv4-route print 
Flags: L - label-present 
#   ROUTE-DISTINGUISHER            DST-ADDRESS        GATEWAY            INT   IN-LABEL
0 L 2:2                            222.222.222.0/30   12.12.12.2         ASB         16
1 L 1:1                            111.111.111.0/30                      CE1         16
[admin@PE1] > ip route print where routing-mark =CE1 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
0 ADC  111.111.111.0/30   111.111.111.1   CE1                       0
1 ADb  222.222.222.0/30                   12.12.12.2              200

 

Routes on PE2

[admin@PE2] > routing bgp vpnv4-route print 
Flags: L - label-present 
#   ROUTE-DISTINGUISHER             DST-ADDRESS        GATEWAY             IN..   IN-LABEL
0 L 1:1                             111.111.111.0/30   12.12.12.1          AS..         16
1 L 2:2                             222.222.222.0/30                       CE2          16
[admin@PE2] > ip route print where routing-mark =CE2 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
0 ADb  111.111.111.0/30                   12.12.12.1              200
1 ADC  222.222.222.0/30   222.222.222.1   CE2                       0

 

Pings from PE1 to PE2

[admin@PE1] > ping 222.222.222.1 src-address=111.111.111.1 routing-table=CE1 
HOST                                     SIZE TTL TIME  STATUS                        
111.111.111.1                              84  64 1ms   net unreachable               
111.111.111.1                              84  64 2ms   net unreachable               
111.111.111.1                              84  64 4ms   net unreachable               
111.111.111.1                              84  64 4ms   net unreachable               

 

Pings from PE2 to PE1

[admin@PE2] > ping 111.111.111.1 src-address=222.222.222.1 routing-table=CE2 
HOST                                     SIZE TTL TIME  STATUS                
222.222.222.1                              84  64 0ms   net unreachable       
222.222.222.1                              84  64 1ms   net unreachable       
222.222.222.1                              84  64 2ms   net unreachable       
222.222.222.1                              84  64 2ms   net unreachable       


PE1 and PE2 know nothing about the next hops 12.12.12.1 and 12.12.12.2 respectively.

ASBR1 and ASBR2 must change the next hop to the IP addresses of their loopbacks when passing routes inside their own AS.


Asco

I tried changing it like this:

 

ASBR1

[admin@ASBR1] > routing bgp peer print detail 
Flags: X - disabled, E - established 
0 E name="PE1" instance=default remote-address=1.1.1.2 remote-as=1 
    tcp-md5-key="" nexthop-choice=force-self multihop=no route-reflect=yes 
    hold-time=3m ttl=255 in-filter="" out-filter="" address-families=vpnv4 
    update-source=loopback default-originate=never remove-private-as=no 
    as-override=no passive=no use-bfd=no 

 

ASBR2

[admin@ASBR2] > routing bgp peer print detail 
Flags: X - disabled, E - established 
0 E name="PE2" instance=default remote-address=2.2.2.2 remote-as=2 tcp-md5-key="" 
    nexthop-choice=force-self multihop=no route-reflect=yes hold-time=3m 
    ttl=255 in-filter="" out-filter="" address-families=vpnv4 
    update-source=loopback default-originate=never remove-private-as=no 
    as-override=no passive=no use-bfd=no 

 

Routes on PE1

[admin@PE1] > routing bgp vpnv4-route print detail 
Flags: L - label-present 
0 L route-distinguisher=2:2 dst-address=222.222.222.0/30 gateway=1.1.1.1 interface=ASBR1-PE1 
    in-label=16 out-label=16 bgp-as-path="2" bgp-local-pref=100 bgp-origin=incomplete 
    bgp-ext-communities="RT:1:1,RT:2:2" 

1 L route-distinguisher=1:1 dst-address=111.111.111.0/30 interface=CE1 in-label=16 
    bgp-ext-communities="RT:1:1,RT:2:2" 

[admin@PE1] > ip route print detail  where routing-mark =CE1 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
0 ADC  dst-address=111.111.111.0/30 pref-src=111.111.111.1 gateway=CE1 
       gateway-status=CE1 reachable distance=0 scope=10 routing-mark=CE1 

1 ADb  dst-address=222.222.222.0/30 gateway=1.1.1.1 
       gateway-status=1.1.1.1 recursive via 11.11.11.1 ASBR1-PE1 distance=200 scope=40 
       target-scope=30 routing-mark=CE1 bgp-as-path="2" bgp-local-pref=100 
       bgp-origin=incomplete bgp-ext-communities="RT:1:1,RT:2:2" 

 

Routes on PE2

[admin@PE2] > routing bgp vpnv4-route print detail 
Flags: L - label-present 
0 L route-distinguisher=1:1 dst-address=111.111.111.0/30 gateway=2.2.2.1 
    interface=ASBR2-PE2 in-label=16 out-label=16 bgp-as-path="1" 
    bgp-local-pref=100 bgp-origin=incomplete 
    bgp-ext-communities="RT:1:1,RT:2:2" 

1 L route-distinguisher=2:2 dst-address=222.222.222.0/30 interface=CE2 
    in-label=16 bgp-ext-communities="RT:1:1,RT:2:2" 
[admin@PE2] > ip route print detail  where routing-mark =CE2 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
0 ADb  dst-address=111.111.111.0/30 gateway=2.2.2.1 
       gateway-status=2.2.2.1 recursive via 22.22.22.1 ASBR2-PE2 distance=200 
       scope=40 target-scope=30 routing-mark=CE2 bgp-as-path="1" 
       bgp-local-pref=100 bgp-origin=incomplete 
       bgp-ext-communities="RT:1:1,RT:2:2" 

1 ADC  dst-address=222.222.222.0/30 pref-src=222.222.222.1 gateway=CE2 
       gateway-status=CE2 reachable distance=0 scope=10 routing-mark=CE2 

 

Pings:

[admin@PE1] > ping 222.222.222.1 src-address=111.111.111.1 routing-table=CE1 
HOST                                     SIZE TTL TIME  STATUS                                 
111.111.111.1                              84  64 1ms   net unreachable                        
111.111.111.1                              84  64 3ms   net unreachable                        
111.111.111.1                              84  64 3ms   net unreachable                        
111.111.111.1                              84  64 4ms   net unreachable     

[admin@PE2] > ping 111.111.111.1 src-address=222.222.222.1 routing-table=CE2 
HOST                                     SIZE TTL TIME  STATUS                     
222.222.222.1                              84  64 0ms   net unreachable            
222.222.222.1                              84  64 1ms   net unreachable            
222.222.222.1                              84  64 1ms   net unreachable            
222.222.222.1                              84  64 1ms   net unreachable            


Does MPLS work for you at all within a single AS?

Put a test IP on asbr1 in vrf ce1 and an IP on asbr2 in vrf ce2.

Does ping ce1-asbr1 work if you take ce1 as the source?

Does ping ce1-asbr2 work if you take ce1 as the source?


I put test networks in the same VRF as the CE on ASBR1 (10.10.10.1/30) and ASBR2 (20.20.20.1/30).

 

Pings

 

ASBR1-CE1

[admin@ASBR1] > ping 111.111.111.1 src-address=10.10.10.1 routing-table=CE1 
HOST                                     SIZE TTL TIME  STATUS                                                                  
111.111.111.1                              56  64 2ms  
111.111.111.1                              56  64 2ms  
111.111.111.1                              56  64 4ms  
111.111.111.1                              56  64 4ms  
111.111.111.1                              56  64 0ms  

[admin@PE1] > ping 10.10.10.1 src-address=111.111.111.1 routing-table=CE1 
HOST                                     SIZE TTL TIME  STATUS                 
10.10.10.1                                 56  64 1ms  
10.10.10.1                                 56  64 1ms  
10.10.10.1                                 56  64 2ms  
10.10.10.1                                 56  64 2ms  

 

ASBR2-CE2

[admin@ASBR2] > ping 222.222.222.1 src-address=20.20.20.1 routing-table=CE2 
HOST                                     SIZE TTL TIME  STATUS                    
222.222.222.1                              56  64 0ms  
222.222.222.1                              56  64 1ms  
222.222.222.1                              56  64 1ms  
222.222.222.1                              56  64 1ms  

[admin@PE2] > ping 20.20.20.1 src-address=222.222.222.1 routing-table=CE2 
HOST                                     SIZE TTL TIME  STATUS                   
20.20.20.1                                 56  64 1ms  
20.20.20.1                                 56  64 1ms  
20.20.20.1                                 56  64 1ms  
20.20.20.1                                 56  64 2ms  

 

MPLS inside each AS seems to be fine

[admin@ASBR1] > mpls ldp neighbor print 
Flags: X - disabled, D - dynamic, O - operational, T - sending-targeted-hello, 
V - vpls 
#      TRANSPORT       LOCAL-TRANSPORT PEER                       SEN
0 DO   1.1.1.2         1.1.1.1         1.1.1.2:0                  no 

[admin@PE1] > mpls ldp neighbor print 
Flags: X - disabled, D - dynamic, O - operational, T - sending-targeted-hell
V - vpls 
#      TRANSPORT       LOCAL-TRANSPORT PEER                       SEN
0 DO   1.1.1.1         1.1.1.2         1.1.1.1:0                  no 

[admin@ASBR2] > mpls ldp neighbor print 
Flags: X - disabled, D - dynamic, O - operational, T - sending-targeted-hello, 
V - vpls 
#      TRANSPORT       LOCAL-TRANSPORT PEER                       SEN
0 DO   2.2.2.2         2.2.2.1         2.2.2.2:0                  no 

[admin@PE2] > mpls ldp neighbor print 
Flags: X - disabled, D - dynamic, O - operational, T - sending-targeted-hello, 
V - vpls 
#      TRANSPORT       LOCAL-TRANSPORT PEER                       SEN
0 DO   2.2.2.1         2.2.2.2         2.2.2.1:0                  no 

 

But after adding the test networks to the VRF on the ASBRs, pings between CE1 and CE2 started working

[admin@PE2] > ping 111.111.111.1 src-address=222.222.222.1 routing-table=CE2 
HOST                                     SIZE TTL TIME  STATUS                   
111.111.111.1                              56  62 3ms  
111.111.111.1                              56  62 3ms  
sent=1 received=64 packet-loss=-6300% min-rtt=3ms avg-rtt=7ms max-rtt=12ms

[admin@PE1] > ping 222.222.222.1 src-address=111.111.111.1 routing-table=CE1 
HOST                                     SIZE TTL TIME  STATUS                 
222.222.222.1                              56  62 8ms  
222.222.222.1                              56  62 8ms  
222.222.222.1                              56  62 8ms  
   sent=3 received=192 packet-loss=-6300% min-rtt=1ms avg-rtt=10ms max-rtt=18ms 


On the ASBR you need to create the required VRF locally, or check whether MikroTik has an equivalent of Cisco's no bgp default route-target filter
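
An added example, not part of the original thread: one way to define the VRF locally on both ASBRs, matching the test the poster describes (10.10.10.1/30 on ASBR1, 20.20.20.1/30 on ASBR2). The interface name vrf-test and the redistribute-connected setting are assumptions; the poster's actual ASBR configuration is not shown on the page.

```routeros
# Added illustration, not configuration posted in the thread.
# "vrf-test" is a hypothetical interface name. Addresses, route targets,
# route distinguishers and routing marks are the ones quoted in the thread.

# --- ASBR1 ---
/interface bridge
add name=vrf-test
/ip address
add address=10.10.10.1/30 interface=vrf-test
/ip route vrf
add export-route-targets=1:1,2:2 import-route-targets=1:1,2:2 interfaces=vrf-test route-distinguisher=1:1 routing-mark=CE1
# Assumption: connected routes are redistributed, as on PE1.
/routing bgp instance vrf
add redistribute-connected=yes routing-mark=CE1

# --- ASBR2 ---
/interface bridge
add name=vrf-test
/ip address
add address=20.20.20.1/30 interface=vrf-test
/ip route vrf
add export-route-targets=1:1,2:2 import-route-targets=1:1,2:2 interfaces=vrf-test route-distinguisher=2:2 routing-mark=CE2
# Assumption: connected routes are redistributed, as on PE2.
/routing bgp instance vrf
add redistribute-connected=yes routing-mark=CE2

# --- Checks, same commands as used in the thread ---
# On ASBR1: the VRF must reach the local PE first.
/ping 111.111.111.1 src-address=10.10.10.1 routing-table=CE1
# On PE1: then test across the AS boundary.
/ping 222.222.222.1 src-address=111.111.111.1 routing-table=CE1
```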
