
Implementing an MPLS VPN over TE Tunnels

2023-12-06 10:04 | Source: compiled from the web

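Contents

Introduction
Prerequisites
  Requirements
  Components Used
  Conventions
Background Theory
Initial Setup of VPN Between CE1 and CE2 Without a TE Tunnel
  Topology
  Configuration
  Verification
Case 1: VPN Over a TE Tunnel When the TE Tunnel Is from PE1 to PE2
  Topology
  Configuration
  Verification
Case 2: VPN Over a TE Tunnel When the TE Tunnel Is from PE1 to P2
  Topology
  Configuration
  Verification
  Explanation
  Solution
Case 3: VPN Between CE1 and CE2 Over a TE Tunnel from P1 to P2 When TDP/LDP Is Not Enabled
  Topology
  Configuration
  Verification
  Solution
Case 4: VPN Over a TE Tunnel Between P1 and P2 with LDP Enabled
  Topology
  Configuration
  Verification
Case 5: MPLS VPN Over a Tunnel Between P1 and PE2
  Topology
  Configuration
  Verification
Known Issues
Conclusion
Related Information

Introduction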

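This document provides sample configurations for implementing a Multiprotocol Label Switching (MPLS) VPN over traffic engineering (TE) tunnels in an MPLS network. To gain the benefits of an MPLS VPN over TE tunnels, both should coexist in the network. This document illustrates various scenarios that explain why packet forwarding within an MPLS VPN over TE tunnels can fail. It also provides a possible solution.

Prerequisites

Requirements

Readers of this document should have knowledge of these topics:

MPLS Traffic Engineering and Enhancements

Configuring a Basic MPLS VPN

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.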

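Background Theory

As shown in this topology, in a simple MPLS VPN configuration, Provider Edge 1 (PE1) learns the VPN label (Label 1 [L1]) for the VPN prefix 172.16.13.0/24 directly from PE2 through Multiprotocol Border Gateway Protocol (MPBGP), with the next hop set to the PE2 loopback address. PE1 also learns the label (L2) for the PE2 loopback address from its next hop P1 through Label Distribution Protocol (LDP).

When it forwards data to the VPN prefix 172.16.13.13, PE1 uses the label stack {L2 L1}, with L2 as the outer label. L2 is swapped by the transit label switch router (LSR), P1. P2 pops the outer label L2 and forwards the packet to PE2 with only L1. To better understand why P2 pops L2, refer to section 3.16 of RFC 3031 on penultimate hop popping (PHP). Thus, packets to the VPN IP version 4 (IPv4) prefix 172.16.13.0/24 are label switched across the MPLS network.

If any P router receives a packet with L1 (the VPN label) as the only outer label instead of the {L2 L1} label stack, the MPLS VPN forwarding operation fails. This happens because no P router has L1 in its Label Forwarding Information Base (LFIB) to switch the packet.

MPLS TE uses Resource Reservation Protocol (RSVP) to exchange labels. When a router is configured for both TE and Tag Distribution Protocol (TDP)/LDP, the router receives different labels from LDP and from RSVP for a given prefix. The labels from LDP and RSVP need not be the same in all situations. The router installs the LDP label in the forwarding table if the prefix is learned through an LDP interface, and it installs the RSVP label in the forwarding table if the prefix is learned through a TE tunnel interface.

In the case of a plain TE tunnel (without LDP/TDP enabled on the tunnel), the ingress LSR (the LSR at the head end of the TE tunnel) uses the same label that it uses to reach the tail end of the TE tunnel for all routes learned through the TE tunnel.

For example, there is a TE tunnel from PE1 to P2 that learns the prefix 10.11.11.11/32 through the tunnel. The tunnel tail end on P2 is 10.5.5.5, and the label to reach 10.5.5.5 in PE1 is L3. PE1 then uses L3 to reach the destination 10.11.11.11/32, which is learned through the TE tunnel.

In the above scenario, when there is a TE tunnel between PE1 and P2, consider PE1 forwarding data to Customer Edge 2 (CE2). If L4 is the VPN label, PE1 forwards the data with the label stack {L3 L4}. P1 pops L3, and P2 receives the packet with L4. PE2 is the only LSR that can correctly forward a packet with the outer label L4. P2 does not have an MPBGP session with PE2, so it does not receive L4 from PE2. Therefore, P2 does not have any knowledge of L2, and it drops the packet.

The configurations and show outputs that follow demonstrate this and illustrate one possible solution to this problem.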

Initial Setup of VPN Between CE1 and CE2 Without a TE Tunnel

Topology

Configuration

Only the relevant parts of the configuration files are included here:

PE1

hostname PE1
ip cef
!
ip vrf aqua
 rd 100:1
 route-target export 1:1
 route-target import 1:1
!
mpls traffic-eng tunnels
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet2/0/1
 ip vrf forwarding aqua
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet2/0/2
 ip address 10.7.7.2 255.255.255.0
 ip router isis
 mpls traffic-eng tunnels
 tag-switching ip
!
router isis
 passive-interface Loopback0
 net 47.1234.2222.2222.2222.00
 is-type level-1
 metric-style wide
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng level-1
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.11.11.11 remote-as 1
 neighbor 10.11.11.11 update-source Loopback0
 !
 address-family vpnv4
 neighbor 10.11.11.11 activate
 neighbor 10.11.11.11 send-community extended
 exit-address-family
 !
 address-family ipv4
 neighbor 10.11.11.11 activate
 no auto-summary
 no synchronization
 exit-address-family
 !
 address-family ipv4 vrf aqua
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family

PE2

hostname PE2
!
ip vrf aqua
 rd 100:1
 route-target export 1:1
 route-target import 1:1
!
mpls traffic-eng tunnels
!
interface Loopback0
 ip address 10.11.11.11 255.255.255.255
!
interface POS0/1
 ip address 10.12.12.10 255.255.255.0
 ip router isis
 mpls traffic-eng tunnels
 tag-switching ip
 crc 16
 clock source internal
!
interface POS5/1
 ip vrf forwarding aqua
 ip address 172.16.13.11 255.255.255.0
 crc 32
 clock source internal
!
router isis
 passive-interface Loopback0
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng level-1
 net 47.1234.1010.1010.1010.00
 is-type level-1
 metric-style wide
!
router bgp 1
 bgp log-neighbor-changes
 neighbor 10.2.2.2 remote-as 1
 neighbor 10.2.2.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.2.2.2 activate
 neighbor 10.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf aqua
 redistribute connected
 no auto-summary
 no synchronization
 exit-address-family
!

Verification

PE2 learns the PE1 VPN IPv4 prefix 172.16.1.0/24 through the MPBGP peering between PE1 and PE2. This is shown here:

PE2# show ip route vrf aqua
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 2 subnets
B       172.16.1.0 [200/0] via 10.2.2.2, 16:09:10
C       172.16.13.0 is directly connected, POS5/1

Similarly, PE1 learns the PE2 VPN IPv4 prefix 172.16.13.0/24 through the MPBGP peering between PE1 and PE2. This is shown here:

PE1# show ip route vrf aqua
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 2 subnets
B       172.16.13.0 [200/0] via 10.11.11.11, 16:09:49
C       172.16.1.0 is directly connected, Ethernet2/0/1

PE1# show ip route vrf aqua 172.16.13.13
Routing entry for 172.16.13.0/24
  Known via "bgp 1", distance 200, metric 0, type internal
  Last update from 10.11.11.11 16:13:19 ago
  Routing Descriptor Blocks:
  * 10.11.11.11 (Default-IP-Routing-Table), from 10.11.11.11, 16:13:19 ago
      Route metric is 0, traffic share count is 1
      AS Hops 0, BGP network version 0

PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 11, cached adjacency 10.7.7.7
0 packets, 0 bytes
  tag information set
    local tag: VPN route head
    fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
  via 10.11.11.11, 0 dependencies, recursive
    next hop 10.7.7.7, Ethernet2/0/2 via 10.11.11.11/32
    valid cached adjacency
    tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}

!--- The label stack used to reach 172.16.13.13 is
!--- {17 12308}, where 17 is the outer label to reach next hop 10.11.11.11
!--- and 12308 is the VPN IPv4 label for 172.16.13.0/24.

PE1# show ip cef 10.11.11.11
10.11.11.11/32, version 31, cached adjacency 10.7.7.7
0 packets, 0 bytes
  tag information set
    local tag: 21
    fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17}
  via 10.7.7.7, Ethernet2/0/2, 1 dependency
    next hop 10.7.7.7, Ethernet2/0/2
    valid cached adjacency
    tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17}

!--- Outer label 17 is used to reach next hop 10.11.11.11.

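Therefore, CE1 can reach 172.16.13.13 on the CE2 network through the VPN routing and forwarding (VRF) instance "aqua", which is configured on PE1, using the label stack {17 12308}, as shown above.

This ping output confirms the connectivity: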

CE1# ping 172.16.13.13

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Case 1: VPN Over a TE Tunnel When the TE Tunnel Is from PE1 to PE2

Topology

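When a TE tunnel is built between the PE routers with autoroute announce, the egress PE BGP next hop is reachable through the TE tunnel interface. Therefore, PE1 uses the TE label to reach PE2.

Note: MPLS TE is independent of LDP. This means that, if you have a full mesh of tunnels from PE to PE, you can effectively disable LDP in the routers and do not need to run LDP on the TE tunnel interfaces. However, you must build all tunnels to the BGP next hop of the VPN version 4 (VPNv4) routes. In the example in this configuration, you can see that this BGP next hop is Loopback0 on PE2, 10.11.11.11. This same loopback is also the tunnel destination for the tunnel from PE1 to PE2. This explains why, in this example, LDP can be disabled in the core if there is also a tunnel from PE2 to PE1 for the return traffic. Forwarding from CE to CE then works with all VPNv4 traffic carried over the TE tunnels. If the BGP next hop is not the same as the TE tunnel destination, LDP must be run in the core and on the TE tunnel.

Configuration

The additional configuration on PE1 to establish the PE tunnel is shown here: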

PE1

PE1# show run interface tunnel 0
!
interface Tunnel0
 ip unnumbered Loopback0
 no ip directed-broadcast
 no ip route-cache distributed
 tunnel destination 10.11.11.11
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 10 dynamic
end

Verification

PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 11
0 packets, 0 bytes
  tag information set
    local tag: VPN route head
    fast tag rewrite with Tu0, point2point, tags imposed {19 12308}
  via 10.11.11.11, 0 dependencies, recursive
    next hop 10.11.11.11, Tunnel0 via 10.11.11.11/32
    valid adjacency
    tag rewrite with Tu0, point2point, tags imposed {19 12308}

!--- The label stack to reach 172.16.13.13 is {19 12308}.
!--- BGP next hop for the VPNv4 prefix is 10.11.11.11, which is
!--- the same as the TE tunnel destination.

PE1# show ip route 10.11.11.11
Routing entry for 10.11.11.11/32
  Known via "isis", distance 115, metric 40, type level-1
  Redistributing via isis
  Last update from 10.11.11.11 on Tunnel0, 00:02:09 ago
  Routing Descriptor Blocks:
  * 10.11.11.11, from 10.11.11.11, via Tunnel0

!--- The route is via Tunnel0.

      Route metric is 40, traffic share count is 1

Now, confirm the outer label used to reach the next hop 10.11.11.11 through Tunnel0.

PE1# show mpls traffic-eng tunnels tunnel 0

Name: PE1_t0                              (Tunnel0) Destination: 10.11.11.11
  Status:
    Admin: up         Oper: up     Path: valid       Signalling: connected

    path option 10, type dynamic (Basis for Setup, path weight 30)

  Config Parameters:
    Bandwidth: 0 kbps (Global)  Priority: 7 7  Affinity: 0x0/0xFFFF
    Metric Type: TE (default)
    AutoRoute: enabled  LockDown: disabled  Loadshare: 0 bw-based
    auto-bw: disabled

  InLabel  :  -
  OutLabel : Ethernet2/0/2, 19

!--- Label 19 from RSVP is used to reach destination 10.11.11.11/32.

  RSVP Signalling Info:
       Src 10.2.2.2, Dst 10.11.11.11, Tun_Id 0, Tun_Instance 31
    RSVP Path Info:
      My Address: 10.7.7.2
      Explicit Route: 10.7.7.7 10.8.8.7 10.8.8.5 10.12.12.10 10.11.11.11
      Record Route: NONE
      Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
    RSVP Resv Info:
      Record Route: NONE
      Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=Inf
  Shortest Unconstrained Path Info:
    Path Weight: 30 (TE)
    Explicit Route: 10.7.7.2 10.7.7.7 10.8.8.7 10.8.8.5 10.12.12.10 10.11.11.11
  History:
    Tunnel:
      Time since created: 17 hours, 17 minutes
      Time since path change: 32 minutes, 54 seconds
    Current LSP:
      Uptime: 32 minutes, 54 seconds
    Prior LSP:
      ID: path option 10 [14]
      Removal Trigger: tunnel shutdown

Another way to view this information quickly is to use output modifiers in the show commands, as shown here:

PE1# show mpls traffic-eng tunnels tunnel 0 | include Label
  InLabel  :  -
  OutLabel : Ethernet2/0/2, 19

!--- This is the label to reach 10.11.11.11.

Look at the tag stack. It is 19, which is the TE label, used to forward packets to the next hop 10.11.11.0 through Tunnel0.

PE1# show tag forwarding-table 10.11.11.11 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
21     Pop tag     10.11.11.11/32    0          Tu0        point2point
        MAC/Encaps=14/18, MTU=1500, Tag Stack{19}, via Et2/0/2
        00603E2B02410060835887428847 00013000
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE1#

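Thus, PE1 sends a packet destined for 172.16.13.13 with the label stack {19 12308}. P1 swaps the label 19. The packet reaches P2, which pops that outer label. The packet is then forwarded to PE2 with only the label 12308.

On PE2, the packet with the label 12308 is received and switched according to the information in the forwarding table. This is shown here: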

PE2# show tag for tags 12308 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
12308  Aggregate   172.16.13.0/24[V] 12256
        MAC/Encaps=0/0, MTU=0, Tag Stack{}
        VPN route: aqua
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE2#

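Note: The outgoing interface is not shown because the outgoing tag is Aggregate. This is because the prefix associated with the label is a directly connected route.

A ping from CE1 to a host on CE2 confirms the VPN connectivity over the TE tunnel: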

CE1# ping 172.16.13.13

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/13/36 ms
CE1#

Case 2: VPN Over a TE Tunnel When the TE Tunnel Is from PE1 to P2

Topology

Configuration

The additional TE configuration over the basic configuration on PE1 is shown here:

PE1

PE1# show run interface tunnel 0
!
interface Tunnel0
 ip unnumbered Loopback0
 no ip directed-broadcast
 no ip route-cache distributed
 tunnel destination 10.5.5.5
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 10 dynamic
end
!

Verification

Check the route to the prefix 172.16.13.13 in the PE1 VRF aqua. It points to the next hop 10.11.11.11/32 (through Tunnel0), using the label stack {19 12308}.

PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 11
0 packets, 0 bytes
  tag information set
    local tag: VPN route head
    fast tag rewrite with Tu0, point2point, tags imposed {19 12308}
  via 10.11.11.11, 0 dependencies, recursive
    next hop 10.5.5.5, Tunnel0 via 10.11.11.11/32
    valid adjacency
    tag rewrite with Tu0, point2point, tags imposed {19 12308}
PE1#

Label 19, the outer label, is used to reach the next hop 10.11.11.11/32, as shown here:

PE1# show ip cef 10.11.11.11
10.11.11.11/32, version 37
0 packets, 0 bytes
  tag information set
    local tag: 21
    fast tag rewrite with Tu0, point2point, tags imposed {19}
  via 10.5.5.5, Tunnel0, 1 dependency
    next hop 10.5.5.5, Tunnel0
    valid adjacency
    tag rewrite with Tu0, point2point, tags imposed {19}

PE1# show mpls traffic-eng tunnels tunnel 0

Name: PE1_t0                              (Tunnel0) Destination: 10.5.5.5
  Status:
    Admin: up         Oper: up     Path: valid       Signalling: connected

    path option 10, type dynamic (Basis for Setup, path weight 20)

  Config Parameters:
    Bandwidth: 0 kbps (Global)  Priority: 7 7  Affinity: 0x0/0xFFFF
    Metric Type: TE (default)
    AutoRoute: enabled  LockDown: disabled  Loadshare: 0 bw-based
    auto-bw: disabled

  InLabel  :  -
  OutLabel : Ethernet2/0/2, 19
  RSVP Signalling Info:
       Src 10.2.2.2, Dst 10.5.5.5, Tun_Id 0, Tun_Instance 33
    RSVP Path Info:
      My Address: 10.7.7.2
      Explicit Route: 10.7.7.7 10.8.8.7 10.8.8.5 10.5.5.5
      Record Route: NONE
      Tspec: ave rate=0 kbits, burst=1000 bytes, peak rate=0 kbits
    RSVP Resv Info:
      Record Route: NONE
      Fspec: ave rate=0 kbits, burst=1000 bytes, peak rate=Inf
  Shortest Unconstrained Path Info:
    Path Weight: 20 (TE)
    Explicit Route: 10.7.7.2 10.7.7.7 10.8.8.7 10.8.8.5 10.5.5.5
  History:
    Tunnel:
      Time since created: 17 hours, 31 minutes
      Time since path change: 8 minutes, 49 seconds
    Current LSP:
      Uptime: 8 minutes, 49 seconds
      Selection: reoptimation
    Prior LSP:
      ID: path option 10 [31]
      Removal Trigger: path verification failed
PE1#
PE1# show mpls traffic-eng tunnels tunnel 0 | i Label
  InLabel  :  -
  OutLabel : Ethernet2/0/2, 19
PE1#

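Packets from PE1 are sent over the TE tunnel with the label stack {19 12308}. Once P1 receives the packet, it pops (PHP) the tag 19 and sends the packet with the label stack {12308}. The show command confirms this: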

P1> show tag for tag 19
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
19     Pop tag     10.2.2.2 0 [33]   2130       Et2/0      10.8.8.5
P1>
P1> show tag for tag 19 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
19     Pop tag     10.2.2.2 0 [33]   2257       Et2/0      10.8.8.5
        MAC/Encaps=14/14, MTU=1504, Tag Stack{}
        006009E08B0300603E2B02408847
        No output feature configured
P1>

When P2 receives the packet with the label stack {12308}, it checks its LFIB and drops the packet because no match exists. This is the show command output on P2:

P2# show tag forwarding-table tags 12308 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
P2#
P2#
7w4d: TAG: Et0/3: recvd: CoS=0, TTL=253, Tag(s)=12308
7w4d: TAG: Et0/3: recvd: CoS=0, TTL=253, Tag(s)=12308
7w4d: TAG: Et0/3: recvd: CoS=0, TTL=253, Tag(s)=12308
7w4d: TAG: Et0/3: recvd: CoS=0, TTL=253, Tag(s)=12308
P2#
P2#

Explanation

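The solution to this problem is to enable TDP/LDP on the TE tunnel and make it a tag-switched interface. In the example shown in the Solution, TDP is enabled on Tunnel0 of PE1. P2 is configured to accept directed hellos and form directed TDP neighbors. Thus, PE1 receives the label for 10.11.11.11 from P2 through LDP. Now that Tunnel0 has been made a tag-switched interface and TDP has been enabled for traffic to 10.11.11.11, PE1 uses both labels; it uses the RSVP label to reach the TE tail end and the TDP label to reach 10.11.11.11.

In this scenario, PE1 uses the label stack {L2 L3 L1} to forward data to CE2 if these items are true:

L1 is the VPN label.

L2 is the RSVP label to reach the TE tail end.

L3 is the TDP label to reach 10.11.11.11 (received from P2).

Solution

The solution is to enable TDP on the TE tunnel.

Configuration

The TE tunnel configuration on PE1 with TDP enabled is shown here. The additions are in bold.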

PE1

PE1# show run interface tunnel 0
!
interface Tunnel0
 ip unnumbered Loopback0
 no ip directed-broadcast
 no ip route-cache distributed
 tag-switching ip

!--- This enables TDP.

 tunnel destination 10.5.5.5
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 10 dynamic
end
!

This is the additional configuration on the tail end of the TE tunnel to accept directed TDP hellos:

P2# show run | i directed-hello
tag-switching tdp discovery directed-hello accept

!--- This configures P2 to accept directed TDP hellos.

P2#

Verification

PE1# show tag tdp neighbor | i Peer
    Peer TDP Ident: 10.7.7.7:0; Local TDP Ident 10.2.2.2:0
    Peer TDP Ident: 10.5.5.5:0; Local TDP Ident 10.2.2.2:0
PE1#
PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 11
0 packets, 0 bytes
  tag information set
    local tag: VPN route head
    fast tag rewrite with Tu0, point2point, tags imposed {19 18 12308}
  via 10.11.11.11, 0 dependencies, recursive
    next hop 10.5.5.5, Tunnel0 via 10.11.11.11/32
    valid adjacency
    tag rewrite with Tu0, point2point, tags imposed {19 18 12308}
PE1#
PE1# show mpls traffic-eng tunnels tunnel 0 | i Label
  InLabel  :  -
  OutLabel : Ethernet2/0/2, 19

!--- This is the TE label learned via RSVP.

PE1#
PE1# show tag tdp bind 10.11.11.11 32
  tib entry: 10.11.11.11/32, rev 20
        local binding:  tag: 21
        remote binding: tsr: 10.7.7.7:0, tag: 17
        remote binding: tsr: 10.5.5.5:0, tag: 18

!--- This is the TDP label from P2.

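When P1 receives the packet with the label stack {19 18 12308}, it pops the tag 19 and sends the packet with the label stack {18 12308} to P2. P2 checks its LFIB for label 18, then pops the tag and sends the packet through the outgoing interface PO2/0/0 toward PE1. PE1 receives the packet with the label 12308 and switches it successfully to CE2.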

P2# show tag for tag 18
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     Pop tag     10.11.11.11/32    117496     POS2/0/0   point2point

P2# show tag tdp discovery
Local TDP Identifier:
    10.5.5.5:0
Discovery Sources:
    Interfaces:
        Ethernet0/3 (tdp): xmit/recv
            TDP Id: 10.7.7.7:0
        POS2/0/0 (tdp): xmit/recv
            TDP Id: 10.11.11.11:0
    Directed Hellos:
        10.5.5.5 -> 10.2.2.2 (tdp): passive, xmit/recv
            TDP Id: 10.2.2.2:0

P2# show tag tdp neighbor 10.2.2.2
    Peer TDP Ident: 10.2.2.2:0; Local TDP Ident 10.5.5.5:0
        TCP connection: 10.2.2.2.711 - 10.5.5.5.11690
        State: Oper; PIEs sent/rcvd: 469/465; Downstream
        Up time: 01:41:08
        TDP discovery sources:
          Directed Hello 10.5.5.5 -> 10.2.2.2, passive
        Addresses bound to peer TDP Ident:
          10.7.7.2        172.16.47.166   10.2.2.2

PE1# show tag tdp neighbor 10.5.5.5
    Peer TDP Ident: 10.5.5.5:0; Local TDP Ident 10.2.2.2:0
        TCP connection: 10.5.5.5.11690 - 10.2.2.2.711
        State: Oper; PIEs sent/rcvd: 438/441; Downstream
        Up time: 01:35:08
        TDP discovery sources:
          Directed Hello 10.2.2.2 -> 10.5.5.5, active

!--- This indicates the directed neighbor.

        Addresses bound to peer TDP Ident:
          10.5.5.5        10.12.12.5      10.8.8.5

PE1# show ip route 10.11.11.11
Routing entry for 10.11.11.11/32
  Known via "isis", distance 115, metric 40, type level-1
  Redistributing via isis B
  Last update from 10.5.5.5 on Tunnel0, 01:52:21 ago
  Routing Descriptor Blocks:
  * 10.5.5.5, from 10.11.11.11, via Tunnel0
      Route metric is 40, traffic share count is 1
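The hop-by-hop label operations of Case 2, before and after TDP is enabled on Tunnel0, can be replayed with a small model. This is an added example, not Cisco code: the label values and pop/swap actions come from the show outputs on this page (the swap entry is the one the page shows for a tunnel from P1 to P2 with LDP enabled), while the table layout and the names forward, CASE2, LDP_TUNNEL and NO_LDP_TUNNEL are hypothetical.

```python
"""Added example: toy LFIB walk for the label stacks shown on this page."""

POP, SWAP, VRF = "pop", "swap", "vrf"

# Each LFIB maps incoming top label -> (action, outgoing label, next node).
# Case 2 (tunnel PE1 -> P2): values from the show outputs above.
CASE2 = {
    "P1": {19: (POP, None, "P2")},        # RSVP label of Tunnel0, PHP at P1
    "P2": {18: (POP, None, "PE2")},       # TDP label for 10.11.11.11/32
    "PE2": {12308: (VRF, None, "aqua")},  # aggregate VPN label, VRF aqua
}

# Tunnel P1 -> P2 with LDP on the tunnel: P1 swaps 17 for 18.
LDP_TUNNEL = {
    "P1": {17: (SWAP, 18, "P2")},
    "P2": {18: (POP, None, "PE2")},
    "PE2": {12308: (VRF, None, "aqua")},
}

# Same tunnel without LDP: P1 strips 17 ("Untagged", Tag Stack{}).
NO_LDP_TUNNEL = {**LDP_TUNNEL, "P1": {17: (POP, None, "P2")}}


def forward(lfib, first_hop, stack, max_hops=16):
    """Walk a labelled packet through the LFIBs.

    Returns (outcome, where, trace). outcome is "delivered", "dropped" or
    "unlabelled"; where is the VRF name or the router that stopped the packet.
    """
    node, stack, trace = first_hop, list(stack), []
    for _ in range(max_hops):
        if not stack:
            trace.append(f"{node}: unlabelled packet, IP lookup (not modelled)")
            return "unlabelled", node, trace
        top = stack[0]
        entry = lfib.get(node, {}).get(top)
        if entry is None:
            # A P router has no entry for a VPN label: the black hole.
            trace.append(f"{node}: no LFIB entry for label {top}, drop")
            return "dropped", node, trace
        action, out_label, nxt = entry
        if action == VRF:
            trace.append(f"{node}: label {top} selects VRF {nxt}")
            return "delivered", nxt, trace
        stack = stack[1:] if action == POP else [out_label] + stack[1:]
        trace.append(f"{node}: {action} {top}, send {stack} to {nxt}")
        node = nxt
    return "dropped", node, trace  # hop limit reached (forwarding loop)


if __name__ == "__main__":
    runs = [
        ("Case 2, no TDP on tunnel", CASE2, [19, 12308]),
        ("Case 2, TDP on tunnel", CASE2, [19, 18, 12308]),
        ("P1->P2 tunnel, no LDP", NO_LDP_TUNNEL, [17, 12308]),
        ("P1->P2 tunnel, LDP", LDP_TUNNEL, [17, 12308]),
    ]
    for title, lfib, stack in runs:
        outcome, where, trace = forward(lfib, "P1", stack)
        print(f"{title}: {outcome} ({where})")
        for line in trace:
            print("   ", line)
```
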

A ping from CE1 to a host on CE2 confirms the solution.

CE1# ping 172.16.13.13

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
CE1#

Case 3: VPN Between CE1 and CE2 Over a TE Tunnel from P1 to P2 When TDP/LDP Is Not Enabled

Topology

Configuration

The tunnel configuration on PE1 is shown here:

PE1

P1# show run interface tunnel 0
Building configuration...

Current configuration : 255 bytes
!
interface Tunnel0
 ip unnumbered Loopback0
 no ip directed-broadcast
 ip route-cache distributed
 tunnel destination 10.5.5.5
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 10 dynamic
end

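Verification

Verify how packets destined for CE2 172.16.13.13 are switched here. The show ip cef command output shows that packets to the destination 172.16.13.13 are switched with the label stack {17 12308}: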

PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 18, cached adjacency 10.7.7.7
0 packets, 0 bytes
  tag information set
    local tag: VPN route head
    fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
  via 10.11.11.11, 0 dependencies, recursive
    next hop 10.7.7.7, Ethernet2/0/2 via 10.11.11.11/32
    valid cached adjacency
    tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}

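When P1 receives this packet, it removes the outer label 17 and switches the packet to Tunnel0 after it looks in the IP routing table. Note the implicit-null OutLabel in this output; it means that the outgoing interface is not label switched.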

P1# show ip cef 10.11.11.11 detail
10.11.11.11/32, version 52
0 packets, 0 bytes
  tag information set
    local tag: 17
    fast tag rewrite with Tu0, point2point, tags imposed {}
  via 10.5.5.5, Tunnel0, 0 dependencies
    next hop 10.5.5.5, Tunnel0
    valid adjacency
    tag rewrite with Tu0, point2point, tags imposed {}

P1# show mpls traffic-eng tunnel tunnel 0 | i Label
  InLabel  :  -
  OutLabel : Ethernet2/0, implicit-null

P1# show tag for 10.11.11.11 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
17     Untagged    10.11.11.11/32    882        Tu0        point2point
        MAC/Encaps=14/14, MTU=1500, Tag Stack{}, via Et2/0
        006009E08B0300603E2B02408847
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

P1# show ip route 10.11.11.11
Routing entry for 10.11.11.11/32
  Known via "isis", distance 115, metric 30, type level-1
  Redistributing via isis
  Last update from 10.5.5.5 on Tunnel0, 00:03:20 ago
  Routing Descriptor Blocks:
  * 10.5.5.5, from 10.11.11.11, via Tunnel0
      Route metric is 30, traffic share count is 1

Once P2 receives the packet with the label 12308, it looks in its forwarding table. Because P2 cannot recognize the VPN tag 12308 from CE2, it drops the packet.

P2# show tag for tag 12308 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface

This breaks the path of VPN packets destined for CE2. It is confirmed by a ping to CE2 172.16.13.13/32.

PE1#
CE1# ping 172.16.13.13

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CE1#

Solution

The solution is to enable LDP/TDP on the tunnel. The next section discusses this solution.

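Case 4: VPN Over a TE Tunnel Between P1 and P2 with LDP Enabled

Topology

Configuration

With LDP enabled on the tunnel, the configuration on P1 appears as shown here. The additions are in bold.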

PE1

P1# show run interface tunnel 0
Building configuration...

Current configuration : 273 bytes
!
interface Tunnel0
 ip unnumbered Loopback0
 no ip directed-broadcast
 ip route-cache distributed
 mpls label protocol ldp
 tunnel destination 10.5.5.5
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 10 dynamic
end
!

Verification

PE1 sends packets to the prefix 172.16.13.13/32 with the label stack {17 12308}.

PE1#
PE1# show tag for 10.11.11.11 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
21     17          10.11.11.11/32    0          Et2/0/2    10.7.7.7
        MAC/Encaps=14/18, MTU=1500, Tag Stack{17}
        00603E2B02410060835887428847 00011000
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE1#
PE1# show ip cef 10.11.11.11 detail
10.11.11.11/32, version 60, cached adjacency 10.7.7.7
0 packets, 0 bytes
  tag information set
    local tag: 21
    fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17}
  via 10.7.7.7, Ethernet2/0/2, 1 dependency
    next hop 10.7.7.7, Ethernet2/0/2
    valid cached adjacency
    tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17}

PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 18, cached adjacency 10.7.7.7
0 packets, 0 bytes
  tag information set
    local tag: VPN route head
    fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
  via 10.11.11.11, 0 dependencies, recursive
    next hop 10.7.7.7, Ethernet2/0/2 via 10.11.11.11/32
    valid cached adjacency
    tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}

P1 receives the packet with the label stack {17 12308} and looks in its LFIB for label 17.

P1# show tag for tag 17 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
17     18          10.11.11.11/32    1158       Tu0        point2point
        MAC/Encaps=14/18, MTU=1496, Tag Stack{18}, via Et2/0
        006009E08B0300603E2B02408847 00012000
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P1#
P1# show ip cef 10.11.11.11 detail
10.11.11.11/32, version 52
0 packets, 0 bytes
  tag information set
    local tag: 17
    fast tag rewrite with Tu0, point2point, tags imposed {18}
  via 10.5.5.5, Tunnel0, 0 dependencies
    next hop 10.5.5.5, Tunnel0
    valid adjacency
    tag rewrite with Tu0, point2point, tags imposed {18}

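The output shows that label 17 should be swapped for label 18. Therefore, the packet is switched over the tunnel interface with the label stack {18 12308}.

P2 receives the packet over its tunnel interface with the label stack {18 12308}. It pops the tag 18 (because it is the penultimate hop router) and switches the packet to PE2 with the label 12308.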

P2# show tag for tag 18 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
18     Pop tag     10.11.11.11/32    127645     PO2/0/0    point2point
        MAC/Encaps=4/4, MTU=4474, Tag Stack{}
        0F008847
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P2#

PE2 receives the packet with the label 12308, and it successfully switches the packet to CE2.

PE2# show tag forwarding tags 12308 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
12308  Aggregate   172.16.13.0/24[V] 12256
        MAC/Encaps=0/0, MTU=0, Tag Stack{}
        VPN route: aqua
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE2#

CE1# ping 172.16.13.13

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
CE1#

Case 5: MPLS VPN Over a Tunnel Between P1 and PE2

Topology

Configuration

PE1

P1# show run interface tunnel 0
Building configuration...

Current configuration : 258 bytes
!
interface Tunnel0
 ip unnumbered Loopback0
 no ip directed-broadcast
 ip route-cache distributed
 tunnel destination 10.11.11.11
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng path-option 10 dynamic
end

Verification

PE1 sends a packet destined for 172.16.13.13 to its next hop 10.11.11.11 with the label stack {17 12308}.

PE1# show ip cef vrf aqua 172.16.13.13
172.16.13.0/24, version 18, cached adjacency 10.7.7.7
0 packets, 0 bytes
  tag information set
    local tag: VPN route head
    fast tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
  via 10.11.11.11, 0 dependencies, recursive
    next hop 10.7.7.7, Ethernet2/0/2 via 10.11.11.11/32
    valid cached adjacency
    tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}

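P1 receives the packet with the label stack {17 12308}. P1 looks in its LFIB table, checks the tag stack {17}, and switches the packet with the label {17} toward P2.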

P1# show tag for 10.11.11.11 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
17     Untagged    10.11.11.11/32    411        Tu0        point2point
        MAC/Encaps=14/18, MTU=1500, Tag Stack{17}, via Et2/0
        006009E08B0300603E2B02408847 00011000
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

P1# show tag for tag 17 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
17     Untagged    10.11.11.11/32    685        Tu0        point2point
        MAC/Encaps=14/18, MTU=1500, Tag Stack{17}, via Et2/0
        006009E08B0300603E2B02408847 00011000
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
P1#
P1# show ip cef 10.11.11.11
10.11.11.11/32, version 67
0 packets, 0 bytes
  tag information set
    local tag: 17
    fast tag rewrite with Tu0, point2point, tags imposed {17}
  via 10.11.11.11, Tunnel0, 0 dependencies
    next hop 10.11.11.11, Tunnel0
    valid adjacency
    tag rewrite with Tu0, point2point, tags imposed {17}

P2 receives the packet with the label stack {17 12308}. P2, which is the penultimate hop router, pops the label 17.

P2# show tag for tag 17 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
17     Pop tag     10.7.7.7 0 [5]    535        PO2/0/0    point2point
        MAC/Encaps=4/4, MTU=4474, Tag Stack{}
        0F008847
        No output feature configured
P2#

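PE2 then receives the packet with the label 12308. P2 knows that the destination for label 12308 is directly connected. Therefore, the ping from CE1 to CE2 succeeds.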

PE2# show tag for tag 12308 detail
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop
tag    tag or VC   or Tunnel Id      switched   interface
12308  Aggregate   172.16.13.0/24[V] 12776
        MAC/Encaps=0/0, MTU=0, Tag Stack{}
        VPN route: aqua
        No output feature configured
    Per-packet load-sharing, slots: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
PE2#

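Note: The outgoing interface is not shown because the outgoing tag is Aggregate. This is because the prefix associated with the label is a directly connected route.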

CE1# ping 172.16.13.13

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
CE1#

Known Issues

Refer to Field Notice: MPLS VPN with TE and MPLS InterAS Advisory for more details.

Conclusion

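When the TE tunnel terminates on the egress PE, MPLS VPN and TE work together without any additional configuration. When the TE tunnel terminates on any P router (before the PE in the core), MPLS VPN traffic forwarding fails because packets arrive with VPN labels as the outer labels, and these labels are not in the LFIBs of these devices. Therefore, these intermediate routers are not able to forward packets to the final destination, the VPN customer network. In such a case, LDP/TDP should be enabled on the TE tunnel to solve the problem.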
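The rule in this conclusion can be checked from the head end with the two show outputs used in this document. The script below is an added example, not a Cisco tool: it reads `show ip cef vrf` and `show tag tdp bind` text and flags a VPN route that resolves through a TE tunnel whose tail end is not the BGP next hop and whose imposed stack carries no TDP/LDP label from that tail end. The function names and verdict strings are hypothetical, and it assumes, as in the outputs above, that the "next hop" shown on a Tunnel interface is the tunnel tail end and that the tail end's TDP identifier uses the same address.

```python
import re

IP = r"\d+\.\d+\.\d+\.\d+"

# Excerpts of 'show ip cef vrf aqua 172.16.13.13' taken from this page.
CEF_BASELINE = """\
  via 10.11.11.11, 0 dependencies, recursive
    next hop 10.7.7.7, Ethernet2/0/2 via 10.11.11.11/32
    tag rewrite with Et2/0/2, 10.7.7.7, tags imposed {17 12308}
"""
CEF_CASE1 = """\
  via 10.11.11.11, 0 dependencies, recursive
    next hop 10.11.11.11, Tunnel0 via 10.11.11.11/32
    tag rewrite with Tu0, point2point, tags imposed {19 12308}
"""
CEF_CASE2 = """\
  via 10.11.11.11, 0 dependencies, recursive
    next hop 10.5.5.5, Tunnel0 via 10.11.11.11/32
    tag rewrite with Tu0, point2point, tags imposed {19 12308}
"""
CEF_CASE2_FIXED = CEF_CASE2.replace("{19 12308}", "{19 18 12308}")

# 'show tag tdp bind 10.11.11.11 32' after the fix, from this page.
BIND_FIXED = """\
  tib entry: 10.11.11.11/32, rev 20
        local binding:  tag: 21
        remote binding: tsr: 10.7.7.7:0, tag: 17
        remote binding: tsr: 10.5.5.5:0, tag: 18
"""
# Constructed sample: the same entry before TDP runs over Tunnel0.
BIND_BROKEN = """\
  tib entry: 10.11.11.11/32, rev 20
        local binding:  tag: 21
        remote binding: tsr: 10.7.7.7:0, tag: 17
"""


def parse_cef(output):
    """Return (BGP next hop, resolving next hop, interface, label stack)."""
    bgp_nh = re.search(rf"via ({IP}), \d+ dependenc\w+, recursive", output)
    hop = re.search(rf"next hop ({IP}), (\S+)", output)
    stack = re.search(r"tags imposed \{([\d ]*)\}", output)
    if not (bgp_nh and hop and stack):
        raise ValueError("not a recursive VPN CEF entry")
    labels = [int(x) for x in stack.group(1).split()]
    return bgp_nh.group(1), hop.group(1), hop.group(2), labels


def remote_bindings(output):
    """Map TDP/LDP peer address -> label advertised for the prefix."""
    pairs = re.findall(rf"remote binding: tsr: ({IP}):\d+, tag: (\d+)", output)
    return {peer: int(tag) for peer, tag in pairs}


def audit(cef_output, tdp_bind_output=""):
    """Classify one VPN route as seen on the ingress PE."""
    bgp_nh, tail, iface, labels = parse_cef(cef_output)
    if not iface.startswith("Tunnel"):
        return "no-tunnel"
    if tail == bgp_nh:
        return "ok-tail-is-next-hop"       # tunnel ends on the egress PE
    ldp = remote_bindings(tdp_bind_output).get(tail)
    # The label just above the VPN label must be the tail end's TDP label.
    if ldp is not None and len(labels) >= 2 and labels[-2] == ldp:
        return "ok-ldp-over-tunnel"
    return "blackhole-risk"                # tail end will see the VPN label


if __name__ == "__main__":
    print("baseline :", audit(CEF_BASELINE, BIND_BROKEN))
    print("case 1   :", audit(CEF_CASE1))
    print("case 2   :", audit(CEF_CASE2, BIND_BROKEN))
    print("case 2fix:", audit(CEF_CASE2_FIXED, BIND_FIXED))
```
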

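Related Information

MPLS FAQ for Beginners
How to Troubleshoot the MPLS VPN
MPLS Basic Traffic Engineering Using OSPF Configuration Example
Configuring a Basic MPLS VPN
Troubleshooting LSP Failure in MPLS VPN
MPLS Support Page
Technical Support - Cisco Systems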


