Cisco IOS MPLS PE-CE OSPF routingの設定方法

MPLS VPNについて、PE-CE間のルーティングとしてOSPFを用いる方法についてまとめます。疎通可能にするためには、BGP VPNv4によってOSPFを伝播させる必要があります。

コマンド一覧

このシナリオで重要なコマンド一覧は以下の通りです。

Router(config)# router bgp <local_as>
Router(config-router)# address-family ipv4 vrf <vrf>
Router(config-router-af)# redistribute ospf <proc> match [ internal | external | nssa-external ]

Router(config)# router ospf <proc> vrf <vrf>
Router(config-router)# redistribute bgp <as> subnets
Router(config-router)# domain-id <domain-id>

構成図

以下の構成で動作確認を行います。PEルータ間は予めMPLS neighborおよびbgp vpnv4 neighborが確立されています。

 OSPF area 0  OSPF proc 12 area 1                            OSPF proc 34 area 1   EIGRP
<-----------><------------------>                            <------------------><------->
                              VPN                           VPN
          e0/1      e0/0      e0/1      e0/0      e0/1      e0/0      e0/1     e0/0
          .1+--------+.1      .2+--------+.2      .3+--------+.3      .4+--------+.4
        ----+  CE1   +----------+  PE2   +----------+  PE3   +----------+  CE4   +----
            +--------+          +--------+          +--------+          +--------+
192.168.1.0/24      192.168.12.0/24     155.1.23.0/24       192.168.34.0/24     192.168.4.0/24

            CE1 Loopback0       PE2 Loopback0       PE3 Loopback0       PE4 Loopback0
            10.1.1.1/32         150.1.2.2/32        150.1.3.3/32        10.4.4.4/32

 [CE1]
<omitted>

 [PE2]
interface Ethernet0/0
 ip address 155.1.23.2 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 ip vrf forwarding VPN
 ip address 192.168.12.2 255.255.255.0
!
router ospf 12 vrf VPN
 log-adjacency-changes
 network 192.168.12.2 0.0.0.0 area 1
!
router ospf 1
 log-adjacency-changes
 network 150.1.2.2 0.0.0.0 area 0
 network 155.1.23.2 0.0.0.0 area 0
!
router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 150.1.3.3 remote-as 100
 neighbor 150.1.3.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 150.1.3.3 activate
  neighbor 150.1.3.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN
  no synchronization
 exit-address-family

 [CE3]
<omitted>

 [CE4]
<omitted>

設定全文は下記ファイルです。詳細設定は下記を参照ください。

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CE1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Ethernet0/0
 ip address 192.168.12.1 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 half-duplex
 no keepalive
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router ospf 12
 log-adjacency-changes
 network 10.1.1.1 0.0.0.0 area 1
 network 192.168.1.1 0.0.0.0 area 0
 network 192.168.12.1 0.0.0.0 area 1
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip vrf VPN
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 150.1.2.2 255.255.255.255
!
interface Ethernet0/0
 ip address 155.1.23.2 255.255.255.0
 half-duplex
 mpls ip
!
interface Ethernet0/1
 ip vrf forwarding VPN
 ip address 192.168.12.2 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router ospf 12 vrf VPN
 log-adjacency-changes
 network 192.168.12.2 0.0.0.0 area 1
!
router ospf 1
 log-adjacency-changes
 network 150.1.2.2 0.0.0.0 area 0
 network 155.1.23.2 0.0.0.0 area 0
!
router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 150.1.3.3 remote-as 100
 neighbor 150.1.3.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 150.1.3.3 activate
  neighbor 150.1.3.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN
  no synchronization
 exit-address-family
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip vrf VPN
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 150.1.3.3 255.255.255.255
!
interface Ethernet0/0
 ip vrf forwarding VPN
 ip address 192.168.34.3 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 155.1.23.3 255.255.255.0
 half-duplex
 mpls ip
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router ospf 34 vrf VPN
 log-adjacency-changes
 network 192.168.34.3 0.0.0.0 area 1
!
router ospf 1
 log-adjacency-changes
 network 150.1.3.3 0.0.0.0 area 0
 network 155.1.23.3 0.0.0.0 area 0
!
router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 150.1.2.2 remote-as 100
 neighbor 150.1.2.2 update-source Loopback0
 !
 address-family vpnv4
  neighbor 150.1.2.2 activate
  neighbor 150.1.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN
  no synchronization
 exit-address-family
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CE4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.4.4.4 255.255.255.255
!
interface Ethernet0/0
 ip address 192.168.4.4 255.255.255.0
 half-duplex
 no keepalive
!
interface Ethernet0/1
 ip address 192.168.34.4 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router eigrp 1
 redistribute ospf 34 metric 1 1 1 1 1
 network 192.168.4.0
 no auto-summary
!
router ospf 34
 log-adjacency-changes
 redistribute eigrp 1 subnets
 network 10.4.4.4 0.0.0.0 area 1
 network 192.168.34.4 0.0.0.0 area 1
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

仕様説明

PE-CE OSPF routing

PE-CE間でOSPFルーティングを行うには、BGP ipv4 vrfとOSPF間の再配送を定義する必要があります。なお、OSPFをBGPに再配送するには注意が必要です。デフォルトではOSPF intra areaのみが再配送されますので、inter area, external areaを再配送したい場合は”match external”というキーワードが必要になります。

Router(config)# router bgp <local_as>
Router(config-router)# address-family ipv4 vrf <vrf>
Router(config-router-af)# redistribute ospf <proc> match [ internal | external | nssa-external ]

Router(config)# router ospf <proc> vrf <vrf>
Router(config-router)# redistribute bgp <as> subnets

domain id

MP BGPで伝播可能なOSPFの情報は、OSPFのprefixのみです。すなわち、LSA type 1, 2のようなトポロジに関する情報は、MP BGPを経由する際にLSA type 3に変換されてしまいます。従って、CE間で同一areaであってもMP BGP経由で伝播されたprefixはOSPF inter areaまたはOSPF external areaとなります。

LSA type 3に変換されたprefixがOSPF inter areaとなるかOSPF external areaとなるかは、domain id次第です。domain idが同一であればinter areaとして取り扱い、domain idが異なればexternal areaとして取り扱います。domain idを明示的に指定しない場合はOSPF process idより自動生成されますが、以下のコマンドでdomain idを明示的に指定する事もできます。

Router(config)# router ospf <proc> vrf <vrf>
Router(config-router)# domain-id <domain-id>

area 0, superbackbone接続

OSPFにおけるMP BGP網はsuperbackboneと呼ばれ、特殊な仕様になっております。OSPFにおけるbackbone areaとして取り扱われるため、area 0とsuperbackboneが直接つながっていない場合はvirtual-linkが必要になります。

Router(config)# router bgp <local_as>
Router(config-router)# area <area> virtual-link <router_id>

PE-CE OSPF routing

設定投入

PE-CE間で、OSPF routingを定義します。

 [PE2]
router bgp 100
 address-family ipv4 vrf VPN
  redistribute ospf 12 match internal external 2
!
router ospf 12 vrf VPN
 redistribute bgp 100 subnets

 [PE3]
router bgp 100
 address-family ipv4 vrf VPN
  redistribute ospf 34 match internal external 2
!
router ospf 34 vrf VPN
 redistribute bgp 100 subnets

動作確認

CE間でprefixを交換し、疎通可能である事を確認します。また、MP BGP経由で伝播されたprefixがOSPF external areaとして取り扱われている事も確認できます。

 [CE1]
CE1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, Ethernet0/0
O E2 192.168.4.0/24 [110/20] via 192.168.12.2, 00:02:18, Ethernet0/0
     10.0.0.0/32 is subnetted, 2 subnets
C       10.1.1.1 is directly connected, Loopback0
O E2    10.4.4.4 [110/11] via 192.168.12.2, 00:02:18, Ethernet0/0
O E2 192.168.34.0/24 [110/1] via 192.168.12.2, 00:02:18, Ethernet0/0
C    192.168.1.0/24 is directly connected, Ethernet0/1
CE1#
CE1#
CE1#ping 10.4.4.4 source 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/77/96 ms
CE1#

domain id

domain idの確認

PEルータのOSPF domain idを確認します。デフォルトの状態ではOSPF process idと同じ値が設定されていることが読み取れます。

 [PE2]
PE2#show ip ospf 12
 Routing Process "ospf 12" with ID 192.168.12.2
   Domain ID type 0x0005, value 0.0.0.12
 Start time: 00:05:09.456, Time elapsed: 00:34:04.696
 Supports only single TOS(TOS0) routes

 [PE3]
PE3#show ip ospf 34
 Routing Process "ospf 34" with ID 192.168.34.3
   Domain ID type 0x0005, value 0.0.0.34
 Start time: 00:16:00.212, Time elapsed: 00:23:29.048
 Supports only single TOS(TOS0) routes

設定投入

PEルータ間でdomain idが同一になるように設定します。

 [PE2]
router ospf 12 vrf VPN
 domain-id 0.0.0.23

 [PE3]
router ospf 34 vrf VPN
 domain-id 0.0.0.23

動作確認

PE2, PE3のOSPF process再起動後、MP BGP経由で伝播されたルートがexternal areaからinternal areaに変わった事を確認します。

 [PE2, PE3]
clear ip ospf process

 [CE1]
CE1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, Ethernet0/0
O E2 192.168.4.0/24 [110/20] via 192.168.12.2, 00:00:40, Ethernet0/0
     10.0.0.0/32 is subnetted, 2 subnets
C       10.1.1.1 is directly connected, Loopback0
O IA    10.4.4.4 [110/21] via 192.168.12.2, 00:00:45, Ethernet0/0
O IA 192.168.34.0/24 [110/11] via 192.168.12.2, 00:00:45, Ethernet0/0
C    192.168.1.0/24 is directly connected, Ethernet0/1
CE1#

area 0 superbackbone接続

デフォルトの動作確認

OSPF area 0 (CE1 e0/1)からEIGRP domain (CE4 e0/0)への疎通ができません。PE2を見ると、OSPF area 0 domainへのprefixはOSPF databaseには存在するもののルーティングテーブルには見当たらない事が読み取れます。

 [CE1]
CE1#ping 192.168.4.4 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
...
Success rate is 0 percent (0/3)
CE1#

 [PE2]
PE2#show ip route vrf VPN | include 192.168.1.0
PE2#
PE2#show ip ospf 12 database summary 192.168.1.0

            OSPF Router with ID (192.168.12.2) (Process ID 12)

                Summary Net Link States (Area 1)

  LS age: 627
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 192.168.1.0 (summary Network Number)
  Advertising Router: 10.1.1.1
  LS Seq Number: 80000001
  Checksum: 0xC1F9
  Length: 28
  Network Mask: /24
        TOS: 0  Metric: 10

PE2#

設定投入

area 0とsuperbackbone(MP BGP網)間を接続するために、virtual linkを設定します。

 [CE1]
router ospf 12
 area 1 virtual-link 192.168.12.2

 [PE2]
router ospf 12 vrf VPN
 area 1 virtual-link 10.1.1.1

動作確認

PE2のルーティングテーブルにOSPF area 0(192.168.1.0/24)へのprefixがインストールされ、OSPF area 0 (CE1 e0/1)からEIGRP domain (CE4 e0/0)への疎通が可能になった事を確認します。

 [PE2]
PE2#show ip ospf 12 neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1          0   FULL/  -           -        192.168.12.1    OSPF_VL0
10.1.1.1          1   FULL/DR         00:00:36    192.168.12.1    Ethernet0/1
PE2#
PE2#
PE2#show ip route vrf VPN | include 192.168.1.0
O    192.168.1.0/24 [110/20] via 192.168.12.1, 00:00:38, Ethernet0/1
PE2#
PE2#

 [CE1]
CE1#ping 192.168.4.4 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/103/176 ms
CE1#

Tips

vrf-lite

virtual-linkの代わりにcapability vrf-liteを使用した実装も可能です。capability vrf-liteで検索すると、”type 3以上のLSA受信を可能にする”との記事が散見されますが、vrf-liteにはarea 0のsummary LSAを受信するようにする効果もあります。

先程のvirtual-linkの設定を削除し、PE2においてcapability vrf-liteを有効にします。

 [CE1]
router ospf 12
 no area 1 virtual-link 192.168.12.2

 [PE2]
router ospf 12 vrf VPN
 no area 1 virtual-link 10.1.1.1
 capability vrf-lite

capability vrf-liteにより、area 0 summary prefixである192.168.1.0/24がルーティングテーブルに載るようになった事を確認します。

PE2#show ip route vrf VPN | include 192.168.1.0
O IA 192.168.1.0/24 [110/20] via 192.168.12.1, 00:01:21, Ethernet0/1
PE2#