Cisco IOS MPLS over GREの設定方法

MPLSとGRE tunnelを併用する方法についてまとめます。実践でも使用しませんし、CCIE R&S試験範囲を超過するような高度な内容ですが、プロトコル理解の観点では有用なケーススタディです。

MPLS GRE

設定意図

MPLS hello packetはudp 646で224.0.0.2宛てに送信されます。224.0.0.2はttl 1で全マルチキャストルータ宛てに送信されます。従って、MPLS neighbor同士は隣接している必要があります。

逆にいえば、MPLS neighbor同士が隣接してない(MPLSに対応していないルータが間に挟まっている)場合は、GRE tunnel経由でneighborを確立するなどの工夫が必要になってきます。

動作確認

以下の環境でMPLSの動作確認を行います。R2はMPLSに対応していないルータと仮定し、R1, R3間でMPLS neighborを確立させます。

         VPN_A                                        VPN_A
          e0/1    e0/0      e0/0    e0/1      e0/0    e0/1
          .1+------+.1      .2+------+.2      .3+------+.3
        ----+ PE1  +----------+  P2  +----------+ PE3  +----
            +------+          +------+          +------+
192.168.1.0/24   192.168.12.0/24   192.168.23.0/24   192.168.3.0/24

         PE1 Loopback0      P2 Loopback0     PE3 Loopback0
          10.1.1.1/24       10.2.2.2/24       10.3.3.3/24

 [PE1]
ip vrf VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
interface Loopback0
 ip address 200.1.1.1 255.255.255.0
!
interface Loopback100
 ip address 200.11.11.11 255.255.255.0
!
interface Tunnel13
 ip address 200.0.13.1 255.255.255.0
 mpls ip
 tunnel source Loopback0
 tunnel destination 200.3.3.3
!
interface Ethernet0/0
 ip address 200.0.12.1 255.255.255.0
!
interface Ethernet0/1
 ip vrf forwarding VPN_A
 ip address 192.168.1.1 255.255.255.0
 no keepalive
!
router rip
 version 2
 passive-interface Tunnel13
 network 200.0.12.0
 network 200.1.1.0
 no auto-summary
!
router bgp 100
 no bgp default ipv4-unicast
 neighbor 200.33.33.33 remote-as 100
 neighbor 200.33.33.33 update-source Loopback100
 !
 address-family vpnv4
  neighbor 200.33.33.33 activate
  neighbor 200.33.33.33 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
  redistribute connected
  no synchronization
 exit-address-family
!
ip route 200.33.33.0 255.255.255.0 200.0.13.3
!
mpls ldp router-id Loopback100


 [P2]
interface Loopback0
 ip address 200.2.2.2 255.255.255.0
!
interface Ethernet0/0
 ip address 200.0.12.2 255.255.255.0
!
interface Ethernet0/1
 ip address 200.0.23.2 255.255.255.0
!
router rip
 version 2
 network 200.0.12.0
 network 200.0.23.0
 network 200.2.2.0
 no auto-summary

 [PE3]
ip vrf VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
interface Loopback0
 ip address 200.3.3.3 255.255.255.0
!
interface Loopback100
 ip address 200.33.33.33 255.255.255.0
!
interface Tunnel13
 ip address 200.0.13.3 255.255.255.0
 mpls ip
 tunnel source Loopback0
 tunnel destination 200.1.1.1
!
interface Ethernet0/0
 ip address 200.0.23.3 255.255.255.0
!
interface Ethernet0/1
 ip vrf forwarding VPN_A
 ip address 192.168.3.3 255.255.255.0
 no keepalive
!
router rip
 version 2
 passive-interface Tunnel13
 network 200.0.23.0
 network 200.3.3.0
 no auto-summary
!
router bgp 100
 no bgp default ipv4-unicast
 neighbor 200.11.11.11 remote-as 100
 neighbor 200.11.11.11 update-source Loopback100
 !
 address-family vpnv4
  neighbor 200.11.11.11 activate
  neighbor 200.11.11.11 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
  redistribute connected
  no synchronization
 exit-address-family
!
ip route 200.11.11.0 255.255.255.0 200.0.13.1
!
mpls ldp router-id Loopback100

なお、設定全文は下記ファイルです。

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip vrf VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 200.1.1.1 255.255.255.0
!
interface Loopback100
 ip address 200.11.11.11 255.255.255.0
!
interface Tunnel13
 ip address 200.0.13.1 255.255.255.0
 mpls ip
 tunnel source Loopback0
 tunnel destination 200.3.3.3
!
interface Ethernet0/0
 ip address 200.0.12.1 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip vrf forwarding VPN_A
 ip address 192.168.1.1 255.255.255.0
 half-duplex
 no keepalive
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router rip
 version 2
 passive-interface Tunnel13
 network 200.0.12.0
 network 200.1.1.0
 no auto-summary
!
router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 200.33.33.33 remote-as 100
 neighbor 200.33.33.33 update-source Loopback100
 !
 address-family vpnv4
  neighbor 200.33.33.33 activate
  neighbor 200.33.33.33 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
  redistribute connected
  no synchronization
 exit-address-family
!
ip http server
ip forward-protocol nd
ip route 200.33.33.0 255.255.255.0 200.0.13.3
!
!
!
!
!
mpls ldp router-id Loopback100
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname P2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 200.2.2.2 255.255.255.0
!
interface Ethernet0/0
 ip address 200.0.12.2 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 200.0.23.2 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router rip
 version 2
 network 200.0.12.0
 network 200.0.23.0
 network 200.2.2.0
 no auto-summary
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
ip vrf VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 200.3.3.3 255.255.255.0
!
interface Loopback100
 ip address 200.33.33.33 255.255.255.0
!
interface Tunnel13
 ip address 200.0.13.3 255.255.255.0
 mpls ip
 tunnel source Loopback0
 tunnel destination 200.1.1.1
!
interface Ethernet0/0
 ip address 200.0.23.3 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip vrf forwarding VPN_A
 ip address 192.168.3.3 255.255.255.0
 half-duplex
 no keepalive
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router rip
 version 2
 passive-interface Tunnel13
 network 200.0.23.0
 network 200.3.3.0
 no auto-summary
!
router bgp 100
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 200.11.11.11 remote-as 100
 neighbor 200.11.11.11 update-source Loopback100
 !
 address-family vpnv4
  neighbor 200.11.11.11 activate
  neighbor 200.11.11.11 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
  redistribute connected
  no synchronization
 exit-address-family
!
ip http server
ip forward-protocol nd
ip route 200.11.11.0 255.255.255.0 200.0.13.1
!
!
!
!
!
mpls ldp router-id Loopback100
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

設定説明

PE1, PE3間でGRE tunnelを作成します。この時、recursive routingが発生しないよう、passive interfaceやdistribution-listなどの工夫を必要に応じて行って下さい。

 [PE1]
interface Tunnel13
 ip address 200.0.13.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 200.3.3.3
!
router rip
 passive-interface Tunnel13

 [PE3]
interface Tunnel13
 ip address 200.0.13.3 255.255.255.0
 mpls ip
 tunnel source Loopback0
 tunnel destination 200.1.1.1
!
router rip
 passive-interface Tunnel13

このようにGRE経由でMPLSによるルーティングを行いたい場合は、MPLS neighborとBGP VPNv4 neighborがGRE経由で送受信されるように設定しなければなりません。

Loopback 0はGREを確立するために使用されているので、MPLS neighbor, BGP VPNv4 neighborを確立するために新たにLoopback 100を作成します。さらに、このLoopback 100間の通信がGRE経由になるようstatic routeを定義します。

 [PE1]
interface Loopback100
 ip address 200.11.11.11 255.255.255.0
!
ip route 200.33.33.0 255.255.255.0 200.0.13.3

 [PE3]
interface Loopback100
 ip address 200.33.33.33 255.255.255.0
!
ip route 200.11.11.0 255.255.255.0 200.0.13.1

GRE経由でMPLS neighborを確立させます。

 [PE1]
interface Tunnel13
 mpls ip
!
mpls ldp router-id Loopback100

 [PE3]
interface Tunnel13
 mpls ip
!
mpls ldp router-id Loopback100

GRE経由でBPG VPNv4 neighborを確立されます。

 [PE1]
router bgp 100
 no bgp default ipv4-unicast
 neighbor 200.33.33.33 remote-as 100
 neighbor 200.33.33.33 update-source Loopback100
 !
 address-family vpnv4
  neighbor 200.33.33.33 activate

 [PE3]
router bgp 100
 no bgp default ipv4-unicast
 neighbor 200.11.11.11 remote-as 100
 neighbor 200.11.11.11 update-source Loopback100
 !
 address-family vpnv4
  neighbor 200.11.11.11 activate

動作確認

PE1 VPN_A, PE3 VPN_A間で疎通可能である事を確認します。

PE1#ping vrf VPN_A 192.168.3.3 source Ethernet 0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/48/108 ms
PE1#

上記pingを観察すると以下の通りです。GREでカプセル化されtunnelを通り、また、GREの内側にはlableが付与されている事が分かります。

Ethernet II, Src: cc:00:02:b4:00:00 (cc:00:02:b4:00:00), Dst: cc:01:02:b4:00:00 (cc:01:02:b4:00:00)
Internet Protocol, Src: 200.1.1.1 (200.1.1.1), Dst: 200.3.3.3 (200.3.3.3)
Generic Routing Encapsulation (MPLS label switched packet)
MultiProtocol Label Switching Header, Label: 21, Exp: 0, S: 1, TTL: 255
Internet Protocol, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.3.3 (192.168.3.3)
Internet Control Message Protocol