通过全局路由表的方式实现MPLS VPN上互联网的方法探究

一.概述：
  MPLS VPN中，如果CE有三根线，一根连接内网，一根专线连接MPLS的PE,一根直接连接互联网，那么内网通过CE上互联网比较容易：CE通过MPLS VPN的明细路由走PE，一条默认路由到连接互联网的设备。但是有时情况没那么简单，CE只有一根专线连接PE，并且还需通过PE上互联网，这就需要有方法把上互联网的流量和MPLS VPN的流量分开，本文采用全局路由的方式来实现。
  参考链接：http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml

二.基本思路：
A.

三.测试拓扑：

四.基本配置：
A.CE1
interface Loopback0
     ip address 4.4.4.4 255.255.255.255
interface Loopback1
     ip address 192.168.1.1 255.255.255.0
interface Loopback2
     ip address 192.168.10.1 255.255.255.0
interface Ethernet0/0
     ip address 10.1.1.1 255.255.255.0
     no shut
ip route 0.0.0.0 0.0.0.0 10.1.1.2
B.PE1：
ip vrf A
     rd 100:1
     route-target export 1:1
     route-target import 1:1
interface Loopback0
     ip address 1.1.1.1 255.255.255.255
interface Ethernet0/0
     ip address 12.1.1.1 255.255.255.0
     mpls ip
     no shut
interface Ethernet0/1
     ip vrf forwarding A

PE-2#show mpls forwarding-table
Local  Outgoing    Prefix            Bytes tag  Outgoing   Next Hop  
tag    tag or VC   or Tunnel Id      switched   interface            
16     Pop tag     12.1.1.0/24       0          Et0/0      23.1.1.2   
17     17          1.1.1.1/32        0          Et0/0      23.1.1.2   
18     Pop tag     2.2.2.2/32        0          Et0/0      23.1.1.2   
19     16          192.168.1.0/24    0          Et0/0      23.1.1.2   
20     Untagged    192.168.2.0/24    0          Et0/1      10.1.2.1   
21     Untagged    192.168.2.0/24[V] 6410       Et0/1      10.1.2.1   
22     Pop tag     26.1.1.0/24       0          Et0/0      23.1.1.2

D.MPLS VPN验证：
CE-1#traceroute 192.168.2.1 source 192.168.1.1

Type escape sequence to abort.
Tracing the route to 192.168.2.1

 1 10.1.1.2 188 msec 52 msec 64 msec
 2 12.1.1.2 [MPLS: Labels 19/21 Exp 0] 156 msec 144 msec 140 msec
 3 10.1.2.2 [MPLS: Label 21 Exp 0] 96 msec 100 msec 124 msec
 4 10.1.2.1 172 msec 160 msec *
六.IPsec VPN配置：
A.PE1：
①第一阶段策略：
crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
crypto isakmp key cisco address 192.168.2.1
②第二阶段策略：
crypto ipsec transform-set transet esp-3des esp-md5-hmac
     mode transport
③ 配置ipsec profile
crypto ipsec profile ipsec_profile
     set transform-set transet
④配置tunnel接口，并应用ipsec profile
interface Tunnel0
     ip address 172.16.1.1 255.255.255.0
     ip mtu 1400
     tunnel source Loopback1
     tunnel destination 192.168.2.1
     tunnel protection ipsec profile ipsec_profile
B.PE2：
①第一阶段策略：
crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
crypto isakmp key cisco address 192.168.1.1
②第二阶段策略：
crypto ipsec transform-set transet esp-3des esp-md5-hmac
     mode transport
③ 配置ipsec profile
crypto ipsec profile ipsec_profile
     set transform-set transet
④配置tunnel接口，并应用ipsec profile
interface Tunnel0
     ip address 172.16.1.2 255.255.255.0
     ip mtu 1400
     tunnel source Loopback1
     tunnel destination 192.168.1.1
     tunnel protection ipsec profile ipsec_profile
C.配置静态路由：
----也可以用动态路由来代替
①PE1：
ip route 192.168.20.0 255.255.255.0 Tunnel0
②PE2：
ip route 192.168.10.0 255.255.255.0 Tunnel0
D.IPSec VPN验证：
①ping：
CE-1#ping 192.168.20.1 source 192.168.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 156/186/232 ms
②查看isakmp sa和加解密：
CE-1#show crypto isakmp sa
dst             src             state          conn-id slot status
192.168.2.1     192.168.1.1     QM_IDLE              2    0 ACTIVE

CE-1#show crypto engine connections active

 ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
  2 Tunnel0              172.16.1.1      set    HMAC_MD5+3DES_56_C        0        0
2001 Tunnel0              192.168.1.1     set    3DES+MD5                  4        0
2002 Tunnel0              192.168.1.1     set    3DES+MD5                  0        4
七.通过PE上互联网配置：
A.CE1：
interface Loopback2
     ip nat inside
interface Ethernet0/0
     ip nat outside
ip access-list extended PAT
     deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
     permit ip 192.168.0.0 0.0.255.255 any
ip nat pool NATPOOL 202.100.1.1 202.100.1.2 netmask 255.255.255.0
ip nat inside source list PAT pool NATPOOL overload
B.PE1：
ip route vrf A 0.0.0.0 0.0.0.0 67.1.1.6 global
ip route 202.100.1.0 255.255.255.0 Ethernet0/1 10.1.1.1
ip route vrf A 202.100.1.0 255.255.255.0 10.1.1.1
---IGP重分布静态路由已经配置
C.CE2：
interface Loopback2
     ip nat inside
interface Ethernet0/0
     ip nat outside
ip access-list extended PAT
     deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
     permit ip 192.168.0.0 0.0.255.255 any
ip nat pool NATPOOL 202.100.2.1 202.100.2.2 netmask 255.255.255.0
ip nat inside source list PAT pool NATPOOL overload
D.PE2：
ip route vrf A 0.0.0.0 0.0.0.0 67.1.1.6 global
ip route 202.100.2.0 255.255.255.0 Ethernet0/1 10.1.2.1
ip route vrf A 202.100.2.0 255.255.255.0 10.1.2.1
---IGP重分布静态路由已经配置
E.IGW：
interface Loopback0
     ip address 6.6.6.6 255.255.255.255
interface Ethernet0/0
     ip address 26.1.1.6 255.255.255.0
     no shut
     mpls ip
interface Ethernet0/1
     ip address 67.1.1.6 255.255.255.0
     no shut
access-list 10 permit 202.100.1.0 0.0.0.255
access-list 10 permit 202.100.2.0 0.0.0.255
access-list 10 permit 26.1.1.0 0.0.0.255
router ospf 1
     router-id 6.6.6.6
     passive-interface default
     no passive-interface Ethernet0/0
     network 26.1.1.0 0.0.0.255 area 0
     network 67.1.1.0 0.0.0.255 area 0
     distribute-list 10 in Ethernet0/0
router bgp 100
     no synchronization
     bgp router-id 6.6.6.6
     network 202.100.1.0
     network 202.100.2.0
     neighbor 67.1.1.7 remote-as 200
     no auto-summary
F.R7：
interface Loopback0
     ip address 7.7.7.7 255.255.255.255
interface Loopback1
     ip address 202.100.3.7 255.255.255.0
interface Ethernet0/0
     ip address 67.1.1.7 255.255.255.0
     no shut
router bgp 200

Gateway of last resort is not set

B    202.100.2.0/24[20/20] via 67.1.1.6, 00:11:34
C    202.100.3.0/24 is directly connected, Loopback1
    67.0.0.0/24 is subnetted, 1 subnets
C       67.1.1.0 is directly connected, Ethernet0/0
    7.0.0.0/32 is subnetted, 1 subnets
C       7.7.7.7 is directly connected, Loopback0
B    202.100.1.0/24[20/20] via 67.1.1.6, 00:12:04

IGW#SHOW IP ROUte
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2
      i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
      ia - IS-IS inter area, * - candidate default, U - per-user static route
      o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

O E2 202.100.2.0/24 [110/20] via 26.1.1.2, 00:04:54, Ethernet0/0
B    202.100.3.0/24[20/0] via 67.1.1.7, 00:42:18
    6.0.0.0/32 is subnetted, 1 subnets
C       6.6.6.6 is directly connected, Loopback0
    67.0.0.0/24 is subnetted, 1 subnets
C       67.1.1.0 is directly connected, Ethernet0/1
O E2 202.100.1.0/24 [110/20] via 26.1.1.2, 00:04:54, Ethernet0/0
    26.0.0.0/24 is subnetted, 1 subnets
C       26.1.1.0 is directly connected, Ethernet0/0

CE-1#TR 202.100.3.7 SOUrce 192.168.10.1

Type escape sequence to abort.
Tracing the route to 202.100.3.7

 1 10.1.1.2 88 msec 124 msec 52 msec
 2 12.1.1.2 [MPLS: Label 21 Exp 0] 92 msec 140 msec 120 msec
 3 26.1.1.6 108 msec 168 msec 164 msec
 4 67.1.1.7 172 msec 200 msec *
CE-1#
CE-2#TRaceroute 202.100.3.7 SOUrce 192.168.20.1

Type escape sequence to abort.
Tracing the route to 202.100.3.7

 1 10.1.2.2 52 msec 108 msec 84 msec
 2 23.1.1.2 [MPLS: Label 21 Exp 0] 60 msec 60 msec 140 msec
 3 26.1.1.6 104 msec 148 msec 172 msec
 4 67.1.1.7 160 msec 144 msec *