2.MPLS LDP 认证、标签控制与过滤 实验.doc

Service Professional Outstanding Teamwork ObtainMPLS LDP验证、标签控制与过滤实验V0.12012-6-25Author顾赟TELPHONEOrganizationLastUpdate2013-6-22目录1实验目的32拓扑与需求32.1网络拓扑及地址规划32.2需求概述33配置与实现43.1实验步骤43.2配置MPLS43.3 结果测试43.3.1查看LDP邻居43.3.2查看LDP接口63.3.3查看LIB73.3.4查看LFIB83.4 配置LDP认证93.5 配置LDP控制出站标签通告93.6 配置LDP入站标签过滤111 实验目的1、理解MPLS LDP的认证、控制标签通告与入站标签过滤基本配置和原理。2 拓扑与需求2.1 网络拓扑及地址规划设备名称IP地址接口备注R112.1.1.1/24F0/01.1.1.1/32Lo0R212.1.1.2/24F0/023.1.1.2/24F1/02.2.2.2/32Lo0R323.1.1.3/24F1/03.3.3.3/32Lo02.2 需求概述1、全网配置OSPF，再配置MPLS协议，并且在R1和R2上配置LDP认证。2、在R2上配置LDP基于出站的标签通告，只允许R2将前缀为1.1.1.1的标签宣告给R3。3、在R3配置LDP基于进站的标签过滤，只允许从邻居R2宣告前缀为1.1.1.1的标签。3 配置与实现3.1 实验步骤1、搭建拓扑，配置IP。2、配置OSPF，保证全网畅通。4、启用MPLS协议。其中在R2上使用LDP自动配置（只有OSPF支持该特性）。5、在R1和R2上配置LDP认证。6、在R2上配置LDP基于出站的标签通告。7、还原第6步操作，配置LDP基于进站的标签过滤。3.2 配置MPLSR1(config)#mpls label range 100 199/指定本地分配标签的范围R1(config)#interface f0/0R1(config-if)#mpls ip/指定MPLS协议，默认是LDPR2(config)#mpls label range 200 299R2(config)#router ospf 1R2(config-if)#mpls ldp autoconfig/指定LDP自动配置，即不需要在每个接口下配置MPLSR3(config)#mpls label range 300 399R3(config)#interface f1/0R3(config-if)#mpls ip针对OSPF的LDP自动配置，可以只为一个指定的区域启用LDP。同样还可以在某个特定的接口上禁用自动配置，在接口上禁用LDP自动配置的接口模式命令为：no mpls ldp igp autoconfig。3.3 结果测试3.3.1 查看LDP邻居R1#show mpls ldp neighbor detail Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 1.1.1.1:0 TCP connection: 2.2.2.2.21174 - 1.1.1.1.646; MD5 on State: Oper; Msgs sent/rcvd: 80/80; Downstream; Last TIB rev sent 10 Up time: 01:03:20; UID: 2; Peer Id 0; LDP discovery sources: FastEthernet0/0; Src IP addr: 12.1.1.2 holdtime: 15000 ms, hello interval: 5000 ms Addresses bound to peer LDP Ident: 12.1.1.2 23.1.1.2 2.2.2.2 Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estabR2#show mpls ldp neighbor detail Peer LDP Ident: 3.3.3.3:0; Local LDP Ident 2.2.2.2:0 TCP connection: 3.3.3.3.14765 - 2.2.2.2.646 State: Oper; Msgs sent/rcvd: 85/84; Downstream; Last TIB rev sent 10 Up time: 01:06:40; UID: 2; Peer Id 1; LDP discovery sources: FastEthernet1/0; Src IP addr: 23.1.1.3 holdtime: 15000 ms, hello interval: 5000 ms Addresses bound to peer LDP Ident: 23.1.1.3 3.3.3.3 Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab Peer LDP Ident: 1.1.1.1:0; Local LDP Ident 2.2.2.2:0 TCP connection: 1.1.1.1.646 - 2.2.2.2.21174; MD5 on State: Oper; Msgs sent/rcvd: 81/80; Downstream; Last TIB rev sent 10 Up time: 01:03:47; UID: 3; Peer Id 0; LDP discovery sources: FastEthernet0/0; Src IP addr: 12.1.1.1 holdtime: 15000 ms, hello interval: 5000 ms Addresses bound to peer LDP Ident: 12.1.1.1 1.1.1.1 Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estabR3#show mpls ldp neighbor detail Peer LDP Ident: 2.2.2.2:0; Local LDP Ident 3.3.3.3:0 TCP connection: 2.2.2.2.646 - 3.3.3.3.14765 State: Oper; Msgs sent/rcvd: 84/85; Downstream; Last TIB rev sent 10 Up time: 01:07:07; UID: 1; Peer Id 0; LDP discovery sources: FastEthernet1/0; Src IP addr: 23.1.1.2 holdtime: 15000 ms, hello interval: 5000 ms Addresses bound to peer LDP Ident: 12.1.1.2 23.1.1.2 2.2.2.2 Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab3.3.2 查看LDP接口R1#show mpls interfaces detail/查看LDP接口信息Interface FastEthernet0/0: IP labeling enabled (ldp): Interface config/LDP基于接口 LSP Tunnel labeling not enabled BGP tagging not enabled Tagging operational Fast Switching Vectors: IP to MPLS Fast Switching Vector MPLS Turbo Vector MTU = 1500R2#show mpls interfaces detailInterface FastEthernet0/0: IP labeling enabled (ldp): IGP config/LDP基于IGP LSP Tunnel labeling not enabled BGP tagging not enabled Tagging operational Fast Switching Vectors: IP to MPLS Fast Switching Vector MPLS Turbo Vector MTU = 1500Interface FastEthernet1/0: IP labeling enabled (ldp): IGP config LSP Tunnel labeling not enabled BGP tagging not enabled Tagging operational Fast Switching Vectors: IP to MPLS Fast Switching Vector MPLS Turbo Vector MTU = 1500R3#show mpls interfaces detail Interface FastEthernet1/0: IP labeling enabled (ldp): Interface config LSP Tunnel labeling not enabled BGP tagging not enabled Tagging operational Fast Switching Vectors: IP to MPLS Fast Switching Vector MPLS Turbo Vector MTU = 15003.3.3 查看LIBR1#show mpls ip binding 1.1.1.1/32 in label: imp-null /本地捆绑的标签 out label: 200 lsr: 2.2.2.2:0 /远程捆绑的标签 2.2.2.2/32 in label: 100 out label: imp-null lsr: 2.2.2.2:0 inuse/正被LFIB所使用的标签 3.3.3.3/32 in label: 101 out label: 201 lsr: 2.2.2.2:0 inuse 12.1.1.0/24 in label: imp-null /隐式空标签，用于倒数第二跳弹出（PHP） out label: imp-null lsr: 2.2.2.2:0 23.1.1.0/24 in label: 102 out label: imp-null lsr: 2.2.2.2:0 inuseR2#show mpls ip binding 1.1.1.1/32 in label: 200 out label: 300 lsr: 3.3.3.3:0 out label: imp-null lsr: 1.1.1.1:0 inuse 2.2.2.2/32 in label: imp-null out label: 301 lsr: 3.3.3.3:0 out label: 100 lsr: 1.1.1.1:0 3.3.3.3/32 in label: 201 out label: imp-null lsr: 3.3.3.3:0 inuse out label: 101 lsr: 1.1.1.1:0 12.1.1.0/24 in label: imp-null out label: 302 lsr: 3.3.3.3:0 out label: imp-null lsr: 1.1.1.1:0 23.1.1.0/24 in label: imp-null out label: imp-null lsr: 3.3.3.3:0 out label: 102 lsr: 1.1.1.1:0R3#show mpls ip binding 1.1.1.1/32 in label: 300 out label: 200 lsr: 2.2.2.2:0 inuse 2.2.2.2/32 in label: 301 out label: imp-null lsr: 2.2.2.2:0 inuse 3.3.3.3/32 in label: imp-null out label: 201 lsr: 2.2.2.2:0 12.1.1.0/24 in label: 302 out label: imp-null lsr: 2.2.2.2:0 inuse 23.1.1.0/24 in label: imp-null out label: imp-null lsr: 2.2.2.2:0 3.3.4 查看LFIBR1#show mpls forwarding-tableLocal Outgoing Prefix Bytes tag Outgoing Next Hoptag tag or VC or Tunnel Id switched interface100 Pop tag 2.2.2.2/32 0 Fa0/0 12.1.1.2101 201 3.3.3.3/32 0 Fa0/0 12.1.1.2102 Pop tag 23.1.1.0/24 0 Fa0/0 12.1.1.2R2#show mpls forwarding-tableLocal Outgoing Prefix Bytes tag Outgoing Next Hoptag tag or VC or Tunnel Id switched interface200 Pop tag 1.1.1.1/32 0 Fa0/0 12.1.1.1201 Pop tag 3.3.3.3/32 0 Fa1/0 23.1.1.3R3#show mpls forwarding-tableLocal Outgoing Prefix Bytes tag Outgoing Next Hoptag tag or VC or Tunnel Id switched interface300 200 1.1.1.1/32 0 Fa1/0 23.1.1.2301 Pop tag 2.2.2.2/32 0 Fa1/0 23.1.1.2302 Pop tag 12.1.1.0/24 0 Fa1/0 23.1.1.23.4 LDP认证R1(config)#mpls ldp neighbor 2.2.2.2 password cisco/为LDP对等体配置MD5密码R1(config)#*Mar 1 00:39:00.483: %LDP-5-NBRCHG: LDP Neighbor 2.2.2.2:0 (1) is DOWN (Sessions MD5 password changed)R1(config)#*Mar 1 00:39:06.415: %TCP-6-BADAUTH: No MD5 digest from 2.2.2.2(53506) to 1.1.1.1(646)R1(config)#*Mar 1 00:39:19.627: %LDP-5-NBRCHG: LDP Neighbor 2.2.2.2:0 (1) is UP*Mar 1 00:39:00.187: %LDP-5-NBRCHG: LDP Neighbor 1.1.1.1:0 (1) is DOWN (Received error notification from peer: Holddown time expir)R2(config)#mpls ldp neighbor 1.1.1.1 password ciscoR2(config)#*Mar 1 00:39:19.247: %LDP-5-NBRCHG: LDP Neighbor 1.1.1.1:0 (1) is UPMD5会在每一个发送出去的TCP分段中加入一个摘要值，这个摘要只能由配置了正确密码的LDP对等体之间进行检查。3.5 配置LDP控制出站标签通告R2(config)#access-list 1 permit host 1.1.1.1/允许宣告的LDP前缀R2(config)#access-list 3 permit host 3.3.3.3/对该邻居（LDP RID）进行标签宣告R2(config)#no mpls ldp advertise-labels/不向外宣告任何标签绑定信息R2(config)#mpls ldp advertise-labels for 1 to 3/路由器R2只将1.1.1.1的标签发送给R3在配置LDP出站标签通告时，千万不要忘记配置no mpls ldp advertise-labels。否则，LSR仍然会通过LDP通告所有前缀的标签。标签的宣告是通过LDP RID进行鉴别的。R2#show mpls ldp bindings advertisement-acls Advertisement spec: Prefix acl = 1; Peer acl = 3 tib entry: 1.1.1.1/32, rev 16 Advert acl(s): Prefix acl 1; Peer acl 3 tib entry: 2.2.2.2/32, rev 12 tib entry: 3.3.3.3/32, rev 13 tib entry: 12.1.1.0/24, rev 14 tib entry: 23.1.1.0/24, rev 15只有前缀1.1.1.1/32被通告给了LDP对等体3.3.3.3。R1#show mpls forwarding-tableLocal Outgoing Prefix Bytes tag Outgoing Next Hoptag tag or VC or Tunnel Id switched interface100 Untagged 2.2.2.2/32 0 Fa0/0 12.1.1.2101 Untagged 3.3.3.3/32 0 Fa0/0 12.1.1.2102 Untagged 23.1.1.0/24 0 Fa0/0 12.1.1.2R3#show mpls forwarding-tableLocal Outgoing Prefix Bytes tag Outgoing Next Hoptag tag or VC or Tunnel Id switched interface300 200 1.1.1.1/32 0 Fa1/0 23.1.1.2301 Untagged 2.2.2.2/32 0 Fa1/0 23.1.1.2302 Untagged 12.1.1.0/24 0 Fa1/0 23.1.1.2可以看到，R3只有前缀为1.1.1.1/32在LFIB中捆绑了标签，其余都为Untagged。R1#traceroute 3.3.3.3Type escape sequence to abort.Tracing the route to 3.3.3.3 1 12.1.1.2 36 msec 64 msec 28 msec 2 23.1.1.3 60 msec * 96 msecR3#traceroute 1.1.1.