
16-IP Tunnel and Secure VPN Configuration Guide

03-ADVPN Configuration


1 ADVPN

1.1  ADVPN overview

ADVPN (Auto Discovery Virtual Private Network) is a dynamic VPN technology based on the VAM (VPN Address Management) protocol.

When the branches of an enterprise access the public network with dynamic addresses, ADVPN can be used to set up VPNs between those branches.

1.1.1  VAM protocol

The VAM protocol collects, maintains, and distributes dynamically changing information such as public addresses. It uses a Client/Server model. The nodes in an ADVPN network (ADVPN nodes) act as VAM Clients. When its public address changes, a VAM Client registers the current public address with the VAM Server. Through VAM, an ADVPN node obtains the current public address of the peer ADVPN node from the VAM Server, so that an ADVPN tunnel across the IP core network can be established dynamically between the two nodes.

1.1.2  ADVPN network structures

ADVPN uses ADVPN domains to distinguish different VPN networks; an ADVPN domain is identified by a domain ID. VAM Clients that belong to the same VPN must be planned into the same ADVPN domain, and a VAM Client can belong to only one ADVPN domain. A VAM Server can serve multiple ADVPN domains at the same time and manage the VAM Clients of all of them.

ADVPN nodes are classified into the following two types:

·     Hub: The central device of the ADVPN network. It is the center for routing information exchange.

·     Spoke: A branch device of the ADVPN network, typically the gateway of an enterprise branch. A Spoke does not forward data received from other ADVPN nodes.

Depending on how data is forwarded, ADVPN networks are divided into the following two structures:

·     Full-Mesh network: Spokes can establish tunnels with each other and communicate directly.

·     Hub-Spoke network: Spokes cannot establish tunnels with each other; data between Spokes can only be forwarded through a Hub.

When an ADVPN domain contains a large number of ADVPN nodes, a Hub may be unable to manage all of them, for example, because of the neighbor limit of a dynamic routing protocol. In this case, the ADVPN network can be divided into multiple Hub groups, each containing one or more Hubs and a subset of the Spokes, to reduce the load on the Hubs.

1. Full-Mesh network

As shown in Figure 1-1, in a Full-Mesh network a Spoke registers with the VAM Server, obtains the information about the Hubs in the Hub group of its ADVPN domain, and establishes permanent ADVPN tunnels with those Hubs. When two Spokes have data to exchange, the Spoke obtains the public address of the peer Spoke from the VAM Server and a tunnel is established directly between the Spokes. Spoke-Spoke tunnels are dynamic: a tunnel is deleted when no data packets pass through it within a period of time (the Spoke-Spoke tunnel idle timeout).

Figure 1-1 Full-Mesh network

2. Hub-Spoke network

As shown in Figure 1-2, in a Hub-Spoke network a Spoke registers with the VAM Server, obtains the information about the Hubs in the Hub group of its ADVPN domain, and establishes permanent ADVPN tunnels with those Hubs. When two Spokes have data to exchange, the packets are forwarded through a Hub and no tunnel is established between the Spokes. The Hub is both the center for routing information exchange and the center for data forwarding.

Figure 1-2 Hub-Spoke network

3. Network with multiple Hub groups

As shown in Figure 1-3, in a network with multiple Hub groups the Hub groups are organized as follows:

·     All Hubs must belong to the same Hub group, which serves as the backbone area. The backbone area uses Full-Mesh networking: after a Hub registers with the VAM Server, it obtains the information about all Hubs in the backbone area, and a permanent ADVPN tunnel is established between every pair of Hubs.

·     Spokes are deployed in the Hub groups other than the backbone area. Each of these Hub groups contains at least one Hub and can use either Full-Mesh or Hub-Spoke networking. After a Spoke registers with the VAM Server, it obtains the information about the Hubs in its own Hub group and establishes permanent ADVPN tunnels with them. A Spoke establishes ADVPN tunnels only with the Hubs in its own Hub group, never with Hubs in other Hub groups.

Within a Hub group, how tunnels are established and how data is forwarded is determined by the networking mode of that group. Between Hub groups, data is forwarded through the local group's Hub to the Hub of the destination group, which then forwards it to the corresponding Spoke.

To relieve the Hubs of cross-group forwarding, Spokes in different groups can be allowed to establish direct tunnels. Such a tunnel is dynamic: it is deleted when no data packets pass through it within a period of time (the Spoke-Spoke tunnel idle timeout).

Figure 1-3 Network with multiple Hub groups

1.1.3  How ADVPN works

ADVPN places the following requirements on the addresses of the VAM Server and VAM Clients:

·     The VAM Server needs only a public address. This public address must be configured statically and cannot change dynamically.

·     A VAM Client needs both a public address and a private address. The public address is the address of the interface through which the VAM Client connects to the IP core network; it can be configured statically or obtained dynamically. The private address is the address of the ADVPN tunnel interface and must be configured statically. Within one ADVPN domain, the private addresses of the VAM Clients in the same Hub group should belong to the same subnet.

The key to ADVPN is obtaining the dynamically changing public address of a VAM Client from its private address, so that ADVPN tunnels can be established and packets forwarded. ADVPN operates in four phases: connection initialization, registration, tunnel establishment, and route learning and packet forwarding. These phases are described briefly below.

1. Connection initialization

As shown in Figure 1-4, the connection initialization phase negotiates the integrity verification algorithm, the encryption algorithm, and the keys. The process is as follows:

(1)     The Client sends a connection request that carries the integrity verification algorithms, encryption algorithms, and other capabilities it supports to the Server.

(2)     The Server walks through its own algorithm list from the highest priority to the lowest and matches each algorithm against the list sent by the Client. If a common algorithm exists, the Server sends it to the Client in a connection response. If no common algorithm exists, algorithm negotiation fails and the connection is torn down.

(3)     If the negotiated result is that VAM protocol packets are neither encrypted nor authenticated (the Server is configured to require neither), the Server and the Client do not need to generate an encryption key or an integrity verification key. Otherwise, both the Server and the Client derive the encryption key and the integrity verification key from the pre-shared key.

(4)     The Client and the Server each protect an initialization-complete packet with the generated encryption key and integrity verification key and send it to the peer. If the peer can correctly decrypt and verify the packet, algorithm and key negotiation succeeds, and all subsequent VAM protocol packets are protected with the negotiated algorithms and keys. Otherwise, negotiation fails and the connection is torn down.

Figure 1-4 Connection initialization

2. Registration

As shown in Figure 1-5, the registration phase proceeds as follows:

(1)     The Client sends a registration request to the Server. The request carries the Client's public address, private address, the private subnets it connects to, and other information.

(2)     On receiving the registration request, the Server decides, according to its configuration, whether to authenticate the Client. If authentication is not configured, the Server registers the Client's information directly and sends a registration success response. If authentication is configured, the Server replies with an authentication request that specifies the required authentication method. VAM supports PAP and CHAP authentication.

(3)     The Client submits its identity information to the Server.

(4)     The Server authenticates the Client and performs accounting through AAA. After authentication and accounting succeed, the Server sends a registration success response to the Client. The response carries the Hub information that the Server assigns to the Client.

Figure 1-5 Registration

3. Tunnel establishment

A Spoke must establish permanent tunnels with Hubs; one Spoke can establish permanent tunnels with any number of Hubs. If an ADVPN domain contains multiple Hubs, permanent tunnels must be established between the Hubs. Figure 1-6 shows the tunnel establishment process.

Figure 1-6 Tunnel establishment

(1)     Initiating a tunnel establishment request:

○     Hub-Spoke tunnel: After receiving the Hub information from the Server, the Spoke checks whether tunnels to these Hubs already exist. If a tunnel does not exist, the Spoke sends a tunnel establishment request to the Hub.

○     Hub-Hub tunnel: After receiving from the Server the information about the Hubs that have registered successfully, the Hub checks whether tunnels to these Hubs already exist. If a tunnel does not exist, the Hub sends a tunnel establishment request to that Hub.

○     Spoke-Spoke tunnel: In Full-Mesh networking, when a Spoke receives a data packet and finds no tunnel that can forward it, the Spoke sends an address resolution request to the Server and, based on the address resolution response, initiates a tunnel establishment request to the peer Spoke.

(2)     On receiving the tunnel establishment request, the tunnel peer saves the tunnel information and sends a tunnel establishment success response to the initiator.

4. Route learning and packet forwarding

An ADVPN node can learn private network routes in the following two ways:

·     Through static routes or a dynamic routing protocol: Static routes or a dynamic routing protocol must be configured on every private network connected to the ADVPN network and on the ADVPN tunnel interfaces, so that the private networks are reachable from one another. After an ADVPN tunnel is established, the routing protocol discovers neighbors and exchanges route updates through the tunnel and builds the routing table. An ADVPN tunnel can be regarded as an ordinary link in the private network that connects different private subnets. Once private routes have been learned, a Spoke that receives a packet from a connected private user destined for another private network looks up the routing table to find the private next-hop address, queries the VAM Server for the public address that corresponds to this private next hop, and encapsulates the packet with that public address as the tunnel destination. The encapsulated packet is sent to the peer through the ADVPN tunnel.

·     By registering private subnets with the VAM Server and querying it: An ADVPN node registers the private subnets it connects to with the VAM Server. When a Spoke receives a packet from a connected private user destined for another private network, it sends the destination address of the packet to the VAM Server and queries the information (public and private addresses) of the ADVPN node that connects the private subnet containing that destination. The Spoke then generates a local route to that private subnet with the ADVPN node as the next hop. After the query completes, the Spoke encapsulates the packet with the public address of that ADVPN node as the tunnel destination. The encapsulated packet is sent to the peer through the ADVPN tunnel.

If both route learning methods are used in an ADVPN network, a Spoke that receives a packet from a connected private user destined for another private network sends both the next-hop address of the private route and the destination address of the packet to the VAM Server. The VAM Server queries by the destination address first, that is, the register-and-query method takes precedence. If routes to the same private subnet are learned through both methods, the route with the smaller preference value is preferred for forwarding.

Note

·     Routing protocols exchange routes only between Hubs and Spokes and among Hubs; Spokes do not exchange routing information with each other directly.

·     Whether an ADVPN network operates as Full-Mesh or Hub-Spoke is determined by routing. If the next hop of a learned route is the peer Spoke, the network is Full-Mesh; if the next hop is a Hub, the network is Hub-Spoke.

1.1.4  ADVPN tunnels across NAT

If the tunnel initiator is behind a NAT gateway, a Spoke-Spoke tunnel across NAT can be established. If the tunnel receiver is behind a NAT gateway, packets must be forwarded through a Hub until the receiver itself initiates a tunnel establishment request. If both sides are behind NAT gateways, neither can establish a tunnel with the other, and all packets can only be forwarded through a Hub.

If the NAT gateway uses Endpoint-Independent Mapping (the translation does not depend on the peer address and port), a Spoke-Spoke tunnel across NAT can be established even when the tunnel receiver is behind the NAT gateway.

1.2  ADVPN configuration tasks at a glance

When building an ADVPN network, configure the VAM Server first, then the Hub devices, and finally the Spoke devices. Whether a device in the ADVPN network acts as a Hub or a Spoke is specified on the VAM Server.

To configure ADVPN, perform the following tasks:

(1)     Configuring the VAM Server

(2)     Configuring ADVPN nodes

a.     Configuring the VAM Client

b.     Configuring routing

c.     Configuring an ADVPN tunnel

d.     (Optional.) Configuring IPsec protection for ADVPN tunnel packets

e.     (Optional.) Enabling ADVPN logging

1.3  Configuring the VAM Server

1.3.1  VAM Server tasks at a glance

To configure the VAM Server, perform the following tasks:

(1)     Creating an ADVPN domain

(2)     Enabling the VAM Server feature

(3)     Configuring the pre-shared key of the VAM Server

(4)     Configuring a Hub group

(5)     (Optional.) Configuring the listening port number of the VAM Server

(6)     (Optional.) Configuring security parameters for VAM protocol packets

(7)     (Optional.) Configuring the authentication method for VAM Clients

(8)     (Optional.) Configuring keepalive packet parameters

(9)     (Optional.) Configuring request packet retransmission parameters

1.3.2  Creating an ADVPN domain

(1)     Enter system view.

system-view

(2)     Create an ADVPN domain and enter ADVPN domain view.

vam server advpn-domain domain-name id domain-id

1.3.3  Enabling the VAM Server feature

(1)     Enter system view.

system-view

(2)     Enable the VAM Server feature. Choose one of the following methods:

○     In system view, enable the VAM Server feature for all ADVPN domains or for a specified ADVPN domain.

vam server enable [ advpn-domain domain-name ]

○     Execute the following commands in sequence to enable the VAM Server feature for a specified ADVPN domain.

vam server advpn-domain domain-name [ id domain-id ]

server enable

By default, the VAM Server feature is disabled.

1.3.4  Configuring the pre-shared key of the VAM Server

1. About this task

The pre-shared key is used to generate the encryption and integrity verification keys:

·     During connection initialization, the pre-shared key is used to generate the initial keys that authenticate and encrypt the connection request and connection response packets.

·     If subsequent packets are to be encrypted and authenticated, the pre-shared key is also used to generate the connection keys that authenticate and encrypt those packets.

By checking whether packet decryption and integrity verification succeed, the VAM Client and the VAM Server can determine whether they hold the same pre-shared key, which authenticates the VAM Server to the VAM Client and vice versa.

2. Restrictions and guidelines

The pre-shared keys configured on the VAM Server and the VAM Clients in the same ADVPN domain must be identical.

3. Procedure

(1)     Enter system view.

system-view

(2)     Enter ADVPN domain view.

vam server advpn-domain domain-name [ id domain-id ]

(3)     Configure the pre-shared key of the VAM Server.

pre-shared-key { cipher | simple } string

By default, no pre-shared key is configured for the VAM Server.

1.3.5  Configuring a Hub group

1. About this task

In a large network, dividing an ADVPN domain into multiple Hub groups makes management easier. After Hub groups are created, Spokes can be assigned to different Hub groups according to their private subnets or address ranges, and one or more Hubs are specified for each Hub group. The VAM Server sends a VAM Client only the information about the Hubs in the Hub group the client belongs to, and the VAM Client establishes permanent ADVPN tunnels only with the Hubs in its own Hub group.

By default, direct Spoke-Spoke tunnels across Hub groups are not allowed. If a rule for establishing direct Spoke-Spoke tunnels across Hub groups is configured, the VAM Server delivers the rule to each Hub when it comes online. While forwarding a private data packet, the Hub matches the packet against the received rule. If the packet matches, the Hub sends a redirect packet to the Spoke that sent the data packet. On receiving the redirect packet, the Spoke sends the destination address of the redirected packet to the VAM Server, queries the information about the Spoke that connects the private subnet containing that destination, and establishes a direct tunnel with that Spoke.

Before the cross-group Spoke-Spoke direct tunnel is established, data packets are still forwarded by the Hub. Once the direct tunnel is up, data packets are sent directly to the Spoke that is the next hop of the direct route and no longer pass through the Hub.

When a VAM Client registers with the VAM Server, the VAM Server assigns it to a Hub group of the ADVPN domain according to its private address:

(1)     The Hub private addresses configured in each Hub group are matched in lexicographic order of the Hub group names.

(2)     If a match is found, the VAM Client is a Hub and is assigned to that Hub group. If the VAM Client is not a Hub, the Spoke private address ranges configured in each Hub group are matched, again in lexicographic order of the Hub group names.

(3)     If a match is found, the VAM Client is a Spoke and is assigned to that Hub group. Otherwise, the VAM Client is neither a Hub nor a Spoke, and registration fails.
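The following Python script is an added example, not part of this guide or of the device software. It implements the three matching steps above over a constructed set of Hub groups that mirrors the IPv4 Full-Mesh configuration example later in this chapter (Hub group 0 with Hubs 192.168.0.1 and 192.168.0.2 and Spoke subnet 192.168.0.0/24) plus a hypothetical second group named 1; the HubGroup class and the helper names are the example's own. Note that 192.168.0.1 also falls inside the Spoke subnet of group 0, yet is classified as a Hub because Hub addresses are matched first.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HubGroup:
    """One hub-group under an ADVPN domain, holding what 'hub private-address' and
    'spoke private-address' configure (data model is this example's own)."""
    name: str
    hubs: list = field(default_factory=list)          # Hub private addresses
    spoke_ranges: list = field(default_factory=list)  # networks or (start, end) tuples

    def hub(self, address):
        self.hubs.append(ipaddress.ip_address(address))
        return self

    def spoke_network(self, network):
        self.spoke_ranges.append(ipaddress.ip_network(network, strict=False))
        return self

    def spoke_range(self, start, end):
        self.spoke_ranges.append((ipaddress.ip_address(start), ipaddress.ip_address(end)))
        return self


def _in_spoke_range(addr, entry):
    """True when addr lies in a configured Spoke network or start-end range."""
    if isinstance(entry, tuple):
        start, end = entry
        return addr.version == start.version and start <= addr <= end
    return addr in entry


def classify_client(private_address, hub_groups):
    """Assign a registering VAM Client to a Hub group by its private address.

    Returns ("Hub", group_name) or ("Spoke", group_name); None means the client is
    neither a Hub nor a Spoke of any group, so registration fails.
    """
    addr = ipaddress.ip_address(private_address)
    ordered = sorted(hub_groups, key=lambda g: g.name)   # lexicographic order of group names
    for group in ordered:                                 # step 1: Hub addresses first
        if addr in group.hubs:
            return ("Hub", group.name)
    for group in ordered:                                 # step 2: then Spoke ranges
        if any(_in_spoke_range(addr, entry) for entry in group.spoke_ranges):
            return ("Spoke", group.name)
    return None                                           # step 3: no match, registration fails


def sample_domain():
    """Constructed Hub groups: group 0 mirrors the Full-Mesh example of this chapter,
    group 1 is hypothetical and only shows ordering across groups."""
    return [
        HubGroup("1").hub("192.168.3.1").spoke_range("192.168.3.10", "192.168.3.50"),
        HubGroup("0").hub("192.168.0.1").hub("192.168.0.2").spoke_network("192.168.0.0/24"),
    ]


if __name__ == "__main__":
    for client in ("192.168.0.1", "192.168.0.3", "192.168.3.1", "192.168.3.20", "10.0.0.9"):
        print(client, "->", classify_client(client, sample_domain()))
```

Because registration fails for any private address outside every configured Hub address and Spoke range, the Spoke ranges of a Hub group double as an allow-list: a client that is not planned into the domain is refused at registration time, before any tunnel is set up.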

2. Procedure

(1)     Enter system view.

system-view

(2)     Enter ADVPN domain view.

vam server advpn-domain domain-name [ id domain-id ]

(3)     Create a Hub group and enter Hub group view.

hub-group group-name

(4)     Configure the private address of a Hub.

(IPv4 network)

hub private-address private-ip-address [ public-address { public-ipv4-address | public-ipv6-address } [ advpn-port port-number ] ]

(IPv6 network)

hub ipv6 private-address private-ipv6-address [ public-address { public-ipv4-address | public-ipv6-address } [ advpn-port port-number ] ]

By default, no Hub private address is configured.

Each Hub group must have at least one Hub private address configured.

(5)     Configure the private address range of the Spokes.

(IPv4 network)

spoke private-address { network ip-address { mask-length | mask } | range start-ipv4-address end-ipv4-address }

(IPv6 network)

spoke ipv6 private-address { network prefix prefix-length | range start-ipv6-address end-ipv6-address }

By default, no Spoke private address range is configured. Each Hub group can have multiple IPv4 and IPv6 Spoke private address ranges.

(6)     Configure the rule for establishing direct Spoke-Spoke tunnels across Hub groups.

(IPv4 network)

shortcut interest { acl { acl-number | name acl-name } | all }

(IPv6 network)

shortcut ipv6 interest { acl { ipv6-acl-number | name ipv6-acl-name } | all }

By default, no such rule is configured, and direct Spoke-Spoke tunnels across Hub groups are not allowed.

1.3.6  Configuring the listening port number of the VAM Server

1. Restrictions and guidelines

The listening port number of the VAM Server must be the same as the VAM Server port number specified on the VAM Clients.

2. Procedure

(1)     Enter system view.

system-view

(2)     Configure the listening port number of the VAM Server.

vam server listen-port port-number

By default, the VAM Server listens on port 18000.

1.3.7  Configuring security parameters for VAM protocol packets

1. About this task

This task sets the authentication and encryption algorithms for VAM protocol packets. The VAM Server negotiates with the algorithm list sent by the VAM Client according to the configured integrity verification algorithms, encryption algorithms, and their priorities. The negotiated algorithms are used by both ends as the integrity verification algorithm and the encryption algorithm for protocol packets.

The VAM Server and VAM Client always use the SHA-1 authentication algorithm and the AES-CBC-128 encryption algorithm to verify and encrypt the connection initialization request and response packets. The negotiated authentication and encryption algorithms are used for all other VAM protocol packets.

2. Restrictions and guidelines

The order in which authentication/encryption algorithms appear in the configuration determines their priority: an algorithm that appears earlier has a higher priority.

Changing the authentication/encryption algorithms does not affect VAM Clients that have already registered; newly registering VAM Clients negotiate with the modified algorithms.

3. Procedure

(1)     Enter system view.

system-view

(2)     Enter ADVPN domain view.

vam server advpn-domain domain-name [ id domain-id ]

(3)     Configure the authentication algorithms for VAM protocol packets.

authentication-algorithm { aes-xcbc-mac | md5 | none | sha-1 | sha-256 } *

By default, the authentication algorithm for VAM protocol packets is SHA-1.

(4)     Configure the encryption algorithms for VAM protocol packets.

encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | des-cbc | none } *

By default, the encryption algorithms are used in descending priority order AES-CBC-256, AES-CBC-192, AES-CBC-128, AES-CTR-256, AES-CTR-192, AES-CTR-128, 3DES-CBC, DES-CBC.
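The following Python script is an added example, not the device's implementation. It models the algorithm selection described for the connection initialization phase (1.1.3) and the priority rules of this section: the server walks its configured list in priority order and takes the first entry the client also offers, so the server's order, not the client's, decides the outcome. The default lists and keyword sets are those given in this section; how the VAM protocol encodes the lists on the wire is not on this page and is not modelled, and treating the none keyword as an ordinary list entry is this example's assumption.

```python
# Keyword sets and default priority lists from section 1.3.7 of this guide.
AUTH_KEYWORDS = {"aes-xcbc-mac", "md5", "none", "sha-1", "sha-256"}
ENC_KEYWORDS = {"3des-cbc", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256",
                "aes-ctr-128", "aes-ctr-192", "aes-ctr-256", "des-cbc", "none"}
SERVER_AUTH_DEFAULT = ["sha-1"]
SERVER_ENC_DEFAULT = ["aes-cbc-256", "aes-cbc-192", "aes-cbc-128",
                      "aes-ctr-256", "aes-ctr-192", "aes-ctr-128",
                      "3des-cbc", "des-cbc"]
# The initialization request/response themselves are always protected with these.
INIT_AUTH, INIT_ENC = "sha-1", "aes-cbc-128"


def priority_list_from_command(command_line):
    """Turn an 'authentication-algorithm ...' or 'encryption-algorithm ...' line into the
    server's priority list: order of appearance is the priority. Rejects unknown keywords."""
    keyword, *algorithms = command_line.split()
    allowed = {"authentication-algorithm": AUTH_KEYWORDS,
               "encryption-algorithm": ENC_KEYWORDS}[keyword]
    unknown = [a for a in algorithms if a not in allowed]
    if unknown or not algorithms:
        raise ValueError(f"invalid algorithm keyword(s) for {keyword}: {unknown or 'none given'}")
    return algorithms


def select_algorithm(server_priority, client_offer):
    """Server walks its list from highest to lowest priority and returns the first
    algorithm the client also offers; None means no common algorithm."""
    offered = set(client_offer)
    for alg in server_priority:
        if alg in offered:
            return alg
    return None


def negotiate(server_auth, server_enc, client_auth, client_enc):
    """Outcome of the connection initialization phase for one client.

    Returns None when negotiation fails and the connection is torn down; otherwise a
    dict with the chosen algorithms and whether keys must be derived from the
    pre-shared key (not needed only when neither protection is in use).
    """
    auth = select_algorithm(server_auth, client_auth)
    enc = select_algorithm(server_enc, client_enc)
    if auth is None or enc is None:
        return None
    # 'none' treated as a plain list entry: assumption of this example.
    return {"auth": auth, "enc": enc, "derive_keys": not (auth == "none" and enc == "none")}


if __name__ == "__main__":
    # A client that lists AES-CBC-128 first still gets AES-CBC-256: server priority wins.
    print(negotiate(SERVER_AUTH_DEFAULT, SERVER_ENC_DEFAULT,
                    ["sha-1", "md5"], ["aes-cbc-128", "aes-cbc-256"]))
    # A server restricted to SHA-256 against a client offering only MD5: torn down.
    print(negotiate(priority_list_from_command("authentication-algorithm sha-256"),
                    SERVER_ENC_DEFAULT, ["md5"], ["aes-cbc-256"]))
```

Because the server's list is authoritative, trimming weak entries such as des-cbc, 3des-cbc and md5 from the server's configuration is enough to keep any newly registering client off them; clients that registered before the change keep their negotiated algorithms, as the restrictions above note.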

1.3.8  Configuring the authentication method for VAM Clients

1. About this task

This task sets how the VAM Server authenticates VAM Clients: no authentication, or AAA authentication using PAP or CHAP. Only VAM Clients that pass authentication can join the ADVPN domain. For the AAA configuration on the VAM Server, see "AAA" in Security Configuration Guide.

2. Restrictions and guidelines

If the ISP domain specified for authentication does not exist, authentication of VAM Clients by the VAM Server fails.

Changing the authentication method does not affect VAM Clients that have already registered; newly registering VAM Clients are authenticated with the modified method.

3. Procedure

(1)     Enter system view.

system-view

(2)     Enter ADVPN domain view.

vam server advpn-domain domain-name [ id domain-id ]

(3)     Configure the method the VAM Server uses to authenticate VAM Clients.

authentication-method { none | { chap | pap } [ domain isp-name ] }

By default, the VAM Server authenticates VAM Clients with CHAP, using the default ISP domain configured by the user.

1.3.9  Configuring keepalive packet parameters

1. About this task

A VAM Client and the VAM Server keep in contact through keepalive packets. This task sets the interval at which a VAM Client sends keepalive packets and the retransmission count. After a VAM Client registers successfully, the VAM Server delivers the configured parameters to it in the registration response, so all VAM Clients in the same ADVPN domain use the same keepalive parameters.

The VAM Client sends keepalive packets to the VAM Server at the interval specified by the VAM Server, and the VAM Server replies with a response packet. If the keepalive retransmission count reaches the specified value without a response from the VAM Server, the VAM Client considers the connection to the VAM Server broken and stops sending keepalives. If the VAM Server receives no keepalive packet from a VAM Client within interval × retransmission count, it considers the connection to that VAM Client broken, deletes the VAM Client's information, and takes it offline.

2. Restrictions and guidelines

If the VAM Server changes the keepalive parameters, the new parameters take effect only for newly registering VAM Clients; registered VAM Clients are not affected.

If a device configured with dynamic NAT sits between the VAM Server and a VAM Client, the keepalive interval should be shorter than the aging time of the NAT entries, so that the NAT entries do not age out.

Set the keepalive interval and retransmission count according to the actual network conditions.

3. Procedure

(1)     Enter system view.

system-view

(2)     Enter ADVPN domain view.

vam server advpn-domain domain-name [ id domain-id ]

(3)     Configure the interval at which VAM Clients send keepalive packets to the VAM Server and the retry count.

keepalive interval interval retry retries

By default, VAM Clients send keepalive packets every 180 seconds and retry 3 times.

1.3.10  Configuring request packet retransmission parameters

1. About this task

After the VAM Server sends a request packet to a VAM Client, if it receives no response within the specified interval, it retransmits the request. Retransmission continues until a response arrives or the VAM Client's keepalive times out (that is, the VAM Server receives no keepalive packet from the VAM Client within keepalive interval × retransmission count).

2. Procedure

(1)     Enter system view.

system-view

(2)     Enter ADVPN domain view.

vam server advpn-domain domain-name [ id domain-id ]

(3)     Configure the interval at which the VAM Server retransmits request packets.

retry interval interval

By default, the VAM Server retransmits request packets every 5 seconds.

1.4  Configuring the VAM Client

1.4.1  VAM Client tasks at a glance

To configure the VAM Client, perform the following tasks:

(1)     Creating a VAM Client

(2)     Enabling the VAM Client feature

(3)     Configuring the VAM Server address

(4)     Configuring the ADVPN domain of the VAM Client

(5)     Configuring the pre-shared key of the VAM Client

(6)     (Optional.) Configuring request packet retransmission parameters

(7)     (Optional.) Configuring the dumb time after a VAM Client connection timeout

(8)     (Optional.) Configuring the authentication username and password

1.4.2  Creating a VAM Client

(1)     Enter system view.

system-view

(2)     Create a VAM Client and enter VAM Client view.

vam client name client-name

1.4.3  Enabling the VAM Client feature

(1)     Enter system view.

system-view

(2)     Enable the VAM Client feature. Choose one of the following methods:

○     In system view, enable the VAM Client feature.

vam client enable [ name client-name ]

○     Execute the following commands in sequence to enable the VAM Client feature for a specified VAM Client.

vam client name client-name

client enable

By default, the VAM Client feature is disabled.

1.4.4  Configuring the VAM Server address

1. About this task

A VAM Client can be configured with two VAM Servers: a primary VAM Server and a secondary VAM Server. The VAM Client registers with both at the same time. If both registrations succeed, the VAM Client preferentially uses the information delivered by the VAM Server with which registration succeeded first. When that VAM Server fails, the VAM Client uses the information delivered by the other VAM Server.

2. Restrictions and guidelines

If the primary and secondary VAM Servers have the same address (the same address is configured, or their domain names resolve to the same address), only the primary VAM Server takes effect.

The VAM Server port number specified on the VAM Client must match the listening port number configured on the VAM Server.

3. Procedure

(1)     Enter system view.

system-view

(2)     Enter VAM Client view.

vam client name client-name

(3)     Configure the primary VAM Server address.

server primary { ip-address ip-address | ipv6-address ipv6-address | name host-name } [ port port-number ]

By default, no primary VAM Server address is configured.

(4)     (Optional.) Configure the secondary VAM Server address.

server secondary { ip-address ip-address | ipv6-address ipv6-address | name host-name } [ port port-number ]

By default, no secondary VAM Server address is configured.

1.4.5  Configuring the ADVPN domain of the VAM Client

(1)     Enter system view.

system-view

(2)     Enter VAM Client view.

vam client name client-name

(3)     Configure the ADVPN domain the VAM Client belongs to.

advpn-domain domain-name

By default, a VAM Client does not belong to any ADVPN domain.

1.4.6  Configuring the pre-shared key of the VAM Client

1. About this task

The pre-shared key is used to generate the encryption and integrity verification keys:

·     During connection initialization, the pre-shared key is used to generate the initial keys that authenticate and encrypt the connection request and connection response packets.

·     If subsequent packets are to be encrypted and authenticated, the pre-shared key is also used to generate the connection keys that authenticate and encrypt those packets.

By checking whether packet decryption and integrity verification succeed, the VAM Client and the VAM Server can determine whether they hold the same pre-shared key, which authenticates the VAM Server to the VAM Client and vice versa.

2. Restrictions and guidelines

The pre-shared keys configured on the VAM Clients and the VAM Server in the same ADVPN domain must be identical.

3. Procedure

(1)     Enter system view.

system-view

(2)     Enter VAM Client view.

vam client name client-name

(3)     Configure the pre-shared key of the VAM Client.

pre-shared-key { cipher | simple } string

By default, no pre-shared key is configured.

1.4.7  Configuring request packet retransmission parameters

1. About this task

After a VAM Client sends a request packet to the VAM Server, if it receives no response within the specified interval, it retransmits the request. If the number of retransmissions exceeds the specified count, the VAM Client considers the VAM Server unreachable.

Private network registration requests and node information update requests are not limited by the retransmission count; they are sent repeatedly at the specified interval until the VAM Client goes offline.

The interval and retransmission count for keepalive packets sent by the VAM Client are determined by the VAM Server's configuration.

2. Procedure

(1)     Enter system view.

system-view

(2)     Enter VAM Client view.

vam client name client-name

(3)     Configure the retransmission parameters for VAM protocol packets.

retry interval interval count retries

By default, VAM protocol packets are retransmitted every 5 seconds, up to 3 times.

1.4.8  Configuring the dumb time after a VAM Client connection timeout

1. About this task

After its connection to the VAM Server times out, a VAM Client enters the dumb state, in which it processes no packets. When the dumb time expires, the VAM Client initiates a new connection request.

2. Procedure

(1)     Enter system view.

system-view

(2)     Enter VAM Client view.

vam client name client-name

(3)     Configure the dumb time after a VAM Client connection timeout.

dumb-time time-interval

By default, the dumb time after a VAM Client connection timeout is 120 seconds.

1.4.9  Configuring the authentication username and password

1. About this task

Configure the username and password that the VAM Client uses to authenticate to the VAM Server.

2. Procedure

(1)     Enter system view.

system-view

(2)     Enter VAM Client view.

vam client name client-name

(3)     Configure the authentication username and password.

user username password { cipher | simple } string

By default, no authentication username or password is configured.

1.5  Configuring routing

The routing protocols supported on the IPv4 private network of ADVPN clients are OSPF, RIP, and BGP:

·     OSPF: In a Full-Mesh network, set the OSPF network type of the interfaces to broadcast; in a Hub-Spoke network, set it to p2mp. For the OSPF configuration, see "OSPF" in Layer 3-IP Routing Configuration Guide.

·     RIP: Full-Mesh networks are not supported, only Hub-Spoke networks, and split horizon must be disabled. For the RIP configuration, see "RIP" in Layer 3-IP Routing Configuration Guide.

·     BGP: In a Full-Mesh network, use routing policies or similar configuration to ensure that the next hop of the route a Spoke learns to the peer private network is the address of the peer Spoke (EBGP does not support Full-Mesh networks). In a Hub-Spoke network, use routing policies or similar configuration to ensure that the next hop of the route a Spoke learns to the peer private network is the address of the Hub. For the BGP and routing policy configuration, see "BGP" and "Routing policy" in Layer 3-IP Routing Configuration Guide.

The routing protocols supported on the IPv6 private network of ADVPN clients are OSPFv3, RIPng, and IPv6 BGP:

·     OSPFv3: In a Full-Mesh network, set the OSPFv3 network type of the interfaces to broadcast; in a Hub-Spoke network, set it to p2mp. For the OSPFv3 configuration, see "OSPFv3" in Layer 3-IP Routing Configuration Guide.

·     RIPng: Only Full-Mesh networks are supported. For the RIPng configuration, see "RIPng" in Layer 3-IP Routing Configuration Guide.

·     IPv6 BGP: In a Full-Mesh network, use routing policies or similar configuration to ensure that the next hop of the route a Spoke learns to the peer private network is the address of the peer Spoke (EBGP does not support Full-Mesh networks). In a Hub-Spoke network, use routing policies or similar configuration to ensure that the next hop of the route a Spoke learns to the peer private network is the address of the Hub. For the IPv6 BGP and routing policy configuration, see "BGP" and "Routing policy" in Layer 3-IP Routing Configuration Guide.

1.6  Configuring an ADVPN tunnel

1. Restrictions and guidelines

If a device has multiple GRE-encapsulated ADVPN tunnel interfaces with the same tunnel source address or source interface, the GRE keys of these tunnel interfaces must differ. For details about the GRE key, see "GRE" in Layer 3-IP Services Configuration Guide.

For details about tunnel interfaces, see "Tunneling" in Layer 3-IP Services Configuration Guide. For details about the interface tunnel, source, and tunnel dfbit enable commands and the other commands available in tunnel interface view, see "Tunneling" in Layer 3-IP Services Command Reference.

2. Procedure

(1)     Enter system view.

system-view

(2)     Create an ADVPN-mode tunnel interface and enter tunnel interface view.

interface tunnel number [ mode advpn { gre | udp } [ ipv6 ] ]

Both ends of a tunnel must use the same tunnel mode; otherwise packet transmission may fail.

(3)     Configure the private address of the tunnel interface.

(IPv4 network)

ip address ip-address { mask | mask-length } [ sub ]

(IPv6 network)

ipv6 address ipv6-address prefix-length

By default, no private address is configured on the tunnel interface.

Within one Hub group, the addresses of all tunnel interfaces should be in the same subnet.

(4)     Configure the source address or source interface of the ADVPN tunnel.

source { ip-address | interface-type interface-number }

By default, no source address or source interface is configured for the ADVPN tunnel.

If a source address is set, it is used as the source address of the encapsulated tunnel packets; if a source interface is set, the address of that interface is used as the source address of the encapsulated tunnel packets.

(5)     (Optional.) Set the DF (Don't Fragment) bit of the encapsulated tunnel packets.

tunnel dfbit enable

By default, the DF bit is not set on tunnel packets, that is, tunnel packets may be fragmented during forwarding.

(6)     (Optional.) Configure the source UDP port number of ADVPN packets.

advpn source-port port-number

By default, the source UDP port number of ADVPN packets is 18001.

This command is available only in the view of a UDP-mode ADVPN tunnel interface.

If the vam client command on the tunnel interface specifies the compatible keyword, the source port number configured on that tunnel interface must differ from those of the other tunnel interfaces.

(7)     Bind a VAM Client to the tunnel interface.

(IPv4 network)

vam client client-name [ compatible advpn0 ]

(IPv6 network)

vam ipv6 client client-name

By default, no VAM Client is bound to the tunnel interface.

A VAM Client can be bound to only one tunnel interface.

(8)     (Optional.) Configure the private network information of the ADVPN tunnel.

(IPv4 network)

advpn network ip-address { mask-length | mask } [ preference preference-value ]

(IPv6 network)

advpn ipv6 network prefix prefix-length [ preference preference-value ]

By default, no private network information is configured for the ADVPN tunnel.

The preference of private network routes should be higher than that of other dynamic routing protocols and lower than that of static routes.

(9)     (Optional.) Configure the keepalive interval and the maximum number of keepalive packets for the ADVPN tunnel.

keepalive interval interval retry retries

By default, the ADVPN tunnel sends keepalive packets every 180 seconds, up to 3 times.

Within one ADVPN domain, the keepalive interval and maximum number of keepalives must be the same on all tunnel interfaces.

(10)     (Optional.) Configure the idle timeout of Spoke-Spoke ADVPN tunnels.

advpn session idle-time time-interval

By default, the idle timeout of Spoke-Spoke ADVPN tunnels is 600 seconds.

After this parameter is changed, established Spoke-Spoke ADVPN tunnels restart their timers with the new value.

(11)     (Optional.) Configure the dumb time after an ADVPN tunnel establishment failure.

advpn session dumb-time time-interval

By default, the dumb time after an ADVPN tunnel establishment failure is 120 seconds.

After this parameter is changed, the dumb time of established ADVPN tunnels does not change; ADVPN tunnels established afterwards use the new dumb time.

(12)     (Optional.) Configure the group name of the ADVPN tunnel.

advpn group group-name

By default, no group name is configured for the ADVPN tunnel.

This configuration is available only on Spokes.

(13)     (Optional.) Map the ADVPN tunnel group name to a QoS policy.

advpn map group group-name qos-policy policy-name outbound

By default, no ADVPN tunnel group name is mapped to a QoS policy.

This configuration is available only on Hubs.
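The following Python script is an added example, not part of this guide or of the device software. It takes a constructed, hypothetical description of the VAM Server and of the tunnel interfaces in the IPv4 Full-Mesh example later in this chapter and checks the consistency rules stated in sections 1.3 through 1.6: identical pre-shared keys within the domain, a client-side server port equal to the server's listening port, identical tunnel keepalive parameters on all tunnel interfaces, one tunnel mode on both ends, one subnet per Hub group, distinct GRE keys for same-source GRE tunnels on one device, and a VAM keepalive interval below the NAT entry aging time. The dict layout, the gre_key and nat_aging_time fields, and the function names are the example's own assumptions; it is not a parser for the device's running configuration.

```python
import ipaddress
from copy import deepcopy

# Constructed sample mirroring the IPv4 Full-Mesh example of this guide (hypothetical layout).
SERVER = {
    "pre_shared_key": "123456",
    "listen_port": 18000,        # vam server listen-port (default 18000)
    "vam_keepalive": (180, 3),   # keepalive interval/retry delivered to clients (default 180 s, 3)
    "nat_aging_time": None,      # NAT entry aging time in s, when dynamic NAT sits in the path
}


def tunnel(device, hub_group, address, **overrides):
    """One ADVPN tunnel interface together with the VAM Client bound to it."""
    t = {"device": device, "hub_group": hub_group, "tunnel_address": address,
         "tunnel_mode": "gre", "source": "GE0/0/1", "gre_key": None,
         "pre_shared_key": "123456", "server_port": 18000, "tunnel_keepalive": (180, 3)}
    t.update(overrides)
    return t


GOOD_TUNNELS = [tunnel("Hub1", "0", "192.168.0.1/24"), tunnel("Hub2", "0", "192.168.0.2/24"),
                tunnel("Spoke1", "0", "192.168.0.3/24"), tunnel("Spoke2", "0", "192.168.0.4/24")]


def check_advpn_config(server, tunnels):
    """Return the list of guide constraints the configuration violates (empty = consistent)."""
    findings = []
    for t in tunnels:
        # 1.3.4 / 1.4.6: pre-shared keys must match within the domain
        if t["pre_shared_key"] != server["pre_shared_key"]:
            findings.append(f"{t['device']}: pre-shared key differs from the VAM Server's")
        # 1.3.6 / 1.4.4: client-side server port must equal the server's listening port
        if t["server_port"] != server["listen_port"]:
            findings.append(f"{t['device']}: VAM Server port {t['server_port']} "
                            f"!= listen port {server['listen_port']}")
    # 1.6 step 9: keepalive interval/retry must be identical on all tunnel interfaces
    keepalives = {t["tunnel_keepalive"] for t in tunnels}
    if len(keepalives) > 1:
        findings.append(f"tunnel keepalive parameters differ within the domain: {sorted(keepalives)}")
    # 1.6 step 2: both ends of a tunnel must use the same mode (gre or udp)
    modes = {t["tunnel_mode"] for t in tunnels}
    if len(modes) > 1:
        findings.append(f"mixed tunnel modes within the domain: {sorted(modes)}")
    # 1.6 step 3: tunnel addresses of one Hub group must share a subnet
    by_group = {}
    for t in tunnels:
        by_group.setdefault(t["hub_group"], []).append(t)
    for group, members in by_group.items():
        nets = {str(ipaddress.ip_interface(m["tunnel_address"]).network) for m in members}
        if len(nets) > 1:
            findings.append(f"hub group {group}: tunnel addresses span several subnets: {sorted(nets)}")
    # 1.6 restrictions: GRE tunnels on one device with the same source need distinct GRE keys
    keys_seen = {}
    for t in tunnels:
        if t["tunnel_mode"] == "gre":
            slot = keys_seen.setdefault((t["device"], t["source"]), set())
            if t["gre_key"] in slot:
                findings.append(f"{t['device']}: GRE key {t['gre_key']} reused on source {t['source']}")
            slot.add(t["gre_key"])
    # 1.3.9: VAM keepalive interval must be shorter than the NAT entry aging time
    aging = server["nat_aging_time"]
    if aging is not None and server["vam_keepalive"][0] >= aging:
        findings.append(f"VAM keepalive interval {server['vam_keepalive'][0]} s "
                        f"is not below NAT aging time {aging} s")
    return findings


def misconfigured_sample():
    """Deliberately broken variant: wrong key, foreign subnet and odd keepalive on Spoke2,
    plus a NAT aging time shorter than the VAM keepalive interval."""
    tunnels = deepcopy(GOOD_TUNNELS)
    tunnels[3].update({"pre_shared_key": "654321", "tunnel_address": "192.168.5.4/24",
                       "tunnel_keepalive": (60, 3)})
    return dict(SERVER, nat_aging_time=120), tunnels


if __name__ == "__main__":
    print("consistent sample:", check_advpn_config(SERVER, GOOD_TUNNELS))
    for finding in check_advpn_config(*misconfigured_sample()):
        print("finding:", finding)
```

Each of these mismatches shows up on the device only indirectly (a client that never registers, a tunnel that stays down, or a VAM session that drops every few minutes behind NAT), so checking the intended configuration against the rules before deployment saves a round of display command troubleshooting.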

1.7  Configuring IPsec protection for ADVPN tunnel packets

The device can use the IPsec framework to protect the data packets and control packets of ADVPN tunnels. The basic configuration procedure is as follows:

(1)     Configure an IPsec proposal (transform set): specify the security protocol, the authentication and encryption algorithms, the encapsulation mode, and so on.

(2)     Configure an IKE-based IPsec profile.

(3)     Apply the IKE-based IPsec profile to the ADVPN tunnel interface.

For the detailed configuration, see "IPsec" in Security Configuration Guide.

1.8  Enabling ADVPN logging

1. About this task

ADVPN log messages generated by the device are sent to the information center. The output rules for the log messages (whether they are output, and to which destinations) are determined by the information center parameters. For the information center configuration, see "Information center" in Network Management and Monitoring Configuration Guide.

2. Procedure

(1)     Enter system view.

system-view

(2)     Enable ADVPN logging.

advpn logging enable

By default, ADVPN logging is disabled.

1.9  Display and maintenance commands for ADVPN

1.9.1  Displaying ADVPN information

Execute the following commands in any view:

·     Display the IPv4 private-to-public address mappings of the VAM Clients registered with the VAM Server.

display vam server address-map [ advpn-domain domain-name [ private-address private-ip-address ] ] [ verbose ]

·     Display the IPv6 private-to-public address mappings of the VAM Clients registered with the VAM Server.

display vam server ipv6 address-map [ advpn-domain domain-name [ private-address private-ipv6-address ] ] [ verbose ]

·     Display the IPv4 private network information of the VAM Clients registered with the VAM Server.

display vam server private-network [ advpn-domain domain-name [ private-address private-ip-address ] ]

·     Display the IPv6 private network information of the VAM Clients registered with the VAM Server.

display vam server ipv6 private-network [ advpn-domain domain-name [ private-address private-ipv6-address ] ]

·     Display ADVPN domain statistics on the VAM Server.

display vam server statistics [ advpn-domain domain-name ]

·     Display VAM Client state machine information.

display vam client fsm [ name client-name ]

·     Display VAM Client statistics.

display vam client statistics [ name client-name ]

·     Display the rules for establishing direct IPv4 Spoke-Spoke tunnels across Hub groups that the VAM Client received from the VAM Server.

display vam client shortcut interest [ name client-name ]

·     Display the rules for establishing direct IPv6 Spoke-Spoke tunnels across Hub groups that the VAM Client received from the VAM Server.

display vam client shortcut ipv6 interest [ name client-name ]

·     Display the mappings between ADVPN tunnel group names and QoS policies.

display advpn group-qos-map [ interface tunnel number [ group group-name ] ]

·     Display IPv4 ADVPN tunnel information.

display advpn session [ interface tunnel number [ private-address private-ip-address ] ] [ verbose ]

·     Display IPv6 ADVPN tunnel information.

display advpn ipv6 session [ interface tunnel number [ private-address private-ipv6-address ] ] [ verbose ]

·     Display the number of ADVPN sessions in each state.

display advpn session count

1.9.2  Clearing ADVPN information

Execute the following commands in user view:

Caution

When you execute the reset vam server address-map command to clear the IPv4 private-to-public address mappings registered with the VAM Server, the device sends an error notification to the VAM Client that registered each IPv4 private address, requesting it to go offline.

When you execute the reset vam server ipv6 address-map command to clear the IPv6 private-to-public address mappings registered with the VAM Server, the device sends an error notification to the VAM Client that registered each IPv6 private address, requesting it to go offline.

After the reset vam client fsm command resets the VAM Client state machine, the VAM Client immediately attempts to come back online.

After the reset vam client ipv6 fsm command resets the IPv6 VAM Client state machine, the IPv6 VAM Client immediately attempts to come back online.

·     Clear the IPv4 private-to-public address mappings registered with the VAM Server.

reset vam server address-map [ advpn-domain domain-name [ private-address private-ip-address ] ]

·     Clear the IPv6 private-to-public address mappings registered with the VAM Server.

reset vam server ipv6 address-map [ advpn-domain domain-name [ private-address private-ipv6-address ] ]

·     Clear ADVPN domain statistics on the VAM Server.

reset vam server statistics [ advpn-domain domain-name ]

·     Reset the VAM Client state machine.

reset vam client [ ipv6 ] fsm [ name client-name ]

·     Clear VAM Client statistics.

reset vam client statistics [ name client-name ]

·     Delete IPv4 ADVPN tunnels.

reset advpn session [ interface tunnel number [ private-address private-ip-address ] ]

·     Delete IPv6 ADVPN tunnels.

reset advpn ipv6 session [ interface tunnel number [ private-address private-ipv6-address ] ]

·     Clear IPv4 ADVPN tunnel statistics.

reset advpn session statistics [ interface tunnel number [ private-address private-ip-address ] ]

·     Clear IPv6 ADVPN tunnel statistics.

reset advpn ipv6 session statistics [ interface tunnel number [ private-address private-ipv6-address ] ]

1.10  ADVPN configuration examples

1.10.1  Example: Configuring an IPv4 Full-Mesh ADVPN network

1. Network requirements

·     In IPv4 Full-Mesh networking, the primary and secondary VAM Servers manage and maintain the information of all nodes; the AAA server authenticates the VAM Clients and performs accounting; the two Hubs back each other up and are responsible for forwarding data and exchanging routing information.

·     Permanent ADVPN tunnels are established between the Spokes and the Hubs.

·     Within the ADVPN domain, any two Spokes establish an ADVPN tunnel dynamically when they have data to exchange.

2. Network diagram

Figure 1-7 IPv4 Full-Mesh ADVPN network

Device            Interface   IP address          Device            Interface   IP address
Hub 1             GE0/0/1     1.0.0.1/24          Spoke 1           GE0/0/1     1.0.0.3/24
                  Tunnel1     192.168.0.1/24                        GE0/0/2     192.168.1.1/24
Hub 2             GE0/0/1     1.0.0.2/24                            Tunnel1     192.168.0.3/24
                  Tunnel1     192.168.0.2/24      Spoke 2           GE0/0/1     1.0.0.4/24
AAA server        -           1.0.0.10/24                           GE0/0/2     192.168.2.1/24
Primary server    GE0/0/1     1.0.0.11/24                           Tunnel1     192.168.0.4/24
Secondary server  GE0/0/1     1.0.0.12/24

3. Configuring the primary VAM Server

(1)     Assign IP addresses to the interfaces. (Details not shown.)

(2)     Configure AAA authentication.

# Configure a RADIUS scheme.

<PrimaryServer> system-view
[PrimaryServer] radius scheme abc
[PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812
[PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813
[PrimaryServer-radius-abc] key authentication simple 123
[PrimaryServer-radius-abc] key accounting simple 123
[PrimaryServer-radius-abc] user-name-format without-domain
[PrimaryServer-radius-abc] quit
[PrimaryServer] radius session-control enable

# Configure the AAA methods of the ISP domain.

[PrimaryServer] domain abc
[PrimaryServer-isp-abc] authentication advpn radius-scheme abc
[PrimaryServer-isp-abc] accounting advpn radius-scheme abc
[PrimaryServer-isp-abc] quit
[PrimaryServer] domain default enable abc

(3)     Configure the VAM Server.

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create Hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify the IPv4 private addresses of the Hubs in the Hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

# Specify the IPv4 private address range of the Spokes in the Hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0
[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Set the pre-shared key of the VAM Server to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Configure CHAP authentication for VAM Clients.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM Server feature for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable
[PrimaryServer-vam-server-domain-abc] quit

4. Configuring the secondary VAM Server

Except for the IP addresses, the ADVPN configuration on the secondary VAM Server is the same as that on the primary VAM Server and is not repeated here.

5. Configuring Hub 1

(1)     Assign IP addresses to the interfaces. (Details not shown.)

(2)     Configure the VAM Client.

# Create VAM Client Hub1.

<Hub1> system-view
[Hub1] vam client name Hub1

# Set the ADVPN domain of the VAM Client to abc.

[Hub1-vam-client-Hub1] advpn-domain abc

# Set the pre-shared key of the VAM Client to 123456.

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set the authentication username and password of the VAM Client to hub1 and hub1.

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Specify the IP addresses of the VAM Servers.

[Hub1-vam-client-Hub1] server primary ip-address 1.0.0.11
[Hub1-vam-client-Hub1] server secondary ip-address 1.0.0.12

# Enable the VAM Client feature.

[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit

(3)     Configure an IPsec profile.

# Configure an IKE profile.

[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit

# Configure an IPsec profile.

[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF.

# Configure routing for the private network.

[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit

(5)     Configure the ADVPN tunnel.

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.

[Hub1] interface tunnel1 mode advpn gre
[Hub1-Tunnel1] ip address 192.168.0.1 255.255.255.0
[Hub1-Tunnel1] vam client Hub1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] source gigabitethernet 0/0/1
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] quit

6. Configuring Hub 2

(1)     Assign IP addresses to the interfaces. (Details not shown.)

(2)     Configure the VAM Client.

# Create VAM Client Hub2.

<Hub2> system-view
[Hub2] vam client name Hub2

# Set the ADVPN domain of the VAM Client to abc.

[Hub2-vam-client-Hub2] advpn-domain abc

# Set the pre-shared key of the VAM Client.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set the authentication username and password of the VAM Client to hub2 and hub2.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Specify the IP addresses of the VAM Servers.

[Hub2-vam-client-Hub2] server primary ip-address 1.0.0.11
[Hub2-vam-client-Hub2] server secondary ip-address 1.0.0.12

# Enable the VAM Client feature.

[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit

(3)     Configure an IPsec profile.

# Configure an IKE profile.

[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit

# Configure an IPsec profile.

[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF.

# Configure routing for the private network.

[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit

(5)     Configure the ADVPN tunnel.

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.

[Hub2] interface tunnel 1 mode advpn gre
[Hub2-Tunnel1] ip address 192.168.0.2 255.255.255.0
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] source gigabitethernet 0/0/1
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit

7. Configuring Spoke 1

(1)     Assign IP addresses to the interfaces. (Details not shown.)

(2)     Configure the VAM Client.

# Create VAM Client Spoke1.

<Spoke1> system-view
[Spoke1] vam client name Spoke1

# Set the ADVPN domain of the VAM Client to abc.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the pre-shared key of the VAM Client.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set the authentication username and password of the VAM Client to spoke1 and spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the IP addresses of the VAM Servers.

[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11
[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12

# Enable the VAM Client feature.

[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit

(3)     Configure an IPsec profile.

# Configure an IKE profile.

[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit

# Configure an IPsec profile.

[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF.

# Configure routing for the private network.

[Spoke1] ospf 1
[Spoke1-ospf-1] area 0
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit

(5)     Configure the ADVPN tunnel.

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1. Set the DR priority of Spoke1 to 0 so that Spoke1 does not take part in DR/BDR election.

[Spoke1] interface tunnel1 mode advpn gre
[Spoke1-Tunnel1] ip address 192.168.0.3 255.255.255.0
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source gigabitethernet 0/0/1
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit

8. Configuring Spoke 2

(1)     Assign IP addresses to the interfaces. (Details not shown.)

(2)     Configure the VAM Client.

# Create VAM Client Spoke2.

<Spoke2> system-view
[Spoke2] vam client name Spoke2

# Set the ADVPN domain of the VAM Client to abc.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the pre-shared key of the VAM Client.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set the authentication username and password of the VAM Client to spoke2 and spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the IP addresses of the VAM Servers.

[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11
[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12

# Enable the VAM Client feature.

[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit

(3)     Configure an IPsec profile.

# Configure an IKE profile.

[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit

# Configure an IPsec profile.

[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF.

# Configure routing for the private network.

[Spoke2] ospf 1
[Spoke2-ospf-1] area 0
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit

(5)     Configure the ADVPN tunnel.

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1. Set the DR priority of Spoke2 to 0 so that Spoke2 does not take part in DR/BDR election.

[Spoke2] interface tunnel1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] source gigabitethernet 0/0/1
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit

9. 驗證配置

# 顯示注冊到主VAM Server的所有VAM Client的IPv4私網地址映射信息。

[PrimaryServer] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S

0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S

0          192.168.0.3      1.0.0.3                     Spoke  No   0H 28M 25S

0          192.168.0.4      1.0.0.4                     Spoke  No   0H 19M 15S

# Display the IPv4 private address mappings of all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S

0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S

0          192.168.0.3      1.0.0.3                     Spoke  No   0H 28M 25S

0          192.168.0.4      1.0.0.4                     Spoke  No   0H 19M 15S

The output shows that Hub1, Hub2, Spoke1, and Spoke2 have all registered their address mappings with the VAM server.

# Display IPv4 ADVPN tunnel information on Hub1.

[Hub1] display advpn session

Interface         : Tunnel1

Number of sessions: 3

Private address  Public address              Port  Type  State      Holding time

192.168.0.2      1.0.0.2                     --    H-H   Success    0H 46M  8S

192.168.0.3      1.0.0.3                     --    H-S   Success    0H 27M 27S

192.168.0.4      1.0.0.4                     --    H-S   Success    0H 18M 18S

The output shows that Hub1 has established permanent tunnels with Hub2, Spoke1, and Spoke2. The output on Hub2 is similar to that on Hub1.

# Display IPv4 ADVPN tunnel information on Spoke1.

[Spoke1] display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address  Public address              Port  Type  State      Holding time

192.168.0.1      1.0.0.1                     --    S-H   Success    0H 46M  8S

192.168.0.2      1.0.0.2                     --    S-H   Success    0H 46M  8S

The output shows that Spoke1 has established permanent Hub-Spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar to that on Spoke1.

# On Spoke1, ping the private address 192.168.0.4 of Spoke2.

[Spoke1] ping 192.168.0.4

Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break

56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms

56 bytes from 192.168.0.4: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=4 ttl=255 time=1.000 ms

 

--- Ping statistics for 192.168.0.4 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms

# Display IPv4 ADVPN tunnel information on Spoke1 again.

[Spoke1] display advpn session

Interface         : Tunnel1

Number of sessions: 3

Private address  Public address              Port  Type  State      Holding time

192.168.0.1      1.0.0.1                     --    S-H   Success    0H 46M  8S

192.168.0.2      1.0.0.2                     --    S-H   Success    0H 46M  8S

192.168.0.4      1.0.0.4                     --    S-S   Success    0H  0M  1S

The output shows that Spoke1 has established permanent Hub-Spoke tunnels with Hub1 and Hub2, and a temporary Spoke-Spoke tunnel with Spoke2. The output on Spoke2 is similar to that on Spoke1.
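The address-map and session tables in this verification step are what an operator compares against the intended hub and spoke inventory; the same checks apply to the IPv6 example in 1.10.2 and to the Hub-Spoke examples, where a spoke-spoke session should never appear. As an added example that is not the guide's or the vendor's code, the Python below parses both tables and performs those checks; the expected address sets and the topology name are assumptions the caller supplies, and the sample output is constructed from this step.

```python
"""Check ADVPN state from 'display vam server address-map' and 'display advpn
session' output. Added example, not from the guide or its vendor: the expected
hub/spoke sets and the topology name are caller-supplied assumptions, and the
sample output is constructed from this example's verification step."""

# Constructed sample: the address map as displayed on the primary VAM server.
ADDRESS_MAP = """\
ADVPN domain name: abc
Total private address mappings: 4
Group      Private address  Public address              Type   NAT  Holding time
0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S
0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S
0          192.168.0.3      1.0.0.3                     Spoke  No   0H 28M 25S
0          192.168.0.4      1.0.0.4                     Spoke  No   0H 19M 15S
"""
# Constructed sample: Spoke1's sessions after it pinged Spoke2.
SPOKE1_SESSIONS = """\
Interface         : Tunnel1
Number of sessions: 3
Private address  Public address              Port  Type  State      Holding time
192.168.0.1      1.0.0.1                     --    S-H   Success    0H 46M  8S
192.168.0.2      1.0.0.2                     --    S-H   Success    0H 46M  8S
192.168.0.4      1.0.0.4                     --    S-S   Success    0H  0M  1S
"""
HUBS = {"192.168.0.1", "192.168.0.2"}      # assumption: the operator's inventory
SPOKES = {"192.168.0.3", "192.168.0.4"}


def _data_rows(text, header_prefix):
    """Return the non-empty lines after the column-header line; the IPv6
    variants of both commands use the same layout, so this applies to them too."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(header_prefix):
            return [l.rstrip() for l in lines[i + 1:] if l.strip()]
    raise ValueError(f"column header {header_prefix!r} not found")


def parse_address_map(text):
    """Map private address -> {group, public, type, nat, holding}; 'Holding
    time' contains spaces, so each row is split into at most six fields."""
    mappings = {}
    for row in _data_rows(text, "Group"):
        group, private, public, kind, nat, holding = row.split(None, 5)
        mappings[private] = {"group": group, "public": public, "type": kind,
                             "nat": nat, "holding": holding}
    return mappings


def parse_sessions(text):
    """Return one dict per row of 'display advpn session'."""
    sessions = []
    for row in _data_rows(text, "Private address"):
        private, public, port, kind, state, holding = row.split(None, 5)
        sessions.append({"private": private, "public": public, "port": port,
                         "type": kind, "state": state, "holding": holding})
    return sessions


def check_registration(mappings, hubs, spokes):
    """Every expected node must be registered with the role the server gave
    it; any other node registered in the domain is reported as well."""
    problems = []
    for addr in sorted(hubs | spokes):
        want = "Hub" if addr in hubs else "Spoke"
        entry = mappings.get(addr)
        if entry is None:
            problems.append(f"{addr}: not registered")
        elif entry["type"] != want:
            problems.append(f"{addr}: registered as {entry['type']}, expected {want}")
    for addr in sorted(mappings):
        if addr not in hubs and addr not in spokes:
            problems.append(f"{addr}: unexpected node registered")
    return problems


def check_sessions(sessions, role, hubs, topology):
    """role: 'hub' or 'spoke'; topology: 'full-mesh' or 'hub-spoke'. A Success
    session to every hub must exist. S-S sessions are dynamic in Full-Mesh but
    must not appear in Hub-Spoke, where spokes reach each other only via a hub."""
    problems = []
    by_peer = {s["private"]: s for s in sessions}
    to_hub = "H-H" if role == "hub" else "S-H"
    for hub in sorted(hubs):
        s = by_peer.get(hub)
        if s is None:
            problems.append(f"{hub}: no permanent session to hub")
        elif s["type"] != to_hub or s["state"] != "Success":
            problems.append(f"{hub}: session is {s['type']}/{s['state']}, "
                            f"expected {to_hub}/Success")
    for s in sessions:
        if s["private"] in hubs:
            continue
        if s["state"] != "Success":
            problems.append(f"{s['private']}: session state {s['state']}")
        if s["type"] == "S-S" and topology == "hub-spoke":
            problems.append(f"{s['private']}: spoke-spoke session not expected "
                            "in a Hub-Spoke network")
    return problems
```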

1.10.2  IPv6 Full-Mesh ADVPN configuration example

1. Network requirements

·     In the IPv6 Full-Mesh network, the primary and secondary VAM servers manage and maintain the information of every node; the AAA server authenticates VAM clients and performs accounting for them; the two hubs back each other up and are responsible for forwarding data and exchanging routing information.

·     Permanent ADVPN tunnels are established between the spokes and the hubs.

·     Within the same ADVPN domain, any two spokes dynamically establish an ADVPN tunnel when there is traffic between them.

2. Network diagram

Figure 1-8 Network diagram for IPv6 Full-Mesh ADVPN

Device            Interface   IP address

Hub 1             GE0/0/1     1::1/64
                  Tunnel1     192:168::1/64
Hub 2             GE0/0/1     1::2/64
                  Tunnel1     192:168::2/64
Spoke 1           GE0/0/1     1::3/64
                  GE0/0/2     192:168:1::1/64
                  Tunnel1     192:168::3/64
Spoke 2           GE0/0/1     1::4/64
                  GE0/0/2     192:168:2::1/64
                  Tunnel1     192:168::4/64
AAA server                    1::10/64
Primary server    GE0/0/1     1::11/64
Secondary server  GE0/0/1     1::12/64

3. Configure the primary VAM server

(1)     Configure IP addresses for the interfaces (details omitted)

(2)     Configure AAA authentication

# Configure a RADIUS scheme.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication ipv6 1::10 1812

[PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for the ISP domain.

[PrimaryServer] domain abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

(3)     Configure the VAM server

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify the IPv6 private addresses of the hubs in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2

# Specify the IPv6 private address range of the spokes in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke ipv6 private-address network 192:168::0 64

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Set the VAM server's pre-shared key to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Configure CHAP authentication for VAM clients.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

4. Configure the secondary VAM server

Except for the IP addresses, the ADVPN configuration on the secondary VAM server is the same as on the primary VAM server and is not repeated here.

5. Configure Hub1

(1)     Configure IP addresses for the interfaces (details omitted)

(2)     Configure the VAM client

# Create VAM client Hub1.

<Hub1> system-view

[Hub1] vam client name Hub1

# Assign the VAM client to ADVPN domain abc.

[Hub1-vam-client-Hub1] advpn-domain abc

# Set the VAM client's pre-shared key.

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set the VAM client's authentication username to hub1 and password to hub1.

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Configure the IP addresses of the primary and secondary VAM servers.

[Hub1-vam-client-Hub1] server primary ipv6-address 1::11

[Hub1-vam-client-Hub1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub1-vam-client-Hub1] client enable

[Hub1-vam-client-Hub1] quit

(3)     Configure the IPsec profile

# Configure the IKE profile.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode transport

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routing

# Enable OSPFv3 to advertise the private network routes.

[Hub1] ospfv3 1

[Hub1-ospfv3-1] router-id 0.0.0.1

[Hub1-ospfv3-1] area 0

[Hub1-ospfv3-1-area-0.0.0.0] quit

[Hub1-ospfv3-1] quit

(5)     Configure the ADVPN tunnel

# Configure GRE-mode IPv6 ADVPN tunnel interface Tunnel1.

[Hub1] interface tunnel1 mode advpn gre ipv6

[Hub1-Tunnel1] ipv6 address 192:168::1 64

[Hub1-Tunnel1] ipv6 address fe80::1 link-local

[Hub1-Tunnel1] vam ipv6 client Hub1

[Hub1-Tunnel1] ospfv3 1 area 0

[Hub1-Tunnel1] ospfv3 network-type broadcast

[Hub1-Tunnel1] source gigabitethernet 0/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] quit

6. Configure Hub2

(1)     Configure IP addresses for the interfaces (details omitted)

(2)     Configure the VAM client

# Create VAM client Hub2.

<Hub2> system-view

[Hub2] vam client name Hub2

# Assign the VAM client to ADVPN domain abc.

[Hub2-vam-client-Hub2] advpn-domain abc

# Set the VAM client's pre-shared key.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set the VAM client's authentication username to hub2 and password to hub2.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Configure the IP addresses of the VAM servers.

[Hub2-vam-client-Hub2] server primary ipv6-address 1::11

[Hub2-vam-client-Hub2] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub2-vam-client-Hub2] client enable

[Hub2-vam-client-Hub2] quit

(3)     Configure the IPsec profile

# Configure the IKE profile.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode transport

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routing

# Enable OSPFv3 to advertise the private network routes.

[Hub2] ospfv3 1

[Hub2-ospfv3-1] router-id 0.0.0.2

[Hub2-ospfv3-1] area 0

[Hub2-ospfv3-1-area-0.0.0.0] quit

[Hub2-ospfv3-1] quit

(5)     Configure the ADVPN tunnel

# Configure GRE-mode IPv6 ADVPN tunnel interface Tunnel1.

[Hub2] interface tunnel1 mode advpn gre ipv6

[Hub2-Tunnel1] ipv6 address 192:168::2 64

[Hub2-Tunnel1] ipv6 address fe80::2 link-local

[Hub2-Tunnel1] vam ipv6 client Hub2

[Hub2-Tunnel1] ospfv3 1 area 0

[Hub2-Tunnel1] ospfv3 network-type broadcast

[Hub2-Tunnel1] source gigabitethernet 0/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] quit

7. Configure Spoke1

(1)     Configure IP addresses for the interfaces (details omitted)

(2)     Configure the VAM client

# Create VAM client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Assign the VAM client to ADVPN domain abc.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the VAM client's pre-shared key.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set the VAM client's authentication username to spoke1 and password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Configure the IP addresses of the VAM servers.

[Spoke1-vam-client-Spoke1] server primary ipv6-address 1::11

[Spoke1-vam-client-Spoke1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

(3)     Configure the IPsec profile

# Configure the IKE profile.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routing

# Enable OSPFv3 to advertise the private network routes.

[Spoke1] ospfv3 1

[Spoke1-ospfv3-1] router-id 0.0.0.3

[Spoke1-ospfv3-1] area 0

[Spoke1-ospfv3-1-area-0.0.0.0] quit

[Spoke1-ospfv3-1] quit

(5)     Configure the ADVPN tunnel

# Configure GRE-mode IPv6 ADVPN tunnel interface Tunnel1. Set the DR priority of Spoke1 to 0 so that Spoke1 does not take part in DR/BDR election.

[Spoke1] interface tunnel1 mode advpn gre ipv6

[Spoke1-Tunnel1] ipv6 address 192:168::3 64

[Spoke1-Tunnel1] ipv6 address fe80::3 link-local

[Spoke1-Tunnel1] vam ipv6 client Spoke1

[Spoke1-Tunnel1] ospfv3 1 area 0

[Spoke1-Tunnel1] ospfv3 network-type broadcast

[Spoke1-Tunnel1] ospfv3 dr-priority 0

[Spoke1-Tunnel1] source gigabitethernet 0/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

8. Configure Spoke2

(1)     Configure IP addresses for the interfaces (details omitted)

(2)     Configure the VAM client

# Create VAM client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Assign the VAM client to ADVPN domain abc.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the VAM client's pre-shared key.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set the VAM client's authentication username to spoke2 and password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Configure the IP addresses of the VAM servers.

[Spoke2-vam-client-Spoke2] server primary ipv6-address 1::11

[Spoke2-vam-client-Spoke2] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

(3)     Configure the IPsec profile

# Configure the IKE profile.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routing

# Enable OSPFv3 to advertise the private network routes.

[Spoke2] ospfv3 1

[Spoke2-ospfv3-1] router-id 0.0.0.4

[Spoke2-ospfv3-1] area 0

[Spoke2-ospfv3-1-area-0.0.0.0] quit

[Spoke2-ospfv3-1] quit

(5)     Configure the ADVPN tunnel

# Configure GRE-mode IPv6 ADVPN tunnel interface Tunnel1. Set the DR priority of Spoke2 to 0 so that Spoke2 does not take part in DR/BDR election.

[Spoke2] interface tunnel1 mode advpn gre ipv6

[Spoke2-Tunnel1] ipv6 address 192:168::4 64

[Spoke2-Tunnel1] ipv6 address fe80::4 link-local

[Spoke2-Tunnel1] vam ipv6 client Spoke2

[Spoke2-Tunnel1] ospfv3 1 area 0

[Spoke2-Tunnel1] ospfv3 network-type broadcast

[Spoke2-Tunnel1] ospfv3 dr-priority 0

[Spoke2-Tunnel1] source gigabitethernet 0/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit

9. Verify the configuration

# Display the IPv6 private address mappings of all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server ipv6 address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address       Public address         Type   NAT  Holding time

0          192:168::1            1::1                   Hub    No   0H 52M  7S

0          192:168::2            1::2                   Hub    No   0H 47M 31S

0          192:168::3            1::3                   Spoke  No   0H 28M 25S

0          192:168::4            1::4                   Spoke  No   0H 19M 15S

# Display the IPv6 private address mappings of all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server ipv6 address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address       Public address         Type   NAT  Holding time

0          192:168::1            1::1                   Hub    No   0H 52M  7S

0          192:168::2            1::2                   Hub    No   0H 47M 31S

0          192:168::3            1::3                   Spoke  No   0H 28M 25S

0          192:168::4            1::4                   Spoke  No   0H 19M 15S

The output shows that Hub1, Hub2, Spoke1, and Spoke2 have all registered their address mappings with the VAM server.

# Display IPv6 ADVPN tunnel information on Hub1.

[Hub1] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 3

Private address       Public address        Port  Type  State      Holding time

192:168::2            1::2                  --    H-H   Success    0H 46M  8S

192:168::3            1::3                  --    H-S   Success    0H 27M 27S

192:168::4            1::4                  --    H-S   Success    0H 18M 18S

The output shows that Hub1 has established permanent tunnels with Hub2, Spoke1, and Spoke2. The output on Hub2 is similar to that on Hub1.

# Display IPv6 ADVPN tunnel information on Spoke1.

[Spoke1] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 2

Private address       Public address        Port  Type  State      Holding time

192:168::1            1::1                  --    S-H   Success    0H 46M  8S

192:168::2            1::2                  --    S-H   Success    0H 46M  8S

The output shows that Spoke1 has established permanent Hub-Spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar to that on Spoke1.

# On Spoke1, ping the private address 192:168::4 of Spoke2.

[Spoke1] ping ipv6 192:168::4

Ping6(56 data bytes) 192:168::4 --> 192:168::4, press CTRL_C to break

56 bytes from 192:168::4, icmp_seq=0 hlim=64 time=3.000 ms

56 bytes from 192:168::4, icmp_seq=1 hlim=64 time=0.000 ms

56 bytes from 192:168::4, icmp_seq=2 hlim=64 time=1.000 ms

56 bytes from 192:168::4, icmp_seq=3 hlim=64 time=1.000 ms

56 bytes from 192:168::4, icmp_seq=4 hlim=64 time=1.000 ms

 

--- Ping6 statistics for 192:168::4 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms

# Display IPv6 ADVPN tunnel information on Spoke1 again.

[Spoke1] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 3

Private address       Public address        Port  Type  State      Holding time

192:168::1            1::1                  --    S-H   Success    0H 46M  8S

192:168::2            1::2                  --    S-H   Success    0H 46M  8S

192:168::4            1::4                  --    S-S   Success    0H  0M  1S

The output shows that Spoke1 has established permanent Hub-Spoke tunnels with Hub1 and Hub2, and a temporary Spoke-Spoke tunnel with Spoke2. The output on Spoke2 is similar to that on Spoke1.

1.10.3  IPv4 Hub-Spoke ADVPN configuration example

1. Network requirements

·     In the IPv4 Hub-Spoke network, data is forwarded over Hub-Spoke tunnels. The primary and secondary VAM servers manage and maintain the information of every node; the AAA server authenticates VAM clients and performs accounting for them; the two hubs back each other up and are responsible for forwarding data and exchanging routing information.

·     Permanent ADVPN tunnels are established between the spokes and the hubs.

2. Network diagram

Figure 1-9 Network diagram for IPv4 Hub-Spoke ADVPN

Device            Interface   IP address

Hub 1             GE0/0/1     1.0.0.1/24
                  Tunnel1     192.168.0.1/24
Hub 2             GE0/0/1     1.0.0.2/24
                  Tunnel1     192.168.0.2/24
Spoke 1           GE0/0/1     1.0.0.3/24
                  GE0/0/2     192.168.1.1/24
                  Tunnel1     192.168.0.3/24
Spoke 2           GE0/0/1     1.0.0.4/24
                  GE0/0/2     192.168.2.1/24
                  Tunnel1     192.168.0.4/24
AAA server                    1.0.0.10/24
Primary server    GE0/0/1     1.0.0.11/24
Secondary server  GE0/0/1     1.0.0.12/24

3. Configure the primary VAM server

(1)     Configure IP addresses for the interfaces (details omitted)

(2)     Configure AAA authentication

# Configure a RADIUS scheme.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812

[PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for the ISP domain.

[PrimaryServer] domain abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

(3)     Configure the VAM server

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify the IPv4 private addresses of the hubs in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

# Specify the IPv4 private address range of the spokes in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Set the VAM server's pre-shared key to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Configure CHAP authentication for VAM clients.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

4. Configure the secondary VAM server

Except for the IP addresses, the ADVPN configuration on the secondary VAM server is the same as on the primary VAM server and is not repeated here.

5. Configure Hub1

(1)     Configure IP addresses for the interfaces (details omitted)

(2)     Configure the VAM client

# Create VAM client Hub1.

<Hub1> system-view

[Hub1] vam client name Hub1

# Assign the VAM client to ADVPN domain abc.

[Hub1-vam-client-Hub1] advpn-domain abc

# Set the VAM client's pre-shared key.

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set the VAM client's authentication username to hub1 and password to hub1.

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Configure the IP addresses of the VAM servers.

[Hub1-vam-client-Hub1] server primary ip-address 1.0.0.11

[Hub1-vam-client-Hub1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub1-vam-client-Hub1] client enable

[Hub1-vam-client-Hub1] quit

(3)     Configure the IPsec profile

# Configure the IKE profile.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode transport

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF routing

# Advertise the private network routes.

[Hub1] ospf 1

[Hub1-ospf-1] area 0

[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub1-ospf-1-area-0.0.0.0] quit

[Hub1-ospf-1] quit

(5)     Configure the ADVPN tunnel

# Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel1.

[Hub1] interface tunnel1 mode advpn gre

[Hub1-Tunnel1] ip address 192.168.0.1 255.255.255.0

[Hub1-Tunnel1] vam client Hub1

[Hub1-Tunnel1] ospf network-type p2mp

[Hub1-Tunnel1] source gigabitethernet 0/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] quit

6. Configure Hub2

(1)     Configure IP addresses for the interfaces (details omitted)

(2)     Configure the VAM client

# Create VAM client Hub2.

<Hub2> system-view

[Hub2] vam client name Hub2

# Assign the VAM client to ADVPN domain abc.

[Hub2-vam-client-Hub2] advpn-domain abc

# Set the VAM client's pre-shared key.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set the VAM client's authentication username to hub2 and password to hub2.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Configure the IP addresses of the VAM servers.

[Hub2-vam-client-Hub2] server primary ip-address 1.0.0.11

[Hub2-vam-client-Hub2] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Hub2-vam-client-Hub2] client enable

[Hub2-vam-client-Hub2] quit

(3)     Configure the IPsec profile

# Configure the IKE profile.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode transport

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF routing

# Advertise the private network routes.

[Hub2] ospf 1

[Hub2-ospf-1] area 0

[Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub2-ospf-1-area-0.0.0.0] quit

[Hub2-ospf-1] quit

(5)     Configure the ADVPN tunnel

# Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel1.

[Hub2] interface tunnel1 mode advpn gre

[Hub2-Tunnel1] ip address 192.168.0.2 255.255.255.0

[Hub2-Tunnel1] vam client Hub2

[Hub2-Tunnel1] ospf network-type p2mp

[Hub2-Tunnel1] source gigabitethernet 0/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] quit

7. Configure Spoke1

(1)     Configure IP addresses for the interfaces (details omitted)

(2)     Configure the VAM client

# Create VAM client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Assign the VAM client to ADVPN domain abc.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the VAM client's pre-shared key.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set the VAM client's authentication username to spoke1 and password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Configure the IP addresses of the VAM servers.

[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11

[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

(3)     Configure the IPsec profile

# Configure the IKE profile.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF routing

# Advertise the private network routes.

[Spoke1] ospf 1

[Spoke1-ospf-1] area 0

[Spoke1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[Spoke1-ospf-1-area-0.0.0.0] quit

[Spoke1-ospf-1] quit

(5)     Configure the ADVPN tunnel

# Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel1.

[Spoke1] interface tunnel1 mode advpn gre

[Spoke1-Tunnel1] ip address 192.168.0.3 255.255.255.0

[Spoke1-Tunnel1] vam client Spoke1

[Spoke1-Tunnel1] ospf network-type p2mp

[Spoke1-Tunnel1] source gigabitethernet 0/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

8. Configure Spoke2

(1)     Configure IP addresses for the interfaces (details omitted)

(2)     Configure the VAM client

# Create VAM client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Assign the VAM client to ADVPN domain abc.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the VAM client's pre-shared key.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set the VAM client's authentication username to spoke2 and password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Configure the IP addresses of the VAM servers.

[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11

[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

(3)     Configure the IPsec profile

# Configure the IKE profile.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF routing

# Advertise the private network routes.

[Spoke2] ospf 1

[Spoke2-ospf-1] area 0

[Spoke2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[Spoke2-ospf-1-area-0.0.0.0] quit

[Spoke2-ospf-1] quit

(5)     Configure the ADVPN tunnel

# Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel1.

[Spoke2] interface tunnel1 mode advpn gre

[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0

[Spoke2-Tunnel1] vam client Spoke2

[Spoke2-Tunnel1] ospf network-type p2mp

[Spoke2-Tunnel1] source gigabitethernet 0/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit

9. Verify the configuration

# Display the IPv4 private address mappings of all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S

0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S

0          192.168.0.3      1.0.0.3                     Spoke  No   0H 28M 25S

0          192.168.0.4      1.0.0.4                     Spoke  No   0H 19M 15S

# Display the IPv4 private address mappings of all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S

0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S

0          192.168.0.3      1.0.0.3                     Spoke  No   0H 28M 25S

0          192.168.0.4      1.0.0.4                     Spoke  No   0H 19M 15S

The output shows that Hub1, Hub2, Spoke1, and Spoke2 have all registered their address mappings with the VAM server.

# Display IPv4 ADVPN tunnel information on Hub1.

[Hub1] display advpn session

Interface         : Tunnel1

Number of sessions: 3

Private address  Public address              Port  Type  State      Holding time

192.168.0.2      1.0.0.2                     --    H-H   Success    0H 46M  8S

192.168.0.3      1.0.0.3                     --    H-S   Success    0H 27M 27S

192.168.0.4      1.0.0.4                     --    H-S   Success    0H 18M 18S

The output shows that Hub1 has established permanent tunnels with Hub2, Spoke1, and Spoke2. The output on Hub2 is similar to that on Hub1.

# Display IPv4 ADVPN tunnel information on Spoke1.

[Spoke1] display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address  Public address              Port  Type  State      Holding time

192.168.0.1      1.0.0.1                     --    S-H   Success    0H 46M  8S

192.168.0.2      1.0.0.2                     --    S-H   Success    0H 46M  8S

The output shows that Spoke1 has established permanent Hub-Spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar to that on Spoke1.

# On Spoke1, ping the private address 192.168.0.4 of Spoke2. In a Hub-Spoke network the traffic is forwarded through the hubs, so no Spoke-Spoke tunnel is created.

[Spoke1] ping 192.168.0.4

Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break

56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms

56 bytes from 192.168.0.4: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=4 ttl=255 time=1.000 ms

 

--- Ping statistics for 192.168.0.4 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms

1.10.4  IPv6 Hub-Spoke ADVPN configuration example

1. Network requirements

·     In the IPv6 Hub-Spoke network, data is forwarded over Hub-Spoke tunnels. The primary and secondary VAM servers manage and maintain the information of every node; the AAA server authenticates VAM clients and performs accounting for them; the two hubs back each other up and are responsible for forwarding data and exchanging routing information.

·     Permanent ADVPN tunnels are established between the spokes and the hubs.

2. Network diagram

Figure 1-10 Network diagram for IPv6 Hub-Spoke ADVPN

Device            Interface   IP address

Hub 1             GE0/0/1     1::1/64
                  Tunnel1     192:168::1/64
Hub 2             GE0/0/1     1::2/64
                  Tunnel1     192:168::2/64
Spoke 1           GE0/0/1     1::3/64
                  GE0/0/2     192:168:1::1/64
                  Tunnel1     192:168::3/64
Spoke 2           GE0/0/1     1::4/64
                  GE0/0/2     192:168:2::1/64
                  Tunnel1     192:168::4/64
AAA server                    1::10/64
Primary server    GE0/0/1     1::11/64
Secondary server  GE0/0/1     1::12/64

3. Configure the primary VAM server

(1)     Configure IP addresses for the interfaces (details omitted)

(2)     Configure AAA authentication

# Configure a RADIUS scheme.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication ipv6 1::10 1812

[PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for the ISP domain.

[PrimaryServer] domain abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

(3)     Configure the VAM server

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify the IPv6 private addresses of the hubs in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2

# Specify the IPv6 private address range of the spokes in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke ipv6 private-address network 192:168::0 64

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Set the VAM server's pre-shared key to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Configure CHAP authentication for VAM clients.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

4. Configure the secondary VAM server

Except for the IP addresses, the ADVPN configuration on the secondary VAM server is the same as on the primary VAM server and is not repeated here.

5. 配置Hub1

(1)     配置各接口的IP地址(略)

(2)     配置VAM Client

# 創建VAM Client Hub1。

<Hub1> system-view

[Hub1] vam client name Hub1

# 配置VAM Client所屬的ADVPN域為abc。

[Hub1-vam-client-Hub1] advpn-domain abc

# 配置VAM Client的預共享密鑰。

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# 配置VAM Client的認證用戶名為hub1,密碼為hub1。

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# 配置VAM Server的IP地址。

[Hub1-vam-client-Hub1] server primary ipv6-address 1::11

[Hub1-vam-client-Hub1] server secondary ipv6-address 1::12

# Enable the VAM Client function.

[Hub1-vam-client-Hub1] client enable

[Hub1-vam-client-Hub1] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure an IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode transport

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routing

# Start OSPFv3 to advertise the private network routes.

[Hub1] ospfv3 1

[Hub1-ospfv3-1] router-id 0.0.0.1

[Hub1-ospfv3-1] area 0

[Hub1-ospfv3-1-area-0.0.0.0] quit

[Hub1-ospfv3-1] quit

(5)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv6 ADVPN tunnel interface Tunnel1.

[Hub1] interface tunnel1 mode advpn gre ipv6

[Hub1-Tunnel1] ipv6 address 192:168::1 64

[Hub1-Tunnel1] ipv6 address fe80::1 link-local

[Hub1-Tunnel1] vam ipv6 client Hub1

[Hub1-Tunnel1] ospfv3 1 area 0

[Hub1-Tunnel1] ospfv3 network-type p2mp

[Hub1-Tunnel1] source gigabitethernet 0/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] quit

6. Configure Hub2

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure the VAM Client

# Create VAM Client Hub2.

<Hub2> system-view

[Hub2] vam client name Hub2

# Set the ADVPN domain of the VAM Client to abc.

[Hub2-vam-client-Hub2] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to hub2 and the password to hub2.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Configure the IP addresses of the VAM Servers.

[Hub2-vam-client-Hub2] server primary ipv6-address 1::11

[Hub2-vam-client-Hub2] server secondary ipv6-address 1::12

# Enable the VAM Client function.

[Hub2-vam-client-Hub2] client enable

[Hub2-vam-client-Hub2] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure an IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode transport

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routing

# Start OSPFv3 to advertise the private network routes.

[Hub2] ospfv3 1

[Hub2-ospfv3-1] router-id 0.0.0.2

[Hub2-ospfv3-1] area 0

[Hub2-ospfv3-1-area-0.0.0.0] quit

[Hub2-ospfv3-1] quit

(5)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv6 ADVPN tunnel interface Tunnel1.

[Hub2] interface tunnel1 mode advpn gre ipv6

[Hub2-Tunnel1] ipv6 address 192:168::2 64

[Hub2-Tunnel1] ipv6 address fe80::2 link-local

[Hub2-Tunnel1] vam ipv6 client Hub2

[Hub2-Tunnel1] ospfv3 1 area 0

[Hub2-Tunnel1] ospfv3 network-type p2mp

[Hub2-Tunnel1] source gigabitethernet 0/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] quit

7. Configure Spoke1

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure the VAM Client

# Create VAM Client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Set the ADVPN domain of the VAM Client to abc.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to spoke1 and the password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Configure the IP addresses of the VAM Servers.

[Spoke1-vam-client-Spoke1] server primary ipv6-address 1::11

[Spoke1-vam-client-Spoke1] server secondary ipv6-address 1::12

# Enable the VAM Client function.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure an IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routing

# Start OSPFv3 to advertise the private network routes.

[Spoke1] ospfv3 1

[Spoke1-ospfv3-1] router-id 0.0.0.3

[Spoke1-ospfv3-1] area 0

[Spoke1-ospfv3-1-area-0.0.0.0] quit

[Spoke1-ospfv3-1] quit

(5)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv6 ADVPN tunnel interface Tunnel1.

[Spoke1] interface tunnel1 mode advpn gre ipv6

[Spoke1-Tunnel1] ipv6 address 192:168::3 64

[Spoke1-Tunnel1] ipv6 address fe80::3 link-local

[Spoke1-Tunnel1] vam ipv6 client Spoke1

[Spoke1-Tunnel1] ospfv3 1 area 0

[Spoke1-Tunnel1] ospfv3 network-type p2mp

[Spoke1-Tunnel1] source gigabitethernet 0/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

8. Configure Spoke2

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure the VAM Client

# Create VAM Client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Set the ADVPN domain of the VAM Client to abc.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to spoke2 and the password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Configure the IP addresses of the VAM Servers.

[Spoke2-vam-client-Spoke2] server primary ipv6-address 1::11

[Spoke2-vam-client-Spoke2] server secondary ipv6-address 1::12

# Enable the VAM Client function.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure an IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routing

# Start OSPFv3 to advertise the private network routes.

[Spoke2] ospfv3 1

[Spoke2-ospfv3-1] router-id 0.0.0.4

[Spoke2-ospfv3-1] area 0

[Spoke2-ospfv3-1-area-0.0.0.0] quit

[Spoke2-ospfv3-1] quit

(5)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv6 ADVPN tunnel interface Tunnel1.

[Spoke2] interface tunnel1 mode advpn gre ipv6

[Spoke2-Tunnel1] ipv6 address 192:168::4 64

[Spoke2-Tunnel1] ipv6 address fe80::4 link-local

[Spoke2-Tunnel1] vam ipv6 client Spoke2

[Spoke2-Tunnel1] ospfv3 1 area 0

[Spoke2-Tunnel1] ospfv3 network-type p2mp

[Spoke2-Tunnel1] source gigabitethernet 0/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit

9. Verify the configuration

# Display the IPv6 private address mappings of all VAM Clients registered with the primary VAM Server.

[PrimaryServer] display vam server ipv6 address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address       Public address         Type   NAT  Holding time

0          192:168::1            1::1                   Hub    No   0H 52M  7S

0          192:168::2            1::2                   Hub    No   0H 47M 31S

0          192:168::3            1::3                   Spoke  No   0H 28M 25S

0          192:168::4            1::4                   Spoke  No   0H 19M 15S

# Display the IPv6 private address mappings of all VAM Clients registered with the secondary VAM Server.

[SecondaryServer] display vam server ipv6 address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address       Public address         Type   NAT  Holding time

0          192:168::1            1::1                   Hub    No   0H 52M  7S

0          192:168::2            1::2                   Hub    No   0H 47M 31S

0          192:168::3            1::3                   Spoke  No   0H 28M 25S

0          192:168::4            1::4                   Spoke  No   0H 19M 15S

The output shows that Hub1, Hub2, Spoke1 and Spoke2 have all registered their address mappings with the VAM Server.

# Display the IPv6 ADVPN tunnel information on Hub1.

[Hub1] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 3

Private address       Public address        Port  Type  State      Holding time

192:168::2            1::2                  --    H-H   Success    0H 46M  8S

192:168::3            1::3                  --    H-S   Success    0H 27M 27S

192:168::4            1::4                  --    H-S   Success    0H 18M 18S

The output shows that Hub1 has established permanent tunnels with Hub2, Spoke1 and Spoke2. The output on Hub2 is similar to that on Hub1.

# Display the IPv6 ADVPN tunnel information on Spoke1.

[Spoke1] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 2

Private address       Public address        Port  Type  State      Holding time

192:168::1            1::1                  --    S-H   Success    0H 46M  8S

192:168::2            1::2                  --    S-H   Success    0H 46M  8S

The output shows that Spoke1 has established permanent Hub-Spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar to that on Spoke1.

# Ping the private address 192:168::4 of Spoke2 from Spoke1.

[Spoke1] ping ipv6 192:168::4

Ping6(56 data bytes) 192:168::4 --> 192:168::4, press CTRL_C to break

56 bytes from 192:168::4, icmp_seq=0 hlim=64 time=3.000 ms

56 bytes from 192:168::4, icmp_seq=1 hlim=64 time=0.000 ms

56 bytes from 192:168::4, icmp_seq=2 hlim=64 time=1.000 ms

56 bytes from 192:168::4, icmp_seq=3 hlim=64 time=1.000 ms

56 bytes from 192:168::4, icmp_seq=4 hlim=64 time=1.000 ms

 

--- Ping6 statistics for 192:168::4 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms

1.10.5  IPv4 ADVPN configuration example with multiple hub groups

1. Network requirements

The ADVPN domain contains a large number of ADVPN nodes, so it is divided into multiple hub groups to reduce the load on the Hubs. The requirements are as follows:

·     The primary and secondary VAM Servers manage and maintain the information of every node.

·     The AAA server authenticates the VAM Clients and performs accounting for them.

·     The ADVPN domain is divided into three hub groups: Hub1, Hub2 and Hub3 belong to hub group 0; Hub1, Hub2, Spoke1 and Spoke2 belong to hub group 1, where the two Hubs back each other up; Hub3, Spoke3 and Spoke4 belong to hub group 2.

·     Hub group 1 and hub group 2 use Full-Mesh networking.

·     All Spokes are allowed to establish direct Spoke-Spoke tunnels across hub groups.

2. Network diagram

Figure 1-11 Network diagram for IPv4 ADVPN with multiple hub groups

Device             Interface   IP address

Hub 1              GE0/0/1     1.0.0.1/24
                   Tunnel1     192.168.1.1/24
                   Tunnel2     192.168.0.1/24

Hub 2              GE0/0/1     1.0.0.2/24
                   Tunnel1     192.168.1.2/24
                   Tunnel2     192.168.0.2/24

Hub 3              GE0/0/1     1.0.0.3/24
                   Tunnel1     192.168.2.1/24
                   Tunnel2     192.168.0.3/24

Spoke 1            GE0/0/1     1.0.0.4/24
                   GE0/0/2     192.168.10.1/24
                   Tunnel1     192.168.1.3/24

Spoke 2            GE0/0/1     1.0.0.5/24
                   GE0/0/2     192.168.20.1/24
                   GE0/0/3     192.168.30.1/24
                   Tunnel1     192.168.1.4/24

Spoke 3            GE0/0/1     1.0.0.6/24
                   GE0/0/2     192.168.40.1/24
                   Tunnel1     192.168.2.2/24

Spoke 4            GE0/0/1     1.0.0.7/24
                   GE0/0/2     192.168.50.1/24
                   GE0/0/3     192.168.60.1/24
                   Tunnel1     192.168.2.3/24

AAA server                     1.0.0.10/24

Primary server     GE0/0/1     1.0.0.11/24

Secondary server   GE0/0/1     1.0.0.12/24


3. Configure the primary VAM Server

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure AAA authentication

# Configure a RADIUS scheme.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812

[PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure the AAA methods for the ISP domain.

[PrimaryServer] domain abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

(3)     Configure the VAM Server

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify the IPv4 private addresses of the Hubs in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.3

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Create hub group 1.

[PrimaryServer-vam-server-domain-abc] hub-group 1

# Specify the IPv4 private addresses of the Hubs in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-1] hub private-address 192.168.1.1

[PrimaryServer-vam-server-domain-abc-hub-group-1] hub private-address 192.168.1.2

# Specify the IPv4 private address range of the Spokes in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-1] spoke private-address network 192.168.1.0 255.255.255.0

# Allow direct Spoke-Spoke tunnels across hub groups.

[PrimaryServer-vam-server-domain-abc-hub-group-1] shortcut interest all

[PrimaryServer-vam-server-domain-abc-hub-group-1] quit

# Create hub group 2.

[PrimaryServer-vam-server-domain-abc] hub-group 2

# Specify the IPv4 private address of the Hub in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-2] hub private-address 192.168.2.1

# Specify the IPv4 private address range of the Spokes in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-2] spoke private-address network 192.168.2.0 255.255.255.0

# Allow direct Spoke-Spoke tunnels across hub groups.

[PrimaryServer-vam-server-domain-abc-hub-group-2] shortcut interest all

[PrimaryServer-vam-server-domain-abc-hub-group-2] quit

# Set the pre-shared key of the VAM Server to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Configure CHAP authentication for VAM Clients.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM Server function for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

4. Configure the secondary VAM Server

Apart from the IP addresses, the ADVPN configuration of the secondary VAM Server is the same as that of the primary VAM Server and is not repeated here.

5. Configure Hub1

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure the VAM Clients

# Create VAM Client Hub1Group0.

<Hub1> system-view

[Hub1] vam client name Hub1Group0

# Set the ADVPN domain of the VAM Client to abc.

[Hub1-vam-client-Hub1Group0] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Hub1-vam-client-Hub1Group0] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to hub1 and the password to hub1.

[Hub1-vam-client-Hub1Group0] user hub1 password simple hub1

# Configure the IP addresses of the VAM Servers.

[Hub1-vam-client-Hub1Group0] server primary ip-address 1.0.0.11

[Hub1-vam-client-Hub1Group0] server secondary ip-address 1.0.0.12

# Enable the VAM Client function.

[Hub1-vam-client-Hub1Group0] client enable

[Hub1-vam-client-Hub1Group0] quit

# Create VAM Client Hub1Group1.

[Hub1] vam client name Hub1Group1

# Set the ADVPN domain of the VAM Client to abc.

[Hub1-vam-client-Hub1Group1] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Hub1-vam-client-Hub1Group1] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to hub1 and the password to hub1.

[Hub1-vam-client-Hub1Group1] user hub1 password simple hub1

# Configure the IP addresses of the VAM Servers.

[Hub1-vam-client-Hub1Group1] server primary ip-address 1.0.0.11

[Hub1-vam-client-Hub1Group1] server secondary ip-address 1.0.0.12

# Enable the VAM Client function.

[Hub1-vam-client-Hub1Group1] client enable

[Hub1-vam-client-Hub1Group1] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure an IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode transport

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF routing

# Configure the private network routes.

[Hub1] ospf 1

[Hub1-ospf-1] area 0

[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub1-ospf-1-area-0.0.0.0] quit

[Hub1-ospf-1] area 1

[Hub1-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255

[Hub1-ospf-1-area-0.0.0.1] quit

[Hub1-ospf-1] quit

(5)     Configure the ADVPN tunnels

# Configure UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel1.

[Hub1] interface tunnel1 mode advpn udp

[Hub1-Tunnel1] ip address 192.168.1.1 255.255.255.0

[Hub1-Tunnel1] vam client Hub1Group1

[Hub1-Tunnel1] ospf network-type broadcast

[Hub1-Tunnel1] source gigabitethernet 0/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] quit

# Configure UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel2.

[Hub1] interface tunnel2 mode advpn udp

[Hub1-Tunnel2] ip address 192.168.0.1 255.255.255.0

[Hub1-Tunnel2] vam client Hub1Group0

[Hub1-Tunnel2] ospf network-type broadcast

[Hub1-Tunnel2] source gigabitethernet 0/0/1

[Hub1-Tunnel2] tunnel protection ipsec profile abc

[Hub1-Tunnel2] quit

6. Configure Hub2

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure the VAM Clients

# Create VAM Client Hub2Group0.

<Hub2> system-view

[Hub2] vam client name Hub2Group0

# Set the ADVPN domain of the VAM Client to abc.

[Hub2-vam-client-Hub2Group0] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Hub2-vam-client-Hub2Group0] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to hub2 and the password to hub2.

[Hub2-vam-client-Hub2Group0] user hub2 password simple hub2

# Configure the IP addresses of the VAM Servers.

[Hub2-vam-client-Hub2Group0] server primary ip-address 1.0.0.11

[Hub2-vam-client-Hub2Group0] server secondary ip-address 1.0.0.12

# Enable the VAM Client function.

[Hub2-vam-client-Hub2Group0] client enable

[Hub2-vam-client-Hub2Group0] quit

# Create VAM Client Hub2Group1.

[Hub2] vam client name Hub2Group1

# Set the ADVPN domain of the VAM Client to abc.

[Hub2-vam-client-Hub2Group1] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Hub2-vam-client-Hub2Group1] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to hub2 and the password to hub2.

[Hub2-vam-client-Hub2Group1] user hub2 password simple hub2

# Configure the IP addresses of the VAM Servers.

[Hub2-vam-client-Hub2Group1] server primary ip-address 1.0.0.11

[Hub2-vam-client-Hub2Group1] server secondary ip-address 1.0.0.12

# Enable the VAM Client function.

[Hub2-vam-client-Hub2Group1] client enable

[Hub2-vam-client-Hub2Group1] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure an IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode transport

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF routing

# Configure the private network routes.

[Hub2] ospf 1

[Hub2-ospf-1] area 0

[Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub2-ospf-1-area-0.0.0.0] quit

[Hub2-ospf-1] area 1

[Hub2-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255

[Hub2-ospf-1-area-0.0.0.1] quit

[Hub2-ospf-1] quit

(5)     Configure the ADVPN tunnels

# Configure UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel1.

[Hub2] interface tunnel1 mode advpn udp

[Hub2-Tunnel1] ip address 192.168.1.2 255.255.255.0

[Hub2-Tunnel1] vam client Hub2Group1

[Hub2-Tunnel1] ospf network-type broadcast

[Hub2-Tunnel1] source gigabitethernet 0/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] quit

# Configure UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel2.

[Hub2] interface tunnel2 mode advpn udp

[Hub2-Tunnel2] ip address 192.168.0.2 255.255.255.0

[Hub2-Tunnel2] vam client Hub2Group0

[Hub2-Tunnel2] ospf network-type broadcast

[Hub2-Tunnel2] source gigabitethernet 0/0/1

[Hub2-Tunnel2] tunnel protection ipsec profile abc

[Hub2-Tunnel2] quit

7. Configure Hub3

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure the VAM Clients

# Create VAM Client Hub3Group0.

<Hub3> system-view

[Hub3] vam client name Hub3Group0

# Set the ADVPN domain of the VAM Client to abc.

[Hub3-vam-client-Hub3Group0] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Hub3-vam-client-Hub3Group0] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to hub3 and the password to hub3.

[Hub3-vam-client-Hub3Group0] user hub3 password simple hub3

# Configure the IP addresses of the VAM Servers.

[Hub3-vam-client-Hub3Group0] server primary ip-address 1.0.0.11

[Hub3-vam-client-Hub3Group0] server secondary ip-address 1.0.0.12

# Enable the VAM Client function.

[Hub3-vam-client-Hub3Group0] client enable

[Hub3-vam-client-Hub3Group0] quit

# Create VAM Client Hub3Group1.

[Hub3] vam client name Hub3Group1

# Set the ADVPN domain of the VAM Client to abc.

[Hub3-vam-client-Hub3Group1] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Hub3-vam-client-Hub3Group1] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to hub3 and the password to hub3.

[Hub3-vam-client-Hub3Group1] user hub3 password simple hub3

# Configure the IP addresses of the VAM Servers.

[Hub3-vam-client-Hub3Group1] server primary ip-address 1.0.0.11

[Hub3-vam-client-Hub3Group1] server secondary ip-address 1.0.0.12

# Enable the VAM Client function.

[Hub3-vam-client-Hub3Group1] client enable

[Hub3-vam-client-Hub3Group1] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Hub3] ike keychain abc

[Hub3-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub3-ike-keychain-abc] quit

[Hub3] ike profile abc

[Hub3-ike-profile-abc] keychain abc

[Hub3-ike-profile-abc] quit

# Configure an IPsec profile.

[Hub3] ipsec transform-set abc

[Hub3-ipsec-transform-set-abc] encapsulation-mode transport

[Hub3-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub3-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub3-ipsec-transform-set-abc] quit

[Hub3] ipsec profile abc isakmp

[Hub3-ipsec-profile-isakmp-abc] transform-set abc

[Hub3-ipsec-profile-isakmp-abc] ike-profile abc

[Hub3-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF routing

# Configure the private network routes.

[Hub3] ospf 1

[Hub3-ospf-1] area 0

[Hub3-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub3-ospf-1-area-0.0.0.0] quit

[Hub3-ospf-1] area 2

[Hub3-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255

[Hub3-ospf-1-area-0.0.0.2] quit

[Hub3-ospf-1] quit

(5)     Configure the ADVPN tunnels

# Configure UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel1.

[Hub3] interface tunnel1 mode advpn udp

[Hub3-Tunnel1] ip address 192.168.2.1 255.255.255.0

[Hub3-Tunnel1] vam client Hub3Group1

[Hub3-Tunnel1] ospf network-type broadcast

[Hub3-Tunnel1] source gigabitethernet 0/0/1

[Hub3-Tunnel1] tunnel protection ipsec profile abc

[Hub3-Tunnel1] quit

# Configure UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel2.

[Hub3] interface tunnel2 mode advpn udp

[Hub3-Tunnel2] ip address 192.168.0.3 255.255.255.0

[Hub3-Tunnel2] vam client Hub3Group0

[Hub3-Tunnel2] ospf network-type broadcast

[Hub3-Tunnel2] source gigabitethernet 0/0/1

[Hub3-Tunnel2] tunnel protection ipsec profile abc

[Hub3-Tunnel2] quit

8. Configure Spoke1

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure the VAM Client

# Create VAM Client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Set the ADVPN domain of the VAM Client to abc.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to spoke1 and the password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Configure the IP addresses of the VAM Servers.

[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11

[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12

# Enable the VAM Client function.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure an IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF routing

# Configure the private network routes.

[Spoke1] ospf 1

[Spoke1-ospf-1] area 1

[Spoke1-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255

[Spoke1-ospf-1-area-0.0.0.1] network 192.168.10.0 0.0.0.255

[Spoke1-ospf-1-area-0.0.0.1] quit

[Spoke1-ospf-1] quit

(5)     Configure the ADVPN tunnel

# Configure UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel1. Set the DR priority of Spoke1 to 0 so that Spoke1 does not take part in DR/BDR election.

[Spoke1] interface tunnel1 mode advpn udp

[Spoke1-Tunnel1] ip address 192.168.1.3 255.255.255.0

[Spoke1-Tunnel1] vam client Spoke1

[Spoke1-Tunnel1] ospf network-type broadcast

[Spoke1-Tunnel1] ospf dr-priority 0

[Spoke1-Tunnel1] advpn network 192.168.10.0 255.255.255.0

[Spoke1-Tunnel1] source gigabitethernet 0/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

9. Configure Spoke2

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure the VAM Client

# Create VAM Client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Set the ADVPN domain of the VAM Client to abc.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to spoke2 and the password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Configure the IP addresses of the VAM Servers.

[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11

[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12

# Enable the VAM Client function.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure an IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF routing

# Configure the private network routes.

[Spoke2] ospf 1

[Spoke2-ospf-1] area 1

[Spoke2-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255

[Spoke2-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255

[Spoke2-ospf-1-area-0.0.0.1] network 192.168.30.0 0.0.0.255

[Spoke2-ospf-1-area-0.0.0.1] quit

[Spoke2-ospf-1] quit

(5)     Configure the ADVPN tunnel

# Configure UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel1. Set the DR priority of Spoke2 to 0 so that Spoke2 does not take part in DR/BDR election.

[Spoke2] interface tunnel1 mode advpn udp

[Spoke2-Tunnel1] ip address 192.168.1.4 255.255.255.0

[Spoke2-Tunnel1] vam client Spoke2

[Spoke2-Tunnel1] ospf network-type broadcast

[Spoke2-Tunnel1] ospf dr-priority 0

[Spoke2-Tunnel1] advpn network 192.168.20.0 255.255.255.0

[Spoke2-Tunnel1] advpn network 192.168.30.0 255.255.255.0

[Spoke2-Tunnel1] source gigabitethernet 0/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit

10. Configure Spoke3

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure the VAM Client

# Create VAM Client Spoke3.

<Spoke3> system-view

[Spoke3] vam client name Spoke3

# Set the ADVPN domain of the VAM Client to abc.

[Spoke3-vam-client-Spoke3] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Spoke3-vam-client-Spoke3] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to spoke3 and the password to spoke3.

[Spoke3-vam-client-Spoke3] user spoke3 password simple spoke3

# Configure the IP addresses of the VAM Servers.

[Spoke3-vam-client-Spoke3] server primary ip-address 1.0.0.11

[Spoke3-vam-client-Spoke3] server secondary ip-address 1.0.0.12

# Enable the VAM Client function.

[Spoke3-vam-client-Spoke3] client enable

[Spoke3-vam-client-Spoke3] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Spoke3] ike keychain abc

[Spoke3-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke3-ike-keychain-abc] quit

[Spoke3] ike profile abc

[Spoke3-ike-profile-abc] keychain abc

[Spoke3-ike-profile-abc] quit

# Configure an IPsec profile.

[Spoke3] ipsec transform-set abc

[Spoke3-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke3-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke3-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke3-ipsec-transform-set-abc] quit

[Spoke3] ipsec profile abc isakmp

[Spoke3-ipsec-profile-isakmp-abc] transform-set abc

[Spoke3-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke3-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF routing

# Configure the private network routes.

[Spoke3] ospf 1

[Spoke3-ospf-1] area 2

[Spoke3-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255

[Spoke3-ospf-1-area-0.0.0.2] network 192.168.40.0 0.0.0.255

[Spoke3-ospf-1-area-0.0.0.2] quit

[Spoke3-ospf-1] quit

(5)     Configure the ADVPN tunnel

# Configure UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel1. Set the DR priority of Spoke3 to 0 so that Spoke3 does not take part in DR/BDR election.

[Spoke3] interface tunnel1 mode advpn udp

[Spoke3-Tunnel1] ip address 192.168.2.2 255.255.255.0

[Spoke3-Tunnel1] vam client Spoke3

[Spoke3-Tunnel1] ospf network-type broadcast

[Spoke3-Tunnel1] ospf dr-priority 0

[Spoke3-Tunnel1] advpn network 192.168.40.0 255.255.255.0

[Spoke3-Tunnel1] source gigabitethernet 0/0/1

[Spoke3-Tunnel1] tunnel protection ipsec profile abc

[Spoke3-Tunnel1] quit

11. Configure Spoke4

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure the VAM Client

# Create VAM Client Spoke4.

<Spoke4> system-view

[Spoke4] vam client name Spoke4

# Set the ADVPN domain of the VAM Client to abc.

[Spoke4-vam-client-Spoke4] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Spoke4-vam-client-Spoke4] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to spoke4 and the password to spoke4.

[Spoke4-vam-client-Spoke4] user spoke4 password simple spoke4

# Configure the IP addresses of the VAM Servers.

[Spoke4-vam-client-Spoke4] server primary ip-address 1.0.0.11

[Spoke4-vam-client-Spoke4] server secondary ip-address 1.0.0.12

# Enable the VAM Client function.

[Spoke4-vam-client-Spoke4] client enable

[Spoke4-vam-client-Spoke4] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Spoke4] ike keychain abc

[Spoke4-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Spoke4-ike-keychain-abc] quit

[Spoke4] ike profile abc

[Spoke4-ike-profile-abc] keychain abc

[Spoke4-ike-profile-abc] quit

# Configure an IPsec profile.

[Spoke4] ipsec transform-set abc

[Spoke4-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke4-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke4-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke4-ipsec-transform-set-abc] quit

[Spoke4] ipsec profile abc isakmp

[Spoke4-ipsec-profile-isakmp-abc] transform-set abc

[Spoke4-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke4-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPF routing

# Configure the private network routes.

[Spoke4] ospf 1

[Spoke4-ospf-1] area 2

[Spoke4-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255

[Spoke4-ospf-1-area-0.0.0.2] network 192.168.50.0 0.0.0.255

[Spoke4-ospf-1-area-0.0.0.2] network 192.168.60.0 0.0.0.255

[Spoke4-ospf-1-area-0.0.0.2] quit

[Spoke4-ospf-1] quit

(5)     Configure the ADVPN tunnel

# Configure UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel1. Set the DR priority of Spoke4 to 0 so that Spoke4 does not take part in DR/BDR election.

[Spoke4] interface tunnel1 mode advpn udp

[Spoke4-Tunnel1] ip address 192.168.2.3 255.255.255.0

[Spoke4-Tunnel1] vam client Spoke4

[Spoke4-Tunnel1] ospf network-type broadcast

[Spoke4-Tunnel1] ospf dr-priority 0

[Spoke4-Tunnel1] advpn network 192.168.50.0 255.255.255.0

[Spoke4-Tunnel1] advpn network 192.168.60.0 255.255.255.0

[Spoke4-Tunnel1] source gigabitethernet 0/0/1

[Spoke4-Tunnel1] tunnel protection ipsec profile abc

[Spoke4-Tunnel1] quit
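
The IPsec profile of step (3) and the tunnel settings of step (5) are repeated with the same values on every Hub and Spoke in both examples, so one mechanical check covers all of them. The following is an added example in Python, not H3C code and not part of this guide: it scans a node's commands in the CLI syntax used above and reports a DES transform set, a short or all-digit pre-shared key, an IKE keychain entry that matches any peer address, an ADVPN tunnel interface with no IPsec protection, and a Spoke that uses OSPF broadcast network type without `ospf dr-priority 0`. The sample input is constructed from Spoke4's commands; the check list is this example's own, and the stronger algorithm names in its messages (aes-cbc-256, sha256) are assumed to be supported by every peer's software.

```python
"""Lint an ADVPN node configuration excerpt for settings a reviewer would flag.

Added example, not H3C code. SAMPLE_CONFIG is constructed from the Spoke4
commands of steps (3) and (5); the checks are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the IKE keychain, transform-set and tunnel lines of Spoke4.
SAMPLE_CONFIG = """\
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
interface tunnel1 mode advpn udp
 ip address 192.168.2.3 255.255.255.0
 vam client Spoke4
 ospf network-type broadcast
 ospf dr-priority 0
 tunnel protection ipsec profile abc
"""

# ESP algorithms that should not protect a tunnel carrying private traffic.
WEAK_ESP_ENCRYPTION = {"des-cbc": "56-bit DES", "3des-cbc": "3DES, 64-bit block", "null": "no encryption"}
WEAK_ESP_AUTH = {"md5": "HMAC-MD5"}


@dataclass(frozen=True)
class Finding:
    line: int        # 0 for findings about a whole interface block
    severity: str
    message: str


def lint_config(text: str, role: str = "spoke") -> list[Finding]:
    """Return findings for one node's configuration; role is 'hub' or 'spoke'."""
    findings: list[Finding] = []
    iface = None                        # ADVPN tunnel interface currently being parsed
    protected: dict[str, bool] = {}     # interface -> has 'tunnel protection ipsec profile'
    broadcast: dict[str, bool] = {}     # interface -> OSPF network type is broadcast
    dr_prio0: dict[str, bool] = {}      # interface -> 'ospf dr-priority 0' present

    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if m := re.match(r"interface (\S+) mode advpn", line):
            iface = m.group(1)
            protected[iface] = broadcast[iface] = dr_prio0[iface] = False
        elif m := re.match(r"esp encryption-algorithm (\S+)$", line):
            alg = m.group(1)
            if alg in WEAK_ESP_ENCRYPTION:
                findings.append(Finding(no, "high", f"ESP encryption {alg} ({WEAK_ESP_ENCRYPTION[alg]}); "
                                        "use an AES transform such as aes-cbc-256"))
        elif m := re.match(r"esp authentication-algorithm (\S+)$", line):
            alg = m.group(1)
            if alg in WEAK_ESP_AUTH:
                findings.append(Finding(no, "medium", f"ESP integrity {alg} ({WEAK_ESP_AUTH[alg]}); use sha256"))
            elif alg == "sha1":
                findings.append(Finding(no, "low", "ESP integrity sha1; prefer sha256 where every peer supports it"))
        elif m := re.match(r"pre-shared-key address (?:ipv6 )?(\S+) (\S+) key \S+ (\S+)$", line):
            addr, mask, key = m.groups()       # covers both the IPv4 and the 'address ipv6' form
            if addr in ("0.0.0.0", "::") and mask in ("0.0.0.0", "0"):
                findings.append(Finding(no, "info", "IKE pre-shared key matches any peer address; "
                                        "every node in the domain shares this one key"))
            if len(key) < 16 or key.isdigit():
                findings.append(Finding(no, "medium", f"pre-shared key is {len(key)} characters"
                                        + (", digits only" if key.isdigit() else "") + "; use a long random key"))
        elif iface is not None:
            if line.startswith("tunnel protection ipsec profile"):
                protected[iface] = True
            elif line == "ospf network-type broadcast":
                broadcast[iface] = True
            elif line == "ospf dr-priority 0":
                dr_prio0[iface] = True

    # Checks that need the whole interface block.
    for name in protected:
        if not protected[name]:
            findings.append(Finding(0, "high", f"{name}: no 'tunnel protection ipsec profile'; "
                                    "ADVPN traffic crosses the public network unencrypted"))
        if role == "spoke" and broadcast[name] and not dr_prio0[name]:
            findings.append(Finding(0, "medium", f"{name}: OSPF broadcast network type without "
                                    "'ospf dr-priority 0'; this Spoke could be elected DR/BDR"))
    return findings


if __name__ == "__main__":
    for f in lint_config(SAMPLE_CONFIG):
        print(f"line {f.line:>2} [{f.severity}] {f.message}")
```

Run against Spoke4's own lines the example reports the DES transform, the sha1 integrity choice, the any-peer keychain entry and the six-digit key, and stays silent on the tunnel protection and DR priority because Spoke4 has both; pass `role="hub"` for Hub configurations, where a DR priority of 0 is not expected.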

12. Verify the configuration

# Display the IPv4 private address mappings of all VAM Clients registered with the primary VAM Server.

[PrimaryServer] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 10

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S

0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S

0          192.168.0.3      1.0.0.3                     Hub    No   0H 28M 25S

1          192.168.1.1      1.0.0.1                     Hub    No   0H 52M  7S

1          192.168.1.2      1.0.0.2                     Hub    No   0H 47M 31S

1          192.168.1.3      1.0.0.4                     Spoke  No   0H 18M 26S

1          192.168.1.4      1.0.0.5                     Spoke  No   0H 28M 25S

2          192.168.2.1      1.0.0.3                     Hub    No   0H 28M 25S

2          192.168.2.2      1.0.0.6                     Spoke  No   0H 25M 40S

2          192.168.2.3      1.0.0.7                     Spoke  No   0H 25M 31S

# Display the IPv4 private address mappings of all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 10

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.0.0.1                     Hub    No   0H 52M  7S

0          192.168.0.2      1.0.0.2                     Hub    No   0H 47M 31S

0          192.168.0.3      1.0.0.3                     Hub    No   0H 28M 25S

1          192.168.1.1      1.0.0.1                     Hub    No   0H 52M  7S

1          192.168.1.2      1.0.0.2                     Hub    No   0H 47M 31S

1          192.168.1.3      1.0.0.4                     Spoke  No   0H 18M 26S

1          192.168.1.4      1.0.0.5                     Spoke  No   0H 28M 25S

2          192.168.2.1      1.0.0.3                     Hub    No   0H 28M 25S

2          192.168.2.2      1.0.0.6                     Spoke  No   0H 25M 40S

2          192.168.2.3      1.0.0.7                     Spoke  No   0H 25M 31S

The output shows that Hub1, Hub2, Hub3, Spoke1, Spoke2, Spoke3, and Spoke4 have all registered their address mappings with the VAM servers.

# Display IPv4 ADVPN tunnel information on Hub1.

[Hub1] display advpn session

Interface         : Tunnel1

Number of sessions: 3

Private address  Public address              Port  Type  State      Holding time

192.168.1.2      1.0.0.2                     18001 H-H   Success    0H 46M  8S

192.168.1.3      1.0.0.3                     18001 H-S   Success    0H 27M 27S

192.168.1.4      1.0.0.4                     18001 H-S   Success    0H 18M 18S

 

Interface         : Tunnel2

Number of sessions: 2

Private address  Public address              Port  Type  State      Holding time

192.168.0.2      1.0.0.2                     18001 H-H   Success    0H 46M  8S

192.168.0.3      1.0.0.3                     18001 H-H   Success    0H 27M 27S

The output shows that Hub1 has established permanent tunnels with Hub2, Hub3, Spoke1, and Spoke2. The output on Hub2 is similar.

# Display IPv4 ADVPN tunnel information on Spoke1.

[Spoke1] display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address  Public address              Port  Type  State      Holding time

192.168.1.1      1.0.0.1                     18001 S-H   Success    0H 46M  8S

192.168.1.2      1.0.0.2                     18001 S-H   Success    0H 46M  8S

The output shows that Spoke1 has established permanent hub-spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar.

# Display IPv4 ADVPN tunnel information on Spoke3.

[Spoke3] display advpn session

Interface         : Tunnel1

Number of sessions: 1

Private address  Public address              Port  Type  State      Holding time

192.168.2.1      1.0.0.3                     18001 S-H   Success    0H 46M  8S

The output shows that Spoke3 has established a permanent hub-spoke tunnel with Hub3. The output on Spoke4 is similar.

1.10.6  IPv6 ADVPN configuration example with multiple hub groups

1. Network requirements

The ADVPN domain contains many ADVPN nodes, so it is divided into multiple hub groups to reduce the load on the hubs. The requirements are as follows:

·     The primary and secondary VAM servers manage and maintain the information of all nodes.

·     The AAA server authenticates VAM clients and performs accounting.

·     The ADVPN domain is divided into three hub groups: Hub1, Hub2, and Hub3 belong to hub group 0; Hub1, Hub2, Spoke1, and Spoke2 belong to hub group 1, where the two hubs back each other up; Hub3, Spoke3, and Spoke4 belong to hub group 2.

·     Hub groups 1 and 2 use Full-Mesh networking.

·     All spokes are allowed to establish direct spoke-to-spoke tunnels across hub groups.

2. Network diagram

Figure 1-12 Network diagram for IPv6 ADVPN with multiple hub groups

Device             Interface   IP address
Hub 1              GE0/0/1     1::1/64
                   Tunnel1     192:168:1::1/64
                   Tunnel2     192:168::1/64
Hub 2              GE0/0/1     1::2/64
                   Tunnel1     192:168:1::2/64
                   Tunnel2     192:168::2/64
Hub 3              GE0/0/1     1::3/64
                   Tunnel1     192:168:2::1/64
                   Tunnel2     192:168::3/64
Spoke 1            GE0/0/1     1::4/64
                   GE0/0/2     192:168:10::1/64
                   Tunnel1     192:168:1::3/64
Spoke 2            GE0/0/1     1::5/64
                   GE0/0/2     192:168:20::1/64
                   GE0/0/3     192:168:30::1/64
                   Tunnel1     192:168:1::4/64
Spoke 3            GE0/0/1     1::6/64
                   GE0/0/2     192:168:40::1/64
                   Tunnel1     192:168:2::2/64
Spoke 4            GE0/0/1     1::7/64
                   GE0/0/2     192:168:50::1/64
                   GE0/0/3     192:168:60::1/64
                   Tunnel1     192:168:2::3/64
AAA server                     1::10/64
Primary server     GE0/0/1     1::11/64
Secondary server   GE0/0/1     1::12/64

 

3. Configure the primary VAM server

(1)     Configure IP addresses for the interfaces. (Details not shown.)

(2)     Configure AAA authentication

# Configure a RADIUS scheme.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication ipv6 1::10 1812

[PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for the ISP domain.

[PrimaryServer] domain abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

(3)     Configure the VAM server

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify the IPv6 private addresses of the hubs in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::3

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Create hub group 1.

[PrimaryServer-vam-server-domain-abc] hub-group 1

# Specify the IPv6 private addresses of the hubs in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-1] hub ipv6 private-address 192:168:1::1

[PrimaryServer-vam-server-domain-abc-hub-group-1] hub ipv6 private-address 192:168:1::2

# Specify the IPv6 private address range of the spokes in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-1] spoke ipv6 private-address network 192:168:1::0 64

# Allow direct spoke-to-spoke tunnels across hub groups.

[PrimaryServer-vam-server-domain-abc-hub-group-1] shortcut ipv6 interest all

[PrimaryServer-vam-server-domain-abc-hub-group-1] quit

# Create hub group 2.

[PrimaryServer-vam-server-domain-abc] hub-group 2

# Specify the IPv6 private address of the hub in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-2] hub ipv6 private-address 192:168:2::1

# Specify the IPv6 private address range of the spokes in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-2] spoke ipv6 private-address network 192:168:2::0 64

# Allow direct spoke-to-spoke tunnels across hub groups.

[PrimaryServer-vam-server-domain-abc-hub-group-2] shortcut ipv6 interest all

[PrimaryServer-vam-server-domain-abc-hub-group-2] quit

# Set the pre-shared key of the VAM server to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Configure CHAP authentication for VAM clients.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

4. Configure the secondary VAM server

Except for the IP addresses, the ADVPN configuration of the secondary VAM server is the same as that of the primary VAM server and is not repeated here.
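Every command in the transcript above is prefixed with the prompt of the view it was entered in, and the hub-group view name is part of that prompt. That makes a transcript checkable before it is pasted into a device: a command typed under the wrong hub group is visible as a prompt that does not match the group entered by the preceding hub-group command. The following Python script is an added example, not code from this configuration guide or from the Comware software. It reads a transcript in the guide's own "[view] command" format, flags commands whose prompt does not belong to the current hub-group view, extracts the hub-group plan (hubs, spoke ranges, shortcut permission), and checks that no group's spoke range contains a hub address of another group. The sample transcript is the primary-server hub-group section of this example with the prompt of the last shortcut command deliberately mistyped, so that the lint has something to find; the prompt convention it relies on (the prompt ends in hub-group-N while in that view) is the one shown on this page.

```python
"""Lint a Comware VAM server transcript for hub-group consistency.

Added example, not from the configuration guide or the Comware software.
Reads the '[view] command' transcript format used in the guide, flags
commands whose prompt does not belong to the hub-group view entered by the
preceding 'hub-group' command, extracts the hub-group plan, and checks that
no group's spoke range contains a hub address of another group.
"""
import ipaddress
import re

# Constructed sample: the primary-server hub-group section of the IPv6 example,
# with the prompt of the last 'shortcut' command deliberately mistyped
# (hub-group 2 is the current view, but the prompt names hub-group-1).
SERVER_TRANSCRIPT = """\
[PrimaryServer] vam server advpn-domain abc id 1
[PrimaryServer-vam-server-domain-abc] hub-group 0
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::3
[PrimaryServer-vam-server-domain-abc-hub-group-0] quit
[PrimaryServer-vam-server-domain-abc] hub-group 1
[PrimaryServer-vam-server-domain-abc-hub-group-1] hub ipv6 private-address 192:168:1::1
[PrimaryServer-vam-server-domain-abc-hub-group-1] hub ipv6 private-address 192:168:1::2
[PrimaryServer-vam-server-domain-abc-hub-group-1] spoke ipv6 private-address network 192:168:1::0 64
[PrimaryServer-vam-server-domain-abc-hub-group-1] shortcut ipv6 interest all
[PrimaryServer-vam-server-domain-abc-hub-group-1] quit
[PrimaryServer-vam-server-domain-abc] hub-group 2
[PrimaryServer-vam-server-domain-abc-hub-group-2] hub ipv6 private-address 192:168:2::1
[PrimaryServer-vam-server-domain-abc-hub-group-2] spoke ipv6 private-address network 192:168:2::0 64
[PrimaryServer-vam-server-domain-abc-hub-group-1] shortcut ipv6 interest all
[PrimaryServer-vam-server-domain-abc-hub-group-2] quit
"""

LINE_RE = re.compile(r"^\[(?P<prompt>[^\]]+)\]\s*(?P<cmd>.*)$")


def check_plan(plan):
    """Cross-group checks on an extracted plan; returns a list of findings."""
    findings = []
    for g, grp in plan.items():
        if not grp["hubs"]:
            findings.append(f"hub-group {g}: no hub configured")
        for net in grp["spoke_nets"]:
            network = ipaddress.ip_network(net)
            # A private address that is a hub of one group and lies inside the spoke
            # range of another satisfies two groups' membership rules at once.
            for other, ogrp in plan.items():
                for hub in sorted(ogrp["hubs"]):
                    if other != g and ipaddress.ip_address(hub) in network:
                        findings.append(f"hub-group {g}: spoke range {net} contains hub {hub} of hub-group {other}")
    return findings


def lint_transcript(text):
    """Return (plan, findings). plan: group id -> {"hubs", "spoke_nets", "shortcut"}."""
    plan, findings, group = {}, [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or not m.group("cmd").split():
            continue
        prompt, cmd = m.group("prompt"), m.group("cmd").split()
        # Inside a hub-group view every prompt must end with that view's name.
        if group is not None and not prompt.endswith(f"hub-group-{group}"):
            findings.append(f"line {lineno}: prompt '{prompt}' while in hub-group {group}")
        if cmd[0] == "hub-group" and len(cmd) == 2 and cmd[1].isdigit():
            group = int(cmd[1])
            plan.setdefault(group, {"hubs": set(), "spoke_nets": [], "shortcut": False})
        elif cmd[0] == "quit":
            group = None
        elif group is not None and cmd[0] == "hub" and "private-address" in cmd:
            plan[group]["hubs"].add(cmd[cmd.index("private-address") + 1])
        elif group is not None and cmd[0] == "spoke" and "network" in cmd:
            i = cmd.index("network")
            # 'network <prefix> <len>' (IPv6) or 'network <addr> <mask>' (IPv4) both parse.
            plan[group]["spoke_nets"].append(f"{cmd[i + 1]}/{cmd[i + 2]}")
        elif group is not None and cmd[0] == "shortcut":
            plan[group]["shortcut"] = True
    return plan, findings + check_plan(plan)


if __name__ == "__main__":
    extracted, problems = lint_transcript(SERVER_TRANSCRIPT)
    print("\n".join(problems) if problems else f"clean: {len(extracted)} hub groups")
```

The same parser works for the IPv4 variant of the commands (hub private-address / spoke private-address network with a dotted mask), because ipaddress accepts the address/mask form.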

5. Configure Hub1

(1)     Configure IP addresses for the interfaces. (Details not shown.)

(2)     Configure the VAM client

# Create VAM client Hub1Group0.

<Hub1> system-view

[Hub1] vam client name Hub1Group0

# Assign the VAM client to ADVPN domain abc.

[Hub1-vam-client-Hub1Group0] advpn-domain abc

# Set the pre-shared key of the VAM client.

[Hub1-vam-client-Hub1Group0] pre-shared-key simple 123456

# Set the authentication username of the VAM client to hub1 and the password to hub1.

[Hub1-vam-client-Hub1Group0] user hub1 password simple hub1

# Specify the IP addresses of the VAM servers.

[Hub1-vam-client-Hub1Group0] server primary ipv6-address 1::11

[Hub1-vam-client-Hub1Group0] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub1-vam-client-Hub1Group0] client enable

[Hub1-vam-client-Hub1Group0] quit

# Create VAM client Hub1Group1.

[Hub1] vam client name Hub1Group1

# Assign the VAM client to ADVPN domain abc.

[Hub1-vam-client-Hub1Group1] advpn-domain abc

# Set the pre-shared key of the VAM client.

[Hub1-vam-client-Hub1Group1] pre-shared-key simple 123456

# Set the authentication username of the VAM client to hub1 and the password to hub1.

[Hub1-vam-client-Hub1Group1] user hub1 password simple hub1

# Specify the IP addresses of the VAM servers.

[Hub1-vam-client-Hub1Group1] server primary ipv6-address 1::11

[Hub1-vam-client-Hub1Group1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub1-vam-client-Hub1Group1] client enable

[Hub1-vam-client-Hub1Group1] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure an IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode transport

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routes

# Enable OSPFv3 to advertise the private network routes.

[Hub1] ospfv3 1

[Hub1-ospfv3-1] router-id 0.0.0.1

[Hub1-ospfv3-1] area 0

[Hub1-ospfv3-1-area-0.0.0.0] quit

[Hub1-ospfv3-1] area 1

[Hub1-ospfv3-1-area-0.0.0.1] quit

[Hub1-ospfv3-1] quit

(5)     Configure the ADVPN tunnels

# Configure UDP-encapsulated IPv6 ADVPN tunnel interface Tunnel1.

[Hub1] interface tunnel1 mode advpn udp ipv6

[Hub1-Tunnel1] ipv6 address 192:168:1::1 64

[Hub1-Tunnel1] ipv6 address fe80::1:1 link-local

[Hub1-Tunnel1] vam ipv6 client Hub1Group1

[Hub1-Tunnel1] ospfv3 1 area 1

[Hub1-Tunnel1] ospfv3 network-type broadcast

[Hub1-Tunnel1] source gigabitethernet 0/0/1

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] quit

# Configure UDP-encapsulated IPv6 ADVPN tunnel interface Tunnel2.

[Hub1] interface tunnel2 mode advpn udp ipv6

[Hub1-Tunnel2] ipv6 address 192:168::1 64

[Hub1-Tunnel2] ipv6 address fe80::1 link-local

[Hub1-Tunnel2] vam ipv6 client Hub1Group0

[Hub1-Tunnel2] ospfv3 1 area 0

[Hub1-Tunnel2] ospfv3 network-type broadcast

[Hub1-Tunnel2] source gigabitethernet 0/0/1

[Hub1-Tunnel2] tunnel protection ipsec profile abc

[Hub1-Tunnel2] quit

6. Configure Hub2

(1)     Configure IP addresses for the interfaces. (Details not shown.)

(2)     Configure the VAM client

# Create VAM client Hub2Group0.

<Hub2> system-view

[Hub2] vam client name Hub2Group0

# Assign the VAM client to ADVPN domain abc.

[Hub2-vam-client-Hub2Group0] advpn-domain abc

# Set the pre-shared key of the VAM client.

[Hub2-vam-client-Hub2Group0] pre-shared-key simple 123456

# Set the authentication username of the VAM client to hub2 and the password to hub2.

[Hub2-vam-client-Hub2Group0] user hub2 password simple hub2

# Specify the IP addresses of the VAM servers.

[Hub2-vam-client-Hub2Group0] server primary ipv6-address 1::11

[Hub2-vam-client-Hub2Group0] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub2-vam-client-Hub2Group0] client enable

[Hub2-vam-client-Hub2Group0] quit

# Create VAM client Hub2Group1.

[Hub2] vam client name Hub2Group1

# Assign the VAM client to ADVPN domain abc.

[Hub2-vam-client-Hub2Group1] advpn-domain abc

# Set the pre-shared key of the VAM client.

[Hub2-vam-client-Hub2Group1] pre-shared-key simple 123456

# Set the authentication username of the VAM client to hub2 and the password to hub2.

[Hub2-vam-client-Hub2Group1] user hub2 password simple hub2

# Specify the IP addresses of the VAM servers.

[Hub2-vam-client-Hub2Group1] server primary ipv6-address 1::11

[Hub2-vam-client-Hub2Group1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub2-vam-client-Hub2Group1] client enable

[Hub2-vam-client-Hub2Group1] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure an IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode transport

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routes

# Enable OSPFv3 to advertise the private network routes.

[Hub2] ospfv3 1

[Hub2-ospfv3-1] router-id 0.0.0.2

[Hub2-ospfv3-1] area 0

[Hub2-ospfv3-1-area-0.0.0.0] quit

[Hub2-ospfv3-1] area 1

[Hub2-ospfv3-1-area-0.0.0.1] quit

[Hub2-ospfv3-1] quit

(5)     Configure the ADVPN tunnels

# Configure UDP-encapsulated IPv6 ADVPN tunnel interface Tunnel1.

[Hub2] interface tunnel1 mode advpn udp ipv6

[Hub2-Tunnel1] ipv6 address 192:168:1::2 64

[Hub2-Tunnel1] ipv6 address fe80::1:2 link-local

[Hub2-Tunnel1] vam ipv6 client Hub2Group1

[Hub2-Tunnel1] ospfv3 1 area 1

[Hub2-Tunnel1] ospfv3 network-type broadcast

[Hub2-Tunnel1] source gigabitethernet 0/0/1

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] quit

# Configure UDP-encapsulated IPv6 ADVPN tunnel interface Tunnel2.

[Hub2] interface tunnel2 mode advpn udp ipv6

[Hub2-Tunnel2] ipv6 address 192:168::2 64

[Hub2-Tunnel2] ipv6 address fe80::2 link-local

[Hub2-Tunnel2] vam ipv6 client Hub2Group0

[Hub2-Tunnel2] ospfv3 1 area 0

[Hub2-Tunnel2] ospfv3 network-type broadcast

[Hub2-Tunnel2] source gigabitethernet 0/0/1

[Hub2-Tunnel2] tunnel protection ipsec profile abc

[Hub2-Tunnel2] quit

7. Configure Hub3

(1)     Configure IP addresses for the interfaces. (Details not shown.)

(2)     Configure the VAM client

# Create VAM client Hub3Group0.

<Hub3> system-view

[Hub3] vam client name Hub3Group0

# Assign the VAM client to ADVPN domain abc.

[Hub3-vam-client-Hub3Group0] advpn-domain abc

# Set the pre-shared key of the VAM client.

[Hub3-vam-client-Hub3Group0] pre-shared-key simple 123456

# Set the authentication username of the VAM client to hub3 and the password to hub3.

[Hub3-vam-client-Hub3Group0] user hub3 password simple hub3

# Specify the IP addresses of the VAM servers.

[Hub3-vam-client-Hub3Group0] server primary ipv6-address 1::11

[Hub3-vam-client-Hub3Group0] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub3-vam-client-Hub3Group0] client enable

[Hub3-vam-client-Hub3Group0] quit

# Create VAM client Hub3Group1.

[Hub3] vam client name Hub3Group1

# Assign the VAM client to ADVPN domain abc.

[Hub3-vam-client-Hub3Group1] advpn-domain abc

# Set the pre-shared key of the VAM client.

[Hub3-vam-client-Hub3Group1] pre-shared-key simple 123456

# Set the authentication username of the VAM client to hub3 and the password to hub3.

[Hub3-vam-client-Hub3Group1] user hub3 password simple hub3

# Specify the IP addresses of the VAM servers.

[Hub3-vam-client-Hub3Group1] server primary ipv6-address 1::11

[Hub3-vam-client-Hub3Group1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Hub3-vam-client-Hub3Group1] client enable

[Hub3-vam-client-Hub3Group1] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Hub3] ike keychain abc

[Hub3-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub3-ike-keychain-abc] quit

[Hub3] ike profile abc

[Hub3-ike-profile-abc] keychain abc

[Hub3-ike-profile-abc] quit

# Configure an IPsec profile.

[Hub3] ipsec transform-set abc

[Hub3-ipsec-transform-set-abc] encapsulation-mode transport

[Hub3-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub3-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub3-ipsec-transform-set-abc] quit

[Hub3] ipsec profile abc isakmp

[Hub3-ipsec-profile-isakmp-abc] transform-set abc

[Hub3-ipsec-profile-isakmp-abc] ike-profile abc

[Hub3-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routes

# Enable OSPFv3 to advertise the private network routes.

[Hub3] ospfv3 1

[Hub3-ospfv3-1] router-id 0.0.0.3

[Hub3-ospfv3-1] area 0

[Hub3-ospfv3-1-area-0.0.0.0] quit

[Hub3-ospfv3-1] area 2

[Hub3-ospfv3-1-area-0.0.0.2] quit

[Hub3-ospfv3-1] quit

(5)     Configure the ADVPN tunnels

# Configure UDP-encapsulated IPv6 ADVPN tunnel interface Tunnel1.

[Hub3] interface tunnel1 mode advpn udp ipv6

[Hub3-Tunnel1] ipv6 address 192:168:2::1 64

[Hub3-Tunnel1] ipv6 address fe80::2:1 link-local

[Hub3-Tunnel1] vam ipv6 client Hub3Group1

[Hub3-Tunnel1] ospfv3 1 area 2

[Hub3-Tunnel1] ospfv3 network-type broadcast

[Hub3-Tunnel1] source gigabitethernet 0/0/1

[Hub3-Tunnel1] tunnel protection ipsec profile abc

[Hub3-Tunnel1] quit

# Configure UDP-encapsulated IPv6 ADVPN tunnel interface Tunnel2.

[Hub3] interface tunnel2 mode advpn udp ipv6

[Hub3-Tunnel2] ipv6 address 192:168::3 64

[Hub3-Tunnel2] ipv6 address fe80::3 link-local

[Hub3-Tunnel2] vam ipv6 client Hub3Group0

[Hub3-Tunnel2] ospfv3 1 area 0

[Hub3-Tunnel2] ospfv3 network-type broadcast

[Hub3-Tunnel2] source gigabitethernet 0/0/1

[Hub3-Tunnel2] tunnel protection ipsec profile abc

[Hub3-Tunnel2] quit

8. Configure Spoke1

(1)     Configure IP addresses for the interfaces. (Details not shown.)

(2)     Configure the VAM client

# Create VAM client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Assign the VAM client to ADVPN domain abc.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the pre-shared key of the VAM client.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set the authentication username of the VAM client to spoke1 and the password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the IP addresses of the VAM servers.

[Spoke1-vam-client-Spoke1] server primary ipv6-address 1::11

[Spoke1-vam-client-Spoke1] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure an IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routes

# Enable OSPFv3 to advertise the private network routes.

[Spoke1] ospfv3 1

[Spoke1-ospfv3-1] router-id 0.0.0.4

[Spoke1-ospfv3-1] area 1

[Spoke1-ospfv3-1-area-0.0.0.1] quit

[Spoke1-ospfv3-1] quit

[Spoke1] interface gigabitethernet 0/0/2

[Spoke1-GigabitEthernet0/0/2] ospfv3 1 area 1

[Spoke1-GigabitEthernet0/0/2] quit

(5)     Configure the ADVPN tunnel

# Configure UDP-encapsulated IPv6 ADVPN tunnel interface Tunnel1. Set the DR priority of Spoke1 to 0 so that Spoke1 does not take part in DR/BDR election.

[Spoke1] interface tunnel1 mode advpn udp ipv6

[Spoke1-Tunnel1] ipv6 address 192:168:1::3 64

[Spoke1-Tunnel1] ipv6 address fe80::1:3 link-local

[Spoke1-Tunnel1] vam ipv6 client Spoke1

[Spoke1-Tunnel1] ospfv3 1 area 1

[Spoke1-Tunnel1] ospfv3 network-type broadcast

[Spoke1-Tunnel1] ospfv3 dr-priority 0

[Spoke1-Tunnel1] advpn ipv6 network 192:168:10::0 64

[Spoke1-Tunnel1] source gigabitethernet 0/0/1

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

9. Configure Spoke2

(1)     Configure IP addresses for the interfaces. (Details not shown.)

(2)     Configure the VAM client

# Create VAM client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Assign the VAM client to ADVPN domain abc.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the pre-shared key of the VAM client.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set the authentication username of the VAM client to spoke2 and the password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the IP addresses of the VAM servers.

[Spoke2-vam-client-Spoke2] server primary ipv6-address 1::11

[Spoke2-vam-client-Spoke2] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure an IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routes

# Enable OSPFv3 to advertise the private network routes.

[Spoke2] ospfv3 1

[Spoke2-ospfv3-1] router-id 0.0.0.5

[Spoke2-ospfv3-1] area 1

[Spoke2-ospfv3-1-area-0.0.0.1] quit

[Spoke2-ospfv3-1] quit

[Spoke2] interface gigabitethernet 0/0/2

[Spoke2-GigabitEthernet0/0/2] ospfv3 1 area 1

[Spoke2-GigabitEthernet0/0/2] quit

[Spoke2] interface gigabitethernet 0/0/3

[Spoke2-GigabitEthernet0/0/3] ospfv3 1 area 1

[Spoke2-GigabitEthernet0/0/3] quit

(5)     Configure the ADVPN tunnel

# Configure UDP-encapsulated IPv6 ADVPN tunnel interface Tunnel1. Set the DR priority of Spoke2 to 0 so that Spoke2 does not take part in DR/BDR election.

[Spoke2] interface tunnel1 mode advpn udp ipv6

[Spoke2-Tunnel1] ipv6 address 192:168:1::4 64

[Spoke2-Tunnel1] ipv6 address fe80::1:4 link-local

[Spoke2-Tunnel1] vam ipv6 client Spoke2

[Spoke2-Tunnel1] ospfv3 1 area 1

[Spoke2-Tunnel1] ospfv3 network-type broadcast

[Spoke2-Tunnel1] ospfv3 dr-priority 0

[Spoke2-Tunnel1] advpn ipv6 network 192:168:20::0 64

[Spoke2-Tunnel1] advpn ipv6 network 192:168:30::0 64

[Spoke2-Tunnel1] source gigabitethernet 0/0/1

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit

10. Configure Spoke3

(1)     Configure IP addresses for the interfaces. (Details not shown.)

(2)     Configure the VAM client

# Create VAM client Spoke3.

<Spoke3> system-view

[Spoke3] vam client name Spoke3

# Assign the VAM client to ADVPN domain abc.

[Spoke3-vam-client-Spoke3] advpn-domain abc

# Set the pre-shared key of the VAM client.

[Spoke3-vam-client-Spoke3] pre-shared-key simple 123456

# Set the authentication username of the VAM client to spoke3 and the password to spoke3.

[Spoke3-vam-client-Spoke3] user spoke3 password simple spoke3

# Specify the IP addresses of the VAM servers.

[Spoke3-vam-client-Spoke3] server primary ipv6-address 1::11

[Spoke3-vam-client-Spoke3] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke3-vam-client-Spoke3] client enable

[Spoke3-vam-client-Spoke3] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Spoke3] ike keychain abc

[Spoke3-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke3-ike-keychain-abc] quit

[Spoke3] ike profile abc

[Spoke3-ike-profile-abc] keychain abc

[Spoke3-ike-profile-abc] quit

# Configure an IPsec profile.

[Spoke3] ipsec transform-set abc

[Spoke3-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke3-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke3-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke3-ipsec-transform-set-abc] quit

[Spoke3] ipsec profile abc isakmp

[Spoke3-ipsec-profile-isakmp-abc] transform-set abc

[Spoke3-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke3-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routes

# Enable OSPFv3 to advertise the private network routes.

[Spoke3] ospfv3 1

[Spoke3-ospfv3-1] router-id 0.0.0.6

[Spoke3-ospfv3-1] area 2

[Spoke3-ospfv3-1-area-0.0.0.2] quit

[Spoke3-ospfv3-1] quit

[Spoke3] interface gigabitethernet 0/0/2

[Spoke3-GigabitEthernet0/0/2] ospfv3 1 area 2

[Spoke3-GigabitEthernet0/0/2] quit

(5)     Configure the ADVPN tunnel

# Configure UDP-encapsulated IPv6 ADVPN tunnel interface Tunnel1. Set the DR priority of Spoke3 to 0 so that Spoke3 does not take part in DR/BDR election.

[Spoke3] interface tunnel1 mode advpn udp ipv6

[Spoke3-Tunnel1] ipv6 address 192:168:2::2 64

[Spoke3-Tunnel1] ipv6 address fe80::2:2 link-local

[Spoke3-Tunnel1] vam ipv6 client Spoke3

[Spoke3-Tunnel1] ospfv3 1 area 2

[Spoke3-Tunnel1] ospfv3 network-type broadcast

[Spoke3-Tunnel1] ospfv3 dr-priority 0

[Spoke3-Tunnel1] advpn ipv6 network 192:168:40::0 64

[Spoke3-Tunnel1] source gigabitethernet 0/0/1

[Spoke3-Tunnel1] tunnel protection ipsec profile abc

[Spoke3-Tunnel1] quit

11. Configure Spoke4

(1)     Configure IP addresses for the interfaces. (Details not shown.)

(2)     Configure the VAM client

# Create VAM client Spoke4.

<Spoke4> system-view

[Spoke4] vam client name Spoke4

# Assign the VAM client to ADVPN domain abc.

[Spoke4-vam-client-Spoke4] advpn-domain abc

# Set the pre-shared key of the VAM client.

[Spoke4-vam-client-Spoke4] pre-shared-key simple 123456

# Set the authentication username of the VAM client to spoke4 and the password to spoke4.

[Spoke4-vam-client-Spoke4] user spoke4 password simple spoke4

# Specify the IP addresses of the VAM servers.

[Spoke4-vam-client-Spoke4] server primary ipv6-address 1::11

[Spoke4-vam-client-Spoke4] server secondary ipv6-address 1::12

# Enable the VAM client.

[Spoke4-vam-client-Spoke4] client enable

[Spoke4-vam-client-Spoke4] quit

(3)     Configure an IPsec profile

# Configure an IKE profile.

[Spoke4] ike keychain abc

[Spoke4-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke4-ike-keychain-abc] quit

[Spoke4] ike profile abc

[Spoke4-ike-profile-abc] keychain abc

[Spoke4-ike-profile-abc] quit

# Configure an IPsec profile.

[Spoke4] ipsec transform-set abc

[Spoke4-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke4-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke4-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke4-ipsec-transform-set-abc] quit

[Spoke4] ipsec profile abc isakmp

[Spoke4-ipsec-profile-isakmp-abc] transform-set abc

[Spoke4-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke4-ipsec-profile-isakmp-abc] quit

(4)     Configure OSPFv3 routes

# Enable OSPFv3 to advertise the private network routes.

[Spoke4] ospfv3 1

[Spoke4-ospfv3-1] router-id 0.0.0.7

[Spoke4-ospfv3-1] area 2

[Spoke4-ospfv3-1-area-0.0.0.2] quit

[Spoke4-ospfv3-1] quit

[Spoke4] interface gigabitethernet 0/0/2

[Spoke4-GigabitEthernet0/0/2] ospfv3 1 area 2

[Spoke4-GigabitEthernet0/0/2] quit

[Spoke4] interface gigabitethernet 0/0/3

[Spoke4-GigabitEthernet0/0/3] ospfv3 1 area 2

[Spoke4-GigabitEthernet0/0/3] quit

(5)     Configure the ADVPN tunnel

# Configure UDP-encapsulated IPv6 ADVPN tunnel interface Tunnel1. Set the DR priority of Spoke4 to 0 so that Spoke4 does not take part in DR/BDR election.

[Spoke4] interface tunnel1 mode advpn udp ipv6

[Spoke4-Tunnel1] ipv6 address 192:168:2::3 64

[Spoke4-Tunnel1] ipv6 address fe80::2:3 link-local

[Spoke4-Tunnel1] vam ipv6 client Spoke4

[Spoke4-Tunnel1] ospfv3 1 area 2

[Spoke4-Tunnel1] ospfv3 network-type broadcast

[Spoke4-Tunnel1] ospfv3 dr-priority 0

[Spoke4-Tunnel1] advpn ipv6 network 192:168:50::0 64

[Spoke4-Tunnel1] advpn ipv6 network 192:168:60::0 64

[Spoke4-Tunnel1] source gigabitethernet 0/0/1

[Spoke4-Tunnel1] tunnel protection ipsec profile abc

[Spoke4-Tunnel1] quit

12. Verify the configuration

# Display the IPv6 private address mappings of all VAM clients registered with the primary VAM server.

[PrimaryServer] display vam server ipv6 address-map

ADVPN domain name: abc

Total private address mappings: 10

Group      Private address       Public address         Type   NAT  Holding time

0          192:168::1            1::1                   Hub    No   0H 52M  7S

0          192:168::2            1::2                   Hub    No   0H 47M 31S

0          192:168::3            1::3                   Hub    No   0H 28M 25S

1          192:168:1::1          1::1                   Hub    No   0H 52M  7S

1          192:168:1::2          1::2                   Hub    No   0H 47M 31S

1          192:168:1::3          1::4                   Spoke  No   0H 18M 26S

1          192:168:1::4          1::5                   Spoke  No   0H 28M 25S

2          192:168:2::1          1::3                   Hub    No   0H 28M 25S

2          192:168:2::2          1::6                   Spoke  No   0H 25M 40S

2          192:168:2::3          1::7                   Spoke  No   0H 25M 31S

# Display the IPv6 private address mappings of all VAM clients registered with the secondary VAM server.

[SecondaryServer] display vam server ipv6 address-map

ADVPN domain name: abc

Total private address mappings: 10

Group      Private address       Public address         Type   NAT  Holding time

0          192:168::1            1::1                   Hub    No   0H 52M  7S

0          192:168::2            1::2                   Hub    No   0H 47M 31S

0          192:168::3            1::3                   Hub    No   0H 28M 25S

1          192:168:1::1          1::1                   Hub    No   0H 52M  7S

1          192:168:1::2          1::2                   Hub    No   0H 47M 31S

1          192:168:1::3          1::4                   Spoke  No   0H 18M 26S

1          192:168:1::4          1::5                   Spoke  No   0H 28M 25S

2          192:168:2::1          1::3                   Hub    No   0H 28M 25S

2          192:168:2::2          1::6                   Spoke  No   0H 25M 40S

2          192:168:2::3          1::7                   Spoke  No   0H 25M 31S

The output shows that Hub1, Hub2, Hub3, Spoke1, Spoke2, Spoke3, and Spoke4 have all registered their address mappings with the VAM servers.

# Display IPv6 ADVPN tunnel information on Hub1.

[Hub1] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 3

Private address       Public address        Port  Type  State      Holding time

192:168:1::2          1::2                  18001 H-H   Success    0H 46M  8S

192:168:1::3          1::3                  18001 H-S   Success    0H 27M 27S

192:168:1::4          1::4                  18001 H-S   Success    0H 18M 18S

 

Interface         : Tunnel2

Number of sessions: 2

Private address       Public address        Port  Type  State      Holding time

192:168::2            1::2                  18001 H-H   Success    0H 46M  8S

192:168::3            1::3                  18001 H-H   Success    0H 27M 27S

The output shows that Hub1 has established permanent tunnels with Hub2, Hub3, Spoke1, and Spoke2. The output on Hub2 is similar.

# Display IPv6 ADVPN tunnel information on Spoke1.

[Spoke1] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 2

Private address       Public address        Port  Type  State      Holding time

192:168:1::1          1::1                  18001 S-H   Success    0H 46M  8S

192:168:1::2          1::2                  18001 S-H   Success    0H 46M  8S

The output shows that Spoke1 has established permanent hub-spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar.

# Display IPv6 ADVPN tunnel information on Spoke3.

[Spoke3] display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 1

Private address       Public address        Port  Type  State      Holding time

192:168:2::1          1::3                  18001 S-H   Success    0H 46M  8S

The output shows that Spoke3 has established a permanent hub-spoke tunnel with Hub3. The output on Spoke4 is similar.
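Both verification steps on this page, the IPv4 one earlier and the IPv6 one just above, ask the operator to read the address-map and session output by eye and confirm that every node registered and every permanent tunnel came up. The following Python script is an added example, not code from this configuration guide or from the Comware software. It parses the text that display vam server ipv6 address-map and display advpn ipv6 session print, checks each registration against the hub-group plan transcribed from the primary VAM server configuration (which addresses are hubs of which group, and which range the spokes of a group must fall in), reports planned hubs that have not registered and spokes registered outside their group's range, and lists any tunnel session that is not in the Success state. The sample text is the IPv6 output from the step above; the HUB_GROUPS dictionary is transcribed by hand from the server configuration. The IPv4 forms of both commands print the same columns, so the parsers accept that output unchanged.

```python
"""Validate ADVPN registrations and tunnel sessions from Comware display output.

Added example, not from the configuration guide or the Comware software: parses
'display vam server [ipv6] address-map' and 'display advpn [ipv6] session' output
and checks the registrations against the hub-group plan configured on the server.
"""
import ipaddress
import re
from dataclasses import dataclass

# Sample output copied from the IPv6 verification step (primary VAM server).
ADDRESS_MAP_OUTPUT = """\
ADVPN domain name: abc
Total private address mappings: 10
Group      Private address       Public address         Type   NAT  Holding time
0          192:168::1            1::1                   Hub    No   0H 52M  7S
0          192:168::2            1::2                   Hub    No   0H 47M 31S
0          192:168::3            1::3                   Hub    No   0H 28M 25S
1          192:168:1::1          1::1                   Hub    No   0H 52M  7S
1          192:168:1::2          1::2                   Hub    No   0H 47M 31S
1          192:168:1::3          1::4                   Spoke  No   0H 18M 26S
1          192:168:1::4          1::5                   Spoke  No   0H 28M 25S
2          192:168:2::1          1::3                   Hub    No   0H 28M 25S
2          192:168:2::2          1::6                   Spoke  No   0H 25M 40S
2          192:168:2::3          1::7                   Spoke  No   0H 25M 31S
"""

# Sample output copied from 'display advpn ipv6 session' on Hub1.
SESSION_OUTPUT = """\
Interface         : Tunnel1
Number of sessions: 3
Private address       Public address        Port  Type  State      Holding time
192:168:1::2          1::2                  18001 H-H   Success    0H 46M  8S
192:168:1::3          1::3                  18001 H-S   Success    0H 27M 27S
192:168:1::4          1::4                  18001 H-S   Success    0H 18M 18S

Interface         : Tunnel2
Number of sessions: 2
Private address       Public address        Port  Type  State      Holding time
192:168::2            1::2                  18001 H-H   Success    0H 46M  8S
192:168::3            1::3                  18001 H-H   Success    0H 27M 27S
"""

# Hub-group plan transcribed from the primary VAM server configuration
# (hubs per group; spoke range per group, None for the backbone group 0).
HUB_GROUPS = {
    0: {"hubs": {"192:168::1", "192:168::2", "192:168::3"}, "spoke_net": None},
    1: {"hubs": {"192:168:1::1", "192:168:1::2"}, "spoke_net": "192:168:1::/64"},
    2: {"hubs": {"192:168:2::1"}, "spoke_net": "192:168:2::/64"},
}


@dataclass(frozen=True)
class Mapping:
    group: int
    private: str
    public: str
    kind: str   # "Hub" or "Spoke"
    nat: bool   # True when the NAT column reads Yes


def parse_address_map(text):
    """Return the data rows of 'display vam server [ipv6] address-map'."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Data rows start with the numeric group id; header and summary lines do not.
        if len(f) >= 5 and f[0].isdigit() and f[3] in ("Hub", "Spoke"):
            rows.append(Mapping(int(f[0]), f[1], f[2], f[3], f[4] == "Yes"))
    return rows


def check_registrations(rows, plan):
    """Compare registered mappings with the hub-group plan; return a list of problems."""
    planned = {g: {ipaddress.ip_address(h) for h in grp["hubs"]} for g, grp in plan.items()}
    seen, problems = {g: set() for g in plan}, []
    for m in rows:
        if m.group not in plan:
            problems.append(f"{m.private}: registered in unknown hub group {m.group}")
            continue
        addr, net = ipaddress.ip_address(m.private), plan[m.group]["spoke_net"]
        if m.kind == "Hub":
            seen[m.group].add(addr)
            if addr not in planned[m.group]:
                problems.append(f"{m.private}: registered as Hub but not a planned hub of group {m.group}")
        elif net is None or addr not in ipaddress.ip_network(net):
            problems.append(f"{m.private}: Spoke outside the spoke range of group {m.group}")
    for g in plan:
        problems += [f"group {g}: planned hub {h} has not registered" for h in sorted(planned[g] - seen[g])]
    return problems


def parse_sessions(text):
    """Return {interface: [(private, public, type, state), ...]} from 'display advpn [ipv6] session'."""
    sessions, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Interface\s*:\s*(\S+)", line)
        if m:
            current = m.group(1)
            sessions[current] = []
            continue
        f = line.split()
        if current and len(f) >= 6 and f[3] in ("H-H", "H-S", "S-H", "S-S"):
            sessions[current].append((f[0], f[1], f[3], f[4]))
    return sessions


def sessions_not_up(sessions):
    """(interface, private address, state) for every session not in the Success state."""
    return [(itf, s[0], s[3]) for itf, lst in sessions.items() for s in lst if s[3] != "Success"]
```

Run check_registrations over the output of each VAM server in turn; the two servers are expected to hold the same table, so a difference between them is itself a finding worth chasing.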

1.10.7  IPv4 Full-Mesh ADVPN configuration example with NAT traversal

1. Network requirements

·     In the IPv4 Full-Mesh network, the primary and secondary VAM servers manage and maintain the information of all nodes; the AAA server authenticates VAM clients and performs accounting; the two hubs back each other up and are responsible for forwarding data and exchanging routing information.

·     Permanent ADVPN tunnels are established between the spokes and the hubs.

·     Within the same ADVPN domain, any two spokes dynamically establish an ADVPN tunnel when there is traffic between them.

·     The VAM servers and all nodes are behind NAT gateways.

2. Network diagram

Figure 1-13 Network diagram for IPv4 Full-Mesh ADVPN with NAT traversal

Device             Interface   IP address
Hub 1              GE0/0/1     10.0.0.2/24
                   Tunnel1     192.168.0.1/24
Hub 2              GE0/0/1     10.0.0.3/24
                   Tunnel1     192.168.0.2/24
Spoke 1            GE0/0/1     10.0.0.2/24
                   GE0/0/2     192.168.1.1/24
                   Tunnel1     192.168.0.3/24
Spoke 2            GE0/0/1     10.0.0.2/24
                   GE0/0/2     192.168.2.1/24
                   Tunnel1     192.168.0.4/24
NAT1               GE0/0/1     1.0.0.1/24
                   GE0/0/2     10.0.0.1/24
NAT2               GE0/0/1     1.0.0.2/24
                   GE0/0/2     10.0.0.1/24
NAT3               GE0/0/1     1.0.0.3/24
                   GE0/0/2     10.0.0.1/24
NAT4               GE0/0/1     1.0.0.4/24
                   GE0/0/2     10.0.0.1/24
AAA server                     10.0.0.2/24
Primary server     GE0/0/1     10.0.0.3/24
Secondary server   GE0/0/1     10.0.0.4/24

 

3. Configure the primary VAM server

(1)     Configure IP addresses for the interfaces. (Details not shown.)

(2)     Configure AAA authentication

# Configure a RADIUS scheme.

<PrimaryServer> system-view

[PrimaryServer] radius scheme abc

[PrimaryServer-radius-abc] primary authentication 10.0.0.2 1812

[PrimaryServer-radius-abc] primary accounting 10.0.0.2 1813

[PrimaryServer-radius-abc] key authentication simple 123

[PrimaryServer-radius-abc] key accounting simple 123

[PrimaryServer-radius-abc] user-name-format without-domain

[PrimaryServer-radius-abc] quit

[PrimaryServer] radius session-control enable

# Configure AAA methods for the ISP domain.

[PrimaryServer] domain abc

[PrimaryServer-isp-abc] authentication advpn radius-scheme abc

[PrimaryServer-isp-abc] accounting advpn radius-scheme abc

[PrimaryServer-isp-abc] quit

[PrimaryServer] domain default enable abc

(3)     Configure the VAM server

# Create ADVPN domain abc.

[PrimaryServer] vam server advpn-domain abc id 1

# Create hub group 0.

[PrimaryServer-vam-server-domain-abc] hub-group 0

# Specify the hubs in the hub group:

# Hub1: the IPv4 private address is 192.168.0.1, the public address is 1.0.0.1 (the address after NAT translation), and the source UDP port of ADVPN packets is 4001 (the UDP port after NAT translation).

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1 public-address 1.0.0.1 advpn-port 4001

# Hub2: the IPv4 private address is 192.168.0.2, the public address is 1.0.0.1 (the address after NAT translation), and the source UDP port of ADVPN packets is 4002 (the UDP port after NAT translation).

[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2 public-address 1.0.0.1 advpn-port 4002

# Specify the IPv4 private address range of the spokes in the hub group.

[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0

[PrimaryServer-vam-server-domain-abc-hub-group-0] quit

# Set the pre-shared key of the VAM server to 123456.

[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456

# Configure CHAP authentication for VAM clients.

[PrimaryServer-vam-server-domain-abc] authentication-method chap

# Set the interval at which VAM clients send keepalive packets to 10 seconds and the number of retransmissions to 3.

[PrimaryServer-vam-server-domain-abc] keepalive interval 10 retry 3

# Enable the VAM server for the ADVPN domain.

[PrimaryServer-vam-server-domain-abc] server enable

[PrimaryServer-vam-server-domain-abc] quit

(4)     Configure a default route

[PrimaryServer] ip route-static 0.0.0.0 0 10.0.0.1

4. Configure the secondary VAM server

Except for the IP addresses, the ADVPN configuration of the secondary VAM server is the same as that of the primary VAM server and is not repeated here.

5. Configure Hub1

(1)     Configure IP addresses for the interfaces. (Details not shown.)

(2)     Configure the VAM client

# Create VAM client Hub1.

<Hub1> system-view

[Hub1] vam client name Hub1

# Configure the ADVPN domain of the VAM Client as abc.

[Hub1-vam-client-Hub1] advpn-domain abc

# Configure the pre-shared key of the VAM Client (it must match the key configured on the VAM Server).

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Configure the authentication username hub1 and password hub1 for the VAM Client. These are the credentials checked by the RADIUS scheme bound to ISP domain abc on the VAM Server.

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Configure the primary VAM Server: IP address 1.0.0.4 (the address after NAT translation), port 4001 (the port after NAT translation).

[Hub1-vam-client-Hub1] server primary ip-address 1.0.0.4 port 4001

# Configure the secondary VAM Server: IP address 1.0.0.4 (the address after NAT translation), port 4002 (the port after NAT translation).

[Hub1-vam-client-Hub1] server secondary ip-address 1.0.0.4 port 4002

# Enable the VAM Client function.

[Hub1-vam-client-Hub1] client enable

[Hub1-vam-client-Hub1] quit

(3)     Configure OSPF

# Configure routing for the private network.

[Hub1] ospf 1

[Hub1-ospf-1] area 0

[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub1-ospf-1-area-0.0.0.0] quit

[Hub1-ospf-1] quit

# Configure a default route.

[Hub1] ip route-static 0.0.0.0 0 10.0.0.1

(4)     Configure the ADVPN tunnel

# Configure UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel1.

[Hub1] interface tunnel 1 mode advpn udp

[Hub1-Tunnel1] ip address 192.168.0.1 255.255.255.0

[Hub1-Tunnel1] vam client Hub1

[Hub1-Tunnel1] ospf network-type broadcast

[Hub1-Tunnel1] source gigabitethernet 0/0/1

[Hub1-Tunnel1] quit

6. Configure Hub2

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure the VAM Client

# Create VAM Client Hub2.

<Hub2> system-view

[Hub2] vam client name Hub2

# Configure the ADVPN domain of the VAM Client as abc.

[Hub2-vam-client-Hub2] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Configure the authentication username hub2 and password hub2 for the VAM Client.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Configure the IP addresses and ports of the primary and secondary VAM Servers.

[Hub2-vam-client-Hub2] server primary ip-address 1.0.0.4 port 4001

[Hub2-vam-client-Hub2] server secondary ip-address 1.0.0.4 port 4002

# Enable the VAM Client function.

[Hub2-vam-client-Hub2] client enable

[Hub2-vam-client-Hub2] quit

(3)     Configure OSPF

# Configure routing for the private network.

[Hub2] ospf 1

[Hub2-ospf-1] area 0

[Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub2-ospf-1-area-0.0.0.0] quit

[Hub2-ospf-1] quit

# Configure a default route.

[Hub2] ip route-static 0.0.0.0 0 10.0.0.1

(4)     Configure the ADVPN tunnel

# Configure UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel1.

[Hub2] interface tunnel1 mode advpn udp

[Hub2-Tunnel1] ip address 192.168.0.2 255.255.255.0

[Hub2-Tunnel1] vam client Hub2

[Hub2-Tunnel1] ospf network-type broadcast

[Hub2-Tunnel1] source gigabitethernet 0/0/1

[Hub2-Tunnel1] quit

7. Configure Spoke1

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure the VAM Client

# Create VAM Client Spoke1.

<Spoke1> system-view

[Spoke1] vam client name Spoke1

# Configure the ADVPN domain of the VAM Client as abc.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Configure the authentication username spoke1 and password spoke1 for the VAM Client.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Configure the IP addresses and ports of the primary and secondary VAM Servers.

[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.4 port 4001

[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.4 port 4002

# Enable the VAM Client function.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

(3)     Configure OSPF

# Configure routing for the private network.

[Spoke1] ospf 1

[Spoke1-ospf-1] area 0

[Spoke1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Spoke1-ospf-1-area-0.0.0.0] quit

[Spoke1-ospf-1] quit

# Configure a default route.

[Spoke1] ip route-static 0.0.0.0 0 10.0.0.1

(4)     Configure the ADVPN tunnel

# Configure UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel1. Set the OSPF DR priority of Spoke1 to 0 so that Spoke1 does not take part in DR/BDR election: on this broadcast-type tunnel network only the Hubs, which hold permanent tunnels to every node, may become DR or BDR.

[Spoke1] interface tunnel1 mode advpn udp

[Spoke1-Tunnel1] ip address 192.168.0.3 255.255.255.0

[Spoke1-Tunnel1] vam client Spoke1

[Spoke1-Tunnel1] ospf network-type broadcast

[Spoke1-Tunnel1] ospf dr-priority 0

[Spoke1-Tunnel1] source gigabitethernet 0/0/1

[Spoke1-Tunnel1] quit

8. Configure Spoke2

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure the VAM Client

# Create VAM Client Spoke2.

<Spoke2> system-view

[Spoke2] vam client name Spoke2

# Configure the ADVPN domain of the VAM Client as abc.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Configure the pre-shared key of the VAM Client.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Configure the authentication username spoke2 and password spoke2 for the VAM Client.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Configure the IP addresses and ports of the primary and secondary VAM Servers.

[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.4 port 4001

[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.4 port 4002

# Enable the VAM Client function.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

(3)     Configure OSPF

# Configure routing for the private network.

[Spoke2] ospf 1

[Spoke2-ospf-1] area 0

[Spoke2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Spoke2-ospf-1-area-0.0.0.0] quit

[Spoke2-ospf-1] quit

# Configure a default route.

[Spoke2] ip route-static 0.0.0.0 0 10.0.0.1

(4)     Configure the ADVPN tunnel

# Configure UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel1. Set the OSPF DR priority of Spoke2 to 0 so that Spoke2 does not take part in DR/BDR election.

[Spoke2] interface tunnel1 mode advpn udp

[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0

[Spoke2-Tunnel1] vam client Spoke2

[Spoke2-Tunnel1] ospf network-type broadcast

[Spoke2-Tunnel1] ospf dr-priority 0

[Spoke2-Tunnel1] source gigabitethernet 0/0/1

[Spoke2-Tunnel1] quit

9. Configure NAT1

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure NAT internal servers and outbound NAT

# Configure ACL 2000 to permit address translation for packets from the internal 10.0.0.0/24 network.

<NAT1> system-view

[NAT1] acl basic 2000

[NAT1-acl-basic-2000] rule permit source 10.0.0.0 0.0.0.255

[NAT1-acl-basic-2000] quit

# On GigabitEthernet0/0/1, configure NAT internal servers so that external ADVPN nodes can reach internal Hub1 and Hub2 through address 1.0.0.1. Hub1 and Hub2 both use the default ADVPN packet source UDP port 18001; the NAT-mapped external ports are 4001 and 4002 respectively. The outbound NAT rule that follows lets other traffic from 10.0.0.0/24, such as the Hubs' traffic to the VAM Servers, out through the same interface.

[NAT1] interface gigabitethernet 0/0/1

[NAT1-GigabitEthernet0/0/1] nat server protocol udp global current-interface 4001 inside 10.0.0.2 18001

[NAT1-GigabitEthernet0/0/1] nat server protocol udp global current-interface 4002 inside 10.0.0.3 18001

[NAT1-GigabitEthernet0/0/1] nat outbound 2000

[NAT1-GigabitEthernet0/0/1] quit

# Enable NAT hairpin on the inside interface GigabitEthernet0/0/2. Hub1 and Hub2 both sit behind NAT1 and learn each other's address from the VAM Server as 1.0.0.1 with ports 4001 and 4002, so their Hub-Hub tunnel traffic enters NAT1 from the inside addressed to NAT1's own public address; hairpin lets NAT1 translate that traffic and send it back to the other Hub.

[NAT1] interface gigabitethernet 0/0/2

[NAT1-GigabitEthernet0/0/2] nat hairpin enable

[NAT1-GigabitEthernet0/0/2] quit

10. Configure NAT2

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure outbound NAT

# Configure ACL 2000 to permit address translation for packets from the internal 10.0.0.0/24 network.

<NAT2> system-view

[NAT2] acl basic 2000

[NAT2-acl-basic-2000] rule permit source 10.0.0.0 0.0.0.255

[NAT2-acl-basic-2000] quit

# Create address group 1.

[NAT2] nat address-group 1

# Add address 1.0.0.2 to the address group.

[NAT2-nat-address-group-1] address 1.0.0.2 1.0.0.2

[NAT2-nat-address-group-1] quit

# On GigabitEthernet0/0/1, configure outbound NAT so that packets from internal hosts matching ACL 2000 have their source address and port translated to an address in address group 1 (this is source translation, not destination translation).

[NAT2] interface gigabitethernet 0/0/1

[NAT2-GigabitEthernet0/0/1] nat outbound 2000 address-group 1

[NAT2-GigabitEthernet0/0/1] quit

# Set the PAT mapping mode to EIM (endpoint-independent mapping): packets that match ACL 2000 and come from the same source address and port are translated to the same external address and port regardless of their destination. ADVPN depends on this, because the public address and port that Spoke1 registers with the VAM Server while talking to the server must remain the ones at which Hubs and other Spokes can reach it.

[NAT2] nat mapping-behavior endpoint-independent acl 2000

11. Configure NAT3

The configuration of NAT3 is similar to that of NAT2 and is omitted here; its address group holds 1.0.0.3, the public address at which Spoke2 appears in the verification output below.

12. Configure NAT4

(1)     Configure IP addresses for the interfaces (omitted)

(2)     Configure NAT internal servers

# On GigabitEthernet0/0/1, configure NAT internal servers so that external VAM Clients can reach the internal VAM Servers through address 1.0.0.4. VAM packets use source UDP port 18000; the NAT-mapped external ports of the primary and secondary VAM Servers are 4001 and 4002 respectively.

<NAT4> system-view

[NAT4] interface gigabitethernet 0/0/1

[NAT4-GigabitEthernet0/0/1] nat server protocol udp global current-interface 4001 inside 10.0.0.3 18000

[NAT4-GigabitEthernet0/0/1] nat server protocol udp global current-interface 4002 inside 10.0.0.4 18000
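The NAT traversal in this example only works if every public (address, port) pair that a device is told about lands on the intended inside host and service port after translation: the Hubs' public-address and advpn-port entries on the VAM Server must match the NAT1 nat server entries for UDP 18001, and the server primary and server secondary entries on every VAM Client must match the NAT4 entries for UDP 18000. The following Python script, an added example that is not part of this guide or of H3C's software, models these mappings and checks them before the devices are brought up. It assumes, from the nat server lines on NAT1 and NAT4, that Hub1 and Hub2 own inside addresses 10.0.0.2 and 10.0.0.3 behind NAT1 and that the primary and secondary VAM Servers own 10.0.0.3 and 10.0.0.4 behind NAT4; the tables at the top are the only thing to change for another deployment.

```python
"""Consistency check of the static NAT mappings used for ADVPN traversal.

Added example for this guide (not H3C code). All values are copied from the
configuration on this page; the inside addresses of the Hubs and of the VAM
Servers are taken from the 'nat server' lines on NAT1 and NAT4 (assumption).
"""
from dataclasses import dataclass

VAM_PORT = 18000    # UDP port of the VAM protocol on the server side
ADVPN_PORT = 18001  # default UDP port of ADVPN data packets


@dataclass(frozen=True)
class NatServer:
    """One 'nat server protocol udp global <ip> <port> inside <ip> <port>' entry."""
    global_ip: str
    global_port: int
    inside_ip: str
    inside_port: int


# NAT1 (GE0/0/1 = 1.0.0.1) and NAT4 (GE0/0/1 = 1.0.0.4) static mappings
NAT_SERVERS = (
    NatServer("1.0.0.1", 4001, "10.0.0.2", ADVPN_PORT),  # NAT1 -> Hub1
    NatServer("1.0.0.1", 4002, "10.0.0.3", ADVPN_PORT),  # NAT1 -> Hub2
    NatServer("1.0.0.4", 4001, "10.0.0.3", VAM_PORT),    # NAT4 -> primary VAM Server
    NatServer("1.0.0.4", 4002, "10.0.0.4", VAM_PORT),    # NAT4 -> secondary VAM Server
)

# 'hub private-address X public-address Y advpn-port Z' on the VAM Server, plus the
# inside address each Hub is expected to own behind NAT1 (assumed from the NAT1 lines)
HUBS = {
    "192.168.0.1": {"public": ("1.0.0.1", 4001), "inside": "10.0.0.2"},
    "192.168.0.2": {"public": ("1.0.0.1", 4002), "inside": "10.0.0.3"},
}

# 'server primary/secondary ip-address A port P' on every VAM Client, and the
# inside addresses of the two VAM Servers behind NAT4 (assumed from the NAT4 lines)
CLIENT_SERVERS = (("1.0.0.4", 4001), ("1.0.0.4", 4002))
VAM_SERVERS_INSIDE = {"10.0.0.3", "10.0.0.4"}


def resolve(table, global_ip, global_port):
    """Return the (inside_ip, inside_port) that global_ip:global_port maps to, or None."""
    for m in table:
        if (m.global_ip, m.global_port) == (global_ip, global_port):
            return (m.inside_ip, m.inside_port)
    return None


def check_unique_globals(table):
    """A global (ip, port) pair that appears twice is ambiguous: report it."""
    seen, problems = set(), []
    for m in table:
        key = (m.global_ip, m.global_port)
        if key in seen:
            problems.append(f"duplicate global mapping {key[0]}:{key[1]}")
        seen.add(key)
    return problems


def check_hubs(table=NAT_SERVERS, hubs=HUBS):
    """Each Hub entry on the VAM Server must translate to that Hub's inside address on UDP 18001."""
    problems = []
    for tunnel_ip, hub in hubs.items():
        expected = (hub["inside"], ADVPN_PORT)
        got = resolve(table, *hub["public"])
        if got != expected:
            problems.append(f"hub {tunnel_ip}: {hub['public']} reaches {got}, expected {expected}")
    return problems


def check_client_servers(table=NAT_SERVERS, servers=CLIENT_SERVERS, inside=VAM_SERVERS_INSIDE):
    """Each server entry given to the clients must translate to a VAM Server on UDP 18000,
    and together the entries must reach every VAM Server (no silent loss of redundancy)."""
    problems, reached = [], set()
    for pub in servers:
        got = resolve(table, *pub)
        if got is None or got[1] != VAM_PORT or got[0] not in inside:
            problems.append(f"client server entry {pub[0]}:{pub[1]} reaches {got}, "
                            f"expected a VAM Server on UDP {VAM_PORT}")
        else:
            reached.add(got[0])
    for missing in sorted(inside - reached):
        problems.append(f"VAM Server {missing} is not reachable through any client server entry")
    return problems


def run_all(table=NAT_SERVERS):
    """All checks over one NAT table; an empty list means the mappings are consistent."""
    return check_unique_globals(table) + check_hubs(table) + check_client_servers(table)


if __name__ == "__main__":
    for p in run_all() or ["all NAT mappings consistent"]:
        print(p)
    # A typical slip: NAT1 maps port 4002 to Hub1's inside address instead of Hub2's.
    broken = NAT_SERVERS[:1] + (NatServer("1.0.0.1", 4002, "10.0.0.2", ADVPN_PORT),) + NAT_SERVERS[2:]
    for p in run_all(broken):
        print("broken:", p)
```

The same table drives all three checks, so a mis-typed inside address or a port swapped between the two Hubs shows up as a named problem rather than as a Hub that registers but never receives tunnel traffic.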

13. Verify the configuration

# Display the IPv4 private address mapping information of all VAM Clients registered with the primary VAM Server.

[PrimaryServer] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.0.0.1                     Hub    Yes  0H 52M  7S

0          192.168.0.2      1.0.0.1                     Hub    Yes  0H 47M 31S

0          192.168.0.3      1.0.0.2                     Spoke  Yes  0H 28M 25S

0          192.168.0.4      1.0.0.3                     Spoke  Yes  0H 19M 15S

# Display the IPv4 private address mapping information of all VAM Clients registered with the secondary VAM Server.

[SecondaryServer] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.0.0.1                     Hub    Yes  0H 52M  7S

0          192.168.0.2      1.0.0.1                     Hub    Yes  0H 47M 31S

0          192.168.0.3      1.0.0.2                     Spoke  Yes  0H 28M 25S

0          192.168.0.4      1.0.0.3                     Spoke  Yes  0H 19M 15S

The output shows that Hub1, Hub2, Spoke1 and Spoke2 have all registered their address mappings with both VAM Servers and that every node is marked as being behind NAT. Both Hubs are reported at public address 1.0.0.1, the address of NAT1 (the VAM Server tells them apart by their ADVPN ports 4001 and 4002), while each Spoke is reported at the public address of its own NAT device.

# Display IPv4 ADVPN tunnel information on Hub1.

[Hub1] display advpn session

Interface         : Tunnel1

Number of sessions: 3

Private address  Public address              Port  Type  State      Holding time

192.168.0.2      1.0.0.1                     4002  H-H   Success    0H 46M  8S

192.168.0.3      1.0.0.2                     2001  H-S   Success    0H 27M 27S

192.168.0.4      1.0.0.3                     2001  H-S   Success    0H 18M 18S

The output shows that Hub1 has established a permanent Hub-Hub tunnel with Hub2 and permanent Hub-Spoke tunnels with Spoke1 and Spoke2. The Spokes appear with public port 2001, a port assigned by NAT2 and NAT3 rather than the ADVPN default 18001; the EIM mapping mode on those NAT devices is what keeps that port valid for traffic from any peer. The output on Hub2 is similar.

# Display IPv4 ADVPN tunnel information on Spoke1.

[Spoke1] display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address  Public address              Port  Type  State      Holding time

192.168.0.1      1.0.0.1                     4001  S-H   Success    0H 46M  8S

192.168.0.2      1.0.0.1                     4002  S-H   Success    0H 46M  8S

The output shows that Spoke1 has established permanent Hub-Spoke tunnels with Hub1 and Hub2 and, as expected before any Spoke-to-Spoke traffic, no tunnel to Spoke2. The output on Spoke2 is similar.

# Ping the private address of Spoke2, 192.168.0.4, from Spoke1.

[Spoke1] ping 192.168.0.4

Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break

56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms

56 bytes from 192.168.0.4: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 192.168.0.4: icmp_seq=4 ttl=255 time=1.000 ms

 

--- Ping statistics for 192.168.0.4 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms

# Display IPv4 ADVPN tunnel information on Spoke1 again.

[Spoke1] display advpn session

Interface         : Tunnel1

Number of sessions: 3

Private address  Public address              Port  Type  State      Holding time

192.168.0.1      1.0.0.1                     4001  S-H   Success    0H 46M  8S

192.168.0.2      1.0.0.1                     4002  S-H   Success    0H 46M  8S

192.168.0.4      1.0.0.3                     2001  S-S   Success    0H  0M  1S

The output shows that Spoke1 still has the permanent Hub-Spoke tunnels to Hub1 and Hub2 and has now established a dynamic Spoke-Spoke tunnel to Spoke2 (type S-S, holding time 1 second), triggered by the ping. This tunnel is removed again once it carries no traffic for the Spoke-Spoke tunnel idle timeout. The output on Spoke2 is similar.
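The verification step above is read by eye. When the same state has to be checked repeatedly, for example after a NAT device or a VAM Server is replaced, the two display outputs can be parsed and compared with what this example says they should contain. The following Python script is an added example, not code from this guide or from H3C; the sample outputs embedded in it are the texts shown on this page, and the checks encode the three conditions the text states: all four nodes are registered with the types the VAM Server was given, a Spoke holds an established S-H session to every Hub, and a fresh S-S session appears after Spoke1 pings Spoke2. The column layout of the regular expressions is taken from these outputs only, so treat it as an assumption for other software versions.

```python
"""Parse 'display vam server address-map' and 'display advpn session' output and
check the ADVPN state expected in this example.

Added example for this guide (not H3C code). The sample outputs below are the
texts shown on this page; the regular expressions assume that column layout.
"""
import re
from dataclasses import dataclass

ADDRESS_MAP = """\
ADVPN domain name: abc
Total private address mappings: 4
Group      Private address  Public address              Type   NAT  Holding time
0          192.168.0.1      1.0.0.1                     Hub    Yes  0H 52M  7S
0          192.168.0.2      1.0.0.1                     Hub    Yes  0H 47M 31S
0          192.168.0.3      1.0.0.2                     Spoke  Yes  0H 28M 25S
0          192.168.0.4      1.0.0.3                     Spoke  Yes  0H 19M 15S
"""

SPOKE1_SESSIONS = """\
Interface         : Tunnel1
Number of sessions: 3
Private address  Public address              Port  Type  State      Holding time
192.168.0.1      1.0.0.1                     4001  S-H   Success    0H 46M  8S
192.168.0.2      1.0.0.1                     4002  S-H   Success    0H 46M  8S
192.168.0.4      1.0.0.3                     2001  S-S   Success    0H  0M  1S
"""

_HOLD = r"(\d+)H\s+(\d+)M\s+(\d+)S"
MAP_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(Hub|Spoke)\s+(Yes|No)\s+" + _HOLD + r"\s*$")
SESS_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(H-H|H-S|S-H|S-S)\s+(\S+)\s+" + _HOLD + r"\s*$")


@dataclass(frozen=True)
class Mapping:
    group: int
    private: str
    public: str
    kind: str      # "Hub" or "Spoke"
    nat: bool      # NAT column
    held: int      # holding time in seconds


@dataclass(frozen=True)
class Session:
    private: str
    public: str
    port: int      # public UDP port of the peer (NAT-assigned for Spokes here)
    kind: str      # H-H, H-S, S-H or S-S
    state: str
    held: int


def _secs(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)


def parse_address_map(text):
    """Return (advertised total, rows) for 'display vam server address-map'."""
    total, rows = None, []
    for line in text.splitlines():
        if line.startswith("Total private address mappings:"):
            total = int(line.split(":")[1])
            continue
        m = MAP_RE.match(line)
        if m:
            g, priv, pub, kind, nat, h, mi, s = m.groups()
            rows.append(Mapping(int(g), priv, pub, kind, nat == "Yes", _secs(h, mi, s)))
    return total, rows


def parse_sessions(text):
    """Return (advertised count, rows) for 'display advpn session'."""
    count, rows = None, []
    for line in text.splitlines():
        if line.startswith("Number of sessions:"):
            count = int(line.split(":")[1])
            continue
        m = SESS_RE.match(line)
        if m:
            priv, pub, port, kind, state, h, mi, s = m.groups()
            rows.append(Session(priv, pub, int(port), kind, state, _secs(h, mi, s)))
    return count, rows


def check_registration(text, hubs, spokes):
    """Every expected Hub and Spoke must be registered, Hubs with type Hub."""
    total, rows = parse_address_map(text)
    problems = []
    if total != len(rows):
        problems.append(f"header says {total} mappings, parsed {len(rows)}")
    by_private = {r.private: r for r in rows}
    for ip in hubs:
        if ip not in by_private:
            problems.append(f"hub {ip} not registered")
        elif by_private[ip].kind != "Hub":
            problems.append(f"{ip} registered as {by_private[ip].kind}, expected Hub")
    for ip in spokes:
        if ip not in by_private:
            problems.append(f"spoke {ip} not registered")
    return problems


def check_spoke_sessions(text, hubs):
    """A Spoke must hold a Success S-H session to every Hub. Returns (problems, dynamic peers),
    where dynamic peers are the private addresses reached over S-S tunnels."""
    count, rows = parse_sessions(text)
    problems = []
    if count != len(rows):
        problems.append(f"header says {count} sessions, parsed {len(rows)}")
    up = {r.private for r in rows if r.kind == "S-H" and r.state == "Success"}
    for ip in hubs:
        if ip not in up:
            problems.append(f"no established tunnel to hub {ip}")
    dynamic = sorted(r.private for r in rows if r.kind == "S-S" and r.state == "Success")
    return problems, dynamic


if __name__ == "__main__":
    hubs, spokes = ["192.168.0.1", "192.168.0.2"], ["192.168.0.3", "192.168.0.4"]
    print(check_registration(ADDRESS_MAP, hubs, spokes) or "registration OK")
    print(check_spoke_sessions(SPOKE1_SESSIONS, hubs))
```

Feeding the script the same output captured from the secondary VAM Server checks that both servers hold the same four mappings; feeding it a Spoke's session output taken a little after the idle timeout should show the S-S entry gone again while the two S-H entries remain.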

The documentation differs slightly between product models; for details, contact your sales representative or the 400 hotline. H3C reserves the right to modify the contents of this documentation without notice.
