

03 - H3C MSR Series Routers: MPLS over ADVPN Configuration Examples


ADVPN over MPLS Configuration Examples
Copyright © 2024 bobty下载软件. All rights reserved.

No part of this document may be excerpted, reproduced or transmitted in any form by any organization or individual without the prior written permission of the company.

Trademarks other than those of bobty下载软件 that appear in this manual, and the product identifiers and trade names of other companies, are the property of their respective owners.

The information in this document is subject to change without notice.



1 ADVPN over MPLS Configuration Example

1.1  Overview

MPLS (Multiprotocol Label Switching) is a widely deployed backbone network technology. It introduces connection-oriented label switching into the connectionless IP network, combining Layer 3 routing with Layer 2 switching so that it keeps the flexibility of IP routing while gaining the simplicity of Layer 2 switching.

LDP (Label Distribution Protocol) is used to establish LSPs dynamically. Through LDP, an LSR maps network-layer IP routing information onto MPLS label switched paths.

ADVPN (Auto Discovery Virtual Private Network) is a dynamic VPN technology based on the VAM (VPN Address Management) protocol.

ADVPN over MPLS lets an enterprise whose branches attach to an MPLS LDP public network with dynamically assigned addresses use ADVPN to build VPN tunnels between those branches.

1.2  Full-Mesh ADVPN over MPLS Configuration Example (Routing)

1.2.1  Applicable Products and Versions

This example was configured and verified on an MSR3610-X1 router running Release 6749.

1.2.2  Network Requirements

·     Hub, Spoke, Router and Server establish LSPs dynamically through MPLS LDP, so that traffic between the loopback addresses of these devices is carried over MPLS.

·     In the IPv4 full-mesh topology, the primary and secondary VAM servers manage and maintain the information of every node; the AAA server authenticates the VAM clients and performs accounting; the two hubs back each other up and are responsible for forwarding data and exchanging routing information.

·     Each spoke establishes permanent ADVPN tunnels to the hubs.

·     Within the same ADVPN domain, any two spokes establish an ADVPN tunnel dynamically when there is traffic between them.

Table 1-1 IPv4 full-mesh ADVPN over MPLS network (interface addressing)

Device            Interface   IP address
Hub 1             GE1/0/1     1.5.1.1/30
                  Loopback0   1.1.1.1/32
                  Tunnel1     192.168.0.1/24
Hub 2             GE1/0/1     2.5.1.1/30
                  Loopback0   2.2.2.2/32
                  Tunnel1     192.168.0.2/24
Router            GE1/0/1     1.5.1.2/30
                  GE1/0/2     2.5.1.2/30
                  GE1/0/3     3.5.1.2/30
                  GE1/0/4     4.5.1.2/30
                  GE1/0/5     5.6.1.1/24
                  Loopback0   5.5.5.5/32
AAA server        -           5.6.1.2/24
Spoke 1           GE1/0/1     3.5.1.1/30
                  Loopback0   3.3.3.3/32
                  Tunnel1     192.168.0.3/24
                  GE1/0/2     192.168.1.1/24
Spoke 2           GE1/0/1     4.5.1.1/30
                  Loopback0   4.4.4.4/32
                  Tunnel1     192.168.0.4/24
                  GE1/0/2     192.168.2.1/24
Primary server    GE1/0/1     5.6.1.3/24
                  Loopback0   6.6.6.6/32
Secondary server  GE1/0/1     5.6.1.4/24
                  Loopback0   7.7.7.7/32

1.2.3  Configuration Procedure

1. Configure the primary VAM server

(1)     Configure interface IP addresses

# Assign IP addresses to the interfaces as planned in the network diagram.

<Primary server> system-view

[Primary server] interface gigabitethernet 1/0/1

[Primary server-GigabitEthernet1/0/1] ip address 5.6.1.3 24

[Primary server-GigabitEthernet1/0/1] quit

[Primary server] interface loopback 0

[Primary server-LoopBack0] ip address 6.6.6.6 32

[Primary server-LoopBack0] quit

(2)     Configure public-network OSPF routing

# Configure OSPF process 1 to advertise the public-network routes.

[Primary server] ospf 1

[Primary server-ospf-1] area 0

[Primary server-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0

[Primary server-ospf-1-area-0.0.0.0] network 5.6.1.3 0.0.0.255

[Primary server-ospf-1-area-0.0.0.0] quit

[Primary server-ospf-1] quit

(3)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally.

[Primary server] mpls lsr-id 6.6.6.6

[Primary server] mpls ldp

[Primary server-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.

[Primary server] interface gigabitethernet 1/0/1

[Primary server-GigabitEthernet1/0/1] mpls enable

[Primary server-GigabitEthernet1/0/1] mpls ldp enable

[Primary server-GigabitEthernet1/0/1] quit

(4)     Configure AAA authentication

# Configure a RADIUS scheme.

[Primary server] radius scheme abc

[Primary server-radius-abc] primary authentication 5.6.1.2 1812

[Primary server-radius-abc] primary accounting 5.6.1.2 1813

[Primary server-radius-abc] key authentication simple 123

[Primary server-radius-abc] key accounting simple 123

[Primary server-radius-abc] user-name-format without-domain

[Primary server-radius-abc] quit

[Primary server] radius session-control enable

# Configure the AAA methods of the ISP domain.

[Primary server] domain abc

[Primary server-isp-abc] authentication advpn radius-scheme abc

[Primary server-isp-abc] accounting advpn radius-scheme abc

[Primary server-isp-abc] quit

[Primary server] domain default enable abc

(5)     Configure the VAM server

# Create ADVPN domain abc.

[Primary server] vam server advpn-domain abc id 1

# Create hub group 0.

[Primary server-vam-server-domain-abc] hub-group 0

# Specify the IPv4 private addresses of the hubs in the hub group.

[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1

[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

# Specify the IPv4 private address range of the spokes in the hub group.

[Primary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24

[Primary server-vam-server-domain-abc-hub-group-0] quit

# Set the VAM server pre-shared key to 123456.

[Primary server-vam-server-domain-abc] pre-shared-key simple 123456

# Authenticate VAM clients with CHAP.

[Primary server-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[Primary server-vam-server-domain-abc] server enable

[Primary server-vam-server-domain-abc] quit

2. Configure the secondary VAM server

(1)     Configure interface IP addresses

# Assign IP addresses to the interfaces as planned in the network diagram.

<Secondary server> system-view

[Secondary server] interface gigabitethernet 1/0/1

[Secondary server-GigabitEthernet1/0/1] ip address 5.6.1.4 24

[Secondary server-GigabitEthernet1/0/1] quit

[Secondary server] interface loopback 0

[Secondary server-LoopBack0] ip address 7.7.7.7 32

[Secondary server-LoopBack0] quit

(2)     Configure public-network OSPF routing

# Configure OSPF process 1 to advertise the public-network routes.

[Secondary server] ospf 1

[Secondary server-ospf-1] area 0

[Secondary server-ospf-1-area-0.0.0.0] network 7.7.7.7 0.0.0.0

[Secondary server-ospf-1-area-0.0.0.0] network 5.6.1.4 0.0.0.255

[Secondary server-ospf-1-area-0.0.0.0] quit

[Secondary server-ospf-1] quit

(3)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally.

[Secondary server] mpls lsr-id 7.7.7.7

[Secondary server] mpls ldp

[Secondary server-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.

[Secondary server] interface gigabitethernet 1/0/1

[Secondary server-GigabitEthernet1/0/1] mpls enable

[Secondary server-GigabitEthernet1/0/1] mpls ldp enable

[Secondary server-GigabitEthernet1/0/1] quit

(4)     Configure AAA authentication

# Configure a RADIUS scheme.

[Secondary server] radius scheme abc

[Secondary server-radius-abc] primary authentication 5.6.1.2 1812

[Secondary server-radius-abc] primary accounting 5.6.1.2 1813

[Secondary server-radius-abc] key authentication simple 123

[Secondary server-radius-abc] key accounting simple 123

[Secondary server-radius-abc] user-name-format without-domain

[Secondary server-radius-abc] quit

[Secondary server] radius session-control enable

# Configure the AAA methods of the ISP domain.

[Secondary server] domain abc

[Secondary server-isp-abc] authentication advpn radius-scheme abc

[Secondary server-isp-abc] accounting advpn radius-scheme abc

[Secondary server-isp-abc] quit

[Secondary server] domain default enable abc

(5)     Configure the VAM server

# Create ADVPN domain abc.

[Secondary server] vam server advpn-domain abc id 1

# Create hub group 0.

[Secondary server-vam-server-domain-abc] hub-group 0

# Specify the IPv4 private addresses of the hubs in the hub group.

[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1

[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

# Specify the IPv4 private address range of the spokes in the hub group.

[Secondary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24

[Secondary server-vam-server-domain-abc-hub-group-0] quit

# Set the VAM server pre-shared key to 123456.

[Secondary server-vam-server-domain-abc] pre-shared-key simple 123456

# Authenticate VAM clients with CHAP.

[Secondary server-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for the ADVPN domain.

[Secondary server-vam-server-domain-abc] server enable

[Secondary server-vam-server-domain-abc] quit

3. Configure Router

(1)     Configure interface IP addresses

# Assign IP addresses to the interfaces as planned in the network diagram.

<Router> system-view

[Router] interface gigabitethernet 1/0/1

[Router-GigabitEthernet1/0/1] ip address 1.5.1.2 30

[Router-GigabitEthernet1/0/1] quit

[Router] interface gigabitethernet 1/0/2

[Router-GigabitEthernet1/0/2] ip address 2.5.1.2 30

[Router-GigabitEthernet1/0/2] quit

[Router] interface gigabitethernet 1/0/3

[Router-GigabitEthernet1/0/3] ip address 3.5.1.2 30

[Router-GigabitEthernet1/0/3] quit

[Router] interface gigabitethernet 1/0/4

[Router-GigabitEthernet1/0/4] ip address 4.5.1.2 30

[Router-GigabitEthernet1/0/4] quit

[Router] interface gigabitethernet 1/0/5

[Router-GigabitEthernet1/0/5] ip address 5.6.1.1 24

[Router-GigabitEthernet1/0/5] quit

[Router] interface loopback 0

[Router-LoopBack0] ip address 5.5.5.5 32

[Router-LoopBack0] quit

(2)     Configure public-network OSPF routing

# Configure OSPF process 1 to advertise the public-network routes.

[Router] ospf 1

[Router-ospf-1] area 0

[Router-ospf-1-area-0.0.0.0] network 1.5.1.0 0.0.0.3

[Router-ospf-1-area-0.0.0.0] network 2.5.1.0 0.0.0.3

[Router-ospf-1-area-0.0.0.0] network 3.5.1.0 0.0.0.3

[Router-ospf-1-area-0.0.0.0] network 4.5.1.0 0.0.0.3

[Router-ospf-1-area-0.0.0.0] network 5.6.1.0 0.0.0.255

[Router-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0

[Router-ospf-1-area-0.0.0.0] quit

[Router-ospf-1] quit

(3)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally.

[Router] mpls lsr-id 5.5.5.5

[Router] mpls ldp

[Router-ldp] quit

# Enable MPLS and IPv4 LDP on all five public-network interfaces.

[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5

[Router-if-range] mpls enable

[Router-if-range] mpls ldp enable

[Router-if-range] quit

4. Configure Hub1

(1)     Configure interface IP addresses

# Assign IP addresses to the interfaces as planned in the network diagram.

<Hub1> system-view

[Hub1] interface gigabitethernet 1/0/1

[Hub1-GigabitEthernet1/0/1] ip address 1.5.1.1 30

[Hub1-GigabitEthernet1/0/1] quit

[Hub1] interface loopback 0

[Hub1-LoopBack0] ip address 1.1.1.1 32

[Hub1-LoopBack0] quit

(2)     Configure public-network OSPF routing

# Configure OSPF process 1 to advertise the public-network routes.

[Hub1] ospf 1

[Hub1-ospf-1] area 0

[Hub1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0

[Hub1-ospf-1-area-0.0.0.0] network 1.5.1.1 0.0.0.3

[Hub1-ospf-1-area-0.0.0.0] quit

[Hub1-ospf-1] quit

(3)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally.

[Hub1] mpls lsr-id 1.1.1.1

[Hub1] mpls ldp

[Hub1-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.

[Hub1] interface gigabitethernet 1/0/1

[Hub1-GigabitEthernet1/0/1] mpls enable

[Hub1-GigabitEthernet1/0/1] mpls ldp enable

[Hub1-GigabitEthernet1/0/1] quit

(4)     Configure the VAM client

# Create VAM client Hub1.

[Hub1] vam client name Hub1

# Assign the VAM client to ADVPN domain abc.

[Hub1-vam-client-Hub1] advpn-domain abc

# Set the VAM client pre-shared key to 123456.

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set the VAM client authentication username to hub1 and the password to hub1.

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Specify the IP addresses of the primary and secondary VAM servers.

[Hub1-vam-client-Hub1] server primary ip-address 6.6.6.6

[Hub1-vam-client-Hub1] server secondary ip-address 7.7.7.7

# Enable the VAM client.

[Hub1-vam-client-Hub1] client enable

[Hub1-vam-client-Hub1] quit

(5)     Configure the IPsec profile

# Configure the IKE profile.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec transform set and profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode transport

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

(6)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.

[Hub1] interface tunnel 1 mode advpn gre

[Hub1-Tunnel1] ip address 192.168.0.1 24

[Hub1-Tunnel1] vam client Hub1

[Hub1-Tunnel1] ospf network-type broadcast

[Hub1-Tunnel1] source loopback 0

[Hub1-Tunnel1] tunnel protection ipsec profile abc

[Hub1-Tunnel1] quit

(7)     Configure OSPF routing

# Configure routing for the private network.

[Hub1] ospf 2

[Hub1-ospf-2] area 0

[Hub1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub1-ospf-2-area-0.0.0.0] quit

[Hub1-ospf-2] quit

5. Configure Hub2

(1)     Configure interface IP addresses

# Assign IP addresses to the interfaces as planned in the network diagram.

<Hub2> system-view

[Hub2] interface gigabitethernet 1/0/1

[Hub2-GigabitEthernet1/0/1] ip address 2.5.1.1 30

[Hub2-GigabitEthernet1/0/1] quit

[Hub2] interface loopback 0

[Hub2-LoopBack0] ip address 2.2.2.2 32

[Hub2-LoopBack0] quit

(2)     Configure public-network OSPF routing

# Configure OSPF process 1 to advertise the public-network routes.

[Hub2] ospf 1

[Hub2-ospf-1] area 0

[Hub2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0

[Hub2-ospf-1-area-0.0.0.0] network 2.5.1.1 0.0.0.3

[Hub2-ospf-1-area-0.0.0.0] quit

[Hub2-ospf-1] quit

(3)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally.

[Hub2] mpls lsr-id 2.2.2.2

[Hub2] mpls ldp

[Hub2-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.

[Hub2] interface gigabitethernet 1/0/1

[Hub2-GigabitEthernet1/0/1] mpls enable

[Hub2-GigabitEthernet1/0/1] mpls ldp enable

[Hub2-GigabitEthernet1/0/1] quit

(4)     Configure the VAM client

# Create VAM client Hub2.

[Hub2] vam client name Hub2

# Assign the VAM client to ADVPN domain abc.

[Hub2-vam-client-Hub2] advpn-domain abc

# Set the VAM client pre-shared key to 123456.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set the VAM client authentication username to hub2 and the password to hub2.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Specify the IP addresses of the primary and secondary VAM servers.

[Hub2-vam-client-Hub2] server primary ip-address 6.6.6.6

[Hub2-vam-client-Hub2] server secondary ip-address 7.7.7.7

# Enable the VAM client.

[Hub2-vam-client-Hub2] client enable

[Hub2-vam-client-Hub2] quit

(5)     Configure the IPsec profile

# Configure the IKE profile.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec transform set and profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode transport

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

(6)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.

[Hub2] interface tunnel 1 mode advpn gre

[Hub2-Tunnel1] ip address 192.168.0.2 24

[Hub2-Tunnel1] vam client Hub2

[Hub2-Tunnel1] ospf network-type broadcast

[Hub2-Tunnel1] source loopback 0

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] quit

(7)     Configure OSPF routing

# Configure routing for the private network.

[Hub2] ospf 2

[Hub2-ospf-2] area 0

[Hub2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub2-ospf-2-area-0.0.0.0] quit

[Hub2-ospf-2] quit

6. Configure Spoke1

(1)     Configure interface IP addresses

# Assign IP addresses to the interfaces as planned in the network diagram.

<Spoke1> system-view

[Spoke1] interface gigabitethernet 1/0/1

[Spoke1-GigabitEthernet1/0/1] ip address 3.5.1.1 30

[Spoke1-GigabitEthernet1/0/1] quit

[Spoke1] interface gigabitethernet 1/0/2

[Spoke1-GigabitEthernet1/0/2] ip address 192.168.1.1 24

[Spoke1-GigabitEthernet1/0/2] quit

[Spoke1] interface loopback 0

[Spoke1-LoopBack0] ip address 3.3.3.3 32

[Spoke1-LoopBack0] quit

(2)     Configure public-network OSPF routing

# Configure OSPF process 1 to advertise the public-network routes.

[Spoke1] ospf 1

[Spoke1-ospf-1] area 0

[Spoke1-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0

[Spoke1-ospf-1-area-0.0.0.0] network 3.5.1.1 0.0.0.3

[Spoke1-ospf-1-area-0.0.0.0] quit

[Spoke1-ospf-1] quit

(3)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally.

[Spoke1] mpls lsr-id 3.3.3.3

[Spoke1] mpls ldp

[Spoke1-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.

[Spoke1] interface gigabitethernet 1/0/1

[Spoke1-GigabitEthernet1/0/1] mpls enable

[Spoke1-GigabitEthernet1/0/1] mpls ldp enable

[Spoke1-GigabitEthernet1/0/1] quit

(4)     Configure the VAM client

# Create VAM client Spoke1.

[Spoke1] vam client name Spoke1

# Assign the VAM client to ADVPN domain abc.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the VAM client pre-shared key to 123456.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set the VAM client authentication username to spoke1 and the password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the IP addresses of the primary and secondary VAM servers.

[Spoke1-vam-client-Spoke1] server primary ip-address 6.6.6.6

[Spoke1-vam-client-Spoke1] server secondary ip-address 7.7.7.7

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

(5)     Configure the IPsec profile

# Configure the IKE profile.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec transform set and profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

(6)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1. The DR priority of 0 keeps the spoke from becoming OSPF DR or BDR on the tunnel network.

[Spoke1] interface tunnel 1 mode advpn gre

[Spoke1-Tunnel1] ip address 192.168.0.3 24

[Spoke1-Tunnel1] vam client Spoke1

[Spoke1-Tunnel1] ospf network-type broadcast

[Spoke1-Tunnel1] ospf dr-priority 0

[Spoke1-Tunnel1] source loopback 0

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

(7)     Configure OSPF routing

# Configure routing for the private network.

[Spoke1] ospf 2

[Spoke1-ospf-2] area 0

[Spoke1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Spoke1-ospf-2-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[Spoke1-ospf-2-area-0.0.0.0] quit

[Spoke1-ospf-2] quit

7. Configure Spoke2

(1)     Configure interface IP addresses

# Assign IP addresses to the interfaces as planned in the network diagram.

<Spoke2> system-view

[Spoke2] interface gigabitethernet 1/0/1

[Spoke2-GigabitEthernet1/0/1] ip address 4.5.1.1 30

[Spoke2-GigabitEthernet1/0/1] quit

[Spoke2] interface gigabitethernet 1/0/2

[Spoke2-GigabitEthernet1/0/2] ip address 192.168.2.1 24

[Spoke2-GigabitEthernet1/0/2] quit

[Spoke2] interface loopback 0

[Spoke2-LoopBack0] ip address 4.4.4.4 32

[Spoke2-LoopBack0] quit

(2)     Configure public-network OSPF routing

# Configure OSPF process 1 to advertise the public-network routes.

[Spoke2] ospf 1

[Spoke2-ospf-1] area 0

[Spoke2-ospf-1-area-0.0.0.0] network 4.4.4.4 0.0.0.0

[Spoke2-ospf-1-area-0.0.0.0] network 4.5.1.1 0.0.0.3

[Spoke2-ospf-1-area-0.0.0.0] quit

[Spoke2-ospf-1] quit

(3)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally.

[Spoke2] mpls lsr-id 4.4.4.4

[Spoke2] mpls ldp

[Spoke2-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.

[Spoke2] interface gigabitethernet 1/0/1

[Spoke2-GigabitEthernet1/0/1] mpls enable

[Spoke2-GigabitEthernet1/0/1] mpls ldp enable

[Spoke2-GigabitEthernet1/0/1] quit

(4)     Configure the VAM client

# Create VAM client Spoke2.

[Spoke2] vam client name Spoke2

# Assign the VAM client to ADVPN domain abc.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the VAM client pre-shared key to 123456.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set the VAM client authentication username to spoke2 and the password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the IP addresses of the primary and secondary VAM servers.

[Spoke2-vam-client-Spoke2] server primary ip-address 6.6.6.6

[Spoke2-vam-client-Spoke2] server secondary ip-address 7.7.7.7

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

(5)     Configure the IPsec profile

# Configure the IKE profile.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec transform set and profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

(6)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1. The DR priority of 0 keeps the spoke from becoming OSPF DR or BDR on the tunnel network.

[Spoke2] interface tunnel 1 mode advpn gre

[Spoke2-Tunnel1] ip address 192.168.0.4 24

[Spoke2-Tunnel1] vam client Spoke2

[Spoke2-Tunnel1] ospf network-type broadcast

[Spoke2-Tunnel1] ospf dr-priority 0

[Spoke2-Tunnel1] source loopback 0

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit

(7)     Configure OSPF routing

# Configure routing for the private network.

[Spoke2] ospf 2

[Spoke2-ospf-2] area 0

[Spoke2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Spoke2-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[Spoke2-ospf-2-area-0.0.0.0] quit

[Spoke2-ospf-2] quit

1.2.4  Verifying the Configuration

# Display the IPv4 private address mappings of all VAM clients registered with the primary VAM server.

[Primaryserver] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.1.1.1                     Hub    No   0H 10M 30S

0          192.168.0.2      2.2.2.2                     Hub    No   0H 10M 31S

0          192.168.0.3      3.3.3.3                     Spoke  No   0H 9M 27S

0          192.168.0.4      4.4.4.4                     Spoke  No   0H 9M 51S

# Display the IPv4 private address mappings of all VAM clients registered with the secondary VAM server.

[Secondaryserver] display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.1.1.1                     Hub    No   0H 11M 49S

0          192.168.0.2      2.2.2.2                     Hub    No   0H 11M 50S

0          192.168.0.3      3.3.3.3                     Spoke  No   0H 10M 45S

0          192.168.0.4      4.4.4.4                     Spoke  No   0H 11M 10S

The output shows that Hub1, Hub2, Spoke1 and Spoke2 have all registered their address mappings with both VAM servers.

# Display IPv4 ADVPN tunnel information on Hub1.

[Hub1] display advpn session

Interface         : Tunnel1

Number of sessions: 3

Private address      Public address       Port  Type  State        Holding time

192.168.0.2          2.2.2.2              --    H-H   Success      0H 12M 23S

192.168.0.3          3.3.3.3              --    H-S   Success      0H 11M 19S

192.168.0.4          4.4.4.4              --    H-S   Success      0H 11M 44S

The output shows that Hub1 has established permanent tunnels with Hub2, Spoke1 and Spoke2. The output on Hub2 is similar.

# Display IPv4 ADVPN tunnel information on Spoke1.

[Spoke1] display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address      Public address       Port  Type  State        Holding time

192.168.0.1          1.1.1.1              --    S-H   Success      0H 11M 0S

192.168.0.2          2.2.2.2              --    S-H   Success      0H 11M 0S

The output shows that Spoke1 has established permanent hub-spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar.

# On Spoke1, ping the private address 192.168.2.1 of Spoke2.

[Spoke1] ping -a 192.168.1.1 192.168.2.1

Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break

56 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=2.000 ms

56 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=2.000 ms

56 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=1.000 ms

 

--- Ping statistics for 192.168.2.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms

# Display IPv4 ADVPN tunnel information on Spoke1 again: a temporary IPv4 ADVPN tunnel to Spoke2 has been set up by the traffic.

[Spoke1] display advpn session

Interface         : Tunnel1

Number of sessions: 3

Private address      Public address       Port  Type  State        Holding time

192.168.0.1          1.1.1.1              --    S-H   Success      0H 12M 44S

192.168.0.2          2.2.2.2              --    S-H   Success      0H 12M 44S

192.168.0.4          4.4.4.4              --    S-S   Success      0H 1M 0S

The output shows that Spoke1 has permanent hub-spoke tunnels with Hub1 and Hub2 and a temporary spoke-spoke tunnel with Spoke2. The output on Spoke2 is similar.
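The checks above are done by eye. The following script is an added example and not part of the H3C guide: it parses the two display outputs shown in this section (the column layout is taken from them; the embedded dumps are constructed copies of that output) and compares them with the address plan of Table 1-1, reporting missing or unplanned registrations, public-address or role mismatches, and hub tunnels that are not in Success state.

```python
"""Parse the verification output of 'display vam server address-map' and
'display advpn session' and check it against the address plan.

Added example, not part of the H3C guide: the column layout is taken from
the output shown in section 1.2.4; the two sample dumps below are constructed
copies of that output.
"""
import re
from dataclasses import dataclass

# Constructed copy of the primary VAM server's address-map output.
ADDRESS_MAP_OUTPUT = """\
ADVPN domain name: abc
Total private address mappings: 4
Group      Private address  Public address              Type   NAT  Holding time
0          192.168.0.1      1.1.1.1                     Hub    No   0H 10M 30S
0          192.168.0.2      2.2.2.2                     Hub    No   0H 10M 31S
0          192.168.0.3      3.3.3.3                     Spoke  No   0H 9M 27S
0          192.168.0.4      4.4.4.4                     Spoke  No   0H 9M 51S
"""

# Constructed copy of Spoke1's session table after the ping to Spoke2.
SESSION_OUTPUT = """\
Interface         : Tunnel1
Number of sessions: 3
Private address      Public address       Port  Type  State        Holding time
192.168.0.1          1.1.1.1              --    S-H   Success      0H 12M 44S
192.168.0.2          2.2.2.2              --    S-H   Success      0H 12M 44S
192.168.0.4          4.4.4.4              --    S-S   Success      0H 1M 0S
"""

# Address plan from Table 1-1: tunnel (private) address -> (public address, role).
EXPECTED_NODES = {
    "192.168.0.1": ("1.1.1.1", "Hub"),
    "192.168.0.2": ("2.2.2.2", "Hub"),
    "192.168.0.3": ("3.3.3.3", "Spoke"),
    "192.168.0.4": ("4.4.4.4", "Spoke"),
}
HUBS = [p for p, (_, role) in EXPECTED_NODES.items() if role == "Hub"]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAP_ROW = re.compile(rf"^\s*(\d+)\s+({IPV4})\s+({IPV4})\s+(Hub|Spoke)\s+(Yes|No)\s+(.*)$")
SESSION_ROW = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\S+)\s+([HS]-[HS])\s+(\S+)\s+(.*)$")


@dataclass(frozen=True)
class Mapping:
    group: int
    private: str
    public: str
    role: str
    nat: bool


@dataclass(frozen=True)
class Session:
    private: str
    public: str
    kind: str     # H-H, H-S, S-H or S-S
    state: str


def parse_address_map(text):
    """Rows of a 'display vam server address-map' dump; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAP_ROW.match(line)
        if m:
            rows.append(Mapping(int(m[1]), m[2], m[3], m[4], m[5] == "Yes"))
    return rows


def parse_sessions(text):
    """Rows of a 'display advpn session' dump; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SESSION_ROW.match(line)
        if m:
            rows.append(Session(m[1], m[2], m[4], m[5]))
    return rows


def audit_address_map(text, expected):
    """Findings for a server dump: missing nodes, unplanned registrations and
    registrations whose public address or role differ from the plan."""
    findings, seen = [], set()
    for row in parse_address_map(text):
        seen.add(row.private)
        plan = expected.get(row.private)
        if plan is None:
            findings.append(f"unplanned registration {row.private} from {row.public}")
        elif (row.public, row.role) != plan:
            findings.append(f"{row.private}: registered as {row.role} from {row.public}, "
                            f"plan says {plan[1]} from {plan[0]}")
    findings += [f"missing registration for {p}" for p in expected if p not in seen]
    return findings


def audit_spoke_sessions(text, hubs):
    """Findings for a spoke's session table: a tunnel to every hub must exist
    and be in Success state."""
    findings = []
    sessions = {s.private: s for s in parse_sessions(text)}
    for hub in hubs:
        s = sessions.get(hub)
        if s is None:
            findings.append(f"no permanent tunnel to hub {hub}")
        elif s.state != "Success":
            findings.append(f"tunnel to hub {hub} is in state {s.state}")
    return findings


if __name__ == "__main__":
    print(audit_address_map(ADDRESS_MAP_OUTPUT, EXPECTED_NODES) or "address map matches plan")
    print(audit_spoke_sessions(SESSION_OUTPUT, HUBS) or "all hub tunnels up")
```

Run it against text captured from the devices instead of the embedded samples. A registration whose public address differs from the plan, an address that was never planned, or a spoke without a Success-state tunnel to every hub is what a wrong pre-shared key, a broken LDP path or an unexpected client looks like in this output, so the same script can be run periodically as a health check rather than only once after deployment.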

1.2.5  Configuration Files

1. Primary server

#

ospf 1

 area 0.0.0.0

  network 5.6.1.0 0.0.0.255

  network 6.6.6.6 0.0.0.0

#

 mpls lsr-id 6.6.6.6

#

mpls ldp

#

interface LoopBack0

 ip address 6.6.6.6 255.255.255.255

#

interface GigabitEthernet1/0/1

 ip address 5.6.1.3 255.255.255.0

 mpls enable

 mpls ldp enable

#

 radius session-control enable

#

radius scheme abc

 primary authentication 5.6.1.2

 primary accounting 5.6.1.2

 key authentication simple 123

 key accounting simple 123

 user-name-format without-domain

#

domain abc

 authentication advpn radius-scheme abc

 accounting advpn radius-scheme abc

#

 domain default enable abc

#

vam server advpn-domain abc id 1

 pre-shared-key simple 123456

 server enable

 hub-group 0

  hub private-address 192.168.0.1

  hub private-address 192.168.0.2

  spoke private-address range 192.168.0.0 192.168.0.255

#

2. Secondary server

#

ospf 1

 area 0.0.0.0

  network 5.6.1.0 0.0.0.255

  network 7.7.7.7 0.0.0.0

#

 mpls lsr-id 7.7.7.7

#

mpls ldp

#

interface LoopBack0

 ip address 7.7.7.7 255.255.255.255

#

interface GigabitEthernet1/0/1

 ip address 5.6.1.4 255.255.255.0

 mpls enable

 mpls ldp enable

#

 radius session-control enable

#

radius scheme abc

 primary authentication 5.6.1.2

 primary accounting 5.6.1.2

 key authentication simple 123

 key accounting simple 123

 user-name-format without-domain

#

domain abc

 authentication advpn radius-scheme abc

 accounting advpn radius-scheme abc

#

 domain default enable abc

#

vam server advpn-domain abc id 1

 pre-shared-key simple 123456

 server enable

 hub-group 0

  hub private-address 192.168.0.1

  hub private-address 192.168.0.2

  spoke private-address range 192.168.0.0 192.168.0.255

#

3. Router

#

ospf 1

 area 0.0.0.0

  network 1.5.1.0 0.0.0.3

  network 2.5.1.0 0.0.0.3

  network 3.5.1.0 0.0.0.3

  network 4.5.1.0 0.0.0.3

  network 5.5.5.5 0.0.0.0

  network 5.6.1.0 0.0.0.255

#

 mpls lsr-id 5.5.5.5

#

mpls ldp

#

interface LoopBack0

 ip address 5.5.5.5 255.255.255.255

#

interface GigabitEthernet1/0/1

 ip address 1.5.1.2 255.255.255.252

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet1/0/2

 ip address 2.5.1.2 255.255.255.252

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet1/0/3

 ip address 3.5.1.2 255.255.255.252

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet1/0/4

 ip address 4.5.1.2 255.255.255.252

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet1/0/5

 ip address 5.6.1.1 255.255.255.0

 mpls enable

 mpls ldp enable

#

4. Hub1

#

ospf 1

 area 0.0.0.0

  network 1.1.1.1 0.0.0.0

  network 1.5.1.0 0.0.0.3

#

ospf 2

 area 0.0.0.0

  network 192.168.0.0 0.0.0.255

#

 mpls lsr-id 1.1.1.1

#

mpls ldp

#

interface LoopBack0

 ip address 1.1.1.1 255.255.255.255

#

interface GigabitEthernet1/0/1

 ip address 1.5.1.1 255.255.255.252

 mpls enable

 mpls ldp enable

#

interface Tunnel1 mode advpn gre

 ip address 192.168.0.1 255.255.255.0

 ospf network-type broadcast

 source LoopBack0

 tunnel protection ipsec profile abc

 vam client Hub1

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

#

vam client name Hub1

 advpn-domain abc

 server primary ip-address 6.6.6.6

 server secondary ip-address 7.7.7.7

 pre-shared-key simple 123456

 user hub1 password simple hub1

 client enable

#

5. Hub2

#

ospf 1

 area 0.0.0.0

  network 2.2.2.2 0.0.0.0

  network 2.5.1.0 0.0.0.3

#

ospf 2

 area 0.0.0.0

  network 192.168.0.0 0.0.0.255

#

 mpls lsr-id 2.2.2.2

#

mpls ldp

#

interface LoopBack0

 ip address 2.2.2.2 255.255.255.255

#

interface GigabitEthernet1/0/1

 ip address 2.5.1.1 255.255.255.252

 mpls enable

 mpls ldp enable

#

interface Tunnel1 mode advpn gre

 ip address 192.168.0.2 255.255.255.0

 ospf network-type broadcast

 source LoopBack0

 tunnel protection ipsec profile abc

 vam client Hub2

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

#

vam client name Hub2

 advpn-domain abc

 server primary ip-address 6.6.6.6

 server secondary ip-address 7.7.7.7

 pre-shared-key simple 123456

 user hub2 password simple hub2

 client enable

#

6. Spoke1

#

ospf 1

 area 0.0.0.0

  network 3.3.3.3 0.0.0.0

  network 3.5.1.0 0.0.0.3

#

ospf 2

 area 0.0.0.0

  network 192.168.0.0 0.0.0.255

  network 192.168.1.0 0.0.0.255

#

 mpls lsr-id 3.3.3.3

#

mpls ldp

#

interface LoopBack0

 ip address 3.3.3.3 255.255.255.255

#

interface GigabitEthernet1/0/1

 port link-mode route

 ip address 3.5.1.1 255.255.255.252

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet1/0/2

 port link-mode route

 ip address 192.168.1.1 255.255.255.0

#

interface Tunnel1 mode advpn gre

 ip address 192.168.0.3 255.255.255.0

 ospf network-type broadcast

 ospf dr-priority 0

 source LoopBack0

 tunnel protection ipsec profile abc

 vam client Spoke1

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

#

vam client name Spoke1

 advpn-domain abc

 server primary ip-address 6.6.6.6

 server secondary ip-address 7.7.7.7

 pre-shared-key simple 123456

 user spoke1 password simple spoke1

 client enable

#

7. Spoke2

#

ospf 1

 area 0.0.0.0

  network 4.4.4.4 0.0.0.0

  network 4.5.1.0 0.0.0.3

#

ospf 2

 area 0.0.0.0

  network 192.168.0.0 0.0.0.255

  network 192.168.2.0 0.0.0.255

#

 mpls lsr-id 4.4.4.4

#

mpls ldp

#

interface LoopBack0

 ip address 4.4.4.4 255.255.255.255

#

interface GigabitEthernet1/0/1

 ip address 4.5.1.1 255.255.255.252

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet1/0/2

 ip address 192.168.2.1 255.255.255.0

#

interface Tunnel1 mode advpn gre

 ip address 192.168.0.4 255.255.255.0

 ospf network-type broadcast

 ospf dr-priority 0

 source LoopBack0

 tunnel protection ipsec profile abc

 vam client Spoke2

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

#

vam client name Spoke2

 advpn-domain abc

 server primary ip-address 6.6.6.6

 server secondary ip-address 7.7.7.7

 pre-shared-key simple 123456

 user spoke2 password simple spoke2

 client enable

#
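The configuration files above have to agree with one another in several places: every client must name the same ADVPN domain and the same VAM pre-shared key as the server, and the server's hub-group must list exactly the hubs' tunnel addresses. The following script is an added example, not H3C tooling: it parses files in this '#'-delimited layout and checks those relations, and it also flags the points a security reviewer would raise about these files: des-cbc as the ESP cipher, an IKE pre-shared key bound to 0.0.0.0 0.0.0.0 (any peer), and secrets stored with the simple keyword. The embedded configurations are constructed, trimmed copies of the ones above.

```python
"""Consistency and hygiene check over the ADVPN over MPLS configuration files.
Added example, not H3C tooling: it reads the '#'-delimited running-config layout
of section 1.2.5; the configurations below are constructed, trimmed copies."""

# Constructed copy of the relevant VAM server view.
SERVER_CFG = """\
#
vam server advpn-domain abc id 1
 pre-shared-key simple 123456
 hub-group 0
  hub private-address 192.168.0.1
  hub private-address 192.168.0.2
  spoke private-address range 192.168.0.0 192.168.0.255
#
"""

def client_cfg(name, tunnel_ip):
    """Constructed hub/spoke config in the guide's layout, relevant views only."""
    return f"""\
#
interface Tunnel1 mode advpn gre
 ip address {tunnel_ip} 255.255.255.0
 vam client {name}
#
ipsec transform-set abc
 esp encryption-algorithm des-cbc
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name {name}
 advpn-domain abc
 server primary ip-address 6.6.6.6
 pre-shared-key simple 123456
 user {name.lower()} password simple {name.lower()}
#
"""

# device -> (role in the topology, configuration text)
CONFIGS = {
    "Primary server": ("server", SERVER_CFG),
    "Hub1": ("hub", client_cfg("Hub1", "192.168.0.1")),
    "Spoke1": ("spoke", client_cfg("Spoke1", "192.168.0.3")),
}
WEAK_ESP = {"des-cbc", "3des-cbc", "null"}

def parse_blocks(text):
    """Split an H3C-style config into (view command, [sub-commands]) blocks."""
    blocks, current = [], None
    for line in (l.rstrip() for l in text.splitlines() if l.strip()):
        if line == "#":                          # view separator
            current = None
        elif current is None or not line.startswith(" "):
            current = (line, [])                 # new view-level command
            blocks.append(current)
        else:
            current[1].append(line.strip())      # indented sub-command
    return blocks

def arg_after(lines, prefix):
    """Text following `prefix` in the first matching sub-command, else None."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), None)

def server_view(blocks):
    """Domain, VAM key and hub address list from the VAM server view."""
    for head, body in blocks:
        if head.startswith("vam server advpn-domain "):
            return {"domain": head.split()[3],
                    "psk": arg_after(body, "pre-shared-key simple "),
                    "hubs": {l.split()[-1] for l in body if l.startswith("hub private-address ")}}
    return None

def audit(configs):
    """Sorted findings across all devices: plan inconsistencies and hygiene issues."""
    server = next((server_view(parse_blocks(t)) for r, t in configs.values() if r == "server"), None)
    if server is None:
        return ["no VAM server configuration present"]
    findings = []
    for dev, (role, text) in configs.items():
        for head, body in parse_blocks(text):
            if head.startswith("vam client name "):
                if arg_after(body, "advpn-domain ") != server["domain"]:
                    findings.append(f"{dev}: ADVPN domain differs from the server's ({server['domain']})")
                if arg_after(body, "pre-shared-key simple ") != server["psk"]:
                    findings.append(f"{dev}: VAM pre-shared key differs from the server's")
            elif head.startswith("interface Tunnel") and "mode advpn" in head:
                ip = (arg_after(body, "ip address ") or "-").split()[0]
                if role == "hub" and ip not in server["hubs"]:
                    findings.append(f"{dev}: hub tunnel address {ip} not listed on the server")
                if role == "spoke" and ip in server["hubs"]:
                    findings.append(f"{dev}: spoke tunnel address {ip} is listed as a hub on the server")
            elif head.startswith("ipsec transform-set "):
                alg = arg_after(body, "esp encryption-algorithm ")
                if alg in WEAK_ESP:
                    findings.append(f"{dev}: {head} uses weak ESP encryption {alg}")
            elif head.startswith("ike keychain ") and any(
                    l.startswith("pre-shared-key address 0.0.0.0 0.0.0.0 ") for l in body):
                findings.append(f"{dev}: IKE pre-shared key is accepted from any peer address")
            if (plain := sum(" simple " in l for l in body)):
                findings.append(f"{dev}: {head} stores {plain} secret(s) with the 'simple' keyword")
    return sorted(findings)
```

On the constructed copies the consistency checks pass and only the hygiene findings remain. In a production deployment those findings translate into an AES transform in place of des-cbc, an IKE key bound to the peers' addresses (or certificate-based IKE authentication) instead of 0.0.0.0 0.0.0.0, and keys stored with cipher rather than simple; in this lab topology they are left as the guide configures them.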

1.3  Hub-Spoke ADVPN over MPLS Configuration Example (Routing)

1.3.1  Applicable Products and Versions

This example was configured and verified on [product not given in the source] running [version not given in the source].

1.3.2  Network Requirements

·     Hub, Spoke, Router and Server establish LSPs dynamically through MPLS LDP, so that traffic between the loopback addresses of these devices is carried over MPLS.

·     In the IPv4 hub-spoke topology, data is forwarded over the hub-spoke tunnels. The primary and secondary VAM servers manage and maintain the information of every node; the AAA server authenticates the VAM clients and performs accounting; the two hubs back each other up and are responsible for forwarding data and exchanging routing information.

·     Each spoke establishes permanent ADVPN tunnels to the hubs.

Table 1-2 IPv4 hub-spoke ADVPN over MPLS network (interface addressing)

Device            Interface   IP address
Hub 1             GE1/0/1     1.5.1.1/30
                  Loopback0   1.1.1.1/32
                  Tunnel1     192.168.0.1/24
Hub 2             GE1/0/1     2.5.1.1/30
                  Loopback0   2.2.2.2/32
                  Tunnel1     192.168.0.2/24
Router            GE1/0/1     1.5.1.2/30
                  GE1/0/2     2.5.1.2/30
                  GE1/0/3     3.5.1.2/30
                  GE1/0/4     4.5.1.2/30
                  GE1/0/5     5.6.1.1/24
                  Loopback0   5.5.5.5/32
AAA server        -           5.6.1.2/24
Spoke 1           GE1/0/1     3.5.1.1/30
                  Loopback0   3.3.3.3/32
                  Tunnel1     192.168.0.3/24
                  GE1/0/2     192.168.1.1/24
Spoke 2           GE1/0/1     4.5.1.1/30
                  Loopback0   4.4.4.4/32
                  Tunnel1     192.168.0.4/24
                  GE1/0/2     192.168.2.1/24
Primary server    GE1/0/1     5.6.1.3/24
                  Loopback0   6.6.6.6/32
Secondary server  GE1/0/1     5.6.1.4/24
                  Loopback0   7.7.7.7/32

1.3.3  Configuration Procedure

1. Configure the primary VAM server

(1)     Configure interface IP addresses

# Assign IP addresses to the interfaces as planned in the network diagram.

<Primary server> system-view

[Primary server] interface gigabitethernet 1/0/1

[Primary server-GigabitEthernet1/0/1] ip address 5.6.1.3 24

[Primary server-GigabitEthernet1/0/1] quit

[Primary server] interface loopback 0

[Primary server-LoopBack0] ip address 6.6.6.6 32

[Primary server-LoopBack0] quit

(2)     Configure OSPF on the public network

# Run OSPF process 1 to advertise the public-network routes.

[Primary server] ospf 1

[Primary server-ospf-1] area 0

[Primary server-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0

[Primary server-ospf-1-area-0.0.0.0] network 5.6.1.3 0.0.0.255

[Primary server-ospf-1-area-0.0.0.0] quit

[Primary server-ospf-1] quit

(3)     Configure IS-IS on the public network

# Run IS-IS process 1 to advertise the public-network routes.

[Primary server] isis 1

[Primary server-isis-1] network-entity 49.0001.0060.0600.6006.00

[Primary server-isis-1] is-level level-2

[Primary server-isis-1] quit

[Primary server] interface range gigabitethernet 1/0/1 loopback 0

[Primary server-if-range] isis enable 1

[Primary server-if-range] quit

(4)     Enable MPLS and LDP

# Set the LSR ID of this node and enable LDP globally.

[Primary server] mpls lsr-id 6.6.6.6

[Primary server] mpls ldp

[Primary server-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.

[Primary server] interface gigabitethernet 1/0/1

[Primary server-GigabitEthernet1/0/1] mpls enable

[Primary server-GigabitEthernet1/0/1] mpls ldp enable

[Primary server-GigabitEthernet1/0/1] quit

(5)     Configure AAA authentication

# Configure the RADIUS scheme that the VAM Server uses to authenticate and account VAM Clients (the AAA server is 5.6.1.2). The shared key 123 is an example value; the simple keyword stores it in plaintext in the configuration.

[Primary server] radius scheme abc

[Primary server-radius-abc] primary authentication 5.6.1.2 1812

[Primary server-radius-abc] primary accounting 5.6.1.2 1813

[Primary server-radius-abc] key authentication simple 123

[Primary server-radius-abc] key accounting simple 123

[Primary server-radius-abc] user-name-format without-domain

[Primary server-radius-abc] quit

[Primary server] radius session-control enable

# Apply the RADIUS scheme to ISP domain abc for ADVPN authentication and accounting, and make abc the default domain.

[Primary server] domain abc

[Primary server-isp-abc] authentication advpn radius-scheme abc

[Primary server-isp-abc] accounting advpn radius-scheme abc

[Primary server-isp-abc] quit

[Primary server] domain default enable abc

(6)     Configure the VAM Server

# Create ADVPN domain abc.

[Primary server] vam server advpn-domain abc id 1

# Create hub group 0.

[Primary server-vam-server-domain-abc] hub-group 0

# Specify the IPv4 private addresses of the hubs in the hub group.

[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1

[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

# Specify the IPv4 private address range of the spokes in the hub group.

[Primary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24

[Primary server-vam-server-domain-abc-hub-group-0] quit

# Set the VAM Server pre-shared key to 123456. Every client in the domain must present the same key, so use a long random value in production.

[Primary server-vam-server-domain-abc] pre-shared-key simple 123456

# Authenticate VAM Clients with CHAP.

[Primary server-vam-server-domain-abc] authentication-method chap

# Enable the VAM Server for this ADVPN domain.

[Primary server-vam-server-domain-abc] server enable

[Primary server-vam-server-domain-abc] quit

2. Configure the secondary VAM Server

(1)     Assign IP addresses to interfaces

# Assign the IP addresses planned in the network table to the interfaces.

<Secondary server> system-view

[Secondary server] interface gigabitethernet 1/0/1

[Secondary server-GigabitEthernet1/0/1] ip address 5.6.1.4 24

[Secondary server-GigabitEthernet1/0/1] quit

[Secondary server] interface loopback 0

[Secondary server-LoopBack0] ip address 7.7.7.7 32

[Secondary server-LoopBack0] quit

(2)     Configure OSPF on the public network

# Run OSPF process 1 to advertise the public-network routes.

[Secondary server] ospf 1

[Secondary server-ospf-1] area 0

[Secondary server-ospf-1-area-0.0.0.0] network 7.7.7.7 0.0.0.0

[Secondary server-ospf-1-area-0.0.0.0] network 5.6.1.4 0.0.0.255

[Secondary server-ospf-1-area-0.0.0.0] quit

[Secondary server-ospf-1] quit

(3)     Configure IS-IS on the public network

# Run IS-IS process 1 to advertise the public-network routes.

[Secondary server] isis 1

[Secondary server-isis-1] network-entity 49.0001.0070.0700.7007.00

[Secondary server-isis-1] is-level level-2

[Secondary server-isis-1] quit

[Secondary server] interface range gigabitethernet 1/0/1 loopback 0

[Secondary server-if-range] isis enable 1

[Secondary server-if-range] quit

(4)     Enable MPLS and LDP

# Set the LSR ID of this node and enable LDP globally.

[Secondary server] mpls lsr-id 7.7.7.7

[Secondary server] mpls ldp

[Secondary server-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.

[Secondary server] interface gigabitethernet 1/0/1

[Secondary server-GigabitEthernet1/0/1] mpls enable

[Secondary server-GigabitEthernet1/0/1] mpls ldp enable

[Secondary server-GigabitEthernet1/0/1] quit

(5)     Configure AAA authentication

# Configure the RADIUS scheme (same settings as on the primary VAM Server).

[Secondary server] radius scheme abc

[Secondary server-radius-abc] primary authentication 5.6.1.2 1812

[Secondary server-radius-abc] primary accounting 5.6.1.2 1813

[Secondary server-radius-abc] key authentication simple 123

[Secondary server-radius-abc] key accounting simple 123

[Secondary server-radius-abc] user-name-format without-domain

[Secondary server-radius-abc] quit

[Secondary server] radius session-control enable

# Apply the RADIUS scheme to ISP domain abc for ADVPN authentication and accounting, and make abc the default domain.

[Secondary server] domain abc

[Secondary server-isp-abc] authentication advpn radius-scheme abc

[Secondary server-isp-abc] accounting advpn radius-scheme abc

[Secondary server-isp-abc] quit

[Secondary server] domain default enable abc

(6)     Configure the VAM Server

# Create ADVPN domain abc. The domain name, ID, hub group, and pre-shared key must match the primary VAM Server so that clients can fail over between the two.

[Secondary server] vam server advpn-domain abc id 1

# Create hub group 0.

[Secondary server-vam-server-domain-abc] hub-group 0

# Specify the IPv4 private addresses of the hubs in the hub group.

[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1

[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

# Specify the IPv4 private address range of the spokes in the hub group.

[Secondary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24

[Secondary server-vam-server-domain-abc-hub-group-0] quit

# Set the VAM Server pre-shared key to 123456.

[Secondary server-vam-server-domain-abc] pre-shared-key simple 123456

# Authenticate VAM Clients with CHAP.

[Secondary server-vam-server-domain-abc] authentication-method chap

# Enable the VAM Server for this ADVPN domain.

[Secondary server-vam-server-domain-abc] server enable

[Secondary server-vam-server-domain-abc] quit

3. Configure Router

(1)     Assign IP addresses to interfaces

# Assign the IP addresses planned in the network table to the interfaces.

<Router> system-view

[Router] interface gigabitethernet 1/0/1

[Router-GigabitEthernet1/0/1] ip address 1.5.1.2 30

[Router-GigabitEthernet1/0/1] quit

[Router] interface gigabitethernet 1/0/2

[Router-GigabitEthernet1/0/2] ip address 2.5.1.2 30

[Router-GigabitEthernet1/0/2] quit

[Router] interface gigabitethernet 1/0/3

[Router-GigabitEthernet1/0/3] ip address 3.5.1.2 30

[Router-GigabitEthernet1/0/3] quit

[Router] interface gigabitethernet 1/0/4

[Router-GigabitEthernet1/0/4] ip address 4.5.1.2 30

[Router-GigabitEthernet1/0/4] quit

[Router] interface gigabitethernet 1/0/5

[Router-GigabitEthernet1/0/5] ip address 5.6.1.1 24

[Router-GigabitEthernet1/0/5] quit

[Router] interface loopback 0

[Router-LoopBack0] ip address 5.5.5.5 32

[Router-LoopBack0] quit

(2)     Configure OSPF on the public network

# Run OSPF process 1 to advertise the public-network routes.

[Router] ospf 1

[Router-ospf-1] area 0

[Router-ospf-1-area-0.0.0.0] network 1.5.1.0 0.0.0.3

[Router-ospf-1-area-0.0.0.0] network 2.5.1.0 0.0.0.3

[Router-ospf-1-area-0.0.0.0] network 3.5.1.0 0.0.0.3

[Router-ospf-1-area-0.0.0.0] network 5.6.1.0 0.0.0.255

[Router-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0

[Router-ospf-1-area-0.0.0.0] quit

[Router-ospf-1] quit

(3)     Configure IS-IS on the public network

# Run IS-IS process 1 to advertise the public-network routes. GE1/0/3 faces Spoke1, which runs only OSPF on the public network, so it is left out of the IS-IS interface range.

[Router] isis 1

[Router-isis-1] network-entity 49.0001.0050.0500.5005.00

[Router-isis-1] is-level level-2

[Router-isis-1] quit

[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/4 gigabitethernet 1/0/5 loopback 0

[Router-if-range] isis enable 1

[Router-if-range] quit

(4)     Enable MPLS and LDP

# Set the LSR ID of this node and enable LDP globally.

[Router] mpls lsr-id 5.5.5.5

[Router] mpls ldp

[Router-ldp] quit

# Enable MPLS and IPv4 LDP on all public-network interfaces.

[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5

[Router-if-range] mpls enable

[Router-if-range] mpls ldp enable

[Router-if-range] quit

4. Configure Hub1

(1)     Assign IP addresses to interfaces

# Assign the IP addresses planned in the network table to the interfaces.

<Hub1> system-view

[Hub1] interface gigabitethernet 1/0/1

[Hub1-GigabitEthernet1/0/1] ip address 1.5.1.1 30

[Hub1-GigabitEthernet1/0/1] quit

[Hub1] interface loopback 0

[Hub1-LoopBack0] ip address 1.1.1.1 32

[Hub1-LoopBack0] quit

(2)     Configure OSPF on the public network

# Run OSPF process 1 to advertise the public-network routes.

[Hub1] ospf 1

[Hub1-ospf-1] area 0

[Hub1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0

[Hub1-ospf-1-area-0.0.0.0] network 1.5.1.1 0.0.0.3

[Hub1-ospf-1-area-0.0.0.0] quit

[Hub1-ospf-1] quit

(3)     Configure IS-IS on the public network

# Run IS-IS process 1 to advertise the public-network routes.

[Hub1] isis 1

[Hub1-isis-1] network-entity 49.0001.0010.0100.1001.00

[Hub1-isis-1] is-level level-2

[Hub1-isis-1] quit

[Hub1] interface range gigabitethernet 1/0/1 loopback 0

[Hub1-if-range] isis enable 1

[Hub1-if-range] quit

(4)     Enable MPLS and LDP

# Set the LSR ID of this node and enable LDP globally.

[Hub1] mpls lsr-id 1.1.1.1

[Hub1] mpls ldp

[Hub1-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.

[Hub1] interface gigabitethernet 1/0/1

[Hub1-GigabitEthernet1/0/1] mpls enable

[Hub1-GigabitEthernet1/0/1] mpls ldp enable

[Hub1-GigabitEthernet1/0/1] quit

(5)     Configure the VAM Client

# Create VAM Client Hub1.

[Hub1] vam client name Hub1

# Assign the VAM Client to ADVPN domain abc.

[Hub1-vam-client-Hub1] advpn-domain abc

# Set the VAM Client pre-shared key to 123456 (it must match the key configured on the VAM Servers).

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set the authentication username to hub1 and the password to hub1; the VAM Server checks these against the RADIUS server.

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Specify the primary and secondary VAM Server addresses.

[Hub1-vam-client-Hub1] server primary ip-address 6.6.6.6

[Hub1-vam-client-Hub1] server secondary ip-address 7.7.7.7

# Enable the VAM Client.

[Hub1-vam-client-Hub1] client enable

[Hub1-vam-client-Hub1] quit

(6)     Configure the IPsec profile

# Configure the IKE keychain and profile. The pre-shared key is bound to 0.0.0.0 0.0.0.0, so any peer that presents it can complete IKE; that is what lets peers learned dynamically from the VAM Server authenticate, and it also means this one key is the trust anchor for the whole ADVPN domain.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec transform set and profile. Transport mode is sufficient because the GRE tunnel header already carries the outer addresses. The example keeps the original des-cbc setting; DES has a 56-bit key and RFC 8221 lists it as MUST NOT, so use aes-cbc-128 or stronger in production and keep the transform set identical on every node in the domain.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode transport

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

(7)     Configure the ADVPN tunnel

# Create GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1, bind it to VAM Client Hub1, source it from Loopback0 (the address that MPLS LDP makes reachable), and protect it with IPsec profile abc.

[Hub1] interface tunnel 1 mode advpn gre

[Hub1-Tunnel1] ip address 192.168.0.1 24

[Hub1-Tunnel1] vam client Hub1

[Hub1-Tunnel1] ospf network-type p2mp

[Hub1-Tunnel1] source loopback 0

[Hub1-Tunnel1] tunnel protection ipsec profile abc

# Set the OSPF 2 cost of Hub1's tunnel interface to 1 so that the Spokes prefer Hub1 in both directions; otherwise traffic between two Spokes could leave through one Hub and return through the other.

[Hub1-Tunnel1] ospf cost 1

[Hub1-Tunnel1] quit

(8)     Configure OSPF for the private network

# Advertise the private-network routes in OSPF process 2.

[Hub1] ospf 2

[Hub1-ospf-2] area 0

[Hub1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub1-ospf-2-area-0.0.0.0] quit

[Hub1-ospf-2] quit

5. Configure Hub2

(1)     Assign IP addresses to interfaces

# Assign the IP addresses planned in the network table to the interfaces.

<Hub2> system-view

[Hub2] interface gigabitethernet 1/0/1

[Hub2-GigabitEthernet1/0/1] ip address 2.5.1.1 30

[Hub2-GigabitEthernet1/0/1] quit

[Hub2] interface loopback 0

[Hub2-LoopBack0] ip address 2.2.2.2 32

[Hub2-LoopBack0] quit

(2)     Configure OSPF on the public network

# Run OSPF process 1 to advertise the public-network routes.

[Hub2] ospf 1

[Hub2-ospf-1] area 0

[Hub2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0

[Hub2-ospf-1-area-0.0.0.0] network 2.5.1.1 0.0.0.3

[Hub2-ospf-1-area-0.0.0.0] quit

[Hub2-ospf-1] quit

(3)     Configure IS-IS on the public network

# Run IS-IS process 1 to advertise the public-network routes.

[Hub2] isis 1

[Hub2-isis-1] network-entity 49.0001.0020.0200.2002.00

[Hub2-isis-1] is-level level-2

[Hub2-isis-1] quit

[Hub2] interface range gigabitethernet 1/0/1 loopback 0

[Hub2-if-range] isis enable 1

[Hub2-if-range] quit

(4)     Enable MPLS and LDP

# Set the LSR ID of this node and enable LDP globally.

[Hub2] mpls lsr-id 2.2.2.2

[Hub2] mpls ldp

[Hub2-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.

[Hub2] interface gigabitethernet 1/0/1

[Hub2-GigabitEthernet1/0/1] mpls enable

[Hub2-GigabitEthernet1/0/1] mpls ldp enable

[Hub2-GigabitEthernet1/0/1] quit

(5)     Configure the VAM Client

# Create VAM Client Hub2.

[Hub2] vam client name Hub2

# Assign the VAM Client to ADVPN domain abc.

[Hub2-vam-client-Hub2] advpn-domain abc

# Set the VAM Client pre-shared key to 123456.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set the authentication username to hub2 and the password to hub2.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Specify the primary and secondary VAM Server addresses.

[Hub2-vam-client-Hub2] server primary ip-address 6.6.6.6

[Hub2-vam-client-Hub2] server secondary ip-address 7.7.7.7

# Enable the VAM Client.

[Hub2-vam-client-Hub2] client enable

[Hub2-vam-client-Hub2] quit

(6)     Configure the IPsec profile

# Configure the IKE keychain and profile (same settings as on Hub1).

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec transform set and profile (same settings as on Hub1, including the weak des-cbc cipher that the original example uses).

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode transport

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

(7)     Configure the ADVPN tunnel

# Create GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1, bind it to VAM Client Hub2, source it from Loopback0, and protect it with IPsec profile abc. Hub2 keeps the default OSPF cost, so it is the backup path.

[Hub2] interface tunnel 1 mode advpn gre

[Hub2-Tunnel1] ip address 192.168.0.2 24

[Hub2-Tunnel1] vam client Hub2

[Hub2-Tunnel1] ospf network-type p2mp

[Hub2-Tunnel1] source loopback 0

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] quit

(8)     Configure OSPF for the private network

# Advertise the private-network routes in OSPF process 2.

[Hub2] ospf 2

[Hub2-ospf-2] area 0

[Hub2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub2-ospf-2-area-0.0.0.0] quit

[Hub2-ospf-2] quit

6. Configure Spoke1

(1)     Assign IP addresses to interfaces

# Assign the IP addresses planned in the network table to the interfaces.

<Spoke1> system-view

[Spoke1] interface gigabitethernet 1/0/1

[Spoke1-GigabitEthernet1/0/1] ip address 3.5.1.1 30

[Spoke1-GigabitEthernet1/0/1] quit

[Spoke1] interface gigabitethernet 1/0/2

[Spoke1-GigabitEthernet1/0/2] ip address 192.168.1.1 24

[Spoke1-GigabitEthernet1/0/2] quit

[Spoke1] interface loopback 0

[Spoke1-LoopBack0] ip address 3.3.3.3 32

[Spoke1-LoopBack0] quit

(2)     Configure OSPF on the public network

# Run OSPF process 1 to advertise the public-network routes. Spoke1 uses only OSPF toward the public network.

[Spoke1] ospf 1

[Spoke1-ospf-1] area 0

[Spoke1-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0

[Spoke1-ospf-1-area-0.0.0.0] network 3.5.1.1 0.0.0.3

[Spoke1-ospf-1-area-0.0.0.0] quit

[Spoke1-ospf-1] quit

(3)     Enable MPLS and LDP

# Set the LSR ID of this node and enable LDP globally.

[Spoke1] mpls lsr-id 3.3.3.3

[Spoke1] mpls ldp

[Spoke1-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.

[Spoke1] interface gigabitethernet 1/0/1

[Spoke1-GigabitEthernet1/0/1] mpls enable

[Spoke1-GigabitEthernet1/0/1] mpls ldp enable

[Spoke1-GigabitEthernet1/0/1] quit

(4)     Configure the VAM Client

# Create VAM Client Spoke1.

[Spoke1] vam client name Spoke1

# Assign the VAM Client to ADVPN domain abc.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the VAM Client pre-shared key to 123456.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set the authentication username to spoke1 and the password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Specify the primary and secondary VAM Server addresses.

[Spoke1-vam-client-Spoke1] server primary ip-address 6.6.6.6

[Spoke1-vam-client-Spoke1] server secondary ip-address 7.7.7.7

# Enable the VAM Client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

(5)     Configure the IPsec profile

# Configure the IKE keychain and profile (same settings as on the Hubs).

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec transform set and profile (same settings as on the Hubs).

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

(6)     Configure the ADVPN tunnel

# Create GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1, bind it to VAM Client Spoke1, source it from Loopback0, and protect it with IPsec profile abc.

[Spoke1] interface tunnel 1 mode advpn gre

[Spoke1-Tunnel1] ip address 192.168.0.3 24

[Spoke1-Tunnel1] vam client Spoke1

[Spoke1-Tunnel1] ospf network-type p2mp

[Spoke1-Tunnel1] ospf dr-priority 0

[Spoke1-Tunnel1] source loopback 0

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

(7)     Configure OSPF for the private network

# Advertise the tunnel subnet and the LAN behind Spoke1 in OSPF process 2.

[Spoke1] ospf 2

[Spoke1-ospf-2] area 0

[Spoke1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Spoke1-ospf-2-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[Spoke1-ospf-2-area-0.0.0.0] quit

[Spoke1-ospf-2] quit

7. Configure Spoke2

(1)     Assign IP addresses to interfaces

# Assign the IP addresses planned in the network table to the interfaces.

<Spoke2> system-view

[Spoke2] interface gigabitethernet 1/0/1

[Spoke2-GigabitEthernet1/0/1] ip address 4.5.1.1 30

[Spoke2-GigabitEthernet1/0/1] quit

[Spoke2] interface gigabitethernet 1/0/2

[Spoke2-GigabitEthernet1/0/2] ip address 192.168.2.1 24

[Spoke2-GigabitEthernet1/0/2] quit

[Spoke2] interface loopback 0

[Spoke2-LoopBack0] ip address 4.4.4.4 32

[Spoke2-LoopBack0] quit

(2)     Configure IS-IS on the public network

# Run IS-IS process 1 to advertise the public-network routes. Spoke2 uses only IS-IS toward the public network.

[Spoke2] isis 1

[Spoke2-isis-1] network-entity 49.0001.0040.0400.4004.00

[Spoke2-isis-1] is-level level-2

[Spoke2-isis-1] quit

[Spoke2] interface range gigabitethernet 1/0/1 loopback 0

[Spoke2-if-range] isis enable 1

[Spoke2-if-range] quit

(3)     Enable MPLS and LDP

# Set the LSR ID of this node and enable LDP globally.

[Spoke2] mpls lsr-id 4.4.4.4

[Spoke2] mpls ldp

[Spoke2-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.

[Spoke2] interface gigabitethernet 1/0/1

[Spoke2-GigabitEthernet1/0/1] mpls enable

[Spoke2-GigabitEthernet1/0/1] mpls ldp enable

[Spoke2-GigabitEthernet1/0/1] quit

(4)     Configure the VAM Client

# Create VAM Client Spoke2.

[Spoke2] vam client name Spoke2

# Assign the VAM Client to ADVPN domain abc.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the VAM Client pre-shared key to 123456.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set the authentication username to spoke2 and the password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Specify the primary and secondary VAM Server addresses.

[Spoke2-vam-client-Spoke2] server primary ip-address 6.6.6.6

[Spoke2-vam-client-Spoke2] server secondary ip-address 7.7.7.7

# Enable the VAM Client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

(5)     Configure the IPsec profile

# Configure the IKE keychain and profile (same settings as on the Hubs).

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec transform set and profile (same settings as on the Hubs).

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

(6)     Configure the ADVPN tunnel

# Create GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1, bind it to VAM Client Spoke2, source it from Loopback0, and protect it with IPsec profile abc.

[Spoke2] interface tunnel 1 mode advpn gre

[Spoke2-Tunnel1] ip address 192.168.0.4 24

[Spoke2-Tunnel1] vam client Spoke2

[Spoke2-Tunnel1] ospf network-type p2mp

[Spoke2-Tunnel1] ospf dr-priority 0

[Spoke2-Tunnel1] source loopback 0

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit

(7)     Configure OSPF for the private network

# Advertise the tunnel subnet and the LAN behind Spoke2 in OSPF process 2.

[Spoke2] ospf 2

[Spoke2-ospf-2] area 0

[Spoke2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Spoke2-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[Spoke2-ospf-2-area-0.0.0.0] quit

[Spoke2-ospf-2] quit

1.3.4  Verifying the configuration

# Display the IPv4 private address mappings of all VAM Clients registered with the primary VAM Server.

[Primaryserver]display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.1.1.1                     Hub    No   0H 5M 52S

0          192.168.0.2      2.2.2.2                     Hub    No   0H 4M 34S

0          192.168.0.3      3.3.3.3                     Spoke  No   0H 2M 52S

0          192.168.0.4      4.4.4.4                     Spoke  No   0H 1M 38S

# Display the IPv4 private address mappings of all VAM Clients registered with the secondary VAM Server.

[Secondaryserver]display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.1.1.1                     Hub    No   0H 6M 19S

0          192.168.0.2      2.2.2.2                     Hub    No   0H 5M 8S

0          192.168.0.3      3.3.3.3                     Spoke  No   0H 3M 35S

0          192.168.0.4      4.4.4.4                     Spoke  No   0H 2M 27S

The output shows that Hub1, Hub2, Spoke1, and Spoke2 have all registered their address mappings with both VAM Servers. The Public address column carries each node's Loopback0 address because the tunnels are sourced from Loopback0, and NAT is No because no address translation sits on the MPLS path.

# Display the IPv4 ADVPN sessions on Hub1.

[Hub1]display advpn session

Interface         : Tunnel1

Number of sessions: 3

Private address      Public address       Port  Type  State        Holding time

192.168.0.2          2.2.2.2              --    H-H   Success      0H 6M 33S

192.168.0.3          3.3.3.3              --    H-S   Success      0H 4M 50S

192.168.0.4          4.4.4.4              --    H-S   Success      0H 3M 36S

The output shows that Hub1 has permanent tunnels to Hub2 (type H-H) and to Spoke1 and Spoke2 (type H-S). Hub2 shows similar output.

# Display the IPv4 ADVPN sessions on Spoke1.

[Spoke1]display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address      Public address       Port  Type  State        Holding time

192.168.0.1          1.1.1.1              --    S-H   Success      0H 5M 25S

192.168.0.2          2.2.2.2              --    S-H   Success      0H 5M 25S

The output shows that Spoke1 has permanent Hub-Spoke tunnels (type S-H) to Hub1 and Hub2. Spoke2 shows similar output.

# From Spoke1, ping the private address 192.168.2.1 behind Spoke2, sourcing the probe from Spoke1's LAN address 192.168.1.1.

[Spoke1]ping -a 192.168.1.1 192.168.2.1

Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break

56 bytes from 192.168.2.1: icmp_seq=0 ttl=254 time=2.000 ms

56 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=1.000 ms

56 bytes from 192.168.2.1: icmp_seq=2 ttl=254 time=2.000 ms

56 bytes from 192.168.2.1: icmp_seq=3 ttl=254 time=3.000 ms

56 bytes from 192.168.2.1: icmp_seq=4 ttl=254 time=2.000 ms

 

--- Ping statistics for 192.168.2.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/2.000/3.000/0.632 ms

# Display the ADVPN sessions on Spoke1 again after the ping. No temporary tunnel to Spoke2 has appeared, so the traffic between the Spokes was forwarded through a Hub. The tunnel interfaces run OSPF in p2mp mode, so the next hop Spoke1 learns for 192.168.2.0/24 is a Hub's tunnel address rather than Spoke2's, and no Spoke-to-Spoke tunnel is requested.

[Spoke1]display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address      Public address       Port  Type  State        Holding time

192.168.0.1          1.1.1.1              --    S-H   Success      0H 7M 43S

192.168.0.2          2.2.2.2              --    S-H   Success      0H 7M 43S

Spoke2 shows similar output.
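The verification above is done by reading the display output by eye. The following Python script, an added example that is not part of the original guide or of H3C's software, parses the text of display vam server address-map and display advpn session in the layout shown above and checks the Hub-Spoke expectations mechanically: a Spoke must hold only S-H sessions (any S-S session means a direct Spoke-to-Spoke tunnel exists, which this topology is meant to prevent), a Hub only H-H and H-S sessions, every session must be in state Success, and each peer's public address must match what the VAM Server registered for that private address. The sample outputs are constructed copies of the ones on this page; the role names hub and spoke and the check functions are the script's own.

```python
"""Check the Hub-Spoke ADVPN topology from 'display' command output.

Added example for this guide (not H3C code). Parses 'display vam server
address-map' and 'display advpn session' text and checks what the
verification step asks the reader to confirm by eye.
The sample outputs are constructed copies of the ones shown on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

SAMPLE_ADDRESS_MAP = """\
ADVPN domain name: abc
Total private address mappings: 4
Group      Private address  Public address              Type   NAT  Holding time
0          192.168.0.1      1.1.1.1                     Hub    No   0H 5M 52S
0          192.168.0.2      2.2.2.2                     Hub    No   0H 4M 34S
0          192.168.0.3      3.3.3.3                     Spoke  No   0H 2M 52S
0          192.168.0.4      4.4.4.4                     Spoke  No   0H 1M 38S
"""

SAMPLE_HUB1_SESSIONS = """\
Interface         : Tunnel1
Number of sessions: 3
Private address      Public address       Port  Type  State        Holding time
192.168.0.2          2.2.2.2              --    H-H   Success      0H 6M 33S
192.168.0.3          3.3.3.3              --    H-S   Success      0H 4M 50S
192.168.0.4          4.4.4.4              --    H-S   Success      0H 3M 36S
"""

SAMPLE_SPOKE1_SESSIONS = """\
Interface         : Tunnel1
Number of sessions: 2
Private address      Public address       Port  Type  State        Holding time
192.168.0.1          1.1.1.1              --    S-H   Success      0H 5M 25S
192.168.0.2          2.2.2.2              --    S-H   Success      0H 5M 25S
"""


@dataclass(frozen=True)
class Mapping:
    group: str
    private: str
    public: str
    node_type: str  # "Hub" or "Spoke"
    nat: str        # "Yes" or "No"


@dataclass(frozen=True)
class Session:
    private: str
    public: str
    port: str
    kind: str   # H-H, H-S, S-H or S-S
    state: str


# Data rows start with a group number (address map) or a private IPv4 address (sessions);
# header and banner lines do not, so they are skipped.
_MAP_RE = re.compile(r"^(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(Hub|Spoke)\s+(Yes|No)\s+")
_SESS_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+([HS]-[HS])\s+(\S+)\s+")

# Session types each role may hold in Hub-Spoke mode (assumed policy for this check).
ALLOWED_KINDS = {"hub": {"H-H", "H-S"}, "spoke": {"S-H"}}


def parse_address_map(text: str) -> List[Mapping]:
    return [Mapping(*m.groups()) for m in map(_MAP_RE.match, (l.strip() for l in text.splitlines())) if m]


def parse_sessions(text: str) -> List[Session]:
    return [Session(*m.groups()) for m in map(_SESS_RE.match, (l.strip() for l in text.splitlines())) if m]


def registered_hubs(address_map: List[Mapping]) -> Set[str]:
    """Private addresses the VAM Server registered with type Hub."""
    return {m.private for m in address_map if m.node_type == "Hub"}


def check_device(role: str, sessions: List[Session], address_map: List[Mapping]) -> List[str]:
    """Return the violations for a device of the given role ('hub' or 'spoke'); [] means clean."""
    allowed = ALLOWED_KINDS[role]
    registered: Dict[str, Mapping] = {m.private: m for m in address_map}
    problems: List[str] = []
    for s in sessions:
        if s.state != "Success":
            problems.append(f"{s.private}: session state is {s.state}")
        if s.kind not in allowed:
            problems.append(f"{s.private}: {s.kind} session is not expected on a {role} in Hub-Spoke mode")
        reg = registered.get(s.private)
        if reg is None:
            problems.append(f"{s.private}: peer is not registered with the VAM Server")
        elif reg.public != s.public:
            problems.append(f"{s.private}: public address {s.public} differs from registered {reg.public}")
    return problems


if __name__ == "__main__":
    amap = parse_address_map(SAMPLE_ADDRESS_MAP)
    print("hubs:", sorted(registered_hubs(amap)))
    print("Hub1:", check_device("hub", parse_sessions(SAMPLE_HUB1_SESSIONS), amap) or "OK")
    print("Spoke1:", check_device("spoke", parse_sessions(SAMPLE_SPOKE1_SESSIONS), amap) or "OK")
```

Run it against output captured from each device after the ping test; a Spoke that reports an S-S session, or a peer whose public address no longer matches the VAM Server's mapping, is the condition this verification step is meant to rule out.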

1.3.5  Configuration files

1. Primary server

#

isis 1

 is-level level-2

 network-entity 49.0001.0060.0600.6006.00

#

ospf 1

 area 0.0.0.0

  network 5.6.1.0 0.0.0.255

  network 6.6.6.6 0.0.0.0

#

 mpls lsr-id 6.6.6.6

#

mpls ldp

#

interface LoopBack0

 ip address 6.6.6.6 255.255.255.255

 isis enable 1

#

interface GigabitEthernet1/0/1

 ip address 5.6.1.3 255.255.255.0

 isis enable 1

 mpls enable

 mpls ldp enable

#

 radius session-control enable

#

radius scheme abc

 primary authentication 5.6.1.2

 primary accounting 5.6.1.2

 key authentication simple 123

 key accounting simple 123

 user-name-format without-domain

#

domain abc

 authentication advpn radius-scheme abc

 accounting advpn radius-scheme abc

#

 domain default enable abc

#

vam server advpn-domain abc id 1

 pre-shared-key simple 123456

 server enable

 hub-group 0

  hub private-address 192.168.0.1

  hub private-address 192.168.0.2

  spoke private-address range 192.168.0.0 192.168.0.255

#

2. Secondary server

#

isis 1

 is-level level-2

 network-entity 49.0001.0070.0700.7007.00

#

ospf 1

 area 0.0.0.0

  network 5.6.1.0 0.0.0.255

  network 7.7.7.7 0.0.0.0

#

 mpls lsr-id 7.7.7.7

#

mpls ldp

#

interface LoopBack0

 ip address 7.7.7.7 255.255.255.255

 isis enable 1

#

interface GigabitEthernet1/0/1

 ip address 5.6.1.4 255.255.255.0

 isis enable 1

 mpls enable

 mpls ldp enable

#

 radius session-control enable

#

radius scheme abc

 primary authentication 5.6.1.2

 primary accounting 5.6.1.2

 key authentication simple 123

 key accounting simple 123

 user-name-format without-domain

#

domain abc

 authentication advpn radius-scheme abc

 accounting advpn radius-scheme abc

#

 domain default enable abc

#

vam server advpn-domain abc id 1

 pre-shared-key simple 123456

 server enable

 hub-group 0

  hub private-address 192.168.0.1

  hub private-address 192.168.0.2

  spoke private-address range 192.168.0.0 192.168.0.255

#

3. Router

#

isis 1

 is-level level-2

 network-entity 49.0001.0050.0500.5005.00

#

ospf 1

 area 0.0.0.0

  network 1.5.1.0 0.0.0.3

  network 2.5.1.0 0.0.0.3

  network 3.5.1.0 0.0.0.3

  network 5.5.5.5 0.0.0.0

  network 5.6.1.0 0.0.0.255

#

 mpls lsr-id 5.5.5.5

#

mpls ldp

#

interface LoopBack0

 ip address 5.5.5.5 255.255.255.255

 isis enable 1

#

interface GigabitEthernet1/0/1

 ip address 1.5.1.2 255.255.255.252

 isis enable 1

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet1/0/2

 ip address 2.5.1.2 255.255.255.252

 isis enable 1

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet1/0/3

 ip address 3.5.1.2 255.255.255.252

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet1/0/4

 ip address 4.5.1.2 255.255.255.252

 isis enable 1

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet1/0/5

 ip address 5.6.1.1 255.255.255.0

 isis enable 1

 mpls enable

 mpls ldp enable

#

4. Hub1

#

isis 1

 is-level level-2

 network-entity 49.0001.0010.0100.1001.00

#

ospf 1

 area 0.0.0.0

  network 1.1.1.1 0.0.0.0

  network 1.5.1.0 0.0.0.3

#

ospf 2

 area 0.0.0.0

  network 192.168.0.0 0.0.0.255

#

 mpls lsr-id 1.1.1.1

#

mpls ldp

#

interface LoopBack0

 ip address 1.1.1.1 255.255.255.255

 isis enable 1

#

interface GigabitEthernet1/0/1

 ip address 1.5.1.1 255.255.255.252

 isis enable 1

 mpls enable

 mpls ldp enable

#

interface Tunnel1 mode advpn gre

 ip address 192.168.0.1 255.255.255.0

 ospf cost 1

 ospf network-type p2mp

 source LoopBack0

 tunnel protection ipsec profile abc

 vam client Hub1

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

#

vam client name Hub1

 advpn-domain abc

 server primary ip-address 6.6.6.6

 server secondary ip-address 7.7.7.7

 pre-shared-key simple 123456

 user hub1 password simple hub1

 client enable

#

5. Hub2

#

isis 1

 is-level level-2

 network-entity 49.0001.0020.0200.2002.00

#

ospf 1

 area 0.0.0.0

  network 2.2.2.2 0.0.0.0

  network 2.5.1.0 0.0.0.3

#

ospf 2

 area 0.0.0.0

  network 192.168.0.0 0.0.0.255

#

 mpls lsr-id 2.2.2.2

#

mpls ldp

#

interface LoopBack0

 ip address 2.2.2.2 255.255.255.255

 isis enable 1

#

interface GigabitEthernet1/0/1

 ip address 2.5.1.1 255.255.255.252

 isis enable 1

 mpls enable

 mpls ldp enable

#

interface Tunnel1 mode advpn gre

 ip address 192.168.0.2 255.255.255.0

 ospf network-type p2mp

 source LoopBack0

 tunnel protection ipsec profile abc

 vam client Hub2

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

#

vam client name Hub2

 advpn-domain abc

 server primary ip-address 6.6.6.6

 server secondary ip-address 7.7.7.7

 pre-shared-key simple 123456

 user hub2 password simple hub2

 client enable

#

6. Spoke1

#

ospf 1

 area 0.0.0.0

  network 3.3.3.3 0.0.0.0

  network 3.5.1.0 0.0.0.3

#

ospf 2

 area 0.0.0.0

  network 192.168.0.0 0.0.0.255

  network 192.168.1.0 0.0.0.255

#

 mpls lsr-id 3.3.3.3

#

mpls ldp

#

interface LoopBack0

 ip address 3.3.3.3 255.255.255.255

#

interface GigabitEthernet1/0/1

 ip address 3.5.1.1 255.255.255.252

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet1/0/2

 ip address 192.168.1.1 255.255.255.0

#

interface Tunnel1 mode advpn gre

 ip address 192.168.0.3 255.255.255.0

 ospf network-type p2mp

 ospf dr-priority 0

 source LoopBack0

 tunnel protection ipsec profile abc

 vam client Spoke1

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

#

vam client name Spoke1

 advpn-domain abc

 server primary ip-address 6.6.6.6

 server secondary ip-address 7.7.7.7

 pre-shared-key simple 123456

 user spoke1 password simple spoke1

 client enable

#

7. Spoke2

#

isis 1

 is-level level-2

 network-entity 49.0001.0040.0400.4004.00

#

ospf 2

 area 0.0.0.0

  network 192.168.0.0 0.0.0.255

  network 192.168.2.0 0.0.0.255

#

 mpls lsr-id 4.4.4.4

#

mpls ldp

#

interface LoopBack0

 ip address 4.4.4.4 255.255.255.255

 isis enable 1

#

interface GigabitEthernet1/0/1

 ip address 4.5.1.1 255.255.255.252

 isis enable 1

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet1/0/2

 ip address 192.168.2.1 255.255.255.0

#

interface Tunnel1 mode advpn gre

 ip address 192.168.0.4 255.255.255.0

 ospf network-type p2mp

 ospf dr-priority 0

 source LoopBack0

 tunnel protection ipsec profile abc

 vam client Spoke2

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

#

vam client name Spoke2

 advpn-domain abc

 server primary ip-address 6.6.6.6

 server secondary ip-address 7.7.7.7

 pre-shared-key simple 123456

 user spoke2 password simple spoke2

 client enable

#
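The configuration files above repeat the same weak choices on every node: des-cbc as the ESP cipher, every key and password stored with the simple keyword, and an IKE pre-shared key bound to 0.0.0.0 0.0.0.0. The following Python linter, an added example that is not part of the original guide or of H3C's software, reads configuration text in the layout shown in this section (blocks separated by lines containing only #) and reports those findings, so the check can be run over a configuration export before it is deployed. The sample is a constructed copy of fragments from the Hub1 and Primary server files; MIN_SECRET_LEN, the severities, and the WEAK_ESP table are this script's assumptions, not H3C defaults.

```python
"""Lint Comware-style configuration text for weak ADVPN/IPsec settings.

Added example for this guide (not H3C code). Reports:
  - ESP encryption des-cbc (56-bit DES; RFC 8221 lists ENCR_DES as MUST NOT),
    null (no confidentiality) or 3des-cbc (SHOULD NOT per RFC 8221);
  - any secret stored with the 'simple' keyword (plaintext in the config),
    with a note when it is shorter than MIN_SECRET_LEN;
  - an IKE pre-shared key bound to 0.0.0.0 0.0.0.0, i.e. usable by any peer.
SAMPLE_CONFIG is a constructed copy of fragments shown on this page.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

MIN_SECRET_LEN = 16  # assumed local policy, not an H3C default

# Cipher name -> (severity, reason); severities are this script's own scale.
WEAK_ESP = {
    "des-cbc": ("high", "56-bit DES, MUST NOT per RFC 8221"),
    "null": ("high", "no confidentiality"),
    "3des-cbc": ("medium", "SHOULD NOT per RFC 8221"),
}

SAMPLE_CONFIG = """\
#
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
radius scheme abc
 primary authentication 5.6.1.2
 key authentication simple 123
 key accounting simple 123
#
vam client name Hub1
 advpn-domain abc
 pre-shared-key simple 123456
 user hub1 password simple hub1
 client enable
#
"""

Finding = Tuple[str, str, str]  # (severity, block header, message)

_ESP_RE = re.compile(r"esp encryption-algorithm (\S+)$")
# matches 'key simple X', 'key authentication simple X', 'key accounting simple X',
# 'password simple X' and the 'key simple' tail of the IKE keychain line
_SECRET_RE = re.compile(r"\b(?:key(?: authentication| accounting)?|password) simple (\S+)$")
_ANY_PEER_RE = re.compile(r"pre-shared-key address 0\.0\.0\.0 (?:0|0\.0\.0\.0) ")


def split_blocks(config: str) -> List[List[str]]:
    """Split a config dump into '#'-delimited blocks; each block is a list of stripped lines."""
    blocks: List[List[str]] = []
    current: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def lint(config: str) -> List[Finding]:
    findings: List[Finding] = []
    for block in split_blocks(config):
        header = block[0]  # e.g. 'ike keychain abc'
        for line in block:
            m = _ESP_RE.match(line)
            if m and m.group(1) in WEAK_ESP:
                sev, why = WEAK_ESP[m.group(1)]
                findings.append((sev, header, f"ESP cipher {m.group(1)}: {why}"))
            m = _SECRET_RE.search(line)
            if m:
                msg = "secret stored in plaintext ('simple')"
                if len(m.group(1)) < MIN_SECRET_LEN:
                    msg += f", and only {len(m.group(1))} characters long"
                findings.append(("medium", header, msg))
            if _ANY_PEER_RE.match(line):
                findings.append(("medium", header, "IKE pre-shared key accepted from any peer address"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    found = lint(SAMPLE_CONFIG)
    for sev, header, msg in found:
        print(f"[{sev:6}] {header}: {msg}")
    print(summarize(found))
```

The linter deliberately does not treat the wildcard peer address as an error on its own: with VAM-discovered peers it is the only practical IKE keychain binding, which is why the strength of the pre-shared key, and keeping it out of plaintext configuration exports, carries the whole domain's trust.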

1.4  Full-Mesh ADVPN over MPLS configuration example (security gateways)

1.4.1  Applicable products and versions

This example was configured and verified on an F5000-AI160 running release E8371.

1.4.2  Network requirements

·     Hub, Spoke, Router, and Server establish LSPs dynamically through MPLS LDP, so that traffic between the loopback addresses of these devices is carried over MPLS.

·     In IPv4 Full-Mesh mode, the primary and secondary VAM Servers manage and maintain the node information; the AAA server authenticates the VAM Clients and performs accounting; the two Hubs back each other up and handle data forwarding and route exchange.

·     Each Spoke establishes permanent ADVPN tunnels to the Hubs.

·     Within the same ADVPN domain, any two Spokes establish an ADVPN tunnel dynamically when there is traffic between them.

Table 1-3 IPv4 Full-Mesh ADVPN over MPLS network: interface addressing

Device            Interface   IP address
Hub 1             GE1/0/1     1.5.1.1/30
                  Loopback0   1.1.1.1/32
                  Tunnel1     192.168.0.1/24
Hub 2             GE1/0/1     2.5.1.1/30
                  Loopback0   2.2.2.2/32
                  Tunnel1     192.168.0.2/24
Router            GE1/0/1     1.5.1.2/30
                  GE1/0/2     2.5.1.2/30
                  GE1/0/3     3.5.1.2/30
                  GE1/0/4     4.5.1.2/30
                  GE1/0/5     5.6.1.1/24
                  Loopback0   5.5.5.5/32
Spoke 1           GE1/0/1     3.5.1.1/30
                  Loopback0   3.3.3.3/32
                  Tunnel1     192.168.0.3/24
                  GE1/0/2     192.168.1.1/24
Spoke 2           GE1/0/1     4.5.1.1/30
                  Loopback0   4.4.4.4/32
                  Tunnel1     192.168.0.4/24
                  GE1/0/2     192.168.2.1/24
Primary server    GE1/0/1     5.6.1.3/24
                  Loopback0   6.6.6.6/32
Secondary server  GE1/0/1     5.6.1.4/24
                  Loopback0   7.7.7.7/32
AAA server        -           5.6.1.2/24

1.4.3  Configuration procedure

1. Configure the primary VAM Server

(1)     Assign IP addresses to interfaces

# Assign the IP addresses planned in the network table to the interfaces.

<Primary server> system-view

[Primary server] interface gigabitethernet 1/0/1

[Primary server-GigabitEthernet1/0/1] ip address 5.6.1.3 24

[Primary server-GigabitEthernet1/0/1] quit

[Primary server] interface loopback 0

[Primary server-LoopBack0] ip address 6.6.6.6 32

[Primary server-LoopBack0] quit

(2)     Add the interface to a security zone

# Add the public-network interface to the Untrust zone as planned in the network table. On a security gateway, traffic to and from the device itself (zone Local) is dropped unless a security policy allows it, so the next step is required before OSPF, LDP, RADIUS, or VAM can work.

[Primary server] security-zone name untrust

[Primary server-security-zone-Untrust] import interface gigabitethernet 1/0/1

[Primary server-security-zone-Untrust] quit

(3)     Configure security policies

# Configure rule publicout so that the VAM Server itself (zone Local) can send protocol and service packets to the public network. As written, the rule passes every protocol from Local to Untrust; in production, narrow it to what this node actually originates: OSPF and LDP toward Router, RADIUS toward the AAA server, and VAM toward the clients.

[Primary server] security-policy ip

[Primary server-security-policy-ip] rule name publicout

[Primary server-security-policy-ip-0-publicout] source-zone local

[Primary server-security-policy-ip-0-publicout] destination-zone untrust

[Primary server-security-policy-ip-0-publicout] action pass

[Primary server-security-policy-ip-0-publicout] quit

# 配置名稱為publicin的安全策規則,使VAM Server可以接收公網發送的協議和業務報文,具體配置步驟如下。

[Primary server-security-policy-ip] rule name publicin

[Primary server-security-policy-ip-1-publicin] source-zone untrust

[Primary server-security-policy-ip-1-publicin] destination-zone local

[Primary server-security-policy-ip-1-publicin] action pass

[Primary server-security-policy-ip-1-publicin] quit

[Primary server-security-policy-ip] quit

(4)     配置公網OSPF路由

# 配置OSPF 1路由發布公網路由信息。

[Primary server] ospf 1

[Primary server-ospf-1] area 0

[Primary server-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0

[Primary server-ospf-1-area-0.0.0.0] network 5.6.1.3 0.0.0.255

[Primary server-ospf-1-area-0.0.0.0] quit

[Primary server-ospf-1] quit

(5)     使能MPLS和LDP功能

# 配置本節點的LSR ID,並全局使能LSR的LDP能力。

[Primary server] mpls lsr-id 6.6.6.6

[Primary server] mpls ldp

[Primary server-ldp] quit

# 使能接口的MPLS能力和接口的LDP支持IPv4能力。

[Primary server] interface gigabitethernet 1/0/1

[Primary server-GigabitEthernet1/0/1] mpls enable

[Primary server-GigabitEthernet1/0/1] mpls ldp enable

[Primary server-GigabitEthernet1/0/1] quit

(6)     配置AAA認證

# 配置RADIUS方案。

[Primary server] radius scheme abc

[Primary server-radius-abc] primary authentication 5.6.1.2 1812

[Primary server-radius-abc] primary accounting 5.6.1.2 1813

[Primary server-radius-abc] key authentication simple 123

[Primary server-radius-abc] key accounting simple 123

[Primary server-radius-abc] user-name-format without-domain

[Primary server-radius-abc] quit

[Primary server] radius session-control enable

# 配置ISP域的AAA方案。

[Primary server] domain abc

[Primary server-isp-abc] authentication advpn radius-scheme abc

[Primary server-isp-abc] accounting advpn radius-scheme abc

[Primary server-isp-abc] quit

[Primary server] domain default enable abc

(7)     配置VAM Server

# 創建ADVPN域abc。

[Primary server] vam server advpn-domain abc id 1

# 創建Hub組0。

[Primary server-vam-server-domain-abc] hub-group 0

# 指定Hub組內Hub的IPv4私網地址。

[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1

[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

# 指定Hub組內Spoke的IPv4私網地址範圍。

[Primary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24

[Primary server-vam-server-domain-abc-hub-group-0] quit

# 配置VAM Server的預共享密鑰為123456。

[Primary server-vam-server-domain-abc] pre-shared-key simple 123456

# 配置對VAM Client進行CHAP認證。

[Primary server-vam-server-domain-abc] authentication-method chap

# 開啟該ADVPN域的VAM Server功能。

[Primary server-vam-server-domain-abc] server enable

[Primary server-vam-server-domain-abc] quit

2. Configure the secondary VAM server

(1)     Configure interface IP addresses

# Configure the IP address of each interface as planned in the network diagram. The configuration steps are as follows.
<Secondary server> system-view
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] ip address 5.6.1.4 24
[Secondary server-GigabitEthernet1/0/1] quit
[Secondary server] interface loopback 0
[Secondary server-LoopBack0] ip address 7.7.7.7 32
[Secondary server-LoopBack0] quit

(2)     Add interfaces to security zones.

# Add each interface to its security zone as planned in the network diagram. The configuration steps are as follows.
[Secondary server] security-zone name untrust
[Secondary server-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Secondary server-security-zone-Untrust] quit

(3)     Configure security policies

# Configure a security policy rule named publicout so that the VAM server can send protocol and service packets to the public network. The configuration steps are as follows.
[Secondary server] security-policy ip
[Secondary server-security-policy-ip] rule name publicout
[Secondary server-security-policy-ip-0-publicout] source-zone local
[Secondary server-security-policy-ip-0-publicout] destination-zone untrust
[Secondary server-security-policy-ip-0-publicout] action pass
[Secondary server-security-policy-ip-0-publicout] quit

# Configure a security policy rule named publicin so that the VAM server can receive protocol and service packets from the public network. The configuration steps are as follows.
[Secondary server-security-policy-ip] rule name publicin
[Secondary server-security-policy-ip-1-publicin] source-zone untrust
[Secondary server-security-policy-ip-1-publicin] destination-zone local
[Secondary server-security-policy-ip-1-publicin] action pass
[Secondary server-security-policy-ip-1-publicin] quit
[Secondary server-security-policy-ip] quit

(4)     Configure public-network OSPF routes

# Configure OSPF process 1 to advertise public-network routing information.
[Secondary server] ospf 1
[Secondary server-ospf-1] area 0
[Secondary server-ospf-1-area-0.0.0.0] network 7.7.7.7 0.0.0.0
[Secondary server-ospf-1-area-0.0.0.0] network 5.6.1.4 0.0.0.255
[Secondary server-ospf-1-area-0.0.0.0] quit
[Secondary server-ospf-1] quit

(5)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally.
[Secondary server] mpls lsr-id 7.7.7.7
[Secondary server] mpls ldp
[Secondary server-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] mpls enable
[Secondary server-GigabitEthernet1/0/1] mpls ldp enable
[Secondary server-GigabitEthernet1/0/1] quit

(6)     Configure AAA authentication

# Configure a RADIUS scheme.
[Secondary server] radius scheme abc
[Secondary server-radius-abc] primary authentication 5.6.1.2 1812
[Secondary server-radius-abc] primary accounting 5.6.1.2 1813
[Secondary server-radius-abc] key authentication simple 123
[Secondary server-radius-abc] key accounting simple 123
[Secondary server-radius-abc] user-name-format without-domain
[Secondary server-radius-abc] quit
[Secondary server] radius session-control enable

# Configure the AAA methods for the ISP domain.
[Secondary server] domain abc
[Secondary server-isp-abc] authentication advpn radius-scheme abc
[Secondary server-isp-abc] accounting advpn radius-scheme abc
[Secondary server-isp-abc] quit
[Secondary server] domain default enable abc

(7)     Configure the VAM server

# Create ADVPN domain abc.
[Secondary server] vam server advpn-domain abc id 1

# Create hub group 0.
[Secondary server-vam-server-domain-abc] hub-group 0

# Specify the IPv4 private addresses of the hubs in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

# Specify the IPv4 private address range of the spokes in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Secondary server-vam-server-domain-abc-hub-group-0] quit

# Set the pre-shared key of the VAM server to 123456.
[Secondary server-vam-server-domain-abc] pre-shared-key simple 123456

# Configure CHAP authentication for VAM clients.
[Secondary server-vam-server-domain-abc] authentication-method chap

# Enable the VAM server for this ADVPN domain.
[Secondary server-vam-server-domain-abc] server enable
[Secondary server-vam-server-domain-abc] quit

3. Configure Router

(1)     Configure interface IP addresses

# Configure the IP address of each interface as planned in the network diagram. The configuration steps are as follows.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 1.5.1.2 30
[Router-GigabitEthernet1/0/1] quit
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip address 2.5.1.2 30
[Router-GigabitEthernet1/0/2] quit
[Router] interface gigabitethernet 1/0/3
[Router-GigabitEthernet1/0/3] ip address 3.5.1.2 30
[Router-GigabitEthernet1/0/3] quit
[Router] interface gigabitethernet 1/0/4
[Router-GigabitEthernet1/0/4] ip address 4.5.1.2 30
[Router-GigabitEthernet1/0/4] quit
[Router] interface gigabitethernet 1/0/5
[Router-GigabitEthernet1/0/5] ip address 5.6.1.1 24
[Router-GigabitEthernet1/0/5] quit
[Router] interface loopback 0
[Router-LoopBack0] ip address 5.5.5.5 32
[Router-LoopBack0] quit

(2)     Configure public-network OSPF routes

# Configure OSPF process 1 to advertise public-network routing information.
[Router] ospf 1
[Router-ospf-1] area 0
[Router-ospf-1-area-0.0.0.0] network 1.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 2.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 3.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 4.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 5.6.1.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit

(3)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally.
[Router] mpls lsr-id 5.5.5.5
[Router] mpls ldp
[Router-ldp] quit

# Enable MPLS and IPv4 LDP on the interfaces.
[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5
[Router-if-range] mpls enable
[Router-if-range] mpls ldp enable
[Router-if-range] quit

4. Configure Hub1

(1)     Configure interface IP addresses

# Configure the IP address of each interface as planned in the network diagram. The configuration steps are as follows.
<Hub1> system-view
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] ip address 1.5.1.1 30
[Hub1-GigabitEthernet1/0/1] quit
[Hub1] interface loopback 0
[Hub1-LoopBack0] ip address 1.1.1.1 32
[Hub1-LoopBack0] quit

(2)     Add interfaces to security zones.

# Add each interface to its security zone as planned in the network diagram. The configuration steps are as follows.
[Hub1] security-zone name untrust
[Hub1-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Hub1-security-zone-Untrust] quit

(3)     Configure security policies

# Configure a security policy rule named publicout so that Hub1 can send protocol and service packets to the public network. The configuration steps are as follows.
[Hub1] security-policy ip
[Hub1-security-policy-ip] rule name publicout
[Hub1-security-policy-ip-0-publicout] source-zone local
[Hub1-security-policy-ip-0-publicout] destination-zone untrust
[Hub1-security-policy-ip-0-publicout] action pass
[Hub1-security-policy-ip-0-publicout] quit

# Configure a security policy rule named publicin so that Hub1 can receive protocol and service packets from the public network. The configuration steps are as follows.
[Hub1-security-policy-ip] rule name publicin
[Hub1-security-policy-ip-1-publicin] source-zone untrust
[Hub1-security-policy-ip-1-publicin] destination-zone local
[Hub1-security-policy-ip-1-publicin] action pass
[Hub1-security-policy-ip-1-publicin] quit

# Configure a security policy rule named private so that Hub1 can forward service packets between spokes. The configuration steps are as follows.
[Hub1-security-policy-ip] rule name private
[Hub1-security-policy-ip-2-private] source-zone untrust
[Hub1-security-policy-ip-2-private] destination-zone untrust
[Hub1-security-policy-ip-2-private] action pass
[Hub1-security-policy-ip-2-private] quit
[Hub1-security-policy-ip] quit

(4)     Configure public-network OSPF routes

# Configure OSPF process 1 to advertise public-network routing information.
[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[Hub1-ospf-1-area-0.0.0.0] network 1.5.1.1 0.0.0.3
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit

(5)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally.
[Hub1] mpls lsr-id 1.1.1.1
[Hub1] mpls ldp
[Hub1-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] mpls enable
[Hub1-GigabitEthernet1/0/1] mpls ldp enable
[Hub1-GigabitEthernet1/0/1] quit

(6)     Configure the VAM client

# Create VAM client Hub1.
[Hub1] vam client name Hub1

# Set the ADVPN domain of the VAM client to abc.
[Hub1-vam-client-Hub1] advpn-domain abc

# Set the pre-shared key of the VAM client to 123456.
[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set the authentication username of the VAM client to hub1 and the password to hub1.
[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Configure the IP addresses of the VAM servers.
[Hub1-vam-client-Hub1] server primary ip-address 6.6.6.6
[Hub1-vam-client-Hub1] server secondary ip-address 7.7.7.7

# Enable the VAM client.
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit

(7)     Configure the IPsec profile

# Configure the IKE keychain and IKE profile.
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit

# Configure the IPsec transform set and IPsec profile.
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit

(8)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Hub1] interface tunnel 1 mode advpn gre
[Hub1-Tunnel1] ip address 192.168.0.1 24
[Hub1-Tunnel1] vam client Hub1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] source loopback 0
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] quit

(9)     Configure OSPF routes

# Configure private-network routing information.
[Hub1] ospf 2
[Hub1-ospf-2] area 0
[Hub1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-2-area-0.0.0.0] quit
[Hub1-ospf-2] quit
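The Hub1 steps above contain several settings a security reviewer would flag before this firewall went into production: the transform set uses des-cbc with sha1, every secret is entered in plaintext (simple) form, the IKE pre-shared key is bound to the wildcard address 0.0.0.0, and the private rule permits untrust-to-untrust traffic with no address or service criteria. The Python script below is an added example, not code from the H3C document; it parses a running-config excerpt constructed from those steps and reports each of these conditions with a remediation hint. The rule keywords it treats as narrowing criteria (source-ip*, destination-ip*, service) and the AES/SHA-2 algorithm names in the hints are assumptions about what the Comware release supports.

```python
import re

# Constructed sample: the Hub1 IKE, IPsec, VAM-client and zone-policy
# commands from the steps above, laid out as a running config.
SAMPLE_CONFIG = """\
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
vam client name Hub1
 advpn-domain abc
 pre-shared-key simple 123456
 user hub1 password simple hub1
security-policy ip
 rule 1 name publicin
  action pass
  source-zone untrust
  destination-zone local
 rule 2 name private
  action pass
  source-zone untrust
  destination-zone untrust
"""

# Algorithms a reviewer would reject for a new IPsec deployment.
WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}
WEAK_INTEGRITY = {"md5", "sha1"}

# Remediation hints. The AES/SHA-2 keywords are the usual Comware 7 names;
# that the target release supports them is an assumption.
REMEDIATION = {
    "weak-encryption": "use an AES transform, e.g. esp encryption-algorithm aes-cbc-256",
    "weak-integrity": "use SHA-2, e.g. esp authentication-algorithm sha256",
    "plaintext-secret": "enter secrets in cipher form and use a high-entropy value",
    "wildcard-psk": "bind the key to static peer addresses, or move to certificate-based IKE authentication",
    "broad-zone-rule": "add source-ip/destination-ip/service criteria to the rule",
}


def parse_blocks(text):
    """Split a Comware running config into (header, [indented body lines]) pairs."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks


def audit_policy(header, body):
    """Flag permit rules whose zone pair is intra-zone (or unset) and that carry no
    narrowing criteria (assumption: the keywords are source-ip*, destination-ip*, service)."""
    rules, current = [], None
    for line in body:
        cmd = line.strip()
        m = re.match(r"rule \d+ name (\S+)", cmd)
        if m:
            current = {"name": m.group(1), "action": None, "src": None, "dst": None, "narrow": False}
            rules.append(current)
        elif current is not None:
            if cmd.startswith("action "):
                current["action"] = cmd.split()[1]
            elif cmd.startswith("source-zone "):
                current["src"] = cmd.split()[1]
            elif cmd.startswith("destination-zone "):
                current["dst"] = cmd.split()[1]
            elif cmd.startswith(("source-ip", "destination-ip", "service")):
                current["narrow"] = True
    return [(header, "broad-zone-rule", r["name"]) for r in rules
            if r["action"] == "pass" and not r["narrow"]
            and (r["src"] == r["dst"] or None in (r["src"], r["dst"]))]


def audit(text):
    """Return (block header, finding kind, detail) triples for a config excerpt."""
    findings = []
    for header, body in parse_blocks(text):
        if header.startswith("security-policy"):
            findings.extend(audit_policy(header, body))
            continue
        for line in body:
            cmd = line.strip()
            m = re.match(r"esp encryption-algorithm (\S+)", cmd)
            if m and m.group(1) in WEAK_ENCRYPTION:
                findings.append((header, "weak-encryption", m.group(1)))
            m = re.match(r"esp authentication-algorithm (\S+)", cmd)
            if m and m.group(1) in WEAK_INTEGRITY:
                findings.append((header, "weak-integrity", m.group(1)))
            # 'simple' means the secret is stored and displayed in cleartext.
            if re.search(r"\b(key|password) simple \S+", cmd):
                findings.append((header, "plaintext-secret", cmd.split()[0]))
            # A 0.0.0.0/0 binding lets any peer that knows the key negotiate.
            if re.match(r"pre-shared-key address 0\.0\.0\.0 (0|0\.0\.0\.0)\b", cmd):
                findings.append((header, "wildcard-psk", "0.0.0.0"))
    return findings


if __name__ == "__main__":
    for header, kind, detail in audit(SAMPLE_CONFIG):
        print(f"{header}: {kind} ({detail}) -> {REMEDIATION[kind]}")
```

Run against the sample, the audit reports seven findings: the keychain's plaintext and wildcard-bound key, the des-cbc/sha1 transform set, the two plaintext VAM client secrets, and the untrust-to-untrust private rule. The inter-zone publicin rule is not reported, since the check targets intra-zone any-to-any permits; tightening inter-zone rules is a separate policy decision.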

5. Configure Hub2

(1)     Configure interface IP addresses

# Configure the IP address of each interface as planned in the network diagram. The configuration steps are as follows.
<Hub2> system-view
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] ip address 2.5.1.1 30
[Hub2-GigabitEthernet1/0/1] quit
[Hub2] interface loopback 0
[Hub2-LoopBack0] ip address 2.2.2.2 32
[Hub2-LoopBack0] quit

(2)     Add interfaces to security zones.

# Add each interface to its security zone as planned in the network diagram. The configuration steps are as follows.
[Hub2] security-zone name untrust
[Hub2-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Hub2-security-zone-Untrust] quit

(3)     Configure security policies

# Configure a security policy rule named publicout so that Hub2 can send protocol and service packets to the public network. The configuration steps are as follows.
[Hub2] security-policy ip
[Hub2-security-policy-ip] rule name publicout
[Hub2-security-policy-ip-0-publicout] source-zone local
[Hub2-security-policy-ip-0-publicout] destination-zone untrust
[Hub2-security-policy-ip-0-publicout] action pass
[Hub2-security-policy-ip-0-publicout] quit

# Configure a security policy rule named publicin so that Hub2 can receive protocol and service packets from the public network. The configuration steps are as follows.
[Hub2-security-policy-ip] rule name publicin
[Hub2-security-policy-ip-1-publicin] source-zone untrust
[Hub2-security-policy-ip-1-publicin] destination-zone local
[Hub2-security-policy-ip-1-publicin] action pass
[Hub2-security-policy-ip-1-publicin] quit

# Configure a security policy rule named private so that Hub2 can forward service packets between spokes. The configuration steps are as follows.
[Hub2-security-policy-ip] rule name private
[Hub2-security-policy-ip-2-private] source-zone untrust
[Hub2-security-policy-ip-2-private] destination-zone untrust
[Hub2-security-policy-ip-2-private] action pass
[Hub2-security-policy-ip-2-private] quit
[Hub2-security-policy-ip] quit

(4)     Configure public-network OSPF routes

# Configure OSPF process 1 to advertise public-network routing information.
[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[Hub2-ospf-1-area-0.0.0.0] network 2.5.1.1 0.0.0.3
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit

(5)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally.
[Hub2] mpls lsr-id 2.2.2.2
[Hub2] mpls ldp
[Hub2-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] mpls enable
[Hub2-GigabitEthernet1/0/1] mpls ldp enable
[Hub2-GigabitEthernet1/0/1] quit

(6)     Configure the VAM client

# Create VAM client Hub2.
[Hub2] vam client name Hub2

# Set the ADVPN domain of the VAM client to abc.
[Hub2-vam-client-Hub2] advpn-domain abc

# Set the pre-shared key of the VAM client to 123456.
[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set the authentication username of the VAM client to hub2 and the password to hub2.
[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Configure the IP addresses of the VAM servers.
[Hub2-vam-client-Hub2] server primary ip-address 6.6.6.6
[Hub2-vam-client-Hub2] server secondary ip-address 7.7.7.7

# Enable the VAM client.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit

(7)     Configure the IPsec profile

# Configure the IKE keychain and IKE profile.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit

# Configure the IPsec transform set and IPsec profile.
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit

(8)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Hub2] interface tunnel 1 mode advpn gre
[Hub2-Tunnel1] ip address 192.168.0.2 24
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] source loopback 0
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit

(9)     Configure OSPF routes

# Configure private-network routing information.
[Hub2] ospf 2
[Hub2-ospf-2] area 0
[Hub2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-2-area-0.0.0.0] quit
[Hub2-ospf-2] quit

6. Configure Spoke1

(1)     Configure interface IP addresses

# Configure the IP address of each interface as planned in the network diagram. The configuration steps are as follows.
<Spoke1> system-view
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] ip address 3.5.1.1 30
[Spoke1-GigabitEthernet1/0/1] quit
[Spoke1] interface gigabitethernet 1/0/2
[Spoke1-GigabitEthernet1/0/2] ip address 192.168.1.1 24
[Spoke1-GigabitEthernet1/0/2] quit
[Spoke1] interface loopback 0
[Spoke1-LoopBack0] ip address 3.3.3.3 32
[Spoke1-LoopBack0] quit

(2)     Add interfaces to security zones.

# Add each interface to its security zone as planned in the network diagram. The configuration steps are as follows.
[Spoke1] security-zone name untrust
[Spoke1-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Spoke1-security-zone-Untrust] quit
[Spoke1] security-zone name trust
[Spoke1-security-zone-Trust] import interface gigabitethernet 1/0/2
[Spoke1-security-zone-Trust] quit

(3)     Configure security policies

# Configure a security policy rule named publicout so that Spoke1 can send protocol and service packets to the public network. The configuration steps are as follows.
[Spoke1] security-policy ip
[Spoke1-security-policy-ip] rule name publicout
[Spoke1-security-policy-ip-0-publicout] source-zone local
[Spoke1-security-policy-ip-0-publicout] destination-zone untrust
[Spoke1-security-policy-ip-0-publicout] action pass
[Spoke1-security-policy-ip-0-publicout] quit

# Configure a security policy rule named publicin so that Spoke1 can receive protocol and service packets from the public network. The configuration steps are as follows.
[Spoke1-security-policy-ip] rule name publicin
[Spoke1-security-policy-ip-1-publicin] source-zone untrust
[Spoke1-security-policy-ip-1-publicin] destination-zone local
[Spoke1-security-policy-ip-1-publicin] action pass
[Spoke1-security-policy-ip-1-publicin] quit

# Configure a security policy rule named privateout so that Spoke1 can send private-network service packets to the public network. The configuration steps are as follows.
[Spoke1-security-policy-ip] rule name privateout
[Spoke1-security-policy-ip-2-privateout] source-zone trust
[Spoke1-security-policy-ip-2-privateout] destination-zone untrust
[Spoke1-security-policy-ip-2-privateout] action pass
[Spoke1-security-policy-ip-2-privateout] quit

# Configure a security policy rule named privatein so that Spoke1 can receive private-network service packets from the public network. The configuration steps are as follows.
[Spoke1-security-policy-ip] rule name privatein
[Spoke1-security-policy-ip-3-privatein] source-zone untrust
[Spoke1-security-policy-ip-3-privatein] destination-zone trust
[Spoke1-security-policy-ip-3-privatein] action pass
[Spoke1-security-policy-ip-3-privatein] quit
[Spoke1-security-policy-ip] quit

(4)     Configure public-network OSPF routes

# Configure OSPF process 1 to advertise public-network routing information.
[Spoke1] ospf 1
[Spoke1-ospf-1] area 0
[Spoke1-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 3.5.1.1 0.0.0.3
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit

(5)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally.
[Spoke1] mpls lsr-id 3.3.3.3
[Spoke1] mpls ldp
[Spoke1-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] mpls enable
[Spoke1-GigabitEthernet1/0/1] mpls ldp enable
[Spoke1-GigabitEthernet1/0/1] quit

(6)     Configure the VAM client

# Create VAM client Spoke1.
[Spoke1] vam client name Spoke1

# Set the ADVPN domain of the VAM client to abc.
[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the pre-shared key of the VAM client to 123456.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set the authentication username of the VAM client to spoke1 and the password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Configure the IP addresses of the VAM servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 6.6.6.6
[Spoke1-vam-client-Spoke1] server secondary ip-address 7.7.7.7

# Enable the VAM client.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit

(7)     Configure the IPsec profile

# Configure the IKE keychain and IKE profile.
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit

# Configure the IPsec transform set and IPsec profile.
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit

(8)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1. The DR priority of 0 keeps the spoke from being elected DR or BDR on the tunnel network, so the hubs keep that role.
[Spoke1] interface tunnel 1 mode advpn gre
[Spoke1-Tunnel1] ip address 192.168.0.3 24
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source loopback 0
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit

(9)     Configure OSPF routes

# Configure private-network routing information.
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] quit
[Spoke1-ospf-2] quit

7. Configure Spoke2

(1)     Configure interface IP addresses

# Configure the IP address of each interface as planned in the network diagram. The configuration steps are as follows.
<Spoke2> system-view
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] ip address 4.5.1.1 30
[Spoke2-GigabitEthernet1/0/1] quit
[Spoke2] interface gigabitethernet 1/0/2
[Spoke2-GigabitEthernet1/0/2] ip address 192.168.2.1 24
[Spoke2-GigabitEthernet1/0/2] quit
[Spoke2] interface loopback 0
[Spoke2-LoopBack0] ip address 4.4.4.4 32
[Spoke2-LoopBack0] quit

(2)     Add interfaces to security zones.

# Add each interface to its security zone as planned in the network diagram. The configuration steps are as follows.
[Spoke2] security-zone name untrust
[Spoke2-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Spoke2-security-zone-Untrust] quit
[Spoke2] security-zone name trust
[Spoke2-security-zone-Trust] import interface gigabitethernet 1/0/2
[Spoke2-security-zone-Trust] quit

(3)     Configure security policies

# Configure a security policy rule named publicout so that Spoke2 can send protocol and service packets to the public network. The configuration steps are as follows.
[Spoke2] security-policy ip
[Spoke2-security-policy-ip] rule name publicout
[Spoke2-security-policy-ip-0-publicout] source-zone local
[Spoke2-security-policy-ip-0-publicout] destination-zone untrust
[Spoke2-security-policy-ip-0-publicout] action pass
[Spoke2-security-policy-ip-0-publicout] quit

# Configure a security policy rule named publicin so that Spoke2 can receive protocol and service packets from the public network. The configuration steps are as follows.
[Spoke2-security-policy-ip] rule name publicin
[Spoke2-security-policy-ip-1-publicin] source-zone untrust
[Spoke2-security-policy-ip-1-publicin] destination-zone local
[Spoke2-security-policy-ip-1-publicin] action pass
[Spoke2-security-policy-ip-1-publicin] quit

# Configure a security policy rule named privateout so that Spoke2 can send private-network service packets to the public network. The configuration steps are as follows.
[Spoke2-security-policy-ip] rule name privateout
[Spoke2-security-policy-ip-2-privateout] source-zone trust
[Spoke2-security-policy-ip-2-privateout] destination-zone untrust
[Spoke2-security-policy-ip-2-privateout] action pass
[Spoke2-security-policy-ip-2-privateout] quit

# Configure a security policy rule named privatein so that Spoke2 can receive private-network service packets from the public network. The configuration steps are as follows.
[Spoke2-security-policy-ip] rule name privatein
[Spoke2-security-policy-ip-3-privatein] source-zone untrust
[Spoke2-security-policy-ip-3-privatein] destination-zone trust
[Spoke2-security-policy-ip-3-privatein] action pass
[Spoke2-security-policy-ip-3-privatein] quit
[Spoke2-security-policy-ip] quit

(4)     Configure public-network OSPF routes

# Configure OSPF process 1 to advertise public-network routing information.
[Spoke2] ospf 1
[Spoke2-ospf-1] area 0
[Spoke2-ospf-1-area-0.0.0.0] network 4.4.4.4 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 4.5.1.1 0.0.0.3
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit

(5)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally.
[Spoke2] mpls lsr-id 4.4.4.4
[Spoke2] mpls ldp
[Spoke2-ldp] quit

# Enable MPLS and IPv4 LDP on the interface.
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] mpls enable
[Spoke2-GigabitEthernet1/0/1] mpls ldp enable
[Spoke2-GigabitEthernet1/0/1] quit

(6)     Configure the VAM client

# Create VAM client Spoke2.
[Spoke2] vam client name Spoke2

# Set the ADVPN domain of the VAM client to abc.
[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the pre-shared key of the VAM client to 123456.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set the authentication username of the VAM client to spoke2 and the password to spoke2.
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Configure the IP addresses of the VAM servers.
[Spoke2-vam-client-Spoke2] server primary ip-address 6.6.6.6
[Spoke2-vam-client-Spoke2] server secondary ip-address 7.7.7.7

# Enable the VAM client.
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit

(7)     Configure the IPsec profile

# Configure the IKE keychain and IKE profile.
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit

# Configure the IPsec transform set and IPsec profile.
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit

(8)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1. The DR priority of 0 keeps the spoke from being elected DR or BDR on the tunnel network, so the hubs keep that role.
[Spoke2] interface tunnel 1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 24
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] source loopback 0
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit

(9)     Configure OSPF routes

# Configure private-network routing information.
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] quit
[Spoke2-ospf-2] quit
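Across the seven devices above, LDP sessions only come up if every node's LSR ID is a /32 loopback that the public OSPF process advertises as a host route, and the overlay addresses (Tunnel1 and the spoke LANs) must stay out of that process or the private topology leaks into the public routing domain. The check below is an added example, not part of the H3C document; it is built from Table 1-3 and the ospf 1 / mpls lsr-id steps, applies the OSPF wildcard-mask match to every interface, and flags public interfaces that no network statement covers, private-side interfaces that OSPF 1 would advertise, and LSR IDs that are not loopbacks advertised as host routes. Treating 192.168.0.0/16 as the private side is an assumption specific to this address plan.

```python
import ipaddress

# Address plan and routing statements constructed from Table 1-3 and the
# "ospf 1" / "mpls lsr-id" steps above (not a file from the H3C document).
# Assumption specific to this plan: overlay and LAN addresses, which must stay
# out of the public OSPF process, all sit in 192.168.0.0/16.
PRIVATE_SIDE = ipaddress.ip_network("192.168.0.0/16")

DEVICES = {
    "Primary server": {
        "interfaces": {"GE1/0/1": "5.6.1.3/24", "Loopback0": "6.6.6.6/32"},
        "lsr_id": "6.6.6.6",
        "ospf1": [("6.6.6.6", "0.0.0.0"), ("5.6.1.3", "0.0.0.255")],
    },
    "Secondary server": {
        "interfaces": {"GE1/0/1": "5.6.1.4/24", "Loopback0": "7.7.7.7/32"},
        "lsr_id": "7.7.7.7",
        "ospf1": [("7.7.7.7", "0.0.0.0"), ("5.6.1.4", "0.0.0.255")],
    },
    "Router": {
        "interfaces": {"GE1/0/1": "1.5.1.2/30", "GE1/0/2": "2.5.1.2/30", "GE1/0/3": "3.5.1.2/30",
                       "GE1/0/4": "4.5.1.2/30", "GE1/0/5": "5.6.1.1/24", "Loopback0": "5.5.5.5/32"},
        "lsr_id": "5.5.5.5",
        "ospf1": [("1.5.1.0", "0.0.0.3"), ("2.5.1.0", "0.0.0.3"), ("3.5.1.0", "0.0.0.3"),
                  ("4.5.1.0", "0.0.0.3"), ("5.6.1.0", "0.0.0.255"), ("5.5.5.5", "0.0.0.0")],
    },
    "Hub1": {
        "interfaces": {"GE1/0/1": "1.5.1.1/30", "Loopback0": "1.1.1.1/32", "Tunnel1": "192.168.0.1/24"},
        "lsr_id": "1.1.1.1",
        "ospf1": [("1.1.1.1", "0.0.0.0"), ("1.5.1.1", "0.0.0.3")],
    },
    "Hub2": {
        "interfaces": {"GE1/0/1": "2.5.1.1/30", "Loopback0": "2.2.2.2/32", "Tunnel1": "192.168.0.2/24"},
        "lsr_id": "2.2.2.2",
        "ospf1": [("2.2.2.2", "0.0.0.0"), ("2.5.1.1", "0.0.0.3")],
    },
    "Spoke1": {
        "interfaces": {"GE1/0/1": "3.5.1.1/30", "GE1/0/2": "192.168.1.1/24",
                       "Loopback0": "3.3.3.3/32", "Tunnel1": "192.168.0.3/24"},
        "lsr_id": "3.3.3.3",
        "ospf1": [("3.3.3.3", "0.0.0.0"), ("3.5.1.1", "0.0.0.3")],
    },
    "Spoke2": {
        "interfaces": {"GE1/0/1": "4.5.1.1/30", "GE1/0/2": "192.168.2.1/24",
                       "Loopback0": "4.4.4.4/32", "Tunnel1": "192.168.0.4/24"},
        "lsr_id": "4.4.4.4",
        "ospf1": [("4.4.4.4", "0.0.0.0"), ("4.5.1.1", "0.0.0.3")],
    },
}


def wildcard_covers(address, network, wildcard):
    """OSPF 'network' semantics: address bits where the wildcard bit is 0 must match."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(address)) & care) == \
           (int(ipaddress.ip_address(network)) & care)


def check_device(name, dev):
    """Return plan/OSPF/LDP inconsistencies for one device (empty list if clean)."""
    problems = []
    for ifname, cidr in dev["interfaces"].items():
        ip = ipaddress.ip_interface(cidr).ip
        covered = any(wildcard_covers(str(ip), net, wc) for net, wc in dev["ospf1"])
        if ip in PRIVATE_SIDE and covered:
            problems.append(f"{name}: private-side {ifname} ({cidr}) is advertised by public OSPF 1")
        if ip not in PRIVATE_SIDE and not covered:
            problems.append(f"{name}: public {ifname} ({cidr}) matches no 'network' statement")
    # LDP peers target the LSR ID, so it must be a local /32 loopback that
    # OSPF 1 advertises as a host route.
    lsr = dev["lsr_id"]
    loopbacks = {cidr.split("/")[0] for ifname, cidr in dev["interfaces"].items()
                 if ifname.startswith("Loopback") and cidr.endswith("/32")}
    if lsr not in loopbacks:
        problems.append(f"{name}: mpls lsr-id {lsr} is not a local /32 loopback")
    elif (lsr, "0.0.0.0") not in dev["ospf1"]:
        problems.append(f"{name}: LSR ID {lsr} is not advertised as a host route")
    return problems


def check_all(devices=DEVICES):
    """Run check_device over the whole plan; every list is empty for this example."""
    return {name: check_device(name, dev) for name, dev in devices.items()}


if __name__ == "__main__":
    for name, problems in check_all().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

For the plan in this section every device comes back clean. The same function reports the two mistakes most often seen when an example like this is adapted: adding a spoke's LAN prefix to OSPF 1 instead of OSPF 2, and setting mpls lsr-id to a physical interface address rather than the loopback.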

1.4.4  Verifying the configuration

# Display the IPv4 private address mapping information of all VAM clients registered with the primary VAM server.
[Primary server] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group      Private address  Public address              Type   NAT  Holding time
0          192.168.0.1      1.1.1.1                     Hub    No   0H 10M 30S
0          192.168.0.2      2.2.2.2                     Hub    No   0H 10M 31S
0          192.168.0.3      3.3.3.3                     Spoke  No   0H 9M 27S
0          192.168.0.4      4.4.4.4                     Spoke  No   0H 9M 51S

# Display the IPv4 private address mapping information of all VAM clients registered with the secondary VAM server.
[Secondary server] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group      Private address  Public address              Type   NAT  Holding time
0          192.168.0.1      1.1.1.1                     Hub    No   0H 11M 49S
0          192.168.0.2      2.2.2.2                     Hub    No   0H 11M 50S
0          192.168.0.3      3.3.3.3                     Spoke  No   0H 10M 45S
0          192.168.0.4      4.4.4.4                     Spoke  No   0H 11M 10S

The output shows that Hub1, Hub2, Spoke1 and Spoke2 have all registered their address mapping information with the VAM servers.

# Display IPv4 ADVPN tunnel information on Hub1.
[Hub1] display advpn session
Interface         : Tunnel1
Number of sessions: 3
Private address      Public address       Port  Type  State        Holding time
192.168.0.2          2.2.2.2              --    H-H   Success      0H 12M 23S
192.168.0.3          3.3.3.3              --    H-S   Success      0H 11M 19S
192.168.0.4          4.4.4.4              --    H-S   Success      0H 11M 44S

The output shows that Hub1 has established permanent tunnels with Hub2, Spoke1 and Spoke2. The output on Hub2 is similar.

# Display IPv4 ADVPN tunnel information on Spoke1.
[Spoke1] display advpn session
Interface         : Tunnel1
Number of sessions: 2
Private address      Public address       Port  Type  State        Holding time
192.168.0.1          1.1.1.1              --    S-H   Success      0H 11M 0S
192.168.0.2          2.2.2.2              --    S-H   Success      0H 11M 0S

The output shows that Spoke1 has established permanent hub-spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar.

# On Spoke1, ping the private address 192.168.2.1 of Spoke2.
[Spoke1] ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=1.000 ms

--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms

# Display IPv4 ADVPN tunnel information on Spoke1 again. A temporary IPv4 ADVPN tunnel to Spoke2 has been established.
[Spoke1] display advpn session
Interface         : Tunnel1
Number of sessions: 3
Private address      Public address       Port  Type  State        Holding time
192.168.0.1          1.1.1.1              --    S-H   Success      0H 12M 44S
192.168.0.2          2.2.2.2              --    S-H   Success      0H 12M 44S
192.168.0.4          4.4.4.4              --    S-S   Success      0H 1M 0S

The output shows that Spoke1 still holds its permanent hub-spoke tunnels with Hub1 and Hub2 and has now established a temporary spoke-spoke tunnel with Spoke2. The output on Spoke2 is similar.
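The display output above is what an operator checks by eye. The script below is an added example, not code from the H3C document: it parses the display vam server address-map and display advpn session output copied from the verification steps and compares it with the expected hub set, spoke range and public loopback addresses taken from this section's configuration. It goes slightly beyond the page's case by also reporting a registration from an unknown public address, an unexpected hub entry, or a declared mapping count that does not match the rows, which are the deviations a defender would rather have alerted on than spotted by eye. EXPECTED_HUBS, SPOKE_RANGE and KNOWN_PUBLIC are constructed from the configuration above.

```python
import ipaddress
import re

# Constructed samples copied from the verification output above.
PRIMARY_ADDRESS_MAP = """\
ADVPN domain name: abc
Total private address mappings: 4
Group      Private address  Public address              Type   NAT  Holding time
0          192.168.0.1      1.1.1.1                     Hub    No   0H 10M 30S
0          192.168.0.2      2.2.2.2                     Hub    No   0H 10M 31S
0          192.168.0.3      3.3.3.3                     Spoke  No   0H 9M 27S
0          192.168.0.4      4.4.4.4                     Spoke  No   0H 9M 51S
"""

SPOKE1_SESSIONS = """\
Interface         : Tunnel1
Number of sessions: 3
Private address      Public address       Port  Type  State        Holding time
192.168.0.1          1.1.1.1              --    S-H   Success      0H 12M 44S
192.168.0.2          2.2.2.2              --    S-H   Success      0H 12M 44S
192.168.0.4          4.4.4.4              --    S-S   Success      0H 1M 0S
"""

# Expectations taken from the hub-group and tunnel configuration in this section.
EXPECTED_HUBS = {"192.168.0.1": "1.1.1.1", "192.168.0.2": "2.2.2.2"}
SPOKE_RANGE = ipaddress.ip_network("192.168.0.0/24")
KNOWN_PUBLIC = {"1.1.1.1", "2.2.2.2", "3.3.3.3", "4.4.4.4"}

MAP_ROW = re.compile(
    r"^(?P<group>\d+)\s+(?P<private>\S+)\s+(?P<public>\S+)\s+(?P<type>Hub|Spoke)"
    r"\s+(?P<nat>Yes|No)\s+(?P<h>\d+)H (?P<m>\d+)M (?P<s>\d+)S$")
SESSION_ROW = re.compile(
    r"^(?P<private>\S+)\s+(?P<public>\S+)\s+(?P<port>\S+)\s+(?P<type>[HS]-[HS])"
    r"\s+(?P<state>\S+)\s+(?P<h>\d+)H (?P<m>\d+)M (?P<s>\d+)S$")


def _holding_seconds(m):
    return int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])


def parse_address_map(text):
    """Return (declared total, rows) from 'display vam server address-map' output."""
    total, rows = None, []
    for line in text.splitlines():
        if line.startswith("Total private address mappings:"):
            total = int(line.split(":")[1])
            continue
        m = MAP_ROW.match(line.strip())
        if m:
            rows.append({"group": int(m["group"]), "private": m["private"], "public": m["public"],
                         "type": m["type"], "nat": m["nat"] == "Yes",
                         "holding_s": _holding_seconds(m)})
    return total, rows


def parse_sessions(text):
    """Return session rows from 'display advpn session' output."""
    rows = []
    for line in text.splitlines():
        m = SESSION_ROW.match(line.strip())
        if m:
            rows.append({"private": m["private"], "public": m["public"], "type": m["type"],
                         "state": m["state"], "holding_s": _holding_seconds(m)})
    return rows


def check_registrations(total, rows):
    """Compare the server's view with the planned hub set, spoke range and public addresses."""
    problems = []
    if total is not None and total != len(rows):
        problems.append(f"header says {total} mappings, parsed {len(rows)}")
    seen = {r["private"]: r for r in rows}
    for private, public in EXPECTED_HUBS.items():
        if private not in seen:
            problems.append(f"hub {private} not registered")
        elif seen[private]["public"] != public:
            problems.append(f"hub {private} registered from {seen[private]['public']}, expected {public}")
    for r in rows:
        if r["public"] not in KNOWN_PUBLIC:
            problems.append(f"{r['private']} registered from unknown public address {r['public']}")
        if r["type"] == "Hub" and r["private"] not in EXPECTED_HUBS:
            problems.append(f"unexpected hub registration {r['private']}")
        if r["type"] == "Spoke" and ipaddress.ip_address(r["private"]) not in SPOKE_RANGE:
            problems.append(f"spoke {r['private']} outside the configured spoke range")
    return problems


def check_spoke_sessions(rows):
    """A spoke must hold a Success S-H session to every hub; anything else is reported."""
    problems = []
    hub_sessions = {r["private"] for r in rows if r["type"] == "S-H" and r["state"] == "Success"}
    for private in EXPECTED_HUBS:
        if private not in hub_sessions:
            problems.append(f"no established hub-spoke session to {private}")
    for r in rows:
        if r["state"] != "Success":
            problems.append(f"session to {r['private']} in state {r['state']}")
    return problems


if __name__ == "__main__":
    total, rows = parse_address_map(PRIMARY_ADDRESS_MAP)
    print("registrations:", check_registrations(total, rows) or "OK")
    print("spoke1 sessions:", check_spoke_sessions(parse_sessions(SPOKE1_SESSIONS)) or "OK")
```

The S-S row is deliberately not required: spoke-spoke tunnels are created on demand and torn down when idle, so their absence is normal, whereas a missing S-H session or a non-Success state means the permanent path through the hubs is broken.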

1.4.5  Configuration files

1. Primary server

#
ospf 1
 area 0.0.0.0
  network 5.6.1.0 0.0.0.255
  network 6.6.6.6 0.0.0.0
#
 mpls lsr-id 6.6.6.6
#
mpls ldp
#
interface LoopBack0
 ip address 6.6.6.6 255.255.255.255
#
interface GigabitEthernet1/0/1
 ip address 5.6.1.3 255.255.255.0
 mpls enable
 mpls ldp enable
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
#
 radius session-control enable
#
radius scheme abc
 primary authentication 5.6.1.2
 primary accounting 5.6.1.2
 key authentication simple 123
 key accounting simple 123
 user-name-format without-domain
#
domain abc
 authentication advpn radius-scheme abc
 accounting advpn radius-scheme abc
#
 domain default enable abc
#
vam server advpn-domain abc id 1
 pre-shared-key simple 123456
 server enable
 hub-group 0
  hub private-address 192.168.0.1
  hub private-address 192.168.0.2
  spoke private-address range 192.168.0.0 192.168.0.255
#
security-policy ip
 rule 0 name publicout
  action pass
  source-zone local
  destination-zone untrust
 rule 1 name publicin
  action pass
  source-zone untrust
  destination-zone local
#

2. Secondary server

#
ospf 1
 area 0.0.0.0
  network 5.6.1.0 0.0.0.255
  network 7.7.7.7 0.0.0.0
#
 mpls lsr-id 7.7.7.7
#
mpls ldp
#
interface LoopBack0
 ip address 7.7.7.7 255.255.255.255
#
interface GigabitEthernet1/0/1
 ip address 5.6.1.4 255.255.255.0
 mpls enable
 mpls ldp enable
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
#
 radius session-control enable
#
radius scheme abc
 primary authentication 5.6.1.2
 primary accounting 5.6.1.2
 key authentication simple 123
 key accounting simple 123
 user-name-format without-domain
#
domain abc
 authentication advpn radius-scheme abc
 accounting advpn radius-scheme abc
#
 domain default enable abc
#
vam server advpn-domain abc id 1
 pre-shared-key simple 123456
 server enable
 hub-group 0
  hub private-address 192.168.0.1
  hub private-address 192.168.0.2
  spoke private-address range 192.168.0.0 192.168.0.255
#
security-policy ip
 rule 0 name publicout
  action pass
  source-zone local
  destination-zone untrust
 rule 1 name publicin
  action pass
  source-zone untrust
  destination-zone local
#

3. Router

#
ospf 1
 area 0.0.0.0
  network 1.5.1.0 0.0.0.3
  network 2.5.1.0 0.0.0.3
  network 3.5.1.0 0.0.0.3
  network 4.5.1.0 0.0.0.3
  network 5.5.5.5 0.0.0.0
  network 5.6.1.0 0.0.0.255
#
 mpls lsr-id 5.5.5.5
#
mpls ldp
#
interface LoopBack0
 ip address 5.5.5.5 255.255.255.255
#
interface GigabitEthernet1/0/1
 ip address 1.5.1.2 255.255.255.252
 mpls enable
 mpls ldp enable
#
interface GigabitEthernet1/0/2
 ip address 2.5.1.2 255.255.255.252
 mpls enable
 mpls ldp enable
#
interface GigabitEthernet1/0/3
 ip address 3.5.1.2 255.255.255.252
 mpls enable
 mpls ldp enable
#
interface GigabitEthernet1/0/4
 ip address 4.5.1.2 255.255.255.252
 mpls enable
 mpls ldp enable
#
interface GigabitEthernet1/0/5
 ip address 5.6.1.1 255.255.255.0
 mpls enable
 mpls ldp enable
#

4. Hub1

#
ospf 1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 1.5.1.0 0.0.0.3
#
ospf 2
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
#
 mpls lsr-id 1.1.1.1
#
mpls ldp
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet1/0/1
 ip address 1.5.1.1 255.255.255.252
 mpls enable
 mpls ldp enable
#
interface Tunnel1 mode advpn gre
 ip address 192.168.0.1 255.255.255.0
 ospf network-type broadcast
 source LoopBack0
 tunnel protection ipsec profile abc
 vam client Hub1
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
#
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec profile abc isakmp
 transform-set abc
 ike-profile abc
#
ike profile abc
 keychain abc
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
 advpn-domain abc
 server primary ip-address 6.6.6.6
 server secondary ip-address 7.7.7.7
 pre-shared-key simple 123456
 user hub1 password simple hub1
 client enable
#
security-policy ip
 rule 0 name publicout
  action pass
  source-zone local
  destination-zone untrust
 rule 1 name publicin
  action pass
  source-zone untrust
  destination-zone local
 rule 2 name private
  action pass
  source-zone untrust
  destination-zone untrust
#

5. Hub2

#

ospf 1

 area 0.0.0.0

  network 2.2.2.2 0.0.0.0

  network 2.5.1.0 0.0.0.3

#

ospf 2

 area 0.0.0.0

  network 192.168.0.0 0.0.0.255

#

 mpls lsr-id 2.2.2.2

#

mpls ldp

#

interface LoopBack0

 ip address 2.2.2.2 255.255.255.255

#

interface GigabitEthernet1/0/1

 ip address 2.5.1.1 255.255.255.252

 mpls enable

 mpls ldp enable

#

interface Tunnel1 mode advpn gre

 ip address 192.168.0.2 255.255.255.0

 ospf network-type broadcast

 source LoopBack0

 tunnel protection ipsec profile abc

 vam client Hub2

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

#

vam client name Hub2

 advpn-domain abc

 server primary ip-address 6.6.6.6

 server secondary ip-address 7.7.7.7

 pre-shared-key simple 123456

 user hub2 password simple hub2

 client enable

#

security-policy ip

 rule 0 name publicout

  source-zone local

  destination-zone untrust

 rule 1 name publicin

  action pass

  source-zone untrust

  destination-zone local

 rule 2 name private

  action pass

  source-zone untrust

  destination-zone untrust

#

6. Spoke1

#

ospf 1

 area 0.0.0.0

  network 3.3.3.3 0.0.0.0

  network 3.5.1.0 0.0.0.3

#

ospf 2

 area 0.0.0.0

  network 192.168.0.0 0.0.0.255

  network 192.168.1.0 0.0.0.255

#

 mpls lsr-id 3.3.3.3

#

mpls ldp

#

interface LoopBack0

 ip address 3.3.3.3 255.255.255.255

#

interface GigabitEthernet1/0/1

 port link-mode route

 ip address 3.5.1.1 255.255.255.252

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet1/0/2

 port link-mode route

 ip address 192.168.1.1 255.255.255.0

#

interface Tunnel1 mode advpn gre

 ip address 192.168.0.3 255.255.255.0

 ospf network-type broadcast

 ospf dr-priority 0

 source LoopBack0

 tunnel protection ipsec profile abc

 vam client Spoke1

#

security-zone name Trust

 import interface GigabitEthernet1/0/2

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

#

vam client name Spoke1

 advpn-domain abc

 server primary ip-address 6.6.6.6

 server secondary ip-address 7.7.7.7

 pre-shared-key simple 123456

 user spoke1 password simple spoke1

 client enable

#

security-policy ip

 rule 0 name publicout

  action pass

  source-zone local

  destination-zone untrust

 rule 1 name publicin

  action pass

  source-zone untrust

  destination-zone local

 rule 2 name privateout

  action pass

  source-zone trust

  destination-zone untrust

 rule 3 name privatein

  action pass

  source-zone untrust

  destination-zone trust

#

7. Spoke2

#

ospf 1

 area 0.0.0.0

  network 4.4.4.4 0.0.0.0

  network 4.5.1.0 0.0.0.3

#

ospf 2

 area 0.0.0.0

  network 192.168.0.0 0.0.0.255

  network 192.168.2.0 0.0.0.255

#

 mpls lsr-id 4.4.4.4

#

mpls ldp

#

interface LoopBack0

 ip address 4.4.4.4 255.255.255.255

#

interface GigabitEthernet1/0/1

 ip address 4.5.1.1 255.255.255.252

 mpls enable

 mpls ldp enable

#

interface GigabitEthernet1/0/2

 ip address 192.168.2.1 255.255.255.0

#

interface Tunnel1 mode advpn gre

 ip address 192.168.0.4 255.255.255.0

 ospf network-type broadcast

 ospf dr-priority 0

 source LoopBack0

 tunnel protection ipsec profile abc

 vam client Spoke2

#

security-zone name Trust

 import interface GigabitEthernet1/0/2

#

security-zone name Untrust

 import interface GigabitEthernet1/0/1

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

#

vam client name Spoke2

 advpn-domain abc

 server primary ip-address 6.6.6.6

 server secondary ip-address 7.7.7.7

 pre-shared-key simple 123456

 user spoke2 password simple spoke2

 client enable

#

security-policy ip

 rule 0 name publicout

  action pass

  source-zone local

  destination-zone untrust

 rule 1 name publicin

  action pass

  source-zone untrust

  destination-zone local

 rule 2 name privateout

  action pass

  source-zone trust

  destination-zone untrust

 rule 3 name privatein

  action pass

  source-zone untrust

  destination-zone trust

#

1.5  Hub-Spoke type ADVPN over MPLS configuration example (security application)

1.5.1  Applicable products and versions

This example was configured and verified on an F5000-AI160 running version E8371.

1.5.2  Network requirements

·     The Hubs, Spokes, Router and Servers set up LSPs dynamically through MPLS LDP, so that traffic between the loopback addresses of these devices is carried over MPLS.

·     In the IPv4 Hub-Spoke topology, data is forwarded over the Hub-Spoke tunnels. The primary and secondary VAM Servers manage and maintain the information of every node; the AAA server authenticates the VAM Clients and handles their accounting; the two Hubs back each other up and are responsible for forwarding data and exchanging routing information.

·     Each Spoke establishes permanent ADVPN tunnels to the Hubs.

Table 1-4 IPv4 Hub-Spoke type ADVPN over MPLS network diagram

Device            Interface   IP address
Hub 1             GE1/0/1     1.5.1.1/30
                  Loopback0   1.1.1.1/32
                  Tunnel1     192.168.0.1/24
Hub 2             GE1/0/1     2.5.1.1/30
                  Loopback0   2.2.2.2/32
                  Tunnel1     192.168.0.2/24
Router            GE1/0/1     1.5.1.2/30
                  GE1/0/2     2.5.1.2/30
                  GE1/0/3     3.5.1.2/30
                  GE1/0/4     4.5.1.2/30
                  GE1/0/5     5.6.1.1/24
                  Loopback0   5.5.5.5/32
Spoke 1           GE1/0/1     3.5.1.1/30
                  Loopback0   3.3.3.3/32
                  Tunnel1     192.168.0.3/24
                  GE1/0/2     192.168.1.1/24
Spoke 2           GE1/0/1     4.5.1.1/30
                  Loopback0   4.4.4.4/32
                  Tunnel1     192.168.0.4/24
                  GE1/0/2     192.168.2.1/24
Primary server    GE1/0/1     5.6.1.3/24
                  Loopback0   6.6.6.6/32
Secondary server  GE1/0/1     5.6.1.4/24
                  Loopback0   7.7.7.7/32
AAA server        -           5.6.1.2/24


1.5.3  Configuration procedure

1. Configure the primary VAM Server

(1)     Configure interface IP addresses

# Configure the IP address of each interface according to the network plan, as follows.

<Primary server> system-view

[Primary server] interface gigabitethernet 1/0/1

[Primary server-GigabitEthernet1/0/1] ip address 5.6.1.3 24

[Primary server-GigabitEthernet1/0/1] quit

[Primary server] interface loopback 0

[Primary server-LoopBack0] ip address 6.6.6.6 32

[Primary server-LoopBack0] quit

(2)     Configure public-network OSPF routing

# Configure OSPF 1 to advertise the public-network routes.

[Primary server] ospf 1

[Primary server-ospf-1] area 0

[Primary server-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0

[Primary server-ospf-1-area-0.0.0.0] network 5.6.1.3 0.0.0.255

[Primary server-ospf-1-area-0.0.0.0] quit

[Primary server-ospf-1] quit

(3)     Configure public-network IS-IS routing

# Configure IS-IS to advertise the public-network routes.

[Primary server] isis 1

[Primary server-isis-1] network-entity 49.0001.0060.0600.6006.00

[Primary server-isis-1] is-level level-2

[Primary server-isis-1] quit

[Primary server] interface range gigabitethernet 1/0/1 loopback 0

[Primary server-if-range] isis enable 1

[Primary server-if-range] quit

(4)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally on the LSR.

[Primary server] mpls lsr-id 6.6.6.6

[Primary server] mpls ldp

[Primary server-ldp] quit

# Enable MPLS on the interface and enable IPv4 LDP on the interface.

[Primary server] interface gigabitethernet 1/0/1

[Primary server-GigabitEthernet1/0/1] mpls enable

[Primary server-GigabitEthernet1/0/1] mpls ldp enable

[Primary server-GigabitEthernet1/0/1] quit

(5)     Configure AAA authentication

# Configure a RADIUS scheme.

[Primary server] radius scheme abc

[Primary server-radius-abc] primary authentication 5.6.1.2 1812

[Primary server-radius-abc] primary accounting 5.6.1.2 1813

[Primary server-radius-abc] key authentication simple 123

[Primary server-radius-abc] key accounting simple 123

[Primary server-radius-abc] user-name-format without-domain

[Primary server-radius-abc] quit

[Primary server] radius session-control enable

# Configure the AAA methods for the ISP domain.

[Primary server] domain abc

[Primary server-isp-abc] authentication advpn radius-scheme abc

[Primary server-isp-abc] accounting advpn radius-scheme abc

[Primary server-isp-abc] quit

[Primary server] domain default enable abc

(6)     Configure the VAM Server

# Create ADVPN domain abc.

[Primary server] vam server advpn-domain abc id 1

# Create hub group 0.

[Primary server-vam-server-domain-abc] hub-group 0

# Specify the IPv4 private addresses of the Hubs in the hub group.

[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1

[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

# Specify the IPv4 private address range of the Spokes in the hub group.

[Primary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24

[Primary server-vam-server-domain-abc-hub-group-0] quit

# Set the pre-shared key of the VAM Server to 123456.

[Primary server-vam-server-domain-abc] pre-shared-key simple 123456

# Configure CHAP authentication of VAM Clients.

[Primary server-vam-server-domain-abc] authentication-method chap

# Enable the VAM Server function for this ADVPN domain.

[Primary server-vam-server-domain-abc] server enable

[Primary server-vam-server-domain-abc] quit

2. Configure the secondary VAM Server

(1)     Configure interface IP addresses

# Configure the IP address of each interface according to the network plan, as follows.

<Secondary server> system-view

[Secondary server] interface gigabitethernet 1/0/1

[Secondary server-GigabitEthernet1/0/1] ip address 5.6.1.4 24

[Secondary server-GigabitEthernet1/0/1] quit

[Secondary server] interface loopback 0

[Secondary server-LoopBack0] ip address 7.7.7.7 32

[Secondary server-LoopBack0] quit

(2)     Configure public-network OSPF routing

# Configure OSPF 1 to advertise the public-network routes.

[Secondary server] ospf 1

[Secondary server-ospf-1] area 0

[Secondary server-ospf-1-area-0.0.0.0] network 7.7.7.7 0.0.0.0

[Secondary server-ospf-1-area-0.0.0.0] network 5.6.1.4 0.0.0.255

[Secondary server-ospf-1-area-0.0.0.0] quit

[Secondary server-ospf-1] quit

(3)     Configure public-network IS-IS routing

# Configure IS-IS to advertise the public-network routes.

[Secondary server] isis 1

[Secondary server-isis-1] network-entity 49.0001.0070.0700.7007.00

[Secondary server-isis-1] is-level level-2

[Secondary server-isis-1] quit

[Secondary server] interface range gigabitethernet 1/0/1 loopback 0

[Secondary server-if-range] isis enable 1

[Secondary server-if-range] quit

(4)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally on the LSR.

[Secondary server] mpls lsr-id 7.7.7.7

[Secondary server] mpls ldp

[Secondary server-ldp] quit

# Enable MPLS on the interface and enable IPv4 LDP on the interface.

[Secondary server] interface gigabitethernet 1/0/1

[Secondary server-GigabitEthernet1/0/1] mpls enable

[Secondary server-GigabitEthernet1/0/1] mpls ldp enable

[Secondary server-GigabitEthernet1/0/1] quit

(5)     Configure AAA authentication

# Configure a RADIUS scheme.

[Secondary server] radius scheme abc

[Secondary server-radius-abc] primary authentication 5.6.1.2 1812

[Secondary server-radius-abc] primary accounting 5.6.1.2 1813

[Secondary server-radius-abc] key authentication simple 123

[Secondary server-radius-abc] key accounting simple 123

[Secondary server-radius-abc] user-name-format without-domain

[Secondary server-radius-abc] quit

[Secondary server] radius session-control enable

# Configure the AAA methods for the ISP domain.

[Secondary server] domain abc

[Secondary server-isp-abc] authentication advpn radius-scheme abc

[Secondary server-isp-abc] accounting advpn radius-scheme abc

[Secondary server-isp-abc] quit

[Secondary server] domain default enable abc

(6)     Configure the VAM Server

# Create ADVPN domain abc.

[Secondary server] vam server advpn-domain abc id 1

# Create hub group 0.

[Secondary server-vam-server-domain-abc] hub-group 0

# Specify the IPv4 private addresses of the Hubs in the hub group.

[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1

[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2

# Specify the IPv4 private address range of the Spokes in the hub group.

[Secondary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24

[Secondary server-vam-server-domain-abc-hub-group-0] quit

# Set the pre-shared key of the VAM Server to 123456.

[Secondary server-vam-server-domain-abc] pre-shared-key simple 123456

# Configure CHAP authentication of VAM Clients.

[Secondary server-vam-server-domain-abc] authentication-method chap

# Enable the VAM Server function for this ADVPN domain.

[Secondary server-vam-server-domain-abc] server enable

[Secondary server-vam-server-domain-abc] quit

3. Configure the Router

(1)     Configure interface IP addresses

# Configure the IP address of each interface according to the network plan, as follows.

<Router> system-view

[Router] interface gigabitethernet 1/0/1

[Router-GigabitEthernet1/0/1] ip address 1.5.1.2 30

[Router-GigabitEthernet1/0/1] quit

[Router] interface gigabitethernet 1/0/2

[Router-GigabitEthernet1/0/2] ip address 2.5.1.2 30

[Router-GigabitEthernet1/0/2] quit

[Router] interface gigabitethernet 1/0/3

[Router-GigabitEthernet1/0/3] ip address 3.5.1.2 30

[Router-GigabitEthernet1/0/3] quit

[Router] interface gigabitethernet 1/0/4

[Router-GigabitEthernet1/0/4] ip address 4.5.1.2 30

[Router-GigabitEthernet1/0/4] quit

[Router] interface gigabitethernet 1/0/5

[Router-GigabitEthernet1/0/5] ip address 5.6.1.1 24

[Router-GigabitEthernet1/0/5] quit

[Router] interface loopback 0

[Router-LoopBack0] ip address 5.5.5.5 32

[Router-LoopBack0] quit

(2)     Configure public-network OSPF routing

# Configure OSPF 1 to advertise the public-network routes.

[Router] ospf 1

[Router-ospf-1] area 0

[Router-ospf-1-area-0.0.0.0] network 1.5.1.0 0.0.0.3

[Router-ospf-1-area-0.0.0.0] network 2.5.1.0 0.0.0.3

[Router-ospf-1-area-0.0.0.0] network 3.5.1.0 0.0.0.3

[Router-ospf-1-area-0.0.0.0] network 5.6.1.0 0.0.0.255

[Router-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0

[Router-ospf-1-area-0.0.0.0] quit

[Router-ospf-1] quit

(3)     Configure public-network IS-IS routing

# Configure IS-IS to advertise the public-network routes.

[Router] isis 1

[Router-isis-1] network-entity 49.0001.0050.0500.5005.00

[Router-isis-1] is-level level-2

[Router-isis-1] quit

[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/4 gigabitethernet 1/0/5 loopback 0

[Router-if-range] isis enable 1

[Router-if-range] quit

(4)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally on the LSR.

[Router] mpls lsr-id 5.5.5.5

[Router] mpls ldp

[Router-ldp] quit

# Enable MPLS on the interfaces and enable IPv4 LDP on the interfaces.

[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5

[Router-if-range] mpls enable

[Router-if-range] mpls ldp enable

[Router-if-range] quit

4. Configure Hub1

(1)     Configure interface IP addresses

# Configure the IP address of each interface according to the network plan, as follows.

<Hub1> system-view

[Hub1] interface gigabitethernet 1/0/1

[Hub1-GigabitEthernet1/0/1] ip address 1.5.1.1 30

[Hub1-GigabitEthernet1/0/1] quit

[Hub1] interface loopback 0

[Hub1-LoopBack0] ip address 1.1.1.1 32

[Hub1-LoopBack0] quit

(2)     Configure public-network OSPF routing

# Configure OSPF 1 to advertise the public-network routes.

[Hub1] ospf 1

[Hub1-ospf-1] area 0

[Hub1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0

[Hub1-ospf-1-area-0.0.0.0] network 1.5.1.1 0.0.0.3

[Hub1-ospf-1-area-0.0.0.0] quit

[Hub1-ospf-1] quit

(3)     Configure public-network IS-IS routing

# Configure IS-IS to advertise the public-network routes.

[Hub1] isis 1

[Hub1-isis-1] network-entity 49.0001.0010.0100.1001.00

[Hub1-isis-1] is-level level-2

[Hub1-isis-1] quit

[Hub1] interface range gigabitethernet 1/0/1 loopback 0

[Hub1-if-range] isis enable 1

[Hub1-if-range] quit

(4)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally on the LSR.

[Hub1] mpls lsr-id 1.1.1.1

[Hub1] mpls ldp

[Hub1-ldp] quit

# Enable MPLS on the interface and enable IPv4 LDP on the interface.

[Hub1] interface gigabitethernet 1/0/1

[Hub1-GigabitEthernet1/0/1] mpls enable

[Hub1-GigabitEthernet1/0/1] mpls ldp enable

[Hub1-GigabitEthernet1/0/1] quit

(5)     Configure the VAM Client

# Create VAM Client Hub1.

[Hub1] vam client name Hub1

# Set the ADVPN domain of the VAM Client to abc.

[Hub1-vam-client-Hub1] advpn-domain abc

# Set the pre-shared key of the VAM Client to 123456.

[Hub1-vam-client-Hub1] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to hub1 and the password to hub1.

[Hub1-vam-client-Hub1] user hub1 password simple hub1

# Configure the IP addresses of the VAM Servers.

[Hub1-vam-client-Hub1] server primary ip-address 6.6.6.6

[Hub1-vam-client-Hub1] server secondary ip-address 7.7.7.7

# Enable the VAM Client function.

[Hub1-vam-client-Hub1] client enable

[Hub1-vam-client-Hub1] quit

(6)     Configure the IPsec profile

# Configure the IKE profile.

[Hub1] ike keychain abc

[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456

[Hub1-ike-keychain-abc] quit

[Hub1] ike profile abc

[Hub1-ike-profile-abc] keychain abc

[Hub1-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub1] ipsec transform-set abc

[Hub1-ipsec-transform-set-abc] encapsulation-mode transport

[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub1-ipsec-transform-set-abc] quit

[Hub1] ipsec profile abc isakmp

[Hub1-ipsec-profile-isakmp-abc] transform-set abc

[Hub1-ipsec-profile-isakmp-abc] ike-profile abc

[Hub1-ipsec-profile-isakmp-abc] quit

(7)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.

[Hub1] interface tunnel 1 mode advpn gre

[Hub1-Tunnel1] ip address 192.168.0.1 24

[Hub1-Tunnel1] vam client Hub1

[Hub1-Tunnel1] ospf network-type p2mp

[Hub1-Tunnel1] source loopback 0

[Hub1-Tunnel1] tunnel protection ipsec profile abc

# Set the OSPF 2 cost of Hub1's private-network tunnel interface to 1, so that traffic between Spokes does not take different forward and return paths.

[Hub1-Tunnel1] ospf cost 1

[Hub1-Tunnel1] quit

(8)     Configure OSPF routing

# Configure the private-network routing information.

[Hub1] ospf 2

[Hub1-ospf-2] area 0

[Hub1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub1-ospf-2-area-0.0.0.0] quit

[Hub1-ospf-2] quit

5. Configure Hub2

(1)     Configure interface IP addresses

# Configure the IP address of each interface according to the network plan, as follows.

<Hub2> system-view

[Hub2] interface gigabitethernet 1/0/1

[Hub2-GigabitEthernet1/0/1] ip address 2.5.1.1 30

[Hub2-GigabitEthernet1/0/1] quit

[Hub2] interface loopback 0

[Hub2-LoopBack0] ip address 2.2.2.2 32

[Hub2-LoopBack0] quit

(2)     Configure public-network OSPF routing

# Configure OSPF 1 to advertise the public-network routes.

[Hub2] ospf 1

[Hub2-ospf-1] area 0

[Hub2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0

[Hub2-ospf-1-area-0.0.0.0] network 2.5.1.1 0.0.0.3

[Hub2-ospf-1-area-0.0.0.0] quit

[Hub2-ospf-1] quit

(3)     Configure public-network IS-IS routing

# Configure IS-IS to advertise the public-network routes.

[Hub2] isis 1

[Hub2-isis-1] network-entity 49.0001.0020.0200.2002.00

[Hub2-isis-1] is-level level-2

[Hub2-isis-1] quit

[Hub2] interface range gigabitethernet 1/0/1 loopback 0

[Hub2-if-range] isis enable 1

[Hub2-if-range] quit

(4)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally on the LSR.

[Hub2] mpls lsr-id 2.2.2.2

[Hub2] mpls ldp

[Hub2-ldp] quit

# Enable MPLS on the interface and enable IPv4 LDP on the interface.

[Hub2] interface gigabitethernet 1/0/1

[Hub2-GigabitEthernet1/0/1] mpls enable

[Hub2-GigabitEthernet1/0/1] mpls ldp enable

[Hub2-GigabitEthernet1/0/1] quit

(5)     Configure the VAM Client

# Create VAM Client Hub2.

[Hub2] vam client name Hub2

# Set the ADVPN domain of the VAM Client to abc.

[Hub2-vam-client-Hub2] advpn-domain abc

# Set the pre-shared key of the VAM Client to 123456.

[Hub2-vam-client-Hub2] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to hub2 and the password to hub2.

[Hub2-vam-client-Hub2] user hub2 password simple hub2

# Configure the IP addresses of the VAM Servers.

[Hub2-vam-client-Hub2] server primary ip-address 6.6.6.6

[Hub2-vam-client-Hub2] server secondary ip-address 7.7.7.7

# Enable the VAM Client function.

[Hub2-vam-client-Hub2] client enable

[Hub2-vam-client-Hub2] quit

(6)     Configure the IPsec profile

# Configure the IKE profile.

[Hub2] ike keychain abc

[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456

[Hub2-ike-keychain-abc] quit

[Hub2] ike profile abc

[Hub2-ike-profile-abc] keychain abc

[Hub2-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub2] ipsec transform-set abc

[Hub2-ipsec-transform-set-abc] encapsulation-mode transport

[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub2-ipsec-transform-set-abc] quit

[Hub2] ipsec profile abc isakmp

[Hub2-ipsec-profile-isakmp-abc] transform-set abc

[Hub2-ipsec-profile-isakmp-abc] ike-profile abc

[Hub2-ipsec-profile-isakmp-abc] quit

(7)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.

[Hub2] interface tunnel 1 mode advpn gre

[Hub2-Tunnel1] ip address 192.168.0.2 24

[Hub2-Tunnel1] vam client Hub2

[Hub2-Tunnel1] ospf network-type p2mp

[Hub2-Tunnel1] source loopback 0

[Hub2-Tunnel1] tunnel protection ipsec profile abc

[Hub2-Tunnel1] quit

(8)     Configure OSPF routing

# Configure the private-network routing information.

[Hub2] ospf 2

[Hub2-ospf-2] area 0

[Hub2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Hub2-ospf-2-area-0.0.0.0] quit

[Hub2-ospf-2] quit

6. Configure Spoke1

(1)     Configure interface IP addresses

# Configure the IP address of each interface according to the network plan, as follows.

<Spoke1> system-view

[Spoke1] interface gigabitethernet 1/0/1

[Spoke1-GigabitEthernet1/0/1] ip address 3.5.1.1 30

[Spoke1-GigabitEthernet1/0/1] quit

[Spoke1] interface gigabitethernet 1/0/2

[Spoke1-GigabitEthernet1/0/2] ip address 192.168.1.1 24

[Spoke1-GigabitEthernet1/0/2] quit

[Spoke1] interface loopback 0

[Spoke1-LoopBack0] ip address 3.3.3.3 32

[Spoke1-LoopBack0] quit

(2)     Configure public-network OSPF routing

# Configure OSPF 1 to advertise the public-network routes.

[Spoke1] ospf 1

[Spoke1-ospf-1] area 0

[Spoke1-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0

[Spoke1-ospf-1-area-0.0.0.0] network 3.5.1.1 0.0.0.3

[Spoke1-ospf-1-area-0.0.0.0] quit

[Spoke1-ospf-1] quit

(3)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally on the LSR.

[Spoke1] mpls lsr-id 3.3.3.3

[Spoke1] mpls ldp

[Spoke1-ldp] quit

# Enable MPLS on the interface and enable IPv4 LDP on the interface.

[Spoke1] interface gigabitethernet 1/0/1

[Spoke1-GigabitEthernet1/0/1] mpls enable

[Spoke1-GigabitEthernet1/0/1] mpls ldp enable

[Spoke1-GigabitEthernet1/0/1] quit

(4)     Configure the VAM Client

# Create VAM Client Spoke1.

[Spoke1] vam client name Spoke1

# Set the ADVPN domain of the VAM Client to abc.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Set the pre-shared key of the VAM Client to 123456.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to spoke1 and the password to spoke1.

[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1

# Configure the IP addresses of the VAM Servers.

[Spoke1-vam-client-Spoke1] server primary ip-address 6.6.6.6

[Spoke1-vam-client-Spoke1] server secondary ip-address 7.7.7.7

# Enable the VAM Client function.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

(5)     Configure the IPsec profile

# Configure the IKE profile.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

(6)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.

[Spoke1] interface tunnel 1 mode advpn gre

[Spoke1-Tunnel1] ip address 192.168.0.3 24

[Spoke1-Tunnel1] vam client Spoke1

[Spoke1-Tunnel1] ospf network-type p2mp

[Spoke1-Tunnel1] ospf dr-priority 0

[Spoke1-Tunnel1] source loopback 0

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

(7)     Configure OSPF routing

# Configure the private-network routing information.

[Spoke1] ospf 2

[Spoke1-ospf-2] area 0

[Spoke1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Spoke1-ospf-2-area-0.0.0.0] network 192.168.1.0 0.0.0.255

[Spoke1-ospf-2-area-0.0.0.0] quit

[Spoke1-ospf-2] quit

7. Configure Spoke2

(1)     Configure interface IP addresses

# Configure the IP address of each interface according to the network plan, as follows.

<Spoke2> system-view

[Spoke2] interface gigabitethernet 1/0/1

[Spoke2-GigabitEthernet1/0/1] ip address 4.5.1.1 30

[Spoke2-GigabitEthernet1/0/1] quit

[Spoke2] interface gigabitethernet 1/0/2

[Spoke2-GigabitEthernet1/0/2] ip address 192.168.2.1 24

[Spoke2-GigabitEthernet1/0/2] quit

[Spoke2] interface loopback 0

[Spoke2-LoopBack0] ip address 4.4.4.4 32

[Spoke2-LoopBack0] quit

(2)     Configure public-network IS-IS routing

# Configure IS-IS to advertise the public-network routes.

[Spoke2] isis 1

[Spoke2-isis-1] network-entity 49.0001.0040.0400.4004.00

[Spoke2-isis-1] is-level level-2

[Spoke2-isis-1] quit

[Spoke2] interface range gigabitethernet 1/0/1 loopback 0

[Spoke2-if-range] isis enable 1

[Spoke2-if-range] quit

(3)     Enable MPLS and LDP

# Configure the LSR ID of this node and enable LDP globally on the LSR.

[Spoke2] mpls lsr-id 4.4.4.4

[Spoke2] mpls ldp

[Spoke2-ldp] quit

# Enable MPLS on the interface and enable IPv4 LDP on the interface.

[Spoke2] interface gigabitethernet 1/0/1

[Spoke2-GigabitEthernet1/0/1] mpls enable

[Spoke2-GigabitEthernet1/0/1] mpls ldp enable

[Spoke2-GigabitEthernet1/0/1] quit

(4)     Configure the VAM Client

# Create VAM Client Spoke2.

[Spoke2] vam client name Spoke2

# Set the ADVPN domain of the VAM Client to abc.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Set the pre-shared key of the VAM Client to 123456.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Set the authentication username of the VAM Client to spoke2 and the password to spoke2.

[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2

# Configure the IP addresses of the VAM Servers.

[Spoke2-vam-client-Spoke2] server primary ip-address 6.6.6.6

[Spoke2-vam-client-Spoke2] server secondary ip-address 7.7.7.7

# Enable the VAM Client function.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

(5)     Configure the IPsec profile

# Configure the IKE profile.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

(6)     Configure the ADVPN tunnel

# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.

[Spoke2] interface tunnel 1 mode advpn gre

[Spoke2-Tunnel1] ip address 192.168.0.4 24

[Spoke2-Tunnel1] vam client Spoke2

[Spoke2-Tunnel1] ospf network-type p2mp

[Spoke2-Tunnel1] ospf dr-priority 0

[Spoke2-Tunnel1] source loopback 0

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit

(7)     Configure OSPF routing

# Configure the private-network routing information.

[Spoke2] ospf 2

[Spoke2-ospf-2] area 0

[Spoke2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255

[Spoke2-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255

[Spoke2-ospf-2-area-0.0.0.0] quit

[Spoke2-ospf-2] quit
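The IPsec steps above chain several objects together on every Hub and Spoke: the tunnel interface references an IPsec profile, the profile references a transform set and an IKE profile, and the IKE profile references a keychain. The following Python script is an added example written for this page, not H3C code. It parses a Comware-style configuration excerpt (constructed, modelled on the Hub1 configuration file in section 1.5.5), checks that the chain resolves for each tunnel interface, and reports the algorithms in use together with the points a reviewer would raise about the settings used in this section: des-cbc and sha1 are legacy algorithms, the keychain accepts the pre-shared key from any peer address (0.0.0.0 0.0.0.0), and key simple keeps the key in plaintext in the configuration file. The hardened variant (aes-cbc-256, sha256, a cipher-form key whose value is a placeholder, and the IKE peer pinned to Hub1's loopback) is also constructed and does not come from the page.

```python
import re

# Constructed excerpt modelled on the Hub1 configuration file in section 1.5.5.
WEAK_CONFIG = """\
#
interface Tunnel1 mode advpn gre
 ip address 192.168.0.1 255.255.255.0
 tunnel protection ipsec profile abc
 vam client Hub1
#
ipsec transform-set abc
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec profile abc isakmp
 transform-set abc
 ike-profile abc
#
ike profile abc
 keychain abc
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
"""

# Hardened variant (constructed): AES-256 / SHA-256, key kept in cipher form
# ($c$3$PLACEHOLDER is not a real ciphertext) and the IKE peer pinned to Hub1's loopback.
HARDENED_CONFIG = (WEAK_CONFIG
                   .replace("des-cbc", "aes-cbc-256").replace("sha1", "sha256")
                   .replace("address 0.0.0.0 0.0.0.0 key simple 123456",
                            "address 1.1.1.1 255.255.255.255 key cipher $c$3$PLACEHOLDER"))

LEGACY_ALGORITHMS = {"des-cbc", "3des-cbc", "md5", "sha1"}
# Object kinds to index: word position of the object name, and the header prefix.
KINDS = {"interface": (1, "interface "), "transform_set": (2, "ipsec transform-set "),
         "ipsec_profile": (2, "ipsec profile "), "ike_profile": (2, "ike profile "),
         "keychain": (2, "ike keychain ")}


def parse_config(text):
    """Index a Comware config ('#'-delimited blocks, one-space indents) as kind -> {name: body}."""
    index, body = {kind: {} for kind in KINDS}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            body = None
        elif raw[0] != " ":                      # a column-0 command opens a block
            body, words = [], raw.split()
            for kind, (pos, prefix) in KINDS.items():
                if raw.startswith(prefix):
                    index[kind][words[pos]] = body
        elif body is not None:
            body.append(raw.strip())
    return index


def first_arg(body, prefix):
    """Word following `prefix` on the first matching line of a block, or None."""
    for line in body or []:
        if line.startswith(prefix + " "):
            return line[len(prefix):].split()[0]
    return None


def audit_ipsec_chain(config_text):
    """Resolve tunnel -> ipsec profile -> transform-set and ike profile -> keychain; list findings."""
    idx = parse_config(config_text)
    report = {}
    for name, body in idx["interface"].items():
        if not name.startswith("Tunnel"):
            continue
        findings = []
        entry = {"ipsec_profile": None, "transform_set": None, "keychain": None,
                 "encryption": None, "integrity": None, "findings": findings}
        report[name] = entry
        prof_name = first_arg(body, "tunnel protection ipsec profile")
        profile = idx["ipsec_profile"].get(prof_name)
        if profile is None:
            findings.append(f"{name}: no resolvable ipsec profile, GRE would run unprotected")
            continue
        entry["ipsec_profile"] = prof_name
        ts_name = first_arg(profile, "transform-set")
        ts = idx["transform_set"].get(ts_name)
        if ts is None:
            findings.append(f"ipsec profile {prof_name}: transform-set {ts_name} not defined")
        else:
            entry["transform_set"] = ts_name
            entry["encryption"] = first_arg(ts, "esp encryption-algorithm")
            entry["integrity"] = first_arg(ts, "esp authentication-algorithm")
            for alg in (entry["encryption"], entry["integrity"]):
                if alg in LEGACY_ALGORITHMS:
                    findings.append(f"transform-set {ts_name}: legacy algorithm {alg}")
        ike = idx["ike_profile"].get(first_arg(profile, "ike-profile"))
        kc_name = first_arg(ike, "keychain")
        kc = idx["keychain"].get(kc_name)
        if kc is None:
            findings.append(f"ipsec profile {prof_name}: ike-profile/keychain does not resolve")
            continue
        entry["keychain"] = kc_name
        for line in kc:
            m = re.match(r"pre-shared-key address (\S+) \S+ key (simple|cipher) ", line)
            if m and m.group(1) == "0.0.0.0":
                findings.append(f"keychain {kc_name}: key accepted from any peer address")
            if m and m.group(2) == "simple":
                findings.append(f"keychain {kc_name}: key stored in plaintext (simple)")
    return report


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for tunnel, entry in audit_ipsec_chain(cfg).items():
            print(label, tunnel, entry["encryption"], entry["integrity"], entry["findings"] or "OK")
```

Run against the settings used in this section the audit returns four findings for Tunnel1; against the hardened variant it returns none. A misspelled or missing object name anywhere in the chain is reported as a dangling reference rather than passing unnoticed, which is the case most worth catching when the same five objects are typed by hand on every Hub and Spoke.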

1.5.4  Verifying the configuration

# Display the IPv4 private address mapping information of all VAM Clients registered with the primary VAM Server.

[Primaryserver]display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.1.1.1                     Hub    No   0H 5M 52S

0          192.168.0.2      2.2.2.2                     Hub    No   0H 4M 34S

0          192.168.0.3      3.3.3.3                     Spoke  No   0H 2M 52S

0          192.168.0.4      4.4.4.4                     Spoke  No   0H 1M 38S

# Display the IPv4 private address mapping information of all VAM Clients registered with the secondary VAM Server.

[Secondaryserver]display vam server address-map

ADVPN domain name: abc

Total private address mappings: 4

Group      Private address  Public address              Type   NAT  Holding time

0          192.168.0.1      1.1.1.1                     Hub    No   0H 6M 19S

0          192.168.0.2      2.2.2.2                     Hub    No   0H 5M 8S

0          192.168.0.3      3.3.3.3                     Spoke  No   0H 3M 35S

0          192.168.0.4      4.4.4.4                     Spoke  No   0H 2M 27S

The output above shows that Hub1, Hub2, Spoke1 and Spoke2 have all registered their address mappings with the VAM Server.

# Display the IPv4 ADVPN tunnel information on Hub1.

[Hub1]display advpn session

Interface         : Tunnel1

Number of sessions: 3

Private address      Public address       Port  Type  State        Holding time

192.168.0.2          2.2.2.2              --    H-H   Success      0H 6M 33S

192.168.0.3          3.3.3.3              --    H-S   Success      0H 4M 50S

192.168.0.4          4.4.4.4              --    H-S   Success      0H 3M 36S

The output above shows that Hub1 has established permanent tunnels with Hub2, Spoke1 and Spoke2. The output on Hub2 is similar to that on Hub1.

# Display the IPv4 ADVPN tunnel information on Spoke1.

[Spoke1]display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address      Public address       Port  Type  State        Holding time

192.168.0.1          1.1.1.1              --    S-H   Success      0H 5M 25S

192.168.0.2          2.2.2.2              --    S-H   Success      0H 5M 25S

The output above shows that Spoke1 has established permanent Hub-Spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar to that on Spoke1.

# Ping the private address 192.168.2.1 of Spoke2 from Spoke1.

[Spoke1]ping -a 192.168.1.1 192.168.2.1

Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break

56 bytes from 192.168.2.1: icmp_seq=0 ttl=254 time=2.000 ms

56 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=1.000 ms

56 bytes from 192.168.2.1: icmp_seq=2 ttl=254 time=2.000 ms

56 bytes from 192.168.2.1: icmp_seq=3 ttl=254 time=3.000 ms

56 bytes from 192.168.2.1: icmp_seq=4 ttl=254 time=2.000 ms

 

--- Ping statistics for 192.168.2.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/2.000/3.000/0.632 ms

# Display the IPv4 ADVPN tunnel information on Spoke1. No temporary IPv4 ADVPN tunnel to Spoke2 has been created, which shows that the traffic is forwarded through the Hubs.

[Spoke1]display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address      Public address       Port  Type  State        Holding time

192.168.0.1          1.1.1.1              --    S-H   Success      0H 7M 43S

192.168.0.2          2.2.2.2              --    S-H   Success      0H 7M 43S

The output on Spoke2 is similar to that on Spoke1.
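The checks in this section are made by reading the display output by eye. The following Python script is an added example, not H3C code; it turns them into assertions by parsing the display vam server address-map and display advpn session output (constructed samples in the same layout as the output above) and verifying that exactly the expected Hubs and Spokes are registered with the right role, that a Spoke holds a Success S-H session to every Hub, and that no spoke-to-spoke (S-S) session exists, which in the Hub-Spoke design of this section would mean traffic is no longer passing through the Hubs. The expected address lists come from Table 1-4; the degraded sample is constructed to show what a failed check reports.

```python
import re

# Constructed output in the shape of the display commands shown in section 1.5.4.
ADDRESS_MAP = """\
ADVPN domain name: abc
Total private address mappings: 4
Group      Private address  Public address              Type   NAT  Holding time
0          192.168.0.1      1.1.1.1                     Hub    No   0H 5M 52S
0          192.168.0.2      2.2.2.2                     Hub    No   0H 4M 34S
0          192.168.0.3      3.3.3.3                     Spoke  No   0H 2M 52S
0          192.168.0.4      4.4.4.4                     Spoke  No   0H 1M 38S
"""

SPOKE1_SESSIONS = """\
Interface         : Tunnel1
Number of sessions: 2
Private address      Public address       Port  Type  State        Holding time
192.168.0.1          1.1.1.1              --    S-H   Success      0H 5M 25S
192.168.0.2          2.2.2.2              --    S-H   Success      0H 5M 25S
"""

# Constructed degraded case: the session to Hub2 is gone and a spoke-to-spoke session
# has appeared, which the Hub-Spoke design in this section should never show.
SPOKE1_SESSIONS_DEGRADED = """\
Interface         : Tunnel1
Number of sessions: 2
Private address      Public address       Port  Type  State        Holding time
192.168.0.1          1.1.1.1              --    S-H   Success      0H 5M 25S
192.168.0.4          4.4.4.4              --    S-S   Success      0H 0M 12S
"""

EXPECTED_HUBS = ["192.168.0.1", "192.168.0.2"]      # from Table 1-4
EXPECTED_SPOKES = ["192.168.0.3", "192.168.0.4"]

MAP_ROW = re.compile(r"(\d+)\s+(\S+)\s+(\S+)\s+(Hub|Spoke)\s+(Yes|No)\s+")
SESSION_ROW = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+([HS]-[HS])\s+(\S+)\s+")


def parse_address_map(text):
    """Rows of the VAM Server address map: group, private, public, type, nat."""
    rows = []
    for line in text.splitlines():
        m = MAP_ROW.match(line)
        if m:
            rows.append({"group": int(m.group(1)), "private": m.group(2),
                         "public": m.group(3), "type": m.group(4), "nat": m.group(5) == "Yes"})
    return rows


def parse_sessions(text):
    """Rows of display advpn session: private, public, type (H-H/H-S/S-H/S-S), state."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_ROW.match(line)
        if m:
            sessions.append({"private": m.group(1), "public": m.group(2),
                             "type": m.group(4), "state": m.group(5)})
    return sessions


def check_registrations(text, hubs, spokes):
    """Problems list; empty when exactly the expected nodes are registered with the right role."""
    rows, problems = parse_address_map(text), []
    total = re.search(r"Total private address mappings: (\d+)", text)
    if total and int(total.group(1)) != len(rows):
        problems.append(f"header reports {total.group(1)} mappings but {len(rows)} rows parsed")
    role = {r["private"]: r["type"] for r in rows}
    problems += [f"hub {a} not registered as Hub" for a in hubs if role.get(a) != "Hub"]
    problems += [f"spoke {a} not registered as Spoke" for a in spokes if role.get(a) != "Spoke"]
    problems += [f"unexpected node {a} registered" for a in role if a not in hubs + spokes]
    return problems


def check_spoke_sessions(text, hubs):
    """A Spoke in Hub-Spoke mode must hold a Success S-H session to every Hub and no S-S session."""
    sessions, problems = parse_sessions(text), []
    by_peer = {s["private"]: s for s in sessions}
    for hub in hubs:
        s = by_peer.get(hub)
        if s is None:
            problems.append(f"no session to hub {hub}")
        elif s["type"] != "S-H" or s["state"] != "Success":
            problems.append(f"session to hub {hub} is {s['type']}/{s['state']}")
    problems += [f"unexpected spoke-to-spoke session with {s['private']}"
                 for s in sessions if s["type"] == "S-S"]
    return problems


if __name__ == "__main__":
    print(check_registrations(ADDRESS_MAP, EXPECTED_HUBS, EXPECTED_SPOKES) or "registrations OK")
    print(check_spoke_sessions(SPOKE1_SESSIONS, EXPECTED_HUBS) or "Spoke1 sessions OK")
    print(check_spoke_sessions(SPOKE1_SESSIONS_DEGRADED, EXPECTED_HUBS))
```

The same two checks apply unchanged to the secondary VAM Server's address map and to Spoke2's session table; feeding them the output captured after the ping in this section confirms, rather than assumes, that the traffic went through the Hubs.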

1.5.5  Configuration files

1. Primary server

#

isis 1

 is-level level-2

 network-entity 49.0001.0060.0600.6006.00

#

ospf 1

 area 0.0.0.0

  network 5.6.1.0 0.0.0.255

  network 6.6.6.6 0.0.0.0

#

 mpls lsr-id 6.6.6.6

#

mpls ldp

#

interface LoopBack0

 ip address 6.6.6.6 255.255.255.255

 isis enable 1

#

interface GigabitEthernet1/0/1

 ip address 5.6.1.3 255.255.255.0

 isis enable 1

 mpls enable

 mpls ldp enable

#

 radius session-control enable

#

radius scheme abc

 primary authentication 5.6.1.2

 primary accounting 5.6.1.2

 key authentication simple 123

 key accounting simple 123

 user-name-format without-domain

#

domain abc

 authentication advpn radius-scheme abc

 accounting advpn radius-scheme abc

#

 domain default enable abc

#

vam server advpn-domain abc id 1

 pre-shared-key simple 123456

 server enable

 hub-group 0

  hub private-address 192.168.0.1

  hub private-address 192.168.0.2

  spoke private-address range 192.168.0.0 192.168.0.255

#

2. Secondary server

#

isis 1

 is-level level-2

 network-entity 49.0001.0070.0700.7007.00

#

ospf 1

 area 0.0.0.0

  network 5.6.1.0 0.0.0.255

  network 7.7.7.7 0.0.0.0

#

 mpls lsr-id 7.7.7.7

#

mpls ldp

#

interface LoopBack0

 ip address 7.7.7.7 255.255.255.255

 isis enable 1

#

interface GigabitEthernet1/0/1

 ip address 5.6.1.4 255.255.255.0

 isis enable 1

 mpls enable

 mpls ldp enable

#

 radius session-control enable

#

radius scheme abc

 primary authentication 5.6.1.2

 primary accounting 5.6.1.2

 key authentication simple 123

 key accounting simple 123

 user-name-format without-domain

#

domain abc

 authentication advpn radius-scheme abc

 accounting advpn radius-scheme abc

#

 domain default enable abc

#

vam server advpn-domain abc id 1

 pre-shared-key simple 123456

 server enable

 hub-group 0

  hub private-address 192.168.0.1

  hub private-address 192.168.0.2

  spoke private-address range 192.168.0.0 192.168.0.255

#

3. Router
#
isis 1
 is-level level-2
 network-entity 49.0001.0050.0500.5005.00
#
ospf 1
 area 0.0.0.0
  network 1.5.1.0 0.0.0.3
  network 2.5.1.0 0.0.0.3
  network 3.5.1.0 0.0.0.3
  network 5.5.5.5 0.0.0.0
  network 5.6.1.0 0.0.0.255
#
 mpls lsr-id 5.5.5.5
#
mpls ldp
#
interface LoopBack0
 ip address 5.5.5.5 255.255.255.255
 isis enable 1
#
interface GigabitEthernet1/0/1
 ip address 1.5.1.2 255.255.255.252
 isis enable 1
 mpls enable
 mpls ldp enable
#
interface GigabitEthernet1/0/2
 ip address 2.5.1.2 255.255.255.252
 isis enable 1
 mpls enable
 mpls ldp enable
#
interface GigabitEthernet1/0/3
 ip address 3.5.1.2 255.255.255.252
 mpls enable
 mpls ldp enable
#
interface GigabitEthernet1/0/4
 ip address 4.5.1.2 255.255.255.252
 isis enable 1
 mpls enable
 mpls ldp enable
#
interface GigabitEthernet1/0/5
 ip address 5.6.1.1 255.255.255.0
 isis enable 1
 mpls enable
 mpls ldp enable
#

4. Hub1
#
isis 1
 is-level level-2
 network-entity 49.0001.0010.0100.1001.00
#
ospf 1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 1.5.1.0 0.0.0.3
#
ospf 2
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
#
 mpls lsr-id 1.1.1.1
#
mpls ldp
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 isis enable 1
#
interface GigabitEthernet1/0/1
 ip address 1.5.1.1 255.255.255.252
 isis enable 1
 mpls enable
 mpls ldp enable
#
interface Tunnel1 mode advpn gre
 ip address 192.168.0.1 255.255.255.0
 ospf cost 1
 ospf network-type p2mp
 source LoopBack0
 tunnel protection ipsec profile abc
 vam client Hub1
#
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec profile abc isakmp
 transform-set abc
 ike-profile abc
#
ike profile abc
 keychain abc
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
 advpn-domain abc
 server primary ip-address 6.6.6.6
 server secondary ip-address 7.7.7.7
 pre-shared-key simple 123456
 user hub1 password simple hub1
 client enable
#

5. Hub2
#
isis 1
 is-level level-2
 network-entity 49.0001.0020.0200.2002.00
#
ospf 1
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 2.5.1.0 0.0.0.3
#
ospf 2
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
#
 mpls lsr-id 2.2.2.2
#
mpls ldp
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
 isis enable 1
#
interface GigabitEthernet1/0/1
 ip address 2.5.1.1 255.255.255.252
 isis enable 1
 mpls enable
 mpls ldp enable
#
interface Tunnel1 mode advpn gre
 ip address 192.168.0.2 255.255.255.0
 ospf network-type p2mp
 source LoopBack0
 tunnel protection ipsec profile abc
 vam client Hub2
#
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec profile abc isakmp
 transform-set abc
 ike-profile abc
#
ike profile abc
 keychain abc
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub2
 advpn-domain abc
 server primary ip-address 6.6.6.6
 server secondary ip-address 7.7.7.7
 pre-shared-key simple 123456
 user hub2 password simple hub2
 client enable
#

6. Spoke1
#
ospf 1
 area 0.0.0.0
  network 3.3.3.3 0.0.0.0
  network 3.5.1.0 0.0.0.3
#
ospf 2
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#
 mpls lsr-id 3.3.3.3
#
mpls ldp
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet1/0/1
 ip address 3.5.1.1 255.255.255.252
 mpls enable
 mpls ldp enable
#
interface GigabitEthernet1/0/2
 ip address 192.168.1.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
 ip address 192.168.0.3 255.255.255.0
 ospf network-type p2mp
 ospf dr-priority 0
 source LoopBack0
 tunnel protection ipsec profile abc
 vam client Spoke1
#
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec profile abc isakmp
 transform-set abc
 ike-profile abc
#
ike profile abc
 keychain abc
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke1
 advpn-domain abc
 server primary ip-address 6.6.6.6
 server secondary ip-address 7.7.7.7
 pre-shared-key simple 123456
 user spoke1 password simple spoke1
 client enable
#

7. Spoke2
#
isis 1
 is-level level-2
 network-entity 49.0001.0040.0400.4004.00
#
ospf 2
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
 mpls lsr-id 4.4.4.4
#
mpls ldp
#
interface LoopBack0
 ip address 4.4.4.4 255.255.255.255
 isis enable 1
#
interface GigabitEthernet1/0/1
 ip address 4.5.1.1 255.255.255.252
 isis enable 1
 mpls enable
 mpls ldp enable
#
interface GigabitEthernet1/0/2
 ip address 192.168.2.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
 ip address 192.168.0.4 255.255.255.0
 ospf network-type p2mp
 ospf dr-priority 0
 source LoopBack0
 tunnel protection ipsec profile abc
 vam client Spoke2
#
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec profile abc isakmp
 transform-set abc
 ike-profile abc
#
ike profile abc
 keychain abc
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke2
 advpn-domain abc
 server primary ip-address 6.6.6.6
 server secondary ip-address 7.7.7.7
 pre-shared-key simple 123456
 user spoke2 password simple spoke2
 client enable
#
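The transform sets and keychains in these configurations use des-cbc, bind one plaintext ("simple") IKE pre-shared key to any peer address (0.0.0.0 0.0.0.0), and store the RADIUS and VAM secrets in plaintext, which is fine for a lab example but not for a production MPLS over ADVPN deployment. As an added example that is not part of the H3C document, the Python audit below walks a Comware-style configuration dump (blocks delimited by "#" lines) and reports those settings; the sample configuration is constructed from fragments on this page, and the replacement keywords named in the findings (an AES transform, the cipher key form) are assumptions to confirm against the release's command reference.

```python
import re

# Constructed sample: IPsec, IKE, RADIUS and VAM fragments taken from the spoke config above.
SAMPLE_CONFIG = """\
#
radius scheme abc
 key authentication simple 123
#
ipsec transform-set abc
 esp encryption-algorithm des-cbc
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke1
 pre-shared-key simple 123456
 user spoke1 password simple spoke1
#
"""
# Each rule is a regex over one config line plus the finding it reports.
RULES = [
    (re.compile(r"esp encryption-algorithm (des-cbc|3des-cbc|null)\b"),
     "weak or null ESP cipher (56-bit DES is brute-forceable); use an AES transform"),
    (re.compile(r"pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 "),
     "IKE pre-shared key accepted from any peer address; one key shared by every peer"),
    (re.compile(r"\b(key|password|pre-shared-key)\b.*\bsimple \S+"),
     "plaintext ('simple') secret stored in the config; use the cipher form"),
]

def split_blocks(config):
    """Split a Comware-style dump into blocks, each a list of its non-empty lines."""
    blocks, current = [], []
    for line in config.splitlines() + ["#"]:  # sentinel closes the last block
        if line.strip() == "#":
            if current:
                blocks.append(current)
            current = []
        elif line.strip():
            current.append(line.rstrip())
    return blocks

def audit(config):
    """Return one finding per matching line, tagged with the header of its block."""
    findings = []
    for block in split_blocks(config):
        for line in block[1:]:  # block[0] is the section header, e.g. 'ike keychain abc'
            for pattern, message in RULES:
                if pattern.search(line):
                    findings.append({"section": block[0], "line": line.strip(), "issue": message})
    return findings
```

Running audit(SAMPLE_CONFIG) yields six findings: the RADIUS key, the DES transform, two for the wildcard plaintext IKE key, and the VAM pre-shared key and user password.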
