03-H3C MSR Series Routers: MPLS over ADVPN Configuration Examples
ADVPN over MPLS Configuration Examples
Copyright © 2024 bobty下载软件. All rights reserved.
No part of this document may be excerpted, reproduced, or distributed in any form without the prior written permission of the company.
Except for the trademarks of bobty下载软件, the trademarks, product identifiers, and product names of other companies that appear in this manual belong to their respective owners.
The information in this document is subject to change without notice.
1.2 Full-Mesh ADVPN over MPLS Configuration Example (Routing Application)
1.3 Hub-Spoke ADVPN over MPLS Configuration Example (Routing Application)
1.4 Full-Mesh ADVPN over MPLS Configuration Example (Security Application)
1.5 Hub-Spoke ADVPN over MPLS Configuration Example (Security Application)
MPLS (Multiprotocol Label Switching) is a widely deployed backbone network technology. MPLS brings connection-oriented label switching into the connectionless IP network, combining Layer 3 routing with Layer 2 switching so that it gains both the flexibility of IP routing and the simplicity of Layer 2 switching.
LDP (Label Distribution Protocol) establishes LSPs dynamically. Through LDP, an LSR maps network-layer IP routing information onto MPLS label switched paths.
ADVPN (Auto Discovery Virtual Private Network) is a dynamic VPN technology based on the VAM (VPN Address Management) protocol.
With ADVPN over MPLS, enterprise branches that attach to an MPLS LDP public network with dynamically assigned addresses can use ADVPN to build VPNs among themselves.
This configuration example was configured and verified on an MSR3610-X1 router running Release 6749.
· Hub, Spoke, Router, and Server establish LSPs dynamically through MPLS LDP, so that traffic between the loopback addresses of these devices is carried over MPLS.
· In the IPv4 full-mesh network, the primary and secondary VAM servers manage and maintain the information of every node; the AAA server authenticates VAM clients and handles their accounting; the two hubs back each other up and are responsible for forwarding data and exchanging routing information.
· Permanent ADVPN tunnels are established between each spoke and the hubs.
· Within the same ADVPN domain, any two spokes dynamically establish an ADVPN tunnel between them when there is traffic to exchange.
Table 1-1 Interface addresses in the IPv4 Full-Mesh ADVPN over MPLS network

Device | Interface | IP address
Hub 1 | GE1/0/1 | 1.5.1.1/30
Hub 1 | Loopback0 | 1.1.1.1/32
Hub 1 | Tunnel1 | 192.168.0.1/24
Hub 2 | GE1/0/1 | 2.5.1.1/30
Hub 2 | Loopback0 | 2.2.2.2/32
Hub 2 | Tunnel1 | 192.168.0.2/24
Router | GE1/0/1 | 1.5.1.2/30
Router | GE1/0/2 | 2.5.1.2/30
Router | GE1/0/3 | 3.5.1.2/30
Router | GE1/0/4 | 4.5.1.2/30
Router | GE1/0/5 | 5.6.1.1/24
Router | Loopback0 | 5.5.5.5/32
AAA server | - | 5.6.1.2/24
Spoke 1 | GE1/0/1 | 3.5.1.1/30
Spoke 1 | Loopback0 | 3.3.3.3/32
Spoke 1 | Tunnel1 | 192.168.0.3/24
Spoke 1 | GE1/0/2 | 192.168.1.1/24
Spoke 2 | GE1/0/1 | 4.5.1.1/30
Spoke 2 | Loopback0 | 4.4.4.4/32
Spoke 2 | Tunnel1 | 192.168.0.4/24
Spoke 2 | GE1/0/2 | 192.168.2.1/24
Primary server | GE1/0/1 | 5.6.1.3/24
Primary server | Loopback0 | 6.6.6.6/32
Secondary server | GE1/0/1 | 5.6.1.4/24
Secondary server | Loopback0 | 7.7.7.7/32
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Primary server> system-view
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] ip address 5.6.1.3 24
[Primary server-GigabitEthernet1/0/1] quit
[Primary server] interface loopback 0
[Primary server-LoopBack0] ip address 6.6.6.6 32
[Primary server-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Primary server] ospf 1
[Primary server-ospf-1] area 0
[Primary server-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0
[Primary server-ospf-1-area-0.0.0.0] network 5.6.1.3 0.0.0.255
[Primary server-ospf-1-area-0.0.0.0] quit
[Primary server-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Primary server] mpls lsr-id 6.6.6.6
[Primary server] mpls ldp
[Primary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] mpls enable
[Primary server-GigabitEthernet1/0/1] mpls ldp enable
[Primary server-GigabitEthernet1/0/1] quit
(4) Configure AAA authentication
# Configure a RADIUS scheme.
[Primary server] radius scheme abc
[Primary server-radius-abc] primary authentication 5.6.1.2 1812
[Primary server-radius-abc] primary accounting 5.6.1.2 1813
[Primary server-radius-abc] key authentication simple 123
[Primary server-radius-abc] key accounting simple 123
[Primary server-radius-abc] user-name-format without-domain
[Primary server-radius-abc] quit
[Primary server] radius session-control enable
# Configure the AAA methods of the ISP domain.
[Primary server] domain abc
[Primary server-isp-abc] authentication advpn radius-scheme abc
[Primary server-isp-abc] accounting advpn radius-scheme abc
[Primary server-isp-abc] quit
[Primary server] domain default enable abc
(5) Configure the VAM server
# Create ADVPN domain abc.
[Primary server] vam server advpn-domain abc id 1
# Create hub group 0.
[Primary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the hubs in the hub group.
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the spokes in the hub group.
[Primary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Primary server-vam-server-domain-abc-hub-group-0] quit
# Set the VAM server pre-shared key to 123456.
[Primary server-vam-server-domain-abc] pre-shared-key simple 123456
# Authenticate VAM clients with CHAP.
[Primary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM server for this ADVPN domain.
[Primary server-vam-server-domain-abc] server enable
[Primary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Secondary server> system-view
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] ip address 5.6.1.4 24
[Secondary server-GigabitEthernet1/0/1] quit
[Secondary server] interface loopback 0
[Secondary server-LoopBack0] ip address 7.7.7.7 32
[Secondary server-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Secondary server] ospf 1
[Secondary server-ospf-1] area 0
[Secondary server-ospf-1-area-0.0.0.0] network 7.7.7.7 0.0.0.0
[Secondary server-ospf-1-area-0.0.0.0] network 5.6.1.4 0.0.0.255
[Secondary server-ospf-1-area-0.0.0.0] quit
[Secondary server-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Secondary server] mpls lsr-id 7.7.7.7
[Secondary server] mpls ldp
[Secondary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] mpls enable
[Secondary server-GigabitEthernet1/0/1] mpls ldp enable
[Secondary server-GigabitEthernet1/0/1] quit
(4) Configure AAA authentication
# Configure a RADIUS scheme.
[Secondary server] radius scheme abc
[Secondary server-radius-abc] primary authentication 5.6.1.2 1812
[Secondary server-radius-abc] primary accounting 5.6.1.2 1813
[Secondary server-radius-abc] key authentication simple 123
[Secondary server-radius-abc] key accounting simple 123
[Secondary server-radius-abc] user-name-format without-domain
[Secondary server-radius-abc] quit
[Secondary server] radius session-control enable
# Configure the AAA methods of the ISP domain.
[Secondary server] domain abc
[Secondary server-isp-abc] authentication advpn radius-scheme abc
[Secondary server-isp-abc] accounting advpn radius-scheme abc
[Secondary server-isp-abc] quit
[Secondary server] domain default enable abc
(5) Configure the VAM server
# Create ADVPN domain abc.
[Secondary server] vam server advpn-domain abc id 1
# Create hub group 0.
[Secondary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the hubs in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the spokes in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Secondary server-vam-server-domain-abc-hub-group-0] quit
# Set the VAM server pre-shared key to 123456.
[Secondary server-vam-server-domain-abc] pre-shared-key simple 123456
# Authenticate VAM clients with CHAP.
[Secondary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM server for this ADVPN domain.
[Secondary server-vam-server-domain-abc] server enable
[Secondary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 1.5.1.2 30
[Router-GigabitEthernet1/0/1] quit
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip address 2.5.1.2 30
[Router-GigabitEthernet1/0/2] quit
[Router] interface gigabitethernet 1/0/3
[Router-GigabitEthernet1/0/3] ip address 3.5.1.2 30
[Router-GigabitEthernet1/0/3] quit
[Router] interface gigabitethernet 1/0/4
[Router-GigabitEthernet1/0/4] ip address 4.5.1.2 30
[Router-GigabitEthernet1/0/4] quit
[Router] interface gigabitethernet 1/0/5
[Router-GigabitEthernet1/0/5] ip address 5.6.1.1 24
[Router-GigabitEthernet1/0/5] quit
[Router] interface loopback 0
[Router-LoopBack0] ip address 5.5.5.5 32
[Router-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Router] ospf 1
[Router-ospf-1] area 0
[Router-ospf-1-area-0.0.0.0] network 1.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 2.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 3.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 4.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 5.6.1.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Router] mpls lsr-id 5.5.5.5
[Router] mpls ldp
[Router-ldp] quit
# Enable MPLS and IPv4 LDP on the interfaces.
[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5
[Router-if-range] mpls enable
[Router-if-range] mpls ldp enable
[Router-if-range] quit
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Hub1> system-view
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] ip address 1.5.1.1 30
[Hub1-GigabitEthernet1/0/1] quit
[Hub1] interface loopback 0
[Hub1-LoopBack0] ip address 1.1.1.1 32
[Hub1-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[Hub1-ospf-1-area-0.0.0.0] network 1.5.1.1 0.0.0.3
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Hub1] mpls lsr-id 1.1.1.1
[Hub1] mpls ldp
[Hub1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] mpls enable
[Hub1-GigabitEthernet1/0/1] mpls ldp enable
[Hub1-GigabitEthernet1/0/1] quit
(4) Configure the VAM client
# Create VAM client Hub1.
[Hub1] vam client name Hub1
# Assign the VAM client to ADVPN domain abc.
[Hub1-vam-client-Hub1] advpn-domain abc
# Set the VAM client pre-shared key to 123456.
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
# Set the VAM client authentication username to hub1 and the password to hub1.
[Hub1-vam-client-Hub1] user hub1 password simple hub1
# Specify the VAM server IP addresses.
[Hub1-vam-client-Hub1] server primary ip-address 6.6.6.6
[Hub1-vam-client-Hub1] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit
(5) Configure an IPsec profile
# Configure an IKE profile.
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# Configure the IPsec profile.
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure Tunnel1 as a GRE-encapsulated IPv4 ADVPN tunnel interface.
[Hub1] interface tunnel 1 mode advpn gre
[Hub1-Tunnel1] ip address 192.168.0.1 24
[Hub1-Tunnel1] vam client Hub1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] source loopback 0
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] quit
(7) Configure OSPF routing
# Configure private-network routing.
[Hub1] ospf 2
[Hub1-ospf-2] area 0
[Hub1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-2-area-0.0.0.0] quit
[Hub1-ospf-2] quit
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Hub2> system-view
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] ip address 2.5.1.1 30
[Hub2-GigabitEthernet1/0/1] quit
[Hub2] interface loopback 0
[Hub2-LoopBack0] ip address 2.2.2.2 32
[Hub2-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[Hub2-ospf-1-area-0.0.0.0] network 2.5.1.1 0.0.0.3
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Hub2] mpls lsr-id 2.2.2.2
[Hub2] mpls ldp
[Hub2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] mpls enable
[Hub2-GigabitEthernet1/0/1] mpls ldp enable
[Hub2-GigabitEthernet1/0/1] quit
(4) Configure the VAM client
# Create VAM client Hub2.
[Hub2] vam client name Hub2
# Assign the VAM client to ADVPN domain abc.
[Hub2-vam-client-Hub2] advpn-domain abc
# Set the VAM client pre-shared key to 123456.
[Hub2-vam-client-Hub2] pre-shared-key simple 123456
# Set the VAM client authentication username to hub2 and the password to hub2.
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# Specify the VAM server IP addresses.
[Hub2-vam-client-Hub2] server primary ip-address 6.6.6.6
[Hub2-vam-client-Hub2] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
(5) Configure an IPsec profile
# Configure an IKE profile.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# Configure the IPsec profile.
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure Tunnel1 as a GRE-encapsulated IPv4 ADVPN tunnel interface.
[Hub2] interface tunnel 1 mode advpn gre
[Hub2-Tunnel1] ip address 192.168.0.2 24
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] source loopback 0
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit
(7) Configure OSPF routing
# Configure private-network routing.
[Hub2] ospf 2
[Hub2-ospf-2] area 0
[Hub2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-2-area-0.0.0.0] quit
[Hub2-ospf-2] quit
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Spoke1> system-view
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] ip address 3.5.1.1 30
[Spoke1-GigabitEthernet1/0/1] quit
[Spoke1] interface gigabitethernet 1/0/2
[Spoke1-GigabitEthernet1/0/2] ip address 192.168.1.1 24
[Spoke1-GigabitEthernet1/0/2] quit
[Spoke1] interface loopback 0
[Spoke1-LoopBack0] ip address 3.3.3.3 32
[Spoke1-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Spoke1] ospf 1
[Spoke1-ospf-1] area 0
[Spoke1-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 3.5.1.1 0.0.0.3
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Spoke1] mpls lsr-id 3.3.3.3
[Spoke1] mpls ldp
[Spoke1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] mpls enable
[Spoke1-GigabitEthernet1/0/1] mpls ldp enable
[Spoke1-GigabitEthernet1/0/1] quit
(4) Configure the VAM client
# Create VAM client Spoke1.
[Spoke1] vam client name Spoke1
# Assign the VAM client to ADVPN domain abc.
[Spoke1-vam-client-Spoke1] advpn-domain abc
# Set the VAM client pre-shared key to 123456.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# Set the VAM client authentication username to spoke1 and the password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Specify the VAM server IP addresses.
[Spoke1-vam-client-Spoke1] server primary ip-address 6.6.6.6
[Spoke1-vam-client-Spoke1] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
(5) Configure an IPsec profile
# Configure an IKE profile.
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# Configure the IPsec profile.
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure Tunnel1 as a GRE-encapsulated IPv4 ADVPN tunnel interface.
[Spoke1] interface tunnel 1 mode advpn gre
[Spoke1-Tunnel1] ip address 192.168.0.3 24
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source loopback 0
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit
(7) Configure OSPF routing
# Configure private-network routing.
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] quit
[Spoke1-ospf-2] quit
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Spoke2> system-view
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] ip address 4.5.1.1 30
[Spoke2-GigabitEthernet1/0/1] quit
[Spoke2] interface gigabitethernet 1/0/2
[Spoke2-GigabitEthernet1/0/2] ip address 192.168.2.1 24
[Spoke2-GigabitEthernet1/0/2] quit
[Spoke2] interface loopback 0
[Spoke2-LoopBack0] ip address 4.4.4.4 32
[Spoke2-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Spoke2] ospf 1
[Spoke2-ospf-1] area 0
[Spoke2-ospf-1-area-0.0.0.0] network 4.4.4.4 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 4.5.1.1 0.0.0.3
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Spoke2] mpls lsr-id 4.4.4.4
[Spoke2] mpls ldp
[Spoke2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] mpls enable
[Spoke2-GigabitEthernet1/0/1] mpls ldp enable
[Spoke2-GigabitEthernet1/0/1] quit
(4) Configure the VAM client
# Create VAM client Spoke2.
[Spoke2] vam client name Spoke2
# Assign the VAM client to ADVPN domain abc.
[Spoke2-vam-client-Spoke2] advpn-domain abc
# Set the VAM client pre-shared key to 123456.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# Set the VAM client authentication username to spoke2 and the password to spoke2.
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# Specify the VAM server IP addresses.
[Spoke2-vam-client-Spoke2] server primary ip-address 6.6.6.6
[Spoke2-vam-client-Spoke2] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
(5) Configure an IPsec profile
# Configure an IKE profile.
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# Configure the IPsec profile.
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure Tunnel1 as a GRE-encapsulated IPv4 ADVPN tunnel interface.
[Spoke2] interface tunnel 1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 24
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] source loopback 0
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit
(7) Configure OSPF routing
# Configure private-network routing.
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] quit
[Spoke2-ospf-2] quit
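Before the configuration above goes into production, a reviewer would want to audit the security-relevant settings it contains and check the configured prefixes against the address plan. The following Python script is an added example, not part of the H3C document: it parses Comware-style running configuration in the "#"-separated layout the example's configuration files use, flags the DES-CBC ESP cipher, the IKE pre-shared key bound to any peer address, secrets entered with the simple keyword and any ADVPN tunnel lacking tunnel protection, and compares interface prefixes with a plan dictionary built from Table 1-1. The configuration snippets and the plan dictionary are constructed for the example; ROUTER_CONFIG deliberately carries the /30 mask on GigabitEthernet1/0/5 where the plan says /24, so the mismatch check has something to find.

```python
import re
from ipaddress import ip_interface

# Constructed samples in the '#'-separated running-configuration layout of the
# example's configuration files (H3C Comware). HUB_CONFIG is trimmed from the
# Hub1 file; ROUTER_CONFIG carries a /30 mask where Table 1-1 plans /24.
HUB_CONFIG = """\
#
interface Tunnel1 mode advpn gre
 ip address 192.168.0.1 255.255.255.0
 source LoopBack0
 tunnel protection ipsec profile abc
 vam client Hub1
#
ipsec transform-set abc
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
 pre-shared-key simple 123456
 user hub1 password simple hub1
#
"""
ROUTER_CONFIG = """\
#
interface GigabitEthernet1/0/5
 ip address 5.6.1.1 255.255.255.252
 mpls enable
#
"""
# Planned prefixes from Table 1-1 (device -> interface -> address/prefix).
PLAN = {"Router": {"GigabitEthernet1/0/5": "5.6.1.1/24"}}

# Ciphers a reviewer would not accept in a new ESP transform set.
WEAK_ESP_CIPHERS = {"des-cbc", "3des-cbc", "null"}


def sections(config):
    """Split a Comware configuration into (header line, body lines) per '#' block."""
    result = []
    for block in config.split("#"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines:
            result.append((lines[0], lines[1:]))
    return result


def audit(config):
    """Return (section header, issue) pairs for settings worth a reviewer's attention."""
    findings = []
    for header, body in sections(config):
        # An ADVPN tunnel without 'tunnel protection' carries GRE in the clear.
        if header.startswith("interface Tunnel") and "advpn" in header:
            if not any(ln.startswith("tunnel protection ipsec") for ln in body):
                findings.append((header, "ADVPN tunnel without IPsec protection"))
        for ln in body:
            if header.startswith("ipsec transform-set"):
                m = re.match(r"esp encryption-algorithm (\S+)", ln)
                if m and m.group(1) in WEAK_ESP_CIPHERS:
                    findings.append((header, "weak ESP cipher " + m.group(1)))
            # One key for any peer address is what dynamic spoke addresses
            # require, but it means every node shares the same IKE secret.
            if header.startswith("ike keychain") and re.search(
                    r"address 0\.0\.0\.0 (0|0\.0\.0\.0)(\s|$)", ln):
                findings.append((header, "IKE pre-shared key shared by any peer address"))
            # 'simple' supplies the secret in plaintext, and the example's
            # configuration files show it stored in that form.
            if " simple " in ln:
                findings.append((header, "plaintext secret: " + ln.split(" simple ")[0]))
    return findings


def plan_mismatches(device, config, plan):
    """Compare each configured 'ip address' with the planned prefix for that interface."""
    mismatches = []
    for header, body in sections(config):
        if not header.startswith("interface "):
            continue
        name = header.split()[1]
        for ln in body:
            m = re.match(r"ip address (\S+) (\S+)$", ln)
            if m and name in plan.get(device, {}):
                got = ip_interface(m.group(1) + "/" + m.group(2))  # dotted mask accepted
                want = ip_interface(plan[device][name])
                if got != want:
                    mismatches.append((name, str(got), str(want)))
    return mismatches


if __name__ == "__main__":
    print(audit(HUB_CONFIG))
    print(plan_mismatches("Router", ROUTER_CONFIG, PLAN))
```

Run it against the output of display current-configuration from each device to get the same two lists for the real configuration.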
# Display the IPv4 private address mappings of all VAM clients registered with the primary VAM server.
[Primaryserver] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 10M 30S
0 192.168.0.2 2.2.2.2 Hub No 0H 10M 31S
0 192.168.0.3 3.3.3.3 Spoke No 0H 9M 27S
0 192.168.0.4 4.4.4.4 Spoke No 0H 9M 51S
# Display the IPv4 private address mappings of all VAM clients registered with the secondary VAM server.
[Secondaryserver] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 11M 49S
0 192.168.0.2 2.2.2.2 Hub No 0H 11M 50S
0 192.168.0.3 3.3.3.3 Spoke No 0H 10M 45S
0 192.168.0.4 4.4.4.4 Spoke No 0H 11M 10S
The output shows that Hub1, Hub2, Spoke1, and Spoke2 have all registered their address mappings with the VAM servers.
# Display IPv4 ADVPN tunnel information on Hub1.
[Hub1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.2 2.2.2.2 -- H-H Success 0H 12M 23S
192.168.0.3 3.3.3.3 -- H-S Success 0H 11M 19S
192.168.0.4 4.4.4.4 -- H-S Success 0H 11M 44S
The output shows that Hub1 has established permanent tunnels with Hub2, Spoke1, and Spoke2. The output on Hub2 is similar.
# Display IPv4 ADVPN tunnel information on Spoke1.
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 11M 0S
192.168.0.2 2.2.2.2 -- S-H Success 0H 11M 0S
The output shows that Spoke1 has established permanent hub-spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar.
# From Spoke1, ping the private address 192.168.2.1 of Spoke2.
[Spoke1] ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms
# Display IPv4 ADVPN tunnel information on Spoke1 again: a temporary IPv4 ADVPN tunnel to Spoke2 has now been established.
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 12M 44S
192.168.0.2 2.2.2.2 -- S-H Success 0H 12M 44S
192.168.0.4 4.4.4.4 -- S-S Success 0H 1M 0S
The output shows that Spoke1 holds permanent hub-spoke tunnels with Hub1 and Hub2 and a temporary spoke-spoke tunnel with Spoke2. The output on Spoke2 is similar.
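The verification above is done by eye; the following Python script, an added example that is not part of the H3C document, turns it into a repeatable check. It parses display vam server address-map and display advpn session output in the layout shown above and compares it with the planned topology of Table 1-1: every client must register from its own loopback address with the expected role, the primary and secondary servers must hold the same mappings, and a spoke must hold a Success spoke-to-hub session to every hub while any spoke-to-spoke session is reported as a dynamic tunnel. The sample outputs and the expected-topology dictionaries are constructed for the example.

```python
import re

# Constructed samples that follow the layout of the example's display output.
ADDRESS_MAP = """\
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 10M 30S
0 192.168.0.2 2.2.2.2 Hub No 0H 10M 31S
0 192.168.0.3 3.3.3.3 Spoke No 0H 9M 27S
0 192.168.0.4 4.4.4.4 Spoke No 0H 9M 51S
"""
SPOKE1_SESSIONS = """\
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 12M 44S
192.168.0.2 2.2.2.2 -- S-H Success 0H 12M 44S
192.168.0.4 4.4.4.4 -- S-S Success 0H 1M 0S
"""
# Expected topology from Table 1-1: the public (loopback) address each private
# tunnel address must register from, and which of them are hubs.
EXPECTED_PUBLIC = {"192.168.0.1": "1.1.1.1", "192.168.0.2": "2.2.2.2",
                   "192.168.0.3": "3.3.3.3", "192.168.0.4": "4.4.4.4"}
EXPECTED_HUBS = {"192.168.0.1", "192.168.0.2"}
# Permanent sessions Spoke1 must hold: one spoke-to-hub session per hub.
SPOKE1_REQUIRED = {"192.168.0.1": "S-H", "192.168.0.2": "S-H"}

MAP_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(Hub|Spoke)\s+(Yes|No)\s+")
SESSION_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S-\S)\s+(\S+)\s+")


def parse_address_map(text):
    """Map private address -> entry; the holding time is dropped so two servers' tables compare."""
    rows = {}
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            rows[m.group(2)] = {"group": int(m.group(1)), "public": m.group(3),
                                "type": m.group(4), "nat": m.group(5) == "Yes"}
    return rows


def check_registrations(text, expected_public, expected_hubs):
    """Report clients that are missing, registered from the wrong public address,
    registered with the wrong role, or not in the plan at all."""
    rows = parse_address_map(text)
    problems = []
    for priv, pub in expected_public.items():
        if priv not in rows:
            problems.append(priv + " not registered")
        elif rows[priv]["public"] != pub:
            problems.append("%s registered from %s, expected %s" % (priv, rows[priv]["public"], pub))
        elif (rows[priv]["type"] == "Hub") != (priv in expected_hubs):
            problems.append("%s registered as %s" % (priv, rows[priv]["type"]))
    for priv in rows:
        if priv not in expected_public:
            problems.append("unexpected client " + priv)
    return problems


def server_diff(primary_text, secondary_text):
    """Private addresses whose entries differ between the primary and secondary VAM servers."""
    a, b = parse_address_map(primary_text), parse_address_map(secondary_text)
    return {p for p in set(a) | set(b) if a.get(p) != b.get(p)}


def check_sessions(text, required):
    """required maps peer private address -> session type that must be in Success state.
    Returns (peers lacking such a session, spoke-spoke peers seen, i.e. dynamic tunnels)."""
    up, dynamic = {}, []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue
        priv, typ, state = m.group(1), m.group(4), m.group(5)
        if state == "Success":
            up[priv] = typ
        if typ == "S-S":
            dynamic.append(priv)
    missing = sorted(p for p, t in required.items() if up.get(p) != t)
    return missing, dynamic


if __name__ == "__main__":
    print(check_registrations(ADDRESS_MAP, EXPECTED_PUBLIC, EXPECTED_HUBS))
    print(server_diff(ADDRESS_MAP, ADDRESS_MAP))
    print(check_sessions(SPOKE1_SESSIONS, SPOKE1_REQUIRED))
```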
Primary server:
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 6.6.6.6 0.0.0.0
#
mpls lsr-id 6.6.6.6
#
mpls ldp
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 5.6.1.3 255.255.255.0
mpls enable
mpls ldp enable
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
Secondary server:
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 7.7.7.7 0.0.0.0
#
mpls lsr-id 7.7.7.7
#
mpls ldp
#
interface LoopBack0
ip address 7.7.7.7 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 5.6.1.4 255.255.255.0
mpls enable
mpls ldp enable
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
Router:
#
ospf 1
area 0.0.0.0
network 1.5.1.0 0.0.0.3
network 2.5.1.0 0.0.0.3
network 3.5.1.0 0.0.0.3
network 4.5.1.0 0.0.0.3
network 5.5.5.5 0.0.0.0
network 5.6.1.0 0.0.0.255
#
mpls lsr-id 5.5.5.5
#
mpls ldp
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 1.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 2.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/3
ip address 3.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/4
ip address 4.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/5
ip address 5.6.1.1 255.255.255.0
mpls enable
mpls ldp enable
#
Hub1:
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 1.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 1.1.1.1
#
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 1.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.1 255.255.255.0
ospf network-type broadcast
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub1 password simple hub1
client enable
#
Hub2:
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 2.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 2.2.2.2
#
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 2.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.2 255.255.255.0
ospf network-type broadcast
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub2
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub2 password simple hub2
client enable
#
Spoke1:
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 3.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
mpls lsr-id 3.3.3.3
#
mpls ldp
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 3.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.3 255.255.255.0
ospf network-type broadcast
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke1 password simple spoke1
client enable
#
Spoke2:
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 4.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
mpls lsr-id 4.4.4.4
#
mpls ldp
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 4.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 192.168.2.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.4 255.255.255.0
ospf network-type broadcast
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke2
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke2 password simple spoke2
client enable
#
This example was configured and verified on [device] running [version].
· Hub, Spoke, Router, and Server establish LSPs dynamically through MPLS LDP, so that traffic between the loopback addresses of these devices is carried over MPLS.
· In the IPv4 hub-spoke network, data is forwarded over the hub-spoke tunnels. The primary and secondary VAM servers manage and maintain the information of every node; the AAA server authenticates VAM clients and handles their accounting; the two hubs back each other up and are responsible for forwarding data and exchanging routing information.
· Permanent ADVPN tunnels are established between each spoke and the hubs.
Table 1-2 Interface addresses in the IPv4 Hub-Spoke ADVPN over MPLS network

Device | Interface | IP address
Hub 1 | GE1/0/1 | 1.5.1.1/30
Hub 1 | Loopback0 | 1.1.1.1/32
Hub 1 | Tunnel1 | 192.168.0.1/24
Hub 2 | GE1/0/1 | 2.5.1.1/30
Hub 2 | Loopback0 | 2.2.2.2/32
Hub 2 | Tunnel1 | 192.168.0.2/24
Router | GE1/0/1 | 1.5.1.2/30
Router | GE1/0/2 | 2.5.1.2/30
Router | GE1/0/3 | 3.5.1.2/30
Router | GE1/0/4 | 4.5.1.2/30
Router | GE1/0/5 | 5.6.1.1/24
Router | Loopback0 | 5.5.5.5/32
AAA server | - | 5.6.1.2/24
Spoke 1 | GE1/0/1 | 3.5.1.1/30
Spoke 1 | Loopback0 | 3.3.3.3/32
Spoke 1 | Tunnel1 | 192.168.0.3/24
Spoke 1 | GE1/0/2 | 192.168.1.1/24
Spoke 2 | GE1/0/1 | 4.5.1.1/30
Spoke 2 | Loopback0 | 4.4.4.4/32
Spoke 2 | Tunnel1 | 192.168.0.4/24
Spoke 2 | GE1/0/2 | 192.168.2.1/24
Primary server | GE1/0/1 | 5.6.1.3/24
Primary server | Loopback0 | 6.6.6.6/32
Secondary server | GE1/0/1 | 5.6.1.4/24
Secondary server | Loopback0 | 7.7.7.7/32
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Primary server> system-view
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] ip address 5.6.1.3 24
[Primary server-GigabitEthernet1/0/1] quit
[Primary server] interface loopback 0
[Primary server-LoopBack0] ip address 6.6.6.6 32
[Primary server-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Primary server] ospf 1
[Primary server-ospf-1] area 0
[Primary server-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0
[Primary server-ospf-1-area-0.0.0.0] network 5.6.1.3 0.0.0.255
[Primary server-ospf-1-area-0.0.0.0] quit
[Primary server-ospf-1] quit
(3) Configure public-network IS-IS routing
# Configure IS-IS to advertise the public-network routes.
[Primary server] isis 1
[Primary server-isis-1] network-entity 49.0001.0060.0600.6006.00
[Primary server-isis-1] is-level level-2
[Primary server-isis-1] quit
[Primary server] interface range gigabitethernet 1/0/1 loopback 0
[Primary server-if-range] isis enable 1
[Primary server-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Primary server] mpls lsr-id 6.6.6.6
[Primary server] mpls ldp
[Primary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] mpls enable
[Primary server-GigabitEthernet1/0/1] mpls ldp enable
[Primary server-GigabitEthernet1/0/1] quit
(5) Configure AAA authentication
# Configure a RADIUS scheme.
[Primary server] radius scheme abc
[Primary server-radius-abc] primary authentication 5.6.1.2 1812
[Primary server-radius-abc] primary accounting 5.6.1.2 1813
[Primary server-radius-abc] key authentication simple 123
[Primary server-radius-abc] key accounting simple 123
[Primary server-radius-abc] user-name-format without-domain
[Primary server-radius-abc] quit
[Primary server] radius session-control enable
# Configure the AAA methods of the ISP domain.
[Primary server] domain abc
[Primary server-isp-abc] authentication advpn radius-scheme abc
[Primary server-isp-abc] accounting advpn radius-scheme abc
[Primary server-isp-abc] quit
[Primary server] domain default enable abc
(6) Configure the VAM server
# Create ADVPN domain abc.
[Primary server] vam server advpn-domain abc id 1
# Create hub group 0.
[Primary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the hubs in the hub group.
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the spokes in the hub group.
[Primary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Primary server-vam-server-domain-abc-hub-group-0] quit
# Set the VAM server pre-shared key to 123456.
[Primary server-vam-server-domain-abc] pre-shared-key simple 123456
# Authenticate VAM clients with CHAP.
[Primary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM server for this ADVPN domain.
[Primary server-vam-server-domain-abc] server enable
[Primary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Configure the IP addresses of the interfaces as planned in the network diagram. The configuration steps are as follows.
<Secondary server> system-view
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] ip address 5.6.1.4 24
[Secondary server-GigabitEthernet1/0/1] quit
[Secondary server] interface loopback 0
[Secondary server-LoopBack0] ip address 7.7.7.7 32
[Secondary server-LoopBack0] quit
(2) Configure public network OSPF routing
# Configure OSPF process 1 to advertise the public network routes.
[Secondary server] ospf 1
[Secondary server-ospf-1] area 0
[Secondary server-ospf-1-area-0.0.0.0] network 7.7.7.7 0.0.0.0
[Secondary server-ospf-1-area-0.0.0.0] network 5.6.1.4 0.0.0.255
[Secondary server-ospf-1-area-0.0.0.0] quit
[Secondary server-ospf-1] quit
(3) Configure public network IS-IS routing
# Configure IS-IS to advertise the public network routes.
[Secondary server] isis 1
[Secondary server-isis-1] network-entity 49.0001.0070.0700.7007.00
[Secondary server-isis-1] is-level level-2
[Secondary server-isis-1] quit
[Secondary server] interface range gigabitethernet 1/0/1 loopback 0
[Secondary server-if-range] isis enable 1
[Secondary server-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Secondary server] mpls lsr-id 7.7.7.7
[Secondary server] mpls ldp
[Secondary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] mpls enable
[Secondary server-GigabitEthernet1/0/1] mpls ldp enable
[Secondary server-GigabitEthernet1/0/1] quit
(5) Configure AAA authentication
# Configure a RADIUS scheme.
[Secondary server] radius scheme abc
[Secondary server-radius-abc] primary authentication 5.6.1.2 1812
[Secondary server-radius-abc] primary accounting 5.6.1.2 1813
[Secondary server-radius-abc] key authentication simple 123
[Secondary server-radius-abc] key accounting simple 123
[Secondary server-radius-abc] user-name-format without-domain
[Secondary server-radius-abc] quit
[Secondary server] radius session-control enable
# Configure the AAA methods for the ISP domain.
[Secondary server] domain abc
[Secondary server-isp-abc] authentication advpn radius-scheme abc
[Secondary server-isp-abc] accounting advpn radius-scheme abc
[Secondary server-isp-abc] quit
[Secondary server] domain default enable abc
(6) Configure the VAM server
# Create ADVPN domain abc.
[Secondary server] vam server advpn-domain abc id 1
# Create hub group 0.
[Secondary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the hubs in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the spokes in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Secondary server-vam-server-domain-abc-hub-group-0] quit
# Set the pre-shared key of the VAM server to 123456.
[Secondary server-vam-server-domain-abc] pre-shared-key simple 123456
# Configure CHAP authentication for VAM clients.
[Secondary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM server for this ADVPN domain.
[Secondary server-vam-server-domain-abc] server enable
[Secondary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Configure the IP addresses of the interfaces as planned in the network diagram. The configuration steps are as follows.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 1.5.1.2 30
[Router-GigabitEthernet1/0/1] quit
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip address 2.5.1.2 30
[Router-GigabitEthernet1/0/2] quit
[Router] interface gigabitethernet 1/0/3
[Router-GigabitEthernet1/0/3] ip address 3.5.1.2 30
[Router-GigabitEthernet1/0/3] quit
[Router] interface gigabitethernet 1/0/4
[Router-GigabitEthernet1/0/4] ip address 4.5.1.2 30
[Router-GigabitEthernet1/0/4] quit
[Router] interface gigabitethernet 1/0/5
[Router-GigabitEthernet1/0/5] ip address 5.6.1.1 24
[Router-GigabitEthernet1/0/5] quit
[Router] interface loopback 0
[Router-LoopBack0] ip address 5.5.5.5 32
[Router-LoopBack0] quit
(2) Configure public network OSPF routing
# Configure OSPF process 1 to advertise the public network routes.
[Router] ospf 1
[Router-ospf-1] area 0
[Router-ospf-1-area-0.0.0.0] network 1.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 2.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 3.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 5.6.1.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit
(3) Configure public network IS-IS routing
# Configure IS-IS to advertise the public network routes.
[Router] isis 1
[Router-isis-1] network-entity 49.0001.0050.0500.5005.00
[Router-isis-1] is-level level-2
[Router-isis-1] quit
[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/4 gigabitethernet 1/0/5 loopback 0
[Router-if-range] isis enable 1
[Router-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Router] mpls lsr-id 5.5.5.5
[Router] mpls ldp
[Router-ldp] quit
# Enable MPLS and IPv4 LDP on the interfaces.
[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5
[Router-if-range] mpls enable
[Router-if-range] mpls ldp enable
[Router-if-range] quit
(1) Configure interface IP addresses
# Configure the IP addresses of the interfaces as planned in the network diagram. The configuration steps are as follows.
<Hub1> system-view
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] ip address 1.5.1.1 30
[Hub1-GigabitEthernet1/0/1] quit
[Hub1] interface loopback 0
[Hub1-LoopBack0] ip address 1.1.1.1 32
[Hub1-LoopBack0] quit
(2) Configure public network OSPF routing
# Configure OSPF process 1 to advertise the public network routes.
[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[Hub1-ospf-1-area-0.0.0.0] network 1.5.1.1 0.0.0.3
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit
(3) Configure public network IS-IS routing
# Configure IS-IS to advertise the public network routes.
[Hub1] isis 1
[Hub1-isis-1] network-entity 49.0001.0010.0100.1001.00
[Hub1-isis-1] is-level level-2
[Hub1-isis-1] quit
[Hub1] interface range gigabitethernet 1/0/1 loopback 0
[Hub1-if-range] isis enable 1
[Hub1-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Hub1] mpls lsr-id 1.1.1.1
[Hub1] mpls ldp
[Hub1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] mpls enable
[Hub1-GigabitEthernet1/0/1] mpls ldp enable
[Hub1-GigabitEthernet1/0/1] quit
(5) Configure the VAM client
# Create VAM client Hub1.
[Hub1] vam client name Hub1
# Assign the VAM client to ADVPN domain abc.
[Hub1-vam-client-Hub1] advpn-domain abc
# Set the pre-shared key of the VAM client to 123456.
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
# Set the authentication username of the VAM client to hub1 and the password to hub1.
[Hub1-vam-client-Hub1] user hub1 password simple hub1
# Specify the IP addresses of the VAM servers.
[Hub1-vam-client-Hub1] server primary ip-address 6.6.6.6
[Hub1-vam-client-Hub1] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit
(6) Configure an IPsec profile
# Configure an IKE profile.
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# Configure an IPsec profile.
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
(7) Configure the ADVPN tunnel
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Hub1] interface tunnel 1 mode advpn gre
[Hub1-Tunnel1] ip address 192.168.0.1 24
[Hub1-Tunnel1] vam client Hub1
[Hub1-Tunnel1] ospf network-type p2mp
[Hub1-Tunnel1] source loopback 0
[Hub1-Tunnel1] tunnel protection ipsec profile abc
# Set the OSPF 2 (private network) cost of the Hub1 tunnel interface to 1 so that traffic between spokes does not take different forward and return paths.
[Hub1-Tunnel1] ospf cost 1
[Hub1-Tunnel1] quit
(8) Configure OSPF routing
# Configure routing for the private network.
[Hub1] ospf 2
[Hub1-ospf-2] area 0
[Hub1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-2-area-0.0.0.0] quit
[Hub1-ospf-2] quit
(1) Configure interface IP addresses
# Configure the IP addresses of the interfaces as planned in the network diagram. The configuration steps are as follows.
<Hub2> system-view
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] ip address 2.5.1.1 30
[Hub2-GigabitEthernet1/0/1] quit
[Hub2] interface loopback 0
[Hub2-LoopBack0] ip address 2.2.2.2 32
[Hub2-LoopBack0] quit
(2) Configure public network OSPF routing
# Configure OSPF process 1 to advertise the public network routes.
[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[Hub2-ospf-1-area-0.0.0.0] network 2.5.1.1 0.0.0.3
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit
(3) Configure public network IS-IS routing
# Configure IS-IS to advertise the public network routes.
[Hub2] isis 1
[Hub2-isis-1] network-entity 49.0001.0020.0200.2002.00
[Hub2-isis-1] is-level level-2
[Hub2-isis-1] quit
[Hub2] interface range gigabitethernet 1/0/1 loopback 0
[Hub2-if-range] isis enable 1
[Hub2-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Hub2] mpls lsr-id 2.2.2.2
[Hub2] mpls ldp
[Hub2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] mpls enable
[Hub2-GigabitEthernet1/0/1] mpls ldp enable
[Hub2-GigabitEthernet1/0/1] quit
(5) Configure the VAM client
# Create VAM client Hub2.
[Hub2] vam client name Hub2
# Assign the VAM client to ADVPN domain abc.
[Hub2-vam-client-Hub2] advpn-domain abc
# Set the pre-shared key of the VAM client to 123456.
[Hub2-vam-client-Hub2] pre-shared-key simple 123456
# Set the authentication username of the VAM client to hub2 and the password to hub2.
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# Specify the IP addresses of the VAM servers.
[Hub2-vam-client-Hub2] server primary ip-address 6.6.6.6
[Hub2-vam-client-Hub2] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
(6) Configure an IPsec profile
# Configure an IKE profile.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# Configure an IPsec profile.
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
(7) Configure the ADVPN tunnel
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Hub2] interface tunnel 1 mode advpn gre
[Hub2-Tunnel1] ip address 192.168.0.2 24
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type p2mp
[Hub2-Tunnel1] source loopback 0
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit
(8) Configure OSPF routing
# Configure routing for the private network.
[Hub2] ospf 2
[Hub2-ospf-2] area 0
[Hub2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-2-area-0.0.0.0] quit
[Hub2-ospf-2] quit
(1) Configure interface IP addresses
# Configure the IP addresses of the interfaces as planned in the network diagram. The configuration steps are as follows.
<Spoke1> system-view
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] ip address 3.5.1.1 30
[Spoke1-GigabitEthernet1/0/1] quit
[Spoke1] interface gigabitethernet 1/0/2
[Spoke1-GigabitEthernet1/0/2] ip address 192.168.1.1 24
[Spoke1-GigabitEthernet1/0/2] quit
[Spoke1] interface loopback 0
[Spoke1-LoopBack0] ip address 3.3.3.3 32
[Spoke1-LoopBack0] quit
(2) Configure public network OSPF routing
# Configure OSPF process 1 to advertise the public network routes.
[Spoke1] ospf 1
[Spoke1-ospf-1] area 0
[Spoke1-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 3.5.1.1 0.0.0.3
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Spoke1] mpls lsr-id 3.3.3.3
[Spoke1] mpls ldp
[Spoke1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] mpls enable
[Spoke1-GigabitEthernet1/0/1] mpls ldp enable
[Spoke1-GigabitEthernet1/0/1] quit
(4) Configure the VAM client
# Create VAM client Spoke1.
[Spoke1] vam client name Spoke1
# Assign the VAM client to ADVPN domain abc.
[Spoke1-vam-client-Spoke1] advpn-domain abc
# Set the pre-shared key of the VAM client to 123456.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# Set the authentication username of the VAM client to spoke1 and the password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Specify the IP addresses of the VAM servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 6.6.6.6
[Spoke1-vam-client-Spoke1] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
(5) Configure an IPsec profile
# Configure an IKE profile.
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# Configure an IPsec profile.
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Spoke1] interface tunnel 1 mode advpn gre
[Spoke1-Tunnel1] ip address 192.168.0.3 24
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type p2mp
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source loopback 0
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit
(7) Configure OSPF routing
# Configure routing for the private network.
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] quit
[Spoke1-ospf-2] quit
(1) Configure interface IP addresses
# Configure the IP addresses of the interfaces as planned in the network diagram. The configuration steps are as follows.
<Spoke2> system-view
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] ip address 4.5.1.1 30
[Spoke2-GigabitEthernet1/0/1] quit
[Spoke2] interface gigabitethernet 1/0/2
[Spoke2-GigabitEthernet1/0/2] ip address 192.168.2.1 24
[Spoke2-GigabitEthernet1/0/2] quit
[Spoke2] interface loopback 0
[Spoke2-LoopBack0] ip address 4.4.4.4 32
[Spoke2-LoopBack0] quit
(2) Configure public network IS-IS routing
# Configure IS-IS to advertise the public network routes.
[Spoke2] isis 1
[Spoke2-isis-1] network-entity 49.0001.0040.0400.4004.00
[Spoke2-isis-1] is-level level-2
[Spoke2-isis-1] quit
[Spoke2] interface range gigabitethernet 1/0/1 loopback 0
[Spoke2-if-range] isis enable 1
[Spoke2-if-range] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Spoke2] mpls lsr-id 4.4.4.4
[Spoke2] mpls ldp
[Spoke2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] mpls enable
[Spoke2-GigabitEthernet1/0/1] mpls ldp enable
[Spoke2-GigabitEthernet1/0/1] quit
(4) Configure the VAM client
# Create VAM client Spoke2.
[Spoke2] vam client name Spoke2
# Assign the VAM client to ADVPN domain abc.
[Spoke2-vam-client-Spoke2] advpn-domain abc
# Set the pre-shared key of the VAM client to 123456.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# Set the authentication username of the VAM client to spoke2 and the password to spoke2.
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# Specify the IP addresses of the VAM servers.
[Spoke2-vam-client-Spoke2] server primary ip-address 6.6.6.6
[Spoke2-vam-client-Spoke2] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
(5) Configure an IPsec profile
# Configure an IKE profile.
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# Configure an IPsec profile.
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Spoke2] interface tunnel 1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 24
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type p2mp
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] source loopback 0
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit
(7) Configure OSPF routing
# Configure routing for the private network.
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] quit
[Spoke2-ospf-2] quit
# Display the IPv4 private address mappings of all VAM clients registered with the primary VAM server.
[Primaryserver]display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 5M 52S
0 192.168.0.2 2.2.2.2 Hub No 0H 4M 34S
0 192.168.0.3 3.3.3.3 Spoke No 0H 2M 52S
0 192.168.0.4 4.4.4.4 Spoke No 0H 1M 38S
# Display the IPv4 private address mappings of all VAM clients registered with the secondary VAM server.
[Secondaryserver]display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 6M 19S
0 192.168.0.2 2.2.2.2 Hub No 0H 5M 8S
0 192.168.0.3 3.3.3.3 Spoke No 0H 3M 35S
0 192.168.0.4 4.4.4.4 Spoke No 0H 2M 27S
The output shows that Hub1, Hub2, Spoke1, and Spoke2 have all registered their address mappings with the VAM servers.
# Display IPv4 ADVPN tunnel information on Hub1.
[Hub1]display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.2 2.2.2.2 -- H-H Success 0H 6M 33S
192.168.0.3 3.3.3.3 -- H-S Success 0H 4M 50S
192.168.0.4 4.4.4.4 -- H-S Success 0H 3M 36S
The output shows that Hub1 has established permanent tunnels with Hub2, Spoke1, and Spoke2. The output on Hub2 is similar to that on Hub1.
# Display IPv4 ADVPN tunnel information on Spoke1.
[Spoke1]display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 5M 25S
192.168.0.2 2.2.2.2 -- S-H Success 0H 5M 25S
The output shows that Spoke1 has established permanent hub-spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar to that on Spoke1.
# On Spoke1, ping the private network address 192.168.2.1 of Spoke2.
[Spoke1]ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=254 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=254 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=254 time=3.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=254 time=2.000 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/2.000/3.000/0.632 ms
# Display IPv4 ADVPN tunnel information on Spoke1. No temporary IPv4 ADVPN tunnel to Spoke2 has been established, which shows that the traffic is forwarded through the hubs.
[Spoke1]display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 7M 43S
192.168.0.2 2.2.2.2 -- S-H Success 0H 7M 43S
The output on Spoke2 is similar to that on Spoke1.
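As an added example (not part of the H3C guide), the following Python script parses the two display outputs shown above and checks them against the plan of this example: every configured hub must be registered as a hub, each client must register from its planned tunnel source address, and a spoke must hold an established hub-spoke session with both hubs. The sample outputs are copied from the transcripts above; the expected-address table, function names and finding messages are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Sample outputs copied from the `display` transcripts on this page.
ADDRESS_MAP_OUTPUT = """\
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 5M 52S
0 192.168.0.2 2.2.2.2 Hub No 0H 4M 34S
0 192.168.0.3 3.3.3.3 Spoke No 0H 2M 52S
0 192.168.0.4 4.4.4.4 Spoke No 0H 1M 38S
"""
SPOKE1_SESSION_OUTPUT = """\
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 5M 25S
192.168.0.2 2.2.2.2 -- S-H Success 0H 5M 25S
"""

# The plan of the example: hub addresses given with `hub private-address`,
# the spoke range from `spoke private-address network`, and each client's
# tunnel source loopback as the public address it is expected to use.
EXPECTED_HUBS = ("192.168.0.1", "192.168.0.2")
SPOKE_NETWORK = "192.168.0.0/24"
EXPECTED_PUBLIC = {"192.168.0.1": "1.1.1.1", "192.168.0.2": "2.2.2.2",
                   "192.168.0.3": "3.3.3.3", "192.168.0.4": "4.4.4.4"}


@dataclass(frozen=True)
class Mapping:
    group: int
    private: str
    public: str
    kind: str    # "Hub" or "Spoke"
    nat: bool


@dataclass(frozen=True)
class Session:
    private: str
    public: str
    kind: str    # H-H, H-S, S-H or S-S
    state: str


_MAP_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(Hub|Spoke)\s+(Yes|No)\s", re.M)
_SESS_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([HS]-[HS])\s+(\S+)\s", re.M)
_TOTAL_RE = re.compile(r"^Total private address mappings:\s*(\d+)", re.M)


def parse_address_map(text):
    """Rows of `display vam server address-map` (header lines never match)."""
    return [Mapping(int(g), priv, pub, kind, nat == "Yes")
            for g, priv, pub, kind, nat in _MAP_RE.findall(text)]


def parse_sessions(text):
    """Rows of `display advpn session`."""
    return [Session(priv, pub, kind, state)
            for priv, pub, _port, kind, state in _SESS_RE.findall(text)]


def check_address_map(text, hubs=EXPECTED_HUBS, spoke_net=SPOKE_NETWORK,
                      public=EXPECTED_PUBLIC):
    """Compare the server's registrations with the plan; return findings."""
    rows, findings, seen = parse_address_map(text), [], {}
    total = _TOTAL_RE.search(text)
    if total and int(total.group(1)) != len(rows):
        findings.append("header claims %s mappings, parsed %d" % (total.group(1), len(rows)))
    net = ipaddress.ip_network(spoke_net)
    for r in rows:
        if r.private in seen:                  # two clients using one private address
            findings.append("duplicate private address %s" % r.private)
        seen[r.private] = r
        if r.public != public.get(r.private):  # registration from an unplanned source
            findings.append("%s registered from unexpected public address %s"
                            % (r.private, r.public))
        if r.kind == "Spoke" and (r.private in hubs
                                  or ipaddress.ip_address(r.private) not in net):
            findings.append("spoke %s is outside the planned spoke range" % r.private)
    for hub in hubs:
        if hub not in seen or seen[hub].kind != "Hub":
            findings.append("hub %s is not registered as a hub" % hub)
    return findings


def check_spoke_sessions(text, hubs=EXPECTED_HUBS):
    """A spoke must hold a Success S-H session with every hub; report gaps."""
    sessions, findings = parse_sessions(text), []
    up = {s.private for s in sessions if s.kind == "S-H" and s.state == "Success"}
    findings += ["no established hub-spoke tunnel to %s" % h for h in hubs if h not in up]
    findings += ["session to %s is in state %s" % (s.private, s.state)
                 for s in sessions if s.state != "Success"]
    return findings


def spoke_to_spoke_peers(text):
    """Private addresses of dynamic spoke-spoke tunnels (none in the example)."""
    return [s.private for s in parse_sessions(text) if s.kind == "S-S"]
```

Running the checks on the outputs above returns no findings; an empty result from spoke_to_spoke_peers is what the text means by "no temporary tunnel to Spoke2".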
#
isis 1
is-level level-2
network-entity 49.0001.0060.0600.6006.00
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 6.6.6.6 0.0.0.0
#
mpls lsr-id 6.6.6.6
#
mpls ldp
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 5.6.1.3 255.255.255.0
isis enable 1
mpls enable
mpls ldp enable
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
#
isis 1
is-level level-2
network-entity 49.0001.0070.0700.7007.00
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 7.7.7.7 0.0.0.0
#
mpls lsr-id 7.7.7.7
#
mpls ldp
#
interface LoopBack0
ip address 7.7.7.7 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 5.6.1.4 255.255.255.0
isis enable 1
mpls enable
mpls ldp enable
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
#
isis 1
is-level level-2
network-entity 49.0001.0050.0500.5005.00
#
ospf 1
area 0.0.0.0
network 1.5.1.0 0.0.0.3
network 2.5.1.0 0.0.0.3
network 3.5.1.0 0.0.0.3
network 5.5.5.5 0.0.0.0
network 5.6.1.0 0.0.0.255
#
mpls lsr-id 5.5.5.5
#
mpls ldp
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 1.5.1.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 2.5.1.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/3
ip address 3.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/4
ip address 4.5.1.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/5
ip address 5.6.1.1 255.255.255.0
isis enable 1
mpls enable
mpls ldp enable
#
#
isis 1
is-level level-2
network-entity 49.0001.0010.0100.1001.00
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 1.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 1.1.1.1
#
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 1.5.1.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.1 255.255.255.0
ospf cost 1
ospf network-type p2mp
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub1 password simple hub1
client enable
#
#
isis 1
is-level level-2
network-entity 49.0001.0020.0200.2002.00
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 2.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 2.2.2.2
#
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 2.5.1.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.2 255.255.255.0
ospf network-type p2mp
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub2
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub2 password simple hub2
client enable
#
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 3.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
mpls lsr-id 3.3.3.3
#
mpls ldp
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 3.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.3 255.255.255.0
ospf network-type p2mp
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke1 password simple spoke1
client enable
#
#
isis 1
is-level level-2
network-entity 49.0001.0040.0400.4004.00
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
mpls lsr-id 4.4.4.4
#
mpls ldp
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 4.5.1.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 192.168.2.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.4 255.255.255.0
ospf network-type p2mp
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke2
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke2 password simple spoke2
client enable
#
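As an added example (not from the H3C guide), this Python audit parses Comware-style configuration blocks like the ones listed above and reports the IPsec and key settings a security reviewer would revisit before deploying them: the des-cbc transform set, the wildcard IKE peer address, and the short numeric pre-shared keys and passwords. Both configuration samples are constructed for the example (the first is trimmed from the Hub1 listing above); the aes-cbc-256 and sha256 keywords in the hardened counterpart are assumed names to be checked against the command reference of the device in use.

```python
import re

# Constructed sample: the IPsec, IKE and VAM part of the Hub1 configuration
# listed above; the routing and interface blocks are not needed for this audit.
HUB1_CONFIG = """\
#
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
 pre-shared-key simple 123456
 user hub1 password simple hub1
#
"""
# Constructed hardened counterpart. aes-cbc-256 and sha256 are assumed keyword
# names: verify them against the command reference of the device in use.
HARDENED_CONFIG = """\
#
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple Vb7qL2mxR9pW4zT6nKs3
#
vam client name Hub1
 pre-shared-key simple gT4wN8kP1vZ5xC3mQ7rJ
 user hub1 password simple H3h7sD2qL9xRb4TmW6
#
"""

WEAK_CIPHERS = {"des-cbc", "3des-cbc", "null"}  # 56/112-bit keys or no confidentiality
LEGACY_HMACS = {"md5", "sha1"}                  # still widely used; prefer a SHA-2 HMAC
MIN_SECRET_LEN = 16


def blocks(config):
    """Split a Comware-style configuration into (header, body lines) blocks."""
    out, cur = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if cur:
                out.append((cur[0], cur[1:]))
            cur = []
        elif line:
            cur.append(line)
    if cur:
        out.append((cur[0], cur[1:]))
    return out


def secret_findings(where, secret, label):
    """Flag a short or all-digit secret without echoing its value."""
    if len(secret) < MIN_SECRET_LEN or secret.isdigit():
        detail = " (digits only)" if secret.isdigit() else ""
        return [("high", "%s: %s of %d characters%s is too weak"
                 % (where, label, len(secret), detail))]
    return []


def audit(config):
    """Return (severity, message) findings for the settings described above."""
    findings = []
    for header, body in blocks(config):
        if header.startswith("ipsec transform-set "):
            for line in body:
                m = re.match(r"esp encryption-algorithm (\S+)$", line)
                if m and m.group(1) in WEAK_CIPHERS:
                    findings.append(("high", "%s: %s is a weak cipher" % (header, m.group(1))))
                m = re.match(r"esp authentication-algorithm (\S+)$", line)
                if m and m.group(1) in LEGACY_HMACS:
                    findings.append(("medium", "%s: %s is a legacy integrity algorithm"
                                     % (header, m.group(1))))
        elif header.startswith("ike keychain "):
            for line in body:
                m = re.match(r"pre-shared-key address (\S+) (\S+) key \S+ (\S+)$", line)
                if m:
                    if m.group(1) == "0.0.0.0":   # any peer that knows the key is accepted
                        findings.append(("info", ("%s: pre-shared key is accepted from any "
                                                  "peer address, so the key is the only peer "
                                                  "filter") % header))
                    findings += secret_findings(header, m.group(3), "pre-shared key")
        elif header.startswith("vam client name "):
            for line in body:
                m = re.match(r"pre-shared-key \S+ (\S+)$", line)
                if m:
                    findings += secret_findings(header, m.group(1), "pre-shared key")
                m = re.match(r"user (\S+) password \S+ (\S+)$", line)
                if m and m.group(2).lower() == m.group(1).lower():
                    findings.append(("high", "%s: password for user %s equals the username"
                                     % (header, m.group(1))))
                elif m:
                    findings += secret_findings(header, m.group(2),
                                                "password for user " + m.group(1))
    return findings
```

The wildcard peer address is inherent to ADVPN, where spoke addresses are not known in advance, which is why the audit reports it as information rather than as a defect: it means the pre-shared key alone decides who may negotiate an IPsec SA.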
This example was configured and verified on an F5000-AI160 running version E8371.
· The hubs, spokes, Router, and servers dynamically establish LSPs through MPLS LDP so that traffic between the loopback addresses of these devices is carried over MPLS.
· In the IPv4 Full-Mesh network, the primary and secondary VAM servers manage and maintain the information of each node; the AAA server authenticates VAM clients and performs accounting; the two hubs back up each other and are responsible for data forwarding and routing information exchange.
· Permanent ADVPN tunnels are established between spokes and hubs.
· Within the same ADVPN domain, any two spokes dynamically establish an ADVPN tunnel when there is data to exchange.
Table 1-3 IPv4 Full-Mesh ADVPN over MPLS network diagram
Device | Interface | IP address | Device | Interface | IP address
Hub 1 | GE1/0/1 | 1.5.1.1/30 | Spoke 1 | GE1/0/1 | 3.5.1.1/30
 | Loopback0 | 1.1.1.1/32 | | Loopback0 | 3.3.3.3/32
 | Tunnel1 | 192.168.0.1/24 | | Tunnel1 | 192.168.0.3/24
Hub 2 | GE1/0/1 | 2.5.1.1/30 | | GE1/0/2 | 192.168.1.1/24
 | Loopback0 | 2.2.2.2/32 | Spoke 2 | GE1/0/1 | 4.5.1.1/30
 | Tunnel1 | 192.168.0.2/24 | | Loopback0 | 4.4.4.4/32
Router | GE1/0/1 | 1.5.1.2/30 | | Tunnel1 | 192.168.0.4/24
 | GE1/0/2 | 2.5.1.2/30 | | GE1/0/2 | 192.168.2.1/24
 | GE1/0/3 | 3.5.1.2/30 | Primary server | GE1/0/1 | 5.6.1.3/24
 | GE1/0/4 | 4.5.1.2/30 | | Loopback0 | 6.6.6.6/32
 | GE1/0/5 | 5.6.1.1/24 | Secondary server | GE1/0/1 | 5.6.1.4/24
 | Loopback0 | 5.5.5.5/32 | | Loopback0 | 7.7.7.7/32
AAA server | | 5.6.1.2/24 | | |
(1) Configure interface IP addresses
# Configure the IP addresses of the interfaces as planned in the network diagram. The configuration steps are as follows.
<Primary server> system-view
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] ip address 5.6.1.3 24
[Primary server-GigabitEthernet1/0/1] quit
[Primary server] interface loopback 0
[Primary server-LoopBack0] ip address 6.6.6.6 32
[Primary server-LoopBack0] quit
(2) Add the interfaces to security zones
# Add the interfaces to the corresponding security zones as planned in the network diagram. The configuration steps are as follows.
[Primary server] security-zone name untrust
[Primary server-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Primary server-security-zone-Untrust] quit
(3) Configure security policies
# Configure a security policy rule named publicout so that the VAM server can send protocol and service packets to the public network. The configuration steps are as follows.
[Primary server] security-policy ip
[Primary server-security-policy-ip] rule name publicout
[Primary server-security-policy-ip-0-publicout] source-zone local
[Primary server-security-policy-ip-0-publicout] destination-zone untrust
[Primary server-security-policy-ip-0-publicout] action pass
[Primary server-security-policy-ip-0-publicout] quit
# Configure a security policy rule named publicin so that the VAM server can receive protocol and service packets from the public network. The configuration steps are as follows.
[Primary server-security-policy-ip] rule name publicin
[Primary server-security-policy-ip-1-publicin] source-zone untrust
[Primary server-security-policy-ip-1-publicin] destination-zone local
[Primary server-security-policy-ip-1-publicin] action pass
[Primary server-security-policy-ip-1-publicin] quit
[Primary server-security-policy-ip] quit
(4) Configure public network OSPF routing
# Configure OSPF process 1 to advertise the public network routes.
[Primary server] ospf 1
[Primary server-ospf-1] area 0
[Primary server-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0
[Primary server-ospf-1-area-0.0.0.0] network 5.6.1.3 0.0.0.255
[Primary server-ospf-1-area-0.0.0.0] quit
[Primary server-ospf-1] quit
(5) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Primary server] mpls lsr-id 6.6.6.6
[Primary server] mpls ldp
[Primary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] mpls enable
[Primary server-GigabitEthernet1/0/1] mpls ldp enable
[Primary server-GigabitEthernet1/0/1] quit
(6) Configure AAA authentication
# Configure a RADIUS scheme.
[Primary server] radius scheme abc
[Primary server-radius-abc] primary authentication 5.6.1.2 1812
[Primary server-radius-abc] primary accounting 5.6.1.2 1813
[Primary server-radius-abc] key authentication simple 123
[Primary server-radius-abc] key accounting simple 123
[Primary server-radius-abc] user-name-format without-domain
[Primary server-radius-abc] quit
[Primary server] radius session-control enable
# Configure the AAA methods for the ISP domain.
[Primary server] domain abc
[Primary server-isp-abc] authentication advpn radius-scheme abc
[Primary server-isp-abc] accounting advpn radius-scheme abc
[Primary server-isp-abc] quit
[Primary server] domain default enable abc
(7) Configure the VAM server
# Create ADVPN domain abc.
[Primary server] vam server advpn-domain abc id 1
# Create hub group 0.
[Primary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the hubs in the hub group.
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the spokes in the hub group.
[Primary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Primary server-vam-server-domain-abc-hub-group-0] quit
# Set the pre-shared key of the VAM server to 123456.
[Primary server-vam-server-domain-abc] pre-shared-key simple 123456
# Configure CHAP authentication for VAM clients.
[Primary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM server for this ADVPN domain.
[Primary server-vam-server-domain-abc] server enable
[Primary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Configure the IP addresses of the interfaces as planned in the network diagram. The configuration steps are as follows.
<Secondary server> system-view
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] ip address 5.6.1.4 24
[Secondary server-GigabitEthernet1/0/1] quit
[Secondary server] interface loopback 0
[Secondary server-LoopBack0] ip address 7.7.7.7 32
[Secondary server-LoopBack0] quit
(2) Add the interfaces to security zones
# Add the interfaces to the corresponding security zones as planned in the network diagram. The configuration steps are as follows.
[Secondary server] security-zone name untrust
[Secondary server-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Secondary server-security-zone-Untrust] quit
(3) Configure security policies
# Configure a security policy rule named publicout so that the VAM server can send protocol and service packets to the public network. The configuration steps are as follows.
[Secondary server] security-policy ip
[Secondary server-security-policy-ip] rule name publicout
[Secondary server-security-policy-ip-0-publicout] source-zone local
[Secondary server-security-policy-ip-0-publicout] destination-zone untrust
[Secondary server-security-policy-ip-0-publicout] action pass
[Secondary server-security-policy-ip-0-publicout] quit
# Configure a security policy rule named publicin so that the VAM server can receive protocol and service packets from the public network. The configuration steps are as follows.
[Secondary server-security-policy-ip] rule name publicin
[Secondary server-security-policy-ip-1-publicin] source-zone untrust
[Secondary server-security-policy-ip-1-publicin] destination-zone local
[Secondary server-security-policy-ip-1-publicin] action pass
[Secondary server-security-policy-ip-1-publicin] quit
[Secondary server-security-policy-ip] quit
(4) Configure public network OSPF routing
# Configure OSPF process 1 to advertise the public network routes.
[Secondary server] ospf 1
[Secondary server-ospf-1] area 0
[Secondary server-ospf-1-area-0.0.0.0] network 7.7.7.7 0.0.0.0
[Secondary server-ospf-1-area-0.0.0.0] network 5.6.1.4 0.0.0.255
[Secondary server-ospf-1-area-0.0.0.0] quit
[Secondary server-ospf-1] quit
(5) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Secondary server] mpls lsr-id 7.7.7.7
[Secondary server] mpls ldp
[Secondary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] mpls enable
[Secondary server-GigabitEthernet1/0/1] mpls ldp enable
[Secondary server-GigabitEthernet1/0/1] quit
(6) Configure AAA authentication
# Configure a RADIUS scheme.
[Secondary server] radius scheme abc
[Secondary server-radius-abc] primary authentication 5.6.1.2 1812
[Secondary server-radius-abc] primary accounting 5.6.1.2 1813
[Secondary server-radius-abc] key authentication simple 123
[Secondary server-radius-abc] key accounting simple 123
[Secondary server-radius-abc] user-name-format without-domain
[Secondary server-radius-abc] quit
[Secondary server] radius session-control enable
# Configure the AAA methods for the ISP domain.
[Secondary server] domain abc
[Secondary server-isp-abc] authentication advpn radius-scheme abc
[Secondary server-isp-abc] accounting advpn radius-scheme abc
[Secondary server-isp-abc] quit
[Secondary server] domain default enable abc
(7) Configure the VAM server
# Create ADVPN domain abc.
[Secondary server] vam server advpn-domain abc id 1
# Create hub group 0.
[Secondary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the hubs in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the spokes in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Secondary server-vam-server-domain-abc-hub-group-0] quit
# Set the pre-shared key of the VAM server to 123456.
[Secondary server-vam-server-domain-abc] pre-shared-key simple 123456
# Use CHAP to authenticate VAM clients.
[Secondary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM server for this ADVPN domain.
[Secondary server-vam-server-domain-abc] server enable
[Secondary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Assign the IP address of each interface as planned in the network diagram table. The steps are as follows.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 1.5.1.2 30
[Router-GigabitEthernet1/0/1] quit
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip address 2.5.1.2 30
[Router-GigabitEthernet1/0/2] quit
[Router] interface gigabitethernet 1/0/3
[Router-GigabitEthernet1/0/3] ip address 3.5.1.2 30
[Router-GigabitEthernet1/0/3] quit
[Router] interface gigabitethernet 1/0/4
[Router-GigabitEthernet1/0/4] ip address 4.5.1.2 30
[Router-GigabitEthernet1/0/4] quit
[Router] interface gigabitethernet 1/0/5
[Router-GigabitEthernet1/0/5] ip address 5.6.1.1 24
[Router-GigabitEthernet1/0/5] quit
[Router] interface loopback 0
[Router-LoopBack0] ip address 5.5.5.5 32
[Router-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Router] ospf 1
[Router-ospf-1] area 0
[Router-ospf-1-area-0.0.0.0] network 1.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 2.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 3.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 4.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 5.6.1.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Router] mpls lsr-id 5.5.5.5
[Router] mpls ldp
[Router-ldp] quit
# Enable MPLS and IPv4 LDP on the interfaces.
[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5
[Router-if-range] mpls enable
[Router-if-range] mpls ldp enable
[Router-if-range] quit
(1) Configure interface IP addresses
# Assign the IP address of each interface as planned in the network diagram table. The steps are as follows.
<Hub1> system-view
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] ip address 1.5.1.1 30
[Hub1-GigabitEthernet1/0/1] quit
[Hub1] interface loopback 0
[Hub1-LoopBack0] ip address 1.1.1.1 32
[Hub1-LoopBack0] quit
(2) Assign interfaces to security zones.
# Add each interface to its security zone as planned in the network diagram. The steps are as follows.
[Hub1] security-zone name untrust
[Hub1-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Hub1-security-zone-Untrust] quit
(3) Configure security policies
# Configure a security policy rule named publicout so that Hub1 can send protocol and service packets to the public network. The steps are as follows.
[Hub1] security-policy ip
[Hub1-security-policy-ip] rule name publicout
[Hub1-security-policy-ip-0-publicout] source-zone local
[Hub1-security-policy-ip-0-publicout] destination-zone untrust
[Hub1-security-policy-ip-0-publicout] action pass
[Hub1-security-policy-ip-0-publicout] quit
# Configure a security policy rule named publicin so that Hub1 can receive protocol and service packets from the public network. The steps are as follows.
[Hub1-security-policy-ip] rule name publicin
[Hub1-security-policy-ip-1-publicin] source-zone untrust
[Hub1-security-policy-ip-1-publicin] destination-zone local
[Hub1-security-policy-ip-1-publicin] action pass
[Hub1-security-policy-ip-1-publicin] quit
# Configure a security policy rule named private so that Hub1 can forward service packets between spokes. The steps are as follows.
[Hub1-security-policy-ip] rule name private
[Hub1-security-policy-ip-2-private] source-zone untrust
[Hub1-security-policy-ip-2-private] destination-zone untrust
[Hub1-security-policy-ip-2-private] action pass
[Hub1-security-policy-ip-2-private] quit
[Hub1-security-policy-ip] quit
(4) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[Hub1-ospf-1-area-0.0.0.0] network 1.5.1.1 0.0.0.3
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit
(5) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Hub1] mpls lsr-id 1.1.1.1
[Hub1] mpls ldp
[Hub1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] mpls enable
[Hub1-GigabitEthernet1/0/1] mpls ldp enable
[Hub1-GigabitEthernet1/0/1] quit
(6) Configure the VAM client
# Create VAM client Hub1.
[Hub1] vam client name Hub1
# Specify ADVPN domain abc for the VAM client.
[Hub1-vam-client-Hub1] advpn-domain abc
# Set the pre-shared key of the VAM client to 123456.
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
# Set the authentication username of the VAM client to hub1 and the password to hub1.
[Hub1-vam-client-Hub1] user hub1 password simple hub1
# Specify the IP addresses of the VAM servers.
[Hub1-vam-client-Hub1] server primary ip-address 6.6.6.6
[Hub1-vam-client-Hub1] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit
(7) Configure an IPsec profile
# Configure an IKE profile.
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# Configure an IPsec profile.
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
(8) Configure the ADVPN tunnel
# Configure IPv4 ADVPN tunnel interface Tunnel1 with GRE encapsulation.
[Hub1] interface tunnel 1 mode advpn gre
[Hub1-Tunnel1] ip address 192.168.0.1 24
[Hub1-Tunnel1] vam client Hub1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] source loopback 0
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] quit
(9) Configure OSPF routing
# Advertise the private-network routes.
[Hub1] ospf 2
[Hub1-ospf-2] area 0
[Hub1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-2-area-0.0.0.0] quit
[Hub1-ospf-2] quit
(1) Configure interface IP addresses
# Assign the IP address of each interface as planned in the network diagram table. The steps are as follows.
<Hub2> system-view
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] ip address 2.5.1.1 30
[Hub2-GigabitEthernet1/0/1] quit
[Hub2] interface loopback 0
[Hub2-LoopBack0] ip address 2.2.2.2 32
[Hub2-LoopBack0] quit
(2) Assign interfaces to security zones.
# Add each interface to its security zone as planned in the network diagram. The steps are as follows.
[Hub2] security-zone name untrust
[Hub2-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Hub2-security-zone-Untrust] quit
(3) Configure security policies
# Configure a security policy rule named publicout so that Hub2 can send protocol and service packets to the public network. The steps are as follows.
[Hub2] security-policy ip
[Hub2-security-policy-ip] rule name publicout
[Hub2-security-policy-ip-0-publicout] source-zone local
[Hub2-security-policy-ip-0-publicout] destination-zone untrust
[Hub2-security-policy-ip-0-publicout] action pass
[Hub2-security-policy-ip-0-publicout] quit
# Configure a security policy rule named publicin so that Hub2 can receive protocol and service packets from the public network. The steps are as follows.
[Hub2-security-policy-ip] rule name publicin
[Hub2-security-policy-ip-1-publicin] source-zone untrust
[Hub2-security-policy-ip-1-publicin] destination-zone local
[Hub2-security-policy-ip-1-publicin] action pass
[Hub2-security-policy-ip-1-publicin] quit
# Configure a security policy rule named private so that Hub2 can forward service packets between spokes. The steps are as follows.
[Hub2-security-policy-ip] rule name private
[Hub2-security-policy-ip-2-private] source-zone untrust
[Hub2-security-policy-ip-2-private] destination-zone untrust
[Hub2-security-policy-ip-2-private] action pass
[Hub2-security-policy-ip-2-private] quit
[Hub2-security-policy-ip] quit
(4) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[Hub2-ospf-1-area-0.0.0.0] network 2.5.1.1 0.0.0.3
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit
(5) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Hub2] mpls lsr-id 2.2.2.2
[Hub2] mpls ldp
[Hub2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] mpls enable
[Hub2-GigabitEthernet1/0/1] mpls ldp enable
[Hub2-GigabitEthernet1/0/1] quit
(6) Configure the VAM client
# Create VAM client Hub2.
[Hub2] vam client name Hub2
# Specify ADVPN domain abc for the VAM client.
[Hub2-vam-client-Hub2] advpn-domain abc
# Set the pre-shared key of the VAM client to 123456.
[Hub2-vam-client-Hub2] pre-shared-key simple 123456
# Set the authentication username of the VAM client to hub2 and the password to hub2.
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# Specify the IP addresses of the VAM servers.
[Hub2-vam-client-Hub2] server primary ip-address 6.6.6.6
[Hub2-vam-client-Hub2] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
(7) Configure an IPsec profile
# Configure an IKE profile.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# Configure an IPsec profile.
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
(8) Configure the ADVPN tunnel
# Configure IPv4 ADVPN tunnel interface Tunnel1 with GRE encapsulation.
[Hub2] interface tunnel 1 mode advpn gre
[Hub2-Tunnel1] ip address 192.168.0.2 24
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] source loopback 0
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit
(9) Configure OSPF routing
# Advertise the private-network routes.
[Hub2] ospf 2
[Hub2-ospf-2] area 0
[Hub2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-2-area-0.0.0.0] quit
[Hub2-ospf-2] quit
(1) Configure interface IP addresses
# Assign the IP address of each interface as planned in the network diagram table. The steps are as follows.
<Spoke1> system-view
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] ip address 3.5.1.1 30
[Spoke1-GigabitEthernet1/0/1] quit
[Spoke1] interface gigabitethernet 1/0/2
[Spoke1-GigabitEthernet1/0/2] ip address 192.168.1.1 24
[Spoke1-GigabitEthernet1/0/2] quit
[Spoke1] interface loopback 0
[Spoke1-LoopBack0] ip address 3.3.3.3 32
[Spoke1-LoopBack0] quit
(2) Assign interfaces to security zones.
# Add each interface to its security zone as planned in the network diagram. The steps are as follows.
[Spoke1] security-zone name untrust
[Spoke1-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Spoke1-security-zone-Untrust] quit
[Spoke1] security-zone name trust
[Spoke1-security-zone-Trust] import interface gigabitethernet 1/0/2
[Spoke1-security-zone-Trust] quit
(3) Configure security policies
# Configure a security policy rule named publicout so that Spoke1 can send protocol and service packets to the public network. The steps are as follows.
[Spoke1] security-policy ip
[Spoke1-security-policy-ip] rule name publicout
[Spoke1-security-policy-ip-0-publicout] source-zone local
[Spoke1-security-policy-ip-0-publicout] destination-zone untrust
[Spoke1-security-policy-ip-0-publicout] action pass
[Spoke1-security-policy-ip-0-publicout] quit
# Configure a security policy rule named publicin so that Spoke1 can receive protocol and service packets from the public network. The steps are as follows.
[Spoke1-security-policy-ip] rule name publicin
[Spoke1-security-policy-ip-1-publicin] source-zone untrust
[Spoke1-security-policy-ip-1-publicin] destination-zone local
[Spoke1-security-policy-ip-1-publicin] action pass
[Spoke1-security-policy-ip-1-publicin] quit
# Configure a security policy rule named privateout so that Spoke1 can send private-network service packets to the public network. The steps are as follows.
[Spoke1-security-policy-ip] rule name privateout
[Spoke1-security-policy-ip-2-private] source-zone trust
[Spoke1-security-policy-ip-2-private] destination-zone untrust
[Spoke1-security-policy-ip-2-private] action pass
[Spoke1-security-policy-ip-2-private] quit
# Configure a security policy rule named privatein so that Spoke1 can receive private-network service packets from the public network. The steps are as follows.
[Spoke1-security-policy-ip] rule name privatein
[Spoke1-security-policy-ip-3-privatein] source-zone untrust
[Spoke1-security-policy-ip-3-privatein] destination-zone trust
[Spoke1-security-policy-ip-3-privatein] action pass
[Spoke1-security-policy-ip-3-privatein] quit
[Spoke1-security-policy-ip] quit
(4) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Spoke1] ospf 1
[Spoke1-ospf-1] area 0
[Spoke1-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 3.5.1.1 0.0.0.3
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
(5) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Spoke1] mpls lsr-id 3.3.3.3
[Spoke1] mpls ldp
[Spoke1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] mpls enable
[Spoke1-GigabitEthernet1/0/1] mpls ldp enable
[Spoke1-GigabitEthernet1/0/1] quit
(6) Configure the VAM client
# Create VAM client Spoke1.
[Spoke1] vam client name Spoke1
# Specify ADVPN domain abc for the VAM client.
[Spoke1-vam-client-Spoke1] advpn-domain abc
# Set the pre-shared key of the VAM client to 123456.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# Set the authentication username of the VAM client to spoke1 and the password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Specify the IP addresses of the VAM servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 6.6.6.6
[Spoke1-vam-client-Spoke1] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
(7) Configure an IPsec profile
# Configure an IKE profile.
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# Configure an IPsec profile.
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
(8) Configure the ADVPN tunnel
# Configure IPv4 ADVPN tunnel interface Tunnel1 with GRE encapsulation.
[Spoke1] interface tunnel 1 mode advpn gre
[Spoke1-Tunnel1] ip address 192.168.0.3 24
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source loopback 0
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit
(9) Configure OSPF routing
# Advertise the private-network routes.
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] quit
[Spoke1-ospf-2] quit
(1) Configure interface IP addresses
# Assign the IP address of each interface as planned in the network diagram table. The steps are as follows.
<Spoke2> system-view
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] ip address 4.5.1.1 30
[Spoke2-GigabitEthernet1/0/1] quit
[Spoke2] interface gigabitethernet 1/0/2
[Spoke2-GigabitEthernet1/0/2] ip address 192.168.2.1 24
[Spoke2-GigabitEthernet1/0/2] quit
[Spoke2] interface loopback 0
[Spoke2-LoopBack0] ip address 4.4.4.4 32
[Spoke2-LoopBack0] quit
(2) Assign interfaces to security zones.
# Add each interface to its security zone as planned in the network diagram. The steps are as follows.
[Spoke2] security-zone name untrust
[Spoke2-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Spoke2-security-zone-Untrust] quit
[Spoke2] security-zone name trust
[Spoke2-security-zone-Trust] import interface gigabitethernet 1/0/2
[Spoke2-security-zone-Trust] quit
(3) Configure security policies
# Configure a security policy rule named publicout so that Spoke2 can send protocol and service packets to the public network. The steps are as follows.
[Spoke2] security-policy ip
[Spoke2-security-policy-ip] rule name publicout
[Spoke2-security-policy-ip-0-publicout] source-zone local
[Spoke2-security-policy-ip-0-publicout] destination-zone untrust
[Spoke2-security-policy-ip-0-publicout] action pass
[Spoke2-security-policy-ip-0-publicout] quit
# Configure a security policy rule named publicin so that Spoke2 can receive protocol and service packets from the public network. The steps are as follows.
[Spoke2-security-policy-ip] rule name publicin
[Spoke2-security-policy-ip-1-publicin] source-zone untrust
[Spoke2-security-policy-ip-1-publicin] destination-zone local
[Spoke2-security-policy-ip-1-publicin] action pass
[Spoke2-security-policy-ip-1-publicin] quit
# Configure a security policy rule named privateout so that Spoke2 can send private-network service packets to the public network. The steps are as follows.
[Spoke2-security-policy-ip] rule name privateout
[Spoke2-security-policy-ip-2-private] source-zone trust
[Spoke2-security-policy-ip-2-private] destination-zone untrust
[Spoke2-security-policy-ip-2-private] action pass
[Spoke2-security-policy-ip-2-private] quit
# Configure a security policy rule named privatein so that Spoke2 can receive private-network service packets from the public network. The steps are as follows.
[Spoke2-security-policy-ip] rule name privatein
[Spoke2-security-policy-ip-3-privatein] source-zone untrust
[Spoke2-security-policy-ip-3-privatein] destination-zone trust
[Spoke2-security-policy-ip-3-privatein] action pass
[Spoke2-security-policy-ip-3-privatein] quit
[Spoke2-security-policy-ip] quit
(4) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Spoke2] ospf 1
[Spoke2-ospf-1] area 0
[Spoke2-ospf-1-area-0.0.0.0] network 4.4.4.4 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 4.5.1.1 0.0.0.3
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit
(5) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Spoke2] mpls lsr-id 4.4.4.4
[Spoke2] mpls ldp
[Spoke2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] mpls enable
[Spoke2-GigabitEthernet1/0/1] mpls ldp enable
[Spoke2-GigabitEthernet1/0/1] quit
(6) Configure the VAM client
# Create VAM client Spoke2.
[Spoke2] vam client name Spoke2
# Specify ADVPN domain abc for the VAM client.
[Spoke2-vam-client-Spoke2] advpn-domain abc
# Set the pre-shared key of the VAM client to 123456.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# Set the authentication username of the VAM client to spoke2 and the password to spoke2.
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# Specify the IP addresses of the VAM servers.
[Spoke2-vam-client-Spoke2] server primary ip-address 6.6.6.6
[Spoke2-vam-client-Spoke2] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
(7) Configure an IPsec profile
# Configure an IKE profile.
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# Configure an IPsec profile.
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit
(8) Configure the ADVPN tunnel
# Configure IPv4 ADVPN tunnel interface Tunnel1 with GRE encapsulation.
[Spoke2] interface tunnel 1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 24
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] source loopback 0
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit
(9) Configure OSPF routing
# Advertise the private-network routes.
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] quit
[Spoke2-ospf-2] quit
# Display the IPv4 private address mappings of all VAM clients registered with the primary VAM server.
[Primaryserver] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 10M 30S
0 192.168.0.2 2.2.2.2 Hub No 0H 10M 31S
0 192.168.0.3 3.3.3.3 Spoke No 0H 9M 27S
0 192.168.0.4 4.4.4.4 Spoke No 0H 9M 51S
# Display the IPv4 private address mappings of all VAM clients registered with the secondary VAM server.
[Secondaryserver] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 11M 49S
0 192.168.0.2 2.2.2.2 Hub No 0H 11M 50S
0 192.168.0.3 3.3.3.3 Spoke No 0H 10M 45S
0 192.168.0.4 4.4.4.4 Spoke No 0H 11M 10S
The output shows that Hub1, Hub2, Spoke1, and Spoke2 have all registered their address mappings with the VAM servers.
# Display the IPv4 ADVPN tunnel information on Hub1.
[Hub1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.2 2.2.2.2 -- H-H Success 0H 12M 23S
192.168.0.3 3.3.3.3 -- H-S Success 0H 11M 19S
192.168.0.4 4.4.4.4 -- H-S Success 0H 11M 44S
The output shows that Hub1 has established permanent tunnels with Hub2, Spoke1, and Spoke2. The output on Hub2 is similar.
# Display the IPv4 ADVPN tunnel information on Spoke1.
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 11M 0S
192.168.0.2 2.2.2.2 -- S-H Success 0H 11M 0S
The output shows that Spoke1 has established permanent hub-spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar.
# On Spoke1, ping the private address 192.168.2.1 of Spoke2.
[Spoke1] ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms
# Display the IPv4 ADVPN tunnel information on Spoke1 again. A temporary IPv4 ADVPN tunnel to Spoke2 has now been established.
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 12M 44S
192.168.0.2 2.2.2.2 -- S-H Success 0H 12M 44S
192.168.0.4 4.4.4.4 -- S-S Success 0H 1M 0S
The output shows that Spoke1 has established permanent hub-spoke tunnels with Hub1 and Hub2 and a temporary spoke-spoke tunnel with Spoke2. The output on Spoke2 is similar.
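The two kinds of display output above (the server's address map and a node's session table) can be checked automatically instead of by eye, which matters once a domain has more than a handful of spokes. The following Python script is an added example and not part of the H3C document: it parses the `display vam server address-map` and `display advpn session` output copied from this page and compares it with an expectation table built from the network plan. The EXPECTED_MAPPINGS table, the function names, and the rule that a hub must hold a Success session to every other registered node are this example's own assumptions.

```python
"""Verify ADVPN registrations and hub sessions from Comware 'display' output.

Added example, not H3C code. The two text samples are copied from the display
output on this page; EXPECTED_MAPPINGS is an assumption built from the plan.
"""
import re

# Copied from "display vam server address-map" on the primary server above.
ADDRESS_MAP_OUTPUT = """\
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 10M 30S
0 192.168.0.2 2.2.2.2 Hub No 0H 10M 31S
0 192.168.0.3 3.3.3.3 Spoke No 0H 9M 27S
0 192.168.0.4 4.4.4.4 Spoke No 0H 9M 51S
"""

# Copied from "display advpn session" on Hub1 above.
HUB1_SESSION_OUTPUT = """\
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.2 2.2.2.2 -- H-H Success 0H 12M 23S
192.168.0.3 3.3.3.3 -- H-S Success 0H 11M 19S
192.168.0.4 4.4.4.4 -- H-S Success 0H 11M 44S
"""

# Assumption: what the operator expects, derived from the network plan table.
EXPECTED_MAPPINGS = {
    "192.168.0.1": ("1.1.1.1", "Hub"),
    "192.168.0.2": ("2.2.2.2", "Hub"),
    "192.168.0.3": ("3.3.3.3", "Spoke"),
    "192.168.0.4": ("4.4.4.4", "Spoke"),
}

# Data rows only; the banner and header lines do not match these patterns.
MAP_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(Hub|Spoke)\s+(Yes|No)\s+(.*)$")
SESSION_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([HS]-[HS])\s+(\S+)\s+(.*)$")


def parse_address_map(text):
    """Return {private: (public, type, nat)} from 'display vam server address-map'."""
    mappings = {}
    for line in text.splitlines():
        m = MAP_ROW.match(line.strip())
        if m:
            _group, private, public, kind, nat, _hold = m.groups()
            mappings[private] = (public, kind, nat)
    return mappings


def parse_sessions(text):
    """Return [(private, public, type, state)] from 'display advpn session'."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_ROW.match(line.strip())
        if m:
            private, public, _port, kind, state, _hold = m.groups()
            sessions.append((private, public, kind, state))
    return sessions


def check_registrations(text, expected):
    """List nodes that are missing, registered with the wrong public address or
    type, or registered although they are not in the plan at all."""
    found = parse_address_map(text)
    problems = []
    for private, (public, kind) in expected.items():
        if private not in found:
            problems.append(f"missing: {private}")
        elif found[private][:2] != (public, kind):
            problems.append(f"mismatch: {private} registered as {found[private][:2]}")
    for private in found:
        if private not in expected:
            problems.append(f"unexpected: {private} -> {found[private][0]}")
    return problems


def check_hub_sessions(text, hub_private, expected):
    """A hub should hold a Success session to every other node in the plan:
    H-H to the other hub(s) and H-S to each spoke (permanent tunnels)."""
    sessions = {s[0]: s for s in parse_sessions(text)}
    problems = []
    for private, (_public, kind) in expected.items():
        if private == hub_private:
            continue
        s = sessions.get(private)
        if s is None:
            problems.append(f"no session to {private}")
        elif s[3] != "Success":
            problems.append(f"session to {private} in state {s[3]}")
        elif s[2] != ("H-H" if kind == "Hub" else "H-S"):
            problems.append(f"session to {private} has type {s[2]}")
    return problems


if __name__ == "__main__":
    print("registrations:", check_registrations(ADDRESS_MAP_OUTPUT, EXPECTED_MAPPINGS) or "ok")
    print("hub1 sessions:", check_hub_sessions(HUB1_SESSION_OUTPUT, "192.168.0.1", EXPECTED_MAPPINGS) or "ok")
```

Run against the page's own output both checks return an empty list; a client registering with a private address that is not in the plan, or a hub-spoke session stuck in a state other than Success, shows up as a named problem rather than as an extra line the eye has to catch.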
· Primary server:
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 6.6.6.6 0.0.0.0
#
mpls lsr-id 6.6.6.6
#
mpls ldp
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 5.6.1.3 255.255.255.0
mpls enable
mpls ldp enable
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
security-policy ip
rule 0 name publicout
action pass
source-zone local
destination-zone untrust
rule 1 name publicin
action pass
source-zone untrust
destination-zone local
#
· Secondary server:
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 7.7.7.7 0.0.0.0
#
mpls lsr-id 7.7.7.7
#
mpls ldp
#
interface LoopBack0
ip address 7.7.7.7 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 5.6.1.4 255.255.255.0
mpls enable
mpls ldp enable
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
security-policy ip
rule 0 name publicout
action pass
source-zone local
destination-zone untrust
rule 1 name publicin
action pass
source-zone untrust
destination-zone local
#
· Router:
#
ospf 1
area 0.0.0.0
network 1.5.1.0 0.0.0.3
network 2.5.1.0 0.0.0.3
network 3.5.1.0 0.0.0.3
network 4.5.1.0 0.0.0.3
network 5.5.5.5 0.0.0.0
network 5.6.1.0 0.0.0.255
#
mpls lsr-id 5.5.5.5
#
mpls ldp
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 1.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 2.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/3
ip address 3.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/4
ip address 4.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/5
ip address 5.6.1.1 255.255.255.0
mpls enable
mpls ldp enable
#
· Hub1:
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 1.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 1.1.1.1
#
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 1.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.1 255.255.255.0
ospf network-type broadcast
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub1
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub1 password simple hub1
client enable
#
security-policy ip
rule 0 name publicout
action pass
source-zone local
destination-zone untrust
rule 1 name publicin
action pass
source-zone untrust
destination-zone local
rule 2 name private
action pass
source-zone untrust
destination-zone untrust
#
· Hub2:
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 2.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 2.2.2.2
#
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 2.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.2 255.255.255.0
ospf network-type broadcast
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub2 password simple hub2
client enable
#
security-policy ip
rule 0 name publicout
action pass
source-zone local
destination-zone untrust
rule 1 name publicin
action pass
source-zone untrust
destination-zone local
rule 2 name private
action pass
source-zone untrust
destination-zone untrust
#
· Spoke1:
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 3.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
mpls lsr-id 3.3.3.3
#
mpls ldp
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 3.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.3 255.255.255.0
ospf network-type broadcast
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke1
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke1 password simple spoke1
client enable
#
security-policy ip
rule 0 name publicout
action pass
source-zone local
destination-zone untrust
rule 1 name publicin
action pass
source-zone untrust
destination-zone local
rule 2 name privateout
action pass
source-zone trust
destination-zone untrust
rule 3 name privatein
action pass
source-zone untrust
destination-zone trust
#
· Spoke2:
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 4.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
mpls lsr-id 4.4.4.4
#
mpls ldp
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 4.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 192.168.2.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.4 255.255.255.0
ospf network-type broadcast
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke2
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke2 password simple spoke2
client enable
#
security-policy ip
rule 0 name publicout
action pass
source-zone local
destination-zone untrust
rule 1 name publicin
action pass
source-zone untrust
destination-zone local
rule 2 name privateout
action pass
source-zone trust
destination-zone untrust
rule 3 name privatein
action pass
source-zone untrust
destination-zone trust
#
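The configuration files above are the artefact an operator actually reviews or diffs later, so the points a reviewer checks by hand are worth automating: every security-policy rule carries an explicit action, the IPsec transform set uses an encryption algorithm from an allowlist, and the IKE keychain pre-shared key is bound to a specific peer address rather than to 0.0.0.0. The following Python script is an added example and not H3C code. Its sample config is a constructed, abridged copy of the Hub1 file above in which the publicout rule is deliberately left without an action line so the check has something to find; the allowlist, the section-splitting on lines containing only `#`, and the finding messages are this example's own assumptions.

```python
"""Audit a Comware-style configuration file for ADVPN/IPsec review points.

Added example, not H3C code. SAMPLE_CONFIG is constructed from the Hub1
configuration file on this page (abridged, with the publicout rule's action
line deliberately omitted). The allowlist and messages are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample: an abridged copy of the Hub1 configuration file above.
SAMPLE_CONFIG = """\
#
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
security-policy ip
 rule 0 name publicout
  source-zone local
  destination-zone untrust
 rule 1 name publicin
  action pass
  source-zone untrust
  destination-zone local
 rule 2 name private
  action pass
  source-zone untrust
  destination-zone untrust
#
"""

# ESP encryption algorithms this audit accepts (assumption for the example).
ALLOWED_ESP_ENCRYPTION = {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256"}


def split_sections(config: str) -> List[List[str]]:
    """Split the config into sections; a line containing only '#' ends one."""
    sections, current = [], []
    for raw in config.splitlines():
        line = raw.rstrip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line.strip():
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit_config(config: str) -> List[str]:
    """Return one finding string per issue, in configuration order."""
    findings = []
    for section in split_sections(config):
        head = section[0].strip()
        body = [line.strip() for line in section[1:]]
        if head.startswith("ipsec transform-set"):
            name = head.split()[-1]
            for line in body:
                m = re.match(r"esp encryption-algorithm (\S+)", line)
                if m and m.group(1) not in ALLOWED_ESP_ENCRYPTION:
                    findings.append(f"transform-set {name}: weak ESP encryption {m.group(1)}")
        elif head.startswith("ike keychain"):
            name = head.split()[-1]
            for line in body:
                # A 0.0.0.0 address with a zero mask accepts any IKE peer.
                if re.match(r"pre-shared-key address 0\.0\.0\.0 (0|0\.0\.0\.0) ", line):
                    findings.append(f"ike keychain {name}: pre-shared key matches any peer address")
        elif head.startswith("security-policy"):
            # Group each rule's child lines under its name.
            rules: Dict[str, List[str]] = {}
            current = None
            for line in body:
                m = re.match(r"rule \d+ name (\S+)", line)
                if m:
                    current = m.group(1)
                    rules[current] = []
                elif current is not None:
                    rules[current].append(line)
            for rule, lines in rules.items():
                if not any(line.startswith("action ") for line in lines):
                    findings.append(f"security-policy rule {rule}: no explicit action (default applies)")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

The script reads only the text the device prints, so it can be pointed at a saved `display current-configuration` capture from each node. Extending it to the spoke files is a matter of feeding them in; the checks are the same.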
This example was configured and verified on an F5000-AI160 running Release E8371.
· The hubs, spokes, Router, and servers dynamically establish LSPs through MPLS LDP so that traffic between their loopback addresses is carried over MPLS.
· In the IPv4 hub-spoke network, data is forwarded over the hub-spoke tunnels. The primary and secondary VAM servers manage and maintain the information of each node; the AAA server authenticates VAM clients and performs accounting; the two hubs back each other up and are responsible for forwarding data and exchanging routing information.
· Permanent ADVPN tunnels are established between the spokes and the hubs.
Table 1-4 IPv4 Hub-Spoke ADVPN over MPLS network diagram

| Device | Interface | IP address | Device | Interface | IP address |
| --- | --- | --- | --- | --- | --- |
| Hub 1 | GE1/0/1 | 1.5.1.1/30 | Spoke 1 | GE1/0/1 | 3.5.1.1/30 |
| | Loopback0 | 1.1.1.1/32 | | Loopback0 | 3.3.3.3/32 |
| | Tunnel1 | 192.168.0.1/24 | | Tunnel1 | 192.168.0.3/24 |
| Hub 2 | GE1/0/1 | 2.5.1.1/30 | | GE1/0/2 | 192.168.1.1/24 |
| | Loopback0 | 2.2.2.2/32 | Spoke 2 | GE1/0/1 | 4.5.1.1/30 |
| | Tunnel1 | 192.168.0.2/24 | | Loopback0 | 4.4.4.4/32 |
| Router | GE1/0/1 | 1.5.1.2/30 | | Tunnel1 | 192.168.0.4/24 |
| | GE1/0/2 | 2.5.1.2/30 | | GE1/0/2 | 192.168.2.1/24 |
| | GE1/0/3 | 3.5.1.2/30 | Primary server | GE1/0/1 | 5.6.1.3/24 |
| | GE1/0/4 | 4.5.1.2/30 | | Loopback0 | 6.6.6.6/32 |
| | GE1/0/5 | 5.6.1.1/24 | Secondary server | GE1/0/1 | 5.6.1.4/24 |
| | Loopback0 | 5.5.5.5/32 | | Loopback0 | 7.7.7.7/32 |
| AAA server | | 5.6.1.2/24 | | | |
(1) Configure interface IP addresses
# Assign the IP address of each interface as planned in the network diagram table. The steps are as follows.
<Primary server> system-view
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] ip address 5.6.1.3 24
[Primary server-GigabitEthernet1/0/1] quit
[Primary server] interface loopback 0
[Primary server-LoopBack0] ip address 6.6.6.6 32
[Primary server-LoopBack0] quit
(2) Configure OSPF routing for the public network
# Configure OSPF process 1 to advertise the public network routes.
[Primary server] ospf 1
[Primary server-ospf-1] area 0
[Primary server-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0
[Primary server-ospf-1-area-0.0.0.0] network 5.6.1.3 0.0.0.255
[Primary server-ospf-1-area-0.0.0.0] quit
[Primary server-ospf-1] quit
(3) Configure IS-IS routing for the public network
# Configure IS-IS to advertise the public network routes.
[Primary server] isis 1
[Primary server-isis-1] network-entity 49.0001.0060.0600.6006.00
[Primary server-isis-1] is-level level-2
[Primary server-isis-1] quit
[Primary server] interface range gigabitethernet 1/0/1 loopback 0
[Primary server-if-range] isis enable 1
[Primary server-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Primary server] mpls lsr-id 6.6.6.6
[Primary server] mpls ldp
[Primary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] mpls enable
[Primary server-GigabitEthernet1/0/1] mpls ldp enable
[Primary server-GigabitEthernet1/0/1] quit
(5) Configure AAA authentication
# Configure the RADIUS scheme.
[Primary server] radius scheme abc
[Primary server-radius-abc] primary authentication 5.6.1.2 1812
[Primary server-radius-abc] primary accounting 5.6.1.2 1813
[Primary server-radius-abc] key authentication simple 123
[Primary server-radius-abc] key accounting simple 123
[Primary server-radius-abc] user-name-format without-domain
[Primary server-radius-abc] quit
[Primary server] radius session-control enable
# Configure the AAA methods for the ISP domain.
[Primary server] domain abc
[Primary server-isp-abc] authentication advpn radius-scheme abc
[Primary server-isp-abc] accounting advpn radius-scheme abc
[Primary server-isp-abc] quit
[Primary server] domain default enable abc
(6) Configure the VAM Server
# Create ADVPN domain abc.
[Primary server] vam server advpn-domain abc id 1
# Create hub group 0.
[Primary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the Hubs in the hub group.
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the Spokes in the hub group.
[Primary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Primary server-vam-server-domain-abc-hub-group-0] quit
# Set the VAM Server pre-shared key to 123456.
[Primary server-vam-server-domain-abc] pre-shared-key simple 123456
# Configure CHAP authentication for VAM Clients.
[Primary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM Server function for this ADVPN domain.
[Primary server-vam-server-domain-abc] server enable
[Primary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram. The detailed steps are as follows.
<Secondary server> system-view
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] ip address 5.6.1.4 24
[Secondary server-GigabitEthernet1/0/1] quit
[Secondary server] interface loopback 0
[Secondary server-LoopBack0] ip address 7.7.7.7 32
[Secondary server-LoopBack0] quit
(2) Configure OSPF routing for the public network
# Configure OSPF process 1 to advertise the public network routes.
[Secondary server] ospf 1
[Secondary server-ospf-1] area 0
[Secondary server-ospf-1-area-0.0.0.0] network 7.7.7.7 0.0.0.0
[Secondary server-ospf-1-area-0.0.0.0] network 5.6.1.4 0.0.0.255
[Secondary server-ospf-1-area-0.0.0.0] quit
[Secondary server-ospf-1] quit
(3) Configure IS-IS routing for the public network
# Configure IS-IS to advertise the public network routes.
[Secondary server] isis 1
[Secondary server-isis-1] network-entity 49.0001.0070.0700.7007.00
[Secondary server-isis-1] is-level level-2
[Secondary server-isis-1] quit
[Secondary server] interface range gigabitethernet 1/0/1 loopback 0
[Secondary server-if-range] isis enable 1
[Secondary server-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Secondary server] mpls lsr-id 7.7.7.7
[Secondary server] mpls ldp
[Secondary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] mpls enable
[Secondary server-GigabitEthernet1/0/1] mpls ldp enable
[Secondary server-GigabitEthernet1/0/1] quit
(5) Configure AAA authentication
# Configure the RADIUS scheme.
[Secondary server] radius scheme abc
[Secondary server-radius-abc] primary authentication 5.6.1.2 1812
[Secondary server-radius-abc] primary accounting 5.6.1.2 1813
[Secondary server-radius-abc] key authentication simple 123
[Secondary server-radius-abc] key accounting simple 123
[Secondary server-radius-abc] user-name-format without-domain
[Secondary server-radius-abc] quit
[Secondary server] radius session-control enable
# Configure the AAA methods for the ISP domain.
[Secondary server] domain abc
[Secondary server-isp-abc] authentication advpn radius-scheme abc
[Secondary server-isp-abc] accounting advpn radius-scheme abc
[Secondary server-isp-abc] quit
[Secondary server] domain default enable abc
(6) Configure the VAM Server
# Create ADVPN domain abc.
[Secondary server] vam server advpn-domain abc id 1
# Create hub group 0.
[Secondary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the Hubs in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the Spokes in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Secondary server-vam-server-domain-abc-hub-group-0] quit
# Set the VAM Server pre-shared key to 123456.
[Secondary server-vam-server-domain-abc] pre-shared-key simple 123456
# Configure CHAP authentication for VAM Clients.
[Secondary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM Server function for this ADVPN domain.
[Secondary server-vam-server-domain-abc] server enable
[Secondary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram. The detailed steps are as follows.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 1.5.1.2 30
[Router-GigabitEthernet1/0/1] quit
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip address 2.5.1.2 30
[Router-GigabitEthernet1/0/2] quit
[Router] interface gigabitethernet 1/0/3
[Router-GigabitEthernet1/0/3] ip address 3.5.1.2 30
[Router-GigabitEthernet1/0/3] quit
[Router] interface gigabitethernet 1/0/4
[Router-GigabitEthernet1/0/4] ip address 4.5.1.2 30
[Router-GigabitEthernet1/0/4] quit
[Router] interface gigabitethernet 1/0/5
[Router-GigabitEthernet1/0/5] ip address 5.6.1.1 24
[Router-GigabitEthernet1/0/5] quit
[Router] interface loopback 0
[Router-LoopBack0] ip address 5.5.5.5 32
[Router-LoopBack0] quit
(2) Configure OSPF routing for the public network
# Configure OSPF process 1 to advertise the public network routes.
[Router] ospf 1
[Router-ospf-1] area 0
[Router-ospf-1-area-0.0.0.0] network 1.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 2.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 3.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 5.6.1.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit
(3) Configure IS-IS routing for the public network
# Configure IS-IS to advertise the public network routes.
[Router] isis 1
[Router-isis-1] network-entity 49.0001.0050.0500.5005.00
[Router-isis-1] is-level level-2
[Router-isis-1] quit
[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/4 gigabitethernet 1/0/5 loopback 0
[Router-if-range] isis enable 1
[Router-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Router] mpls lsr-id 5.5.5.5
[Router] mpls ldp
[Router-ldp] quit
# Enable MPLS and IPv4 LDP on the interfaces.
[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5
[Router-if-range] mpls enable
[Router-if-range] mpls ldp enable
[Router-if-range] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram. The detailed steps are as follows.
<Hub1> system-view
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] ip address 1.5.1.1 30
[Hub1-GigabitEthernet1/0/1] quit
[Hub1] interface loopback 0
[Hub1-LoopBack0] ip address 1.1.1.1 32
[Hub1-LoopBack0] quit
(2) Configure OSPF routing for the public network
# Configure OSPF process 1 to advertise the public network routes.
[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[Hub1-ospf-1-area-0.0.0.0] network 1.5.1.1 0.0.0.3
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit
(3) Configure IS-IS routing for the public network
# Configure IS-IS to advertise the public network routes.
[Hub1] isis 1
[Hub1-isis-1] network-entity 49.0001.0010.0100.1001.00
[Hub1-isis-1] is-level level-2
[Hub1-isis-1] quit
[Hub1] interface range gigabitethernet 1/0/1 loopback 0
[Hub1-if-range] isis enable 1
[Hub1-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Hub1] mpls lsr-id 1.1.1.1
[Hub1] mpls ldp
[Hub1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] mpls enable
[Hub1-GigabitEthernet1/0/1] mpls ldp enable
[Hub1-GigabitEthernet1/0/1] quit
(5) Configure the VAM Client
# Create VAM Client Hub1.
[Hub1] vam client name Hub1
# Set the ADVPN domain of the VAM Client to abc.
[Hub1-vam-client-Hub1] advpn-domain abc
# Set the VAM Client pre-shared key to 123456.
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
# Set the VAM Client authentication username to hub1 and the password to hub1.
[Hub1-vam-client-Hub1] user hub1 password simple hub1
# Configure the IP addresses of the VAM Servers.
[Hub1-vam-client-Hub1] server primary ip-address 6.6.6.6
[Hub1-vam-client-Hub1] server secondary ip-address 7.7.7.7
# Enable the VAM Client function.
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit
(6) Configure the IPsec profile
# Configure the IKE profile.
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# Configure the IPsec profile.
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
(7) Configure the ADVPN tunnel
# Configure IPv4 ADVPN tunnel interface Tunnel1 with GRE encapsulation.
[Hub1] interface tunnel 1 mode advpn gre
[Hub1-Tunnel1] ip address 192.168.0.1 24
[Hub1-Tunnel1] vam client Hub1
[Hub1-Tunnel1] ospf network-type p2mp
[Hub1-Tunnel1] source loopback 0
[Hub1-Tunnel1] tunnel protection ipsec profile abc
# Set the OSPF 2 cost of Hub1's private-network tunnel interface to 1, so that traffic between Spokes does not take different forward and return paths.
[Hub1-Tunnel1] ospf cost 1
[Hub1-Tunnel1] quit
(8) Configure OSPF routing
# Configure routing for the private network.
[Hub1] ospf 2
[Hub1-ospf-2] area 0
[Hub1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-2-area-0.0.0.0] quit
[Hub1-ospf-2] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram. The detailed steps are as follows.
<Hub2> system-view
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] ip address 2.5.1.1 30
[Hub2-GigabitEthernet1/0/1] quit
[Hub2] interface loopback 0
[Hub2-LoopBack0] ip address 2.2.2.2 32
[Hub2-LoopBack0] quit
(2) Configure OSPF routing for the public network
# Configure OSPF process 1 to advertise the public network routes.
[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[Hub2-ospf-1-area-0.0.0.0] network 2.5.1.1 0.0.0.3
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit
(3) Configure IS-IS routing for the public network
# Configure IS-IS to advertise the public network routes.
[Hub2] isis 1
[Hub2-isis-1] network-entity 49.0001.0020.0200.2002.00
[Hub2-isis-1] is-level level-2
[Hub2-isis-1] quit
[Hub2] interface range gigabitethernet 1/0/1 loopback 0
[Hub2-if-range] isis enable 1
[Hub2-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Hub2] mpls lsr-id 2.2.2.2
[Hub2] mpls ldp
[Hub2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] mpls enable
[Hub2-GigabitEthernet1/0/1] mpls ldp enable
[Hub2-GigabitEthernet1/0/1] quit
(5) Configure the VAM Client
# Create VAM Client Hub2.
[Hub2] vam client name Hub2
# Set the ADVPN domain of the VAM Client to abc.
[Hub2-vam-client-Hub2] advpn-domain abc
# Set the VAM Client pre-shared key to 123456.
[Hub2-vam-client-Hub2] pre-shared-key simple 123456
# Set the VAM Client authentication username to hub2 and the password to hub2.
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# Configure the IP addresses of the VAM Servers.
[Hub2-vam-client-Hub2] server primary ip-address 6.6.6.6
[Hub2-vam-client-Hub2] server secondary ip-address 7.7.7.7
# Enable the VAM Client function.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
(6) Configure the IPsec profile
# Configure the IKE profile.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# Configure the IPsec profile.
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
(7) Configure the ADVPN tunnel
# Configure IPv4 ADVPN tunnel interface Tunnel1 with GRE encapsulation.
[Hub2] interface tunnel 1 mode advpn gre
[Hub2-Tunnel1] ip address 192.168.0.2 24
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type p2mp
[Hub2-Tunnel1] source loopback 0
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit
(8) Configure OSPF routing
# Configure routing for the private network.
[Hub2] ospf 2
[Hub2-ospf-2] area 0
[Hub2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-2-area-0.0.0.0] quit
[Hub2-ospf-2] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram. The detailed steps are as follows.
<Spoke1> system-view
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] ip address 3.5.1.1 30
[Spoke1-GigabitEthernet1/0/1] quit
[Spoke1] interface gigabitethernet 1/0/2
[Spoke1-GigabitEthernet1/0/2] ip address 192.168.1.1 24
[Spoke1-GigabitEthernet1/0/2] quit
[Spoke1] interface loopback 0
[Spoke1-LoopBack0] ip address 3.3.3.3 32
[Spoke1-LoopBack0] quit
(2) Configure OSPF routing for the public network
# Configure OSPF process 1 to advertise the public network routes.
[Spoke1] ospf 1
[Spoke1-ospf-1] area 0
[Spoke1-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 3.5.1.1 0.0.0.3
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Spoke1] mpls lsr-id 3.3.3.3
[Spoke1] mpls ldp
[Spoke1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] mpls enable
[Spoke1-GigabitEthernet1/0/1] mpls ldp enable
[Spoke1-GigabitEthernet1/0/1] quit
(4) Configure the VAM Client
# Create VAM Client Spoke1.
[Spoke1] vam client name Spoke1
# Set the ADVPN domain of the VAM Client to abc.
[Spoke1-vam-client-Spoke1] advpn-domain abc
# Set the VAM Client pre-shared key to 123456.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# Set the VAM Client authentication username to spoke1 and the password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Configure the IP addresses of the VAM Servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 6.6.6.6
[Spoke1-vam-client-Spoke1] server secondary ip-address 7.7.7.7
# Enable the VAM Client function.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
(5) Configure the IPsec profile
# Configure the IKE profile.
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# Configure the IPsec profile.
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure IPv4 ADVPN tunnel interface Tunnel1 with GRE encapsulation.
[Spoke1] interface tunnel 1 mode advpn gre
[Spoke1-Tunnel1] ip address 192.168.0.3 24
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type p2mp
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source loopback 0
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit
(7) Configure OSPF routing
# Configure routing for the private network.
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] quit
[Spoke1-ospf-2] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram. The detailed steps are as follows.
<Spoke2> system-view
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] ip address 4.5.1.1 30
[Spoke2-GigabitEthernet1/0/1] quit
[Spoke2] interface gigabitethernet 1/0/2
[Spoke2-GigabitEthernet1/0/2] ip address 192.168.2.1 24
[Spoke2-GigabitEthernet1/0/2] quit
[Spoke2] interface loopback 0
[Spoke2-LoopBack0] ip address 4.4.4.4 32
[Spoke2-LoopBack0] quit
(2) Configure IS-IS routing for the public network
# Configure IS-IS to advertise the public network routes.
[Spoke2] isis 1
[Spoke2-isis-1] network-entity 49.0001.0040.0400.4004.00
[Spoke2-isis-1] is-level level-2
[Spoke2-isis-1] quit
[Spoke2] interface range gigabitethernet 1/0/1 loopback 0
[Spoke2-if-range] isis enable 1
[Spoke2-if-range] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally on the LSR.
[Spoke2] mpls lsr-id 4.4.4.4
[Spoke2] mpls ldp
[Spoke2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] mpls enable
[Spoke2-GigabitEthernet1/0/1] mpls ldp enable
[Spoke2-GigabitEthernet1/0/1] quit
(4) Configure the VAM Client
# Create VAM Client Spoke2.
[Spoke2] vam client name Spoke2
# Set the ADVPN domain of the VAM Client to abc.
[Spoke2-vam-client-Spoke2] advpn-domain abc
# Set the VAM Client pre-shared key to 123456.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# Set the VAM Client authentication username to spoke2 and the password to spoke2.
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# Configure the IP addresses of the VAM Servers.
[Spoke2-vam-client-Spoke2] server primary ip-address 6.6.6.6
[Spoke2-vam-client-Spoke2] server secondary ip-address 7.7.7.7
# Enable the VAM Client function.
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
(5) Configure the IPsec profile
# Configure the IKE profile.
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# Configure the IPsec profile.
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure IPv4 ADVPN tunnel interface Tunnel1 with GRE encapsulation.
[Spoke2] interface tunnel 1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 24
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type p2mp
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] source loopback 0
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit
(7) Configure OSPF routing
# Configure routing for the private network.
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] quit
[Spoke2-ospf-2] quit
# Display the IPv4 private address mappings of all VAM Clients registered with the primary VAM Server.
[Primaryserver]display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 5M 52S
0 192.168.0.2 2.2.2.2 Hub No 0H 4M 34S
0 192.168.0.3 3.3.3.3 Spoke No 0H 2M 52S
0 192.168.0.4 4.4.4.4 Spoke No 0H 1M 38S
# Display the IPv4 private address mappings of all VAM Clients registered with the secondary VAM Server.
[Secondaryserver]display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 6M 19S
0 192.168.0.2 2.2.2.2 Hub No 0H 5M 8S
0 192.168.0.3 3.3.3.3 Spoke No 0H 3M 35S
0 192.168.0.4 4.4.4.4 Spoke No 0H 2M 27S
The output above shows that Hub1, Hub2, Spoke1 and Spoke2 have all registered their address mapping information with the VAM Servers.
# Display the IPv4 ADVPN tunnel information on Hub1.
[Hub1]display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.2 2.2.2.2 -- H-H Success 0H 6M 33S
192.168.0.3 3.3.3.3 -- H-S Success 0H 4M 50S
192.168.0.4 4.4.4.4 -- H-S Success 0H 3M 36S
The output above shows that Hub1 has established permanent tunnels with Hub2, Spoke1 and Spoke2. The output on Hub2 is similar to that on Hub1.
# Display the IPv4 ADVPN tunnel information on Spoke1.
[Spoke1]display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 5M 25S
192.168.0.2 2.2.2.2 -- S-H Success 0H 5M 25S
The output above shows that Spoke1 has established permanent Hub-Spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar to that on Spoke1.
# On Spoke1, ping the private network address 192.168.2.1 of Spoke2.
[Spoke1]ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=254 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=254 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=254 time=3.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=254 time=2.000 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/2.000/3.000/0.632 ms
# Display the IPv4 ADVPN tunnel information on Spoke1 again. No temporary IPv4 ADVPN tunnel to Spoke2 has been created, which shows that the traffic between the Spokes is forwarded through the Hubs.
[Spoke1]display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 7M 43S
192.168.0.2 2.2.2.2 -- S-H Success 0H 7M 43S
The output on Spoke2 is similar to that on Spoke1.
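The two kinds of display output above can be checked mechanically rather than by eye. The following Python script is an added example and not part of the H3C document: it parses constructed copies of the `display vam server address-map` and `display advpn session` output and confirms the Hub-Spoke design of this example (domain abc, hubs 192.168.0.1 and 192.168.0.2, spokes inside 192.168.0.0/24, and no Spoke-Spoke session on a spoke). The function names are this example's own.

```python
"""Check H3C ADVPN 'display' output against the Hub-Spoke design of this example.
Added example, not from the H3C document; the sample outputs below are constructed
copies of the verification output shown above."""
import ipaddress
import re
from collections import namedtuple

# Constructed sample: 'display vam server address-map' on the primary server.
ADDRESS_MAP_OUTPUT = """\
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 5M 52S
0 192.168.0.2 2.2.2.2 Hub No 0H 4M 34S
0 192.168.0.3 3.3.3.3 Spoke No 0H 2M 52S
0 192.168.0.4 4.4.4.4 Spoke No 0H 1M 38S
"""

# Constructed sample: 'display advpn session' on Spoke1 after the ping to Spoke2.
SPOKE1_SESSIONS_OUTPUT = """\
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 7M 43S
192.168.0.2 2.2.2.2 -- S-H Success 0H 7M 43S
"""

Mapping = namedtuple("Mapping", "group private public kind nat")   # kind: Hub / Spoke
Session = namedtuple("Session", "private public kind state")       # kind: H-H, H-S, S-H, S-S

# Data rows only: the column headers start with a word, not a group number or address.
MAP_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(Hub|Spoke)\s+(Yes|No)\b")
SESSION_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([HS]-[HS])\s+(\S+)\b")


def parse_address_map(text):
    """Return (domain name, list of Mapping) from 'display vam server address-map'."""
    domain, mappings = None, []
    for line in text.splitlines():
        m = re.match(r"ADVPN domain name:\s*(\S+)", line)
        if m:
            domain = m.group(1)
            continue
        m = MAP_ROW.match(line)
        if m:
            mappings.append(Mapping(int(m.group(1)), m.group(2), m.group(3),
                                    m.group(4), m.group(5) == "Yes"))
    return domain, mappings


def parse_sessions(text):
    """Return the Session rows from 'display advpn session'."""
    rows = []
    for line in text.splitlines():
        m = SESSION_ROW.match(line)
        if m:
            rows.append(Session(m.group(1), m.group(2), m.group(4), m.group(5)))
    return rows


def check_hub_spoke(domain, mappings, spoke_sessions, expected_domain="abc",
                    hub_addrs=("192.168.0.1", "192.168.0.2"), spoke_net="192.168.0.0/24"):
    """Return findings as strings; an empty list means the state matches the design."""
    findings = []
    if domain != expected_domain:
        findings.append(f"server reports domain {domain!r}, expected {expected_domain!r}")
    hubs = {m.private for m in mappings if m.kind == "Hub"}
    if hubs != set(hub_addrs):
        findings.append(f"registered hubs {sorted(hubs)} differ from hub-group {sorted(hub_addrs)}")
    net = ipaddress.ip_network(spoke_net)
    for m in mappings:
        if m.kind == "Spoke" and ipaddress.ip_address(m.private) not in net:
            findings.append(f"spoke {m.private} is outside the spoke range {spoke_net}")
    for s in spoke_sessions:
        if s.state != "Success":
            findings.append(f"session to {s.private} is in state {s.state}")
        if s.kind != "S-H":
            # A spoke in the Hub-Spoke design only holds S-H sessions; an S-S entry
            # means a dynamic Spoke-Spoke tunnel bypassed the hubs.
            findings.append(f"unexpected {s.kind} session to {s.private} on a spoke")
        elif s.private not in hubs:
            findings.append(f"S-H session to {s.private}, which is not a registered hub")
    return findings
```

Feeding the real output of both commands into `parse_address_map` and `parse_sessions` and getting an empty list from `check_hub_spoke` is the same conclusion the document draws by inspection.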
#
isis 1
is-level level-2
network-entity 49.0001.0060.0600.6006.00
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 6.6.6.6 0.0.0.0
#
mpls lsr-id 6.6.6.6
#
mpls ldp
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 5.6.1.3 255.255.255.0
isis enable 1
mpls enable
mpls ldp enable
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
#
isis 1
is-level level-2
network-entity 49.0001.0070.0700.7007.00
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 7.7.7.7 0.0.0.0
#
mpls lsr-id 7.7.7.7
#
mpls ldp
#
interface LoopBack0
ip address 7.7.7.7 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 5.6.1.4 255.255.255.0
isis enable 1
mpls enable
mpls ldp enable
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
#
isis 1
is-level level-2
network-entity 49.0001.0050.0500.5005.00
#
ospf 1
area 0.0.0.0
network 1.5.1.0 0.0.0.3
network 2.5.1.0 0.0.0.3
network 3.5.1.0 0.0.0.3
network 5.5.5.5 0.0.0.0
network 5.6.1.0 0.0.0.255
#
mpls lsr-id 5.5.5.5
#
mpls ldp
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 1.5.1.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 2.5.1.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/3
ip address 3.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/4
ip address 4.5.1.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/5
ip address 5.6.1.1 255.255.255.0
isis enable 1
mpls enable
mpls ldp enable
#
#
isis 1
is-level level-2
network-entity 49.0001.0010.0100.1001.00
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 1.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 1.1.1.1
#
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 1.5.1.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.1 255.255.255.0
ospf cost 1
ospf network-type p2mp
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub1 password simple hub1
client enable
#
#
isis 1
is-level level-2
network-entity 49.0001.0020.0200.2002.00
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 2.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 2.2.2.2
#
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 2.5.1.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.2 255.255.255.0
ospf network-type p2mp
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub2
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub2 password simple hub2
client enable
#
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 3.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
mpls lsr-id 3.3.3.3
#
mpls ldp
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 3.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.3 255.255.255.0
ospf network-type p2mp
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke1 password simple spoke1
client enable
#
#
isis 1
is-level level-2
network-entity 49.0001.0040.0400.4004.00
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
mpls lsr-id 4.4.4.4
#
mpls ldp
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 4.5.1.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 192.168.2.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.4 255.255.255.0
ospf network-type p2mp
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke2
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke2 password simple spoke2
client enable
#
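The running configurations above can also be cross-checked offline before the devices are brought up. The following Python script is an added example and not H3C code: it reads constructed excerpts in the shape of these running configurations (the VAM Server hub-group, and each client's Tunnel1, IPsec and VAM client blocks), confirms that every client's tunnel address and ADVPN domain agree with the server, and reports the ESP algorithm and pre-shared-key settings that a security review of this design would question. The `client_config` helper, the function names and the `aes-cbc-128` transform used for comparison are this example's own.

```python
"""Cross-check the VAM Server hub-group against each client's running config.
Added example, not H3C code; the excerpts below are constructed in the shape of the
running configurations in this document, keeping only the lines the audit reads."""
import ipaddress
import re

# Constructed excerpt of the primary server's running config.
SERVER_CONFIG = """\
vam server advpn-domain abc id 1
 hub-group 0
  hub private-address 192.168.0.1
  hub private-address 192.168.0.2
  spoke private-address range 192.168.0.0 192.168.0.255
#
"""

def client_config(name, tunnel_ip, esp="des-cbc", domain="abc"):
    """Constructed hub/spoke excerpt (hypothetical helper); ESP algorithm and domain vary."""
    return (
        f"interface Tunnel1 mode advpn gre\n ip address {tunnel_ip} 255.255.255.0\n"
        f" tunnel protection ipsec profile abc\n vam client {name}\n#\n"
        f"ipsec transform-set abc\n esp encryption-algorithm {esp}\n#\n"
        "ike keychain abc\n pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456\n#\n"
        f"vam client name {name}\n advpn-domain {domain}\n#\n"
    )

CONFIGS = {
    "Primary server": SERVER_CONFIG,
    "Hub1": client_config("Hub1", "192.168.0.1"),
    "Hub2": client_config("Hub2", "192.168.0.2"),
    "Spoke1": client_config("Spoke1", "192.168.0.3"),
    "Spoke2": client_config("Spoke2", "192.168.0.4"),
}
WEAK_ESP = {"des-cbc", "null"}   # single DES (56-bit key) or no encryption at all

def first(pattern, text):
    """First capture group of a line-anchored pattern in text, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def parse_server(text):
    """Return (domain, set of hub private addresses, (low, high) spoke range or None)."""
    domain = first(r"^vam server advpn-domain (\S+)", text)
    hubs = set(re.findall(r"^\s*hub private-address (\S+)", text, re.M))
    m = re.search(r"^\s*spoke private-address range (\S+) (\S+)", text, re.M)
    rng = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))) if m else None
    return domain, hubs, rng

def parse_client(text):
    """Pull the fields the audit needs from a hub or spoke running config."""
    tun = re.search(r"^interface Tunnel\d+ mode advpn.*?(?=^#|\Z)", text, re.M | re.S)
    body = tun.group(0) if tun else ""
    return {
        "tunnel_ip": first(r"^\s*ip address (\S+)", body),
        "protected": "tunnel protection ipsec profile" in body,
        "domain": first(r"^\s*advpn-domain (\S+)", text),
        "esp": first(r"^\s*esp encryption-algorithm (\S+)", text),
        "any_peer_psk": first(r"^\s*pre-shared-key address (0\.0\.0\.0 0\.0\.0\.0) ", text) is not None,
    }

def audit(configs, server_name="Primary server"):
    """Return findings as strings; an empty list means the configs are consistent and clean."""
    domain, hubs, rng = parse_server(configs[server_name])
    findings, seen_hubs = [], set()
    for name, text in configs.items():
        if name == server_name:
            continue
        c = parse_client(text)
        ip = c["tunnel_ip"]
        if c["domain"] != domain:
            findings.append(f"{name}: advpn-domain {c['domain']} differs from server domain {domain}")
        if ip is None:
            findings.append(f"{name}: no ADVPN tunnel interface found")
        elif ip in hubs:
            seen_hubs.add(ip)
        elif rng and not (rng[0] <= ipaddress.ip_address(ip) <= rng[1]):
            findings.append(f"{name}: tunnel address {ip} is neither a hub nor inside the spoke range")
        if ip is not None and not c["protected"]:
            findings.append(f"{name}: Tunnel1 has no IPsec protection; GRE would cross the core in clear")
        if c["esp"] in WEAK_ESP:
            findings.append(f"{name}: ESP encryption {c['esp']} is weak; use an AES transform")
        if c["any_peer_psk"]:
            findings.append(f"{name}: one pre-shared key is accepted from any peer address")
    for hub in sorted(hubs - seen_hubs):
        findings.append(f"hub {hub} is in the server hub-group but no device uses that tunnel address")
    return findings
```

Run against the four clients as configured in this example, `audit(CONFIGS)` reports no inconsistency but two findings per device: the `des-cbc` transform and the single pre-shared key accepted from any peer address.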
The documentation for different models and specifications differs slightly. For details, contact your sales representative or the 400 hotline. H3C reserves the right to modify the content of this documentation without prior notice.