H3C MSR Series Routers Typical Configuration Examples (V5)-6W100

28-MSR Series Routers L2TP Multi-Instance Typical Configuration Example


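1  Introduction

This document presents a typical configuration example for L2TP multi-instance.

L2TP multi-instance is typically used where several enterprises share one LNS and each enterprise's users need to communicate with their own headquarters, with the networks using private addresses. Normally, users cannot reach an enterprise's internal servers directly over the Internet. By establishing a VPN with multi-instance support, users can access data on their own enterprise's internal network.

2  Prerequisites

This document does not correspond strictly to specific software or hardware versions. If anything differs from the actual product during use, refer to the relevant product manuals or go by the actual device.

All configuration in this document was performed and verified in a lab environment, and all device parameters were at factory defaults before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the following example, so that the example takes effect as intended.

This document assumes that you are familiar with L2TP and PPPoE.

3  Configuration example

3.1  Network requirements

As shown in Figure 1, Router A acts as the PPPoE client and the L2TP user, Router B acts as both the LAC and the PPPoE server, and Router C acts as the LNS. Requirement: use local authentication so that different users can access their own enterprise intranets without interfering with each other.

Figure 1 Network diagram for the L2TP multi-instance configuration example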

 

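3.2  Software version used

This example was configured and verified on Release 2317.

3.3  Configuration notes

·     L2TP must be enabled globally.

·     On the LNS, an address pool must be configured under the relevant domain; a pool configured globally has no effect.

·     To keep the configuration description simple, this document uses local authentication, which requires that the username part of username@domain also be different in different domains; otherwise local authentication cannot tell the users apart.

·     After this test case is finished, clear all configuration made on all routers for this test so that it does not affect later tests.

3.4  Configuration procedure

3.4.1  Configuring Router A

# Configure the authentication username and password on the serial interfaces.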

<RouterA> system-view

[RouterA] interface serial 7/0/1:1

[RouterA-Serial7/0/1:1] ppp pap local-user rad@rad password simple rad

[RouterA-Serial7/0/1:1] ip address ppp-negotiate

[RouterA-Serial7/0/1:1] quit

[RouterA] interface serial 7/0/2:1

[RouterA-Serial7/0/2:1] ppp pap local-user hws@hws password simple hws

[RouterA-Serial7/0/2:1] ip address ppp-negotiate

[RouterA-Serial7/0/2:1] quit

# Configure the private network routes to the networks behind Router C.

[RouterA] ip route-static 5.0.0.0 255.0.0.0 Serial7/0/1:1

[RouterA] ip route-static 6.0.0.0 255.0.0.0 Serial7/0/2:1

3.4.2  Configuring Router B

# Configure the IP address of interface Ethernet0/0.

<RouterB> system-view

[RouterB] interface ethernet 0/0

[RouterB-Ethernet0/0] ip address 1.1.1.1 255.255.255.0

[RouterB-Ethernet0/0] quit

# Enable L2TP globally.

[RouterB] l2tp enable

# Create two ISP domains and use their default settings.

[RouterB] domain rad

[RouterB-isp-rad] quit

[RouterB] domain hws

[RouterB-isp-hws] quit

# Create the local users and configure their usernames, passwords and service type.

[RouterB] local-user rad

[RouterB-luser-rad] password simple rad

[RouterB-luser-rad] service-type ppp

[RouterB-luser-rad] local-user hws

[RouterB-luser-hws] password simple hws

[RouterB-luser-hws] service-type ppp 

[RouterB-luser-hws] quit

# Configure the L2TP groups, with tunnel authentication disabled.

[RouterB] l2tp-group 1

[RouterB-l2tp1] undo tunnel authentication

[RouterB-l2tp1] tunnel name rad

[RouterB-l2tp1] start l2tp ip 1.1.1.2 domain rad

[RouterB-l2tp1] l2tp-group 2

[RouterB-l2tp2] undo tunnel authentication

[RouterB-l2tp2] tunnel name hws

[RouterB-l2tp2] start l2tp ip 1.1.1.2 domain hws

[RouterB-l2tp2] quit

# Enable PPP PAP authentication on the interfaces.

[RouterB] interface serial 7/0/1:1

[RouterB-Serial7/0/1:1] ppp authentication-mode pap domain rad

[RouterB-Serial7/0/1:1] quit

[RouterB] interface serial 7/0/2:1

[RouterB-Serial7/0/2:1] ppp authentication-mode pap domain hws

[RouterB-Serial7/0/2:1] quit

3.4.3  Configuring Router C

# Configure the IP address of interface Ethernet6/2.

<RouterC> system-view

[RouterC] interface ethernet 6/2

[RouterC-Ethernet6/2] ip address 1.1.1.2 255.255.255.0

[RouterC-Ethernet6/2] quit

# Enable L2TP globally.

[RouterC] l2tp enable

# Enable the L2TP multi-instance function.

[RouterC] l2tpmoreexam enable

# Configure the IP address pools within the domains.

[RouterC] domain rad

[RouterC-isp-rad] ip pool 1 100.0.0.2 100.0.0.100

[RouterC-isp-rad] domain hws

[RouterC-isp-hws] ip pool 1 101.0.0.2 101.0.0.100

[RouterC-isp-hws] quit

# Create the local users and configure their usernames, passwords and service type.

[RouterC] local-user rad

[RouterC-luser-rad] password simple rad

[RouterC-luser-rad] service-type ppp

[RouterC-luser-rad] local-user hws

[RouterC-luser-hws] password simple hws

[RouterC-luser-hws] service-type ppp 

[RouterC-luser-hws] quit

# Configure the VPN instances.

[RouterC] ip vpn-instance 200:1

[RouterC-vpn-instance-200:1] route-distinguisher 200:1

[RouterC-vpn-instance-200:1] vpn-target 200:1 import-extcommunity

[RouterC-vpn-instance-200:1] vpn-target 200:1 export-extcommunity

[RouterC-vpn-instance-200:1] quit

[RouterC] ip vpn-instance vpn1

[RouterC-vpn-instance-vpn1] route-distinguisher 100:1

[RouterC-vpn-instance-vpn1] vpn-target 100:1 import-extcommunity

[RouterC-vpn-instance-vpn1] vpn-target 100:1 export-extcommunity

[RouterC-vpn-instance-vpn1] quit

# Configure the virtual template interfaces.

[RouterC] interface Virtual-Template1

[RouterC-Virtual-Template1] ppp authentication-mode pap domain rad

[RouterC-Virtual-Template1] remote address pool 1

[RouterC-Virtual-Template1] ip binding vpn-instance vpn1

[RouterC-Virtual-Template1] ip address 100.0.0.1 255.0.0.0

[RouterC-Virtual-Template1] interface Virtual-Template2

[RouterC-Virtual-Template2] ppp authentication-mode pap domain hws

[RouterC-Virtual-Template2] remote address pool 1

[RouterC-Virtual-Template2] ip binding vpn-instance 200:1

[RouterC-Virtual-Template2] ip address 101.0.0.1 255.0.0.0

[RouterC-Virtual-Template2] quit

# Configure the L2TP groups, with tunnel authentication disabled.

[RouterC] l2tp-group 1

[RouterC-l2tp1] undo tunnel authentication

[RouterC-l2tp1] allow l2tp virtual-template 1 remote rad domain rad

[RouterC-l2tp1] l2tp-group 2

[RouterC-l2tp2] undo tunnel authentication

[RouterC-l2tp2] allow l2tp virtual-template 2 remote hws domain hws

[RouterC-l2tp2] quit

# Configure the interface addresses and bind the interfaces to the VPN instances.

[RouterC] interface ethernet 6/0

[RouterC-Ethernet6/0] ip binding vpn-instance vpn1

[RouterC-Ethernet6/0] ip address 5.0.0.1 32

[RouterC-Ethernet6/0] quit

[RouterC] interface ethernet 6/1

[RouterC-Ethernet6/1] ip binding vpn-instance 200:1

[RouterC-Ethernet6/1] ip address 6.0.0.1 32

[RouterC-Ethernet6/1] quit

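3.5  Verifying the configuration

# On Router A, the line protocol of interface Serial7/0/1:1 is up, and the interface has been assigned an address from the address pool associated with domain rad on the LNS (Router C).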

<RouterA>  display interface serial 7/0/1:1

Serial7/0/1:1 current state: UP

Line protocol current state: UP

Description: Serial7/0/1:1 Interface

The Maximum Transmit Unit is 1500, Hold timer is 10(sec)

Internet Address is negotiated, 100.0.0.2/32

Link layer protocol is PPP

LCP opened, IPCP opened

Output queue : (Urgent queuing : Size/Length/Discards)  0/100/0

Output queue : (Protocol queuing : Size/Length/Discards)  0/500/0

Output queue : (FIFO queuing : Size/Length/Discards)  0/75/0

Physical layer is synchronous, Virtual baudrate is 64000 bps

Interface is DTE, Cable type is V35, Clock mode is DTECLK1

Last clearing of counters: Never

    Last 300 seconds input rate 5.33 bytes/sec, 42 bits/sec, 0.23 packets/sec

    Last 300 seconds output rate 5.33 bytes/sec, 42 bits/sec, 0.23 packets/sec

    Input: 5040 packets, 61518 bytes, 0 no buffers

           0 broadcasts, 0 multicasts

           0 errors, 0 runts, 0 giants

           0 CRC, 0 align errors, 0 overruns

           0 dribbles, 0 aborts, 0 frame errors

    Output:5050 packets, 61826 bytes

           0 errors, 0 underruns, 0 collisions

           0 deferred

    DCD=UP  DTR=UP  DSR=UP  RTS=UP  CTS=UP

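# On Router A, the line protocol of interface Serial7/0/2:1 is up, and the interface has been assigned an address from the address pool associated with domain hws on the LNS (Router C). (The output is similar to the above and is not repeated.)

# On Router A, a ping sourced from the address of interface Serial7/0/1:1 reaches Router C's address 5.0.0.1.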

<RouterA> ping -a 100.0.0.2 5.0.0.1

  PING 5.0.0.1: 56  data bytes, press CTRL_C to break

    Reply from 5.0.0.1: bytes=56 Sequence=0 ttl=255 time=27 ms

    Reply from 5.0.0.1: bytes=56 Sequence=1 ttl=255 time=27 ms

    Reply from 5.0.0.1: bytes=56 Sequence=2 ttl=255 time=27 ms

    Reply from 5.0.0.1: bytes=56 Sequence=3 ttl=255 time=28 ms

    Reply from 5.0.0.1: bytes=56 Sequence=4 ttl=255 time=27 ms

 

  --- 5.0.0.1 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 27/27/28 ms

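# On Router A, a ping sourced from the address of interface Serial7/0/2:1 reaches Router C's address 6.0.0.1. (The output is similar to the above and is not repeated.)

3.6  Configuration files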

·     Router A:

#

interface Serial7/0/1:1

 link-protocol ppp

 ppp pap local-user rad@rad password simple rad

 ip address ppp-negotiate

#

interface Serial7/0/2:1

 link-protocol ppp

 ppp pap local-user hws@hws password simple hws

 ip address ppp-negotiate

#

ip route-static 5.0.0.0 255.0.0.0 Serial7/0/1:1

ip route-static 6.0.0.0 255.0.0.0 Serial7/0/2:1

#

·     Router B:

#

 l2tp enable

#

domain hws

 access-limit disable

 state active

 idle-cut disable

 self-service-url disable

domain rad

 access-limit disable

 state active

 idle-cut disable

 self-service-url disable

#

local-user hws

 password simple hws

 service-type ppp

local-user rad

 password simple rad

 service-type ppp

#

l2tp-group 1

 undo tunnel authentication

 tunnel name rad

 start l2tp ip 1.1.1.2 domain rad

#

l2tp-group 2

 undo tunnel authentication

 tunnel name hws

 start l2tp ip 1.1.1.2 domain hws

#

interface Ethernet0/0

 port link-mode route

 ip address 1.1.1.1 255.255.255.0

#

interface Serial7/0/1:1

 link-protocol ppp

 ppp authentication-mode pap domain rad

#

interface Serial7/0/2:1

 link-protocol ppp

 ppp authentication-mode pap domain hws

#

·     Router C:

#

 l2tp enable

 l2tpmoreexam enable

#

ip vpn-instance 200:1

 route-distinguisher 200:1

 vpn-target 200:1 export-extcommunity

 vpn-target 200:1 import-extcommunity

#

ip vpn-instance vpn1

 route-distinguisher 100:1

 vpn-target 100:1 export-extcommunity

 vpn-target 100:1 import-extcommunity

#

domain hws

 access-limit disable

 state active

 idle-cut disable

 self-service-url disable

 ip pool 1 101.0.0.2 101.0.0.100

domain rad

 access-limit disable

 state active

 idle-cut disable

 self-service-url disable

 ip pool 1 100.0.0.2 100.0.0.100

#

local-user hws

 password simple hws

 service-type ppp

local-user rad

 password simple rad

 service-type ppp

#

l2tp-group 1

 undo tunnel authentication

 allow l2tp virtual-template 1 remote rad domain rad

#

l2tp-group 2

 undo tunnel authentication

 allow l2tp virtual-template 2 remote hws domain hws

#

interface Virtual-Template1

 ppp authentication-mode pap domain rad

 remote address pool 1

 ip binding vpn-instance vpn1

 ip address 100.0.0.1 255.0.0.0

#

interface Virtual-Template2

 ppp authentication-mode pap domain hws

 remote address pool 1

 ip binding vpn-instance 200:1

 ip address 101.0.0.1 255.0.0.0

#

interface Ethernet6/0

 port link-mode route

 ip binding vpn-instance vpn1

 ip address 5.0.0.1 255.255.255.255

#

interface Ethernet6/1

 port link-mode route

 ip binding vpn-instance 200:1

 ip address 6.0.0.1 255.255.255.255

#

interface Ethernet6/2

 port link-mode route

 ip address 1.1.1.2 255.255.255.0

#
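The following check is an added example, not part of the H3C document: it audits an LNS configuration like Router C's for the tenant separation this example relies on (each L2TP group's domain is authenticated by its own virtual template and bound to its own VPN instance) and lists the lab settings a production deployment would harden (disabled tunnel authentication, PAP, cleartext passwords). The sample text is a constructed, trimmed copy of the Router C configuration above; the function names, and the assumption that sub-commands are indented under their section line, belong to this example.

```python
import re

WEAK = {r"^\s*undo tunnel authentication": "tunnel authentication disabled",
        r"^\s*password simple": "cleartext password",
        r"authentication-mode pap": "PAP authentication"}

# Constructed sample: trimmed copy of the Router C configuration in section 3.6.
ROUTER_C = """\
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1 remote rad domain rad
l2tp-group 2
 undo tunnel authentication
 allow l2tp virtual-template 2 remote hws domain hws
interface Virtual-Template1
 ppp authentication-mode pap domain rad
 ip binding vpn-instance vpn1
interface Virtual-Template2
 ppp authentication-mode pap domain hws
 ip binding vpn-instance 200:1
local-user rad
 password simple rad
"""

def sections(text):
    """Map each top-level config line to the indented lines under it ('#' lines are skipped)."""
    found = re.findall(r"^([^\s#].*)\n((?:[ \t].*\n)*)", text + "\n", re.M)
    return {head.strip(): body for head, body in found}

def audit(text):
    """Return (findings, {domain: vpn-instance}) for an LNS configuration."""
    sec, findings, tenant = sections(text), [], {}
    for head, body in sec.items():
        findings += [f"{head}: {msg}" for pat, msg in WEAK.items() if re.search(pat, body, re.M)]
        grp = re.search(r"allow l2tp virtual-template (\d+) .*domain (\S+)", body)
        if not grp:
            continue
        vt = sec.get(f"interface Virtual-Template{grp.group(1)}", "")
        vpn = re.search(r"ip binding vpn-instance (\S+)", vt)
        dom = re.search(r"authentication-mode \S+ domain (\S+)", vt)
        if not vpn:
            findings.append(f"{head}: Virtual-Template{grp.group(1)} has no vpn-instance")
        elif not dom or dom.group(1) != grp.group(2):
            findings.append(f"{head}: template does not authenticate domain {grp.group(2)}")
        elif vpn.group(1) in tenant.values():
            findings.append(f"{head}: vpn-instance {vpn.group(1)} already used by another domain")
        else:
            tenant[grp.group(2)] = vpn.group(1)
    return findings, tenant
```

Calling `audit(ROUTER_C)` returns the findings list and the domain-to-VPN-instance map; a domain missing from the map is one whose L2TP sessions are not confined to a VPN instance of their own.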

4  Related documentation

·     H3C MSR Series Routers Command Reference (V5)-R2311

·     H3C MSR Series Routers Configuration Guide (V5)-R2311
