L2TP Multi-Instance Configuration Example for MSR Series Routers
Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this document may be excerpted, reproduced or distributed in any form by any organization or individual without the prior written permission of the company. The information in this document is subject to change without notice.
This document describes a typical configuration example for L2TP multi-instance.
L2TP multi-instance is typically used when several enterprises share one LNS: the users of each enterprise need to communicate with their own headquarters, and the networks use private addresses. Normally such users cannot reach the servers inside the enterprise directly over the Internet. By building a VPN that supports multiple instances, each user can reach the data on their own enterprise's internal network.
This document does not strictly correspond to specific software or hardware versions. If anything differs from your product in practice, refer to the relevant product manuals or follow the device's actual behavior.
The configurations in this document were performed and verified in a lab environment, with all device parameters at their factory defaults before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the examples below, so that the configuration takes effect as intended.
This document assumes that you are familiar with the L2TP and PPPoE features.
As shown in Figure 1, Router A acts as the PPPoE client and the L2TP user, Router B acts as both the LAC and the PPPoE server, and Router C acts as the LNS. The requirement is that, using local authentication, users of different enterprises can access their own enterprise intranets without interfering with each other.
Figure 1 Network diagram for the L2TP multi-instance configuration example
This example was configured and verified on Release 2317.
· L2TP must be enabled globally.
· On the LNS, the address pool must be configured under the relevant ISP domain; a pool configured in system view takes no effect.
· For ease of description this document uses local authentication, which requires that the username part of username@domain be unique across domains; otherwise local authentication cannot tell the users apart.
· After this test is complete, clear the configuration made on all routers for it, so that it does not affect later tests.
# Configure the PPP authentication username and password on the serial interfaces.
<RouterA> system-view
[RouterA] interface serial 7/0/1:1
[RouterA-Serial7/0/1:1] ppp pap local-user rad@rad password simple rad
[RouterA-Serial7/0/1:1] ip address ppp-negotiate
[RouterA-Serial7/0/1:1] quit
[RouterA] interface serial 7/0/2:1
[RouterA-Serial7/0/2:1] ppp pap local-user hws@hws password simple hws
[RouterA-Serial7/0/2:1] ip address ppp-negotiate
[RouterA-Serial7/0/2:1] quit
# Configure static routes to the private networks behind Router C.
[RouterA] ip route-static 5.0.0.0 255.0.0.0 Serial7/0/1:1
[RouterA] ip route-static 6.0.0.0 255.0.0.0 Serial7/0/2:1
# Assign an IP address to interface Ethernet0/0.
<RouterB> system-view
[RouterB] interface ethernet 0/0
[RouterB-Ethernet0/0] ip address 1.1.1.1 255.255.255.0
[RouterB-Ethernet0/0] quit
# Enable L2TP globally.
[RouterB] l2tp enable
# Create two ISP domains with the default settings.
[RouterB] domain rad
[RouterB-isp-rad] quit
[RouterB] domain hws
[RouterB-isp-hws] quit
# Create the local users and configure their usernames, passwords and service type.
[RouterB] local-user rad
[RouterB-luser-rad] password simple rad
[RouterB-luser-rad] service-type ppp
[RouterB-luser-rad] local-user hws
[RouterB-luser-hws] password simple hws
[RouterB-luser-hws] service-type ppp
[RouterB-luser-hws] quit
# Configure the L2TP groups without tunnel authentication.
[RouterB] l2tp-group 1
[RouterB-l2tp1] undo tunnel authentication
[RouterB-l2tp1] tunnel name rad
[RouterB-l2tp1] start l2tp ip 1.1.1.2 domain rad
[RouterB-l2tp1] l2tp-group 2
[RouterB-l2tp2] undo tunnel authentication
[RouterB-l2tp2] tunnel name hws
[RouterB-l2tp2] start l2tp ip 1.1.1.2 domain hws
[RouterB-l2tp2] quit
# Enable PPP PAP authentication on the interfaces.
[RouterB] interface serial 7/0/1:1
[RouterB-Serial7/0/1:1] ppp authentication-mode pap domain rad
[RouterB-Serial7/0/1:1] quit
[RouterB] interface serial 7/0/2:1
[RouterB-Serial7/0/2:1] ppp authentication-mode pap domain hws
[RouterB-Serial7/0/2:1] quit
# Assign an IP address to interface Ethernet6/2.
<RouterC> system-view
[RouterC] interface ethernet 6/2
[RouterC-Ethernet6/2] ip address 1.1.1.2 255.255.255.0
[RouterC-Ethernet6/2] quit
# Enable L2TP globally.
[RouterC] l2tp enable
# Enable L2TP multi-instance.
[RouterC] l2tpmoreexam enable
# Configure the IP address pools inside the ISP domains.
[RouterC] domain rad
[RouterC-isp-rad] ip pool 1 100.0.0.2 100.0.0.100
[RouterC-isp-rad] domain hws
[RouterC-isp-hws] ip pool 1 101.0.0.2 101.0.0.100
[RouterC-isp-hws] quit
# Create the local users and configure their usernames, passwords and service type.
[RouterC] local-user rad
[RouterC-luser-rad] password simple rad
[RouterC-luser-rad] service-type ppp
[RouterC-luser-rad] local-user hws
[RouterC-luser-hws] password simple hws
[RouterC-luser-hws] service-type ppp
[RouterC-luser-hws] quit
# Configure the VPN instances.
[RouterC] ip vpn-instance 200:1
[RouterC-vpn-instance-200:1] route-distinguisher 200:1
[RouterC-vpn-instance-200:1] vpn-target 200:1 import-extcommunity
[RouterC-vpn-instance-200:1] vpn-target 200:1 export-extcommunity
[RouterC-vpn-instance-200:1] quit
[RouterC] ip vpn-instance vpn1
[RouterC-vpn-instance-vpn1] route-distinguisher 100:1
[RouterC-vpn-instance-vpn1] vpn-target 100:1 import-extcommunity
[RouterC-vpn-instance-vpn1] vpn-target 100:1 export-extcommunity
[RouterC-vpn-instance-vpn1] quit
# Configure the virtual template interfaces.
[RouterC] interface Virtual-Template1
[RouterC-Virtual-Template1] ppp authentication-mode pap domain rad
[RouterC-Virtual-Template1] remote address pool 1
[RouterC-Virtual-Template1] ip binding vpn-instance vpn1
[RouterC-Virtual-Template1] ip address 100.0.0.1 255.0.0.0
[RouterC-Virtual-Template1] interface Virtual-Template2
[RouterC-Virtual-Template2] ppp authentication-mode pap domain hws
[RouterC-Virtual-Template2] remote address pool 1
[RouterC-Virtual-Template2] ip binding vpn-instance 200:1
[RouterC-Virtual-Template2] ip address 101.0.0.1 255.0.0.0
[RouterC-Virtual-Template2] quit
# Configure the L2TP groups without tunnel authentication.
[RouterC] l2tp-group 1
[RouterC-l2tp1] undo tunnel authentication
[RouterC-l2tp1] allow l2tp virtual-template 1 remote rad domain rad
[RouterC-l2tp1] l2tp-group 2
[RouterC-l2tp2] undo tunnel authentication
[RouterC-l2tp2] allow l2tp virtual-template 2 remote hws domain hws
[RouterC-l2tp2] quit
# Configure the interface addresses and bind the interfaces to the VPN instances.
[RouterC] interface ethernet 6/0
[RouterC-Ethernet6/0] ip binding vpn-instance vpn1
[RouterC-Ethernet6/0] ip address 5.0.0.1 32
[RouterC-Ethernet6/0] quit
[RouterC] interface ethernet 6/1
[RouterC-Ethernet6/1] ip binding vpn-instance 200:1
[RouterC-Ethernet6/1] ip address 6.0.0.1 32
[RouterC-Ethernet6/1] quit
# On Router A, the line protocol of interface Serial7/0/1:1 is up, and the interface has been assigned an address from the pool associated with domain rad on LNS Router C.
<RouterA> display interface serial 7/0/1:1
Serial7/0/1:1 current state: UP
Line protocol current state: UP
Description: Serial7/0/1:1 Interface
The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is negotiated, 100.0.0.2/32
Link layer protocol is PPP
LCP opened, IPCP opened
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Physical layer is synchronous, Virtual baudrate is 64000 bps
Interface is DTE, Cable type is V35, Clock mode is DTECLK1
Last clearing of counters: Never
Last 300 seconds input rate 5.33 bytes/sec, 42 bits/sec, 0.23 packets/sec
Last 300 seconds output rate 5.33 bytes/sec, 42 bits/sec, 0.23 packets/sec
Input: 5040 packets, 61518 bytes, 0 no buffers
0 broadcasts, 0 multicasts
0 errors, 0 runts, 0 giants
0 CRC, 0 align errors, 0 overruns
0 dribbles, 0 aborts, 0 frame errors
Output:5050 packets, 61826 bytes
0 errors, 0 underruns, 0 collisions
0 deferred
DCD=UP DTR=UP DSR=UP RTS=UP CTS=UP
# On Router A, the line protocol of interface Serial7/0/2:1 is up, and the interface has been assigned an address from the pool associated with domain hws on LNS Router C. (The output is the same as above and is omitted.)
# On Router A, a ping sourced from the address of interface Serial7/0/1:1 reaches Router C's address 5.0.0.1.
<RouterA> ping -a 100.0.0.2 5.0.0.1
PING 5.0.0.1: 56 data bytes, press CTRL_C to break
Reply from 5.0.0.1: bytes=56 Sequence=0 ttl=255 time=27 ms
Reply from 5.0.0.1: bytes=56 Sequence=1 ttl=255 time=27 ms
Reply from 5.0.0.1: bytes=56 Sequence=2 ttl=255 time=27 ms
Reply from 5.0.0.1: bytes=56 Sequence=3 ttl=255 time=28 ms
Reply from 5.0.0.1: bytes=56 Sequence=4 ttl=255 time=27 ms
--- 5.0.0.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 27/27/28 ms
# On Router A, a ping sourced from the address of interface Serial7/0/2:1 reaches Router C's address 6.0.0.1. (The output is the same as above and is omitted.)
· Router A:
#
interface Serial7/0/1:1
link-protocol ppp
ppp pap local-user rad@rad password simple rad
ip address ppp-negotiate
#
interface Serial7/0/2:1
link-protocol ppp
ppp pap local-user hws@hws password simple hws
ip address ppp-negotiate
#
ip route-static 5.0.0.0 255.0.0.0 Serial7/0/1:1
ip route-static 6.0.0.0 255.0.0.0 Serial7/0/2:1
#
· Router B:
#
l2tp enable
#
domain hws
access-limit disable
state active
idle-cut disable
self-service-url disable
domain rad
access-limit disable
state active
idle-cut disable
self-service-url disable
#
local-user hws
password simple hws
service-type ppp
local-user rad
password simple rad
service-type ppp
#
l2tp-group 1
undo tunnel authentication
tunnel name rad
start l2tp ip 1.1.1.2 domain rad
#
l2tp-group 2
undo tunnel authentication
tunnel name hws
start l2tp ip 1.1.1.2 domain hws
#
interface Ethernet0/0
port link-mode route
ip address 1.1.1.1 255.255.255.0
#
interface Serial7/0/1:1
link-protocol ppp
ppp authentication-mode pap domain rad
#
interface Serial7/0/2:1
link-protocol ppp
ppp authentication-mode pap domain hws
#
· Router C:
#
l2tp enable
l2tpmoreexam enable
#
ip vpn-instance 200:1
route-distinguisher 200:1
vpn-target 200:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 100:1 import-extcommunity
#
domain hws
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 101.0.0.2 101.0.0.100
domain rad
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 100.0.0.2 100.0.0.100
#
local-user hws
password simple hws
service-type ppp
local-user rad
password simple rad
service-type ppp
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1 remote rad domain rad
#
l2tp-group 2
undo tunnel authentication
allow l2tp virtual-template 2 remote hws domain hws
#
interface Virtual-Template1
ppp authentication-mode pap domain rad
remote address pool 1
ip binding vpn-instance vpn1
ip address 100.0.0.1 255.0.0.0
#
interface Virtual-Template2
ppp authentication-mode pap domain hws
remote address pool 1
ip binding vpn-instance 200:1
ip address 101.0.0.1 255.0.0.0
#
interface Ethernet6/0
port link-mode route
ip binding vpn-instance vpn1
ip address 5.0.0.1 255.255.255.255
#
interface Ethernet6/1
port link-mode route
ip binding vpn-instance 200:1
ip address 6.0.0.1 255.255.255.255
#
interface Ethernet6/2
port link-mode route
ip address 1.1.1.2 255.255.255.0
#
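The notes at the start of this document (L2TP enabled globally, address pools configured under the domain, usernames unique across domains) and the per-domain wiring in Router C's configuration (L2TP group, virtual template, ISP domain, VPN instance) can be checked mechanically from the configuration file. The script below is an added example and is not part of the H3C document or the MSR software. It parses the Router C configuration text from this document (trimmed to the relevant views and embedded as constructed input), lists the L2TP groups that run with `undo tunnel authentication` and the local users stored with `password simple`, verifies that each `allow l2tp ... domain` statement points at a virtual template that authenticates in that domain, hands out a pool defined under that domain and is bound to a VPN instance no other template shares, and applies the username-uniqueness rule to the `user@domain` names Router A presents. All function names are the example's own.

```python
"""Consistency audit for the LNS (Router C) configuration in this example.
Added example, not from the H3C document: the config text below is copied from
the Router C configuration file above (trimmed to the views the checks need)."""
import re
from collections import defaultdict

# Constructed input: the relevant views of Router C's configuration file.
ROUTER_C_CONFIG = """\
#
 l2tp enable
 l2tpmoreexam enable
#
domain hws
 ip pool 1 101.0.0.2 101.0.0.100
domain rad
 ip pool 1 100.0.0.2 100.0.0.100
#
local-user hws
 password simple hws
local-user rad
 password simple rad
#
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1 remote rad domain rad
#
l2tp-group 2
 undo tunnel authentication
 allow l2tp virtual-template 2 remote hws domain hws
#
interface Virtual-Template1
 ppp authentication-mode pap domain rad
 remote address pool 1
 ip binding vpn-instance vpn1
#
interface Virtual-Template2
 ppp authentication-mode pap domain hws
 remote address pool 1
 ip binding vpn-instance 200:1
"""

VIEW_RE = re.compile(r"^(domain|local-user|l2tp-group|interface)\s+(\S+)$")
ALLOW_RE = re.compile(r"^allow l2tp virtual-template (\d+) remote \S+ domain (\S+)$")

def parse_views(config):
    """Return {(view, name): [lines]}; a lone '#' ends a section, as in Comware files."""
    views, current = defaultdict(list), ("global", "")
    for line in (l.strip() for l in config.splitlines()):
        if line == "#":
            current = ("global", "")
        elif m := VIEW_RE.match(line):
            current = (m.group(1), m.group(2))
            views[current]  # register the view even if it has no lines
        elif line:
            views[current].append(line)
    return views

def weak_settings(views):
    """L2TP groups without tunnel authentication and users stored with 'password simple'."""
    groups = sorted(n for (v, n), ls in views.items()
                    if v == "l2tp-group" and "undo tunnel authentication" in ls)
    users = sorted(n for (v, n), ls in views.items()
                   if v == "local-user" and any(l.startswith("password simple ") for l in ls))
    return groups, users

def check_domain_bindings(views):
    """Each 'allow l2tp ... domain D' must point at a Virtual-Template that
    authenticates in D, hands out a pool defined under D (note 2 above) and is
    bound to a VPN instance no other template shares.  Returns problem strings."""
    problems, used_vpn = [], set()
    for (v, group), lines in views.items():
        for m in filter(None, map(ALLOW_RE.match, lines if v == "l2tp-group" else [])):
            vt_num, domain = m.groups()
            vt = views.get(("interface", f"Virtual-Template{vt_num}"), [])
            pool = next((l.split()[-1] for l in vt if l.startswith("remote address pool ")), None)
            vpn = next((l.split()[-1] for l in vt if l.startswith("ip binding vpn-instance ")), None)
            if f"ppp authentication-mode pap domain {domain}" not in vt:
                problems.append(f"group {group}: Virtual-Template{vt_num} not in domain {domain}")
            if not any(l.startswith(f"ip pool {pool} ") for l in views.get(("domain", domain), [])):
                problems.append(f"group {group}: domain {domain} defines no ip pool {pool}")
            if vpn is None or vpn in used_vpn:
                problems.append(f"Virtual-Template{vt_num}: vpn-instance {vpn} missing or shared")
            used_vpn.add(vpn)
    return problems

def username_collisions(ppp_users):
    """Note 3 above: with local authentication the part before '@' must be
    unique across domains.  Returns {username: [domains]} for offenders."""
    domains = defaultdict(set)
    for name, _, domain in (u.partition("@") for u in ppp_users):
        domains[name].add(domain)
    return {n: sorted(d) for n, d in domains.items() if len(d) > 1}

if __name__ == "__main__":
    views = parse_views(ROUTER_C_CONFIG)
    print("no tunnel auth / plaintext passwords:", weak_settings(views))
    print("binding problems:", check_domain_bindings(views) or "none")
    print("username collisions:", username_collisions(["rad@rad", "hws@hws"]) or "none")
```

Run against the configuration in this document, the script reports groups 1 and 2 without tunnel authentication, users hws and rad with `password simple`, no binding problems and no username collisions. Feeding it a copy in which Virtual-Template2 authenticates in domain rad, or in which both templates are bound to vpn1, makes the binding check name the offending template, which is the misconfiguration that would let one enterprise's users land in the other's VPN instance. The two weak settings it lists are exactly what this lab example uses; the listing is where an operator would decide what a production deployment should change.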
· H3C MSR Series Routers Command References (V5)-R2311
· H3C MSR Series Routers Configuration Guides (V5)-R2311
Documentation for different models and specifications differs slightly; for details, contact your sales representative or the 400 service hotline. H3C reserves the right to modify the content of the documentation without any notice or prompt.