H3C MSR Series Routers Typical Configuration Examples (V5)-6W100

57 - MSR Series Routers: Typical Configuration Example of MPLS L3VPN over GRE over IPsec Backup across the Public Network with NAT Multi-Instance Internet Access


Configuration example: backing up an MPLS L3VPN network with MPLS L3VPN over GRE over IPsec tunnels across the public Internet on MSR series routers

Contents

1 Introduction

2 Prerequisites

3 Configuration example

3.1 Network requirements

3.2 Software version

3.3 Configuration procedure

3.3.1 Configuring PE

3.3.2 Configuring PE 1

3.3.3 Configuring PE 2

3.4 Verifying the configuration

3.5 Configuration files

4 Related documentation


1  Introduction

This document describes a typical case in which MPLS L3VPN over GRE over IPsec tunnels across the Internet back up an MPLS L3VPN network.

2  Prerequisites

This document is not strictly tied to a specific software or hardware version. If the behaviour you observe differs from what is described here, refer to the relevant product manuals or follow the actual behaviour of the device.

The configurations in this document were made and verified in a lab environment, with all device parameters at their factory defaults before configuration. If the device has already been configured, make sure the existing configuration does not conflict with the configuration in this example.

This document assumes that you are familiar with the GRE over IPsec and MPLS L3VPN features.

3  Configuration example

3.1  Network requirements

As shown in Figure 1, the headquarters PE router and the branch PE routers communicate across the MPLS VPN backbone. To keep the PEs reachable from each other when the primary MPLS VPN network fails, the requirements are:

·     Establish tunnel-based redundant backup links between the PEs so that the PEs can still reach each other when the MPLS network is down.

·     Configure NAT multi-instance on the PEs so that the VPN routes on each PE can reach the Internet.

Figure 1 Network diagram for MPLS L3VPN over GRE over IPsec backup and NAT multi-instance on MSR series routers (the address plan is listed below; the Ethernet0/1 interfaces of the three PEs share the 10.1.1.0/24 segment that plays the role of the MPLS backbone, and their Ethernet0/2 interfaces share the 20.1.1.0/24 segment with the Internet gateway 20.1.1.254)

Device    Interface  IP address
PE        Loop0      1.1.1.1/32
PE        Loop100    100.1.1.1/32
PE        Eth0/1     10.1.1.1/24
PE        Eth0/2     20.1.1.1/24
PE        Tunnel0    1.2.0.1/24
PE        Tunnel1    1.3.0.1/24
PE 1      Loop0      2.2.2.2/32
PE 1      Loop100    100.2.2.2/32
PE 1      Eth0/1     10.1.1.2/24
PE 1      Eth0/2     20.1.1.2/24
PE 1      Tunnel0    1.2.0.2/24
PE 2      Loop0      3.3.3.3/32
PE 2      Loop100    100.3.3.3/32
PE 2      Eth0/1     10.1.1.3/24
PE 2      Eth0/2     20.1.1.3/24
PE 2      Tunnel0    1.3.0.2/24
Internet  -          20.1.1.254/24

3.2  Software version

This example was configured and verified on Release 2311.

3.3  Configuration procedure

3.3.1  Configuring PE

# Configure the interface addresses.

<PE> system-view

[PE] interface loopback 0

[PE-LoopBack0] ip address 1.1.1.1 255.255.255.255

[PE-LoopBack0] quit

[PE] interface loopback 100

[PE-LoopBack100] ip address 100.1.1.1 255.255.255.255

[PE-LoopBack100] quit

[PE] interface ethernet 0/1

[PE-Ethernet0/1] port link-mode route

[PE-Ethernet0/1] ip address 10.1.1.1 255.255.255.0

[PE-Ethernet0/1] quit

[PE] interface ethernet 0/2

[PE-Ethernet0/2] port link-mode route

[PE-Ethernet0/2] ip address 20.1.1.1 255.255.255.0

[PE-Ethernet0/2] quit

# Configure OSPF so that the backbone addresses are reachable.

[PE] ospf 1

[PE-ospf-1] area 0.0.0.0

[PE-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0

[PE-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[PE-ospf-1-area-0.0.0.0] quit

[PE-ospf-1] quit

# Configure the MPLS LSR ID and enable MPLS and MPLS LDP globally.

[PE] router id 1.1.1.1

[PE] mpls lsr-id 1.1.1.1

[PE] mpls

[PE-mpls] quit

[PE] mpls ldp

[PE-mpls-ldp] quit

# Enable MPLS and MPLS LDP on interface Ethernet0/1.

[PE] interface ethernet0/1

[PE-Ethernet0/1] mpls

[PE-Ethernet0/1] mpls ldp

[PE-Ethernet0/1] quit

# Create VPN instance vpna and configure its RD and VPN target attributes.

[PE] ip vpn-instance vpna

[PE-vpn-instance-vpna] route-distinguisher 1:1

[PE-vpn-instance-vpna] vpn-target 1:1 export-extcommunity

[PE-vpn-instance-vpna] vpn-target 1:1 import-extcommunity

[PE-vpn-instance-vpna] quit

# Establish MP-IBGP peer relationships between the PEs.

[PE] bgp 100

[PE-bgp] group 100 internal

[PE-bgp] peer 100 connect-interface loopback 0

[PE-bgp] peer 2.2.2.2 group 100

[PE-bgp] peer 3.3.3.3 group 100

# Enter BGP-VPN instance view and redistribute the direct routes into the routing table of vpna.

[PE-bgp] ipv4-family vpn-instance vpna

[PE-bgp-ipv4-vpna] import-route direct

[PE-bgp-ipv4-vpna] quit

# Enter BGP-VPNv4 address family view and enable peers 2.2.2.2 and 3.3.3.3.

[PE-bgp] ipv4-family vpnv4

[PE-bgp-af-vpnv4] peer 100 enable

[PE-bgp-af-vpnv4] peer 2.2.2.2 enable

[PE-bgp-af-vpnv4] peer 2.2.2.2 group 100

[PE-bgp-af-vpnv4] peer 3.3.3.3 enable

[PE-bgp-af-vpnv4] peer 3.3.3.3 group 100

[PE-bgp-af-vpnv4] quit

[PE-bgp] quit

# Configure the local IKE security gateway name as 1.1.1.1.

[PE] ike local-name 1.1.1.1

# Create GRE tunnel interface Tunnel 0 towards PE 1.

[PE] interface tunnel 0

[PE-Tunnel0] ip address 1.2.0.1 255.255.255.0

[PE-Tunnel0] source 100.1.1.1

[PE-Tunnel0] destination 100.2.2.2

# Enable GRE keepalive on the tunnel so that the interface goes down, and OSPF withdraws the path, when the remote end stops answering.

[PE-Tunnel0] keepalive 10 3

# Enable MPLS on Tunnel 0.

[PE-Tunnel0] mpls

[PE-Tunnel0] quit

# Create GRE tunnel interface Tunnel 1 towards PE 2.

[PE] interface tunnel 1

[PE-Tunnel1] ip address 1.3.0.1 255.255.255.0

[PE-Tunnel1] source 100.1.1.1

[PE-Tunnel1] destination 100.3.3.3

# Enable GRE keepalive on the tunnel.

[PE-Tunnel1] keepalive 10 3

# Enable MPLS on Tunnel 1.

[PE-Tunnel1] mpls

[PE-Tunnel1] quit

# Add Tunnel 0 and Tunnel 1 to the OSPF network.

[PE] ospf 1

[PE-ospf-1] area 0.0.0.0

[PE-ospf-1-area-0.0.0.0] network 1.2.0.0 0.0.0.255

[PE-ospf-1-area-0.0.0.0] network 1.3.0.0 0.0.0.255

[PE-ospf-1-area-0.0.0.0] quit

[PE-ospf-1] quit

# Configure the ACLs that define the data flows: ACL 3000 selects the VPN traffic to be translated by NAT, and ACLs 3333 and 3334 select the GRE packets of each tunnel to be protected by IPsec.

[PE] acl number 3000

[PE-acl-adv-3000] rule 0 permit ip vpn-instance vpna

[PE-acl-adv-3000] quit

[PE] acl number 3333

[PE-acl-adv-3333] rule 10 permit gre source 100.1.1.1 0 destination 100.2.2.2 0

[PE-acl-adv-3333] quit

[PE] acl number 3334

[PE-acl-adv-3334] rule 20 permit gre source 100.1.1.1 0 destination 100.3.3.3 0

[PE-acl-adv-3334] quit

# Create IPsec transform set tran1 with tunnel-mode encapsulation and the ESP security protocol.

[PE] ipsec transform-set tran1

[PE-ipsec-transform-set-tran1] encapsulation-mode tunnel

[PE-ipsec-transform-set-tran1] transform esp

# Configure the SHA1 and DES algorithms. Single DES appears here only because the lab example was verified with it; it is no longer an adequate cipher, so for a production deployment choose 3DES or AES (see the command reference of your release for the exact keyword) and configure the same transform set on every peer.

[PE-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[PE-ipsec-transform-set-tran1] esp encryption-algorithm des

[PE-ipsec-transform-set-tran1] quit

# Configure IKE peer 2.2.2.2 using aggressive mode (required here because the peers authenticate with a pre-shared key and identify themselves by name rather than by IP address). Aggressive mode sends the identities in clear and lets an on-path observer collect material for offline guessing of the pre-shared key, so replace the short lab key h3c with a long random key.

[PE] ike peer 2.2.2.2

[PE-ike-peer-2.2.2.2] exchange-mode aggressive

[PE-ike-peer-2.2.2.2] pre-shared-key cipher h3c

[PE-ike-peer-2.2.2.2] id-type name

[PE-ike-peer-2.2.2.2] remote-name 2.2.2.2

# Enable NAT traversal for the IKE peer.

[PE-ike-peer-2.2.2.2] nat traversal

[PE-ike-peer-2.2.2.2] quit

# Configure IKE peer 3.3.3.3 using aggressive mode.

[PE] ike peer 3.3.3.3

[PE-ike-peer-3.3.3.3] exchange-mode aggressive

[PE-ike-peer-3.3.3.3] pre-shared-key cipher h3c

[PE-ike-peer-3.3.3.3] id-type name

[PE-ike-peer-3.3.3.3] remote-name 3.3.3.3

# Enable NAT traversal for the IKE peer.

[PE-ike-peer-3.3.3.3] nat traversal

[PE-ike-peer-3.3.3.3] quit

# Create IPsec policy entry branch 1 with ISAKMP negotiation, referencing ACL 3333, IKE peer 2.2.2.2, and IPsec transform set tran1.

[PE] ipsec policy branch 1 isakmp

[PE-ipsec-policy-isakmp-branch-1] security acl 3333

[PE-ipsec-policy-isakmp-branch-1] ike-peer 2.2.2.2

[PE-ipsec-policy-isakmp-branch-1] transform-set tran1

[PE-ipsec-policy-isakmp-branch-1] quit

# Create IPsec policy entry branch 2 with ISAKMP negotiation, referencing ACL 3334, IKE peer 3.3.3.3, and IPsec transform set tran1. Each entry of the group must reference its own ACL: entries are matched in sequence order, so an entry that reused ACL 3333 would never match and the GRE packets to PE 2 would cross the Internet unprotected.

[PE] ipsec policy branch 2 isakmp

[PE-ipsec-policy-isakmp-branch-2] security acl 3334

[PE-ipsec-policy-isakmp-branch-2] ike-peer 3.3.3.3

[PE-ipsec-policy-isakmp-branch-2] transform-set tran1

[PE-ipsec-policy-isakmp-branch-2] quit

# Apply IPsec policy group branch and NAT multi-instance on interface Ethernet0/2. ACL 3000 matches only packets from VPN instance vpna, so VPN traffic bound for the Internet is translated to the address of Ethernet0/2, while the GRE/ESP packets exchanged between the public-instance loopbacks are not translated.

[PE] interface ethernet 0/2

[PE-Ethernet0/2] ip address 20.1.1.1 255.255.255.0

[PE-Ethernet0/2] ipsec policy branch

[PE-Ethernet0/2] nat outbound 3000

[PE-Ethernet0/2] quit

# Configure a default route to the Internet for VPN instance vpna (the outgoing interface belongs to the public network).

[PE] ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 ethernet0/2 20.1.1.254

# Configure a default route to the Internet in the public network.

[PE] ip route-static 0.0.0.0 0.0.0.0 20.1.1.254

3.3.2  Configuring PE 1

# Configure the interface addresses.

<PE1> system-view

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 2.2.2.2 255.255.255.255

[PE1-LoopBack0] quit

[PE1] interface loopback 100

[PE1-LoopBack100] ip address 100.2.2.2 255.255.255.255

[PE1-LoopBack100] quit

[PE1] interface ethernet 0/1

[PE1-Ethernet0/1] port link-mode route

[PE1-Ethernet0/1] ip address 10.1.1.2 255.255.255.0

[PE1-Ethernet0/1] quit

[PE1] interface ethernet 0/2

[PE1-Ethernet0/2] port link-mode route

[PE1-Ethernet0/2] ip address 20.1.1.2 255.255.255.0

[PE1-Ethernet0/2] quit

# Configure OSPF so that the backbone addresses are reachable.

[PE1] ospf 1

[PE1-ospf-1] area 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure the MPLS LSR ID and enable MPLS and MPLS LDP globally.

[PE1] router id 2.2.2.2

[PE1] mpls lsr-id 2.2.2.2

[PE1] mpls

[PE1-mpls] quit

[PE1] mpls ldp

[PE1-mpls-ldp] quit

# Enable MPLS and MPLS LDP on interface Ethernet0/1.

[PE1] interface ethernet 0/1

[PE1-Ethernet0/1] mpls

[PE1-Ethernet0/1] mpls ldp

[PE1-Ethernet0/1] quit

# Create VPN instance vpna and configure its RD and VPN target attributes.

[PE1] ip vpn-instance vpna

[PE1-vpn-instance-vpna] route-distinguisher 2:1

[PE1-vpn-instance-vpna] vpn-target 1:1 export-extcommunity

[PE1-vpn-instance-vpna] vpn-target 1:1 import-extcommunity

[PE1-vpn-instance-vpna] quit

# Establish MP-IBGP peer relationships between the PEs.

[PE1] bgp 100

[PE1-bgp] group 100 internal

[PE1-bgp] peer 100 connect-interface loopback0

[PE1-bgp] peer 1.1.1.1 group 100

[PE1-bgp] peer 3.3.3.3 group 100

# Enter BGP-VPN instance view and redistribute the direct routes into the routing table of vpna.

[PE1-bgp] ipv4-family vpn-instance vpna

[PE1-bgp-ipv4-vpna] import-route direct

[PE1-bgp-ipv4-vpna] quit

# Enter BGP-VPNv4 address family view and enable peers 1.1.1.1 and 3.3.3.3.

[PE1-bgp] ipv4-family vpnv4

[PE1-bgp-af-vpnv4] peer 100 enable

[PE1-bgp-af-vpnv4] peer 1.1.1.1 enable

[PE1-bgp-af-vpnv4] peer 1.1.1.1 group 100

[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable

[PE1-bgp-af-vpnv4] peer 3.3.3.3 group 100

[PE1-bgp-af-vpnv4] quit

[PE1-bgp] quit

# Configure the local IKE security gateway name as 2.2.2.2.

[PE1] ike local-name 2.2.2.2

# Create GRE tunnel interface Tunnel 0 towards PE.

[PE1] interface tunnel 0

[PE1-Tunnel0] ip address 1.2.0.2 255.255.255.0

[PE1-Tunnel0] source 100.2.2.2

[PE1-Tunnel0] destination 100.1.1.1

# Enable GRE keepalive on the tunnel.

[PE1-Tunnel0] keepalive 10 3

# Enable MPLS on Tunnel 0.

[PE1-Tunnel0] mpls

[PE1-Tunnel0] quit

# Add Tunnel 0 to the OSPF network.

[PE1] ospf 1

[PE1-ospf-1] area 0.0.0.0

[PE1-ospf-1-area-0.0.0.0] network 1.2.0.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

# Configure the ACLs that define the data flows.

[PE1] acl number 3000

[PE1-acl-adv-3000] rule 0 permit ip vpn-instance vpna

[PE1-acl-adv-3000] quit

[PE1] acl number 3333

[PE1-acl-adv-3333] rule 10 permit gre source 100.2.2.2 0 destination 100.1.1.1 0

[PE1-acl-adv-3333] quit

# Create IPsec transform set tran1 with tunnel-mode encapsulation and the ESP security protocol.

[PE1] ipsec transform-set tran1

[PE1-ipsec-transform-set-tran1] encapsulation-mode tunnel

[PE1-ipsec-transform-set-tran1] transform esp

# Configure the SHA1 and DES algorithms (see the note on DES in the PE configuration; the transform set must match on both ends).

[PE1-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[PE1-ipsec-transform-set-tran1] esp encryption-algorithm des

[PE1-ipsec-transform-set-tran1] quit

# Configure IKE peer 1.1.1.1 using aggressive mode.

[PE1] ike peer 1.1.1.1

[PE1-ike-peer-1.1.1.1] exchange-mode aggressive

[PE1-ike-peer-1.1.1.1] pre-shared-key cipher h3c

[PE1-ike-peer-1.1.1.1] id-type name

[PE1-ike-peer-1.1.1.1] remote-name 1.1.1.1

# Enable NAT traversal for the IKE peer.

[PE1-ike-peer-1.1.1.1] nat traversal

[PE1-ike-peer-1.1.1.1] quit

# Create IPsec policy entry center 1 with ISAKMP negotiation, referencing ACL 3333, IKE peer 1.1.1.1, and IPsec transform set tran1.

[PE1] ipsec policy center 1 isakmp

[PE1-ipsec-policy-isakmp-center-1] security acl 3333

[PE1-ipsec-policy-isakmp-center-1] ike-peer 1.1.1.1

[PE1-ipsec-policy-isakmp-center-1] transform-set tran1

[PE1-ipsec-policy-isakmp-center-1] quit

# Apply IPsec policy group center and NAT multi-instance on interface Ethernet0/2.

[PE1] interface ethernet 0/2

[PE1-Ethernet0/2] ipsec policy center

[PE1-Ethernet0/2] nat outbound 3000

[PE1-Ethernet0/2] quit

# Configure a default route to the Internet for VPN instance vpna.

[PE1] ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 ethernet0/2 20.1.1.254

# Configure a default route to the Internet in the public network.

[PE1] ip route-static 0.0.0.0 0.0.0.0 20.1.1.254

3.3.3  Configuring PE 2

# Configure the interface addresses.

<PE2> system-view

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 3.3.3.3 255.255.255.255

[PE2-LoopBack0] quit

[PE2] interface loopback 100

[PE2-LoopBack100] ip address 100.3.3.3 255.255.255.255

[PE2-LoopBack100] quit

[PE2] interface ethernet 0/1

[PE2-Ethernet0/1] port link-mode route

[PE2-Ethernet0/1] ip address 10.1.1.3 255.255.255.0

[PE2-Ethernet0/1] quit

[PE2] interface ethernet 0/2

[PE2-Ethernet0/2] port link-mode route

[PE2-Ethernet0/2] ip address 20.1.1.3 255.255.255.0

[PE2-Ethernet0/2] quit

# Configure OSPF so that the backbone addresses are reachable.

[PE2] ospf 1

[PE2-ospf-1] area 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

# Configure the MPLS LSR ID and enable MPLS and MPLS LDP globally.

[PE2] router id 3.3.3.3

[PE2] mpls lsr-id 3.3.3.3

[PE2] mpls

[PE2-mpls] quit

[PE2] mpls ldp

[PE2-mpls-ldp] quit

# Enable MPLS and MPLS LDP on interface Ethernet0/1.

[PE2] interface ethernet 0/1

[PE2-Ethernet0/1] mpls

[PE2-Ethernet0/1] mpls ldp

[PE2-Ethernet0/1] quit

# Create VPN instance vpna and configure its RD and VPN target attributes.

[PE2] ip vpn-instance vpna

[PE2-vpn-instance-vpna] route-distinguisher 3:1

[PE2-vpn-instance-vpna] vpn-target 1:1 export-extcommunity

[PE2-vpn-instance-vpna] vpn-target 1:1 import-extcommunity

[PE2-vpn-instance-vpna] quit

# Establish MP-IBGP peer relationships between the PEs.

[PE2] bgp 100

[PE2-bgp] group 100 internal

[PE2-bgp] peer 100 connect-interface loopback0

[PE2-bgp] peer 1.1.1.1 group 100

[PE2-bgp] peer 2.2.2.2 group 100

# Enter BGP-VPN instance view and redistribute the direct routes into the routing table of vpna.

[PE2-bgp] ipv4-family vpn-instance vpna

[PE2-bgp-ipv4-vpna] import-route direct

[PE2-bgp-ipv4-vpna] quit

# Enter BGP-VPNv4 address family view and enable peers 1.1.1.1 and 2.2.2.2.

[PE2-bgp] ipv4-family vpnv4

[PE2-bgp-af-vpnv4] peer 100 enable

[PE2-bgp-af-vpnv4] peer 1.1.1.1 enable

[PE2-bgp-af-vpnv4] peer 1.1.1.1 group 100

[PE2-bgp-af-vpnv4] peer 2.2.2.2 enable

[PE2-bgp-af-vpnv4] peer 2.2.2.2 group 100

[PE2-bgp-af-vpnv4] quit

[PE2-bgp] quit

# Configure the local IKE security gateway name as 3.3.3.3.

[PE2] ike local-name 3.3.3.3

# Create GRE tunnel interface Tunnel 0 towards PE.

[PE2] interface tunnel 0

[PE2-Tunnel0] ip address 1.3.0.2 255.255.255.0

[PE2-Tunnel0] source 100.3.3.3

[PE2-Tunnel0] destination 100.1.1.1

# Enable GRE keepalive on the tunnel.

[PE2-Tunnel0] keepalive 10 3

# Enable MPLS on Tunnel 0.

[PE2-Tunnel0] mpls

[PE2-Tunnel0] quit

# Add Tunnel 0 to the OSPF network.

[PE2] ospf 1

[PE2-ospf-1] area 0.0.0.0

[PE2-ospf-1-area-0.0.0.0] network 1.3.0.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

# Configure the ACLs that define the data flows.

[PE2] acl number 3000

[PE2-acl-adv-3000] rule 0 permit ip vpn-instance vpna

[PE2-acl-adv-3000] quit

[PE2] acl number 3333

[PE2-acl-adv-3333] rule 10 permit gre source 100.3.3.3 0 destination 100.1.1.1 0

[PE2-acl-adv-3333] quit

# Create IPsec transform set tran1 with tunnel-mode encapsulation and the ESP security protocol.

[PE2] ipsec transform-set tran1

[PE2-ipsec-transform-set-tran1] encapsulation-mode tunnel

[PE2-ipsec-transform-set-tran1] transform esp

# Configure the SHA1 and DES algorithms (see the note on DES in the PE configuration; the transform set must match on both ends).

[PE2-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[PE2-ipsec-transform-set-tran1] esp encryption-algorithm des

[PE2-ipsec-transform-set-tran1] quit

# Configure IKE peer 1.1.1.1 using aggressive mode.

[PE2] ike peer 1.1.1.1

[PE2-ike-peer-1.1.1.1] exchange-mode aggressive

[PE2-ike-peer-1.1.1.1] pre-shared-key cipher h3c

[PE2-ike-peer-1.1.1.1] id-type name

[PE2-ike-peer-1.1.1.1] remote-name 1.1.1.1

# Enable NAT traversal for the IKE peer.

[PE2-ike-peer-1.1.1.1] nat traversal

[PE2-ike-peer-1.1.1.1] quit

# Create IPsec policy entry center 1 with ISAKMP negotiation, referencing ACL 3333, IKE peer 1.1.1.1, and IPsec transform set tran1.

[PE2] ipsec policy center 1 isakmp

[PE2-ipsec-policy-isakmp-center-1] security acl 3333

[PE2-ipsec-policy-isakmp-center-1] ike-peer 1.1.1.1

[PE2-ipsec-policy-isakmp-center-1] transform-set tran1

[PE2-ipsec-policy-isakmp-center-1] quit

# Apply IPsec policy group center and NAT multi-instance on interface Ethernet0/2.

[PE2] interface ethernet 0/2

[PE2-Ethernet0/2] nat outbound 3000

[PE2-Ethernet0/2] ipsec policy center

[PE2-Ethernet0/2] quit

# Configure a default route to the Internet for VPN instance vpna.

[PE2] ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 ethernet0/2 20.1.1.254

# Configure a default route to the Internet in the public network.

[PE2] ip route-static 0.0.0.0 0.0.0.0 20.1.1.254

3.4  Verifying the configuration

# On the headquarters PE router, ping an Internet address from VPN instance vpna to check that VPN traffic reaches the Internet through NAT.

<PE> ping -vpn-instance vpna 20.1.1.254

  PING 20.1.1.254: 56  data bytes, press CTRL_C to break

    Reply from 20.1.1.254: bytes=56 Sequence=0 ttl=255 time=1 ms

    Reply from 20.1.1.254: bytes=56 Sequence=1 ttl=255 time=1 ms

    Reply from 20.1.1.254: bytes=56 Sequence=2 ttl=255 time=1 ms

    Reply from 20.1.1.254: bytes=56 Sequence=3 ttl=255 time=1 ms

    Reply from 20.1.1.254: bytes=56 Sequence=4 ttl=255 time=1 ms

 

  --- 20.1.1.254 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 1/1/1 ms

# On the headquarters PE router, ping the Internet address from the public network.

<PE> ping 20.1.1.254

  PING 20.1.1.254: 56  data bytes, press CTRL_C to break

    Reply from 20.1.1.254: bytes=56 Sequence=0 ttl=255 time=1 ms

    Reply from 20.1.1.254: bytes=56 Sequence=1 ttl=255 time=1 ms

    Reply from 20.1.1.254: bytes=56 Sequence=2 ttl=255 time=1 ms

    Reply from 20.1.1.254: bytes=56 Sequence=3 ttl=255 time=1 ms

    Reply from 20.1.1.254: bytes=56 Sequence=4 ttl=255 time=1 ms

 

  --- 20.1.1.254 ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 1/1/1 ms

# Display the MPLS LDP sessions on the headquarters router. Both sessions are expected to be Operational; a Non Existent status, as shown here for 3.3.3.3, means the session with that peer has not been established and should be investigated before relying on the primary path.

<PE> display mpls ldp session

 

               LDP Session(s) in Public Network

 Total number of sessions: 2

 ------------------------------------------------------------------------------

 Peer-ID                Status         SsnRole  FT   MD5  KA-Sent/Rcv

 ------------------------------------------------------------------------------

 2.2.2.2:0              Operational    Passive  Off  Off  1665/1665

 3.3.3.3:0              Non Existent   Passive  Off  Off  0/0

 ------------------------------------------------------------------------------

 FT  : Fault Tolerance

# Display the IKE peers on the headquarters PE router.

<PE> display ike peer

 

---------------------------

 IKE Peer: 2.2.2.2

   exchange mode: aggressive on phase 1

   pre-shared-key ******

   peer id type: name

   peer ip address: 20.1.1.2

   local ip address:

   peer name: 2.2.2.2

   nat traversal: enable

   dpd:

---------------------------

 

 

---------------------------

 IKE Peer: 3.3.3.3

   exchange mode: aggressive on phase 1

   pre-shared-key ******

   peer id type: name

   peer ip address: 20.1.1.3

   local ip address:

   peer name: 3.3.3.3

   nat traversal: enable

   dpd:

---------------------------

To confirm that the tunnels really act as a backup rather than as equal-cost paths, also check the public routing table and the IPsec state. While the backbone is up, display ip routing-table should show 2.2.2.2/32 and 3.3.3.3/32 via Ethernet0/1; OSPF assigns the Tunnel interfaces a much higher cost than the Ethernet link, which is what keeps them as backup. After Ethernet0/1 on PE is shut down, the same routes should point to Tunnel0 and Tunnel1, display ike sa and display ipsec sa should show an SA for each GRE peer pair, and display bgp vpnv4 all peer should show both MP-IBGP sessions still Established.

3.5  Configuration files

·     PE configuration:

#

 ike local-name 1.1.1.1

#

 router id 1.1.1.1

#

 mpls lsr-id 1.1.1.1

#

ip vpn-instance vpna

 route-distinguisher 1:1

 vpn-target 1:1 export-extcommunity

 vpn-target 1:1 import-extcommunity

#

acl number 3000

 rule 0 permit ip vpn-instance vpna

acl number 3333

 rule 10 permit gre source 100.1.1.1 0 destination 100.2.2.2 0

acl number 3334

 rule 20 permit gre source 100.1.1.1 0 destination 100.3.3.3 0

#

mpls

#

mpls ldp

#

ike peer 2.2.2.2

 exchange-mode aggressive

 pre-shared-key cipher $c$3$Ata32mmg/Sqogxj2B8z1IPQRRS0cDA==

 id-type name

 remote-name 2.2.2.2

 nat traversal

#

ike peer 3.3.3.3

 exchange-mode aggressive

 pre-shared-key cipher $c$3$jTaX3ShJo728rwzbWeHZl7raKsA2Mw==

 id-type name

 remote-name 3.3.3.3

 nat traversal

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 transform esp

 esp authentication-algorithm sha1

 esp encryption-algorithm des

#

ipsec policy branch 1 isakmp

 security acl 3333

 ike-peer 2.2.2.2

 transform-set tran1

#

ipsec policy branch 2 isakmp

 security acl 3334

 ike-peer 3.3.3.3

 transform-set tran1

#

interface LoopBack0

 ip address 1.1.1.1 255.255.255.255

#

interface LoopBack100

 ip address 100.1.1.1 255.255.255.255

#

interface Ethernet0/1

 ip address 10.1.1.1 255.255.255.0

 mpls

 mpls ldp

#

interface Ethernet0/2

 ip address 20.1.1.1 255.255.255.0

 nat outbound 3000

 ipsec policy branch

#

interface Tunnel0

 ip address 1.2.0.1 255.255.255.0

 source 100.1.1.1

 destination 100.2.2.2

 keepalive 10 3

 mpls

#

interface Tunnel1

 ip address 1.3.0.1 255.255.255.0

 source 100.1.1.1

 destination 100.3.3.3

 keepalive 10 3

 mpls

#

bgp 100

 undo synchronization

 group 100 internal

 peer 100 connect-interface LoopBack0

 peer 2.2.2.2 group 100

 peer 3.3.3.3 group 100

#

 ipv4-family vpn-instance vpna

  import-route direct

#

 ipv4-family vpnv4

  peer 100 enable

  peer 2.2.2.2 enable

  peer 2.2.2.2 group 100

  peer 3.3.3.3 enable

  peer 3.3.3.3 group 100

#

ospf 1

 area 0.0.0.0

  network 1.1.1.1 0.0.0.0

  network 1.2.0.0 0.0.0.255

  network 1.3.0.0 0.0.0.255

  network 10.1.1.0 0.0.0.255

 

#

 ip route-static 0.0.0.0 0.0.0.0 20.1.1.254

 ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 Ethernet0/2 20.1.1.254

·     PE 1 configuration:

#

 ike local-name 2.2.2.2

#

 router id 2.2.2.2

#

 mpls lsr-id 2.2.2.2

#

ip vpn-instance vpna

 route-distinguisher 2:1

 vpn-target 1:1 export-extcommunity

 vpn-target 1:1 import-extcommunity

#

acl number 3000

 rule 0 permit ip vpn-instance vpna

acl number 3333

 rule 10 permit gre source 100.2.2.2 0 destination 100.1.1.1 0

#

mpls

#

mpls ldp

#

ike peer 1.1.1.1

 exchange-mode aggressive

 pre-shared-key cipher $c$3$DeuU8f4NqT7u6cJ8E/+7jrXIyKGw/g==

 id-type name

 remote-name 1.1.1.1

 nat traversal

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 transform esp

 esp authentication-algorithm sha1

 esp encryption-algorithm des

#

ipsec policy center 1 isakmp

 security acl 3333

 ike-peer 1.1.1.1

 transform-set tran1

#

interface Ethernet0/1

 port link-mode route

 ip address 10.1.1.2 255.255.255.0

 mpls

 mpls ldp

#

interface Ethernet0/2

 port link-mode route

 nat outbound 3000

 ip address 20.1.1.2 255.255.255.0

 ipsec policy center

#

interface LoopBack0

 ip address 2.2.2.2 255.255.255.255

#

interface LoopBack100

 ip address 100.2.2.2 255.255.255.255

#

interface Tunnel0

 ip address 1.2.0.2 255.255.255.0

 source 100.2.2.2

 destination 100.1.1.1

 keepalive 10 3

 mpls

#

bgp 100

 undo synchronization

 group 100 internal

 peer 100 connect-interface LoopBack0

 peer 1.1.1.1 group 100

 peer 3.3.3.3 group 100

 #

 ipv4-family vpn-instance vpna

  import-route direct

 #

 ipv4-family vpnv4

  peer 100 enable

  peer 1.1.1.1 enable

  peer 1.1.1.1 group 100

  peer 3.3.3.3 enable

  peer 3.3.3.3 group 100

#

ospf 1

 area 0.0.0.0

  network 2.2.2.2 0.0.0.0

  network 1.2.0.0 0.0.0.255

  network 10.1.1.0 0.0.0.255

#

 ip route-static 0.0.0.0 0.0.0.0 20.1.1.254

 ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 Ethernet0/2 20.1.1.254

·     PE 2 configuration:

#

 ike local-name 3.3.3.3

#

 router id 3.3.3.3

#

 mpls lsr-id 3.3.3.3

#

ip vpn-instance vpna

 route-distinguisher 3:1

 vpn-target 1:1 export-extcommunity

 vpn-target 1:1 import-extcommunity

#

acl number 3000

 rule 0 permit ip vpn-instance vpna

acl number 3333

 rule 10 permit gre source 100.3.3.3 0 destination 100.1.1.1 0

#

mpls

#

mpls ldp

#

ike peer 1.1.1.1

 exchange-mode aggressive

 pre-shared-key cipher $c$3$+InhNF72zvL32yKkCOdR5QkPhhZc9A==

 id-type name

 remote-name 1.1.1.1

 nat traversal

#

ipsec transform-set tran1

 encapsulation-mode tunnel

 transform esp

 esp authentication-algorithm sha1

 esp encryption-algorithm des

#

ipsec policy center 1 isakmp

 security acl 3333

 ike-peer 1.1.1.1

 transform-set tran1

#

interface Ethernet0/1

 port link-mode route

 ip address 10.1.1.3 255.255.255.0

 mpls

 mpls ldp

#

interface Ethernet0/2

 port link-mode route

 nat outbound 3000

 duplex full

 ip address 20.1.1.3 255.255.255.0

 ipsec policy center

#

interface LoopBack0

 ip address 3.3.3.3 255.255.255.255

#

interface LoopBack100

 ip address 100.3.3.3 255.255.255.255

#

interface Tunnel0

 ip address 1.3.0.2 255.255.255.0

 source 100.3.3.3

 destination 100.1.1.1

 keepalive 10 3

 mpls

#

bgp 100

 undo synchronization

 group 100 internal

 peer 100 connect-interface LoopBack0

 peer 1.1.1.1 group 100

 peer 2.2.2.2 group 100

 #

 ipv4-family vpn-instance vpna

  import-route direct

 #

 ipv4-family vpnv4

  peer 100 enable

  peer 1.1.1.1 enable

  peer 1.1.1.1 group 100

  peer 2.2.2.2 enable

  peer 2.2.2.2 group 100

#

ospf 1

 area 0.0.0.0

  network 3.3.3.3 0.0.0.0

  network 1.3.0.0 0.0.0.255

  network 10.1.1.0 0.0.0.255

#

 ip route-static 0.0.0.0 0.0.0.0 20.1.1.254

 ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 Ethernet0/2 20.1.1.254
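The following Python script is an added example and is not part of the H3C document or of any H3C tool. It parses the configuration-file layout shown in section 3.5 and checks the properties that the IPsec steps in 3.3.1 depend on: each entry of an IPsec policy group must reference its own ACL, every GRE tunnel's source/destination pair must be selected by an ACL of a policy group that is applied to an interface, and the transform set should not use single DES. The embedded sample is a constructed extract of the PE configuration above with one deliberate error, entry branch 2 referencing ACL 3333 instead of 3334, so the script reports that entry, the DES transform set, and Tunnel1 as unprotected. The context parser and the field names are the example's own assumptions about the file layout.

```python
import re
from collections import defaultdict

# Constructed sample: the IPsec/GRE-related part of the PE configuration file in
# section 3.5, with entry 2 of group branch deliberately referencing ACL 3333.
PE_CONFIG = """\
acl number 3333
 rule 10 permit gre source 100.1.1.1 0 destination 100.2.2.2 0
acl number 3334
 rule 20 permit gre source 100.1.1.1 0 destination 100.3.3.3 0
#
ipsec transform-set tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm des
#
ipsec policy branch 1 isakmp
 security acl 3333
 transform-set tran1
#
ipsec policy branch 2 isakmp
 security acl 3333
 transform-set tran1
#
interface Ethernet0/2
 nat outbound 3000
 ipsec policy branch
#
interface Tunnel0
 source 100.1.1.1
 destination 100.2.2.2
#
interface Tunnel1
 source 100.1.1.1
 destination 100.3.3.3
"""

GRE_RULE = re.compile(r"rule \d+ permit gre source (\S+) 0 destination (\S+) 0")


def parse_contexts(text):
    """Split a Comware-style config into (header, [subcommands]) pairs: an unindented
    line opens a context, indented lines belong to it, an unindented '#' ends it."""
    contexts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            if line == "#" and not raw.startswith(" "):
                current = None
            continue
        if not raw.startswith(" "):
            current = (line, [])
            contexts.append(current)
        elif current is not None:
            current[1].append(line)
    return contexts


def _field(body, prefix):
    """Argument of the first subcommand in body that starts with prefix, else None."""
    for line in body:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None


def audit(text):
    """Return findings about whether every GRE tunnel is protected by IPsec."""
    acls, tunnels, tsets, policies, applied = {}, {}, {}, {}, []
    for header, body in parse_contexts(text):
        w = header.split()
        if w[:2] == ["acl", "number"]:
            acls[w[2]] = body
        elif w[0] == "interface" and w[1].startswith("Tunnel"):
            tunnels[w[1]] = body
        elif w[0] == "interface":
            applied += [c.split()[2] for c in body if c.startswith("ipsec policy ")]
        elif w[:2] == ["ipsec", "transform-set"]:
            tsets[w[2]] = body
        elif w[:2] == ["ipsec", "policy"]:
            policies[(w[2], int(w[3]))] = body
    findings, group_acls = [], defaultdict(dict)
    for (group, seq), body in policies.items():
        acl, tset = _field(body, "security acl"), _field(body, "transform-set")
        # Entries are matched in sequence order: an entry reusing an ACL never matches.
        if acl not in acls:
            findings.append(f"{group} {seq}: ACL {acl} is not defined")
        elif acl in group_acls[group]:
            findings.append(f"{group} {seq}: ACL {acl} already used by entry {group_acls[group][acl]}")
        else:
            group_acls[group][acl] = seq
        if _field(tsets.get(tset, []), "esp encryption-algorithm") == "des":
            findings.append(f"{group} {seq}: transform set {tset} uses single DES")
    # A GRE endpoint pair that no applied policy selects crosses the Internet in clear.
    protected = set()
    for group in applied:
        for acl in group_acls[group]:
            protected |= {m.groups() for m in map(GRE_RULE.match, acls[acl]) if m}
    for name, body in tunnels.items():
        pair = (_field(body, "source"), _field(body, "destination"))
        if pair not in protected:
            findings.append(f"{name}: GRE {pair[0]} -> {pair[1]} is not covered by any applied IPsec policy")
    return findings
```

Running audit(PE_CONFIG) lists the duplicate ACL in branch 2, the DES transform set for both entries, and Tunnel1 as unprotected; after the branch 2 entry is corrected to ACL 3334 only the two DES findings remain. The same function can be run over the PE 1 and PE 2 files, where the single center entry should cover the one tunnel each of them has.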

4  Related documentation

·     H3C MSR Series Routers Command References (V5)-R2311

·     H3C MSR Series Routers Configuration Guides (V5)-R2311