
H3C ICG2000[3000] Information and Communication Gateway Configuration Examples Guide-R9141-6W100


03-MPLS over ADVPN Configuration Examples



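1 Introduction

MPLS over ADVPN runs MPLS over ADVPN tunnels and establishes MPLS LSPs on top of those tunnels, so that MPLS networks at different locations can communicate across the ADVPN tunnels.

This document uses IPv4 MPLS L3VPN over UDP-encapsulated ADVPN tunnels (Full-Mesh network) and IPv6 LDP over GRE-encapsulated ADVPN tunnels (Hub-Spoke network) as examples to describe how to configure typical MPLS over ADVPN networks.

2 Prerequisites

This document applies to routers running Comware V9 software. If the procedures differ from your product in practice, see the relevant product manual or follow the actual behavior of the device.

All configurations in this document were performed and verified in a lab environment, with every device parameter at its factory default before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the following examples so that the examples work as intended.

This document assumes that you are familiar with LDP, MPLS L3VPN, and ADVPN.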

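3 Example: Configuring IPv4 MPLS L3VPN over UDP-Encapsulated ADVPN

3.1  Network requirements

The branches of an enterprise network connect to the public network with dynamic addresses. ADVPN is used to establish ADVPN tunnels between the Hub and the Spokes and between Spokes, forming a Full-Mesh network, so that the branches can still reach one another when their public addresses change.

The enterprise also wants to use MPLS L3VPN to isolate the traffic of different private networks between branches. To do so, MPLS LSPs must be established over the ADVPN tunnels on the public network so that MPLS VPN traffic can be carried across the ADVPN tunnels.

As shown in Figure 3-1, the specific networking requirements in this example are:

·     CE 1 and CE 2 both belong to VPN 1.

·     PE 1 and PE 2 are the devices through which the CEs access the MPLS L3VPN network, and they are also Spoke devices in the ADVPN network that establish ADVPN tunnels with the Hub.

·     PE 1, PE 2, and the Hub act as VAM clients and register their public-to-private address mappings with the VAM server.

Figure 3-1 Network diagram for IPv4 MPLS L3VPN over UDP-encapsulated ADVPN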

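3.2  Configuration approach

To carry MPLS VPN traffic across the ADVPN tunnels, perform the following configuration:

·     Run OSPF on the backbone-side interfaces of the PEs, Device, Hub, and VAM server to make sure routes are reachable between the VAM clients and the VAM server.

·     Configure ADVPN on the PEs and the Hub to establish UDP-encapsulated ADVPN tunnels between the PEs and the Hub and between the PEs.

·     Configure IPsec on the ADVPN tunnels to protect the data in transit.

·     For MPLS L3VPN, an ADVPN tunnel is a virtual link on the backbone. OSPF must run on the ADVPN tunnel interfaces and Loopback interfaces of the PEs and the Hub to make the public-network routes of MPLS L3VPN reachable.

·     Enable MPLS and LDP on the ADVPN tunnel interfaces so that LDP LSPs are established over the ADVPN tunnels. These LDP LSPs serve as the public tunnels of MPLS L3VPN.

·     Configure EBGP between each PE and its CE to exchange private routes. On the CEs, direct routes must be imported into BGP.

·     Establish MP-IBGP peers between the PEs to exchange BGP VPNv4 routes.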

3.3  Software version used

This example was configured and verified on an ICG2000H device running R9141P16.

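3.4  Data plan

Table 3-1 Data plan

Item                                                   Data
AS number of CE 1                                      65410
AS number of CE 2                                      65420
AS number of PE 1 and PE 2                             100
VAM server address                                     4.0.0.1
ADVPN tunnel interface address of the Hub              10.3.1.1/24
ADVPN tunnel interface address of PE 1 (Spoke1)        10.3.1.2/24
ADVPN tunnel interface address of PE 2 (Spoke2)        10.3.1.3/24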

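3.5  Configuration procedure

3.5.1  Configuring the VAM server

1. Configure IP addresses and a unicast routing protocol

# Configure the IP address of the interface.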

<Sysname> system-view

[Sysname] sysname VAMserver

[VAMserver] interface gigabitethernet 0/0/1

[VAMserver-GigabitEthernet0/0/1] ip address 4.0.0.1 24

[VAMserver-GigabitEthernet0/0/1] quit

# Configure OSPF for network-layer connectivity.

[VAMserver] ospf

[VAMserver-ospf-1] area 0

[VAMserver-ospf-1-area-0.0.0.0] network 4.0.0.0 0.0.0.255

[VAMserver-ospf-1-area-0.0.0.0] quit

[VAMserver-ospf-1] quit

2. Configure the device as the VAM server

# Create ADVPN domain abc.

[VAMserver] vam server advpn-domain abc id 1

# Create Hub group 0.

[VAMserver-vam-server-domain-abc] hub-group 0

# Specify the IPv4 private address of the Hub in the Hub group, that is, the address of the Hub's ADVPN tunnel interface.

[VAMserver-vam-server-domain-abc-hub-group-0] hub private-address 10.3.1.1

# Specify the IPv4 private address range of the Spokes in the Hub group.

[VAMserver-vam-server-domain-abc-hub-group-0] spoke private-address network 10.3.1.0 255.255.255.0

[VAMserver-vam-server-domain-abc-hub-group-0] quit

# Set the pre-shared key of the VAM server to 123456.

[VAMserver-vam-server-domain-abc] pre-shared-key simple 123456

# Configure the VAM server not to authenticate VAM clients.

[VAMserver-vam-server-domain-abc] authentication-method none

# Enable the VAM server for the ADVPN domain.

[VAMserver-vam-server-domain-abc] server enable

[VAMserver-vam-server-domain-abc] quit

3.5.2  Configuring the Hub

1. Configure IP addresses and a unicast routing protocol

# Configure the IP address of the interface.

<Sysname> system-view

[Sysname] sysname Hub

[Hub] interface gigabitethernet 0/0/1

[Hub-GigabitEthernet0/0/1] ip address 1.0.0.1 24

[Hub-GigabitEthernet0/0/1] quit

# Configure OSPF for network-layer connectivity.

[Hub] ospf

[Hub-ospf-1] area 0

[Hub-ospf-1-area-0.0.0.0] network 1.0.0.0 0.0.0.255

[Hub-ospf-1-area-0.0.0.0] quit

[Hub-ospf-1] quit

2. Configure the Hub as a VAM client

# Create VAM client Hub.

[Hub] vam client name Hub

# Set the ADVPN domain of the VAM client to abc.

[Hub-vam-client-Hub] advpn-domain abc

# Set the pre-shared key of the VAM client to 123456.

[Hub-vam-client-Hub] pre-shared-key simple 123456

# Configure the IP address of the VAM server.

[Hub-vam-client-Hub] server primary ip-address 4.0.0.1

# Enable the VAM client.

[Hub-vam-client-Hub] client enable

[Hub-vam-client-Hub] quit

3. Configure the IPsec profile

# Configure the IKE profile.

[Hub] ike keychain abc

[Hub-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[Hub-ike-keychain-abc] quit

[Hub] ike profile abc

[Hub-ike-profile-abc] keychain abc

[Hub-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub] ipsec transform-set abc

[Hub-ipsec-transform-set-abc] encapsulation-mode transport

[Hub-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub-ipsec-transform-set-abc] quit

[Hub] ipsec profile abc isakmp

[Hub-ipsec-profile-isakmp-abc] transform-set abc

[Hub-ipsec-profile-isakmp-abc] ike-profile abc

[Hub-ipsec-profile-isakmp-abc] quit

4. Configure the ADVPN tunnel

# Create the UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel1 and configure its IP address.

[Hub] interface tunnel1 mode advpn udp

[Hub-Tunnel1] ip address 10.3.1.1 255.255.255.0

# Bind the VAM client to the IPv4 ADVPN tunnel interface.

[Hub-Tunnel1] vam client Hub

# Set the OSPF network type to Broadcast so that ADVPN tunnels are established between Spokes, forming a Full-Mesh network.

[Hub-Tunnel1] ospf network-type broadcast

# Configure the source interface of the IPv4 ADVPN tunnel.

[Hub-Tunnel1] source gigabitethernet 0/0/1

# Apply the IPsec profile to the IPv4 ADVPN tunnel so that IPsec protects the data in transit.

[Hub-Tunnel1] tunnel protection ipsec profile abc

[Hub-Tunnel1] quit

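5. Configure OSPF to advertise the route for the ADVPN tunnel interface address

# Configure OSPF to advertise the route for the ADVPN tunnel interface address. The routes for Tunnel1 and GigabitEthernet0/0/1 are advertised through different OSPF processes.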

[Hub] ospf 2

[Hub-ospf-2] area 0

[Hub-ospf-2-area-0.0.0.0] network 10.3.1.0 0.0.0.255

[Hub-ospf-2-area-0.0.0.0] quit

[Hub-ospf-2] quit

3.5.3  Configuring PE 1

1. Configure IP addresses and a unicast routing protocol

# Configure the IP addresses of the interfaces.

<Sysname> system-view

[Sysname] sysname PE1

[PE1] interface loopback 0

[PE1-LoopBack0] ip address 1.1.1.1 32

[PE1-LoopBack0] quit

[PE1] interface gigabitethernet 0/0/1

[PE1-GigabitEthernet0/0/1] ip address 2.0.0.1 24

[PE1-GigabitEthernet0/0/1] quit

# Configure OSPF for network-layer connectivity.

[PE1] ospf

[PE1-ospf-1] area 0

[PE1-ospf-1-area-0.0.0.0] network 2.0.0.0 0.0.0.255

[PE1-ospf-1-area-0.0.0.0] quit

[PE1-ospf-1] quit

2. Configure the device as a VAM client

# Create VAM client Spoke1.

[PE1] vam client name Spoke1

# Set the ADVPN domain of the VAM client to abc.

[PE1-vam-client-Spoke1] advpn-domain abc

# Configure the pre-shared key of the VAM client.

[PE1-vam-client-Spoke1] pre-shared-key simple 123456

# Configure the IP address of the VAM server.

[PE1-vam-client-Spoke1] server primary ip-address 4.0.0.1

# Enable the VAM client.

[PE1-vam-client-Spoke1] client enable

[PE1-vam-client-Spoke1] quit

3. Configure the IPsec profile

# Configure the IKE profile.

[PE1] ike keychain abc

[PE1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[PE1-ike-keychain-abc] quit

[PE1] ike profile abc

[PE1-ike-profile-abc] keychain abc

[PE1-ike-profile-abc] quit

# Configure the IPsec profile.

[PE1] ipsec transform-set abc

[PE1-ipsec-transform-set-abc] encapsulation-mode transport

[PE1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[PE1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[PE1-ipsec-transform-set-abc] quit

[PE1] ipsec profile abc isakmp

[PE1-ipsec-profile-isakmp-abc] transform-set abc

[PE1-ipsec-profile-isakmp-abc] ike-profile abc

[PE1-ipsec-profile-isakmp-abc] quit

4. Configure the ADVPN tunnel

# Create the UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel1 and configure its IP address.

[PE1] interface tunnel1 mode advpn udp

[PE1-Tunnel1] ip address 10.3.1.2 255.255.255.0

# Bind the VAM client to the IPv4 ADVPN tunnel interface.

[PE1-Tunnel1] vam client Spoke1

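# Set the OSPF network type to Broadcast so that ADVPN tunnels are established between Spokes, forming a Full-Mesh network. Set the DR priority of PE1 to 0 so that PE1 does not take part in DR/BDR election.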

[PE1-Tunnel1] ospf network-type broadcast

[PE1-Tunnel1] ospf dr-priority 0

# Configure the source interface of the IPv4 ADVPN tunnel.

[PE1-Tunnel1] source gigabitethernet 0/0/1

# Apply the IPsec profile to the IPv4 ADVPN tunnel so that IPsec protects the data in transit.

[PE1-Tunnel1] tunnel protection ipsec profile abc

[PE1-Tunnel1] quit

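5. Configure OSPF to advertise the route for the ADVPN tunnel interface address

# Configure OSPF to advertise the routes for the ADVPN tunnel interface address and the Loopback interface address. The routes for Tunnel1/Loopback0 and GigabitEthernet0/0/1 are advertised through different OSPF processes.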

[PE1] ospf 2

[PE1-ospf-2] area 0

[PE1-ospf-2-area-0.0.0.0] network 1.1.1.1 0.0.0.0

[PE1-ospf-2-area-0.0.0.0] network 10.3.1.0 0.0.0.255

[PE1-ospf-2-area-0.0.0.0] quit

[PE1-ospf-2] quit

6. Configure the MPLS LSR ID of the node and enable MPLS and MPLS LDP

[PE1] mpls lsr-id 1.1.1.1

[PE1] mpls ldp

[PE1-ldp] quit

[PE1] interface tunnel1 mode advpn udp

[PE1-Tunnel1] mpls enable

[PE1-Tunnel1] mpls ldp enable

[PE1-Tunnel1] quit

7. Establish an MP-IBGP peer relationship between PE 1 and PE 2 to exchange VPNv4 routes

[PE1] bgp 100

[PE1-bgp-default] peer 2.2.2.2 as-number 100

[PE1-bgp-default] peer 2.2.2.2 connect-interface loopback 0

[PE1-bgp-default] address-family vpnv4

[PE1-bgp-default-vpnv4] peer 2.2.2.2 enable

[PE1-bgp-default-vpnv4] quit

8. Configure the VPN instance

# Create VPN instance vpn1 and configure its RD and RT.

[PE1] ip vpn-instance vpn1

[PE1-vpn-instance-vpn1] route-distinguisher 1:1

[PE1-vpn-instance-vpn1] vpn-target 1:1 import-extcommunity

[PE1-vpn-instance-vpn1] vpn-target 1:1 export-extcommunity

[PE1-vpn-instance-vpn1] quit

# Bind interface GigabitEthernet0/0/2 to VPN instance vpn1 and configure the IP address of the interface.

[PE1] interface gigabitethernet 0/0/2

[PE1-GigabitEthernet0/0/2] ip binding vpn-instance vpn1

[PE1-GigabitEthernet0/0/2] ip address 10.1.1.1 24

[PE1-GigabitEthernet0/0/2] quit

9. Establish an EBGP peer relationship between PE 1 and CE 1 to exchange private routes

[PE1] bgp 100

[PE1-bgp-default] ip vpn-instance vpn1

[PE1-bgp-default-vpn1] peer 10.1.1.2 as-number 65410

[PE1-bgp-default-vpn1] address-family ipv4 unicast

[PE1-bgp-default-ipv4-vpn1] peer 10.1.1.2 enable

[PE1-bgp-default-ipv4-vpn1] quit

[PE1-bgp-default-vpn1] quit

3.5.4  Configuring PE 2

1. Configure IP addresses and a unicast routing protocol

# Configure the IP addresses of the interfaces.

<Sysname> system-view

[Sysname] sysname PE2

[PE2] interface loopback 0

[PE2-LoopBack0] ip address 2.2.2.2 32

[PE2-LoopBack0] quit

[PE2] interface gigabitethernet 0/0/1

[PE2-GigabitEthernet0/0/1] ip address 3.0.0.1 24

[PE2-GigabitEthernet0/0/1] quit

# Configure OSPF for network-layer connectivity.

[PE2] ospf

[PE2-ospf-1] area 0

[PE2-ospf-1-area-0.0.0.0] network 3.0.0.0 0.0.0.255

[PE2-ospf-1-area-0.0.0.0] quit

[PE2-ospf-1] quit

2. Configure the device as a VAM client

# Create VAM client Spoke2.

[PE2] vam client name Spoke2

# Set the ADVPN domain of the VAM client to abc.

[PE2-vam-client-Spoke2] advpn-domain abc

# Configure the pre-shared key of the VAM client.

[PE2-vam-client-Spoke2] pre-shared-key simple 123456

# Configure the IP address of the VAM server.

[PE2-vam-client-Spoke2] server primary ip-address 4.0.0.1

# Enable the VAM client.

[PE2-vam-client-Spoke2] client enable

[PE2-vam-client-Spoke2] quit

3. Configure the IPsec profile

# Configure the IKE profile.

[PE2] ike keychain abc

[PE2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456

[PE2-ike-keychain-abc] quit

[PE2] ike profile abc

[PE2-ike-profile-abc] keychain abc

[PE2-ike-profile-abc] quit

# Configure the IPsec profile.

[PE2] ipsec transform-set abc

[PE2-ipsec-transform-set-abc] encapsulation-mode transport

[PE2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[PE2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[PE2-ipsec-transform-set-abc] quit

[PE2] ipsec profile abc isakmp

[PE2-ipsec-profile-isakmp-abc] transform-set abc

[PE2-ipsec-profile-isakmp-abc] ike-profile abc

[PE2-ipsec-profile-isakmp-abc] quit

4. Configure the ADVPN tunnel

# Create the UDP-encapsulated IPv4 ADVPN tunnel interface Tunnel1 and configure its IP address.

[PE2] interface tunnel1 mode advpn udp

[PE2-Tunnel1] ip address 10.3.1.3 255.255.255.0

# Bind the VAM client to the IPv4 ADVPN tunnel interface.

[PE2-Tunnel1] vam client Spoke2

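# Set the OSPF network type to Broadcast so that ADVPN tunnels are established between Spokes, forming a Full-Mesh network. Set the DR priority of PE2 to 0 so that PE2 does not take part in DR/BDR election.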

[PE2-Tunnel1] ospf network-type broadcast

[PE2-Tunnel1] ospf dr-priority 0

# Configure the source interface of the IPv4 ADVPN tunnel.

[PE2-Tunnel1] source gigabitethernet 0/0/1

# Apply the IPsec profile to the IPv4 ADVPN tunnel so that IPsec protects the data in transit.

[PE2-Tunnel1] tunnel protection ipsec profile abc

[PE2-Tunnel1] quit

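5. Configure OSPF to advertise the route for the ADVPN tunnel interface address

# Configure OSPF to advertise the routes for the ADVPN tunnel interface address and the Loopback interface address. The routes for Tunnel1/Loopback0 and GigabitEthernet0/0/1 are advertised through different OSPF processes.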

[PE2] ospf 2

[PE2-ospf-2] area 0

[PE2-ospf-2-area-0.0.0.0] network 2.2.2.2 0.0.0.0

[PE2-ospf-2-area-0.0.0.0] network 10.3.1.0 0.0.0.255

[PE2-ospf-2-area-0.0.0.0] quit

[PE2-ospf-2] quit

6. Configure the MPLS LSR ID of the node and enable MPLS and MPLS LDP

[PE2] mpls lsr-id 2.2.2.2

[PE2] mpls ldp

[PE2-ldp] quit

[PE2] interface tunnel1 mode advpn udp

[PE2-Tunnel1] mpls enable

[PE2-Tunnel1] mpls ldp enable

[PE2-Tunnel1] quit

7. Establish an MP-IBGP peer relationship between PE 1 and PE 2 to exchange VPNv4 routes

[PE2] bgp 100

[PE2-bgp-default] peer 1.1.1.1 as-number 100

[PE2-bgp-default] peer 1.1.1.1 connect-interface loopback 0

[PE2-bgp-default] address-family vpnv4

[PE2-bgp-default-vpnv4] peer 1.1.1.1 enable

[PE2-bgp-default-vpnv4] quit

8. Configure the VPN instance

# Create VPN instance vpn1 and configure its RD and RT.

[PE2] ip vpn-instance vpn1

[PE2-vpn-instance-vpn1] route-distinguisher 1:1

[PE2-vpn-instance-vpn1] vpn-target 1:1 import-extcommunity

[PE2-vpn-instance-vpn1] vpn-target 1:1 export-extcommunity

[PE2-vpn-instance-vpn1] quit

# Bind interface GigabitEthernet0/0/2 to VPN instance vpn1 and configure the IP address of the interface.

[PE2] interface gigabitethernet 0/0/2

[PE2-GigabitEthernet0/0/2] ip binding vpn-instance vpn1

[PE2-GigabitEthernet0/0/2] ip address 10.2.1.1 24

[PE2-GigabitEthernet0/0/2] quit

9. Establish an EBGP peer relationship between PE 1 and CE 1 to exchange private routes

[PE2] bgp 100

[PE2-bgp-default] ip vpn-instance vpn1

[PE2-bgp-default-vpn1] peer 10.2.1.2 as-number 65420

[PE2-bgp-default-vpn1] address-family ipv4 unicast

[PE2-bgp-default-ipv4-vpn1] peer 10.2.1.2 enable

[PE2-bgp-default-ipv4-vpn1] quit

[PE2-bgp-default-vpn1] quit

3.5.5  Configuring Device

1. Configure IP addresses

# Configure the IP addresses of the interfaces.

<Sysname> system-view

[Sysname] sysname Device

[Device] interface gigabitethernet 0/0/1

[Device-GigabitEthernet0/0/1] ip address 1.0.0.2 24

[Device-GigabitEthernet0/0/1] quit

[Device] interface gigabitethernet 0/0/2

[Device-GigabitEthernet0/0/2] ip address 2.0.0.2 24

[Device-GigabitEthernet0/0/2] quit

[Device] interface gigabitethernet 0/0/3

[Device-GigabitEthernet0/0/3] ip address 3.0.0.2 24

[Device-GigabitEthernet0/0/3] quit

[Device] interface gigabitethernet 0/0/4

[Device-GigabitEthernet0/0/4] ip address 4.0.0.2 24

[Device-GigabitEthernet0/0/4] quit

2. Configure a unicast routing protocol

# Configure OSPF for network-layer connectivity.

[Device] ospf

[Device-ospf-1] area 0

[Device-ospf-1-area-0.0.0.0] network 1.0.0.0 0.0.0.255

[Device-ospf-1-area-0.0.0.0] network 2.0.0.0 0.0.0.255

[Device-ospf-1-area-0.0.0.0] network 3.0.0.0 0.0.0.255

[Device-ospf-1-area-0.0.0.0] network 4.0.0.0 0.0.0.255

[Device-ospf-1-area-0.0.0.0] quit

[Device-ospf-1] quit

3.5.6  Configuring CE 1

1. Configure the IP address

<Sysname> system-view

[Sysname] sysname CE1

[CE1] interface gigabitethernet 0/0/1

[CE1-GigabitEthernet0/0/1] ip address 10.1.1.2 24

[CE1-GigabitEthernet0/0/1] quit

2. Establish an EBGP peer relationship between the PE and the CE and import direct routes

[CE1] bgp 65410

[CE1-bgp-default] peer 10.1.1.1 as-number 100

[CE1-bgp-default] address-family ipv4 unicast

[CE1-bgp-default-ipv4] peer 10.1.1.1 enable

[CE1-bgp-default-ipv4] import-route direct

[CE1-bgp-default-ipv4] quit

[CE1-bgp-default] quit

3.5.7  Configuring CE 2

1. Configure the IP address

<Sysname> system-view

[Sysname] sysname CE2

[CE2] interface gigabitethernet 0/0/1

[CE2-GigabitEthernet0/0/1] ip address 10.2.1.2 24

[CE2-GigabitEthernet0/0/1] quit

2. Establish an EBGP peer relationship between the PE and the CE and import direct routes

[CE2] bgp 65420

[CE2-bgp-default] peer 10.2.1.1 as-number 100

[CE2-bgp-default] address-family ipv4 unicast

[CE2-bgp-default-ipv4] peer 10.2.1.1 enable

[CE2-bgp-default-ipv4] import-route direct

[CE2-bgp-default-ipv4] quit

[CE2-bgp-default] quit

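3.6  Verifying the configuration

3.6.1  Verifying that the ADVPN tunnels are established

# On the VAM server, display the IPv4 private address mappings of all registered VAM clients. The public-to-private address mappings of the Hub, Spoke 1, and Spoke 2 have all been registered with the VAM server.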

<VAMserver> display vam server address-map

ADVPN domain name: abc

Total private address mappings: 3

Group      Private address  Public address              Type   NAT  Holding time

0          10.3.1.1         1.0.0.1                     Hub    No   0H 43M 43S

0          10.3.1.2         2.0.0.1                     Spoke  No   0H 44M 40S

0          10.3.1.3         3.0.0.1                     Spoke  No   0H 44M 53S

# On PE 1, ping the private address 10.3.1.3 of PE 2. The ping succeeds.

<PE1> ping 10.3.1.3

Ping 10.3.1.3 (10.3.1.3): 56 data bytes, press CTRL_C to break

56 bytes from 10.3.1.3: icmp_seq=0 ttl=255 time=4.000 ms

56 bytes from 10.3.1.3: icmp_seq=1 ttl=255 time=0.000 ms

56 bytes from 10.3.1.3: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 10.3.1.3: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 10.3.1.3: icmp_seq=4 ttl=255 time=1.000 ms

 

--- Ping statistics for 10.3.1.3 ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms

# On the Hub, PE 1, and PE 2, display IPv4 ADVPN tunnel information. ADVPN tunnels have been established between the Hub and the Spokes and between the Spokes.

<Hub> display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address      Public address       Port  Type  State        Holding time

10.3.1.2             2.0.0.1              18001 H-S   Success      0H 41M 35S

10.3.1.3             3.0.0.1              18001 H-S   Success      0H 41M 36S

<PE1> display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address      Public address       Port  Type  State        Holding time

10.3.1.1             1.0.0.1              18001 S-H   Success      0H 44M 7S

10.3.1.3             3.0.0.1              18001 S-S   Success      0H 40M 2S

<PE2> display advpn session

Interface         : Tunnel1

Number of sessions: 2

Private address      Public address       Port  Type  State        Holding time

10.3.1.1             1.0.0.1              18001 S-H   Success      0H 48M 41S

10.3.1.2             2.0.0.1              18001 S-S   Success      0H 44M 31S
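
The three session tables above confirm the full mesh only if every device holds a Success session to every other address registered on the VAM server, at the registered public address. The following added example (not H3C code) automates that cross-check over the outputs shown above and also reports sessions to peers the VAM server never registered; reading the Type column as "local role-peer role" is inferred from these outputs, and the BROKEN_PE1 text is constructed.

```python
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"
MAP_ROW = re.compile(rf"^\s*\d+\s+{IP}\s+{IP}\s+(Hub|Spoke)\s")
SESSION_ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+\d+\s+([HS])-([HS])\s+(\S+)\s")

def parse_address_map(text):
    """Return {private: (public, 'H' or 'S')} from 'display vam server address-map'."""
    nodes = {}
    for line in text.splitlines():
        m = MAP_ROW.match(line)
        if m:
            nodes[m.group(1)] = (m.group(2), m.group(3)[0])
    return nodes

def parse_sessions(text):
    """Return {peer_private: (public, local_role, peer_role, state)} from 'display advpn session'."""
    sessions = {}
    for line in text.splitlines():
        m = SESSION_ROW.match(line)
        if m:
            sessions[m.group(1)] = m.groups()[1:]
    return sessions

def check_full_mesh(address_map, sessions_by_node):
    """List every deviation from a full mesh of registered, established sessions."""
    problems = []
    for local, sessions in sessions_by_node.items():
        if local not in address_map:
            problems.append(f"{local}: not registered on the VAM server")
            continue
        local_role = address_map[local][1]
        for peer, (public, role) in address_map.items():
            if peer == local:
                continue
            if peer not in sessions:
                problems.append(f"{local}: no session to {peer}")
                continue
            s_public, s_local, s_peer, state = sessions[peer]
            if state != "Success":
                problems.append(f"{local}: session to {peer} is {state}")
            if s_public != public:
                problems.append(f"{local}: {peer} seen at {s_public}, registered as {public}")
            if (s_local, s_peer) != (local_role, role):
                problems.append(f"{local}: {peer} has type {s_local}-{s_peer}, "
                                f"expected {local_role}-{role}")
        for peer in sessions:
            if peer not in address_map:
                problems.append(f"{local}: session to unregistered peer {peer}")
    return problems

# Rows copied from the outputs shown on this page.
VAM_MAP = """\
Group      Private address  Public address              Type   NAT  Holding time
0          10.3.1.1         1.0.0.1                     Hub    No   0H 43M 43S
0          10.3.1.2         2.0.0.1                     Spoke  No   0H 44M 40S
0          10.3.1.3         3.0.0.1                     Spoke  No   0H 44M 53S
"""
HUB = """\
10.3.1.2             2.0.0.1              18001 H-S   Success      0H 41M 35S
10.3.1.3             3.0.0.1              18001 H-S   Success      0H 41M 36S
"""
PE1 = """\
10.3.1.1             1.0.0.1              18001 S-H   Success      0H 44M 7S
10.3.1.3             3.0.0.1              18001 S-S   Success      0H 40M 2S
"""
PE2 = """\
10.3.1.1             1.0.0.1              18001 S-H   Success      0H 48M 41S
10.3.1.2             2.0.0.1              18001 S-S   Success      0H 44M 31S
"""
# Constructed failure case: the Spoke-Spoke session is missing and an
# address that the VAM server never registered appears instead.
BROKEN_PE1 = """\
10.3.1.1             1.0.0.1              18001 S-H   Success      0H 44M 7S
10.3.1.9             9.0.0.1              18001 S-S   Success      0H 0M 12S
"""

PAGE_SESSIONS = {
    "10.3.1.1": parse_sessions(HUB),
    "10.3.1.2": parse_sessions(PE1),
    "10.3.1.3": parse_sessions(PE2),
}

if __name__ == "__main__":
    nodes = parse_address_map(VAM_MAP)
    print(check_full_mesh(nodes, PAGE_SESSIONS) or "full mesh confirmed")
    for problem in check_full_mesh(nodes, {"10.3.1.2": parse_sessions(BROKEN_PE1)}):
        print(problem)
```
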

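3.6.2  Verifying that the PEs learn the remote private routes and the CEs can ping each other

# Run the display bgp peer vpnv4 command on the PEs. PE 1 and PE 2 have established a BGP VPNv4 peer relationship.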

<PE1> display bgp peer vpnv4

 

 BGP local router ID: 1.1.1.1

 Local AS number: 100

 Total number of peers: 1                 Peers in established state: 1

 

  * - Dynamically created peer

  Peer                    AS  MsgRcvd  MsgSent OutQ PrefRcv Up/Down  State

 

  2.2.2.2                100       30       26    0       1 00:20:34 Established

<PE2> display bgp peer vpnv4

 

 BGP local router ID: 2.2.2.2

 Local AS number: 100

 Total number of peers: 1                 Peers in established state: 1

 

  * - Dynamically created peer

  Peer                    AS  MsgRcvd  MsgSent OutQ PrefRcv Up/Down  State

 

  1.1.1.1                100       30       35    0       1 00:24:36 Established

# Run the display bgp routing-table vpnv4 command on the PEs. Each PE has learned the private routes of the remote CE through BGP VPNv4.

<PE1> display bgp routing-table vpnv4

 

 BGP local router ID is 1.1.1.1

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external,

               a - additional-path

               Origin: i - IGP, e - EGP, ? - incomplete

 

 Total number of routes from all PEs: 1

 

 Route distinguisher: 1:1(vpn1)

 Total number of routes: 2

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >e 10.1.1.0/24        10.1.1.2        0                     0       65410?

* >i 10.2.1.0/24        2.2.2.2         0          100        0       65420?

<PE2> display bgp routing-table vpnv4

 

 BGP local router ID is 2.2.2.2

 Status codes: * - valid, > - best, d - dampened, h - history,

               s - suppressed, S - stale, i - internal, e - external,

               a - additional-path

               Origin: i - IGP, e - EGP, ? - incomplete

 

 Total number of routes from all PEs: 1

 

 Route distinguisher: 1:1(vpn1)

 Total number of routes: 2

 

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn

 

* >i 10.1.1.0/24        1.1.1.1         0          100        0       65410?

* >e 10.2.1.0/24        10.2.1.2        0                     0       65420?

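# Display the FIB entries of VPN instance vpn1 on the PEs. The outgoing interface of the route to the remote CE is the ADVPN tunnel interface Tunnel1, and the remote PE has assigned a private label to that route.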

<PE1> display fib vpn-instance vpn1

Route destination count: 9

Directly-connected host count: 1

 

Flag:

  U:Usable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static

  R:Relay     F:FRR

 

Destination/Mask   Nexthop         Flag     OutInterface/Token       Label

0.0.0.0/32         127.0.0.1       UH       InLoop0                  Null

10.1.1.0/24        10.1.1.1        U        GE0/0/2                        Null

10.1.1.1/32        127.0.0.1       UH       InLoop0                  Null

10.1.1.2/32        10.1.1.2        UH       GE0/0/2                        Null

10.1.1.255/32      10.1.1.1        UBH      GE0/0/2                        Null

10.2.1.0/24        2.2.2.2         UGR      1                        24256

127.0.0.0/8        127.0.0.1       U        InLoop0                  Null

127.0.0.1/32       127.0.0.1       UH       InLoop0                  Null

127.255.255.255/32 127.0.0.1       UH       InLoop0                  Null

255.255.255.255/32 127.0.0.1       UH       InLoop0                  Null

<PE2> display fib vpn-instance vpn1

Route destination count: 9

Directly-connected host count: 1

 

Flag:

  U:Usable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static

  R:Relay     F:FRR

 

Destination/Mask   Nexthop         Flag     OutInterface/Token       Label

0.0.0.0/32         127.0.0.1       UH       InLoop0                  Null

10.1.1.0/24        1.1.1.1         UGR      1                        24256

10.2.1.0/24        10.2.1.1        U        GE0/0/2                        Null

10.2.1.1/32        127.0.0.1       UH       InLoop0                  Null

10.2.1.2/32        10.2.1.2        UH       GE0/0/2                        Null

10.2.1.255/32      10.2.1.1        UBH      GE0/0/2                        Null

127.0.0.0/8        127.0.0.1       U        InLoop0                  Null

127.0.0.1/32       127.0.0.1       UH       InLoop0                  Null

127.255.255.255/32 127.0.0.1       UH       InLoop0                  Null

255.255.255.255/32 127.0.0.1       UH       InLoop0                  Null

# The CEs can ping each other.

<CE1> ping 10.2.1.2

Ping 10.2.1.2 (10.2.1.2): 56 data bytes, press CTRL_C to break

56 bytes from 10.2.1.2: icmp_seq=0 ttl=253 time=2.000 ms

56 bytes from 10.2.1.2: icmp_seq=1 ttl=253 time=1.000 ms

56 bytes from 10.2.1.2: icmp_seq=2 ttl=253 time=2.000 ms

56 bytes from 10.2.1.2: icmp_seq=3 ttl=253 time=1.000 ms

56 bytes from 10.2.1.2: icmp_seq=4 ttl=253 time=2.000 ms

 

--- Ping statistics for 10.2.1.2 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.600/2.000/0.490 ms

3.7  Configuration files

·     VAM server

#

 sysname VAMserver

 

#

ospf 1

 area 0.0.0.0

  network 4.0.0.0 0.0.0.255

 

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ip address 4.0.0.1 255.255.255.0

 

#

vam server advpn-domain abc id 1

 pre-shared-key cipher $c$3$4g3dSoFtvWfi8HvmFfTt2RItcU9oDrJnYg==

 authentication-method none

 server enable

 hub-group 0

  hub private-address 10.3.1.1

  spoke private-address range 10.3.1.0 10.3.1.255

#

return

·     Hub

#

 sysname Hub

#

ospf 1

 area 0.0.0.0

  network 1.0.0.0 0.0.0.255

#

ospf 2

 area 0.0.0.0

  network 10.3.1.0 0.0.0.255

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ip address 1.0.0.1 255.255.255.0

#

interface Tunnel1 mode advpn udp

 ip address 10.3.1.1 255.255.255.0

 ospf network-type broadcast

 source GigabitEthernet0/0/1

 tunnel protection ipsec profile abc

 vam client Hub

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$MTshF3PbSXutZ6ba3rQ445mP6m1jyPXuMg==

#

vam client name Hub

 advpn-domain abc

 server primary ip-address 4.0.0.1

 pre-shared-key cipher $c$3$t3kfwOkdYFK57jEODcpQHf943u+98JdbkA==

 client enable

#

return

·     PE 1

#

 sysname PE1

#

ip vpn-instance vpn1

 route-distinguisher 1:1

 vpn-target 1:1 import-extcommunity

 vpn-target 1:1 export-extcommunity

#

ospf 1

 area 0.0.0.0

  network 2.0.0.0 0.0.0.255

#

ospf 2

 area 0.0.0.0

  network 1.1.1.1 0.0.0.0

  network 10.3.1.0 0.0.0.255

#

 mpls lsr-id 1.1.1.1

#

mpls ldp

#

interface LoopBack0

 ip address 1.1.1.1 255.255.255.255

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ip address 2.0.0.1 255.255.255.0

#

interface GigabitEthernet0/0/2

 port link-mode route

 combo enable copper

 ip binding vpn-instance vpn1

 ip address 10.1.1.1 255.255.255.0

#

interface Tunnel1 mode advpn udp

 ip address 10.3.1.2 255.255.255.0

 ospf network-type broadcast

 ospf dr-priority 0

 mpls enable

 mpls ldp enable

 source GigabitEthernet0/0/1

 tunnel protection ipsec profile abc

 vam client Spoke1

#

bgp 100

 peer 2.2.2.2 as-number 100

 peer 2.2.2.2 connect-interface LoopBack0

 #

 address-family vpnv4

  peer 2.2.2.2 enable

 #

 ip vpn-instance vpn1

  peer 10.1.1.2 as-number 65410

  #

  address-family ipv4 unicast

   peer 10.1.1.2 enable

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$D4z85zTTQkoSKg6QcP/yNRcRyYzT5Rci1w==

#

vam client name Spoke1

 advpn-domain abc

 server primary ip-address 4.0.0.1

 pre-shared-key cipher $c$3$kdGtUDsS34JSBmeagv0gg/+bUzGX1jo/nQ==

 client enable

#

return

·     PE 2

#

 sysname PE2

#

ip vpn-instance vpn1

 route-distinguisher 1:1

 vpn-target 1:1 import-extcommunity

 vpn-target 1:1 export-extcommunity

#

ospf 1

 area 0.0.0.0

  network 3.0.0.0 0.0.0.255

#

ospf 2

 area 0.0.0.0

  network 2.2.2.2 0.0.0.0

  network 10.3.1.0 0.0.0.255

#

 mpls lsr-id 2.2.2.2

#

mpls ldp

#

interface LoopBack0

 ip address 2.2.2.2 255.255.255.255

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ip address 3.0.0.1 255.255.255.0

#

interface GigabitEthernet0/0/2

 port link-mode route

 combo enable copper

 ip binding vpn-instance vpn1

 ip address 10.2.1.1 255.255.255.0

#

interface Tunnel1 mode advpn udp

 ip address 10.3.1.3 255.255.255.0

 ospf network-type broadcast

 ospf dr-priority 0

 mpls enable

 mpls ldp enable

 source GigabitEthernet0/0/1

 tunnel protection ipsec profile abc

 vam client Spoke2

#

bgp 100

 peer 1.1.1.1 as-number 100

 peer 1.1.1.1 connect-interface LoopBack0

 #

 address-family vpnv4

  peer 1.1.1.1 enable

 #

 ip vpn-instance vpn1

  peer 10.2.1.2 as-number 65420

  #

  address-family ipv4 unicast

   peer 10.2.1.2 enable

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$xDmL61HQY2KOy0pQqPpkwXNZD81U77cPow==

#

vam client name Spoke2

 advpn-domain abc

 server primary ip-address 4.0.0.1

 pre-shared-key cipher $c$3$JmWbOY0L4qmNKYkMvY2ve3/cbDz7lVFuKg==

 client enable

#

return

·     Device

#

 sysname Device

#

ospf 1

 area 0.0.0.0

  network 1.0.0.0 0.0.0.255

  network 2.0.0.0 0.0.0.255

  network 3.0.0.0 0.0.0.255

  network 4.0.0.0 0.0.0.255

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ip address 1.0.0.2 255.255.255.0

#

interface GigabitEthernet0/0/2

 port link-mode route

 combo enable copper

 ip address 2.0.0.2 255.255.255.0

#

interface GigabitEthernet0/0/3

 port link-mode route

 combo enable copper

 ip address 3.0.0.2 255.255.255.0

#

interface GigabitEthernet0/0/4

 port link-mode route

 combo enable copper

 ip address 4.0.0.2 255.255.255.0

#

return

·     CE 1

#

 sysname CE1

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ip address 10.1.1.2 255.255.255.0

#

bgp 65410

 peer 10.1.1.1 as-number 100

 #

 address-family ipv4 unicast

  import-route direct

  peer 10.1.1.1 enable

#

return

·     CE 2

#

 sysname CE2

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ip address 10.2.1.2 255.255.255.0

#

bgp 65420

 peer 10.2.1.1 as-number 100

 #

 address-family ipv4 unicast

  import-route direct

  peer 10.2.1.1 enable

#

return
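
The configuration above was built in a lab and carries lab-grade settings: des-cbc and sha1 in the IPsec transform set, an IKE keychain entry that matches any peer address, authentication-method none on the VAM server, and (in the step-by-step commands) the pre-shared key 123456 entered with the simple keyword. The following added example, which is not H3C code, flags those settings in either a saved configuration or a CLI transcript so they can be replaced before the example is reused; the rule names and sample text are constructed, and the 3des-cbc, md5, aes-cbc-256 and sha256 keyword spellings do not appear on this page and should be checked against the device's command reference.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    line_no: int   # 1-based line number in the audited text
    context: str   # CLI view (transcript) or section header (saved config)
    rule: str
    text: str

# Rule ids and wording are this example's own.
RULES = [
    # des-cbc is the value used on this page; 3des-cbc is an assumed keyword.
    ("weak-esp-encryption",
     re.compile(r"^esp encryption-algorithm\s+(des-cbc|3des-cbc)\b")),
    # sha1 is the value used on this page; md5 is an assumed keyword.
    ("weak-esp-authentication",
     re.compile(r"^esp authentication-algorithm\s+(md5|sha1)\b")),
    ("vam-no-client-auth",
     re.compile(r"^authentication-method\s+none\b")),
    ("plaintext-psk",
     re.compile(r"^pre-shared-key\b.*\bsimple\s+\S+")),
    ("wildcard-ike-psk",
     re.compile(r"^pre-shared-key address\s+"
                r"(0\.0\.0\.0\s+0\.0\.0\.0|ipv6\s+::\s+0)\b")),
]

# "[Hub-ike-keychain-abc] cmd" or "<Hub> cmd" as typed in a CLI session.
PROMPT = re.compile(r"^\s*(?:\[([^\]]+)\]|<([^>]+)>)\s*(.*)$")

def audit(config_text):
    """Return a Finding for every line that matches one of RULES."""
    findings = []
    section = ""
    for no, raw in enumerate(config_text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped in ("#", "return"):
            continue
        m = PROMPT.match(raw)
        if m:
            # Transcript line: the prompt names the view the command ran in.
            context, cmd = m.group(1) or m.group(2), m.group(3).strip()
        else:
            # Saved configuration: an unindented line opens a new section.
            if not raw[0].isspace():
                section = stripped
            context, cmd = section, stripped
        for rule, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(no, context, rule, cmd))
    return findings

# Constructed sample: two transcript lines and a saved-config excerpt modelled
# on this page, plus a hypothetical "hardened" transform set that must not be
# flagged. <ciphertext> stands in for the device-generated cipher string.
SAMPLE = """\
[VAMserver-vam-server-domain-abc] pre-shared-key simple 123456
[VAMserver-vam-server-domain-abc] authentication-method none
#
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key cipher <ciphertext>
#
ipsec transform-set hardened
 encapsulation-mode transport
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
#
return
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.line_no:>2}  {f.rule:<24} [{f.context}] {f.text}")
```
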

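4 Example: Configuring IPv6 LDP over GRE-Encapsulated ADVPN

4.1  Network requirements

The branches of an enterprise network connect to the public network with dynamic addresses. ADVPN is used to establish ADVPN tunnels between the Hub and the Spokes, with no ADVPN tunnels between Spokes, forming a Hub-Spoke network, so that the branches can still reach one another when their public addresses change.

The enterprise branches also want to forward traffic over IPv6 LDP LSPs. To do so, IPv6 LDP LSPs must be established over the ADVPN tunnels on the public network, so that IPv6 LDP LSPs are set up between the branches across the ADVPN tunnels.

As shown in Figure 4-1, the specific networking requirements in this example are:

·     Spoke 1 and Spoke 2 act as Spoke devices in the ADVPN network and establish ADVPN tunnels with the Hub.

·     IPv6 LDP is configured on the ADVPN tunnels so that IPv6 LDP LSPs are established over them.

·     Spoke 1, Spoke 2, and the Hub act as VAM clients and register their public-to-private address mappings with the VAM server.

Figure 4-1 Network diagram for IPv6 LDP over GRE-encapsulated ADVPN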

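4.2  Configuration approach

To establish IPv6 LDP LSPs across the ADVPN tunnels, perform the following configuration:

·     Run OSPFv3 on the backbone-side interfaces of the Spokes, Device, Hub, and VAM server to make sure routes are reachable between the VAM clients and the VAM server.

·     Configure ADVPN on the Spokes and the Hub to establish GRE-encapsulated ADVPN tunnels between the Spokes and the Hub.

·     Configure IPsec on the ADVPN tunnels to protect the data in transit.

·     For IPv6 LDP, an ADVPN tunnel is a virtual link on the backbone. A routing protocol (OSPFv3 in this example) must be configured on the ADVPN tunnel interfaces of the Spokes and the Hub so that private routes between sites are reachable and the sites can communicate over the ADVPN tunnels.

·     Enable MPLS and LDP on the ADVPN tunnel interfaces of the Spokes and the Hub so that IPv6 LDP LSPs are established over the ADVPN tunnels.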

4.3  Software version used

This example was configured and verified on an ICG2000H device running R9141P16.

4.4  Data plan

Table 4-1 Data plan

Item                                                   Data
VAM server address                                     4::1
ADVPN tunnel interface address of the Hub              192:168:3::1/64
ADVPN tunnel interface address of Spoke1               192:168:3::2/64
ADVPN tunnel interface address of Spoke2               192:168:3::3/64

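4.5  Configuration procedure

4.5.1  Configuring the VAM server

1. Configure IPv6 addresses and a unicast routing protocol

# Create area 0 in OSPFv3 process 1 and configure the router ID.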

<Sysname> system-view

[Sysname] sysname VAMserver

[VAMserver] ospfv3

[VAMserver-ospfv3-1] router-id 4.4.4.4

[VAMserver-ospfv3-1] area 0

[VAMserver-ospfv3-1-area-0.0.0.0] quit

[VAMserver-ospfv3-1] quit

# Configure the IPv6 address of the interface and enable OSPFv3 on the interface.

[VAMserver] interface gigabitethernet 0/0/1

[VAMserver-GigabitEthernet0/0/1] ipv6 address 4::1/64

[VAMserver-GigabitEthernet0/0/1] ospfv3 1 area 0.0.0.0

[VAMserver-GigabitEthernet0/0/1] quit

2. Configure the device as the VAM server

# Create ADVPN domain abc.

[VAMserver] vam server advpn-domain abc id 1

# Create Hub group 0.

[VAMserver-vam-server-domain-abc] hub-group 0

# Specify the IPv6 private address of the Hub in the Hub group, that is, the address of the Hub's ADVPN tunnel interface.

[VAMserver-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168:3::1

# Specify the IPv6 private address range of the Spokes in the Hub group.

[VAMserver-vam-server-domain-abc-hub-group-0] spoke ipv6 private-address network 192:168:: 32

[VAMserver-vam-server-domain-abc-hub-group-0] quit

# Set the pre-shared key of the VAM server to 123456.

[VAMserver-vam-server-domain-abc] pre-shared-key simple 123456

# Configure the VAM server not to authenticate VAM clients.

[VAMserver-vam-server-domain-abc] authentication-method none

# Enable the VAM server for the ADVPN domain.

[VAMserver-vam-server-domain-abc] server enable

[VAMserver-vam-server-domain-abc] quit

4.5.2  Configuring the Hub

1. Configure IPv6 addresses and a unicast routing protocol

# Create area 0 in OSPFv3 process 1 and configure the router ID.

<Sysname> system-view

[Sysname] sysname Hub

[Hub] ospfv3

[Hub-ospfv3-1] router-id 5.5.5.5

[Hub-ospfv3-1] area 0

[Hub-ospfv3-1-area-0.0.0.0] quit

[Hub-ospfv3-1] quit

# Configure the IPv6 address of the interface and enable OSPFv3 on the interface.

[Hub] interface gigabitethernet 0/0/1

[Hub-GigabitEthernet0/0/1] ipv6 address 1::1 64

[Hub-GigabitEthernet0/0/1] ospfv3 1 area 0.0.0.0

[Hub-GigabitEthernet0/0/1] quit

2. Configure the Hub as a VAM client

# Create VAM client Hub.

[Hub] vam client name Hub

# Set the ADVPN domain of the VAM client to abc.

[Hub-vam-client-Hub] advpn-domain abc

# Set the pre-shared key of the VAM client to 123456.

[Hub-vam-client-Hub] pre-shared-key simple 123456

# Configure the IP address of the VAM server.

[Hub-vam-client-Hub] server primary ipv6-address 4::1

# Enable the VAM client.

[Hub-vam-client-Hub] client enable

[Hub-vam-client-Hub] quit

3. Configure the IPsec profile

# Configure the IKE profile.

[Hub] ike keychain abc

[Hub-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Hub-ike-keychain-abc] quit

[Hub] ike profile abc

[Hub-ike-profile-abc] keychain abc

[Hub-ike-profile-abc] quit

# Configure the IPsec profile.

[Hub] ipsec transform-set abc

[Hub-ipsec-transform-set-abc] encapsulation-mode transport

[Hub-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Hub-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Hub-ipsec-transform-set-abc] quit

[Hub] ipsec profile abc isakmp

[Hub-ipsec-profile-isakmp-abc] transform-set abc

[Hub-ipsec-profile-isakmp-abc] ike-profile abc

[Hub-ipsec-profile-isakmp-abc] quit

4. Configure the ADVPN tunnel

# Create the GRE-encapsulated IPv6 ADVPN tunnel interface Tunnel1 and configure its IPv6 address.

[Hub] interface tunnel1 mode advpn gre ipv6

[Hub-Tunnel1] ipv6 address 192:168:3::1 64

[Hub-Tunnel1] ipv6 address fe80::1 link-local

# Bind the VAM client to the IPv6 ADVPN tunnel interface.

[Hub-Tunnel1] vam ipv6 client Hub

# Set the OSPF network type to P2MP so that ADVPN tunnels are established only between the Hub and the Spokes and not between Spokes, forming a Hub-Spoke network.

[Hub-Tunnel1] ospfv3 network-type p2mp

# Configure the source interface of the IPv6 ADVPN tunnel.

[Hub-Tunnel1] source gigabitethernet 0/0/1

# Apply the IPsec profile to the IPv6 ADVPN tunnel so that IPsec protects the data in transit.

[Hub-Tunnel1] tunnel protection ipsec profile abc

[Hub-Tunnel1] quit

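5. Configure OSPFv3 to advertise the route of the ADVPN tunnel interface address

# Configure OSPFv3 to advertise the route of the ADVPN tunnel interface address. The routes of Tunnel1 and GigabitEthernet0/0/1 are advertised by different OSPFv3 processes.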

[Hub] ospfv3 2

[Hub-ospfv3-2] router-id 5.5.5.5

[Hub-ospfv3-2] area 0

[Hub-ospfv3-2-area-0.0.0.0] quit

[Hub-ospfv3-2] quit

[Hub] interface tunnel1

[Hub-Tunnel1] ospfv3 2 area 0.0.0.0

[Hub-Tunnel1] quit

6. Configure the MPLS LSR ID of the node and enable MPLS and MPLS LDP

# Enable MPLS and MPLS LDP, and allow all IPv6 routes to trigger the establishment of IPv6 LDP LSPs.

[Hub] mpls lsr-id 5.5.5.5

[Hub] mpls ldp

[Hub-ldp] ipv6 lsp-trigger all

[Hub-ldp] quit

# Enable MPLS and MPLS LDP on Tunnel1, and set the LDP transport address to the address of Tunnel1.

[Hub] interface tunnel1

[Hub-Tunnel1] mpls enable

[Hub-Tunnel1] mpls ldp ipv6 enable

[Hub-Tunnel1] mpls ldp transport-address 192:168:3::1

[Hub-Tunnel1] quit

4.5.3  Configuring Spoke 1

1. Configure IPv6 addresses and the unicast routing protocol

# Create area 0 in OSPFv3 process 1 and configure the router ID.

<Sysname> system-view

[Sysname] sysname Spoke1

[Spoke1] ospfv3

[Spoke1-ospfv3-1] router-id 1.1.1.1

[Spoke1-ospfv3-1] area 0

[Spoke1-ospfv3-1-area-0.0.0.0] quit

[Spoke1-ospfv3-1] quit

# Configure the IPv6 address of GigabitEthernet0/0/1 and enable OSPFv3 on the interface.

[Spoke1] interface gigabitethernet 0/0/1

[Spoke1-GigabitEthernet0/0/1] ipv6 address 2::1 64

[Spoke1-GigabitEthernet0/0/1] ospfv3 1 area 0.0.0.0

[Spoke1-GigabitEthernet0/0/1] quit

# Configure the IPv6 address of GigabitEthernet0/0/2.

[Spoke1] interface gigabitethernet 0/0/2

[Spoke1-GigabitEthernet0/0/2] ipv6 address 192:168:1::1 64

[Spoke1-GigabitEthernet0/0/2] quit

2. Configure the device as a VAM client

# Create the VAM client Spoke1.

[Spoke1] vam client name Spoke1

# Set the ADVPN domain of the VAM client to abc.

[Spoke1-vam-client-Spoke1] advpn-domain abc

# Configure the pre-shared key of the VAM client.

[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456

# Configure the IP address of the VAM server.

[Spoke1-vam-client-Spoke1] server primary ipv6-address 4::1

# Enable the VAM client.

[Spoke1-vam-client-Spoke1] client enable

[Spoke1-vam-client-Spoke1] quit

3. Configure the IPsec profile

# Configure the IKE keychain and IKE profile.

[Spoke1] ike keychain abc

[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke1-ike-keychain-abc] quit

[Spoke1] ike profile abc

[Spoke1-ike-profile-abc] keychain abc

[Spoke1-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke1] ipsec transform-set abc

[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke1-ipsec-transform-set-abc] quit

[Spoke1] ipsec profile abc isakmp

[Spoke1-ipsec-profile-isakmp-abc] transform-set abc

[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke1-ipsec-profile-isakmp-abc] quit

4. Configure the ADVPN tunnel

# Create the GRE-encapsulated IPv6 ADVPN tunnel interface Tunnel1 and configure its IPv6 addresses.

[Spoke1] interface tunnel1 mode advpn gre ipv6

[Spoke1-Tunnel1] ipv6 address 192:168:3::2 64

[Spoke1-Tunnel1] ipv6 address FE80::3 link-local

# Bind the VAM client to the IPv6 ADVPN tunnel interface.

[Spoke1-Tunnel1] vam ipv6 client Spoke1

# Set the OSPFv3 network type to P2MP, so that ADVPN tunnels are established only between the Hub and the Spokes and not between Spokes, forming a Hub-Spoke network.

[Spoke1-Tunnel1] ospfv3 network-type p2mp

# Configure the source interface of the IPv6 ADVPN tunnel.

[Spoke1-Tunnel1] source gigabitethernet 0/0/1

# Apply the IPsec profile to the IPv6 ADVPN tunnel so that IPsec protects the data in transit.

[Spoke1-Tunnel1] tunnel protection ipsec profile abc

[Spoke1-Tunnel1] quit

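5. Configure OSPFv3 to advertise the route of the ADVPN tunnel interface address

# Configure OSPFv3 to advertise the route of the ADVPN tunnel interface address. The OSPFv3 process that advertises the routes of Tunnel1 and GigabitEthernet0/0/2 is different from the one that advertises the route of GigabitEthernet0/0/1.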

[Spoke1] ospfv3 2

[Spoke1-ospfv3-2] router-id 1.1.1.1

[Spoke1-ospfv3-2] area 0

[Spoke1-ospfv3-2-area-0.0.0.0] quit

[Spoke1-ospfv3-2] quit

[Spoke1] interface tunnel1

[Spoke1-Tunnel1] ospfv3 2 area 0.0.0.0

[Spoke1-Tunnel1] quit

[Spoke1] interface gigabitethernet 0/0/2

[Spoke1-GigabitEthernet0/0/2] ospfv3 2 area 0.0.0.0

[Spoke1-GigabitEthernet0/0/2] quit

6. Configure the MPLS LSR ID of the node and enable MPLS and MPLS LDP

# Enable MPLS and MPLS LDP, and allow all IPv6 routes to trigger the establishment of IPv6 LDP LSPs.

[Spoke1] mpls lsr-id 1.1.1.1

[Spoke1] mpls ldp

[Spoke1-ldp] ipv6 lsp-trigger all

[Spoke1-ldp] quit

# Enable MPLS and MPLS LDP on Tunnel1, and set the LDP transport address to the address of this interface.

[Spoke1] interface tunnel1

[Spoke1-Tunnel1] mpls enable

[Spoke1-Tunnel1] mpls ldp ipv6 enable

[Spoke1-Tunnel1] mpls ldp transport-address 192:168:3::2

[Spoke1-Tunnel1] quit

4.5.4  Configuring Spoke 2

1. Configure IPv6 addresses and the unicast routing protocol

# Create area 0 in OSPFv3 process 1 and configure the router ID.

<Sysname> system-view

[Sysname] sysname Spoke2

[Spoke2] ospfv3

[Spoke2-ospfv3-1] router-id 2.2.2.2

[Spoke2-ospfv3-1] area 0

[Spoke2-ospfv3-1-area-0.0.0.0] quit

[Spoke2-ospfv3-1] quit

# Configure the IPv6 address of GigabitEthernet0/0/1 and enable OSPFv3 on the interface.

[Spoke2] interface gigabitethernet 0/0/1

[Spoke2-GigabitEthernet0/0/1] ipv6 address 3::1 64

[Spoke2-GigabitEthernet0/0/1] ospfv3 1 area 0.0.0.0

[Spoke2-GigabitEthernet0/0/1] quit

# Configure the IPv6 address of GigabitEthernet0/0/2.

[Spoke2] interface gigabitethernet 0/0/2

[Spoke2-GigabitEthernet0/0/2] ipv6 address 192:168:2::1 64

[Spoke2-GigabitEthernet0/0/2] quit

2. Configure the device as a VAM client

# Create the VAM client Spoke2.

[Spoke2] vam client name Spoke2

# Set the ADVPN domain of the VAM client to abc.

[Spoke2-vam-client-Spoke2] advpn-domain abc

# Configure the pre-shared key of the VAM client.

[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456

# Configure the IP address of the VAM server.

[Spoke2-vam-client-Spoke2] server primary ipv6-address 4::1

# Enable the VAM client.

[Spoke2-vam-client-Spoke2] client enable

[Spoke2-vam-client-Spoke2] quit

3. Configure the IPsec profile

# Configure the IKE keychain and IKE profile.

[Spoke2] ike keychain abc

[Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456

[Spoke2-ike-keychain-abc] quit

[Spoke2] ike profile abc

[Spoke2-ike-profile-abc] keychain abc

[Spoke2-ike-profile-abc] quit

# Configure the IPsec profile.

[Spoke2] ipsec transform-set abc

[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport

[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc

[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1

[Spoke2-ipsec-transform-set-abc] quit

[Spoke2] ipsec profile abc isakmp

[Spoke2-ipsec-profile-isakmp-abc] transform-set abc

[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc

[Spoke2-ipsec-profile-isakmp-abc] quit

4. Configure the ADVPN tunnel

# Create the GRE-encapsulated IPv6 ADVPN tunnel interface Tunnel1 and configure its IPv6 addresses.

[Spoke2] interface tunnel1 mode advpn gre ipv6

[Spoke2-Tunnel1] ipv6 address 192:168:3::3/64

[Spoke2-Tunnel1] ipv6 address fe80::4 link-local

# Bind the VAM client to the IPv6 ADVPN tunnel interface.

[Spoke2-Tunnel1] vam ipv6 client Spoke2

# Set the OSPFv3 network type to P2MP, so that ADVPN tunnels are established only between the Hub and the Spokes and not between Spokes, forming a Hub-Spoke network.

[Spoke2-Tunnel1] ospfv3 network-type p2mp

# Configure the source interface of the IPv6 ADVPN tunnel.

[Spoke2-Tunnel1] source gigabitethernet 0/0/1

# Apply the IPsec profile to the IPv6 ADVPN tunnel so that IPsec protects the data in transit.

[Spoke2-Tunnel1] tunnel protection ipsec profile abc

[Spoke2-Tunnel1] quit

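5. Configure OSPFv3 to advertise the route of the ADVPN tunnel interface address

# Configure OSPFv3 to advertise the route of the ADVPN tunnel interface address. The OSPFv3 process that advertises the routes of Tunnel1 and GigabitEthernet0/0/2 is different from the one that advertises the route of GigabitEthernet0/0/1.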

[Spoke2] ospfv3 2

[Spoke2-ospfv3-2] router-id 2.2.2.2

[Spoke2-ospfv3-2] area 0

[Spoke2-ospfv3-2-area-0.0.0.0] quit

[Spoke2-ospfv3-2] quit

[Spoke2] interface tunnel1

[Spoke2-Tunnel1] ospfv3 2 area 0.0.0.0

[Spoke2-Tunnel1] quit

[Spoke2] interface gigabitethernet 0/0/2

[Spoke2-GigabitEthernet0/0/2] ospfv3 2 area 0.0.0.0

[Spoke2-GigabitEthernet0/0/2] quit

6. Configure the MPLS LSR ID of the node and enable MPLS and MPLS LDP

# Enable MPLS and MPLS LDP, and allow all IPv6 routes to trigger the establishment of IPv6 LDP LSPs.

[Spoke2] mpls lsr-id 2.2.2.2

[Spoke2] mpls ldp

[Spoke2-ldp] ipv6 lsp-trigger all

[Spoke2-ldp] quit

# Enable MPLS and MPLS LDP on Tunnel1, and set the LDP transport address to the address of this interface.

[Spoke2] interface tunnel1

[Spoke2-Tunnel1] mpls enable

[Spoke2-Tunnel1] mpls ldp ipv6 enable

[Spoke2-Tunnel1] mpls ldp transport-address 192:168:3::3

[Spoke2-Tunnel1] quit

4.5.5  Configuring Device

# Create area 0 in OSPFv3 process 1 and configure the router ID.

<Sysname> system-view

[Sysname] sysname Device

[Device] ospfv3

[Device-ospfv3-1] router-id 3.3.3.3

[Device-ospfv3-1] area 0

[Device-ospfv3-1-area-0.0.0.0] quit

[Device-ospfv3-1] quit

# Configure the IPv6 addresses of the interfaces and enable OSPFv3 on the interfaces.

[Device] interface gigabitethernet 0/0/1

[Device-GigabitEthernet0/0/1] ipv6 address 1::2 64

[Device-GigabitEthernet0/0/1] ospfv3 1 area 0.0.0.0

[Device-GigabitEthernet0/0/1] quit

[Device] interface gigabitethernet 0/0/2

[Device-GigabitEthernet0/0/2] ipv6 address 2::2 64

[Device-GigabitEthernet0/0/2] ospfv3 1 area 0.0.0.0

[Device-GigabitEthernet0/0/2] quit

[Device] interface gigabitethernet 0/0/3

[Device-GigabitEthernet0/0/3] ipv6 address 3::2 64

[Device-GigabitEthernet0/0/3] ospfv3 1 area 0.0.0.0

[Device-GigabitEthernet0/0/3] quit

[Device] interface gigabitethernet 0/0/4

[Device-GigabitEthernet0/0/4] ipv6 address 4::2 64

[Device-GigabitEthernet0/0/4] ospfv3 1 area 0.0.0.0

[Device-GigabitEthernet0/0/4] quit

4.5.6  Configuring CE 1

# Create area 0 in OSPFv3 process 2 and configure the router ID.

<Sysname> system-view

[Sysname] sysname CE1

[CE1] ospfv3 2

[CE1-ospfv3-2] router-id 6.6.6.6

[CE1-ospfv3-2] area 0

[CE1-ospfv3-2-area-0.0.0.0] quit

[CE1-ospfv3-2] quit

# Configure the IPv6 address of GigabitEthernet0/0/1 and enable OSPFv3 on the interface.

[CE1] interface gigabitethernet 0/0/1

[CE1-GigabitEthernet0/0/1] ipv6 address 192:168:1::2 64

[CE1-GigabitEthernet0/0/1] ospfv3 2 area 0.0.0.0

[CE1-GigabitEthernet0/0/1] quit

4.5.7  Configuring CE 2

# Create area 0 in OSPFv3 process 2 and configure the router ID.

<Sysname> system-view

[Sysname] sysname CE2

[CE2] ospfv3 2

[CE2-ospfv3-2] router-id 7.7.7.7

[CE2-ospfv3-2] area 0

[CE2-ospfv3-2-area-0.0.0.0] quit

[CE2-ospfv3-2] quit

# Configure the IPv6 address of GigabitEthernet0/0/1 and enable OSPFv3 on the interface.

[CE2] interface gigabitethernet 0/0/1

[CE2-GigabitEthernet0/0/1] ipv6 address 192:168:2::2 64

[CE2-GigabitEthernet0/0/1] ospfv3 2 area 0.0.0.0

[CE2-GigabitEthernet0/0/1] quit

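4.6  Verifying the configuration

4.6.1  Verify that the ADVPN tunnels are established

# On the VAM server, display the IPv6 private address mappings of all registered VAM clients. The output shows that the public-to-private address mappings of the Hub, Spoke 1 and Spoke 2 are all registered with the VAM server.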

<VAMserver> display vam server ipv6 address-map

ADVPN domain name: abc

Total private address mappings: 3

Group      Private address       Public address         Type   NAT  Holding time

0          192:168:3::1          1::1                   Hub    No   0H 48M 45S

0          192:168:3::2          2::1                   Spoke  No   0H 42M 54S

0          192:168:3::3          3::1                   Spoke  No   0H 48M 1S

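# On the Hub, Spoke 1 and Spoke 2, display the IPv6 ADVPN tunnel information. The output shows that ADVPN tunnels are established between the Hub and the Spokes, and that no ADVPN tunnel is established between the Spokes.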

<Hub> display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 2

Private address      Public address       Port  Type  State        Holding time

192:168:3::2         2::1                 --    H-S   Success      0H 38M 22S

192:168:3::3         3::1                 --    H-S   Success      0H 43M 30S

<Spoke1> display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 1

Private address      Public address       Port  Type  State        Holding time

192:168:3::1         1::1                 --    S-H   Success      0H 34M 26S

<Spoke2> display advpn ipv6 session

Interface         : Tunnel1

Number of sessions: 1

Private address      Public address       Port  Type  State        Holding time

192:168:3::1         1::1                 --    S-H   Success      0H 45M 17S

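4.6.2  Verify that LDP LSPs are established between the Spokes and the Hub

# Run the display mpls ldp peer command on the Spokes and the Hub. The output shows that LDP peer relationships are established between the Spokes and the Hub.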

<Hub> display mpls ldp peer

VPN instance: public instance

Total number of peers: 2

Peer LDP ID             State         Role     GR   Auth      KA Sent/Rcvd

1.1.1.1:0               Operational   Passive  Off  None      93/93

2.2.2.2:0               Operational   Passive  Off  None      92/92

<Spoke1> display mpls ldp peer

VPN instance: public instance

Total number of peers: 2

Peer LDP ID             State         Role     GR   Auth      KA Sent/Rcvd

5.5.5.5:0               Operational   Active   Off  None      78/78

<Spoke2> display mpls ldp peer

VPN instance: public instance

Total number of peers: 2

Peer LDP ID             State         Role     GR   Auth      KA Sent/Rcvd

5.5.5.5:0               Operational   Active   Off  None      99/99

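# Run the display mpls lsp ipv6 command on the Spokes and the Hub. The output shows that IPv6 LDP LSPs are established between the Spokes and the Hub, and that the outgoing interface of these LSPs is the ADVPN tunnel interface Tunnel1. Taking the FEC prefix 192:168:2::/64 as an example, the IPv6 LDP LSP from Spoke 1 to Spoke 2 follows this path:

(1)     On Spoke 1, the outgoing label is 24118 and the outgoing interface is the ADVPN tunnel interface Tunnel1.

(2)     On the Hub, the incoming label is 24118, the outgoing label is 24123, and the outgoing interface is the ADVPN tunnel interface Tunnel1.

(3)     On Spoke 2, the incoming label is 24123 and the outgoing label is empty: the label is popped and the packet is forwarded to CE 2 over the direct route.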

<Spoke1> display mpls lsp ipv6 192:168:2:: 64

FEC      : 192:168:2::/64

Protocol : LDP        In-Label : 24118

Out-Label: 24118      Out-Interface: Tun1

 

FEC      : 192:168:2::/64

Protocol : LDP        In-Label : -

Out-Label: 24118      Out-Interface: Tun1

<Hub> display mpls lsp ipv6 192:168:2:: 64

FEC      : 192:168:2::/64

Protocol : LDP        In-Label : 24118

Out-Label: 24123      Out-Interface: Tun1

 

FEC      : 192:168:2::/64

Protocol : LDP        In-Label : -

Out-Label: 24123      Out-Interface: Tun1

<Spoke2> display mpls lsp ipv6 192:168:2:: 64

FEC      : 192:168:2::/64

Protocol : LDP        In-Label : 24123

Out-Label: -          Out-Interface: -
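
The label walk in steps (1) to (3) can be checked mechanically. The Python script below is an added example, not part of the H3C document: it parses the three display mpls lsp ipv6 outputs shown above and confirms that each hop's incoming label equals the previous hop's outgoing label. The function names parse_lsp and trace_lsp are hypothetical.

```python
import re

# Outputs copied from section 4.6.2 of this document (prompt lines omitted).
SPOKE1 = """\
FEC      : 192:168:2::/64
Protocol : LDP        In-Label : 24118
Out-Label: 24118      Out-Interface: Tun1

FEC      : 192:168:2::/64
Protocol : LDP        In-Label : -
Out-Label: 24118      Out-Interface: Tun1
"""
HUB = """\
FEC      : 192:168:2::/64
Protocol : LDP        In-Label : 24118
Out-Label: 24123      Out-Interface: Tun1

FEC      : 192:168:2::/64
Protocol : LDP        In-Label : -
Out-Label: 24123      Out-Interface: Tun1
"""
SPOKE2 = """\
FEC      : 192:168:2::/64
Protocol : LDP        In-Label : 24123
Out-Label: -          Out-Interface: -
"""

# "Key : value" pairs; up to two pairs share one output line.
FIELD = re.compile(r"([A-Za-z][A-Za-z-]*)\s*:\s+(\S+)")


def parse_lsp(output):
    """Split display mpls lsp output into one dict per LSP entry."""
    entries = []
    for line in output.splitlines():
        for key, value in FIELD.findall(line):
            if key == "FEC":          # every entry starts with its FEC line
                entries.append({})
            if entries:
                entries[-1][key] = value
    return entries


def trace_lsp(hops, fec):
    """Follow one FEC hop by hop; raise ValueError where the labels do not chain."""
    path, sent = [], None             # sent = label the previous hop pushed or swapped in
    for device, output in hops:
        want_in = "-" if sent is None else sent   # ingress entry has no incoming label
        entry = next((e for e in parse_lsp(output)
                      if e.get("FEC") == fec and e.get("In-Label") == want_in), None)
        if entry is None:
            raise ValueError(f"{device}: no entry for {fec} with In-Label {want_in}")
        path.append((device, want_in, entry["Out-Label"], entry["Out-Interface"]))
        sent = entry["Out-Label"]
        if sent == "-":               # label popped: this hop is the egress
            break
    if sent != "-":
        raise ValueError(f"LSP for {fec} does not terminate on the listed hops")
    return path


if __name__ == "__main__":
    hops = [("Spoke1", SPOKE1), ("Hub", HUB), ("Spoke2", SPOKE2)]
    for device, label_in, label_out, interface in trace_lsp(hops, "192:168:2::/64"):
        print(f"{device}: in={label_in} out={label_out} via {interface}")
```

A ValueError from trace_lsp names the hop where the chain breaks, which is the device whose LDP session or label binding to inspect first.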

4.6.3  Verify that the CEs can reach each other over the IPv6 LDP LSP

# Enable debugging for MPLS packets on the Spokes and the Hub. Only Spoke 1 is shown below.

<Spoke1> debugging mpls packet

<Spoke1> terminal debugging

<Spoke1> terminal monitor

# Ping CE 2 from CE 1.

<CE1> ping ipv6 192:168:2::2

Ping6(56 data bytes) 192:168:1::2 --> 192:168:2::2, press CTRL_C to break

56 bytes from 192:168:2::2, icmp_seq=0 hlim=61 time=3.000 ms

56 bytes from 192:168:2::2, icmp_seq=1 hlim=61 time=4.000 ms

56 bytes from 192:168:2::2, icmp_seq=2 hlim=61 time=3.000 ms

56 bytes from 192:168:2::2, icmp_seq=3 hlim=61 time=2.000 ms

56 bytes from 192:168:2::2, icmp_seq=4 hlim=61 time=2.000 ms

 

--- Ping6 statistics for 192:168:2::2 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 2.000/2.800/4.000/0.748 ms

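# While CE 1 pings CE 2, the Spokes and the Hub print information about the MPLS packets sent, received and processed, which shows that the packets are MPLS-forwarded over the IPv6 LDP LSP. Only Spoke 1 is shown below.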

<Spoke1>

*Oct 11 11:04:15:032 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS Forward: Receiving IPv6 packet, len = 104, s = 192:168:1::2, d = 192:168:2::2.

 

*Oct 11 11:04:15:032 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

PUSH Label=24118, EXP=0, TTL=63.

 

*Oct 11 11:04:15:032 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS Output6: Sending to interface Tun1, PktLen=108, AF=36, Label(s)=24118, EXP=0, TTL=63.

 

*Oct 11 11:04:15:032 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS send result 0.

 

*Oct 11 11:04:15:035 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS FSInput: Receiving from interface Tun1, PktLen=108, AF=36, Label(s)=24119, EXP=0, TTL=62.

 

*Oct 11 11:04:15:035 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

POP Label=24119, EXP=0, TTL=62.

 

*Oct 11 11:04:15:237 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS FSForward: Receiving IPv6 packet, len = 104, s = 192:168:1::2, d = 192:168:2::2.

 

*Oct 11 11:04:15:237 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

PUSH Label=24118, EXP=0, TTL=63.

 

*Oct 11 11:04:15:237 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS FSOutput6: Sending to interface Tun1, PktLen=108, AF=36, Label(s)=24118, EXP=0, TTL=63.

 

*Oct 11 11:04:15:237 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS send result 0.

 

*Oct 11 11:04:15:239 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS Input: Receiving from interface Tun1, PktLen=108, AF=36, Label(s)=24119, EXP=0, TTL=62.

 

*Oct 11 11:04:15:239 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

POP Label=24119, EXP=0, TTL=62.

 

*Oct 11 11:04:15:441 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS FSForward: Receiving IPv6 packet, len = 104, s = 192:168:1::2, d = 192:168:2::2.

 

*Oct 11 11:04:15:441 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

PUSH Label=24118, EXP=0, TTL=63.

 

*Oct 11 11:04:15:441 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS FSOutput6: Sending to interface Tun1, PktLen=108, AF=36, Label(s)=24118, EXP=0, TTL=63.

 

*Oct 11 11:04:15:441 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS send result 0.

 

*Oct 11 11:04:15:443 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS FSInput: Receiving from interface Tun1, PktLen=108, AF=36, Label(s)=24119, EXP=0, TTL=62.

 

*Oct 11 11:04:15:443 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

POP Label=24119, EXP=0, TTL=62.

 

*Oct 11 11:04:15:645 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS FSForward: Receiving IPv6 packet, len = 104, s = 192:168:1::2, d = 192:168:2::2.

 

*Oct 11 11:04:15:645 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

PUSH Label=24118, EXP=0, TTL=63.

 

*Oct 11 11:04:15:645 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS FSOutput6: Sending to interface Tun1, PktLen=108, AF=36, Label(s)=24118, EXP=0, TTL=63.

 

*Oct 11 11:04:15:645 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS send result 0.

 

*Oct 11 11:04:15:647 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS FSInput: Receiving from interface Tun1, PktLen=108, AF=36, Label(s)=24119, EXP=0, TTL=62.

 

*Oct 11 11:04:15:647 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

POP Label=24119, EXP=0, TTL=62.

 

*Oct 11 11:04:15:847 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS FSForward: Receiving IPv6 packet, len = 104, s = 192:168:1::2, d = 192:168:2::2.

 

*Oct 11 11:04:15:847 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

PUSH Label=24118, EXP=0, TTL=63.

 

*Oct 11 11:04:15:847 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS FSOutput6: Sending to interface Tun1, PktLen=108, AF=36, Label(s)=24118, EXP=0, TTL=63.

 

*Oct 11 11:04:15:847 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS send result 0.

 

*Oct 11 11:04:15:849 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

MPLS FSInput: Receiving from interface Tun1, PktLen=108, AF=36, Label(s)=24119, EXP=0, TTL=62.

 

*Oct 11 11:04:15:849 2023 Spoke1 MPLSFW/7/MPLSFW: -MDC=1;

POP Label=24119, EXP=0, TTL=62.

4.7  Configuration files

·     VAM server

#

 sysname VAMserver

#

ospfv3 1

 router-id 4.4.4.4

 area 0.0.0.0

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ospfv3 1 area 0.0.0.0

 ipv6 address 4::1/64

#

vam server advpn-domain abc id 1

 pre-shared-key cipher $c$3$OpYSbdgXeyNryePMVEIu/YkmfyL/OsFeNg==

 authentication-method none

 server enable

 hub-group 0

  hub ipv6 private-address 192:168:3::1

  spoke ipv6 private-address range 192:168:: 192:168:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

#

return

·     Hub

#

 sysname Hub

#

ospfv3 1

 router-id 5.5.5.5

 area 0.0.0.0

#

ospfv3 2

 router-id 5.5.5.5

 area 0.0.0.0

#

 mpls lsr-id 5.5.5.5

#

mpls ldp

 ipv6 lsp-trigger all

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ospfv3 1 area 0.0.0.0

 ipv6 address 1::1/64

#

interface Tunnel1 mode advpn gre ipv6

 ospfv3 2 area 0.0.0.0

 ospfv3 network-type p2mp

 mpls enable

 mpls ldp ipv6 enable

 mpls ldp transport-address 192:168:3::1

 source GigabitEthernet0/0/1

 ipv6 address FE80::1 link-local

 ipv6 address 192:168:3::1/64

 tunnel protection ipsec profile abc

 vam ipv6 client Hub

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address ipv6 :: 0 key cipher $c$3$T7Q4sF6vhxaDLrThPwGn/xWxdO0yP+MOkA==

#

vam client name Hub

 advpn-domain abc

 server primary ipv6-address 4::1

 pre-shared-key cipher $c$3$4BBIUe2nuHqNxXJ4M1O2Hv44697+GQOTSg==

 client enable

#

return

·     Spoke 1

#

 sysname Spoke1

#

ospfv3 1

 router-id 1.1.1.1

 area 0.0.0.0

#

ospfv3 2

 router-id 1.1.1.1

 area 0.0.0.0

#

 mpls lsr-id 1.1.1.1

#

mpls ldp

 ipv6 lsp-trigger all

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ospfv3 1 area 0.0.0.0

 ipv6 address 2::1/64

#

interface GigabitEthernet0/0/2

 port link-mode route

 combo enable copper

 ospfv3 2 area 0.0.0.0

 ipv6 address 192:168:1::1/64

#

interface Tunnel1 mode advpn gre ipv6

 ospfv3 2 area 0.0.0.0

 ospfv3 network-type p2mp

 mpls enable

 mpls ldp ipv6 enable

 mpls ldp transport-address 192:168:3::2

 source GigabitEthernet0/0/1

 ipv6 address FE80::3 link-local

 ipv6 address 192:168:3::2/64

 tunnel protection ipsec profile abc

 vam ipv6 client Spoke1

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address ipv6 :: 0 key cipher $c$3$7cyhmn5VAtBz5E3PnQJvRxUeUE2a4wDDtQ==

#

vam client name Spoke1

 advpn-domain abc

 server primary ipv6-address 4::1

 pre-shared-key cipher $c$3$XkOIAx+EhtRrlRVOCfJhmx5YkLY4figR1w==

 client enable

#

return

·     Spoke 2

#

 sysname Spoke2

#

ospfv3 1

 router-id 2.2.2.2

 area 0.0.0.0

#

ospfv3 2

 router-id 2.2.2.2

 area 0.0.0.0

#

 mpls lsr-id 2.2.2.2

#

mpls ldp

 ipv6 lsp-trigger all

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ospfv3 1 area 0.0.0.0

 ipv6 address 3::1/64

#

interface GigabitEthernet0/0/2

 port link-mode route

 combo enable copper

 ospfv3 2 area 0.0.0.0

 ipv6 address 192:168:2::1/64

#

interface Tunnel1 mode advpn gre ipv6

 ospfv3 2 area 0.0.0.0

 ospfv3 network-type p2mp

 mpls enable

 mpls ldp ipv6 enable

 mpls ldp transport-address 192:168:3::3

 source GigabitEthernet0/0/1

 ipv6 address FE80::4 link-local

 ipv6 address 192:168:3::3/64

 tunnel protection ipsec profile abc

 vam ipv6 client Spoke2

#

ipsec transform-set abc

 encapsulation-mode transport

 esp encryption-algorithm des-cbc

 esp authentication-algorithm sha1

#

ipsec profile abc isakmp

 transform-set abc

 ike-profile abc

#

ike profile abc

 keychain abc

#

ike keychain abc

 pre-shared-key address ipv6 :: 0 key cipher $c$3$Ysgday0kEOAsz7PK2VBkQKXts2w88tNplA==

#

vam client name Spoke2

 advpn-domain abc

 server primary ipv6-address 4::1

 pre-shared-key cipher $c$3$YkiBYd4FdavbYylKBwpRNDzBHCUrotn5NA==

 client enable

#

return

·     Device

#

 sysname Device

#

ospfv3 1

 router-id 3.3.3.3

 area 0.0.0.0

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ospfv3 1 area 0.0.0.0

 ipv6 address 1::2/64

#

interface GigabitEthernet0/0/2

 port link-mode route

 combo enable copper

 ospfv3 1 area 0.0.0.0

 ipv6 address 2::2/64

#

interface GigabitEthernet0/0/3

 port link-mode route

 combo enable copper

 ospfv3 1 area 0.0.0.0

 ipv6 address 3::2/64

#

interface GigabitEthernet0/0/4

 port link-mode route

 combo enable copper

 ospfv3 1 area 0.0.0.0

 ipv6 address 4::2/64

#

return

·     CE 1

#

 sysname CE1

#

ospfv3 2

 router-id 6.6.6.6

 area 0.0.0.0

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ospfv3 2 area 0.0.0.0

 ipv6 address 192:168:1::2/64

#

return

·     CE 2

#

 sysname CE2

#

ospfv3 2

 router-id 7.7.7.7

 area 0.0.0.0

#

interface GigabitEthernet0/0/1

 port link-mode route

 combo enable copper

 ospfv3 2 area 0.0.0.0

 ipv6 address 192:168:2::2/64

#

return
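
The IPsec and VAM settings in these configuration files are lab values. As an added example (not part of the H3C document), the Python script below scans Comware CLI lines or saved configuration for the settings used here that are worth reviewing before production use: des-cbc ESP encryption, sha1 ESP authentication, a pre-shared key entered with simple, the :: 0 wildcard keychain entry, and authentication-method none on the VAM server. Rule names, severities and the 16-character key threshold are assumptions of this example.

```python
import re

# Sample input assembled from this section: two CLI lines (with prompts) from
# 4.5.2 and saved-configuration lines from 4.7. The ciphertext is a placeholder.
SAMPLE = """\
[Hub-vam-client-Hub] pre-shared-key simple 123456
[Hub-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
vam server advpn-domain abc id 1
 pre-shared-key cipher <ciphertext-placeholder>
 authentication-method none
"""

# Leading Comware prompt such as "[Hub-Tunnel1] " or "<Hub> ".
PROMPT = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")
MIN_PSK_LEN = 16  # assumed local policy threshold, not an H3C requirement

# (rule id, severity, pattern, advice); ids and severities are this example's own.
# 3des-cbc and md5 do not appear on this page; they are added to the same rules.
RULES = [
    ("WEAK-ENC", "high",
     re.compile(r"^esp encryption-algorithm\s+(des-cbc|3des-cbc)\b"),
     "DES/3DES ESP encryption; use an AES transform the device supports"),
    ("WEAK-AUTH", "medium",
     re.compile(r"^esp authentication-algorithm\s+(md5|sha1)\b"),
     "MD5/SHA-1 ESP authentication; prefer a SHA-2 algorithm"),
    ("PSK-WILDCARD-PEER", "medium",
     re.compile(r"^pre-shared-key address ipv6 ::\s+0\b"),
     "keychain entry matches every IPv6 peer, so one key covers the whole domain"),
    ("PSK-PLAINTEXT", "high",
     re.compile(r"^pre-shared-key\b.*\bsimple\s+(\S+)"),
     "key typed in plaintext; it ends up in terminal logs and change tickets"),
    ("VAM-NO-AUTH", "medium",
     re.compile(r"^authentication-method none\b"),
     "VAM server registers clients without authenticating them"),
]


def audit(text):
    """Return findings for Comware CLI or saved-configuration text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cmd = PROMPT.sub("", raw, count=1).strip()
        if not cmd or cmd == "#":
            continue
        for rule_id, severity, pattern, advice in RULES:
            match = pattern.search(cmd)
            if not match:
                continue
            findings.append({"line": lineno, "rule": rule_id,
                             "severity": severity, "advice": advice})
            # The key itself is never copied into the report, only its length class.
            if rule_id == "PSK-PLAINTEXT" and len(match.group(1)) < MIN_PSK_LEN:
                findings.append({"line": lineno, "rule": "PSK-SHORT",
                                 "severity": "high",
                                 "advice": f"key shorter than {MIN_PSK_LEN} characters"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']}: [{f['severity']}] {f['rule']}: {f['advice']}")
```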

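5 Related documentation

·     "MPLS Configuration Guide" in H3C ICG2000[3000] Information and Communication Gateway Configuration Guides (V9)

·     "MPLS Command Reference" in H3C ICG2000[3000] Information and Communication Gateway Command References (V9)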
