03-H3C MSR Series Routers MPLS over ADVPN Configuration Examples
ADVPN over MPLS Configuration Examples
Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced, or distributed in any form without the prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., the trademarks, product identifiers, and trade names of other companies that appear in this manual are the property of their respective owners.
The information in this document is subject to change without notice.
1.2 Full-mesh ADVPN over MPLS configuration example (routing application)
1.3 Hub-spoke ADVPN over MPLS configuration example (routing application)
1.4 Full-mesh ADVPN over MPLS configuration example (security application)
1.5 Hub-spoke ADVPN over MPLS configuration example (security application)
MPLS (Multiprotocol Label Switching) is a widely deployed backbone network technology. MPLS introduces connection-oriented label switching into the connectionless IP network, combining Layer 3 routing with Layer 2 switching to take advantage of both the flexibility of IP routing and the simplicity of Layer 2 switching.
LDP (Label Distribution Protocol) dynamically establishes LSPs. Through LDP, an LSR maps network-layer IP routing information onto MPLS label switched paths.
ADVPN (Auto Discovery Virtual Private Network) is a dynamic VPN technology based on the VAM (VPN Address Management) protocol.
ADVPN over MPLS lets the branches of an enterprise network that access the MPLS LDP public network with dynamic addresses use ADVPN to establish VPNs between branches.
This configuration example was created and verified on an MSR3610-X1 router running Release 6749.
· Hub, Spoke, Router, and Server dynamically establish LSPs through MPLS LDP, so that traffic between the loopback addresses of these devices is carried over MPLS.
· In the IPv4 full-mesh network, the primary and secondary VAM servers manage and maintain the information of every node; the AAA server authenticates VAM clients and performs accounting; the two hubs back each other up and are responsible for forwarding data and exchanging routing information.
· Each spoke establishes permanent ADVPN tunnels with the hubs.
· Within the same ADVPN domain, any two spokes dynamically establish an ADVPN tunnel when there is traffic between them.
Table 1-1 Addressing for the IPv4 full-mesh ADVPN over MPLS network
| Device | Interface | IP address | Device | Interface | IP address |
|---|---|---|---|---|---|
| Hub 1 | GE1/0/1 | 1.5.1.1/30 | Spoke 1 | GE1/0/1 | 3.5.1.1/30 |
| | Loopback0 | 1.1.1.1/32 | | Loopback0 | 3.3.3.3/32 |
| | Tunnel1 | 192.168.0.1/24 | | Tunnel1 | 192.168.0.3/24 |
| Hub 2 | GE1/0/1 | 2.5.1.1/30 | | GE1/0/2 | 192.168.1.1/24 |
| | Loopback0 | 2.2.2.2/32 | Spoke 2 | GE1/0/1 | 4.5.1.1/30 |
| | Tunnel1 | 192.168.0.2/24 | | Loopback0 | 4.4.4.4/32 |
| Router | GE1/0/1 | 1.5.1.2/30 | | Tunnel1 | 192.168.0.4/24 |
| | GE1/0/2 | 2.5.1.2/30 | | GE1/0/2 | 192.168.2.1/24 |
| | GE1/0/3 | 3.5.1.2/30 | Primary server | GE1/0/1 | 5.6.1.3/24 |
| | GE1/0/4 | 4.5.1.2/30 | | Loopback0 | 6.6.6.6/32 |
| | GE1/0/5 | 5.6.1.1/24 | Secondary server | GE1/0/1 | 5.6.1.4/24 |
| | Loopback0 | 5.5.5.5/32 | | Loopback0 | 7.7.7.7/32 |
| AAA server | | 5.6.1.2/24 | | | |
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Primary server> system-view
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] ip address 5.6.1.3 24
[Primary server-GigabitEthernet1/0/1] quit
[Primary server] interface loopback 0
[Primary server-LoopBack0] ip address 6.6.6.6 32
[Primary server-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Primary server] ospf 1
[Primary server-ospf-1] area 0
[Primary server-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0
[Primary server-ospf-1-area-0.0.0.0] network 5.6.1.3 0.0.0.255
[Primary server-ospf-1-area-0.0.0.0] quit
[Primary server-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Primary server] mpls lsr-id 6.6.6.6
[Primary server] mpls ldp
[Primary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] mpls enable
[Primary server-GigabitEthernet1/0/1] mpls ldp enable
[Primary server-GigabitEthernet1/0/1] quit
(4) Configure AAA authentication
# Configure a RADIUS scheme.
[Primary server] radius scheme abc
[Primary server-radius-abc] primary authentication 5.6.1.2 1812
[Primary server-radius-abc] primary accounting 5.6.1.2 1813
[Primary server-radius-abc] key authentication simple 123
[Primary server-radius-abc] key accounting simple 123
[Primary server-radius-abc] user-name-format without-domain
[Primary server-radius-abc] quit
[Primary server] radius session-control enable
# Configure the AAA methods for the ISP domain.
[Primary server] domain abc
[Primary server-isp-abc] authentication advpn radius-scheme abc
[Primary server-isp-abc] accounting advpn radius-scheme abc
[Primary server-isp-abc] quit
[Primary server] domain default enable abc
(5) Configure the VAM server
# Create ADVPN domain abc.
[Primary server] vam server advpn-domain abc id 1
# Create hub group 0.
[Primary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the hubs in the hub group.
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the spokes in the hub group.
[Primary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Primary server-vam-server-domain-abc-hub-group-0] quit
# Set the VAM server pre-shared key to 123456.
[Primary server-vam-server-domain-abc] pre-shared-key simple 123456
# Use CHAP to authenticate VAM clients.
[Primary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM server for the ADVPN domain.
[Primary server-vam-server-domain-abc] server enable
[Primary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Secondary server> system-view
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] ip address 5.6.1.4 24
[Secondary server-GigabitEthernet1/0/1] quit
[Secondary server] interface loopback 0
[Secondary server-LoopBack0] ip address 7.7.7.7 32
[Secondary server-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Secondary server] ospf 1
[Secondary server-ospf-1] area 0
[Secondary server-ospf-1-area-0.0.0.0] network 7.7.7.7 0.0.0.0
[Secondary server-ospf-1-area-0.0.0.0] network 5.6.1.4 0.0.0.255
[Secondary server-ospf-1-area-0.0.0.0] quit
[Secondary server-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Secondary server] mpls lsr-id 7.7.7.7
[Secondary server] mpls ldp
[Secondary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] mpls enable
[Secondary server-GigabitEthernet1/0/1] mpls ldp enable
[Secondary server-GigabitEthernet1/0/1] quit
(4) Configure AAA authentication
# Configure a RADIUS scheme.
[Secondary server] radius scheme abc
[Secondary server-radius-abc] primary authentication 5.6.1.2 1812
[Secondary server-radius-abc] primary accounting 5.6.1.2 1813
[Secondary server-radius-abc] key authentication simple 123
[Secondary server-radius-abc] key accounting simple 123
[Secondary server-radius-abc] user-name-format without-domain
[Secondary server-radius-abc] quit
[Secondary server] radius session-control enable
# Configure the AAA methods for the ISP domain.
[Secondary server] domain abc
[Secondary server-isp-abc] authentication advpn radius-scheme abc
[Secondary server-isp-abc] accounting advpn radius-scheme abc
[Secondary server-isp-abc] quit
[Secondary server] domain default enable abc
(5) Configure the VAM server
# Create ADVPN domain abc.
[Secondary server] vam server advpn-domain abc id 1
# Create hub group 0.
[Secondary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the hubs in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the spokes in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Secondary server-vam-server-domain-abc-hub-group-0] quit
# Set the VAM server pre-shared key to 123456.
[Secondary server-vam-server-domain-abc] pre-shared-key simple 123456
# Use CHAP to authenticate VAM clients.
[Secondary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM server for the ADVPN domain.
[Secondary server-vam-server-domain-abc] server enable
[Secondary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 1.5.1.2 30
[Router-GigabitEthernet1/0/1] quit
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip address 2.5.1.2 30
[Router-GigabitEthernet1/0/2] quit
[Router] interface gigabitethernet 1/0/3
[Router-GigabitEthernet1/0/3] ip address 3.5.1.2 30
[Router-GigabitEthernet1/0/3] quit
[Router] interface gigabitethernet 1/0/4
[Router-GigabitEthernet1/0/4] ip address 4.5.1.2 30
[Router-GigabitEthernet1/0/4] quit
[Router] interface gigabitethernet 1/0/5
[Router-GigabitEthernet1/0/5] ip address 5.6.1.1 24
[Router-GigabitEthernet1/0/5] quit
[Router] interface loopback 0
[Router-LoopBack0] ip address 5.5.5.5 32
[Router-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Router] ospf 1
[Router-ospf-1] area 0
[Router-ospf-1-area-0.0.0.0] network 1.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 2.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 3.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 4.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 5.6.1.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Router] mpls lsr-id 5.5.5.5
[Router] mpls ldp
[Router-ldp] quit
# Enable MPLS and IPv4 LDP on the interfaces.
[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5
[Router-if-range] mpls enable
[Router-if-range] mpls ldp enable
[Router-if-range] quit
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Hub1> system-view
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] ip address 1.5.1.1 30
[Hub1-GigabitEthernet1/0/1] quit
[Hub1] interface loopback 0
[Hub1-LoopBack0] ip address 1.1.1.1 32
[Hub1-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[Hub1-ospf-1-area-0.0.0.0] network 1.5.1.1 0.0.0.3
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Hub1] mpls lsr-id 1.1.1.1
[Hub1] mpls ldp
[Hub1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] mpls enable
[Hub1-GigabitEthernet1/0/1] mpls ldp enable
[Hub1-GigabitEthernet1/0/1] quit
(4) Configure the VAM client
# Create VAM client Hub1.
[Hub1] vam client name Hub1
# Assign the VAM client to ADVPN domain abc.
[Hub1-vam-client-Hub1] advpn-domain abc
# Set the VAM client pre-shared key to 123456.
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
# Set the VAM client authentication username to hub1 and the password to hub1.
[Hub1-vam-client-Hub1] user hub1 password simple hub1
# Specify the IP addresses of the VAM servers.
[Hub1-vam-client-Hub1] server primary ip-address 6.6.6.6
[Hub1-vam-client-Hub1] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit
(5) Configure the IPsec profile
# Configure the IKE profile.
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# Configure the IPsec profile.
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel1.
[Hub1] interface tunnel 1 mode advpn gre
[Hub1-Tunnel1] ip address 192.168.0.1 24
[Hub1-Tunnel1] vam client Hub1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] source loopback 0
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] quit
(7) Configure OSPF routing
# Configure routing for the private network.
[Hub1] ospf 2
[Hub1-ospf-2] area 0
[Hub1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-2-area-0.0.0.0] quit
[Hub1-ospf-2] quit
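The transform set above negotiates des-cbc with sha1, the keychain accepts any peer address (0.0.0.0 0), which is what lets dynamically discovered spokes complete IKE but also means one leaked pre-shared key admits any peer, and every secret is entered in `simple` (plaintext) form. The linter below is an added example, not part of the H3C document: it splits a Comware running configuration into its `#`-delimited blocks and reports such settings; the sample configuration is constructed from Hub1's running config on this page, and the finding labels, weak-algorithm sets and key-length threshold are this script's own choices.

```python
"""Lint an H3C Comware running configuration for weak IPsec/IKE/VAM
settings of the kind used in the ADVPN example above.

Added example, not H3C code. The sample below is constructed from the
Hub1 running config on this page; finding names are this script's own.
"""

# Constructed sample: the security-relevant blocks of Hub1's running config.
SAMPLE_CONFIG = """\
#
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec profile abc isakmp
 transform-set abc
 ike-profile abc
#
ike profile abc
 keychain abc
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
 advpn-domain abc
 pre-shared-key simple 123456
 user hub1 password simple hub1
 client enable
#
"""

# Algorithm sets and threshold are this script's own policy, not H3C's.
WEAK_ENCRYPTION = {"des-cbc", "3des-cbc", "null"}
WEAK_INTEGRITY = {"md5", "sha1"}
MIN_PSK_LENGTH = 12


def split_blocks(config):
    """Split a Comware config into blocks; every '#' line starts a new block.

    Returns a list of blocks, each a list of stripped, non-empty lines whose
    first element is the block header (e.g. 'ike keychain abc')."""
    blocks, current = [], []
    for line in config.splitlines():
        if line.strip() == "#":
            if current:
                blocks.append(current)
            current = []
        elif line.strip():
            current.append(line.strip())
    if current:
        blocks.append(current)
    return blocks


def lint(config):
    """Return (finding, block header, detail) tuples for each weak setting."""
    findings = []
    for block in split_blocks(config):
        header = block[0]
        for line in block[1:]:
            words = line.split()
            if header.startswith("ipsec transform-set") and len(words) >= 3:
                if words[:2] == ["esp", "encryption-algorithm"] and words[2] in WEAK_ENCRYPTION:
                    findings.append(("weak-encryption", header, words[2]))
                if words[:2] == ["esp", "authentication-algorithm"] and words[2] in WEAK_INTEGRITY:
                    findings.append(("weak-integrity", header, words[2]))
            # IKE PSK bound to address 0.0.0.0 with a zero mask: any peer that
            # knows the key is accepted, so the key is the whole trust anchor.
            if (header.startswith("ike keychain") and len(words) >= 4
                    and words[:2] == ["pre-shared-key", "address"]
                    and words[2] == "0.0.0.0" and words[3] in ("0", "0.0.0.0")):
                findings.append(("wildcard-psk-peer", header, line))
            # 'simple' means the secret is stored and displayed in plaintext.
            if "simple" in words:
                findings.append(("plaintext-secret", header, words[0]))
            # Short pre-shared keys (IKE or VAM) are cheap to brute-force.
            if words and words[0] == "pre-shared-key" and len(words[-1]) < MIN_PSK_LENGTH:
                findings.append(("short-psk", header, words[-1]))
    return findings


if __name__ == "__main__":
    for kind, header, detail in lint(SAMPLE_CONFIG):
        print(f"{kind:18} in [{header}]: {detail}")
```

Run it against `display current-configuration` output from each Hub and Spoke; in this example every device shares the same transform set and keychain, so every device reports the same findings.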
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Hub2> system-view
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] ip address 2.5.1.1 30
[Hub2-GigabitEthernet1/0/1] quit
[Hub2] interface loopback 0
[Hub2-LoopBack0] ip address 2.2.2.2 32
[Hub2-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[Hub2-ospf-1-area-0.0.0.0] network 2.5.1.1 0.0.0.3
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Hub2] mpls lsr-id 2.2.2.2
[Hub2] mpls ldp
[Hub2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] mpls enable
[Hub2-GigabitEthernet1/0/1] mpls ldp enable
[Hub2-GigabitEthernet1/0/1] quit
(4) Configure the VAM client
# Create VAM client Hub2.
[Hub2] vam client name Hub2
# Assign the VAM client to ADVPN domain abc.
[Hub2-vam-client-Hub2] advpn-domain abc
# Set the VAM client pre-shared key to 123456.
[Hub2-vam-client-Hub2] pre-shared-key simple 123456
# Set the VAM client authentication username to hub2 and the password to hub2.
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# Specify the IP addresses of the VAM servers.
[Hub2-vam-client-Hub2] server primary ip-address 6.6.6.6
[Hub2-vam-client-Hub2] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
(5) Configure the IPsec profile
# Configure the IKE profile.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# Configure the IPsec profile.
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel1.
[Hub2] interface tunnel 1 mode advpn gre
[Hub2-Tunnel1] ip address 192.168.0.2 24
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] source loopback 0
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit
(7) Configure OSPF routing
# Configure routing for the private network.
[Hub2] ospf 2
[Hub2-ospf-2] area 0
[Hub2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-2-area-0.0.0.0] quit
[Hub2-ospf-2] quit
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Spoke1> system-view
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] ip address 3.5.1.1 30
[Spoke1-GigabitEthernet1/0/1] quit
[Spoke1] interface gigabitethernet 1/0/2
[Spoke1-GigabitEthernet1/0/2] ip address 192.168.1.1 24
[Spoke1-GigabitEthernet1/0/2] quit
[Spoke1] interface loopback 0
[Spoke1-LoopBack0] ip address 3.3.3.3 32
[Spoke1-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Spoke1] ospf 1
[Spoke1-ospf-1] area 0
[Spoke1-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 3.5.1.1 0.0.0.3
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Spoke1] mpls lsr-id 3.3.3.3
[Spoke1] mpls ldp
[Spoke1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] mpls enable
[Spoke1-GigabitEthernet1/0/1] mpls ldp enable
[Spoke1-GigabitEthernet1/0/1] quit
(4) Configure the VAM client
# Create VAM client Spoke1.
[Spoke1] vam client name Spoke1
# Assign the VAM client to ADVPN domain abc.
[Spoke1-vam-client-Spoke1] advpn-domain abc
# Set the VAM client pre-shared key to 123456.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# Set the VAM client authentication username to spoke1 and the password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Specify the IP addresses of the VAM servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 6.6.6.6
[Spoke1-vam-client-Spoke1] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
(5) Configure the IPsec profile
# Configure the IKE profile.
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# Configure the IPsec profile.
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel1.
[Spoke1] interface tunnel 1 mode advpn gre
[Spoke1-Tunnel1] ip address 192.168.0.3 24
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source loopback 0
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit
(7) Configure OSPF routing
# Configure routing for the private network.
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] quit
[Spoke1-ospf-2] quit
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Spoke2> system-view
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] ip address 4.5.1.1 30
[Spoke2-GigabitEthernet1/0/1] quit
[Spoke2] interface gigabitethernet 1/0/2
[Spoke2-GigabitEthernet1/0/2] ip address 192.168.2.1 24
[Spoke2-GigabitEthernet1/0/2] quit
[Spoke2] interface loopback 0
[Spoke2-LoopBack0] ip address 4.4.4.4 32
[Spoke2-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Spoke2] ospf 1
[Spoke2-ospf-1] area 0
[Spoke2-ospf-1-area-0.0.0.0] network 4.4.4.4 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 4.5.1.1 0.0.0.3
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Spoke2] mpls lsr-id 4.4.4.4
[Spoke2] mpls ldp
[Spoke2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] mpls enable
[Spoke2-GigabitEthernet1/0/1] mpls ldp enable
[Spoke2-GigabitEthernet1/0/1] quit
(4) Configure the VAM client
# Create VAM client Spoke2.
[Spoke2] vam client name Spoke2
# Assign the VAM client to ADVPN domain abc.
[Spoke2-vam-client-Spoke2] advpn-domain abc
# Set the VAM client pre-shared key to 123456.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# Set the VAM client authentication username to spoke2 and the password to spoke2.
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# Specify the IP addresses of the VAM servers.
[Spoke2-vam-client-Spoke2] server primary ip-address 6.6.6.6
[Spoke2-vam-client-Spoke2] server secondary ip-address 7.7.7.7
# Enable the VAM client.
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
(5) Configure the IPsec profile
# Configure the IKE profile.
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# Configure the IPsec profile.
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure GRE-mode IPv4 ADVPN tunnel interface Tunnel1.
[Spoke2] interface tunnel 1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 24
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] source loopback 0
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit
(7) Configure OSPF routing
# Configure routing for the private network.
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] quit
[Spoke2-ospf-2] quit
# Display the IPv4 private address mappings of all VAM clients registered with the primary VAM server.
[Primaryserver] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 10M 30S
0 192.168.0.2 2.2.2.2 Hub No 0H 10M 31S
0 192.168.0.3 3.3.3.3 Spoke No 0H 9M 27S
0 192.168.0.4 4.4.4.4 Spoke No 0H 9M 51S
# Display the IPv4 private address mappings of all VAM clients registered with the secondary VAM server.
[Secondaryserver] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 11M 49S
0 192.168.0.2 2.2.2.2 Hub No 0H 11M 50S
0 192.168.0.3 3.3.3.3 Spoke No 0H 10M 45S
0 192.168.0.4 4.4.4.4 Spoke No 0H 11M 10S
The output shows that Hub1, Hub2, Spoke1, and Spoke2 have all registered their address mappings with the VAM servers.
# Display IPv4 ADVPN tunnel information on Hub1.
[Hub1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.2 2.2.2.2 -- H-H Success 0H 12M 23S
192.168.0.3 3.3.3.3 -- H-S Success 0H 11M 19S
192.168.0.4 4.4.4.4 -- H-S Success 0H 11M 44S
The output shows that Hub1 has established permanent tunnels with Hub2, Spoke1, and Spoke2. The output on Hub2 is similar.
# Display IPv4 ADVPN tunnel information on Spoke1.
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 11M 0S
192.168.0.2 2.2.2.2 -- S-H Success 0H 11M 0S
The output shows that Spoke1 has established permanent hub-spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar.
# On Spoke1, ping the private address 192.168.2.1 of Spoke2.
[Spoke1] ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms
# Display IPv4 ADVPN tunnel information on Spoke1 again. A dynamic IPv4 ADVPN tunnel to Spoke2 has now been established.
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 12M 44S
192.168.0.2 2.2.2.2 -- S-H Success 0H 12M 44S
192.168.0.4 4.4.4.4 -- S-S Success 0H 1M 0S
The output shows that Spoke1 has permanent hub-spoke tunnels with Hub1 and Hub2 and a dynamic spoke-spoke tunnel with Spoke2. The output on Spoke2 is similar.
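Checking this state by eye does not scale past a few spokes. The script below is an added example, not part of the H3C document: it parses `display advpn session` output and compares a spoke's sessions with the hubs it must keep permanent tunnels to, separating transient spoke-spoke sessions from missing or failed hub sessions. The first sample is the Spoke1 output shown above, the second is a constructed degraded case, and the expected hub list comes from hub-group 0 on the VAM server.

```python
"""Parse 'display advpn session' output and verify a spoke's tunnel state
against the expected ADVPN topology.

Added example, not H3C code. SPOKE1_SESSIONS is copied from the Spoke1
output on this page; SPOKE_DEGRADED is a constructed failure case.
"""
import re

# Spoke1 output after the ping to Spoke2 (copied from the page above).
SPOKE1_SESSIONS = """\
Interface                : Tunnel1
Number of sessions: 3
Private address  Public address   Port   Type  State    Holding time
192.168.0.1      1.1.1.1          --     S-H   Success  0H 12M 44S
192.168.0.2      2.2.2.2          --     S-H   Success  0H 12M 44S
192.168.0.4      4.4.4.4          --     S-S   Success  0H 1M 0S
"""

# Constructed: a spoke that has lost its session to Hub2.
SPOKE_DEGRADED = """\
Interface                : Tunnel1
Number of sessions: 1
Private address  Public address   Port   Type  State    Holding time
192.168.0.1      1.1.1.1          --     S-H   Success  0H 0M 12S
"""

# Hub private addresses configured in hub-group 0 on the VAM server.
EXPECTED_HUBS = {"192.168.0.1", "192.168.0.2"}

# One session row: private addr, public addr, port, type (H-H/H-S/S-H/S-S),
# state, holding time as "xH yM zS".
SESSION_RE = re.compile(
    r"^(?P<private>\d+\.\d+\.\d+\.\d+)\s+(?P<public>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<port>\S+)\s+(?P<type>[HS]-[HS])\s+(?P<state>\S+)\s+"
    r"(?P<hold>\d+H \d+M \d+S)$"
)


def parse_sessions(text):
    """Return (interface name, list of session dicts) from the command output."""
    interface, sessions = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Interface"):
            interface = line.split(":", 1)[1].strip()
            continue
        m = SESSION_RE.match(line)
        if m:
            session = m.groupdict()
            hours, minutes, seconds = re.findall(r"\d+", session["hold"])
            session["hold_seconds"] = int(hours) * 3600 + int(minutes) * 60 + int(seconds)
            sessions.append(session)
    return interface, sessions


def check_spoke(sessions, expected_hubs):
    """Compare a spoke's sessions with the hubs it must keep permanent tunnels to.

    Returns a dict with:
      missing_hubs  - expected hubs with no S-H session in state Success
      dynamic_peers - S-S peers; these tunnels are transient and disappear when idle
      not_success   - peers of any session whose state is not Success
    """
    up_hubs = {s["private"] for s in sessions
               if s["type"] == "S-H" and s["state"] == "Success"}
    return {
        "missing_hubs": sorted(set(expected_hubs) - up_hubs),
        "dynamic_peers": sorted(s["private"] for s in sessions if s["type"] == "S-S"),
        "not_success": sorted(s["private"] for s in sessions if s["state"] != "Success"),
    }


if __name__ == "__main__":
    for label, text in (("Spoke1", SPOKE1_SESSIONS), ("degraded", SPOKE_DEGRADED)):
        interface, sessions = parse_sessions(text)
        print(label, interface, check_spoke(sessions, EXPECTED_HUBS))
```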
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 6.6.6.6 0.0.0.0
#
mpls lsr-id 6.6.6.6
#
mpls ldp
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 5.6.1.3 255.255.255.0
mpls enable
mpls ldp enable
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 7.7.7.7 0.0.0.0
#
mpls lsr-id 7.7.7.7
#
mpls ldp
#
interface LoopBack0
ip address 7.7.7.7 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 5.6.1.4 255.255.255.0
mpls enable
mpls ldp enable
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
#
ospf 1
area 0.0.0.0
network 1.5.1.0 0.0.0.3
network 2.5.1.0 0.0.0.3
network 3.5.1.0 0.0.0.3
network 4.5.1.0 0.0.0.3
network 5.5.5.5 0.0.0.0
network 5.6.1.0 0.0.0.255
#
mpls lsr-id 5.5.5.5
#
mpls ldp
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 1.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 2.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/3
ip address 3.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/4
ip address 4.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/5
ip address 5.6.1.1 255.255.255.0
mpls enable
mpls ldp enable
#
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 1.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 1.1.1.1
#
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 1.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.1 255.255.255.0
ospf network-type broadcast
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub1 password simple hub1
client enable
#
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 2.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 2.2.2.2
#
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 2.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.2 255.255.255.0
ospf network-type broadcast
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub2
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub2 password simple hub2
client enable
#
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 3.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
mpls lsr-id 3.3.3.3
#
mpls ldp
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 3.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.3 255.255.255.0
ospf network-type broadcast
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke1 password simple spoke1
client enable
#
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 4.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
mpls lsr-id 4.4.4.4
#
mpls ldp
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 4.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 192.168.2.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.4 255.255.255.0
ospf network-type broadcast
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke2
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke2 password simple spoke2
client enable
#
This example was configured and verified on the  version.
· Hub, Spoke, Router, and Server dynamically establish LSPs through MPLS LDP, so that traffic between the loopback addresses of these devices is carried over MPLS.
· In the IPv4 hub-spoke network, data is forwarded through hub-spoke tunnels. The primary and secondary VAM servers manage and maintain the information of every node; the AAA server authenticates VAM clients and performs accounting; the two hubs back each other up and are responsible for forwarding data and exchanging routing information.
· Each spoke establishes permanent ADVPN tunnels with the hubs.
Table 1-2 Addressing for the IPv4 hub-spoke ADVPN over MPLS network
| Device | Interface | IP address | Device | Interface | IP address |
|---|---|---|---|---|---|
| Hub 1 | GE1/0/1 | 1.5.1.1/30 | Spoke 1 | GE1/0/1 | 3.5.1.1/30 |
| | Loopback0 | 1.1.1.1/32 | | Loopback0 | 3.3.3.3/32 |
| | Tunnel1 | 192.168.0.1/24 | | Tunnel1 | 192.168.0.3/24 |
| Hub 2 | GE1/0/1 | 2.5.1.1/30 | | GE1/0/2 | 192.168.1.1/24 |
| | Loopback0 | 2.2.2.2/32 | Spoke 2 | GE1/0/1 | 4.5.1.1/30 |
| | Tunnel1 | 192.168.0.2/24 | | Loopback0 | 4.4.4.4/32 |
| Router | GE1/0/1 | 1.5.1.2/30 | | Tunnel1 | 192.168.0.4/24 |
| | GE1/0/2 | 2.5.1.2/30 | | GE1/0/2 | 192.168.2.1/24 |
| | GE1/0/3 | 3.5.1.2/30 | Primary server | GE1/0/1 | 5.6.1.3/24 |
| | GE1/0/4 | 4.5.1.2/30 | | Loopback0 | 6.6.6.6/32 |
| | GE1/0/5 | 5.6.1.1/24 | Secondary server | GE1/0/1 | 5.6.1.4/24 |
| | Loopback0 | 5.5.5.5/32 | | Loopback0 | 7.7.7.7/32 |
| AAA server | | 5.6.1.2/24 | | | |
(1) Configure interface IP addresses
# Assign each interface the IP address planned in the network diagram, as follows.
<Primary server> system-view
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] ip address 5.6.1.3 24
[Primary server-GigabitEthernet1/0/1] quit
[Primary server] interface loopback 0
[Primary server-LoopBack0] ip address 6.6.6.6 32
[Primary server-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Primary server] ospf 1
[Primary server-ospf-1] area 0
[Primary server-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0
[Primary server-ospf-1-area-0.0.0.0] network 5.6.1.3 0.0.0.255
[Primary server-ospf-1-area-0.0.0.0] quit
[Primary server-ospf-1] quit
(3) Configure public-network IS-IS routing
# Configure IS-IS to advertise the public-network routes.
[Primary server] isis 1
[Primary server-isis-1] network-entity 49.0001.0060.0600.6006.00
[Primary server-isis-1] is-level level-2
[Primary server-isis-1] quit
[Primary server] interface range gigabitethernet 1/0/1 loopback 0
[Primary server-if-range] isis enable 1
[Primary server-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Primary server] mpls lsr-id 6.6.6.6
[Primary server] mpls ldp
[Primary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] mpls enable
[Primary server-GigabitEthernet1/0/1] mpls ldp enable
[Primary server-GigabitEthernet1/0/1] quit
(5) Configure AAA authentication
# Configure a RADIUS scheme.
[Primary server] radius scheme abc
[Primary server-radius-abc] primary authentication 5.6.1.2 1812
[Primary server-radius-abc] primary accounting 5.6.1.2 1813
[Primary server-radius-abc] key authentication simple 123
[Primary server-radius-abc] key accounting simple 123
[Primary server-radius-abc] user-name-format without-domain
[Primary server-radius-abc] quit
[Primary server] radius session-control enable
# Configure the AAA methods for the ISP domain.
[Primary server] domain abc
[Primary server-isp-abc] authentication advpn radius-scheme abc
[Primary server-isp-abc] accounting advpn radius-scheme abc
[Primary server-isp-abc] quit
[Primary server] domain default enable abc
(6) Configure the VAM server
# Create ADVPN domain abc.
[Primary server] vam server advpn-domain abc id 1
# Create hub group 0.
[Primary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the hubs in the hub group.
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the spokes in the hub group.
[Primary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Primary server-vam-server-domain-abc-hub-group-0] quit
# Set the VAM server pre-shared key to 123456.
[Primary server-vam-server-domain-abc] pre-shared-key simple 123456
# Use CHAP to authenticate VAM clients.
[Primary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM server for the ADVPN domain.
[Primary server-vam-server-domain-abc] server enable
[Primary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram.
<Secondary server> system-view
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] ip address 5.6.1.4 24
[Secondary server-GigabitEthernet1/0/1] quit
[Secondary server] interface loopback 0
[Secondary server-LoopBack0] ip address 7.7.7.7 32
[Secondary server-LoopBack0] quit
(2) Configure public network OSPF routing
# Configure OSPF 1 to advertise the public network routes.
[Secondary server] ospf 1
[Secondary server-ospf-1] area 0
[Secondary server-ospf-1-area-0.0.0.0] network 7.7.7.7 0.0.0.0
[Secondary server-ospf-1-area-0.0.0.0] network 5.6.1.4 0.0.0.255
[Secondary server-ospf-1-area-0.0.0.0] quit
[Secondary server-ospf-1] quit
(3) Configure public network IS-IS routing
# Configure IS-IS 1 to advertise the public network routes.
[Secondary server] isis 1
[Secondary server-isis-1] network-entity 49.0001.0070.0700.7007.00
[Secondary server-isis-1] is-level level-2
[Secondary server-isis-1] quit
[Secondary server] interface range gigabitethernet 1/0/1 loopback 0
[Secondary server-if-range] isis enable 1
[Secondary server-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Secondary server] mpls lsr-id 7.7.7.7
[Secondary server] mpls ldp
[Secondary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] mpls enable
[Secondary server-GigabitEthernet1/0/1] mpls ldp enable
[Secondary server-GigabitEthernet1/0/1] quit
(5) Configure AAA authentication
# Configure the RADIUS scheme (same RADIUS server and shared secret as on the primary server).
[Secondary server] radius scheme abc
[Secondary server-radius-abc] primary authentication 5.6.1.2 1812
[Secondary server-radius-abc] primary accounting 5.6.1.2 1813
[Secondary server-radius-abc] key authentication simple 123
[Secondary server-radius-abc] key accounting simple 123
[Secondary server-radius-abc] user-name-format without-domain
[Secondary server-radius-abc] quit
[Secondary server] radius session-control enable
# Configure the AAA methods of ISP domain abc and make abc the default domain.
[Secondary server] domain abc
[Secondary server-isp-abc] authentication advpn radius-scheme abc
[Secondary server-isp-abc] accounting advpn radius-scheme abc
[Secondary server-isp-abc] quit
[Secondary server] domain default enable abc
(6) Configure the VAM Server
# Create ADVPN domain abc.
[Secondary server] vam server advpn-domain abc id 1
# Create Hub group 0.
[Secondary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the Hubs in the Hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the Spokes in the Hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Secondary server-vam-server-domain-abc-hub-group-0] quit
# Set the VAM Server pre-shared key to 123456 (the same key as on the primary server and on every VAM Client).
[Secondary server-vam-server-domain-abc] pre-shared-key simple 123456
# Authenticate VAM Clients with CHAP.
[Secondary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM Server for this ADVPN domain.
[Secondary server-vam-server-domain-abc] server enable
[Secondary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 1.5.1.2 30
[Router-GigabitEthernet1/0/1] quit
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip address 2.5.1.2 30
[Router-GigabitEthernet1/0/2] quit
[Router] interface gigabitethernet 1/0/3
[Router-GigabitEthernet1/0/3] ip address 3.5.1.2 30
[Router-GigabitEthernet1/0/3] quit
[Router] interface gigabitethernet 1/0/4
[Router-GigabitEthernet1/0/4] ip address 4.5.1.2 30
[Router-GigabitEthernet1/0/4] quit
[Router] interface gigabitethernet 1/0/5
[Router-GigabitEthernet1/0/5] ip address 5.6.1.1 24
[Router-GigabitEthernet1/0/5] quit
[Router] interface loopback 0
[Router-LoopBack0] ip address 5.5.5.5 32
[Router-LoopBack0] quit
(2) Configure public network OSPF routing
# Configure OSPF 1 to advertise the public network routes.
[Router] ospf 1
[Router-ospf-1] area 0
[Router-ospf-1-area-0.0.0.0] network 1.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 2.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 3.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 5.6.1.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit
(3) Configure public network IS-IS routing
# Configure IS-IS 1 to advertise the public network routes. IS-IS is enabled on every public interface except GE1/0/3, which connects to Spoke1: in this example Spoke1 runs OSPF only and Spoke2 runs IS-IS only, so the Router runs both IGPs.
[Router] isis 1
[Router-isis-1] network-entity 49.0001.0050.0500.5005.00
[Router-isis-1] is-level level-2
[Router-isis-1] quit
[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/4 gigabitethernet 1/0/5 loopback 0
[Router-if-range] isis enable 1
[Router-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Router] mpls lsr-id 5.5.5.5
[Router] mpls ldp
[Router-ldp] quit
# Enable MPLS and IPv4 LDP on all public interfaces.
[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5
[Router-if-range] mpls enable
[Router-if-range] mpls ldp enable
[Router-if-range] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram.
<Hub1> system-view
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] ip address 1.5.1.1 30
[Hub1-GigabitEthernet1/0/1] quit
[Hub1] interface loopback 0
[Hub1-LoopBack0] ip address 1.1.1.1 32
[Hub1-LoopBack0] quit
(2) Configure public network OSPF routing
# Configure OSPF 1 to advertise the public network routes.
[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[Hub1-ospf-1-area-0.0.0.0] network 1.5.1.1 0.0.0.3
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit
(3) Configure public network IS-IS routing
# Configure IS-IS 1 to advertise the public network routes.
[Hub1] isis 1
[Hub1-isis-1] network-entity 49.0001.0010.0100.1001.00
[Hub1-isis-1] is-level level-2
[Hub1-isis-1] quit
[Hub1] interface range gigabitethernet 1/0/1 loopback 0
[Hub1-if-range] isis enable 1
[Hub1-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Hub1] mpls lsr-id 1.1.1.1
[Hub1] mpls ldp
[Hub1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] mpls enable
[Hub1-GigabitEthernet1/0/1] mpls ldp enable
[Hub1-GigabitEthernet1/0/1] quit
(5) Configure the VAM Client
# Create VAM Client Hub1.
[Hub1] vam client name Hub1
# Set the ADVPN domain of the VAM Client to abc.
[Hub1-vam-client-Hub1] advpn-domain abc
# Set the VAM Client pre-shared key to 123456 (must match the key on the VAM Servers).
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
# Set the authentication username to hub1 and the password to hub1 (the credentials the VAM Server verifies against the RADIUS server).
[Hub1-vam-client-Hub1] user hub1 password simple hub1
# Specify the IP addresses of the primary and secondary VAM Servers.
[Hub1-vam-client-Hub1] server primary ip-address 6.6.6.6
[Hub1-vam-client-Hub1] server secondary ip-address 7.7.7.7
# Enable the VAM Client.
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit
(6) Configure the IPsec profile
# Configure the IKE keychain and IKE profile. The keychain binds the single pre-shared key 123456 to address 0.0.0.0 0, that is, to any peer; this is what lets nodes negotiate IPsec with peers whose public address is not known in advance, but it also means every node shares one secret and a compromised node can negotiate with any other. In production use a long random key and consider certificate-based IKE authentication instead.
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# Configure the IPsec transform set and profile. The lab uses des-cbc with sha1; DES is obsolete and SHA-1 is deprecated for new deployments, so in production use an AES transform (for example esp encryption-algorithm aes-cbc-256) with esp authentication-algorithm sha256. The same applies to Hub2, Spoke1 and Spoke2 below.
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
(7) Configure the ADVPN tunnel
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1. The tunnel source is Loopback0, the address that is reachable over the MPLS LSPs, and the tunnel is protected by IPsec profile abc.
[Hub1] interface tunnel 1 mode advpn gre
[Hub1-Tunnel1] ip address 192.168.0.1 24
[Hub1-Tunnel1] vam client Hub1
[Hub1-Tunnel1] ospf network-type p2mp
[Hub1-Tunnel1] source loopback 0
[Hub1-Tunnel1] tunnel protection ipsec profile abc
# Set the OSPF 2 (private network) cost of Hub1's tunnel interface to 1 (Hub2 keeps the default cost), so that Spoke-to-Spoke traffic prefers the same Hub in both directions and the forward and return paths stay consistent.
[Hub1-Tunnel1] ospf cost 1
[Hub1-Tunnel1] quit
(8) Configure OSPF routing
# Configure the private network routing (OSPF 2 over the tunnel).
[Hub1] ospf 2
[Hub1-ospf-2] area 0
[Hub1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-2-area-0.0.0.0] quit
[Hub1-ospf-2] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram.
<Hub2> system-view
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] ip address 2.5.1.1 30
[Hub2-GigabitEthernet1/0/1] quit
[Hub2] interface loopback 0
[Hub2-LoopBack0] ip address 2.2.2.2 32
[Hub2-LoopBack0] quit
(2) Configure public network OSPF routing
# Configure OSPF 1 to advertise the public network routes.
[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[Hub2-ospf-1-area-0.0.0.0] network 2.5.1.1 0.0.0.3
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit
(3) Configure public network IS-IS routing
# Configure IS-IS 1 to advertise the public network routes.
[Hub2] isis 1
[Hub2-isis-1] network-entity 49.0001.0020.0200.2002.00
[Hub2-isis-1] is-level level-2
[Hub2-isis-1] quit
[Hub2] interface range gigabitethernet 1/0/1 loopback 0
[Hub2-if-range] isis enable 1
[Hub2-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Hub2] mpls lsr-id 2.2.2.2
[Hub2] mpls ldp
[Hub2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] mpls enable
[Hub2-GigabitEthernet1/0/1] mpls ldp enable
[Hub2-GigabitEthernet1/0/1] quit
(5) Configure the VAM Client
# Create VAM Client Hub2.
[Hub2] vam client name Hub2
# Set the ADVPN domain of the VAM Client to abc.
[Hub2-vam-client-Hub2] advpn-domain abc
# Set the VAM Client pre-shared key to 123456.
[Hub2-vam-client-Hub2] pre-shared-key simple 123456
# Set the authentication username to hub2 and the password to hub2.
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# Specify the IP addresses of the primary and secondary VAM Servers.
[Hub2-vam-client-Hub2] server primary ip-address 6.6.6.6
[Hub2-vam-client-Hub2] server secondary ip-address 7.7.7.7
# Enable the VAM Client.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
(6) Configure the IPsec profile
# Configure the IKE keychain and IKE profile.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# Configure the IPsec transform set and profile (see the note on des-cbc and sha1 under Hub1).
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
(7) Configure the ADVPN tunnel
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Hub2] interface tunnel 1 mode advpn gre
[Hub2-Tunnel1] ip address 192.168.0.2 24
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type p2mp
[Hub2-Tunnel1] source loopback 0
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit
(8) Configure OSPF routing
# Configure the private network routing (OSPF 2 over the tunnel).
[Hub2] ospf 2
[Hub2-ospf-2] area 0
[Hub2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-2-area-0.0.0.0] quit
[Hub2-ospf-2] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram.
<Spoke1> system-view
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] ip address 3.5.1.1 30
[Spoke1-GigabitEthernet1/0/1] quit
[Spoke1] interface gigabitethernet 1/0/2
[Spoke1-GigabitEthernet1/0/2] ip address 192.168.1.1 24
[Spoke1-GigabitEthernet1/0/2] quit
[Spoke1] interface loopback 0
[Spoke1-LoopBack0] ip address 3.3.3.3 32
[Spoke1-LoopBack0] quit
(2) Configure public network OSPF routing
# Configure OSPF 1 to advertise the public network routes (Spoke1 uses OSPF only; there is no IS-IS step on this node).
[Spoke1] ospf 1
[Spoke1-ospf-1] area 0
[Spoke1-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 3.5.1.1 0.0.0.3
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Spoke1] mpls lsr-id 3.3.3.3
[Spoke1] mpls ldp
[Spoke1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] mpls enable
[Spoke1-GigabitEthernet1/0/1] mpls ldp enable
[Spoke1-GigabitEthernet1/0/1] quit
(4) Configure the VAM Client
# Create VAM Client Spoke1.
[Spoke1] vam client name Spoke1
# Set the ADVPN domain of the VAM Client to abc.
[Spoke1-vam-client-Spoke1] advpn-domain abc
# Set the VAM Client pre-shared key to 123456.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# Set the authentication username to spoke1 and the password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Specify the IP addresses of the primary and secondary VAM Servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 6.6.6.6
[Spoke1-vam-client-Spoke1] server secondary ip-address 7.7.7.7
# Enable the VAM Client.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
(5) Configure the IPsec profile
# Configure the IKE keychain and IKE profile.
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# Configure the IPsec transform set and profile (see the note on des-cbc and sha1 under Hub1).
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Spoke1] interface tunnel 1 mode advpn gre
[Spoke1-Tunnel1] ip address 192.168.0.3 24
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type p2mp
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source loopback 0
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit
(7) Configure OSPF routing
# Configure the private network routing (OSPF 2 over the tunnel and the LAN 192.168.1.0/24).
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] quit
[Spoke1-ospf-2] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram.
<Spoke2> system-view
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] ip address 4.5.1.1 30
[Spoke2-GigabitEthernet1/0/1] quit
[Spoke2] interface gigabitethernet 1/0/2
[Spoke2-GigabitEthernet1/0/2] ip address 192.168.2.1 24
[Spoke2-GigabitEthernet1/0/2] quit
[Spoke2] interface loopback 0
[Spoke2-LoopBack0] ip address 4.4.4.4 32
[Spoke2-LoopBack0] quit
(2) Configure public network IS-IS routing
# Configure IS-IS 1 to advertise the public network routes (Spoke2 uses IS-IS only; there is no OSPF 1 step on this node).
[Spoke2] isis 1
[Spoke2-isis-1] network-entity 49.0001.0040.0400.4004.00
[Spoke2-isis-1] is-level level-2
[Spoke2-isis-1] quit
[Spoke2] interface range gigabitethernet 1/0/1 loopback 0
[Spoke2-if-range] isis enable 1
[Spoke2-if-range] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Spoke2] mpls lsr-id 4.4.4.4
[Spoke2] mpls ldp
[Spoke2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] mpls enable
[Spoke2-GigabitEthernet1/0/1] mpls ldp enable
[Spoke2-GigabitEthernet1/0/1] quit
(4) Configure the VAM Client
# Create VAM Client Spoke2.
[Spoke2] vam client name Spoke2
# Set the ADVPN domain of the VAM Client to abc.
[Spoke2-vam-client-Spoke2] advpn-domain abc
# Set the VAM Client pre-shared key to 123456.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# Set the authentication username to spoke2 and the password to spoke2.
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# Specify the IP addresses of the primary and secondary VAM Servers.
[Spoke2-vam-client-Spoke2] server primary ip-address 6.6.6.6
[Spoke2-vam-client-Spoke2] server secondary ip-address 7.7.7.7
# Enable the VAM Client.
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
(5) Configure the IPsec profile
# Configure the IKE keychain and IKE profile.
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# Configure the IPsec transform set and profile (see the note on des-cbc and sha1 under Hub1).
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Spoke2] interface tunnel 1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 24
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type p2mp
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] source loopback 0
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit
(7) Configure OSPF routing
# Configure the private network routing (OSPF 2 over the tunnel and the LAN 192.168.2.0/24).
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] quit
[Spoke2-ospf-2] quit
# Display the IPv4 private address mappings of all VAM Clients registered with the primary VAM Server.
[Primary server] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 5M 52S
0 192.168.0.2 2.2.2.2 Hub No 0H 4M 34S
0 192.168.0.3 3.3.3.3 Spoke No 0H 2M 52S
0 192.168.0.4 4.4.4.4 Spoke No 0H 1M 38S
# Display the IPv4 private address mappings of all VAM Clients registered with the secondary VAM Server.
[Secondary server] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 6M 19S
0 192.168.0.2 2.2.2.2 Hub No 0H 5M 8S
0 192.168.0.3 3.3.3.3 Spoke No 0H 3M 35S
0 192.168.0.4 4.4.4.4 Spoke No 0H 2M 27S
The output shows that Hub1, Hub2, Spoke1 and Spoke2 have all registered their address mappings with both VAM Servers.
# Display the IPv4 ADVPN tunnel information on Hub1.
[Hub1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.2 2.2.2.2 -- H-H Success 0H 6M 33S
192.168.0.3 3.3.3.3 -- H-S Success 0H 4M 50S
192.168.0.4 4.4.4.4 -- H-S Success 0H 3M 36S
The output shows that Hub1 has established permanent tunnels with Hub2 (type H-H), Spoke1 and Spoke2 (type H-S). The output on Hub2 is similar.
# Display the IPv4 ADVPN tunnel information on Spoke1.
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 5M 25S
192.168.0.2 2.2.2.2 -- S-H Success 0H 5M 25S
The output shows that Spoke1 has established permanent Hub-Spoke tunnels (type S-H) with Hub1 and Hub2. The output on Spoke2 is similar.
# On Spoke1, ping Spoke2's private network address 192.168.2.1, sourcing the packets from 192.168.1.1.
[Spoke1] ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=254 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=254 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=254 time=3.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=254 time=2.000 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/2.000/3.000/0.632 ms
# Display the IPv4 ADVPN tunnel information on Spoke1 again. No dynamic tunnel to Spoke2 has been created, so the Spoke-to-Spoke traffic was forwarded through the Hubs. This is the expected result of ospf network-type p2mp on the tunnel interfaces: the next hop of the route to 192.168.2.0/24 that Spoke1 learns over Tunnel1 is a Hub, so the packet is sent to the Hub and no Spoke-Spoke tunnel setup is triggered.
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 7M 43S
192.168.0.2 2.2.2.2 -- S-H Success 0H 7M 43S
The output on Spoke2 is similar.
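The verification above is read by eye. The following Python script is an added example, not part of the H3C document: it parses the text of display vam server address-map and display advpn session (the sample output below is copied from this page and the expected roles are the Tunnel1 addresses from the address table; both are embedded as constructed inputs) and checks the end state this example expects: every planned node registered with the right role, a Success S-H session from the Spoke to each Hub, and whether any dynamic S-S tunnel exists.

```python
"""Script the verification step: parse Comware display output and check the expected ADVPN state.

Added example, not from the H3C document. The two sample texts are copied from the
display output shown on this page; the expected roles come from the Tunnel1 addresses
in the address table. Paste the output of the same commands from a live device to
check it the same way.
"""
import re

# Constructed sample: 'display vam server address-map' as shown on this page.
ADDRESS_MAP = """\
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 5M 52S
0 192.168.0.2 2.2.2.2 Hub No 0H 4M 34S
0 192.168.0.3 3.3.3.3 Spoke No 0H 2M 52S
0 192.168.0.4 4.4.4.4 Spoke No 0H 1M 38S
"""

# Constructed sample: Spoke1's 'display advpn session' as shown on this page.
SPOKE1_SESSIONS = """\
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 7M 43S
192.168.0.2 2.2.2.2 -- S-H Success 0H 7M 43S
"""

# Planned role of every node (Tunnel1 private address -> Type as the VAM Server reports it).
EXPECTED_ROLES = {"192.168.0.1": "Hub", "192.168.0.2": "Hub",
                  "192.168.0.3": "Spoke", "192.168.0.4": "Spoke"}
HUBS = [addr for addr, role in EXPECTED_ROLES.items() if role == "Hub"]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAP_ROW = re.compile(rf"^(\d+)\s+({IPV4})\s+({IPV4})\s+(Hub|Spoke)\s+(Yes|No)\s+(.+)$")
SESSION_ROW = re.compile(rf"^({IPV4})\s+({IPV4})\s+(\S+)\s+([HS]-[HS])\s+(\S+)\s+(.+)$")


def parse_address_map(text):
    """{private address: {group, public, type, nat, holding}} from 'display vam server address-map'."""
    rows = {}
    for m in filter(None, map(MAP_ROW.match, (l.strip() for l in text.splitlines()))):
        group, private, public, typ, nat, holding = m.groups()
        rows[private] = {"group": int(group), "public": public, "type": typ,
                         "nat": nat == "Yes", "holding": holding}
    return rows


def parse_sessions(text):
    """List of {private, public, port, type, state, holding} from 'display advpn session'."""
    keys = ("private", "public", "port", "type", "state", "holding")
    return [dict(zip(keys, m.groups()))
            for m in filter(None, map(SESSION_ROW.match, (l.strip() for l in text.splitlines())))]


def check_registration(address_map, expected_roles):
    """Nodes missing from the VAM Server, registered with the wrong role, or not planned at all."""
    problems = []
    for private, role in expected_roles.items():
        entry = address_map.get(private)
        if entry is None:
            problems.append(f"{private}: not registered")
        elif entry["type"] != role:
            problems.append(f"{private}: registered as {entry['type']}, expected {role}")
    problems += [f"{p}: unexpected registration" for p in address_map if p not in expected_roles]
    return problems


def check_spoke_sessions(sessions, hub_addresses):
    """A Spoke must hold a permanent S-H session in state Success to every Hub; report anything else."""
    by_peer = {s["private"]: s for s in sessions}
    problems = []
    for hub in hub_addresses:
        s = by_peer.get(hub)
        if s is None:
            problems.append(f"no session to Hub {hub}")
        elif (s["type"], s["state"]) != ("S-H", "Success"):
            problems.append(f"session to Hub {hub} is {s['type']}/{s['state']}")
    return problems


def spoke_to_spoke_peers(sessions):
    """Private addresses behind dynamically built Spoke-Spoke (S-S) tunnels; empty when Hubs forward."""
    return [s["private"] for s in sessions if s["type"] == "S-S"]
```

Replace the two strings with the output of the same commands from a live node (or read them from a file) to re-run the checks after a change; a missing registration, a rogue client, or a session stuck outside Success shows up as a problem string instead of an empty list, and spoke_to_spoke_peers tells you whether a Spoke-Spoke tunnel was actually built for the test ping.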
Configuration file of the Primary server:
#
isis 1
is-level level-2
network-entity 49.0001.0060.0600.6006.00
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 6.6.6.6 0.0.0.0
#
mpls lsr-id 6.6.6.6
#
mpls ldp
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 5.6.1.3 255.255.255.0
isis enable 1
mpls enable
mpls ldp enable
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
Configuration file of the Secondary server:
#
isis 1
is-level level-2
network-entity 49.0001.0070.0700.7007.00
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 7.7.7.7 0.0.0.0
#
mpls lsr-id 7.7.7.7
#
mpls ldp
#
interface LoopBack0
ip address 7.7.7.7 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 5.6.1.4 255.255.255.0
isis enable 1
mpls enable
mpls ldp enable
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
Configuration file of the Router:
#
isis 1
is-level level-2
network-entity 49.0001.0050.0500.5005.00
#
ospf 1
area 0.0.0.0
network 1.5.1.0 0.0.0.3
network 2.5.1.0 0.0.0.3
network 3.5.1.0 0.0.0.3
network 5.5.5.5 0.0.0.0
network 5.6.1.0 0.0.0.255
#
mpls lsr-id 5.5.5.5
#
mpls ldp
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 1.5.1.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 2.5.1.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/3
ip address 3.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/4
ip address 4.5.1.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/5
ip address 5.6.1.1 255.255.255.0
isis enable 1
mpls enable
mpls ldp enable
#
Configuration file of Hub1:
#
isis 1
is-level level-2
network-entity 49.0001.0010.0100.1001.00
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 1.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 1.1.1.1
#
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 1.5.1.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.1 255.255.255.0
ospf cost 1
ospf network-type p2mp
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub1 password simple hub1
client enable
#
Configuration file of Hub2:
#
isis 1
is-level level-2
network-entity 49.0001.0020.0200.2002.00
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 2.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 2.2.2.2
#
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 2.5.1.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.2 255.255.255.0
ospf network-type p2mp
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub2
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub2 password simple hub2
client enable
#
Configuration file of Spoke1:
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 3.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
mpls lsr-id 3.3.3.3
#
mpls ldp
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 3.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.3 255.255.255.0
ospf network-type p2mp
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke1 password simple spoke1
client enable
#
Configuration file of Spoke2:
#
isis 1
is-level level-2
network-entity 49.0001.0040.0400.4004.00
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
mpls lsr-id 4.4.4.4
#
mpls ldp
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 4.5.1.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 192.168.2.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.4 255.255.255.0
ospf network-type p2mp
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke2
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke2 password simple spoke2
client enable
#
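The configuration files above repeat the same VAM, IKE and IPsec settings on six nodes, which is where mismatches creep in. The following Python script is an added example, not part of the H3C document: it parses Comware configuration text in the form shown above (sections delimited by # lines; the embedded samples are trimmed copies of the Primary server and Hub1 files), checks each client against the VAM Server (ADVPN domain, pre-shared key, Tunnel1 address matching a Hub address or the Spoke range of hub-group 0) and flags the weak choices of this lab: des-cbc, sha1, one IKE pre-shared key bound to 0.0.0.0/0 and secrets entered with simple. The weak-algorithm sets and the finding texts are this example's own.

```python
"""Audit the ADVPN configuration files of this example for cross-node consistency (added example)."""
import ipaddress
import re

# Constructed samples: trimmed copies of the Primary server and Hub1 configuration files above.
SERVER_CFG = """\
vam server advpn-domain abc id 1
 pre-shared-key simple 123456
 hub-group 0
  hub private-address 192.168.0.1
  hub private-address 192.168.0.2
  spoke private-address range 192.168.0.0 192.168.0.255
#
"""
HUB1_CFG = """\
interface Tunnel1 mode advpn gre
 ip address 192.168.0.1 255.255.255.0
 vam client Hub1
#
ipsec transform-set abc
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
 advpn-domain abc
 pre-shared-key simple 123456
 user hub1 password simple hub1
#
"""
WEAK_ENCRYPTION = {"des-cbc", "3des-cbc", "null"}   # this example's own list
WEAK_INTEGRITY = {"md5", "sha1"}
WILDCARD_IKE_PSK = re.compile(r"^pre-shared-key address 0\.0\.0\.0 (0|0\.0\.0\.0) key")


def sections(cfg):
    """Yield (header line, body lines) for each '#'-delimited block of a Comware configuration."""
    for chunk in re.split(r"^#$", cfg, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            yield lines[0], lines[1:]


def parse_server(cfg):
    """ADVPN domain, pre-shared key, Hub addresses and Spoke networks of the VAM Server."""
    srv = {"domain": None, "psk": None, "hubs": set(), "spoke_nets": []}
    for head, body in sections(cfg):
        if not head.startswith("vam server advpn-domain"):
            continue
        srv["domain"] = head.split()[3]
        for w in (l.split() for l in body):
            if w[0] == "pre-shared-key":
                srv["psk"] = w[-1]
            elif w[:2] == ["hub", "private-address"]:
                srv["hubs"].add(w[-1])
            elif w[:3] == ["spoke", "private-address", "network"]:   # CLI form: network A.B.C.D len
                srv["spoke_nets"].append(ipaddress.ip_network(f"{w[3]}/{w[4]}"))
            elif w[:3] == ["spoke", "private-address", "range"]:     # saved form: range first last
                srv["spoke_nets"].extend(ipaddress.summarize_address_range(
                    ipaddress.ip_address(w[3]), ipaddress.ip_address(w[4])))
    return srv


def parse_client(cfg):
    """VAM Client identity, Tunnel address and IPsec/IKE settings of one Hub or Spoke."""
    cl = {"name": None, "domain": None, "psk": None, "tunnel_ip": None, "esp": {},
          "wildcard_ike_psk": False, "plaintext_secrets": 0}
    for head, body in sections(cfg):
        kv = {l.split()[0]: l.split()[-1] for l in body}   # first word -> last word of each line
        cl["plaintext_secrets"] += sum(" simple " in f" {l} " for l in body)
        if head.startswith("interface Tunnel") and "advpn" in head:
            cl["tunnel_ip"] = next((l.split()[2] for l in body if l.startswith("ip address")), None)
        elif head.startswith("ipsec transform-set"):
            cl["esp"] = dict(l.split()[1:] for l in body if l.startswith("esp "))  # 3-word esp lines
        elif head.startswith("ike keychain"):
            cl["wildcard_ike_psk"] = any(WILDCARD_IKE_PSK.match(l) for l in body)
        elif head.startswith("vam client name"):
            cl["name"] = head.split()[-1]
            cl["domain"], cl["psk"] = kv.get("advpn-domain"), kv.get("pre-shared-key")
    return cl


def audit(server_cfg, client_cfgs):
    """One finding per disagreement with the VAM Server or weak crypto setting on a client node."""
    srv = parse_server(server_cfg)
    findings = []
    for cl in map(parse_client, client_cfgs):
        tag, ip = cl["name"] or "unnamed client", ipaddress.ip_address(cl["tunnel_ip"])
        if cl["domain"] != srv["domain"]:
            findings.append(f"{tag}: ADVPN domain {cl['domain']} differs from server domain {srv['domain']}")
        if cl["psk"] != srv["psk"]:
            findings.append(f"{tag}: VAM pre-shared key differs from the server's")
        if str(ip) not in srv["hubs"] and not any(ip in net for net in srv["spoke_nets"]):
            findings.append(f"{tag}: tunnel address {ip} is neither a Hub address nor in the Spoke range")
        if cl["esp"].get("encryption-algorithm") in WEAK_ENCRYPTION:
            findings.append(f"{tag}: ESP encryption {cl['esp']['encryption-algorithm']} is obsolete, use an AES transform")
        if cl["esp"].get("authentication-algorithm") in WEAK_INTEGRITY:
            findings.append(f"{tag}: ESP integrity {cl['esp']['authentication-algorithm']} is weak, use sha256 or stronger")
        if cl["wildcard_ike_psk"]:
            findings.append(f"{tag}: IKE pre-shared key bound to 0.0.0.0/0, any node holding it can pose as any other")
        if cl["plaintext_secrets"]:
            findings.append(f"{tag}: {cl['plaintext_secrets']} secrets entered with the simple keyword")
    return findings
```

Run audit(SERVER_CFG, [HUB1_CFG, ...]) with the saved configuration of every Hub and Spoke: on the lab files above it reports only the four crypto findings for each node, and a Spoke whose Tunnel1 address falls outside 192.168.0.0/24 or whose pre-shared key was mistyped is reported before anyone has to read VAM Server logs.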
This example was configured and verified on an F5000-AI160 running version E8371.
· Hub, Spoke, Router and Server set up LSPs dynamically through MPLS LDP, so that packets between the loopback addresses of these devices are transported over MPLS.
· In the IPv4 Full-Mesh network, the primary and secondary VAM Servers manage and maintain the information of each node; the AAA server authenticates VAM Clients and handles accounting; the two Hubs back each other up, forwarding data and exchanging routing information.
· Permanent ADVPN tunnels are established between each Spoke and the Hubs.
· Within the same ADVPN domain, any two Spokes establish an ADVPN tunnel dynamically when there is traffic between them.
Table 1-3 Interface addresses in the IPv4 Full-Mesh ADVPN over MPLS network

Device | Interface | IP address
--- | --- | ---
Hub 1 | GE1/0/1 | 1.5.1.1/30
Hub 1 | Loopback0 | 1.1.1.1/32
Hub 1 | Tunnel1 | 192.168.0.1/24
Hub 2 | GE1/0/1 | 2.5.1.1/30
Hub 2 | Loopback0 | 2.2.2.2/32
Hub 2 | Tunnel1 | 192.168.0.2/24
Router | GE1/0/1 | 1.5.1.2/30
Router | GE1/0/2 | 2.5.1.2/30
Router | GE1/0/3 | 3.5.1.2/30
Router | GE1/0/4 | 4.5.1.2/30
Router | GE1/0/5 | 5.6.1.1/24
Router | Loopback0 | 5.5.5.5/32
Spoke 1 | GE1/0/1 | 3.5.1.1/30
Spoke 1 | Loopback0 | 3.3.3.3/32
Spoke 1 | Tunnel1 | 192.168.0.3/24
Spoke 1 | GE1/0/2 | 192.168.1.1/24
Spoke 2 | GE1/0/1 | 4.5.1.1/30
Spoke 2 | Loopback0 | 4.4.4.4/32
Spoke 2 | Tunnel1 | 192.168.0.4/24
Spoke 2 | GE1/0/2 | 192.168.2.1/24
Primary server | GE1/0/1 | 5.6.1.3/24
Primary server | Loopback0 | 6.6.6.6/32
Secondary server | GE1/0/1 | 5.6.1.4/24
Secondary server | Loopback0 | 7.7.7.7/32
AAA server | - | 5.6.1.2/24
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram.
<Primary server> system-view
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] ip address 5.6.1.3 24
[Primary server-GigabitEthernet1/0/1] quit
[Primary server] interface loopback 0
[Primary server-LoopBack0] ip address 6.6.6.6 32
[Primary server-LoopBack0] quit
(2) Assign the interface to a security zone
# Assign the public-facing interface to the security zone planned in the network diagram.
[Primary server] security-zone name untrust
[Primary server-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Primary server-security-zone-Untrust] quit
(3) Configure security policies
# Configure a security policy rule named publicout so that the VAM Server can send protocol and service packets to the public network. Both rules in this step pass all traffic between the local and untrust zones; once the example works, restrict them to the protocols this node actually needs (the IGP, LDP, VAM and RADIUS).
[Primary server] security-policy ip
[Primary server-security-policy-ip] rule name publicout
[Primary server-security-policy-ip-0-publicout] source-zone local
[Primary server-security-policy-ip-0-publicout] destination-zone untrust
[Primary server-security-policy-ip-0-publicout] action pass
[Primary server-security-policy-ip-0-publicout] quit
# Configure a security policy rule named publicin so that the VAM Server can receive protocol and service packets from the public network.
[Primary server-security-policy-ip] rule name publicin
[Primary server-security-policy-ip-1-publicin] source-zone untrust
[Primary server-security-policy-ip-1-publicin] destination-zone local
[Primary server-security-policy-ip-1-publicin] action pass
[Primary server-security-policy-ip-1-publicin] quit
[Primary server-security-policy-ip] quit
(4) Configure public network OSPF routing
# Configure OSPF 1 to advertise the public network routes.
[Primary server] ospf 1
[Primary server-ospf-1] area 0
[Primary server-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0
[Primary server-ospf-1-area-0.0.0.0] network 5.6.1.3 0.0.0.255
[Primary server-ospf-1-area-0.0.0.0] quit
[Primary server-ospf-1] quit
(5) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Primary server] mpls lsr-id 6.6.6.6
[Primary server] mpls ldp
[Primary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] mpls enable
[Primary server-GigabitEthernet1/0/1] mpls ldp enable
[Primary server-GigabitEthernet1/0/1] quit
(6) Configure AAA authentication
# Configure the RADIUS scheme (RADIUS server 5.6.1.2; the shared secret 123 is a lab value).
[Primary server] radius scheme abc
[Primary server-radius-abc] primary authentication 5.6.1.2 1812
[Primary server-radius-abc] primary accounting 5.6.1.2 1813
[Primary server-radius-abc] key authentication simple 123
[Primary server-radius-abc] key accounting simple 123
[Primary server-radius-abc] user-name-format without-domain
[Primary server-radius-abc] quit
[Primary server] radius session-control enable
# Configure the AAA methods of ISP domain abc (ADVPN users are authenticated and accounted through RADIUS scheme abc) and make abc the default domain.
[Primary server] domain abc
[Primary server-isp-abc] authentication advpn radius-scheme abc
[Primary server-isp-abc] accounting advpn radius-scheme abc
[Primary server-isp-abc] quit
[Primary server] domain default enable abc
(7) Configure the VAM Server
# Create ADVPN domain abc.
[Primary server] vam server advpn-domain abc id 1
# Create Hub group 0.
[Primary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the Hubs in the Hub group.
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the Spokes in the Hub group.
[Primary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Primary server-vam-server-domain-abc-hub-group-0] quit
# Set the VAM Server pre-shared key to 123456 (must match the key on every VAM Client; 123456 is a lab placeholder).
[Primary server-vam-server-domain-abc] pre-shared-key simple 123456
# Authenticate VAM Clients with CHAP.
[Primary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM Server for this ADVPN domain.
[Primary server-vam-server-domain-abc] server enable
[Primary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram.
<Secondary server> system-view
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] ip address 5.6.1.4 24
[Secondary server-GigabitEthernet1/0/1] quit
[Secondary server] interface loopback 0
[Secondary server-LoopBack0] ip address 7.7.7.7 32
[Secondary server-LoopBack0] quit
(2) Assign the interface to a security zone
# Assign the public-facing interface to the security zone planned in the network diagram.
[Secondary server] security-zone name untrust
[Secondary server-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Secondary server-security-zone-Untrust] quit
(3) Configure security policies
# Configure a security policy rule named publicout so that the VAM Server can send protocol and service packets to the public network.
[Secondary server] security-policy ip
[Secondary server-security-policy-ip] rule name publicout
[Secondary server-security-policy-ip-0-publicout] source-zone local
[Secondary server-security-policy-ip-0-publicout] destination-zone untrust
[Secondary server-security-policy-ip-0-publicout] action pass
[Secondary server-security-policy-ip-0-publicout] quit
# Configure a security policy rule named publicin so that the VAM Server can receive protocol and service packets from the public network.
[Secondary server-security-policy-ip] rule name publicin
[Secondary server-security-policy-ip-1-publicin] source-zone untrust
[Secondary server-security-policy-ip-1-publicin] destination-zone local
[Secondary server-security-policy-ip-1-publicin] action pass
[Secondary server-security-policy-ip-1-publicin] quit
[Secondary server-security-policy-ip] quit
(4) Configure public network OSPF routing
# Configure OSPF 1 to advertise the public network routes.
[Secondary server] ospf 1
[Secondary server-ospf-1] area 0
[Secondary server-ospf-1-area-0.0.0.0] network 7.7.7.7 0.0.0.0
[Secondary server-ospf-1-area-0.0.0.0] network 5.6.1.4 0.0.0.255
[Secondary server-ospf-1-area-0.0.0.0] quit
[Secondary server-ospf-1] quit
(5) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Secondary server] mpls lsr-id 7.7.7.7
[Secondary server] mpls ldp
[Secondary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] mpls enable
[Secondary server-GigabitEthernet1/0/1] mpls ldp enable
[Secondary server-GigabitEthernet1/0/1] quit
(6) Configure AAA authentication
# Configure a RADIUS scheme.
[Secondary server] radius scheme abc
[Secondary server-radius-abc] primary authentication 5.6.1.2 1812
[Secondary server-radius-abc] primary accounting 5.6.1.2 1813
[Secondary server-radius-abc] key authentication simple 123
[Secondary server-radius-abc] key accounting simple 123
[Secondary server-radius-abc] user-name-format without-domain
[Secondary server-radius-abc] quit
[Secondary server] radius session-control enable
# Configure the AAA methods for the ISP domain.
[Secondary server] domain abc
[Secondary server-isp-abc] authentication advpn radius-scheme abc
[Secondary server-isp-abc] accounting advpn radius-scheme abc
[Secondary server-isp-abc] quit
[Secondary server] domain default enable abc
(7) Configure the VAM Server
# Create ADVPN domain abc.
[Secondary server] vam server advpn-domain abc id 1
# Create hub group 0.
[Secondary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the Hubs in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the Spokes in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Secondary server-vam-server-domain-abc-hub-group-0] quit
# Set the pre-shared key of the VAM Server to 123456.
[Secondary server-vam-server-domain-abc] pre-shared-key simple 123456
# Configure CHAP authentication for VAM Clients.
[Secondary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM Server function for this ADVPN domain.
[Secondary server-vam-server-domain-abc] server enable
[Secondary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram. The configuration steps are as follows.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 1.5.1.2 30
[Router-GigabitEthernet1/0/1] quit
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip address 2.5.1.2 30
[Router-GigabitEthernet1/0/2] quit
[Router] interface gigabitethernet 1/0/3
[Router-GigabitEthernet1/0/3] ip address 3.5.1.2 30
[Router-GigabitEthernet1/0/3] quit
[Router] interface gigabitethernet 1/0/4
[Router-GigabitEthernet1/0/4] ip address 4.5.1.2 30
[Router-GigabitEthernet1/0/4] quit
[Router] interface gigabitethernet 1/0/5
[Router-GigabitEthernet1/0/5] ip address 5.6.1.1 24
[Router-GigabitEthernet1/0/5] quit
[Router] interface loopback 0
[Router-LoopBack0] ip address 5.5.5.5 32
[Router-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Router] ospf 1
[Router-ospf-1] area 0
[Router-ospf-1-area-0.0.0.0] network 1.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 2.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 3.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 4.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 5.6.1.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Router] mpls lsr-id 5.5.5.5
[Router] mpls ldp
[Router-ldp] quit
# Enable MPLS and IPv4 LDP on the interfaces.
[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5
[Router-if-range] mpls enable
[Router-if-range] mpls ldp enable
[Router-if-range] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram. The configuration steps are as follows.
<Hub1> system-view
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] ip address 1.5.1.1 30
[Hub1-GigabitEthernet1/0/1] quit
[Hub1] interface loopback 0
[Hub1-LoopBack0] ip address 1.1.1.1 32
[Hub1-LoopBack0] quit
(2) Assign interfaces to security zones
# Assign each interface to its security zone as planned in the network diagram. The configuration steps are as follows.
[Hub1] security-zone name untrust
[Hub1-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Hub1-security-zone-Untrust] quit
(3) Configure security policies
# Configure a security policy rule named publicout so that Hub1 can send protocol and service packets to the public network. The configuration steps are as follows.
[Hub1] security-policy ip
[Hub1-security-policy-ip] rule name publicout
[Hub1-security-policy-ip-0-publicout] source-zone local
[Hub1-security-policy-ip-0-publicout] destination-zone untrust
[Hub1-security-policy-ip-0-publicout] action pass
[Hub1-security-policy-ip-0-publicout] quit
# Configure a security policy rule named publicin so that Hub1 can receive protocol and service packets from the public network. The configuration steps are as follows.
[Hub1-security-policy-ip] rule name publicin
[Hub1-security-policy-ip-1-publicin] source-zone untrust
[Hub1-security-policy-ip-1-publicin] destination-zone local
[Hub1-security-policy-ip-1-publicin] action pass
[Hub1-security-policy-ip-1-publicin] quit
# Configure a security policy rule named private so that Hub1 can forward service packets between Spokes. The configuration steps are as follows.
[Hub1-security-policy-ip] rule name private
[Hub1-security-policy-ip-2-private] source-zone untrust
[Hub1-security-policy-ip-2-private] destination-zone untrust
[Hub1-security-policy-ip-2-private] action pass
[Hub1-security-policy-ip-2-private] quit
[Hub1-security-policy-ip] quit
(4) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[Hub1-ospf-1-area-0.0.0.0] network 1.5.1.1 0.0.0.3
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit
(5) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Hub1] mpls lsr-id 1.1.1.1
[Hub1] mpls ldp
[Hub1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] mpls enable
[Hub1-GigabitEthernet1/0/1] mpls ldp enable
[Hub1-GigabitEthernet1/0/1] quit
(6) Configure the VAM Client
# Create VAM Client Hub1.
[Hub1] vam client name Hub1
# Specify ADVPN domain abc as the domain the VAM Client belongs to.
[Hub1-vam-client-Hub1] advpn-domain abc
# Set the pre-shared key of the VAM Client to 123456.
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
# Set the authentication username of the VAM Client to hub1 and the password to hub1.
[Hub1-vam-client-Hub1] user hub1 password simple hub1
# Configure the IP addresses of the VAM Servers.
[Hub1-vam-client-Hub1] server primary ip-address 6.6.6.6
[Hub1-vam-client-Hub1] server secondary ip-address 7.7.7.7
# Enable the VAM Client function.
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit
(7) Configure an IPsec profile
# Configure an IKE profile.
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# Configure an IPsec profile.
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
(8) Configure the ADVPN tunnel
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Hub1] interface tunnel 1 mode advpn gre
[Hub1-Tunnel1] ip address 192.168.0.1 24
[Hub1-Tunnel1] vam client Hub1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] source loopback 0
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] quit
(9) Configure OSPF routing
# Configure the private-network routes.
[Hub1] ospf 2
[Hub1-ospf-2] area 0
[Hub1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-2-area-0.0.0.0] quit
[Hub1-ospf-2] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram. The configuration steps are as follows.
<Hub2> system-view
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] ip address 2.5.1.1 30
[Hub2-GigabitEthernet1/0/1] quit
[Hub2] interface loopback 0
[Hub2-LoopBack0] ip address 2.2.2.2 32
[Hub2-LoopBack0] quit
(2) Assign interfaces to security zones
# Assign each interface to its security zone as planned in the network diagram. The configuration steps are as follows.
[Hub2] security-zone name untrust
[Hub2-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Hub2-security-zone-Untrust] quit
(3) Configure security policies
# Configure a security policy rule named publicout so that Hub2 can send protocol and service packets to the public network. The configuration steps are as follows.
[Hub2] security-policy ip
[Hub2-security-policy-ip] rule name publicout
[Hub2-security-policy-ip-0-publicout] source-zone local
[Hub2-security-policy-ip-0-publicout] destination-zone untrust
[Hub2-security-policy-ip-0-publicout] action pass
[Hub2-security-policy-ip-0-publicout] quit
# Configure a security policy rule named publicin so that Hub2 can receive protocol and service packets from the public network. The configuration steps are as follows.
[Hub2-security-policy-ip] rule name publicin
[Hub2-security-policy-ip-1-publicin] source-zone untrust
[Hub2-security-policy-ip-1-publicin] destination-zone local
[Hub2-security-policy-ip-1-publicin] action pass
[Hub2-security-policy-ip-1-publicin] quit
# Configure a security policy rule named private so that Hub2 can forward service packets between Spokes. The configuration steps are as follows.
[Hub2-security-policy-ip] rule name private
[Hub2-security-policy-ip-2-private] source-zone untrust
[Hub2-security-policy-ip-2-private] destination-zone untrust
[Hub2-security-policy-ip-2-private] action pass
[Hub2-security-policy-ip-2-private] quit
[Hub2-security-policy-ip] quit
(4) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[Hub2-ospf-1-area-0.0.0.0] network 2.5.1.1 0.0.0.3
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit
(5) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Hub2] mpls lsr-id 2.2.2.2
[Hub2] mpls ldp
[Hub2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] mpls enable
[Hub2-GigabitEthernet1/0/1] mpls ldp enable
[Hub2-GigabitEthernet1/0/1] quit
(6) Configure the VAM Client
# Create VAM Client Hub2.
[Hub2] vam client name Hub2
# Specify ADVPN domain abc as the domain the VAM Client belongs to.
[Hub2-vam-client-Hub2] advpn-domain abc
# Set the pre-shared key of the VAM Client to 123456.
[Hub2-vam-client-Hub2] pre-shared-key simple 123456
# Set the authentication username of the VAM Client to hub2 and the password to hub2.
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# Configure the IP addresses of the VAM Servers.
[Hub2-vam-client-Hub2] server primary ip-address 6.6.6.6
[Hub2-vam-client-Hub2] server secondary ip-address 7.7.7.7
# Enable the VAM Client function.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
(7) Configure an IPsec profile
# Configure an IKE profile.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# Configure an IPsec profile.
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
(8) Configure the ADVPN tunnel
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Hub2] interface tunnel 1 mode advpn gre
[Hub2-Tunnel1] ip address 192.168.0.2 24
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] source loopback 0
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit
(9) Configure OSPF routing
# Configure the private-network routes.
[Hub2] ospf 2
[Hub2-ospf-2] area 0
[Hub2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-2-area-0.0.0.0] quit
[Hub2-ospf-2] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram. The configuration steps are as follows.
<Spoke1> system-view
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] ip address 3.5.1.1 30
[Spoke1-GigabitEthernet1/0/1] quit
[Spoke1] interface gigabitethernet 1/0/2
[Spoke1-GigabitEthernet1/0/2] ip address 192.168.1.1 24
[Spoke1-GigabitEthernet1/0/2] quit
[Spoke1] interface loopback 0
[Spoke1-LoopBack0] ip address 3.3.3.3 32
[Spoke1-LoopBack0] quit
(2) Assign interfaces to security zones
# Assign each interface to its security zone as planned in the network diagram. The configuration steps are as follows.
[Spoke1] security-zone name untrust
[Spoke1-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Spoke1-security-zone-Untrust] quit
[Spoke1] security-zone name trust
[Spoke1-security-zone-Trust] import interface gigabitethernet 1/0/2
[Spoke1-security-zone-Trust] quit
(3) Configure security policies
# Configure a security policy rule named publicout so that Spoke1 can send protocol and service packets to the public network. The configuration steps are as follows.
[Spoke1] security-policy ip
[Spoke1-security-policy-ip] rule name publicout
[Spoke1-security-policy-ip-0-publicout] source-zone local
[Spoke1-security-policy-ip-0-publicout] destination-zone untrust
[Spoke1-security-policy-ip-0-publicout] action pass
[Spoke1-security-policy-ip-0-publicout] quit
# Configure a security policy rule named publicin so that Spoke1 can receive protocol and service packets from the public network. The configuration steps are as follows.
[Spoke1-security-policy-ip] rule name publicin
[Spoke1-security-policy-ip-1-publicin] source-zone untrust
[Spoke1-security-policy-ip-1-publicin] destination-zone local
[Spoke1-security-policy-ip-1-publicin] action pass
[Spoke1-security-policy-ip-1-publicin] quit
# Configure a security policy rule named privateout so that Spoke1 can send private-network service packets to the public network. The configuration steps are as follows.
[Spoke1-security-policy-ip] rule name privateout
[Spoke1-security-policy-ip-2-privateout] source-zone trust
[Spoke1-security-policy-ip-2-privateout] destination-zone untrust
[Spoke1-security-policy-ip-2-privateout] action pass
[Spoke1-security-policy-ip-2-privateout] quit
# Configure a security policy rule named privatein so that Spoke1 can receive private-network service packets from the public network. The configuration steps are as follows.
[Spoke1-security-policy-ip] rule name privatein
[Spoke1-security-policy-ip-3-privatein] source-zone untrust
[Spoke1-security-policy-ip-3-privatein] destination-zone trust
[Spoke1-security-policy-ip-3-privatein] action pass
[Spoke1-security-policy-ip-3-privatein] quit
[Spoke1-security-policy-ip] quit
(4) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Spoke1] ospf 1
[Spoke1-ospf-1] area 0
[Spoke1-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 3.5.1.1 0.0.0.3
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
(5) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Spoke1] mpls lsr-id 3.3.3.3
[Spoke1] mpls ldp
[Spoke1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] mpls enable
[Spoke1-GigabitEthernet1/0/1] mpls ldp enable
[Spoke1-GigabitEthernet1/0/1] quit
(6) Configure the VAM Client
# Create VAM Client Spoke1.
[Spoke1] vam client name Spoke1
# Specify ADVPN domain abc as the domain the VAM Client belongs to.
[Spoke1-vam-client-Spoke1] advpn-domain abc
# Set the pre-shared key of the VAM Client to 123456.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# Set the authentication username of the VAM Client to spoke1 and the password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Configure the IP addresses of the VAM Servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 6.6.6.6
[Spoke1-vam-client-Spoke1] server secondary ip-address 7.7.7.7
# Enable the VAM Client function.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
(7) Configure an IPsec profile
# Configure an IKE profile.
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# Configure an IPsec profile.
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
(8) Configure the ADVPN tunnel
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Spoke1] interface tunnel 1 mode advpn gre
[Spoke1-Tunnel1] ip address 192.168.0.3 24
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source loopback 0
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit
(9) Configure OSPF routing
# Configure the private-network routes.
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] quit
[Spoke1-ospf-2] quit
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram. The configuration steps are as follows.
<Spoke2> system-view
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] ip address 4.5.1.1 30
[Spoke2-GigabitEthernet1/0/1] quit
[Spoke2] interface gigabitethernet 1/0/2
[Spoke2-GigabitEthernet1/0/2] ip address 192.168.2.1 24
[Spoke2-GigabitEthernet1/0/2] quit
[Spoke2] interface loopback 0
[Spoke2-LoopBack0] ip address 4.4.4.4 32
[Spoke2-LoopBack0] quit
(2) Assign interfaces to security zones
# Assign each interface to its security zone as planned in the network diagram. The configuration steps are as follows.
[Spoke2] security-zone name untrust
[Spoke2-security-zone-Untrust] import interface gigabitethernet 1/0/1
[Spoke2-security-zone-Untrust] quit
[Spoke2] security-zone name trust
[Spoke2-security-zone-Trust] import interface gigabitethernet 1/0/2
[Spoke2-security-zone-Trust] quit
(3) Configure security policies
# Configure a security policy rule named publicout so that Spoke2 can send protocol and service packets to the public network. The configuration steps are as follows.
[Spoke2] security-policy ip
[Spoke2-security-policy-ip] rule name publicout
[Spoke2-security-policy-ip-0-publicout] source-zone local
[Spoke2-security-policy-ip-0-publicout] destination-zone untrust
[Spoke2-security-policy-ip-0-publicout] action pass
[Spoke2-security-policy-ip-0-publicout] quit
# Configure a security policy rule named publicin so that Spoke2 can receive protocol and service packets from the public network. The configuration steps are as follows.
[Spoke2-security-policy-ip] rule name publicin
[Spoke2-security-policy-ip-1-publicin] source-zone untrust
[Spoke2-security-policy-ip-1-publicin] destination-zone local
[Spoke2-security-policy-ip-1-publicin] action pass
[Spoke2-security-policy-ip-1-publicin] quit
# Configure a security policy rule named privateout so that Spoke2 can send private-network service packets to the public network. The configuration steps are as follows.
[Spoke2-security-policy-ip] rule name privateout
[Spoke2-security-policy-ip-2-privateout] source-zone trust
[Spoke2-security-policy-ip-2-privateout] destination-zone untrust
[Spoke2-security-policy-ip-2-privateout] action pass
[Spoke2-security-policy-ip-2-privateout] quit
# Configure a security policy rule named privatein so that Spoke2 can receive private-network service packets from the public network. The configuration steps are as follows.
[Spoke2-security-policy-ip] rule name privatein
[Spoke2-security-policy-ip-3-privatein] source-zone untrust
[Spoke2-security-policy-ip-3-privatein] destination-zone trust
[Spoke2-security-policy-ip-3-privatein] action pass
[Spoke2-security-policy-ip-3-privatein] quit
[Spoke2-security-policy-ip] quit
(4) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Spoke2] ospf 1
[Spoke2-ospf-1] area 0
[Spoke2-ospf-1-area-0.0.0.0] network 4.4.4.4 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 4.5.1.1 0.0.0.3
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit
(5) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Spoke2] mpls lsr-id 4.4.4.4
[Spoke2] mpls ldp
[Spoke2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] mpls enable
[Spoke2-GigabitEthernet1/0/1] mpls ldp enable
[Spoke2-GigabitEthernet1/0/1] quit
(6) Configure the VAM Client
# Create VAM Client Spoke2.
[Spoke2] vam client name Spoke2
# Specify ADVPN domain abc as the domain the VAM Client belongs to.
[Spoke2-vam-client-Spoke2] advpn-domain abc
# Set the pre-shared key of the VAM Client to 123456.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# Set the authentication username of the VAM Client to spoke2 and the password to spoke2.
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# Configure the IP addresses of the VAM Servers.
[Spoke2-vam-client-Spoke2] server primary ip-address 6.6.6.6
[Spoke2-vam-client-Spoke2] server secondary ip-address 7.7.7.7
# Enable the VAM Client function.
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
(7) Configure an IPsec profile
# Configure an IKE profile.
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# Configure an IPsec profile.
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit
(8) Configure the ADVPN tunnel
# Configure GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Spoke2] interface tunnel 1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 24
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] source loopback 0
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit
(9) Configure OSPF routing
# Configure the private-network routes.
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] quit
[Spoke2-ospf-2] quit
# Display the IPv4 private address mappings of all VAM Clients registered with the primary VAM Server.
[Primaryserver] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 10M 30S
0 192.168.0.2 2.2.2.2 Hub No 0H 10M 31S
0 192.168.0.3 3.3.3.3 Spoke No 0H 9M 27S
0 192.168.0.4 4.4.4.4 Spoke No 0H 9M 51S
# Display the IPv4 private address mappings of all VAM Clients registered with the secondary VAM Server.
[Secondaryserver] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 11M 49S
0 192.168.0.2 2.2.2.2 Hub No 0H 11M 50S
0 192.168.0.3 3.3.3.3 Spoke No 0H 10M 45S
0 192.168.0.4 4.4.4.4 Spoke No 0H 11M 10S
The output shows that Hub1, Hub2, Spoke1, and Spoke2 have all registered their address mappings with the VAM Servers.
# Display the IPv4 ADVPN tunnel information on Hub1.
[Hub1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.2 2.2.2.2 -- H-H Success 0H 12M 23S
192.168.0.3 3.3.3.3 -- H-S Success 0H 11M 19S
192.168.0.4 4.4.4.4 -- H-S Success 0H 11M 44S
The output shows that Hub1 has established permanent tunnels with Hub2, Spoke1, and Spoke2. The output on Hub2 is similar.
# Display the IPv4 ADVPN tunnel information on Spoke1.
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 11M 0S
192.168.0.2 2.2.2.2 -- S-H Success 0H 11M 0S
The output shows that Spoke1 has established permanent Hub-Spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar.
# On Spoke1, ping the private-network address 192.168.2.1 of Spoke2.
[Spoke1] ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=255 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=255 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.400/2.000/0.490 ms
# Display the IPv4 ADVPN tunnel information on Spoke1 again. A temporary IPv4 ADVPN tunnel to Spoke2 has now been established.
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 12M 44S
192.168.0.2 2.2.2.2 -- S-H Success 0H 12M 44S
192.168.0.4 4.4.4.4 -- S-S Success 0H 1M 0S
The output shows that Spoke1 has established permanent Hub-Spoke tunnels with Hub1 and Hub2, and a temporary Spoke-Spoke tunnel with Spoke2. The output on Spoke2 is similar.
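The registration and session checks above are done by eye; the following added example (not part of the H3C guide and not an H3C tool) parses the text of `display vam server address-map` and `display advpn session` in the format shown and compares it with the planned topology: two Hubs at 192.168.0.1 and 192.168.0.2, Spokes inside 192.168.0.0/24, and every session in state Success. The sample output embedded below is constructed to match the guide's verification output.

```python
"""Check ADVPN registrations and tunnel sessions from H3C display output.

Added example, not from the H3C guide. Parses the text of
`display vam server address-map` and `display advpn session` and
compares it with the planned Full-Mesh topology.
"""
import ipaddress
import re
from dataclasses import dataclass

# Planned topology taken from the guide: two hubs, spokes in 192.168.0.0/24.
EXPECTED_HUBS = {"192.168.0.1", "192.168.0.2"}
SPOKE_NETWORK = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample output, shaped like the guide's verification output.
ADDRESS_MAP_OUTPUT = """\
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 10M 30S
0 192.168.0.2 2.2.2.2 Hub No 0H 10M 31S
0 192.168.0.3 3.3.3.3 Spoke No 0H 9M 27S
0 192.168.0.4 4.4.4.4 Spoke No 0H 9M 51S
"""

SESSION_OUTPUT = """\
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 12M 44S
192.168.0.2 2.2.2.2 -- S-H Success 0H 12M 44S
192.168.0.4 4.4.4.4 -- S-S Success 0H 1M 0S
"""


@dataclass
class Mapping:
    group: int
    private: str
    public: str
    kind: str   # "Hub" or "Spoke"
    nat: bool


MAPPING_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(Hub|Spoke)\s+(Yes|No)\s")
SESSION_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([HS]-[HS])\s+(\w+)\s")
COUNT_RE = re.compile(r"^(?:Total private address mappings|Number of sessions):\s*(\d+)")


def parse_address_map(text):
    """Return (declared count, list of Mapping) from address-map output."""
    count, mappings = None, []
    for line in text.splitlines():
        line = line.strip()
        c = COUNT_RE.match(line)
        if c:
            count = int(c[1])
            continue
        m = MAPPING_RE.match(line)
        if m:
            mappings.append(Mapping(int(m[1]), m[2], m[3], m[4], m[5] == "Yes"))
    return count, mappings


def parse_sessions(text):
    """Return (declared count, list of session dicts) from session output."""
    count, sessions = None, []
    for line in text.splitlines():
        line = line.strip()
        c = COUNT_RE.match(line)
        if c:
            count = int(c[1])
            continue
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"private": m[1], "public": m[2],
                             "type": m[4], "state": m[5]})
    return count, sessions


def check_address_map(text, expected_hubs=EXPECTED_HUBS, spoke_network=SPOKE_NETWORK):
    """Return a list of problems; empty means the VAM Server view matches the plan."""
    count, mappings = parse_address_map(text)
    problems = []
    if count is not None and count != len(mappings):
        problems.append(f"declared {count} mappings but parsed {len(mappings)}")
    hubs = {m.private for m in mappings if m.kind == "Hub"}
    if hubs != expected_hubs:
        problems.append(f"hubs {sorted(hubs)} differ from planned {sorted(expected_hubs)}")
    seen = {}   # private address -> public address that registered it
    for m in mappings:
        if m.kind == "Spoke" and (m.private in expected_hubs
                                  or ipaddress.ip_address(m.private) not in spoke_network):
            problems.append(f"spoke {m.private} outside the planned spoke range")
        if m.private in seen and seen[m.private] != m.public:
            problems.append(f"{m.private} registered from both {seen[m.private]} and {m.public}")
        seen.setdefault(m.private, m.public)
    return problems


def check_sessions(text, required_peers):
    """Report required peers without a Success session and sessions in any other state."""
    count, sessions = parse_sessions(text)
    problems = []
    if count is not None and count != len(sessions):
        problems.append(f"declared {count} sessions but parsed {len(sessions)}")
    up = {s["private"] for s in sessions if s["state"] == "Success"}
    for peer in sorted(set(required_peers) - up):
        problems.append(f"no Success session to {peer}")
    for s in sessions:
        if s["state"] != "Success":
            problems.append(f"session to {s['private']} ({s['type']}) in state {s['state']}")
    return problems


if __name__ == "__main__":
    print("address map:", check_address_map(ADDRESS_MAP_OUTPUT) or "OK")
    print("spoke sessions:", check_sessions(SESSION_OUTPUT, EXPECTED_HUBS) or "OK")
```

For a Hub, pass the other Hub and every Spoke as `required_peers`; for a Spoke, the two Hubs are the only permanent peers, so a Spoke-Spoke session that is absent is not a problem.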
· Primary server:
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 6.6.6.6 0.0.0.0
#
mpls lsr-id 6.6.6.6
#
mpls ldp
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 5.6.1.3 255.255.255.0
mpls enable
mpls ldp enable
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
security-policy ip
rule 0 name publicout
action pass
source-zone local
destination-zone untrust
rule 1 name publicin
action pass
source-zone untrust
destination-zone local
#
· Secondary server:
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 7.7.7.7 0.0.0.0
#
mpls lsr-id 7.7.7.7
#
mpls ldp
#
interface LoopBack0
ip address 7.7.7.7 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 5.6.1.4 255.255.255.0
mpls enable
mpls ldp enable
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
security-policy ip
rule 0 name publicout
action pass
source-zone local
destination-zone untrust
rule 1 name publicin
action pass
source-zone untrust
destination-zone local
#
· Router:
#
ospf 1
area 0.0.0.0
network 1.5.1.0 0.0.0.3
network 2.5.1.0 0.0.0.3
network 3.5.1.0 0.0.0.3
network 4.5.1.0 0.0.0.3
network 5.5.5.5 0.0.0.0
network 5.6.1.0 0.0.0.255
#
mpls lsr-id 5.5.5.5
#
mpls ldp
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 1.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 2.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/3
ip address 3.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/4
ip address 4.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/5
ip address 5.6.1.1 255.255.255.0
mpls enable
mpls ldp enable
#
· Hub1:
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 1.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 1.1.1.1
#
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 1.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.1 255.255.255.0
ospf network-type broadcast
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub1
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub1 password simple hub1
client enable
#
security-policy ip
rule 0 name publicout
action pass
source-zone local
destination-zone untrust
rule 1 name publicin
action pass
source-zone untrust
destination-zone local
rule 2 name private
action pass
source-zone untrust
destination-zone untrust
#
· Hub2:
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 2.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 2.2.2.2
#
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 2.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.2 255.255.255.0
ospf network-type broadcast
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub2 password simple hub2
client enable
#
security-policy ip
rule 0 name publicout
action pass
source-zone local
destination-zone untrust
rule 1 name publicin
action pass
source-zone untrust
destination-zone local
rule 2 name private
action pass
source-zone untrust
destination-zone untrust
#
· Spoke1:
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 3.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
mpls lsr-id 3.3.3.3
#
mpls ldp
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 3.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.3 255.255.255.0
ospf network-type broadcast
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke1
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke1 password simple spoke1
client enable
#
security-policy ip
rule 0 name publicout
action pass
source-zone local
destination-zone untrust
rule 1 name publicin
action pass
source-zone untrust
destination-zone local
rule 2 name privateout
action pass
source-zone trust
destination-zone untrust
rule 3 name privatein
action pass
source-zone untrust
destination-zone trust
#
· Spoke2:
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 4.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
mpls lsr-id 4.4.4.4
#
mpls ldp
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 4.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 192.168.2.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.4 255.255.255.0
ospf network-type broadcast
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke2
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke2 password simple spoke2
client enable
#
security-policy ip
rule 0 name publicout
action pass
source-zone local
destination-zone untrust
rule 1 name publicin
action pass
source-zone untrust
destination-zone local
rule 2 name privateout
action pass
source-zone trust
destination-zone untrust
rule 3 name privatein
action pass
source-zone untrust
destination-zone trust
#
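Configuration files like the ones above are where a reviewer catches drift between the step-by-step procedure and what the device actually holds. The following added example (not part of the H3C guide and not an H3C tool) splits a Comware configuration file into its `#`-separated sections and reports three things: a security-policy rule with no explicit `action` (every rule in the procedure is configured with `action pass`), an ESP encryption algorithm outside an allowed set (the allowed set is an assumed local policy, not an H3C default), and an interface whose configured mask differs from the address plan. The sample configuration it runs on is constructed, shaped like the Router's file, and seeded with one instance of each finding.

```python
"""Lint H3C running-config snippets for drift from the documented plan.

Added example, not H3C tooling. Sections are separated by a line holding
only '#', as in the configuration files listed in the guide.
"""
import ipaddress
import re

# Assumed local policy for ESP ciphers; adjust to your own standard.
ALLOWED_ESP = {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256"}

# Planned Router addresses, taken from the guide's address table.
ROUTER_PLAN = {
    "GigabitEthernet1/0/1": "1.5.1.2/30",
    "GigabitEthernet1/0/5": "5.6.1.1/24",
    "LoopBack0": "5.5.5.5/32",
}

# Constructed sample: wrong mask on GE1/0/5, des-cbc, and a rule without action.
SAMPLE_CONFIG = """\
#
interface LoopBack0
 ip address 5.5.5.5 255.255.255.255
#
interface GigabitEthernet1/0/5
 ip address 5.6.1.1 255.255.255.252
 mpls enable
 mpls ldp enable
#
ipsec transform-set abc
 encapsulation-mode transport
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
security-policy ip
 rule 0 name publicout
  source-zone local
  destination-zone untrust
 rule 1 name publicin
  action pass
  source-zone untrust
  destination-zone local
#
"""

RULE_RE = re.compile(r"^rule\s+(\d+)\s+name\s+(\S+)$")
ADDR_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)$")


def split_sections(text):
    """Split a Comware config into sections; a line holding only '#' separates them."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()          # indentation is irrelevant to the checks below
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def parse_rules(section):
    """Return the rules of a security-policy section; action is None when absent."""
    rules = []
    for line in section[1:]:
        m = RULE_RE.match(line)
        if m:
            rules.append({"id": m[1], "name": m[2], "action": None})
        elif line.startswith("action ") and rules:
            rules[-1]["action"] = line.split(None, 1)[1]
    return rules


def lint_config(text, plan):
    """Return a list of findings (strings) for one device configuration."""
    findings = []
    for section in split_sections(text):
        head = section[0]
        if head == "security-policy ip":
            for r in parse_rules(section):
                if r["action"] is None:
                    findings.append(f"rule {r['id']} name {r['name']}: no action configured")
        elif head.startswith("ipsec transform-set "):
            for line in section[1:]:
                if line.startswith("esp encryption-algorithm "):
                    alg = line.split()[-1]
                    if alg not in ALLOWED_ESP:
                        findings.append(f"{head}: esp encryption-algorithm {alg} not allowed")
        elif head.startswith("interface "):
            name = head.split()[1]          # drops "mode advpn gre" on tunnel interfaces
            for line in section[1:]:
                m = ADDR_RE.match(line)
                if m and name in plan:
                    actual = ipaddress.ip_interface(f"{m[1]}/{m[2]}")   # dotted mask accepted
                    planned = ipaddress.ip_interface(plan[name])
                    if actual != planned:
                        findings.append(f"interface {name}: {actual.with_prefixlen} "
                                        f"differs from planned {planned.with_prefixlen}")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG, ROUTER_PLAN):
        print(finding)
```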
This example was configured and verified on an F5000-AI160 running version E8371.
· Hub, Spoke, Router, and Server devices dynamically establish LSPs through MPLS LDP, so that traffic between their loopback addresses is transported over MPLS.
· In the IPv4 Hub-Spoke network, data is forwarded over Hub-Spoke tunnels. The primary and secondary VAM Servers manage and maintain the information of each node; the AAA server authenticates the VAM Clients and manages accounting; the two Hubs back each other up and are responsible for data forwarding and routing information exchange.
· Permanent ADVPN tunnels are established between Spokes and Hubs.
Table 1-4 IPv4 Hub-Spoke ADVPN over MPLS network diagram
| Device | Interface | IP address | Device | Interface | IP address |
|---|---|---|---|---|---|
| Hub 1 | GE1/0/1 | 1.5.1.1/30 | Spoke 1 | GE1/0/1 | 3.5.1.1/30 |
| | Loopback0 | 1.1.1.1/32 | | Loopback0 | 3.3.3.3/32 |
| | Tunnel1 | 192.168.0.1/24 | | Tunnel1 | 192.168.0.3/24 |
| Hub 2 | GE1/0/1 | 2.5.1.1/30 | | GE1/0/2 | 192.168.1.1/24 |
| | Loopback0 | 2.2.2.2/32 | Spoke 2 | GE1/0/1 | 4.5.1.1/30 |
| | Tunnel1 | 192.168.0.2/24 | | Loopback0 | 4.4.4.4/32 |
| Router | GE1/0/1 | 1.5.1.2/30 | | Tunnel1 | 192.168.0.4/24 |
| | GE1/0/2 | 2.5.1.2/30 | | GE1/0/2 | 192.168.2.1/24 |
| | GE1/0/3 | 3.5.1.2/30 | Primary server | GE1/0/1 | 5.6.1.3/24 |
| | GE1/0/4 | 4.5.1.2/30 | | Loopback0 | 6.6.6.6/32 |
| | GE1/0/5 | 5.6.1.1/24 | Secondary server | GE1/0/1 | 5.6.1.4/24 |
| | Loopback0 | 5.5.5.5/32 | | Loopback0 | 7.7.7.7/32 |
| AAA server | | 5.6.1.2/24 | | | |
(1) Configure interface IP addresses
# Configure the IP address of each interface as planned in the network diagram. The configuration steps are as follows.
<Primary server> system-view
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] ip address 5.6.1.3 24
[Primary server-GigabitEthernet1/0/1] quit
[Primary server] interface loopback 0
[Primary server-LoopBack0] ip address 6.6.6.6 32
[Primary server-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Primary server] ospf 1
[Primary server-ospf-1] area 0
[Primary server-ospf-1-area-0.0.0.0] network 6.6.6.6 0.0.0.0
[Primary server-ospf-1-area-0.0.0.0] network 5.6.1.3 0.0.0.255
[Primary server-ospf-1-area-0.0.0.0] quit
[Primary server-ospf-1] quit
(3) Configure public-network IS-IS routing
# Configure IS-IS to advertise the public-network routes.
[Primary server] isis 1
[Primary server-isis-1] network-entity 49.0001.0060.0600.6006.00
[Primary server-isis-1] is-level level-2
[Primary server-isis-1] quit
[Primary server] interface range gigabitethernet 1/0/1 loopback 0
[Primary server-if-range] isis enable 1
[Primary server-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Primary server] mpls lsr-id 6.6.6.6
[Primary server] mpls ldp
[Primary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Primary server] interface gigabitethernet 1/0/1
[Primary server-GigabitEthernet1/0/1] mpls enable
[Primary server-GigabitEthernet1/0/1] mpls ldp enable
[Primary server-GigabitEthernet1/0/1] quit
(5) Configure AAA authentication
# Configure a RADIUS scheme.
[Primary server] radius scheme abc
[Primary server-radius-abc] primary authentication 5.6.1.2 1812
[Primary server-radius-abc] primary accounting 5.6.1.2 1813
[Primary server-radius-abc] key authentication simple 123
[Primary server-radius-abc] key accounting simple 123
[Primary server-radius-abc] user-name-format without-domain
[Primary server-radius-abc] quit
[Primary server] radius session-control enable
# Configure the AAA methods for the ISP domain.
[Primary server] domain abc
[Primary server-isp-abc] authentication advpn radius-scheme abc
[Primary server-isp-abc] accounting advpn radius-scheme abc
[Primary server-isp-abc] quit
[Primary server] domain default enable abc
(6) Configure the VAM Server
# Create ADVPN domain abc.
[Primary server] vam server advpn-domain abc id 1
# Create hub group 0.
[Primary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the Hubs in the hub group.
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Primary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the Spokes in the hub group.
[Primary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Primary server-vam-server-domain-abc-hub-group-0] quit
# Set the VAM Server pre-shared key to 123456.
[Primary server-vam-server-domain-abc] pre-shared-key simple 123456
# Use CHAP to authenticate VAM Clients.
[Primary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM Server for this ADVPN domain.
[Primary server-vam-server-domain-abc] server enable
[Primary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Assign the IP addresses planned in the network diagram to each interface as follows.
<Secondary server> system-view
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] ip address 5.6.1.4 24
[Secondary server-GigabitEthernet1/0/1] quit
[Secondary server] interface loopback 0
[Secondary server-LoopBack0] ip address 7.7.7.7 32
[Secondary server-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Secondary server] ospf 1
[Secondary server-ospf-1] area 0
[Secondary server-ospf-1-area-0.0.0.0] network 7.7.7.7 0.0.0.0
[Secondary server-ospf-1-area-0.0.0.0] network 5.6.1.4 0.0.0.255
[Secondary server-ospf-1-area-0.0.0.0] quit
[Secondary server-ospf-1] quit
(3) Configure public-network IS-IS routing
# Configure IS-IS to advertise the public-network routes.
[Secondary server] isis 1
[Secondary server-isis-1] network-entity 49.0001.0070.0700.7007.00
[Secondary server-isis-1] is-level level-2
[Secondary server-isis-1] quit
[Secondary server] interface range gigabitethernet 1/0/1 loopback 0
[Secondary server-if-range] isis enable 1
[Secondary server-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Secondary server] mpls lsr-id 7.7.7.7
[Secondary server] mpls ldp
[Secondary server-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Secondary server] interface gigabitethernet 1/0/1
[Secondary server-GigabitEthernet1/0/1] mpls enable
[Secondary server-GigabitEthernet1/0/1] mpls ldp enable
[Secondary server-GigabitEthernet1/0/1] quit
(5) Configure AAA authentication
# Configure a RADIUS scheme.
[Secondary server] radius scheme abc
[Secondary server-radius-abc] primary authentication 5.6.1.2 1812
[Secondary server-radius-abc] primary accounting 5.6.1.2 1813
[Secondary server-radius-abc] key authentication simple 123
[Secondary server-radius-abc] key accounting simple 123
[Secondary server-radius-abc] user-name-format without-domain
[Secondary server-radius-abc] quit
[Secondary server] radius session-control enable
# Configure the AAA methods for the ISP domain.
[Secondary server] domain abc
[Secondary server-isp-abc] authentication advpn radius-scheme abc
[Secondary server-isp-abc] accounting advpn radius-scheme abc
[Secondary server-isp-abc] quit
[Secondary server] domain default enable abc
(6) Configure the VAM Server
# Create ADVPN domain abc.
[Secondary server] vam server advpn-domain abc id 1
# Create hub group 0.
[Secondary server-vam-server-domain-abc] hub-group 0
# Specify the IPv4 private addresses of the Hubs in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[Secondary server-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# Specify the IPv4 private address range of the Spokes in the hub group.
[Secondary server-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 24
[Secondary server-vam-server-domain-abc-hub-group-0] quit
# Set the VAM Server pre-shared key to 123456.
[Secondary server-vam-server-domain-abc] pre-shared-key simple 123456
# Use CHAP to authenticate VAM Clients.
[Secondary server-vam-server-domain-abc] authentication-method chap
# Enable the VAM Server for this ADVPN domain.
[Secondary server-vam-server-domain-abc] server enable
[Secondary server-vam-server-domain-abc] quit
(1) Configure interface IP addresses
# Assign the IP addresses planned in the network diagram to each interface as follows.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 1.5.1.2 30
[Router-GigabitEthernet1/0/1] quit
[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] ip address 2.5.1.2 30
[Router-GigabitEthernet1/0/2] quit
[Router] interface gigabitethernet 1/0/3
[Router-GigabitEthernet1/0/3] ip address 3.5.1.2 30
[Router-GigabitEthernet1/0/3] quit
[Router] interface gigabitethernet 1/0/4
[Router-GigabitEthernet1/0/4] ip address 4.5.1.2 30
[Router-GigabitEthernet1/0/4] quit
[Router] interface gigabitethernet 1/0/5
[Router-GigabitEthernet1/0/5] ip address 5.6.1.1 24
[Router-GigabitEthernet1/0/5] quit
[Router] interface loopback 0
[Router-LoopBack0] ip address 5.5.5.5 32
[Router-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Router] ospf 1
[Router-ospf-1] area 0
[Router-ospf-1-area-0.0.0.0] network 1.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 2.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 3.5.1.0 0.0.0.3
[Router-ospf-1-area-0.0.0.0] network 5.6.1.0 0.0.0.255
[Router-ospf-1-area-0.0.0.0] network 5.5.5.5 0.0.0.0
[Router-ospf-1-area-0.0.0.0] quit
[Router-ospf-1] quit
(3) Configure public-network IS-IS routing
# Configure IS-IS to advertise the public-network routes.
[Router] isis 1
[Router-isis-1] network-entity 49.0001.0050.0500.5005.00
[Router-isis-1] is-level level-2
[Router-isis-1] quit
[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/4 gigabitethernet 1/0/5 loopback 0
[Router-if-range] isis enable 1
[Router-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Router] mpls lsr-id 5.5.5.5
[Router] mpls ldp
[Router-ldp] quit
# Enable MPLS and IPv4 LDP on the interfaces.
[Router] interface range gigabitethernet 1/0/1 gigabitethernet 1/0/2 gigabitethernet 1/0/3 gigabitethernet 1/0/4 gigabitethernet 1/0/5
[Router-if-range] mpls enable
[Router-if-range] mpls ldp enable
[Router-if-range] quit
(1) Configure interface IP addresses
# Assign the IP addresses planned in the network diagram to each interface as follows.
<Hub1> system-view
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] ip address 1.5.1.1 30
[Hub1-GigabitEthernet1/0/1] quit
[Hub1] interface loopback 0
[Hub1-LoopBack0] ip address 1.1.1.1 32
[Hub1-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[Hub1-ospf-1-area-0.0.0.0] network 1.5.1.1 0.0.0.3
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit
(3) Configure public-network IS-IS routing
# Configure IS-IS to advertise the public-network routes.
[Hub1] isis 1
[Hub1-isis-1] network-entity 49.0001.0010.0100.1001.00
[Hub1-isis-1] is-level level-2
[Hub1-isis-1] quit
[Hub1] interface range gigabitethernet 1/0/1 loopback 0
[Hub1-if-range] isis enable 1
[Hub1-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Hub1] mpls lsr-id 1.1.1.1
[Hub1] mpls ldp
[Hub1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub1] interface gigabitethernet 1/0/1
[Hub1-GigabitEthernet1/0/1] mpls enable
[Hub1-GigabitEthernet1/0/1] mpls ldp enable
[Hub1-GigabitEthernet1/0/1] quit
(5) Configure the VAM Client
# Create VAM Client Hub1.
[Hub1] vam client name Hub1
# Assign the VAM Client to ADVPN domain abc.
[Hub1-vam-client-Hub1] advpn-domain abc
# Set the VAM Client pre-shared key to 123456.
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
# Set the VAM Client authentication username to hub1 and the password to hub1.
[Hub1-vam-client-Hub1] user hub1 password simple hub1
# Specify the IP addresses of the VAM Servers.
[Hub1-vam-client-Hub1] server primary ip-address 6.6.6.6
[Hub1-vam-client-Hub1] server secondary ip-address 7.7.7.7
# Enable the VAM Client.
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit
(6) Configure the IPsec profile
# Configure the IKE profile.
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# Configure the IPsec profile.
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
(7) Configure the ADVPN tunnel
# Configure the GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Hub1] interface tunnel 1 mode advpn gre
[Hub1-Tunnel1] ip address 192.168.0.1 24
[Hub1-Tunnel1] vam client Hub1
[Hub1-Tunnel1] ospf network-type p2mp
[Hub1-Tunnel1] source loopback 0
[Hub1-Tunnel1] tunnel protection ipsec profile abc
# Set the OSPF 2 (private-network) cost of Hub1's tunnel interface to 1, so that the forward and return paths of traffic between Spokes do not differ.
[Hub1-Tunnel1] ospf cost 1
[Hub1-Tunnel1] quit
(8) Configure OSPF routing
# Configure the private-network routes.
[Hub1] ospf 2
[Hub1-ospf-2] area 0
[Hub1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-2-area-0.0.0.0] quit
[Hub1-ospf-2] quit
(1) Configure interface IP addresses
# Assign the IP addresses planned in the network diagram to each interface as follows.
<Hub2> system-view
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] ip address 2.5.1.1 30
[Hub2-GigabitEthernet1/0/1] quit
[Hub2] interface loopback 0
[Hub2-LoopBack0] ip address 2.2.2.2 32
[Hub2-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[Hub2-ospf-1-area-0.0.0.0] network 2.5.1.1 0.0.0.3
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit
(3) Configure public-network IS-IS routing
# Configure IS-IS to advertise the public-network routes.
[Hub2] isis 1
[Hub2-isis-1] network-entity 49.0001.0020.0200.2002.00
[Hub2-isis-1] is-level level-2
[Hub2-isis-1] quit
[Hub2] interface range gigabitethernet 1/0/1 loopback 0
[Hub2-if-range] isis enable 1
[Hub2-if-range] quit
(4) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Hub2] mpls lsr-id 2.2.2.2
[Hub2] mpls ldp
[Hub2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Hub2] interface gigabitethernet 1/0/1
[Hub2-GigabitEthernet1/0/1] mpls enable
[Hub2-GigabitEthernet1/0/1] mpls ldp enable
[Hub2-GigabitEthernet1/0/1] quit
(5) Configure the VAM Client
# Create VAM Client Hub2.
[Hub2] vam client name Hub2
# Assign the VAM Client to ADVPN domain abc.
[Hub2-vam-client-Hub2] advpn-domain abc
# Set the VAM Client pre-shared key to 123456.
[Hub2-vam-client-Hub2] pre-shared-key simple 123456
# Set the VAM Client authentication username to hub2 and the password to hub2.
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# Specify the IP addresses of the VAM Servers.
[Hub2-vam-client-Hub2] server primary ip-address 6.6.6.6
[Hub2-vam-client-Hub2] server secondary ip-address 7.7.7.7
# Enable the VAM Client.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
(6) Configure the IPsec profile
# Configure the IKE profile.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# Configure the IPsec profile.
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
(7) Configure the ADVPN tunnel
# Configure the GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Hub2] interface tunnel 1 mode advpn gre
[Hub2-Tunnel1] ip address 192.168.0.2 24
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type p2mp
[Hub2-Tunnel1] source loopback 0
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit
(8) Configure OSPF routing
# Configure the private-network routes.
[Hub2] ospf 2
[Hub2-ospf-2] area 0
[Hub2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-2-area-0.0.0.0] quit
[Hub2-ospf-2] quit
(1) Configure interface IP addresses
# Assign the IP addresses planned in the network diagram to each interface as follows.
<Spoke1> system-view
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] ip address 3.5.1.1 30
[Spoke1-GigabitEthernet1/0/1] quit
[Spoke1] interface gigabitethernet 1/0/2
[Spoke1-GigabitEthernet1/0/2] ip address 192.168.1.1 24
[Spoke1-GigabitEthernet1/0/2] quit
[Spoke1] interface loopback 0
[Spoke1-LoopBack0] ip address 3.3.3.3 32
[Spoke1-LoopBack0] quit
(2) Configure public-network OSPF routing
# Configure OSPF process 1 to advertise the public-network routes.
[Spoke1] ospf 1
[Spoke1-ospf-1] area 0
[Spoke1-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 3.5.1.1 0.0.0.3
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Spoke1] mpls lsr-id 3.3.3.3
[Spoke1] mpls ldp
[Spoke1-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke1] interface gigabitethernet 1/0/1
[Spoke1-GigabitEthernet1/0/1] mpls enable
[Spoke1-GigabitEthernet1/0/1] mpls ldp enable
[Spoke1-GigabitEthernet1/0/1] quit
(4) Configure the VAM Client
# Create VAM Client Spoke1.
[Spoke1] vam client name Spoke1
# Assign the VAM Client to ADVPN domain abc.
[Spoke1-vam-client-Spoke1] advpn-domain abc
# Set the VAM Client pre-shared key to 123456.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# Set the VAM Client authentication username to spoke1 and the password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Specify the IP addresses of the VAM Servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 6.6.6.6
[Spoke1-vam-client-Spoke1] server secondary ip-address 7.7.7.7
# Enable the VAM Client.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
(5) Configure the IPsec profile
# Configure the IKE profile.
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# Configure the IPsec profile.
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure the GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Spoke1] interface tunnel 1 mode advpn gre
[Spoke1-Tunnel1] ip address 192.168.0.3 24
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type p2mp
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source loopback 0
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit
(7) Configure OSPF routing
# Configure the private-network routes.
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.0] quit
[Spoke1-ospf-2] quit
(1) Configure interface IP addresses
# Assign the IP addresses planned in the network diagram to each interface as follows.
<Spoke2> system-view
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] ip address 4.5.1.1 30
[Spoke2-GigabitEthernet1/0/1] quit
[Spoke2] interface gigabitethernet 1/0/2
[Spoke2-GigabitEthernet1/0/2] ip address 192.168.2.1 24
[Spoke2-GigabitEthernet1/0/2] quit
[Spoke2] interface loopback 0
[Spoke2-LoopBack0] ip address 4.4.4.4 32
[Spoke2-LoopBack0] quit
(2) Configure public-network IS-IS routing
# Configure IS-IS to advertise the public-network routes.
[Spoke2] isis 1
[Spoke2-isis-1] network-entity 49.0001.0040.0400.4004.00
[Spoke2-isis-1] is-level level-2
[Spoke2-isis-1] quit
[Spoke2] interface range gigabitethernet 1/0/1 loopback 0
[Spoke2-if-range] isis enable 1
[Spoke2-if-range] quit
(3) Enable MPLS and LDP
# Configure the LSR ID of this node and enable LDP globally.
[Spoke2] mpls lsr-id 4.4.4.4
[Spoke2] mpls ldp
[Spoke2-ldp] quit
# Enable MPLS and IPv4 LDP on the interface.
[Spoke2] interface gigabitethernet 1/0/1
[Spoke2-GigabitEthernet1/0/1] mpls enable
[Spoke2-GigabitEthernet1/0/1] mpls ldp enable
[Spoke2-GigabitEthernet1/0/1] quit
(4) Configure the VAM Client
# Create VAM Client Spoke2.
[Spoke2] vam client name Spoke2
# Assign the VAM Client to ADVPN domain abc.
[Spoke2-vam-client-Spoke2] advpn-domain abc
# Set the VAM Client pre-shared key to 123456.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# Set the VAM Client authentication username to spoke2 and the password to spoke2.
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# Specify the IP addresses of the VAM Servers.
[Spoke2-vam-client-Spoke2] server primary ip-address 6.6.6.6
[Spoke2-vam-client-Spoke2] server secondary ip-address 7.7.7.7
# Enable the VAM Client.
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
(5) Configure the IPsec profile
# Configure the IKE profile.
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# Configure the IPsec profile.
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit
(6) Configure the ADVPN tunnel
# Configure the GRE-encapsulated IPv4 ADVPN tunnel interface Tunnel1.
[Spoke2] interface tunnel 1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 24
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type p2mp
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] source loopback 0
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit
(7) Configure OSPF routing
# Configure the private-network routes.
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.0] quit
[Spoke2-ospf-2] quit
# Display the IPv4 private address mappings of all VAM Clients registered with the primary VAM Server.
[Primaryserver]display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 5M 52S
0 192.168.0.2 2.2.2.2 Hub No 0H 4M 34S
0 192.168.0.3 3.3.3.3 Spoke No 0H 2M 52S
0 192.168.0.4 4.4.4.4 Spoke No 0H 1M 38S
# Display the IPv4 private address mappings of all VAM Clients registered with the secondary VAM Server.
[Secondaryserver]display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.1.1.1 Hub No 0H 6M 19S
0 192.168.0.2 2.2.2.2 Hub No 0H 5M 8S
0 192.168.0.3 3.3.3.3 Spoke No 0H 3M 35S
0 192.168.0.4 4.4.4.4 Spoke No 0H 2M 27S
The output shows that Hub1, Hub2, Spoke1, and Spoke2 have all registered their address mapping information with the VAM Servers.
# Display IPv4 ADVPN tunnel information on Hub1.
[Hub1]display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.2 2.2.2.2 -- H-H Success 0H 6M 33S
192.168.0.3 3.3.3.3 -- H-S Success 0H 4M 50S
192.168.0.4 4.4.4.4 -- H-S Success 0H 3M 36S
The output shows that Hub1 has established permanent tunnels with Hub2, Spoke1, and Spoke2. The output on Hub2 is similar to that on Hub1.
# Display IPv4 ADVPN tunnel information on Spoke1.
[Spoke1]display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 5M 25S
192.168.0.2 2.2.2.2 -- S-H Success 0H 5M 25S
The output shows that Spoke1 has established permanent Hub-Spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar to that on Spoke1.
# On Spoke1, ping the private-network address 192.168.2.1 of Spoke2.
[Spoke1]ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL_C to break
56 bytes from 192.168.2.1: icmp_seq=0 ttl=254 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=1.000 ms
56 bytes from 192.168.2.1: icmp_seq=2 ttl=254 time=2.000 ms
56 bytes from 192.168.2.1: icmp_seq=3 ttl=254 time=3.000 ms
56 bytes from 192.168.2.1: icmp_seq=4 ttl=254 time=2.000 ms
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/2.000/3.000/0.632 ms
# Display IPv4 ADVPN tunnel information on Spoke1. No temporary IPv4 ADVPN tunnel to Spoke2 has been created, which shows that the traffic is forwarded through the Hubs.
[Spoke1]display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 7M 43S
192.168.0.2 2.2.2.2 -- S-H Success 0H 7M 43S
The output on Spoke2 is similar to that on Spoke1.
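The session table above is what an operations job would re-check after every change to the domain. The following added example, which is not part of this H3C document, parses the `display advpn session` output shown for Spoke1 and reports a missing or failed Hub session, or an unexpected spoke-to-spoke session, for a Hub-Spoke domain; the hub address set is taken from hub-group 0 on the VAM Server.

```python
"""Added example, not H3C's code: check 'display advpn session' output for the Hub-Spoke
expectations this page describes (S-H sessions to both hubs in state Success, no S-S sessions)."""
import re

# Constructed sample: the Spoke1 output shown above, pasted as a string.
SPOKE1_SESSIONS = """\
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.1.1.1 -- S-H Success 0H 5M 25S
192.168.0.2 2.2.2.2 -- S-H Success 0H 5M 25S
"""
# Hub private addresses, as configured under hub-group 0 on the VAM Server.
HUBS = {"192.168.0.1", "192.168.0.2"}

# One session row: private, public, port, type (H-H/H-S/S-H/S-S), state, holding time.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([HS]-[HS])\s+(\S+)\s+(\d+H \d+M \d+S)$")
FIELDS = ("private", "public", "port", "type", "state", "holding")


def parse_sessions(output):
    """Return the session rows of 'display advpn session' as a list of dicts."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(dict(zip(FIELDS, m.groups())))
    return rows


def check_spoke(output, hubs=HUBS):
    """Findings for a Spoke in a Hub-Spoke domain; an empty list means the table looks as expected."""
    rows = parse_sessions(output)
    findings = []
    # Every hub must have an established permanent Spoke-Hub session.
    up = {r["private"] for r in rows if r["type"] == "S-H" and r["state"] == "Success"}
    for hub in sorted(hubs - up):
        findings.append(f"no established S-H session to hub {hub}")
    # In Hub-Spoke mode spoke traffic is relayed by the hubs, so no S-S session should exist.
    for r in rows:
        if r["type"] == "S-S":
            findings.append(f"unexpected spoke-spoke session to {r['private']} ({r['public']})")
        elif r["state"] != "Success":
            findings.append(f"session to {r['private']} is in state {r['state']}")
    return findings
```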
#
isis 1
is-level level-2
network-entity 49.0001.0060.0600.6006.00
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 6.6.6.6 0.0.0.0
#
mpls lsr-id 6.6.6.6
#
mpls ldp
#
interface LoopBack0
ip address 6.6.6.6 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 5.6.1.3 255.255.255.0
isis enable 1
mpls enable
mpls ldp enable
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
#
isis 1
is-level level-2
network-entity 49.0001.0070.0700.7007.00
#
ospf 1
area 0.0.0.0
network 5.6.1.0 0.0.0.255
network 7.7.7.7 0.0.0.0
#
mpls lsr-id 7.7.7.7
#
mpls ldp
#
interface LoopBack0
ip address 7.7.7.7 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 5.6.1.4 255.255.255.0
isis enable 1
mpls enable
mpls ldp enable
#
radius session-control enable
#
radius scheme abc
primary authentication 5.6.1.2
primary accounting 5.6.1.2
key authentication simple 123
key accounting simple 123
user-name-format without-domain
#
domain abc
authentication advpn radius-scheme abc
accounting advpn radius-scheme abc
#
domain default enable abc
#
vam server advpn-domain abc id 1
pre-shared-key simple 123456
server enable
hub-group 0
hub private-address 192.168.0.1
hub private-address 192.168.0.2
spoke private-address range 192.168.0.0 192.168.0.255
#
#
isis 1
is-level level-2
network-entity 49.0001.0050.0500.5005.00
#
ospf 1
area 0.0.0.0
network 1.5.1.0 0.0.0.3
network 2.5.1.0 0.0.0.3
network 3.5.1.0 0.0.0.3
network 5.5.5.5 0.0.0.0
network 5.6.1.0 0.0.0.255
#
mpls lsr-id 5.5.5.5
#
mpls ldp
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 1.5.1.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 2.5.1.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/3
ip address 3.5.1.2 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/4
ip address 4.5.1.2 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/5
ip address 5.6.1.1 255.255.255.0
isis enable 1
mpls enable
mpls ldp enable
#
#
isis 1
is-level level-2
network-entity 49.0001.0010.0100.1001.00
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 1.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 1.1.1.1
#
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 1.5.1.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.1 255.255.255.0
ospf cost 1
ospf network-type p2mp
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub1 password simple hub1
client enable
#
#
isis 1
is-level level-2
network-entity 49.0001.0020.0200.2002.00
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 2.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
mpls lsr-id 2.2.2.2
#
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 2.5.1.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.2 255.255.255.0
ospf network-type p2mp
source LoopBack0
tunnel protection ipsec profile abc
vam client Hub2
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user hub2 password simple hub2
client enable
#
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 3.5.1.0 0.0.0.3
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
mpls lsr-id 3.3.3.3
#
mpls ldp
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet1/0/1
ip address 3.5.1.1 255.255.255.252
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.3 255.255.255.0
ospf network-type p2mp
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke1
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke1
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke1 password simple spoke1
client enable
#
#
isis 1
is-level level-2
network-entity 49.0001.0040.0400.4004.00
#
ospf 2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
mpls lsr-id 4.4.4.4
#
mpls ldp
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
isis enable 1
#
interface GigabitEthernet1/0/1
ip address 4.5.1.1 255.255.255.252
isis enable 1
mpls enable
mpls ldp enable
#
interface GigabitEthernet1/0/2
ip address 192.168.2.1 255.255.255.0
#
interface Tunnel1 mode advpn gre
ip address 192.168.0.4 255.255.255.0
ospf network-type p2mp
ospf dr-priority 0
source LoopBack0
tunnel protection ipsec profile abc
vam client Spoke2
#
ipsec transform-set abc
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile abc isakmp
transform-set abc
ike-profile abc
#
ike profile abc
keychain abc
#
ike keychain abc
pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Spoke2
advpn-domain abc
server primary ip-address 6.6.6.6
server secondary ip-address 7.7.7.7
pre-shared-key simple 123456
user spoke2 password simple spoke2
client enable
#
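The running configurations above use des-cbc, sha1, a wildcard pre-shared-key address and six-digit secrets, which is acceptable for a lab but not for production. The following added example, not part of this H3C document, parses a Comware-style running config and lists those weaknesses, and also checks that every ADVPN tunnel's IPsec profile, IKE profile and keychain actually exist; the sample config is constructed from the Hub1 configuration above, and the weak-algorithm list and the 12-character secret threshold are review criteria of my own, not H3C defaults.

```python
"""Added example, not H3C's code: audit an H3C running config for the ADVPN/IPsec weaknesses seen on this page."""
import re
# Constructed sample: the security-relevant blocks of the Hub1 running config shown above.
HUB1_CONFIG = """\
interface Tunnel1 mode advpn gre
 tunnel protection ipsec profile abc
#
ipsec transform-set abc
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec profile abc isakmp
 transform-set abc
 ike-profile abc
#
ike profile abc
 keychain abc
#
ike keychain abc
 pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
#
vam client name Hub1
 pre-shared-key simple 123456
 user hub1 password simple hub1
#
"""
WEAK_ESP = {"encryption-algorithm": {"des-cbc", "3des-cbc", "null"},  # 56/112-bit or no encryption
            "authentication-algorithm": {"md5", "sha1"}}             # legacy integrity hashes


def parse_blocks(text):
    """Split a Comware-style config into (header, [sub-commands]) pairs; a '#' line ends a block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif current is None:
            current = (line, [])
            blocks.append(current)
        else:
            current[1].append(line)
    return blocks


def weak_secret(value):
    return len(value) < 12 or value.isdigit()  # short or all-digit plaintext secrets such as 123456


def ipsec_chain_problem(profile, by_header):
    """Follow tunnel -> ipsec profile -> ike profile -> keychain; return None when every link exists."""
    prof = by_header.get(f"ipsec profile {profile} isakmp")
    if prof is None:
        return f"ipsec profile {profile} is referenced but not defined"
    ike = next((l.split()[1] for l in prof if l.startswith("ike-profile ")), "")
    ike_body = by_header.get(f"ike profile {ike}", [])
    chain = next((l.split()[1] for l in ike_body if l.startswith("keychain ")), "")
    if f"ike keychain {chain}" not in by_header:
        return f"ipsec profile {profile}: ike profile '{ike}' or its keychain is missing"


def audit(text):
    """Return a list of findings for one device's running config."""
    blocks = parse_blocks(text)
    by_header = dict(blocks)
    findings = []
    for header, body in blocks:
        w = header.split()
        if w[:2] == ["ipsec", "transform-set"]:
            for t in (line.split() for line in body):
                if len(t) == 3 and t[0] == "esp" and t[2] in WEAK_ESP.get(t[1], ()):
                    findings.append(f"{header}: esp {t[1]} {t[2]} is weak or legacy")
        elif w[:2] == ["ike", "keychain"]:
            for line in body:
                m = re.match(r"pre-shared-key address (\S+) (\S+) key (simple|cipher) (\S+)", line)
                if m and m.group(1) == "0.0.0.0" and m.group(2) in ("0", "0.0.0.0"):
                    findings.append(f"{header}: PSK is accepted from any peer address")
                if m and m.group(3) == "simple" and weak_secret(m.group(4)):
                    findings.append(f"{header}: IKE pre-shared key is trivially guessable")
        elif w[:3] == ["vam", "client", "name"]:
            for line in body:
                m = re.match(r"pre-shared-key simple (\S+)", line)
                if m and weak_secret(m.group(1)):
                    findings.append(f"{header}: VAM pre-shared key is trivially guessable")
                m = re.match(r"user (\S+) password simple (\S+)", line)
                if m and m.group(1).lower() == m.group(2).lower():
                    findings.append(f"{header}: VAM password equals the username")
        elif w[0] == "interface" and "advpn" in w:
            prof = [l.split()[-1] for l in body if l.startswith("tunnel protection ipsec profile ")]
            if not prof:
                findings.append(f"{header}: ADVPN tunnel carries traffic without IPsec")
            elif (problem := ipsec_chain_problem(prof[0], by_header)):
                findings.append(f"{header}: {problem}")
    return findings
```

Run `audit()` over each device's saved configuration; the Hub1 sample yields six findings, and a config with AES/SHA-256, a peer-specific pre-shared-key address and long secrets yields none.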
Documentation for different models differs slightly; contact your sales representative or the 400 service hotline for details. H3C reserves the right to modify the contents of this document without notice.