06-VPN Configuration Guide

H3C SecPath Firewall Series Configuration Guides(V7)-6W402

06-ADVPN configuration

Configuring ADVPN

About ADVPN

Auto Discovery Virtual Private Network (ADVPN) enables enterprise branches that use dynamic public addresses to establish a VPN network. ADVPN uses the VPN Address Management (VAM) protocol to collect, maintain, and distribute dynamic public addresses.

VAM protocol

VAM uses the client/server model. All VAM clients register their public addresses on the VAM server. A VAM client obtains the public addresses of other clients from the server to establish ADVPN tunnels.

ADVPN structures

ADVPN uses domains to identify VPNs. VAM clients in a VPN must be assigned to the same ADVPN domain. A VAM client can belong to only one ADVPN domain. A VAM server can serve multiple ADVPN domains and manage their clients.

VAM clients include hubs and spokes.

·     Hub—A hub is the exchange center of routing information. A hub in a hub-spoke network is also a data forwarding center.

·     Spoke—A spoke is the gateway of a branch. It does not forward data received from other ADVPN nodes.

ADVPN supports full-mesh, hub-spoke, and hub-group structures.

Full-mesh ADVPN

In a full-mesh ADVPN, spokes can directly communicate with each other. The hub acts as the route exchange center.

As shown in Figure 1, the spokes register with the VAM server and get hub information in the ADVPN domain. Then, they establish permanent tunnels to the hub.

Any two spokes can establish a dynamic tunnel to directly exchange data. The tunnel is deleted if no data exists during the idle timeout time.

Figure 1 Full-mesh ADVPN

Hub-spoke ADVPN

In a hub-spoke ADVPN, spokes communicate with each other through the hub. The hub acts as both the route exchange center and data forwarding center.

As shown in Figure 2, each spoke establishes a permanent tunnel to the hub. Spokes communicate with each other through the hub.

Figure 2 Hub-spoke ADVPN

Hub-group ADVPN

A hub-group ADVPN can accommodate more ADVPN clients, because no single hub has to manage all clients. As shown in Figure 3, a hub-group ADVPN contains multiple hub groups. Each hub group has one or multiple hubs and spokes.

Follow these guidelines to classify hub groups:

·     All hubs must belong to the backbone hub group. This hub group forms the full-mesh backbone area. All hubs obtain information about other hubs from the VAM server and establish permanent ADVPN tunnels to each other.

·     Spokes must belong to non-backbone hub groups. Each non-backbone hub group includes at least one hub and uses either the full-mesh or hub-spoke structure. Spokes obtain hub information in the ADVPN domain from the VAM server, and establish permanent tunnels to the hub. Spokes can establish tunnels only to the hubs in the hub group.

Tunnel establishment and data forwarding within a hub group depend on the structure of that group. Inter-group communication between spokes must pass through the hubs of the two groups. To reduce the load on hubs during inter-group communication, you can allow spokes in different hub groups to establish a dynamic tunnel. The dynamic tunnel is deleted if no data passes through it during the idle timeout time.

Figure 3 Hub-group ADVPN

How ADVPN operates

The VAM server must have a static public address. VAM clients have both a public address and a private address. The public address is the address of the interface connected to the public network. It can be manually configured or dynamically assigned. The private address is the address of the ADVPN tunnel interface. It must be manually configured. All the private addresses of clients in an ADVPN domain must belong to the same network segment.

ADVPN includes the following phases:

·     Connection initialization.

·     Registration.

·     Tunnel establishment.

·     Route learning and packet forwarding.

Connection initialization

As shown in Figure 4, a client and a server perform the following operations to initialize a connection:

1.     The client sends encryption and authentication algorithms to the server in a connection request.

2.     The server compares its algorithms in descending order of priority with the algorithms sent by the client.

3.     The server sends the matching algorithms to the client.

If no match is found, the negotiation fails.

4.     The server and the client generate encryption and authentication keys based on the preshared key.

If authentication and encryption are not needed, they do not generate keys.

5.     The server and the client exchange negotiation acknowledgment packets protected by using the keys.

6.     The server and the client use the keys to protect subsequent packets if each can decrypt and verify the protected negotiation acknowledgment packet it received.

If either side cannot decrypt and verify the packet, the negotiation fails.

Figure 4 Connection initialization process

Registration

Figure 5 shows the following registration process:

1.     The client sends the server a registration request that includes its public address, private address, and the connected private network.

2.     The server sends the client an identity authentication request that specifies the authentication algorithm.

If authentication is not required, the server directly registers the client and sends the client a registration acknowledgement. VAM supports both PAP and CHAP authentication.

3.     The client submits its identity information to the server.

4.     The server performs authentication and accounting for the client through the AAA server.

5.     The server sends the client a registration acknowledgement that includes hub information.

Figure 5 Registration process

Tunnel establishment

A spoke can establish permanent tunnels to any number of hubs. Hubs in an ADVPN domain must establish permanent tunnels.

Figure 6 shows the tunnel establishment process.

1.     The initiator originates a tunnel establishment request.

¡     To establish a hub-spoke tunnel:

The spoke checks whether a tunnel to each hub exists. If not, the spoke sends a tunnel establishment request to the hub.

¡     To establish a hub-hub tunnel:

The hub checks whether a tunnel to each peer hub exists. If not, the hub sends a tunnel establishment request to the peer hub.

¡     To establish a spoke-spoke tunnel:

In a full-mesh network, when a spoke receives a data packet but finds no tunnel for forwarding the packet, it sends an address resolution request to the server. After receiving the resolved address, the spoke sends a tunnel establishment request to the peer spoke.

2.     The receiver saves tunnel information in the request and sends a response to the sender.

Figure 6 Tunnel establishment process

Route learning and packet forwarding

ADVPN nodes use the following methods to learn private routes:

·     Static or dynamic routing—It must be configured for private networks and ADVPN tunnel interfaces to ensure connectivity among private networks. A dynamic routing protocol discovers neighbors, updates routes, and establishes a routing table over ADVPN tunnels. From the perspective of private networks, ADVPN tunnels are links that connect different private networks. The routing protocol exchanges routes between hub and hub, and between hub and spoke. It does not directly exchange routes between spoke and spoke.

When a spoke receives a packet destined to a remote private network, it performs the following operations to forward the packet:

a.     Locates the private next hop from the routing table.

b.     Uses the private next hop to obtain the corresponding public address from the VAM server.

c.     Sends the packet to the public address over the ADVPN tunnel.

Full-mesh and hub-spoke structures are determined by routing. If the next hop is a spoke, the structure is full-mesh. If the next hop is a hub, the structure is hub-spoke.

·     Registration and query from the VAM server—VAM clients register information about the connected private networks on the VAM server.

When a spoke receives a packet destined to a remote private network, it performs the following operations to forward the packet:

a.     Sends the destination address of the packet to the VAM server.

b.     Queries the VAM server for information about the ADVPN node (public and private addresses of the node) connected to the remote private network.

c.     Generates a route to the remote private network through the ADVPN node.

d.     Sends the packet to the public address of the ADVPN node over the ADVPN tunnel.

If both methods are used, the spoke sends both the private next hop and the destination address of the packet to the VAM server. The VAM server preferentially resolves the private network by the destination address. If the route to the remote private network is learned by both methods, the route with the lower preference value is used.

NAT traversal

An ADVPN tunnel can traverse a NAT gateway.

·     If only the tunnel initiator resides behind a NAT gateway, a spoke-spoke tunnel can be established through the NAT gateway.

·     If the tunnel receiver resides behind a NAT gateway, packets must be forwarded by a hub before the receiver originates a tunnel establishment request. If the NAT gateway uses Endpoint-Independent Mapping, a spoke-spoke tunnel can be established through the NAT gateway.

·     If both ends reside behind a NAT gateway, no tunnel can be established and packets between them must be forwarded by a hub.

Restrictions: Hardware compatibility with ADVPN

| Hardware | ADVPN compatibility |
| --- | --- |
| F5010, F5020, F5020-GM, F5030, F5030-6GW, F5040, F5060, F5080, F5000-AI-20, F5000-AI-40, F5000-V30, F5000-C, F5000-S, F5000-M, F5000-A | Yes |
| F1000-AI-20, F1000-AI-30, F1000-AI-50, F1000-AI-60, F1000-AI-70, F1000-AI-80, F1000-AI-90 | Yes |
| F1003-L, F1005-L, F1010-L | Yes |
| F1005, F1010 | Yes |
| F1020, F1020-GM, F1030, F1030-GM, F1050, F1060, F1070, F1070-GM, F1070-GM-L, F1080, F1090, F1000-V70 | Yes |
| F1000-AK1110, F1000-AK1120, F1000-AK1130, F1000-AK1140 | Yes |
| F1000-AK1212, F1000-AK1222, F1000-AK1232, F1000-AK1312, F1000-AK1322, F1000-AK1332 | Yes |
| F1000-AK1414, F1000-AK1424, F1000-AK1434, F1000-AK1514, F1000-AK1524, F1000-AK1534, F1000-AK1614 | Yes |
| F1000-AK108, F1000-AK109, F1000-AK110, F1000-AK115, F1000-AK120, F1000-AK125, F1000-AK710 | Yes |
| F1000-AK130, F1000-AK135, F1000-AK140, F1000-AK145, F1000-AK150, F1000-AK155, F1000-AK160, F1000-AK165, F1000-AK170, F1000-AK175, F1000-AK180, F1000-AK185, F1000-GM-AK370, F1000-GM-AK380, F1000-AK711 | Yes |
| LSU3FWCEA0, LSUM1FWCEAB0, LSX1FWCEA1 | Yes |
| LSXM1FWDF1, LSUM1FWDEC0, IM-NGFWX-IV, LSQM1FWDSC0, LSWM1FWD0, LSPM6FWD, LSQM2FWDSC0 | Yes |
| vFW1000, vFW2000 | Yes |

ADVPN tasks at a glance

Configure ADVPN in the order of VAM servers, hubs, and spokes. Whether an ADVPN node is a hub or a spoke is specified on the VAM servers.

To configure ADVPN, perform the following tasks:

1.     Configuring the VAM server

2.     Configuring ADVPN nodes

a.     Configuring the VAM client

b.     Configuring routing

c.     Configuring an ADVPN tunnel interface

d.     (Optional.) Configuring IPsec for ADVPN tunnels

e.     (Optional.) Enabling ADVPN logging

Configuring the VAM server

Hardware compatibility with VAM server

| Hardware | VAM server compatibility |
| --- | --- |
| F5010, F5020, F5020-GM, F5030, F5030-6GW, F5040, F5060, F5080, F5000-AI-20, F5000-AI-40, F5000-V30, F5000-C, F5000-S, F5000-M, F5000-A | Yes |
| F1000-AI-20, F1000-AI-30, F1000-AI-50, F1000-AI-60, F1000-AI-70, F1000-AI-80, F1000-AI-90 | Yes |
| F1003-L, F1005-L, F1010-L | No |
| F1005, F1010 | No |
| F1020, F1020-GM, F1030, F1030-GM, F1050, F1060, F1070, F1070-GM, F1070-GM-L, F1080, F1090, F1000-V70 | Yes |
| F1000-AK1110, F1000-AK1120, F1000-AK1130, F1000-AK1140 | No |
| F1000-AK1212, F1000-AK1222, F1000-AK1232, F1000-AK1312, F1000-AK1322, F1000-AK1332 | Yes |
| F1000-AK1414, F1000-AK1424, F1000-AK1434, F1000-AK1514, F1000-AK1524, F1000-AK1534, F1000-AK1614 | Yes |
| F1000-AK108, F1000-AK109, F1000-AK110, F1000-AK115, F1000-AK120, F1000-AK125, F1000-AK710 | No |
| F1000-AK130, F1000-AK135, F1000-AK140, F1000-AK145, F1000-AK150, F1000-AK155, F1000-AK160, F1000-AK165, F1000-AK170, F1000-AK175, F1000-AK180, F1000-AK185, F1000-GM-AK370, F1000-GM-AK380, F1000-AK711 | Yes |
| LSU3FWCEA0, LSUM1FWCEAB0, LSX1FWCEA1 | Yes |
| LSXM1FWDF1, LSUM1FWDEC0, IM-NGFWX-IV, LSQM1FWDSC0, LSWM1FWD0, LSPM6FWD, LSQM2FWDSC0 | Yes |
| vFW1000, vFW2000 | Yes |

VAM server tasks at a glance

To configure the VAM server, perform the following tasks:

1.     Creating an ADVPN domain

2.     Enabling the VAM server

3.     Configuring a preshared key for the VAM server

4.     Configuring hub groups

5.     (Optional.) Setting the port number of the VAM server

6.     (Optional.) Specifying authentication and encryption algorithms for the VAM server

7.     (Optional.) Configuring an authentication method

8.     (Optional.) Configuring keepalive parameters

9.     (Optional.) Setting the retry timer

Creating an ADVPN domain

1.     Enter system view.

system-view

2.     Create an ADVPN domain and enter ADVPN domain view.

vam server advpn-domain domain-name id domain-id

Enabling the VAM server

1.     Enter system view.

system-view

2.     Enable the VAM server. Choose one of the following tasks:

¡     In system view, enable the VAM server for one or all ADVPN domains.

vam server enable [ advpn-domain domain-name ]

¡     Execute the following commands in sequence to enable the VAM server for an ADVPN domain:

vam server advpn-domain domain-name [ id domain-id ]

server enable

By default, the VAM server is disabled.

Configuring a preshared key for the VAM server

About this task

The preshared key is used to generate initial encryption and authentication keys during connection initialization. It is also used to generate encryption and authentication keys for subsequent packets if encryption and authentication are needed.

If the preshared key on the VAM server differs from the key on the VAM clients, packet decryption and integrity verification fail, and the VAM server and clients cannot establish connections.

Restrictions and guidelines

The VAM server and the VAM clients in the same ADVPN domain must have the same preshared key.

Procedure

1.     Enter system view.

system-view

2.     Enter ADVPN domain view.

vam server advpn-domain domain-name [ id domain-id ]

3.     Configure a preshared key for the VAM server.

pre-shared-key { cipher | simple } string

By default, no preshared key is configured.

Configuring hub groups

About this task

Hub groups apply to large ADVPN networks. You can classify spokes to different hub groups, and specify one or more hubs for each group. The VAM server assigns a client only the hub information of the client's own hub group. A client establishes permanent ADVPN tunnels only to the hubs in its own hub group.

By default, spokes are not allowed to establish direct tunnels. If an ACL is specified to control establishing spoke-spoke tunnels, the VAM server assigns the specified ACL to an online hub. The hub uses the ACL to match received packets. If a match is found, the hub sends a redirect packet to the spoke that sent the packet. Then, the spoke sends the VAM server the destination address of the packet, obtains the remote spoke information, and establishes a direct tunnel to the remote spoke.

After a spoke-spoke tunnel is established, the spokes directly exchange packets.

When a VAM client registers with the VAM server, the VAM server selects a hub group for the client as follows:

1.     The server matches the private address of the client against the private addresses of hubs in different hub groups in lexicographic order.

2.     If a match is found, the server assigns the client to the hub group as a hub.

3.     If no match is found, the server matches the client's private address against the private addresses of spokes in different hub groups in lexicographic order.

4.     If a match is found, the server assigns the client to the hub group as a spoke.

5.     If no match is found, the registration fails.
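To make the selection order above concrete, the following added Python model (example code, not H3C's implementation) walks the five steps over constructed hub groups. It assumes that "lexicographic order" refers to hub-group names, and it goes one step beyond the text with an overlap check, because a spoke address covered by two groups' ranges silently lands in whichever group sorts first.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Hypothetical model of the VAM server's hub-group selection (added example,
# not H3C code). Group names are assumed to be the lexicographic sort key, and
# every address below is a constructed sample value.


@dataclass
class HubGroup:
    name: str
    hubs: Set[str] = field(default_factory=set)              # "hub private-address"
    spoke_networks: List[str] = field(default_factory=list)  # "spoke private-address network"
    spoke_ranges: List[Tuple[str, str]] = field(default_factory=list)  # "... range start end"

    def intervals(self):
        """Spoke coverage as (first, last) address pairs, one per network or range."""
        out = []
        for n in self.spoke_networks:
            net = ipaddress.ip_network(n, strict=False)
            out.append((net.network_address, net.broadcast_address))
        for start, end in self.spoke_ranges:
            out.append((ipaddress.ip_address(start), ipaddress.ip_address(end)))
        return out

    def has_hub(self, addr) -> bool:
        # Address objects of different IP versions never compare equal.
        return any(ipaddress.ip_address(h) == addr for h in self.hubs)

    def has_spoke(self, addr) -> bool:
        # Version check first: ordering comparisons across IPv4/IPv6 raise TypeError.
        return any(a.version == addr.version and a <= addr <= b
                   for a, b in self.intervals())


def select_hub_group(groups: List[HubGroup], private_address: str) -> Optional[Tuple[str, str]]:
    """Return (group name, role) for a registering client, or None if registration fails."""
    addr = ipaddress.ip_address(private_address)
    ordered = sorted(groups, key=lambda g: g.name)   # lexicographic group order
    for g in ordered:                                # steps 1-2: hub addresses first
        if g.has_hub(addr):
            return g.name, "hub"
    for g in ordered:                                # steps 3-4: then spoke ranges
        if g.has_spoke(addr):
            return g.name, "spoke"
    return None                                      # step 5: no match, registration fails


def _overlaps(g1: HubGroup, g2: HubGroup) -> bool:
    return any(a1.version == a2.version and a1 <= b2 and a2 <= b1
               for a1, b1 in g1.intervals() for a2, b2 in g2.intervals())


def find_spoke_overlaps(groups: List[HubGroup]) -> List[Tuple[str, str]]:
    """Pairs of groups whose spoke ranges share at least one address (a config smell)."""
    ordered = sorted(groups, key=lambda g: g.name)
    return [(g1.name, g2.name) for i, g1 in enumerate(ordered)
            for g2 in ordered[i + 1:] if _overlaps(g1, g2)]


def sample_groups() -> List[HubGroup]:
    """Constructed domain: two hubs in the backbone group, one per non-backbone group."""
    return [
        HubGroup("backbone", hubs={"10.1.1.1", "10.1.1.2"}),
        HubGroup("group-a", hubs={"10.1.1.1"},
                 spoke_networks=["2001:db8:1::/64"],
                 spoke_ranges=[("10.1.1.10", "10.1.1.100")]),
        HubGroup("group-b", hubs={"10.1.1.2"},
                 spoke_ranges=[("10.1.1.101", "10.1.1.200")]),
    ]


if __name__ == "__main__":
    for client in ("10.1.1.1", "10.1.1.50", "10.1.1.150", "10.1.1.250", "2001:db8:1::5"):
        print(client, "->", select_hub_group(sample_groups(), client))
    print("overlaps:", find_spoke_overlaps(sample_groups()))
```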

Procedure

1.     Enter system view.

system-view

2.     Enter ADVPN domain view.

vam server advpn-domain domain-name [ id domain-id ]

3.     Create a hub group and enter hub group view.

hub-group group-name

4.     Configure a hub private address.

IPv4:

hub private-address private-ip-address [ public-address { public-ipv4-address | public-ipv6-address } [ advpn-port port-number ] ]

IPv6:

hub ipv6 private-address private-ipv6-address [ public-address { public-ipv4-address | public-ipv6-address } [ advpn-port port-number ] ]

By default, no hub private addresses are configured.

A hub group must have a minimum of one hub private address.

5.     Configure a spoke private address range.

IPv4:

spoke private-address { network ip-address { mask-length | mask } | range start-ipv4-address end-ipv4-address }

IPv6:

spoke ipv6 private-address { network prefix prefix-length | range start-ipv6-address end-ipv6-address }

By default, no spoke private address ranges are configured.

You can configure multiple spoke private IPv4 and IPv6 address ranges in a hub group.

6.     Specify an ACL to control establishing spoke-to-spoke tunnels.

IPv4:

shortcut interest { acl { acl-number | name acl-name } | all }

IPv6:

shortcut ipv6 interest { acl { ipv6-acl-number | name ipv6-acl-name } | all }

By default, spokes are not allowed to establish direct tunnels.

Setting the port number of the VAM server

Restrictions and guidelines

The port number of the VAM server must be the same as that configured on the VAM clients.

Procedure

1.     Enter system view.

system-view

2.     Set the port number of the VAM server.

vam server listen-port port-number

The default port number is 18000.

Specifying authentication and encryption algorithms for the VAM server

About this task

The VAM server uses the specified algorithms to negotiate with the VAM client.

The VAM server and client use SHA-1 and AES-CBC-128 during connection initialization, and use the negotiated algorithms after connection initialization.

Restrictions and guidelines

The algorithm specified earlier in a command line has a higher priority.

The configuration of the commands that specify authentication and encryption algorithms does not affect registered VAM clients. It applies to subsequently registered VAM clients.

Procedure

1.     Enter system view.

system-view

2.     Enter ADVPN domain view.

vam server advpn-domain domain-name [ id domain-id ]

3.     Specify authentication algorithms.

authentication-algorithm { aes-xcbc-mac | md5 | none | sha-1 | sha-256 } *

The default authentication algorithm is SHA-1.

4.     Specify encryption algorithms.

encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | des-cbc | none } *

The default encryption algorithms are AES-CBC-256, AES-CBC-192, AES-CBC-128, AES-CTR-256, AES-CTR-192, AES-CTR-128, 3DES-CBC, and DES-CBC in descending order of priority.
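The negotiation described under "Connection initialization" picks, for each algorithm type, the first entry in the server's priority list that the client also offered, so the server's configured list is what decides whether a client can still end up on DES-CBC or 3DES-CBC. The following added Python model (example code, not H3C's implementation; the keyword names are the ones from the two commands above, the default lists are the ones stated on this page, and the trimmed lists are an assumption) shows the default lists beside a trimmed set.

```python
from typing import Dict, List, Optional

# Hypothetical model of VAM algorithm negotiation (added example, not H3C code).
# Server lists are in descending priority, as the command syntax above states.

# Defaults stated on this page.
SERVER_DEFAULT_AUTH = ["sha-1"]
SERVER_DEFAULT_ENC = ["aes-cbc-256", "aes-cbc-192", "aes-cbc-128",
                      "aes-ctr-256", "aes-ctr-192", "aes-ctr-128",
                      "3des-cbc", "des-cbc"]

# Assumed trimmed lists for a hardened deployment (not from the page).
HARDENED_AUTH = ["sha-256"]
HARDENED_ENC = ["aes-cbc-256", "aes-ctr-256"]

# Keywords the commands accept that a reviewer would flag: "none" disables
# protection entirely, the rest are legacy algorithms.
WEAK = {"des-cbc", "3des-cbc", "md5", "none"}


def negotiate(server_prefs: List[str], client_offer: List[str]) -> Optional[str]:
    """Step 2 of connection initialization: walk the server's list in priority
    order and return the first algorithm the client also offered.
    The client's own ordering does not matter; the server's priority wins."""
    offered = set(client_offer)
    for alg in server_prefs:
        if alg in offered:
            return alg
    return None


def negotiate_connection(server_auth: List[str], server_enc: List[str],
                         client_auth: List[str], client_enc: List[str]) -> Optional[Dict[str, str]]:
    """Return the matched pair, or None when either type has no match
    (the text: 'If no match is found, the negotiation fails')."""
    auth = negotiate(server_auth, client_auth)
    enc = negotiate(server_enc, client_enc)
    if auth is None or enc is None:
        return None
    return {"authentication": auth, "encryption": enc}


def audit_server_lists(server_auth: List[str], server_enc: List[str]) -> List[str]:
    """Weak keywords a server configuration would still accept, sorted."""
    return sorted(WEAK & (set(server_auth) | set(server_enc)))


if __name__ == "__main__":
    legacy_client = (["sha-1"], ["des-cbc"])
    print("defaults :", negotiate_connection(SERVER_DEFAULT_AUTH, SERVER_DEFAULT_ENC, *legacy_client))
    print("hardened :", negotiate_connection(HARDENED_AUTH, HARDENED_ENC, *legacy_client))
    print("weak keywords still accepted by defaults:", audit_server_lists(SERVER_DEFAULT_AUTH, SERVER_DEFAULT_ENC))
```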

Configuring an authentication method

About this task

The VAM server uses the specified method to authenticate clients in the ADVPN domain. The method can be no authentication or AAA authentication. If AAA is used, the VAM server supports PAP and CHAP authentication. Only VAM clients that pass identity authentication can access the ADVPN domain. For information about AAA configuration on the VAM server, see Security Configuration Guide.

Restrictions and guidelines

If the specified ISP domain does not exist, the authentication will fail.

A newly configured authentication method does not affect registered VAM clients. It applies to subsequently registered VAM clients.

Procedure

1.     Enter system view.

system-view

2.     Enter ADVPN domain view.

vam server advpn-domain domain-name [ id domain-id ]

3.     Specify an authentication method.

authentication-method { none | { chap | pap } [ domain isp-name ] }

By default, the authentication method is CHAP, and the default ISP domain is used.

Configuring keepalive parameters

About this task

Keepalive parameters include a keepalive interval and a maximum number of keepalive retries. The VAM server assigns the configured keepalive parameters to clients in the ADVPN domain.

A client sends keepalives to the server at the specified interval. If a client does not receive any responses from the server after the maximum keepalive attempts (keepalive retries + 1), the client stops sending keepalives. If the VAM server does not receive any keepalives from a client before the timeout timer expires, the server removes information about the client and logs off the client. The timeout time is the product of the keepalive interval and keepalive attempts.

Restrictions and guidelines

Newly configured keepalive parameters do not affect registered VAM clients. They apply to subsequently registered clients.

If a device configured with dynamic NAT exists between the VAM server and VAM clients, configure the keepalive interval to be shorter than the aging time of NAT entries.

Configure proper values for the keepalive parameters depending on the network condition.

Procedure

1.     Enter system view.

system-view

2.     Enter ADVPN domain view.

vam server advpn-domain domain-name [ id domain-id ]

3.     Configure keepalive parameters.

keepalive interval interval retry retries

By default, the keepalive interval is 180 seconds, and the maximum number of keepalive retries is 3.

Setting the retry timer

About this task

The VAM server starts the retry timer after it sends a request to a client. If the server does not receive a response from the client before the retry timer expires, the server resends the request. The server stops sending the request after receiving a response from the client or after the timeout timer (product of the keepalive interval and keepalive attempts) expires.

Procedure

1.     Enter system view.

system-view

2.     Enter ADVPN domain view.

vam server advpn-domain domain-name [ id domain-id ]

3.     Set the retry timer.

retry interval interval

By default, the retry timer is 5 seconds.

Configuring the VAM client

VAM client tasks at a glance

To configure the VAM client, perform the following tasks:

1.     Creating a VAM client

2.     Enabling VAM clients

3.     Specifying VAM servers

4.     Specifying an ADVPN domain for a VAM client

5.     Configuring a preshared key for a VAM client

6.     (Optional.) Setting the retry interval and retry number for a VAM client

7.     (Optional.) Setting the dumb timer for a VAM client

8.     (Optional.) Configuring a username and password for a VAM client

Creating a VAM client

1.     Enter system view.

system-view

2.     Create a VAM client and enter its view.

vam client name client-name

Enabling VAM clients

1.     Enter system view.

system-view

2.     Enable VAM clients. Choose one of the following tasks:

¡     Enable one or all VAM clients.

vam client enable [ name client-name ]

¡     Execute the following commands in sequence to enable a VAM client:

vam client name client-name

client enable

By default, no VAM clients are enabled.

Specifying VAM servers

About this task

You can specify a primary VAM server and a secondary VAM server for a VAM client. The client registers with both servers and accepts settings from the server that registers it first. When that server fails, the client uses the settings from the other server.

Restrictions and guidelines

If the specified primary and secondary VAM servers have the same address or name, only the primary VAM server takes effect.

The port number specified for a VAM server must be the same as the listening port configured on that VAM server.

Procedure

1.     Enter system view.

system-view

2.     Enter VAM client view.

vam client name client-name

3.     Specify the primary VAM server.

server primary { ip-address ip-address | ipv6-address ipv6-address | name host-name } [ port port-number ]

By default, no VAM server is specified.

4.     (Optional.) Specify the secondary VAM server.

server secondary { ip-address ip-address | ipv6-address ipv6-address | name host-name } [ port port-number ]

By default, no VAM server is specified.

Specifying an ADVPN domain for a VAM client

1.     Enter system view.

system-view

2.     Enter VAM client view.

vam client name client-name

3.     Specify an ADVPN domain for the VAM client.

advpn-domain domain-name

By default, no ADVPN domain is specified for a VAM client.

Configuring a preshared key for a VAM client

About this task

The preshared key is used to generate initial encryption and authentication keys during connection initialization. It is also used to generate encryption and authentication keys for subsequent packets if encryption and authentication are needed.

If a VAM client and the VAM server have different preshared keys, packet decryption and integrity verification will fail. The VAM client and server cannot establish a connection.

Restrictions and guidelines

The VAM server and the VAM clients in the same ADVPN domain must have the same preshared key.

Procedure

1.     Enter system view.

system-view

2.     Enter VAM client view.

vam client name client-name

3.     Configure a preshared key for the VAM client.

pre-shared-key { cipher | simple } string

By default, no preshared key is configured for a VAM client.

Setting the retry interval and retry number for a VAM client

About this task

After a VAM client sends a request to the server, it resends the request if it does not receive a response within the retry interval. If the client still receives no response after the maximum number of attempts (retry number + 1), the client determines that the server is unreachable.

The retry number does not apply to register and update requests. The client sends those requests at the retry interval until it goes offline.

Procedure

1.     Enter system view.

system-view

2.     Enter VAM client view.

vam client name client-name

3.     Set the retry interval and retry number.

retry interval interval count retries

By default, the retry interval is 5 seconds, and the retry number is 3.

Setting the dumb timer for a VAM client

About this task

A VAM client starts the dumb timer after the timeout timer expires. The client does not process any packets during the dumb time. When the dumb timer expires, the client sends a new connection request to the VAM server.

Procedure

1.     Enter system view.

system-view

2.     Enter VAM client view.

vam client name client-name

3.     Set the dumb timer.

dumb-time time-interval

By default, the dumb timer is 120 seconds.

Configuring a username and password for a VAM client

About this task

A VAM client uses its username and password for authentication on the VAM server.

Procedure

1.     Enter system view.

system-view

2.     Enter VAM client view.

vam client name client-name

3.     Configure a username and password for the client.

user username password { cipher | simple } string

By default, no username and password are configured for a VAM client.

Configuring routing

ADVPN supports OSPF, RIP, and BGP for IPv4.

·     When OSPF is used, set the network type of an OSPF interface to broadcast in a full-mesh network or to P2MP in a hub-spoke network. For more information about OSPF configuration, see Layer 3—IP Routing Configuration Guide.

·     Full-mesh ADVPN does not support RIP. Only hub-spoke ADVPN supports RIP. When RIP is used in a hub-spoke network, you must disable split horizon. For more information about RIP configuration, see Layer 3—IP Routing Configuration Guide.

·     When BGP is used, configure a routing policy to make sure the next hop of a route destined for a remote private network meets the following requirements:

¡     In a full-mesh network, the next hop is the IP address of the peer spoke. EBGP does not support full-mesh.

¡     In a hub-spoke network, the next hop is the IP address of the hub.

For more information about BGP and routing policy configuration, see Layer 3—IP Routing Configuration Guide.

ADVPN supports OSPFv3, RIPng, and IPv6 BGP for IPv6.

·     When OSPFv3 is used, set the network type of an OSPFv3 interface to broadcast in a full-mesh network or to P2MP in a hub-spoke network. For more information about OSPFv3 configuration, see Layer 3—IP Routing Configuration Guide.

·     When RIPng is used, only the full-mesh network is supported. For more information about RIPng configuration, see Layer 3—IP Routing Configuration Guide.

·     When IPv6 BGP is used, configure a routing policy to make sure the next hop of a route destined for a remote private network meets the following requirements:

¡     In a full-mesh network, the next hop is the IP address of the peer spoke. EBGP does not support full-mesh.

¡     In a hub-spoke network, the next hop is the IP address of the hub.

For more information about IPv6 BGP and routing policy configuration, see Layer 3—IP Routing Configuration Guide.

Configuring an ADVPN tunnel interface

Restrictions and guidelines

ADVPN establishes tunnels over ADVPN tunnel interfaces. If multiple GRE ADVPN tunnel interfaces have the same source address or source interface, you must configure different GRE keys for the interfaces. For more information about GRE keys, see "Configuring GRE."

For more information about tunnel interfaces, see "Configuring tunneling." For more information about tunnel interface configuration commands, see tunneling commands in VPN Command Reference.

Procedure

1.     Enter system view.

system-view

2.     Create an ADVPN tunnel interface and enter its view.

interface tunnel number [ mode advpn { gre | udp } [ ipv6 ] ]

The two ends of an ADVPN tunnel must use the same tunnel mode.

3.     Configure a private address for the tunnel interface.

IPv4:

ip address ip-address { mask | mask-length } [ sub ]

IPv6:

ipv6 address ipv6-address prefix-length

By default, no private address is configured for the tunnel interface.

All tunnel interfaces in a hub group must reside in the same private network.

4.     Specify a source address or source interface for the tunnel interface.

source { ip-address | interface-type interface-number }

By default, no source address or source interface is configured for a tunnel interface.

The specified source address or the IP address of the specified source interface is used as the source address of sent ADVPN packets.

5.     (Optional.) Set the DF bit for ADVPN packets.

tunnel dfbit enable

By default, the DF bit is not set for ADVPN packets.

6.     (Optional.) Set the source UDP port number of ADVPN packets.

advpn source-port port-number

By default, the source UDP port number of ADVPN packets is 18001.

This command is available when the tunnel mode is UDP.

If the vam client command configured on the tunnel interface has the compatible keyword, the tunnel interface must have a different source UDP port number than other tunnel interfaces.

7.     Bind a VAM client to the tunnel interface.

IPv4:

vam client client-name [ compatible advpn0 ]

IPv6:

vam ipv6 client client-name

By default, no VAM client is bound to an ADVPN tunnel interface.

A VAM client can be bound to only one IPv4 or IPv6 ADVPN tunnel interface.

8.     (Optional.) Configure a private network for the tunnel interface.

IPv4:

advpn network ip-address { mask-length | mask } [ preference preference-value ]

IPv6:

advpn ipv6 network prefix prefix-length [ preference preference-value ]

By default, no private network is configured for the tunnel interface.

Set the preference of the private network route to be higher than other dynamic routing protocols, and lower than static routing.

9.     (Optional.) Set the keepalive interval and the maximum number of keepalive attempts for the tunnel interface.

keepalive interval interval retry retries

By default, the keepalive interval is 180 seconds, and the maximum number of keepalive attempts is 3.

The keepalive interval and the maximum number of keepalive attempts must be the same on the tunnel interfaces in an ADVPN domain.

10.     (Optional.) Set the idle timeout time for the spoke-spoke tunnel.

advpn session idle-time time-interval

By default, the idle timeout time is 600 seconds.

The new idle timeout setting applies to both existing and subsequently established spoke-spoke tunnels.

11.     (Optional.) Set the dumb timer for the tunnel interface.

advpn session dumb-time time-interval

By default, the dumb timer is 120 seconds.

The new dumb timer setting only applies to subsequently established tunnels.

12.     (Optional.) Configure an ADVPN group name.

advpn group group-name

By default, no ADVPN group name is configured.

Perform this step on the spoke.

13.     (Optional.) Configure a mapping between an ADVPN group and a QoS policy.

advpn map group group-name qos-policy policy-name outbound

By default, no ADVPN group-to-QoS policy mappings are configured.

Perform this step on the hub.
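The constraints stated in steps 3 through 9 (a private address and a source on every tunnel interface, advpn source-port only in UDP mode, a distinct source UDP port for a compatible client, one tunnel interface per VAM client, identical keepalive settings across the domain) are easy to violate when several tunnel interfaces are configured on one device. The following script is an added example, not H3C code: it parses a constructed Comware-style configuration snippet and reports any of those constraints that are broken. It assumes that every tunnel interface in the snippet belongs to the same ADVPN domain (required for the keepalive check), and it does not check the hub-group private-network rule of step 3, because hub-group membership is not visible in the tunnel interface configuration.

```python
"""Consistency checks for ADVPN tunnel-interface configuration.

Added example, not H3C's code. Parses a Comware-style configuration
snippet and flags violations of the constraints stated for steps 3 to 9
of the tunnel interface procedure. Assumes all tunnel interfaces in the
snippet belong to one ADVPN domain.
"""
import re

DEFAULT_SOURCE_PORT = 18001      # default source UDP port of ADVPN packets
DEFAULT_KEEPALIVE = (180, 3)     # default keepalive interval (s) and retries

# Running-config header of an ADVPN tunnel interface, e.g.
# "interface Tunnel1 mode advpn udp" (format assumed for this example)
_IFACE_RE = re.compile(r"^interface\s+(Tunnel\d+)\s+mode\s+advpn\s+(gre|udp)\s*$", re.I)

# Constructed sample configuration: two hubs on one device, the second
# bound to a compatible client that still uses the default source port,
# and with a keepalive interval that differs from the first.
SAMPLE_CONFIG = """\
#
interface Tunnel1 mode advpn udp
 ip address 10.1.0.1 255.255.255.0
 source GigabitEthernet1/0/1
 vam client Hub1
 keepalive interval 180 retry 3
#
interface Tunnel2 mode advpn udp
 ip address 10.1.1.1 255.255.255.0
 source GigabitEthernet1/0/2
 vam client Hub2 compatible advpn0
 keepalive interval 60 retry 3
#
interface GigabitEthernet1/0/1
 ip address 192.0.2.1 255.255.255.0
#
"""


def parse_tunnels(config_text):
    """Return one dict per ADVPN tunnel interface found in the snippet."""
    tunnels = []
    cur = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                 # "#" ends the current view
            cur = None
            continue
        m = _IFACE_RE.match(line)
        if m:
            cur = {"name": m.group(1), "mode": m.group(2).lower(),
                   "address": None, "source": None, "client": None,
                   "compatible": False, "source_port": DEFAULT_SOURCE_PORT,
                   "source_port_set": False, "keepalive": DEFAULT_KEEPALIVE}
            tunnels.append(cur)
            continue
        if cur is None or line.startswith("interface "):
            cur = None                  # some other interface view
            continue
        words = line.split()
        if words[:2] in (["ip", "address"], ["ipv6", "address"]):
            cur["address"] = " ".join(words[2:])
        elif words[0] == "source":
            cur["source"] = " ".join(words[1:])
        elif words[:2] == ["vam", "client"]:
            cur["client"] = words[2]
            cur["compatible"] = "compatible" in words
        elif words[:3] == ["vam", "ipv6", "client"]:
            cur["client"] = words[3]
        elif words[:2] == ["advpn", "source-port"]:
            cur["source_port"] = int(words[2])
            cur["source_port_set"] = True
        elif words[0] == "keepalive" and len(words) >= 5:
            cur["keepalive"] = (int(words[2]), int(words[4]))
    return tunnels


def check_tunnels(tunnels):
    """Return a list of findings; an empty list means the snippet is consistent."""
    findings = []
    clients = {}      # VAM client name -> tunnel interfaces bound to it
    udp_ports = {}    # source UDP port -> UDP-mode tunnel interfaces using it
    for t in tunnels:
        if t["address"] is None:
            findings.append(f"{t['name']}: no private address (step 3)")
        if t["source"] is None:
            findings.append(f"{t['name']}: no source address or interface (step 4)")
        if t["source_port_set"] and t["mode"] != "udp":
            findings.append(f"{t['name']}: advpn source-port requires UDP mode (step 6)")
        if t["client"] is None:
            findings.append(f"{t['name']}: no VAM client bound (step 7)")
        else:
            clients.setdefault(t["client"], []).append(t["name"])
        if t["mode"] == "udp":
            udp_ports.setdefault(t["source_port"], []).append(t)
    for client, names in clients.items():
        if len(names) > 1:
            findings.append(f"VAM client {client} bound to {', '.join(names)}; "
                            "only one tunnel interface is allowed (step 7)")
    for port, group in udp_ports.items():
        if len(group) > 1 and any(t["compatible"] for t in group):
            names = ", ".join(t["name"] for t in group)
            findings.append(f"source UDP port {port} shared by {names} although a "
                            "compatible client is bound (step 6)")
    if len({t["keepalive"] for t in tunnels}) > 1:
        findings.append("keepalive interval/retries differ across tunnel interfaces (step 9)")
    return findings


if __name__ == "__main__":
    for finding in check_tunnels(parse_tunnels(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the checker reports the shared default port 18001 under a compatible client and the differing keepalive interval; adding advpn source-port 18002 to Tunnel2 and aligning the keepalive interval clears both findings.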

Configuring IPsec for ADVPN tunnels

You can configure an IPsec profile to secure ADVPN tunnels:

1.     Configure IPsec transform sets to specify the security protocols, authentication and encryption algorithms, and the encapsulation mode.

2.     Configure an IKE-mode IPsec profile that uses the IPsec transform sets.

3.     Apply the IPsec profile to an ADVPN tunnel interface.

For more information about IPsec configuration, see Security Configuration Guide.

Enabling ADVPN logging

About this task

This feature enables the device to generate logs for the ADVPN module and send the logs to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enable ADVPN logging.

advpn logging enable

By default, ADVPN logging is disabled.

Display and maintenance commands for ADVPN

Execute display commands in any view and reset commands in user view.

Task

Command

Display IPv4 private-to-public address mapping information for VAM clients registered with the VAM server.

display vam server address-map [ advpn-domain domain-name [ private-address private-ip-address ] ] [ verbose ]

Display IPv6 private-to-public address mapping information for VAM clients registered with the VAM server.

display vam server ipv6 address-map [ advpn-domain domain-name [ private-address private-ipv6-address ] ] [ verbose ]

Display IPv4 private networks for VAM clients registered with the VAM server.

display vam server private-network [ advpn-domain domain-name [ private-address private-ip-address ] ]

Display IPv6 private networks for VAM clients registered with the VAM server.

display vam server ipv6 private-network [ advpn-domain domain-name [ private-address private-ipv6-address ] ]

Display ADVPN domain statistics on the VAM server.

display vam server statistics [ advpn-domain domain-name ]

Display FSM information for VAM clients.

display vam client fsm [ name client-name ]

Display statistics for VAM clients.

display vam client statistics [ name client-name ]

Display IPv4 spoke-to-spoke tunnel establishment rules for VAM clients.

display vam client shortcut interest [ name client-name ]

Display IPv6 spoke-to-spoke tunnel establishment rules for VAM clients.

display vam client shortcut ipv6 interest [ name client-name ]

Display ADVPN group-to-QoS policy mappings.

display advpn group-qos-map [ interface tunnel number [ group group-name ] ]

Display IPv4 ADVPN tunnel information.

display advpn session [ interface tunnel number [ private-address private-ip-address ] ] [ verbose ]

Display IPv6 ADVPN tunnel information.

display advpn ipv6 session [ interface tunnel number [ private-address private-ipv6-address ] ] [ verbose ]

Display the number of ADVPN sessions in different states.

display advpn session count

Clear IPv4 private-to-public address mapping information for VAM clients registered with the VAM server.

reset vam server address-map [ advpn-domain domain-name [ private-address private-ip-address ] ]

Clear IPv6 private-to-public address mapping information for VAM clients registered with the VAM server.

reset vam server ipv6 address-map [ advpn-domain domain-name [ private-address private-ipv6-address ] ]

Clear ADVPN domain statistics on the VAM server.

reset vam server statistics [ advpn-domain domain-name ]

Reset the FSM for VAM clients.

reset vam client [ ipv6 ] fsm [ name client-name ]

Clear statistics for VAM clients.

reset vam client statistics [ name client-name ]

Delete IPv4 ADVPN tunnels.

reset advpn session [ interface tunnel number [ private-address private-ip-address ] ]

Delete IPv6 ADVPN tunnels.

reset advpn ipv6 session [ interface tunnel number [ private-address private-ipv6-address ] ]

Clear statistics for IPv4 ADVPN tunnels.

reset advpn session statistics [ interface tunnel number [ private-address private-ip-address ] ]

Clear statistics for IPv6 ADVPN tunnels.

reset advpn ipv6 session statistics [ interface tunnel number [ private-address private-ipv6-address ] ]