57 - Configuration example: MSR series routers using the public network for MPLS L3VPN over GRE over IPsec backup and NAT multi-instance Internet access
Configuration example: backing up an MPLS L3VPN network with MPLS L3VPN over GRE over IPsec tunnels across the Internet on MSR series routers
Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this document may be excerpted, reproduced or distributed in any form without the prior written permission of the company. The information in this document is subject to change without notice.
This document describes a typical case of backing up an MPLS L3VPN network with MPLS L3VPN over GRE over IPsec tunnels across the Internet.
This document does not strictly correspond to specific software or hardware versions. If the behaviour you observe differs from what is described here, refer to the relevant product manuals or go by the actual behaviour of the device.
The configurations in this document were made and verified in a lab environment, with all device parameters at their factory defaults before configuration. If you have already configured the device, make sure that the existing configuration does not conflict with the configuration in this example.
This document assumes that you are familiar with the GRE over IPsec and MPLS L3VPN features.
As shown in Figure 1, in the MPLS VPN backbone the headquarters PE router and the branch PE routers communicate with each other. To keep the PEs connected if the primary MPLS VPN network fails, the requirements are:
· Establish redundant tunnel-based backup links between the PEs so that they can still reach each other when the MPLS network fails.
· Configure NAT multi-instance on the PEs so that the VPN routes on each PE can reach the Internet.
Figure 1 Network diagram for MPLS L3VPN over GRE over IPsec backup and NAT multi-instance on MSR series routers
Device | Interface | IP address
PE | Loop0 | 1.1.1.1/32
PE | Loop100 | 100.1.1.1/32
PE | Eth0/1 | 10.1.1.1/24
PE | Eth0/2 | 20.1.1.1/24
PE | Tunnel0 | 1.2.0.1/24
PE | Tunnel1 | 1.3.0.1/24
PE 1 | Loop0 | 2.2.2.2/32
PE 1 | Loop100 | 100.2.2.2/32
PE 1 | Eth0/1 | 10.1.1.2/24
PE 1 | Eth0/2 | 20.1.1.2/24
PE 1 | Tunnel0 | 1.2.0.2/24
PE 2 | Loop0 | 3.3.3.3/32
PE 2 | Loop100 | 100.3.3.3/32
PE 2 | Eth0/1 | 10.1.1.3/24
PE 2 | Eth0/2 | 20.1.1.3/24
PE 2 | Tunnel0 | 1.3.0.2/24
Internet | - | 20.1.1.254/24
This example was configured and verified on Release 2311.
# PE: configure the interface addresses.
<PE> system-view
[PE] interface loopback 0
[PE-LoopBack0] ip address 1.1.1.1 255.255.255.255
[PE-LoopBack0] quit
[PE] interface loopback 100
[PE-LoopBack100] ip address 100.1.1.1 255.255.255.255
[PE-LoopBack100] quit
[PE] interface ethernet 0/1
[PE-Ethernet0/1] port link-mode route
[PE-Ethernet0/1] ip address 10.1.1.1 255.255.255.0
[PE-Ethernet0/1] quit
[PE] interface ethernet 0/2
[PE-Ethernet0/2] port link-mode route
[PE-Ethernet0/2] ip address 20.1.1.1 255.255.255.0
[PE-Ethernet0/2] quit
# Configure OSPF so that the backbone is reachable.
[PE] ospf 1
[PE-ospf-1] area 0.0.0.0
[PE-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE-ospf-1-area-0.0.0.0] quit
[PE-ospf-1] quit
# Configure the MPLS LSR ID and enable MPLS and MPLS LDP.
[PE] router id 1.1.1.1
[PE] mpls lsr-id 1.1.1.1
[PE] mpls
[PE-mpls] quit
[PE] mpls ldp
[PE-mpls-ldp] quit
# Enable MPLS and MPLS LDP on interface Ethernet0/1.
[PE] interface ethernet 0/1
[PE-Ethernet0/1] mpls
[PE-Ethernet0/1] mpls ldp
[PE-Ethernet0/1] quit
# Create VPN instance vpna and configure its RD and VPN target attributes.
[PE] ip vpn-instance vpna
[PE-vpn-instance-vpna] route-distinguisher 1:1
[PE-vpn-instance-vpna] vpn-target 1:1 export-extcommunity
[PE-vpn-instance-vpna] vpn-target 1:1 import-extcommunity
[PE-vpn-instance-vpna] quit
# Establish MP-IBGP peer relationships between the PEs.
[PE] bgp 100
[PE-bgp] group 100 internal
[PE-bgp] peer 100 connect-interface loopback 0
[PE-bgp] peer 2.2.2.2 group 100
[PE-bgp] peer 3.3.3.3 group 100
# Enter BGP-VPN instance view and redistribute direct routes into the vpna routing table.
[PE-bgp] ipv4-family vpn-instance vpna
[PE-bgp-ipv4-vpna] import-route direct
[PE-bgp-ipv4-vpna] quit
# Enter BGP-VPNv4 subaddress family view and enable peers 2.2.2.2 and 3.3.3.3.
[PE-bgp] ipv4-family vpnv4
[PE-bgp-af-vpnv4] peer 100 enable
[PE-bgp-af-vpnv4] peer 2.2.2.2 enable
[PE-bgp-af-vpnv4] peer 2.2.2.2 group 100
[PE-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE-bgp-af-vpnv4] peer 3.3.3.3 group 100
[PE-bgp-af-vpnv4] quit
[PE-bgp] quit
# Set the local IKE gateway name to 1.1.1.1.
[PE] ike local-name 1.1.1.1
# Create GRE tunnel interface Tunnel 0.
[PE] interface tunnel 0
[PE-Tunnel0] ip address 1.2.0.1 255.255.255.0
[PE-Tunnel0] source 100.1.1.1
[PE-Tunnel0] destination 100.2.2.2
# Enable GRE keepalive on the tunnel.
[PE-Tunnel0] keepalive 10 3
# Enable MPLS on Tunnel 0.
[PE-Tunnel0] mpls
[PE-Tunnel0] quit
# Create GRE tunnel interface Tunnel 1.
[PE] interface tunnel 1
[PE-Tunnel1] ip address 1.3.0.1 255.255.255.0
[PE-Tunnel1] source 100.1.1.1
[PE-Tunnel1] destination 100.3.3.3
# Enable GRE keepalive on the tunnel.
[PE-Tunnel1] keepalive 10 3
# Enable MPLS on Tunnel 1.
[PE-Tunnel1] mpls
[PE-Tunnel1] quit
# Add Tunnel 0 and Tunnel 1 to the OSPF network.
[PE] ospf 1
[PE-ospf-1] area 0.0.0.0
[PE-ospf-1-area-0.0.0.0] network 1.2.0.0 0.0.0.255
[PE-ospf-1-area-0.0.0.0] network 1.3.0.0 0.0.0.255
[PE-ospf-1-area-0.0.0.0] quit
[PE-ospf-1] quit
# Configure ACLs to define the traffic flows: ACL 3000 matches all traffic from VPN instance vpna (used by NAT), and ACLs 3333 and 3334 match the GRE traffic of the two tunnels (used by IPsec).
[PE] acl number 3000
[PE-acl-adv-3000] rule 0 permit ip vpn-instance vpna
[PE-acl-adv-3000] quit
[PE] acl number 3333
[PE-acl-adv-3333] rule 10 permit gre source 100.1.1.1 0 destination 100.2.2.2 0
[PE-acl-adv-3333] quit
[PE] acl number 3334
[PE-acl-adv-3334] rule 20 permit gre source 100.1.1.1 0 destination 100.3.3.3 0
[PE-acl-adv-3334] quit
# Create IPsec transform set tran1 using tunnel-mode encapsulation and the ESP protocol.
[PE] ipsec transform-set tran1
[PE-ipsec-transform-set-tran1] encapsulation-mode tunnel
[PE-ipsec-transform-set-tran1] transform esp
# Use SHA1 for authentication and DES for encryption, as in the original lab. DES is a 56-bit legacy cipher; in production, use the strongest encryption algorithm the platform supports.
[PE-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[PE-ipsec-transform-set-tran1] esp encryption-algorithm des
[PE-ipsec-transform-set-tran1] quit
# Configure IKE peer 2.2.2.2 using aggressive mode (required here because the peers identify themselves by name). Aggressive mode with a pre-shared key exposes the identity and a keyed hash of the key to an on-path observer, so use a long random key instead of a short lab value like the one below.
[PE] ike peer 2.2.2.2
[PE-ike-peer-2.2.2.2] exchange-mode aggressive
[PE-ike-peer-2.2.2.2] pre-shared-key cipher h3c
[PE-ike-peer-2.2.2.2] id-type name
[PE-ike-peer-2.2.2.2] remote-name 2.2.2.2
# Enable NAT traversal for the IKE peer.
[PE-ike-peer-2.2.2.2] nat traversal
[PE-ike-peer-2.2.2.2] quit
# Configure IKE peer 3.3.3.3 using aggressive mode.
[PE] ike peer 3.3.3.3
[PE-ike-peer-3.3.3.3] exchange-mode aggressive
[PE-ike-peer-3.3.3.3] pre-shared-key cipher h3c
[PE-ike-peer-3.3.3.3] id-type name
[PE-ike-peer-3.3.3.3] remote-name 3.3.3.3
# Enable NAT traversal for the IKE peer.
[PE-ike-peer-3.3.3.3] nat traversal
[PE-ike-peer-3.3.3.3] quit
# Create IPsec policy entry branch 1 with IKE negotiation (isakmp), referencing ACL 3333, IKE peer 2.2.2.2 and transform set tran1.
[PE] ipsec policy branch 1 isakmp
[PE-ipsec-policy-isakmp-branch-1] security acl 3333
[PE-ipsec-policy-isakmp-branch-1] ike-peer 2.2.2.2
[PE-ipsec-policy-isakmp-branch-1] transform-set tran1
[PE-ipsec-policy-isakmp-branch-1] quit
# Create IPsec policy entry branch 2 with IKE negotiation (isakmp), referencing ACL 3334, IKE peer 3.3.3.3 and transform set tran1.
[PE] ipsec policy branch 2 isakmp
[PE-ipsec-policy-isakmp-branch-2] security acl 3334
[PE-ipsec-policy-isakmp-branch-2] ike-peer 3.3.3.3
[PE-ipsec-policy-isakmp-branch-2] transform-set tran1
[PE-ipsec-policy-isakmp-branch-2] quit
# Apply IPsec policy group branch and NAT multi-instance on interface Ethernet0/2 (its IP address was already configured above).
[PE] interface ethernet 0/2
[PE-Ethernet0/2] ipsec policy branch
[PE-Ethernet0/2] nat outbound 3000
[PE-Ethernet0/2] quit
# Configure a default route to the Internet for VPN instance vpna.
[PE] ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 ethernet0/2 20.1.1.254
# Configure a default route to the Internet in the public routing table.
[PE] ip route-static 0.0.0.0 0.0.0.0 20.1.1.254
# PE 1: configure the interface addresses.
<PE1> system-view
[PE1] interface loopback 0
[PE1-LoopBack0] ip address 2.2.2.2 255.255.255.255
[PE1-LoopBack0] quit
[PE1] interface loopback 100
[PE1-LoopBack100] ip address 100.2.2.2 255.255.255.255
[PE1-LoopBack100] quit
[PE1] interface ethernet 0/1
[PE1-Ethernet0/1] port link-mode route
[PE1-Ethernet0/1] ip address 10.1.1.2 255.255.255.0
[PE1-Ethernet0/1] quit
[PE1] interface ethernet 0/2
[PE1-Ethernet0/2] port link-mode route
[PE1-Ethernet0/2] ip address 20.1.1.2 255.255.255.0
[PE1-Ethernet0/2] quit
# Configure OSPF so that the backbone is reachable.
[PE1] ospf 1
[PE1-ospf-1] area 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure the MPLS LSR ID and enable MPLS and MPLS LDP.
[PE1] router id 2.2.2.2
[PE1] mpls lsr-id 2.2.2.2
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
# Enable MPLS and MPLS LDP on interface Ethernet0/1.
[PE1] interface ethernet 0/1
[PE1-Ethernet0/1] mpls
[PE1-Ethernet0/1] mpls ldp
[PE1-Ethernet0/1] quit
# Create VPN instance vpna and configure its RD and VPN target attributes.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 2:1
[PE1-vpn-instance-vpna] vpn-target 1:1 export-extcommunity
[PE1-vpn-instance-vpna] vpn-target 1:1 import-extcommunity
[PE1-vpn-instance-vpna] quit
# Establish MP-IBGP peer relationships between the PEs.
[PE1] bgp 100
[PE1-bgp] group 100 internal
[PE1-bgp] peer 100 connect-interface loopback0
[PE1-bgp] peer 1.1.1.1 group 100
[PE1-bgp] peer 3.3.3.3 group 100
# Enter BGP-VPN instance view and redistribute direct routes into the vpna routing table.
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-ipv4-vpna] import-route direct
[PE1-bgp-ipv4-vpna] quit
# Enter BGP-VPNv4 subaddress family view and enable peers 1.1.1.1 and 3.3.3.3.
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 100 enable
[PE1-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE1-bgp-af-vpnv4] peer 1.1.1.1 group 100
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE1-bgp-af-vpnv4] peer 3.3.3.3 group 100
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Set the local IKE gateway name to 2.2.2.2.
[PE1] ike local-name 2.2.2.2
# Create GRE tunnel interface Tunnel 0.
[PE1] interface tunnel 0
[PE1-Tunnel0] ip address 1.2.0.2 255.255.255.0
[PE1-Tunnel0] source 100.2.2.2
[PE1-Tunnel0] destination 100.1.1.1
# Enable GRE keepalive on the tunnel.
[PE1-Tunnel0] keepalive 10 3
# Enable MPLS on Tunnel 0.
[PE1-Tunnel0] mpls
[PE1-Tunnel0] quit
# Add Tunnel 0 to the OSPF network.
[PE1] ospf 1
[PE1-ospf-1] area 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 1.2.0.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure ACLs to define the traffic flows: ACL 3000 matches all traffic from VPN instance vpna (used by NAT), and ACL 3333 matches the GRE traffic to PE (used by IPsec).
[PE1] acl number 3000
[PE1-acl-adv-3000] rule 0 permit ip vpn-instance vpna
[PE1-acl-adv-3000] quit
[PE1] acl number 3333
[PE1-acl-adv-3333] rule 10 permit gre source 100.2.2.2 0 destination 100.1.1.1 0
[PE1-acl-adv-3333] quit
# Create IPsec transform set tran1 using tunnel-mode encapsulation and the ESP protocol.
[PE1] ipsec transform-set tran1
[PE1-ipsec-transform-set-tran1] encapsulation-mode tunnel
[PE1-ipsec-transform-set-tran1] transform esp
# Use SHA1 for authentication and DES for encryption (the same lab-grade algorithms as on PE; the transform sets must match on both ends).
[PE1-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[PE1-ipsec-transform-set-tran1] esp encryption-algorithm des
[PE1-ipsec-transform-set-tran1] quit
# Configure IKE peer 1.1.1.1 using aggressive mode.
[PE1] ike peer 1.1.1.1
[PE1-ike-peer-1.1.1.1] exchange-mode aggressive
[PE1-ike-peer-1.1.1.1] pre-shared-key cipher h3c
[PE1-ike-peer-1.1.1.1] id-type name
[PE1-ike-peer-1.1.1.1] remote-name 1.1.1.1
# Enable NAT traversal for the IKE peer.
[PE1-ike-peer-1.1.1.1] nat traversal
[PE1-ike-peer-1.1.1.1] quit
# Create IPsec policy entry center 1 with IKE negotiation (isakmp), referencing ACL 3333, IKE peer 1.1.1.1 and transform set tran1.
[PE1] ipsec policy center 1 isakmp
[PE1-ipsec-policy-isakmp-center-1] security acl 3333
[PE1-ipsec-policy-isakmp-center-1] ike-peer 1.1.1.1
[PE1-ipsec-policy-isakmp-center-1] transform-set tran1
[PE1-ipsec-policy-isakmp-center-1] quit
# Apply IPsec policy group center and NAT multi-instance on interface Ethernet0/2.
[PE1] interface ethernet 0/2
[PE1-Ethernet0/2] ipsec policy center
[PE1-Ethernet0/2] nat outbound 3000
[PE1-Ethernet0/2] quit
# Configure a default route to the Internet for VPN instance vpna.
[PE1] ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 ethernet0/2 20.1.1.254
# Configure a default route to the Internet in the public routing table.
[PE1] ip route-static 0.0.0.0 0.0.0.0 20.1.1.254
# PE 2: configure the interface addresses.
<PE2> system-view
[PE2] interface loopback 0
[PE2-LoopBack0] ip address 3.3.3.3 255.255.255.255
[PE2-LoopBack0] quit
[PE2] interface loopback 100
[PE2-LoopBack100] ip address 100.3.3.3 255.255.255.255
[PE2-LoopBack100] quit
[PE2] interface ethernet 0/1
[PE2-Ethernet0/1] port link-mode route
[PE2-Ethernet0/1] ip address 10.1.1.3 255.255.255.0
[PE2-Ethernet0/1] quit
[PE2] interface ethernet 0/2
[PE2-Ethernet0/2] port link-mode route
[PE2-Ethernet0/2] ip address 20.1.1.3 255.255.255.0
[PE2-Ethernet0/2] quit
# Configure OSPF so that the backbone is reachable.
[PE2] ospf 1
[PE2-ospf-1] area 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# Configure the MPLS LSR ID and enable MPLS and MPLS LDP.
[PE2] router id 3.3.3.3
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
# Enable MPLS and MPLS LDP on interface Ethernet0/1.
[PE2] interface ethernet 0/1
[PE2-Ethernet0/1] mpls
[PE2-Ethernet0/1] mpls ldp
[PE2-Ethernet0/1] quit
# Create VPN instance vpna and configure its RD and VPN target attributes.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 3:1
[PE2-vpn-instance-vpna] vpn-target 1:1 export-extcommunity
[PE2-vpn-instance-vpna] vpn-target 1:1 import-extcommunity
[PE2-vpn-instance-vpna] quit
# Establish MP-IBGP peer relationships between the PEs.
[PE2] bgp 100
[PE2-bgp] group 100 internal
[PE2-bgp] peer 100 connect-interface loopback0
[PE2-bgp] peer 1.1.1.1 group 100
[PE2-bgp] peer 2.2.2.2 group 100
# Enter BGP-VPN instance view and redistribute direct routes into the vpna routing table.
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-ipv4-vpna] import-route direct
[PE2-bgp-ipv4-vpna] quit
# Enter BGP-VPNv4 subaddress family view and enable peers 1.1.1.1 and 2.2.2.2.
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 100 enable
[PE2-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE2-bgp-af-vpnv4] peer 1.1.1.1 group 100
[PE2-bgp-af-vpnv4] peer 2.2.2.2 enable
[PE2-bgp-af-vpnv4] peer 2.2.2.2 group 100
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
# Set the local IKE gateway name to 3.3.3.3.
[PE2] ike local-name 3.3.3.3
# Create GRE tunnel interface Tunnel 0.
[PE2] interface tunnel 0
[PE2-Tunnel0] ip address 1.3.0.2 255.255.255.0
[PE2-Tunnel0] source 100.3.3.3
[PE2-Tunnel0] destination 100.1.1.1
# Enable GRE keepalive on the tunnel.
[PE2-Tunnel0] keepalive 10 3
# Enable MPLS on Tunnel 0.
[PE2-Tunnel0] mpls
[PE2-Tunnel0] quit
# Add Tunnel 0 to the OSPF network.
[PE2] ospf 1
[PE2-ospf-1] area 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 1.3.0.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
# Configure ACLs to define the traffic flows: ACL 3000 matches all traffic from VPN instance vpna (used by NAT), and ACL 3333 matches the GRE traffic to PE (used by IPsec).
[PE2] acl number 3000
[PE2-acl-adv-3000] rule 0 permit ip vpn-instance vpna
[PE2-acl-adv-3000] quit
[PE2] acl number 3333
[PE2-acl-adv-3333] rule 10 permit gre source 100.3.3.3 0 destination 100.1.1.1 0
[PE2-acl-adv-3333] quit
# Create IPsec transform set tran1 using tunnel-mode encapsulation and the ESP protocol.
[PE2] ipsec transform-set tran1
[PE2-ipsec-transform-set-tran1] encapsulation-mode tunnel
[PE2-ipsec-transform-set-tran1] transform esp
# Use SHA1 for authentication and DES for encryption (the same lab-grade algorithms as on PE; the transform sets must match on both ends).
[PE2-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[PE2-ipsec-transform-set-tran1] esp encryption-algorithm des
[PE2-ipsec-transform-set-tran1] quit
# Configure IKE peer 1.1.1.1 using aggressive mode.
[PE2] ike peer 1.1.1.1
[PE2-ike-peer-1.1.1.1] exchange-mode aggressive
[PE2-ike-peer-1.1.1.1] pre-shared-key cipher h3c
[PE2-ike-peer-1.1.1.1] id-type name
[PE2-ike-peer-1.1.1.1] remote-name 1.1.1.1
# Enable NAT traversal for the IKE peer.
[PE2-ike-peer-1.1.1.1] nat traversal
[PE2-ike-peer-1.1.1.1] quit
# Create IPsec policy entry center 1 with IKE negotiation (isakmp), referencing ACL 3333, IKE peer 1.1.1.1 and transform set tran1.
[PE2] ipsec policy center 1 isakmp
[PE2-ipsec-policy-isakmp-center-1] security acl 3333
[PE2-ipsec-policy-isakmp-center-1] ike-peer 1.1.1.1
[PE2-ipsec-policy-isakmp-center-1] transform-set tran1
[PE2-ipsec-policy-isakmp-center-1] quit
# Apply IPsec policy group center and NAT multi-instance on interface Ethernet0/2.
[PE2] interface ethernet 0/2
[PE2-Ethernet0/2] nat outbound 3000
[PE2-Ethernet0/2] ipsec policy center
[PE2-Ethernet0/2] quit
# Configure a default route to the Internet for VPN instance vpna.
[PE2] ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 ethernet0/2 20.1.1.254
# Configure a default route to the Internet in the public routing table.
[PE2] ip route-static 0.0.0.0 0.0.0.0 20.1.1.254
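Before moving on to verification, it pays to cross-check the three configurations mechanically. An IPsec policy entry that references the wrong ACL commits without any error, but the GRE packets of the affected tunnel are then never matched by IPsec and leave Ethernet0/2 in the clear, and a policy group that is never applied to an interface protects nothing. The Python script below is an added example written for this page, not H3C code: it reads the parts of a Comware-style configuration listing that matter here (ACLs, IKE peers, IPsec policies, tunnel endpoints, and the interfaces a policy group is applied to) and reports policies that reference a missing ACL or IKE peer, policy groups not applied to any interface, and tunnel flows not covered by an applied policy. The sample configurations embedded in it are constructed from this example's addresses; the hub's branch 2 entry deliberately references ACL 3333 instead of 3334 to show what the check reports.

```python
"""Added example (not from the H3C page): audit Comware-style PE configurations for
slips that leave a GRE-over-IPsec backup tunnel unencrypted or unable to come up.
Only the blocks the audit needs are read from 'display current-configuration' text;
the sample configurations at the bottom are constructed from the page's addresses."""
import re

# Block headers (kind, regex); group 1 names the block. Tunnel must precede iface.
HEADERS = [("acl", r"acl number (\d+)$"), ("ike", r"ike peer (\S+)$"),
           ("policy", r"ipsec policy (\S+ \d+) isakmp$"),
           ("tunnel", r"interface (Tunnel\d+)$"), ("iface", r"interface (\S+)$")]
# Indented lines kept per block kind: group 1 is the field, later groups the value.
SUBLINES = {"acl": r"rule (\d+) permit gre source (\S+) \S+ destination (\S+) \S+$",
            "ike": r"(remote-name) (\S+)$", "policy": r"(security acl|ike-peer) (\S+)$",
            "tunnel": r"(source|destination) (\S+)$", "iface": r"(ipsec policy) (\S+)$"}

def parse_config(text):
    """Return {kind: {block name: {field: value}}}; GRE rules become 'src->dst'."""
    cfg = {kind: {} for kind, _ in HEADERS}
    section = None  # (kind, name) of the block whose indented lines follow
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":  # '#' closes a block in Comware output
            section = None
            continue
        for kind, pat in HEADERS:
            if m := re.match(pat, line):
                section = (kind, m[1])
                cfg[kind].setdefault(m[1], {})
                break
        else:
            if section and (m := re.match(SUBLINES[section[0]], line)):
                cfg[section[0]][section[1]][m[1]] = "->".join(m.groups()[1:])
    return cfg

def audit(sites):
    """sites maps device name -> configuration text; returns sorted, deduplicated findings."""
    findings = set()
    for name, text in sites.items():
        cfg = parse_config(text)
        applied = {i.get("ipsec policy") for i in cfg["iface"].values()}
        protected = set()  # GRE flows that an applied policy actually encrypts
        for key, pol in cfg["policy"].items():  # key is e.g. 'branch 2'
            acl, peer, group = pol.get("security acl"), pol.get("ike-peer"), key.split()[0]
            if acl not in cfg["acl"]:
                findings.add(f"{name}: policy {key} references missing ACL {acl}")
            if peer not in cfg["ike"]:
                findings.add(f"{name}: policy {key} references missing IKE peer {peer}")
            if group not in applied:
                findings.add(f"{name}: policy group {group} is not applied to any interface")
            else:
                protected.update(cfg["acl"].get(acl, {}).values())
        for tname, tun in cfg["tunnel"].items():
            flow = f"{tun.get('source')}->{tun.get('destination')}"
            if flow not in protected:
                findings.add(f"{name}: GRE flow {flow} ({tname}) is not protected by an applied IPsec policy")
    return sorted(findings)

# Constructed hub configuration; 'branch 2' deliberately points at ACL 3333 instead of 3334.
PE_CFG = """
acl number 3333
 rule 10 permit gre source 100.1.1.1 0 destination 100.2.2.2 0
acl number 3334
 rule 20 permit gre source 100.1.1.1 0 destination 100.3.3.3 0
ike peer 2.2.2.2
ike peer 3.3.3.3
ipsec policy branch 1 isakmp
 security acl 3333
 ike-peer 2.2.2.2
ipsec policy branch 2 isakmp
 security acl 3333
 ike-peer 3.3.3.3
interface Ethernet0/2
 ipsec policy branch
interface Tunnel0
 source 100.1.1.1
 destination 100.2.2.2
interface Tunnel1
 source 100.1.1.1
 destination 100.3.3.3
"""
PE_CFG_FIXED = PE_CFG.replace(" security acl 3333\n ike-peer 3.3.3.3",
                              " security acl 3334\n ike-peer 3.3.3.3")

def branch_cfg(local, remote, peer):
    """Constructed branch fragment in the shape of the page's PE1/PE2 configuration."""
    return f"""
acl number 3333
 rule 10 permit gre source {local} 0 destination {remote} 0
ike peer {peer}
ipsec policy center 1 isakmp
 security acl 3333
 ike-peer {peer}
interface Ethernet0/2
 ipsec policy center
interface Tunnel0
 source {local}
 destination {remote}
"""

SITES = {"PE": PE_CFG, "PE1": branch_cfg("100.2.2.2", "100.1.1.1", "1.1.1.1"),
         "PE2": branch_cfg("100.3.3.3", "100.1.1.1", "1.1.1.1")}

if __name__ == "__main__":
    print(*audit(SITES), sep="\n")               # flags the unprotected Tunnel1 flow on PE
    print(audit({**SITES, "PE": PE_CFG_FIXED}))  # []
```

Run it against the output of `display current-configuration` saved from each PE (the page's collected configurations at the end of this example are in the accepted shape). The check is deliberately strict about what counts as protected: only an ACL referenced by a policy group that is actually applied to an interface counts, which is exactly the condition under which Comware encrypts a flow.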
# On the headquarters PE, ping the Internet address from VPN instance vpna to check that the VPN can reach the Internet.
<PE> ping -vpn-instance vpna 20.1.1.254
PING 20.1.1.254: 56 data bytes, press CTRL_C to break
Reply from 20.1.1.254: bytes=56 Sequence=0 ttl=255 time=1 ms
Reply from 20.1.1.254: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 20.1.1.254: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 20.1.1.254: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 20.1.1.254: bytes=56 Sequence=4 ttl=255 time=1 ms
--- 20.1.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
# On the headquarters PE, ping the Internet address from the public routing table.
<PE> ping 20.1.1.254
PING 20.1.1.254: 56 data bytes, press CTRL_C to break
Reply from 20.1.1.254: bytes=56 Sequence=0 ttl=255 time=1 ms
Reply from 20.1.1.254: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 20.1.1.254: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 20.1.1.254: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 20.1.1.254: bytes=56 Sequence=4 ttl=255 time=1 ms
--- 20.1.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
# View the MPLS LDP sessions on the headquarters PE. In this capture the session with PE 1 (2.2.2.2) is operational, while the session with PE 2 (3.3.3.3) has not been established; both sessions should be operational before the primary MPLS path is considered healthy.
<PE> display mpls ldp session
LDP Session(s) in Public Network
Total number of sessions: 2
------------------------------------------------------------------------------
Peer-ID Status SsnRole FT MD5 KA-Sent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational Passive Off Off 1665/1665
3.3.3.3:0 Non Existent Passive Off Off 0/0
------------------------------------------------------------------------------
FT : Fault Tolerance
# View the IKE peers on the headquarters PE.
<PE> display ike peer
---------------------------
IKE Peer: 2.2.2.2
exchange mode: aggressive on phase 1
pre-shared-key ******
peer id type: name
peer ip address: 20.1.1.2
local ip address:
peer name: 2.2.2.2
nat traversal: enable
dpd:
---------------------------
---------------------------
IKE Peer: 3.3.3.3
exchange mode: aggressive on phase 1
pre-shared-key ******
peer id type: name
peer ip address: 20.1.1.3
local ip address:
peer name: 3.3.3.3
nat traversal: enable
dpd:
---------------------------
· PE configuration:
#
ike local-name 1.1.1.1
#
router id 1.1.1.1
#
mpls lsr-id 1.1.1.1
#
ip vpn-instance vpna
route-distinguisher 1:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
acl number 3000
rule 0 permit ip vpn-instance vpna
acl number 3333
rule 10 permit gre source 100.1.1.1 0 destination 100.2.2.2 0
acl number 3334
rule 20 permit gre source 100.1.1.1 0 destination 100.3.3.3 0
#
mpls
#
mpls ldp
#
ike peer 2.2.2.2
exchange-mode aggressive
pre-shared-key cipher $c$3$Ata32mmg/Sqogxj2B8z1IPQRRS0cDA==
id-type name
remote-name 2.2.2.2
nat traversal
#
ike peer 3.3.3.3
exchange-mode aggressive
pre-shared-key cipher $c$3$jTaX3ShJo728rwzbWeHZl7raKsA2Mw==
id-type name
remote-name 3.3.3.3
nat traversal
#
ipsec transform-set tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm des
#
ipsec policy branch 1 isakmp
security acl 3333
ike-peer 2.2.2.2
transform-set tran1
#
ipsec policy branch 2 isakmp
security acl 3334
ike-peer 3.3.3.3
transform-set tran1
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface LoopBack100
ip address 100.1.1.1 255.255.255.255
#
interface Ethernet0/1
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Ethernet0/2
ip address 20.1.1.1 255.255.255.0
nat outbound 3000
ipsec policy branch
#
interface Tunnel0
ip address 1.2.0.1 255.255.255.0
source 100.1.1.1
destination 100.2.2.2
keepalive 10 3
mpls
#
interface Tunnel1
ip address 1.3.0.1 255.255.255.0
source 100.1.1.1
destination 100.3.3.3
keepalive 10 3
mpls
#
bgp 100
undo synchronization
group 100 internal
peer 100 connect-interface LoopBack0
peer 2.2.2.2 group 100
peer 3.3.3.3 group 100
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpnv4
peer 100 enable
peer 2.2.2.2 enable
peer 2.2.2.2 group 100
peer 3.3.3.3 enable
peer 3.3.3.3 group 100
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 1.2.0.0 0.0.0.255
network 1.3.0.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 20.1.1.254
ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 Ethernet0/2 20.1.1.254
· PE1 configuration:
#
ike local-name 2.2.2.2
#
router id 2.2.2.2
#
mpls lsr-id 2.2.2.2
#
ip vpn-instance vpna
route-distinguisher 2:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
acl number 3000
rule 0 permit ip vpn-instance vpna
acl number 3333
rule 10 permit gre source 100.2.2.2 0 destination 100.1.1.1 0
#
mpls
#
mpls ldp
#
ike peer 1.1.1.1
exchange-mode aggressive
pre-shared-key cipher $c$3$DeuU8f4NqT7u6cJ8E/+7jrXIyKGw/g==
id-type name
remote-name 1.1.1.1
nat traversal
#
ipsec transform-set tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm des
#
ipsec policy center 1 isakmp
security acl 3333
ike-peer 1.1.1.1
transform-set tran1
#
interface Ethernet0/1
port link-mode route
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet0/2
port link-mode route
nat outbound 3000
ip address 20.1.1.2 255.255.255.0
ipsec policy center
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
interface LoopBack100
ip address 100.2.2.2 255.255.255.255
#
interface Tunnel0
ip address 1.2.0.2 255.255.255.0
source 100.2.2.2
destination 100.1.1.1
keepalive 10 3
mpls
#
bgp 100
undo synchronization
group 100 internal
peer 100 connect-interface LoopBack0
peer 1.1.1.1 group 100
peer 3.3.3.3 group 100
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpnv4
peer 100 enable
peer 1.1.1.1 enable
peer 1.1.1.1 group 100
peer 3.3.3.3 enable
peer 3.3.3.3 group 100
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 1.2.0.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 20.1.1.254
ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 Ethernet0/2 20.1.1.254
· PE2 configuration:
#
ike local-name 3.3.3.3
#
router id 3.3.3.3
#
mpls lsr-id 3.3.3.3
#
ip vpn-instance vpna
route-distinguisher 3:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
acl number 3000
rule 0 permit ip vpn-instance vpna
acl number 3333
rule 10 permit gre source 100.3.3.3 0 destination 100.1.1.1 0
#
mpls
#
mpls ldp
#
ike peer 1.1.1.1
exchange-mode aggressive
pre-shared-key cipher $c$3$+InhNF72zvL32yKkCOdR5QkPhhZc9A==
id-type name
remote-name 1.1.1.1
nat traversal
#
ipsec transform-set tran1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm sha1
esp encryption-algorithm des
#
ipsec policy center 1 isakmp
security acl 3333
ike-peer 1.1.1.1
transform-set tran1
#
interface Ethernet0/1
port link-mode route
ip address 10.1.1.3 255.255.255.0
mpls
mpls ldp
#
interface Ethernet0/2
port link-mode route
nat outbound 3000
duplex full
ip address 20.1.1.3 255.255.255.0
ipsec policy center
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
interface LoopBack100
ip address 100.3.3.3 255.255.255.255
#
interface Tunnel0
ip address 1.3.0.2 255.255.255.0
source 100.3.3.3
destination 100.1.1.1
keepalive 10 3
mpls
#
bgp 100
undo synchronization
group 100 internal
peer 100 connect-interface LoopBack0
peer 1.1.1.1 group 100
peer 2.2.2.2 group 100
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpnv4
peer 100 enable
peer 1.1.1.1 enable
peer 1.1.1.1 group 100
peer 2.2.2.2 enable
peer 2.2.2.2 group 100
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 1.3.0.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 20.1.1.254
ip route-static vpn-instance vpna 0.0.0.0 0.0.0.0 Ethernet0/2 20.1.1.254
· H3C MSR Series Routers Command Reference (V5)-R2311
· H3C MSR Series Routers Configuration Guide (V5)-R2311