16-ADVPN配置
本章节下载: 16-ADVPN配置 (740.70 KB)
1.10.1 IPv4 Full-Mesh类型ADVPN典型配置举例
1.10.2 IPv6 Full-Mesh类型ADVPN典型配置举例
1.10.3 IPv4 Hub-Spoke类型ADVPN典型配置举例
1.10.4 IPv6 Hub-Spoke类型ADVPN典型配置举例
1.10.5 IPv4划分多个Hub组ADVPN典型配置举例
1.10.6 IPv6划分多个Hub组ADVPN典型配置举例
1.10.7 IPv4 Full-Mesh穿越NAT类型ADVPN典型配置举例
ADVPN(Auto Discovery Virtual Private Network,自动发现虚拟专用网络)是一种基于VAM(VPN Address Management,VPN地址管理)协议的动态VPN技术。VAM协议负责收集、维护和分发动态变化的公网地址等信息,采用Client/Server模型。ADVPN网络中的节点(称为ADVPN节点)作为VAM Client。当公网地址变化时,VAM Client将当前公网地址注册到VAM Server。ADVPN节点通过VAM协议从VAM Server获取另一端ADVPN节点的当前公网地址,从而实现在两个节点之间动态建立跨越IP核心网络的ADVPN隧道。
在企业网各分支机构使用动态地址接入公网的情况下,可以利用ADVPN在各分支机构间建立VPN。
ADVPN通过ADVPN域区分不同的VPN网络,ADVPN域由域ID来标识。属于同一个VPN的VAM Client需要规划到相同的ADVPN域中,且一个VAM Client只能属于一个ADVPN域;VAM Server可以同时为多个ADVPN域服务,管理多个ADVPN域的VAM Client。
ADVPN节点分为如下两类:
· Hub:ADVPN网络的中心设备。它是路由信息交换的中心。
· Spoke:ADVPN网络的分支设备,通常是企业分支机构的网关。该节点不会转发收到的其它ADVPN节点的数据。
根据数据转发方式的不同,ADVPN组网结构分为如下两种:
· Full-Mesh(全互联)网络:Spoke和Spoke之间可以建立隧道直接通信。
· Hub-Spoke网络:Spoke之间不能建立隧道直接通信,只能通过Hub转发数据。
当一个ADVPN域中的ADVPN节点数目较多时,由于某些原因(如动态路由协议邻居数限制等),Hub无法管理全部的ADVPN节点。此时,可以将ADVPN网络划分为多个Hub组,每个Hub组中包含一个或多个Hub,及一部分Spoke节点,以减轻Hub节点的负担。
如图1-1所示,在Full-Mesh网络中,Spoke向VAM Server注册后获得Spoke所属ADVPN域所在Hub组中Hub的信息,并与Hub建立永久的ADVPN隧道。当两个Spoke之间有数据报文交互时,Spoke从VAM Server获取对端Spoke的公网地址,并在Spoke之间直接建立隧道。Spoke之间的隧道是动态的,当在一段时间(Spoke-Spoke隧道空闲超时时间)内没有数据报文交互时,则删除该隧道。
图1-1 Full-Mesh网络示意图
如图1-2所示,在Hub-Spoke网络中,Spoke向VAM Server注册后获得Spoke所属ADVPN域所在Hub组中Hub的信息,并与Hub建立永久的ADVPN隧道。两个Spoke之间有数据报文交互时,该报文通过Hub转发,不会在Spoke之间建立隧道。Hub既作为路由信息交换的中心,又作为数据转发的中心。
图1-2 Hub-Spoke网络示意图
如图1-3所示,划分多个Hub组网络中,Hub组的划分方式为:
· 所有Hub必须属于同一个Hub组,该Hub组作为骨干区域。骨干区域采用Full-Mesh组网,即Hub向VAM Server注册后获得骨干区域中所有Hub的信息,并在每两个Hub之间都建立永久的ADVPN隧道。
· 将Spoke部署到除骨干区域外的其他Hub组中。这些Hub组内至少有1个Hub,可以使用Full-Mesh组网也可以使用Hub-Spoke组网。Spoke向VAM Server注册后获得Spoke所属ADVPN域所在Hub组中Hub的信息,并与Hub建立永久的ADVPN隧道。一个Hub组内的Spoke只与本组的Hub建立ADVPN隧道,不与其他Hub组的Hub建立ADVPN隧道。
同一个Hub组内,隧道建立方式和数据转发方式由其组网方式决定。不同Hub组间,数据需要通过本组的Hub转发到目的组的Hub,再由目的组Hub转发到对应的Spoke。
为了减少Hub跨组转发数据时的压力,可以允许不同组的Spoke直接建立隧道,但该隧道是动态的,当在一段时间(Spoke-Spoke隧道空闲超时时间)内没有数据报文交互时,则删除该隧道。
图1-3 划分多个Hub组网络示意图
ADVPN对VAM Server和VAM Client的地址具有一定要求:
· VAM Server只需要具有公网地址,且该公网地址必须静态配置,不能动态变化。
· VAM Client需要具有公网地址和私网地址。公网地址是VAM Client连接IP核心网络的接口的地址,既可以静态配置也可以动态获取。私网地址是ADVPN隧道接口的地址,必须静态配置。在同一个ADVPN域内,同一个Hub组内的VAM Client的私网地址应该属于同一个网段。
ADVPN的关键是通过VAM Client的私网地址获取动态变化的公网地址,以便建立ADVPN隧道、转发报文。ADVPN的工作过程分为连接初始化、注册、隧道建立、路由学习和报文转发四个阶段,下面对这四个阶段做简单说明。
如图1-4所示,连接初始化阶段用来协商完整性验证、加密算法及密钥,其过程为:
(1) Client通过连接请求报文将自己支持的完整性验证算法、加密算法等发送给Server。
(2) Server按照优先级从高到低的顺序从自己支持的算法列表中依次选择算法,与Client发送的算法列表进行匹配。如果存在相同的算法,则Server通过连接响应报文将该算法发送给Client;如果不存在相同的算法,则算法协商失败,断开连接。
(3) 如果协商结果为不对VAM协议报文进行加密或认证(Server上配置不需要加密或认证),则Server和Client不必生成加密密钥或完整性验证密钥。否则,Server和Client都根据预共享密钥生成加密密钥和完整性验证密钥。
(4) Client和Server分别利用生成的加密密钥和完整性验证密钥对初始化完成报文进行保护,并发送给对端。如果对端能够正确解密和验证该报文,则算法、密钥协商成功,后续的VAM协议报文都通过协商的算法和密钥进行保护。否则,协商失败,断开连接。
如图1-5所示,注册阶段的具体过程为:
(1) Client向Server发送注册请求报文,注册请求报文中包括Client的公网地址、私网地址、连接的私网网段等信息。
(2) Server收到注册请求报文后,根据配置决定是否对该Client进行身份认证。如果配置为不认证,则直接注册Client信息并向Client发送注册成功响应;如果配置为认证,Server向Client回应身份认证请求,并指明需要的认证方法。VAM支持PAP和CHAP两种认证方式。
(3) Client向Server提交自己的身份信息。
(4) Server通过AAA对Client进行认证和计费。认证和计费成功后,Server向Client发送注册成功响应报文,注册成功报文中携带Server下发给Client的Hub信息。
Spoke要和Hub建立永久隧道,一个Spoke可以和任意多个Hub建立永久隧道。如果在一个ADVPN域中有多个Hub,则Hub之间需要建立永久隧道。具体隧道建立流程如图1-6所示。
· Hub-Spoke隧道:Spoke收到Server下发的Hub信息后,检查与这些Hub之间是否存在隧道。如果隧道不存在,则向Hub发送隧道建立请求报文。
· Hub-Hub隧道:Hub收到Server下发的已注册成功的Hub信息后,检查与这些Hub之间是否存在隧道。如果隧道不存在,则向其发送隧道建立请求报文。
· Spoke-Spoke隧道:在Full-Mesh组网中,Spoke收到某个数据报文后,若没有查到相应的能够转发该报文的隧道,则会向Server发送地址解析请求,根据得到的地址解析响应向对端Spoke发起隧道建立请求。
(2) 隧道对端收到隧道建立请求后,保存隧道信息,并向请求发起方发送隧道建立成功响应报文。
ADVPN节点可以通过以下两种方式学习私网路由:
· 通过静态或动态路由协议学习:ADVPN网络连接的各个私网及ADVPN隧道接口上都需要配置静态路由或动态路由协议,实现私网路由的连通。ADVPN隧道建立以后,路由协议通过隧道进行邻居发现、路由更新,并建立路由表。ADVPN隧道可以看作是私网中的一条普通链路,负责连接不同的私网网段。完成私网路由的学习后,Spoke接收到它连接的私网用户访问其他私网的报文时,查找路由表找到私网下一跳的地址。Spoke通过VAM Server查询私网下一跳对应的公网地址,并将该公网地址作为隧道的目的地址对报文进行封装。封装后的报文通过ADVPN隧道发送给对端。
· 向VAM Server注册和查询私网网段:ADVPN节点将本地连接的私网网段信息注册到VAM Server。Spoke接收到它连接的私网用户访问其他私网的报文时,将报文的目的地址发送给VAM Server,通过VAM Server查询连接该目的地址所在私网网段的ADVPN节点的信息(包括ADVPN节点的公网和私网地址),并在本地生成到达该私网网段的路由,路由下一跳为该ADVPN节点。完成查询后,Spoke将查询到的ADVPN节点的公网地址作为隧道的目的地址对报文进行封装。封装后的报文通过ADVPN隧道发送给对端。
在ADVPN网络中,如果同时使用了上述两种私网路由学习方式,则Spoke接收到它连接的私网用户访问其他私网的报文时,会同时将私网路由的下一跳地址和报文的目的地址发送给VAM Server,VAM Server优先根据目的地址进行查询,即优先采用向VAM Server注册和查询私网网段方式。如果同时通过上述两种方式学习到了到达同一私网网段的路由,则优先选择路由优先级小的路由转发报文。
· 路由协议只在Hub和Spoke以及各Hub之间进行交互,在Spoke与Spoke之间不直接交换路由信息。
· ADVPN组网采用的是Full-Mesh网络还是Hub-Spoke网络,由路由决定。如果学习到的路由下一跳是对端Spoke,则为Full-Mesh网络;如果学习到的路由下一跳是Hub,则为Hub-Spoke网络。
当隧道发起方在NAT网关后侧时,则可以建立穿越NAT的Spoke-Spoke隧道;如果隧道接收方在NAT网关后侧,则数据包要由Hub转发,直到接收方发起隧道建立请求。如果双方都在NAT网关后侧,则它们都无法与对方建立隧道,所有的数据包都只能从Hub转发。
如果NAT网关采用Endpoint-Independent Mapping(不关心对端地址和端口转换模式),隧道接收方在NAT网关后侧时,也可以建立穿越NAT的Spoke-Spoke隧道。
通过在ADVPN隧道上应用QoS策略可以对ADVPN隧道进行流量控制。要在ADVPN隧道上应用QoS策略,需要在Spoke端的ADVPN隧道接口下配置ADVPN隧道组名,并在Hub端的ADVPN隧道接口下配置ADVPN隧道组名与QoS策略的对应关系,Spoke向Hub发送建立Hub-Spoke类型的隧道请求时,把配置的组名发送给Hub,Hub在ADVPN隧道接口上收到Spoke的隧道建立请求后,会解析其携带的ADVPN隧道组名,并根据组名查找配置的QoS策略对应关系,如果查找成功,则将会在该隧道接口上按照ADVPN隧道组名对应的QoS策略进行数据转发,如果查找失败则不应用QoS策略。
搭建ADVPN网络时,一般先配置VAM Server,然后配置Hub设备,最后配置Spoke设备。
表1-1 ADVPN配置任务简介
配置任务 |
说明 |
详细配置 |
|
VAM Server端的配置 |
配置AAA |
可选 |
|
配置VAM Server |
必选 |
||
VAM Client端的配置 |
配置VAM Client |
必选 |
|
配置ADVPN隧道 |
必选 |
||
配置路由 |
必选 |
||
配置IPsec保护ADVPN隧道报文 |
可选 |
VAM Server可以根据需要使用AAA对接入到ADVPN域的VAM Client进行身份认证,只有通过身份认证的VAM Client才可以接入到ADVPN域。
VAM Server端AAA的具体配置请参见“安全配置指导”中的“AAA”。
表1-2 VAM Server配置任务简介
配置任务 |
说明 |
详细配置 |
创建ADVPN域 |
必选 |
|
开启VAM Server功能 |
必选 |
|
配置VAM Server的预共享密钥 |
必选 |
|
配置Hub组 |
必选 |
|
配置VAM Server的监听端口号 |
可选 |
|
配置VAM协议报文的安全参数 |
可选 |
|
配置对VAM Client的身份认证方式 |
可选 |
|
配置Keepalive报文参数 |
可选 |
|
配置请求报文重传参数 |
可选 |
创建ADVPN域时必须指定一个唯一的ID。进入已经创建的ADVPN域时,不需要指定ID。
表1-3 创建ADVPN域
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
创建ADVPN域,并进入ADVPN域视图 |
vam server advpn-domain domain-name [ id domain-id ] |
缺省情况下,不存在任何ADVPN域 |
该配置用来开启服务器端ADVPN域的VAM Server功能。
操作 |
命令 |
说明 |
|
进入系统视图 |
system-view |
- |
|
开启VAM Server功能 |
开启所有或指定ADVPN域的VAM Server功能 |
vam server enable [ advpn-domain domain-name ] |
二者选其一 缺省情况下,VAM Server功能处于关闭状态 |
开启指定ADVPN域的VAM Server功能 |
vam server advpn-domain domain-name [ id domain-id ] |
||
server enable |
预共享密钥用于生成加密/完整性验证的密钥:
· 在连接初始化阶段预共享密钥用来生成验证和加密连接请求、连接响应报文的初始密钥。
· 如果选择对后续的报文进行加密和验证,则预共享密钥还用来生成验证和加密后续报文的连接密钥。
同一个ADVPN域内的VAM Server和VAM Client上配置的预共享密钥必须一致。VAM Client/VAM Server通过报文解密、完整性验证是否成功,可以判断二者的预共享密钥是否相同,从而实现对VAM Server/VAM Client的身份认证。
表1-5 配置VAM Server的预共享密钥
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入ADVPN域视图 |
vam server advpn-domain domain-name [ id domain-id ] |
- |
配置VAM Server的预共享密钥 |
pre-shared-key { cipher | simple } string |
缺省情况下,未配置VAM Server的预共享密钥 |
在大规模组网情况下,将ADVPN域划分为多个Hub组可以方便管理。创建Hub组后,可以按照Spoke的私网地址网段或地址范围,将Spoke划分到不同的Hub组中,并为每个Hub组指定一个或多个Hub。
当VAM Client向VAM Server注册时,根据VAM Client的私网地址将VAM Client划分到对应的ADVPN域Hub组中:
(1) 根据Hub组名称字典序依次匹配各Hub组内配置的Hub私网地址。
(2) 如果匹配上,则VAM Client为Hub,并被划分到该Hub组;如果VAM Client不是Hub,再根据Hub组名称字典序依次匹配各Hub组内配置的Spoke私网地址范围。
(3) 如果匹配上,则VAM Client为Spoke,并被划分到该Hub组;否则,VAM Client既不是Hub也不是Spoke,注册失败。
VAM Server只向VAM Client下发其所属的Hub组内的Hub信息。VAM Client只与本Hub组内的Hub建立永久ADVPN隧道。
表1-6 创建Hub组
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入ADVPN域视图 |
vam server advpn-domain domain-name [ id domain-id ] |
- |
创建Hub组,并进入Hub组视图 |
hub-group group-name |
缺省情况下,不存在Hub组 |
每个Hub组必须至少配置一个Hub私网地址。
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入ADVPN域视图 |
vam server advpn-domain domain-name [ id domain-id ] |
- |
进入Hub组视图 |
hub-group group-name |
- |
配置Hub的私网地址 |
hub private-address private-ip-address [ public-address { public-ip-address | public-ipv6-address } [ advpn-port port-number ] ] |
二者选其一 缺省情况下,没有配置Hub私网地址 |
hub ipv6 private-address private-ipv6-address [ public-address { public-ip-address | public-ipv6-address } [ advpn-port port-number ] ] |
每个Hub组可以配置多个Spoke的IPv4和IPv6私网地址范围,将按照地址从低到高的顺序排列。
表1-8 配置Spoke的地址范围
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入ADVPN域视图 |
vam server advpn-domain domain-name [ id domain-id ] |
- |
进入Hub组视图 |
hub-group group-name |
- |
配置Spoke的私网地址范围 |
spoke private-address { network ip-address { mask-length | mask } | range start-address end-address } |
二者选其一 缺省情况下,没有配置Spoke的私网地址范围 |
spoke ipv6 private-address { network prefix prefix-length | range start-ipv6-address end-ipv6-address } |
如果配置了跨Hub组建立Spoke-Spoke直连隧道的规则,则在Hub上线后,VAM Server将指定的规则下发到Hub。在Hub转发私网数据报文的同时,会将数据报文与收到的规则进行匹配。如果匹配成功,Hub向发送该数据报文的Spoke发送重定向报文。Spoke收到重定向报文后,将被重定向的数据报文的目的地址发送给VAM Server,向VAM Server查询连接该目的地址所在私网网段的Spoke节点的信息,并与该Spoke建立直连隧道。
跨Hub组Spoke-Spoke直连隧道建立前,数据报文仍由Hub进行转发。直连隧道建立后,数据报文将直接发送到直连路由下一跳所对应的Spoke,而不再经过Hub中转。
表1-9 配置跨Hub组建立Spoke-Spoke直连隧道的规则
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入ADVPN域视图 |
vam server advpn-domain domain-name [ id domain-id ] |
- |
进入Hub组视图 |
hub-group group-name |
- |
配置跨Hub组建立Spoke-Spoke直连隧道的规则 |
shortcut interest { acl { acl-number | name acl-name } | all } |
二者选其一 缺省情况下,没有配置跨Hub组建立Spoke-Spoke直连隧道的规则,不允许跨Hub组建立Spoke-Spoke直连隧道 |
shortcut ipv6 interest { acl { ipv6-acl-number | name ipv6-acl-name } | all } |
VAM Server的监听端口号与VAM Client上指定的VAM Server的端口号必须一致。
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
配置VAM Server的监听端口号 |
vam server listen-port port-number |
缺省情况下,VAM Server的监听端口号为18000 |
该配置用来设置VAM协议报文的验证、加密算法。VAM Server根据配置的报文完整性验证、加密算法以及优先级与VAM Client发送的算法列表进行协商,协商后的算法分别作为两端协议报文的完整性验证算法和加密算法。
需要注意的是:
· VAM Server与VAM Client固定使用SHA-1验证算法和AES-CBC-128加密算法对连接初始化请求和响应报文进行完整性验证和加密;使用协商出来的验证算法和加密算法对其他VAM协议报文进行完整性验证和加密。
· 验证/加密算法在配置中的出现顺序决定其使用优先级。配置中越靠前的验证/加密算法,其优先级越高。
· 修改验证/加密算法对已经注册的VAM Client没有影响,新注册的VAM Client将采用修改后的算法进行协商。
表1-11 配置VAM协议报文的安全参数
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入ADVPN域视图 |
vam server advpn-domain domain-name [ id domain-id ] |
- |
配置VAM协议报文的验证算法 |
authentication-algorithm { aes-xcbc-mac | md5 | none | sha-1 | sha-256 } * |
缺省情况下,VAM协议报文的验证算法为SHA-1 |
配置VAM协议报文的加密算法 |
encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | des-cbc | none } * |
缺省情况下,按照优先级由高到低依次使用AES-CBC-256、AES-CBC-192、AES-CBC-128、AES-CTR-256、AES-CTR-192、AES-CTR-128、3DES-CBC、DES-CBC算法 |
该配置用来设置VAM Server对VAM Client的认证方式。目前,只支持PAP和CHAP两种身份验证方式。
如果配置时指定的认证ISP域不存在,则VAM Server对VAM Client的身份认证会失败。
修改认证方式对已经注册的VAM Client没有影响,新注册的VAM Client将按照修改后的认证方式进行身份认证。
表1-12 配置对VAM Client的身份认证方式
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入ADVPN域视图 |
vam server advpn-domain domain-name [ id domain-id ] |
- |
配置VAM Server对VAM Client的身份认证方式 |
authentication-method { none | { chap | pap } [ domain isp-name ] } |
缺省情况下,VAM Server使用CHAP方式,对VAM Client进行身份认证,认证使用的ISP域为用户配置的系统默认域 |
VAM Client和VAM Server之间通过Keepalive报文保持联系。该配置用来设置VAM Client发送Keepalive报文的时间间隔和重发次数。当VAM Client注册成功后,VAM Server会将配置的参数在注册响应中下发给VAM Client,同一个ADVPN域中所有VAM Client的Keepalive报文参数都是相同的。
VAM Client按照VAM Server指定的时间间隔向VAM Server发送Keepalive报文,VAM Server收到Keepalive报文后回复响应报文。当Keepalive报文的重发次数达到指定的值仍没有收到VAM Server的响应时,VAM Client认为与VAM Server的连接中断,不再发送Keepalive报文。当VAM Server在时间间隔×重发次数的时间内没有收到VAM Client的Keepalive报文,则认为与VAM Client的连接中断,会删除该VAM Client的信息并将其下线。
如果VAM Server改变Keepalive报文参数,则修改后的参数只对新注册的VAM Client生效,已经注册的VAM Client不受影响。
如果VAM Server与VAM Client间存在配置了动态NAT的设备,则Keepalive报文的发送时间间隔应小于NAT表项的老化时间,从而保证NAT表项不会老化。
请根据实际组网情况,合理配置VAM Client发送Keepalive报文的时间间隔和重发次数。
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入ADVPN域视图 |
vam server advpn-domain domain-name [ id domain-id ] |
- |
配置VAM Client向VAM Server发送Keepalive报文的时间间隔和重试次数 |
keepalive interval interval retry retries |
缺省情况下,VAM Client发送Keepalive报文的时间间隔为180秒,重试次数是3次 |
VAM Server向VAM Client发送请求报文后,如果在指定的时间间隔内没有收到响应报文,VAM Server将重新发送该请求报文,直到收到响应报文或者VAM Client Keepalive超时(即VAM Server在Keepalive报文发送时间间隔×重发次数的时间内没有收到VAM Client的Keepalive报文)为止。
表1-14 配置报文重传参数
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入ADVPN域视图 |
vam server advpn-domain domain-name [ id domain-id ] |
- |
配置VAM Server重发请求报文的时间间隔 |
retry interval interval |
缺省情况下,VAM Server重发请求报文的时间间隔为5秒 |
表1-15 VAM Client配置任务简介
配置任务 |
说明 |
详细配置 |
创建VAM Client |
必选 |
|
开启VAM Client功能 |
必选 |
|
配置VAM Server的地址 |
必选 |
|
配置VAM Client所属的ADVPN域 |
必选 |
|
配置VAM Client的预共享密钥 |
必选 |
|
配置请求报文重传参数 |
可选 |
|
配置VAM Client连接超时的静默时间 |
可选 |
|
配置认证用户名和密码 |
可选 |
表1-16 创建VAM Client
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
创建VAM Client,并进入VAM Client视图 |
vam client name client-name |
缺省情况下,没有配置VAM Client |
表1-17 开启VAM Client功能
操作 |
命令 |
说明 |
|
进入系统视图 |
system-view |
- |
|
开启VAM Client功能 |
开启所有或指定VAM Client的VAM Client功能 |
vam client enable [ name client-name ] |
二者选其一 缺省情况下, VAM Client功能处于关闭状态 |
开启指定VAM Client的VAM Client功能 |
vam client name client-name |
||
client enable |
可以为一个VAM Client配置两个VAM Server,一个主VAM Server,一个备VAM Server。VAM Client会同时向主VAM Server和备VAM Server进行注册,如果都注册成功,VAM Client会优先使用先注册成功的VAM Server向其下发的信息。当该VAM Server故障时,VAM Client再使用另外一个VAM Server下发的信息。
如果主VAM Server和备VAM Server的地址相同(配置了相同的地址或通过域名解析到相同的地址),则只有主VAM Server有效。
VAM Client上指定的VAM Server端口号,必须和VAM Server上配置的监听端口号一致。
表1-18 配置VAM Server的地址
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入VAM Client视图 |
vam client name client-name |
- |
配置主VAM Server的地址 |
server primary { ip-address ip-address | ipv6-address ipv6-address | name host-name } [ port port-number ] |
缺省情况下,没有配置主VAM Server的地址 |
(可选)配置备VAM Server的地址 |
server secondary { ip-address ip-address | ipv6-address ipv6-address | name host-name } [ port port-number ] |
缺省情况下,没有配置备VAM Server的地址 |
表1-19 配置VAM Client所属的ADVPN域
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入VAM Client视图 |
vam client name client-name |
- |
配置VAM Client所属的ADVPN域 |
advpn-domain domain-name |
缺省情况下,VAM Client不属于任何ADVPN域 |
预共享密钥用于生成加密/完整性验证的密钥:
· 在连接初始化阶段预共享密钥用来生成验证和加密连接请求、连接响应报文的初始密钥。
· 如果选择对后续的报文进行加密和验证,则预共享密钥还用来生成验证和加密后续报文的连接密钥。
同一个ADVPN域内的VAM Client和VAM Server上配置的预共享密钥必须一致。VAM Client/VAM Server通过报文解密、完整性验证是否成功,可以判断二者的预共享密钥是否相同,从而实现对VAM Server/VAM Client的身份认证。
表1-20 配置VAM Client的预共享密钥
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入VAM Client视图 |
vam client name client-name |
- |
配置VAM Client的预共享密钥 |
pre-shared-key { cipher | simple } string |
缺省情况下,无预共享密钥 |
VAM Client向VAM Server发送请求报文后,如果在指定的时间间隔内没有收到响应报文,VAM Client将重新发送请求报文。如果重新发送请求报文的次数超过指定的重发次数,则VAM Client认为VAM Server不可达。
需要注意的是:
· 私网注册请求报文和节点信息更新请求报文不受重发次数的限制,将会按照指定的时间间隔一直发送,直至VAM Client下线。
· VAM Client发送Keepalive报文的时间间隔和重发次数由VAM Server的配置决定。
表1-21 配置VAM协议报文重传参数
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入VAM Client视图 |
vam client name client-name |
- |
配置VAM协议报文重传参数 |
retry interval interval count retries |
缺省情况下,VAM协议报文重发间隔时间为5秒,重传次数为3次 |
VAM Client在与VAM Server连接超时后,会进入静默状态,此时VAM Client不处理任何报文。当静默时间到达后,VAM Client将重新发起连接请求。
表1-22 配置VAM Client连接超时的静默时间
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入VAM Client视图 |
vam client name client-name |
- |
配置VAM Client连接超时的静默时间 |
dumb-time time-interval |
缺省情况下,VAM Client连接超时的静默时间为120秒 |
配置VAM Client的用户名和密码,用于向VAM Server进行身份认证。
表1-23 配置认证用户和密码
操作 |
命令 |
说明 |
进入系统视图 |
system-view |
- |
进入VAM Client视图 |
vam client name client-name |
- |
配置认证用户名和密码 |
user username password { cipher | simple } string |
缺省情况下,没有配置认证用户名和密码 |
关于Tunnel接口的详细介绍,请参见“三层技术-IP业务配置指导”中的“隧道”。关于interface tunnel、source和tunnel dfbit enable命令以及Tunnel接口下更多配置命令的详细介绍,请参见“三层技术-IP业务命令参考”中的“隧道”。
表1-24 配置ADVPN隧道
操作 |
命令 |
说明 |
|
进入系统视图 |
system-view |
- |
|
创建ADVPN隧道类型的Tunnel接口,并进入Tunnel接口视图 |
interface tunnel number [ mode advpn { gre | udp } [ ipv6 ] ] |
缺省情况下,不存在任何Tunnel接口 在隧道的两端应配置相同的隧道模式,否则可能造成报文传输失败 |
|
配置Tunnel接口的私网地址 |
ip address ip-address { mask | mask-length } [ sub ] |
二者至少选其一 缺省情况下,Tunnel接口上没有配置私网地址 在同一个Hub组中,所有Tunnel接口的地址应该配置为同一个网段 |
|
ipv6 address ipv6-address prefix-length |
|||
配置ADVPN隧道的源端地址或源接口 |
source { ip-address | interface-type interface-number } |
缺省情况下,没有配置ADVPN隧道的源端地址和源接口 如果设置的是源端地址,则该地址将作为封装后隧道报文的源地址;如果设置的是源接口,则该接口的地址将作为封装后隧道报文的源地址 |
|
(可选)设置封装后隧道报文的DF(Don’t Fragment,不分片)标志 |
tunnel dfbit enable |
缺省情况下,未设置隧道报文的不分片标志,即转发隧道报文时允许分片 |
|
(可选)配置ADVPN报文的源UDP端口号 |
advpn source-port port-number |
缺省情况下,ADVPN报文的源UDP端口号为18001 本命令只有在UDP封装模式的ADVPN隧道类型的Tunnel接口下才能配置 如果Tunnel接口下执行vam client命令时指定了compatible参数,则该Tunnel接口配置的源端口号必须和其他Tunnel接口不同 |
|
配置Tunnel接口绑定的VAM Client |
vam client client-name [ compatible advpn0 ] |
缺省情况下,Tunnel隧道接口没有绑定任何VAM Client 一个VAM Client只能与一个IPv4 ADVPN类型的Tunnel接口绑定 一个VAM Client只能与一个IPv6 ADVPN隧道类型的Tunnel接口绑定 |
|
vam ipv6 client client-name |
|||
(可选)配置ADVPN隧道的私网信息 |
advpn network ip-address { mask-length | mask } [ preference preference-value ] |
缺省情况下,没有配置ADVPN隧道的私网信息 私网路由的优先级建议高于其他动态路由协议,低于静态路由 |
|
advpn ipv6 network prefix prefix-length [ preference preference-value ] |
|||
(可选)配置ADVPN隧道的Keepalive报文发送周期及最大发送次数 |
keepalive interval interval retry retries |
缺省情况下,ADVPN隧道的Keepalive报文发送周期为180秒,最大发送次数为3次 在同一个ADVPN域中,所有Tunnel接口的Keepalive报文发送周期及最大发送次数必须一致 |
|
(可选)配置Spoke-Spoke类型ADVPN隧道的空闲超时时间 |
advpn session idle-time time-interval |
缺省情况下,Spoke-Spoke类型ADVPN隧道的空闲超时时间为600秒 修改此参数,已经建立的Spoke-Spoke类型ADVPN隧道会使用修改后的参数值重新开始计时 |
|
(可选)配置ADVPN隧道建立失败的静默时间 |
advpn session dumb-time time-interval |
缺省情况下,ADVPN隧道建立失败的静默时间为120秒 修改此参数后,已经建立的ADPVN隧道不会改变静默时间,之后建立的ADPVN隧道会使用修改后的静默时间 |
|
(可选)配置ADVPN隧道的组名 |
advpn group group-name |
缺省情况下,未配置ADVPN隧道的组名 在Spoke上进行此配置 |
|
(可选)配置ADVPN隧道组名与QoS策略的对应关系 |
advpn map group group-name qos-policy policy-name outbound |
缺省情况下,未配置ADVPN隧道组名与QoS策略的对应关系 在Hub上进行此配置 |
如果设备上配置了多个使用GRE封装的ADVPN隧道接口,且隧道的源端地址或源接口相同时,不同GRE封装的ADVPN隧道接口的GRE Key必须不同。关于GRE Key的详细介绍请参见“三层技术-IP业务配置指导”中的“GRE”。
ADVPN客户端IPv4私网支持的路由协议为OSPF和BGP:
· 采用OSPF路由协议时,如果是Full-Mesh网络,OSPF接口的网络类型需要配置为broadcast;如果是Hub-Spoke网络,OSPF接口的网络类型需要配置为p2mp。OSPF的具体配置请参见“三层技术-IP路由配置指导”中的“OSPF”。
· 采用BGP路由协议时,如果是Full-Mesh网络,需要通过路由策略等配置,保证一端Spoke学习到的到达对端私网路由的下一跳为对端Spoke的地址(EBGP不支持Full-Mesh网络);如果是Hub-Spoke网络,需要通过路由策略等配置,保证一端Spoke学习到的到达对端私网路由的下一跳为Hub的地址。BGP和路由策略的具体配置请参见“三层技术-IP路由配置指导”中的“BGP”和“路由策略”。
ADVPN客户端IPv6私网支持的路由协议为OSPFv3和IPv6 BGP:
· 采用OSPFv3路由协议时,如果是Full-Mesh网络,OSPFv3接口的网络类型需要配置为broadcast;如果是Hub-Spoke网络,OSPFv3接口的网络类型需要配置为p2mp。OSPFv3的具体配置请参见“三层技术-IP路由配置指导”中的“OSPFv3”
· 采用IPv6 BGP路由协议时,如果是Full-Mesh网络,需要通过路由策略等配置,保证一端Spoke学习到的到达对端私网路由的下一跳为对端Spoke的地址(EBGP不支持Full-Mesh网络);如果是Hub-Spoke网络,需要通过路由策略等配置,保证一端Spoke学习到的到达对端私网路由的下一跳为Hub的地址。IPv6 BGP和路由策略的具体配置请参见“三层技术-IP路由配置指导”中的“BGP”和“路由策略”。
设备支持用IPsec安全框架来保护ADVPN隧道数据报文和控制报文的传递,其基本配置思路如下:
(1) 配置IPsec安全提议:指定安全协议、认证算法和加密算法、封装模式等。
(2) 配置IKE协商方式的IPsec安全框架。
(3) 在ADVPN隧道接口上应用IKE协商方式的IPsec安全框架。
详细配置请参见“安全配置指导”中的“IPsec”。
在完成上述配置后,在任意视图下执行display命令可以显示配置后ADVPN的运行情况,通过查看显示信息验证配置的效果。
在用户视图下,执行reset命令可以清除相应的统计信息。
表1-25 ADVPN显示和维护
操作 |
命令 |
|
|
显示注册到VAM Server上的VAM Client的IPv4私网地址和公网地址映射信息 |
display vam server address-map [ advpn-domain domain-name [ private-address private-ip-address ] ] [ verbose ] |
|
|
显示注册到VAM Server上的VAM Client的IPv6私网地址和公网地址映射信息 |
display vam server ipv6 address-map [ advpn-domain domain-name [ private-address private-ipv6-address ] ] [ verbose ] |
|
|
显示注册到VAM Server上的VAM Client的IPv4私网信息 |
display vam server private-network [ advpn-domain domain-name [ private-address private-ip-address ] ] |
|
|
显示注册到VAM Server上的VAM Client的IPv6私网信息 |
display vam server ipv6 private-network [ advpn-domain domain-name [ private-address private-ipv6-address ] ] |
|
|
显示VAM Server上ADVPN域的统计信息 |
display vam server statistics [ advpn-domain domain-name ] |
|
|
显示VAM Client的状态机信息 |
display vam client fsm [ name client-name ] |
|
|
显示VAM Client的统计信息 |
display vam client statistics [ name client-name ] |
|
|
显示VAM Client收到的VAM Server下发的跨Hub组建立IPv4 Spoke-Spoke直连隧道的规则 |
display vam client shortcut interest [ name client-name ] |
|
|
显示VAM Client收到的VAM Server下发的跨Hub组建立IPv6 Spoke-Spoke直连隧道的规则 |
display vam client shortcut ipv6 interest [ name client-name ] |
|
|
显示ADVPN隧道组名与QoS策略的对应关系 |
display advpn group-qos-map [ interface tunnel number [ group group-name ] ] |
||
显示IPv4 ADVPN隧道的信息 |
display advpn session [ interface tunnel number [ private-address private-ip-address ] ] [ verbose ] |
|
|
显示IPv6 ADVPN隧道的信息 |
display advpn ipv6 session [ interface tunnel number [ private-address private-ipv6-address ] ] [ verbose ] |
|
|
显示不同状态下ADVPN会话的个数 |
display advpn session count |
|
|
清除注册到VAM Server上的IPv4私网地址和公网地址映射信息 |
reset vam server address-map [ advpn-domain domain-name [ private-address private-ip-address ] ] |
|
|
清除注册到VAM Server上的IPv6私网地址和公网地址映射信息 |
reset vam server ipv6 address-map [ advpn-domain domain-name [ private-address private-ipv6-address ] ] |
|
|
清除VAM Server上ADVPN域的统计信息 |
reset vam server statistics [ advpn-domain domain-name ] |
|
|
重置VAM Client的状态机 |
reset vam client [ ipv6 ] fsm [ name client-name ] |
|
|
清除VAM Client的统计信息 |
reset vam client statistics [ name client-name ] |
|
|
删除IPv4 ADVPN隧道 |
reset advpn session statistics [ interface tunnel number [ private-address private-ip-address ] ] |
|
|
删除IPv6 ADVPN隧道 |
reset advpn ipv6 session statistics [ interface tunnel number [ private-address private-ipv6-address ] ] |
|
|
清除IPv4 ADVPN隧道的统计信息 |
reset advpn session statistics [ interface tunnel number [ private-address private-ip-address ] ] |
|
|
清除IPv6 ADVPN隧道的统计信息 |
reset advpn ipv6 session statistics [ interface tunnel number [ private-address private-ipv6-address ] ] |
|
|
· 在IPv4 Full-Mesh的组网方式下,主、备VAM Server负责管理、维护各个节点的信息;AAA服务器负责对VAM Client进行认证和计费管理;两个Hub互为备份,负责数据的转发和路由信息的交换。
· Spoke与Hub之间建立永久的ADVPN隧道。
· 同一ADVPN域中,任意的两个Spoke之间在有数据时动态建立ADVPN隧道。
图1-7 IPv4 Full-Mesh类型ADVPN组网图
设备 |
接口 |
IP地址 |
设备 |
接口 |
IP地址 |
Hub 1 |
GE0/1 |
1.0.0.1/24 |
Spoke 1 |
GE0/1 |
1.0.0.3/24 |
|
Tunnel1 |
192.168.0.1/24 |
|
GE0/2 |
192.168.1.1/24 |
Hub 2 |
GE0/1 |
1.0.0.2/24 |
|
Tunnel1 |
192.168.0.3/24 |
|
Tunnel1 |
192.168.0.2/24 |
Spoke 2 |
GE0/1 |
1.0.0.4/24 |
AAA server |
|
1.0.0.10/24 |
|
GE0/2 |
192.168.2.1/24 |
Primary server |
GE0/1 |
1.0.0.11/24 |
|
Tunnel1 |
192.168.0.4/24 |
Secondary server |
GE0/1 |
1.0.0.12/24 |
|
|
|
(1) 配置主VAM Server
· 配置各个接口的IP地址(略)
· 配置AAA认证
# 配置RADIUS方案。
<PrimaryServer> system-view
[PrimaryServer] radius scheme abc
[PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812
[PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813
[PrimaryServer-radius-abc] key authentication simple 123
[PrimaryServer-radius-abc] key accounting simple 123
[PrimaryServer-radius-abc] user-name-format without-domain
[PrimaryServer-radius-abc] quit
[PrimaryServer] radius session-control enable
# 配置ISP域的AAA方案。
[PrimaryServer] domain abc
[PrimaryServer-isp-abc] authentication advpn radius-scheme abc
[PrimaryServer-isp-abc] accounting advpn radius-scheme abc
[PrimaryServer-isp-abc] quit
[PrimaryServer] domain default enable abc
· 配置VAM Server
# 创建ADVPN域abc。
[PrimaryServer] vam server advpn-domain abc id 1
# 创建Hub组0。
[PrimaryServer-vam-server-domain-abc] hub-group 0
# 指定Hub组内Hub的IPv4私网地址。
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# 指定Hub组内Spoke的IPv4私网地址范围。
[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0
[PrimaryServer-vam-server-domain-abc-hub-group-0] quit
# 配置VAM Server的预共享密钥为123456。
[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456
# 配置对VAM Client进行CHAP认证。
[PrimaryServer-vam-server-domain-abc] authentication-method chap
# 开启该ADVPN域的VAM Server功能。
[PrimaryServer-vam-server-domain-abc] server enable
[PrimaryServer-vam-server-domain-abc] quit
(2) 配置备VAM Server
除IP地址外,备VAM Server的ADVPN配置与主VAM Server相同,不再赘述。
(3) 配置Hub1
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub1。
<Hub1> system-view
[Hub1] vam client name Hub1
# 配置VAM Client所属的ADVPN域为abc。
[Hub1-vam-client-Hub1] advpn-domain abc
# 配置VAM Client的预共享密钥为123456。
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub1,密码为hub1。
[Hub1-vam-client-Hub1] user hub1 password simple hub1
# 配置VAM Server的IP地址。
[Hub1-vam-client-Hub1] server primary ip-address 1.0.0.11
[Hub1-vam-client-Hub1] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# 配置IPsec安全框架。
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv4 ADVPN隧道接口Tunnel1。
[Hub1] interface tunnel1 mode advpn gre
[Hub1-Tunnel1] ip address 192.168.0.1 255.255.255.0
[Hub1-Tunnel1] vam client Hub1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] source gigabitethernet 0/1
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] quit
(4) 配置Hub2
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub2。
<Hub2> system-view
[Hub2] vam client name Hub2
# 配置VAM Client所属的ADVPN域为abc。
[Hub2-vam-client-Hub2] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub2-vam-client-Hub2] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为Hub2,密码为Hub2。
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# 配置VAM Server的IP地址。
[Hub2-vam-client-Hub2] server primary ip-address 1.0.0.11
[Hub2-vam-client-Hub2] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# 配置IPsec安全框架。
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv4 ADVPN隧道接口Tunnel1。
[Hub2] interface tunnel 1 mode advpn gre
[Hub2-Tunnel1] ip address 192.168.0.2 255.255.255.0
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] source gigabitethernet 0/1
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit
(5) 配置Spoke1
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke1。
<Spoke1> system-view
[Spoke1] vam client name Spoke1
# 配置VAM Client所属的ADVPN域为abc。
[Spoke1-vam-client-Spoke1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke1,密码为spoke1。
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# 配置VAM Server的IP地址。
[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11
[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Spoke1] ospf 1
[Spoke1-ospf-1] area 0
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv4 ADVPN隧道接口Tunnel1。将Spoke1的DR优先级配置为0,以使Spoke1不参与DR/BDR选举。
[Spoke1] interface tunnel1 mode advpn gre
[Spoke1-Tunnel1] ip address 192.168.0.3 255.255.255.0
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source gigabitethernet 0/1
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit
(6) 配置Spoke2
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke2。
<Spoke2> system-view
[Spoke2] vam client name Spoke2
# 配置VAM Client所属的ADVPN域为abc。
[Spoke2-vam-client-Spoke2] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke2,密码为spoke2。
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# 配置VAM Server的IP地址。
[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11
[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Spoke2] ospf 1
[Spoke2-ospf-1] area 0
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv4 ADVPN隧道接口Tunnel1。将Spoke2的DR优先级配置为0,以使Spoke2不参与DR/BDR选举。
[Spoke2] interface tunnel1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] source gigabitethernet 0/1
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit
# 显示注册到主VAM Server的所有VAM Client的IPv4私网地址映射信息。
[PrimaryServer] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.0.0.1 Hub No 0H 52M 7S
0 192.168.0.2 1.0.0.2 Hub No 0H 47M 31S
0 192.168.0.3 1.0.0.3 Spoke No 0H 28M 25S
0 192.168.0.4 1.0.0.4 Spoke No 0H 19M 15S
# 显示注册到备VAM Server的所有VAM Client的IPv4私网地址映射信息。
[SecondaryServer] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.0.0.1 Hub No 0H 52M 7S
0 192.168.0.2 1.0.0.2 Hub No 0H 47M 31S
0 192.168.0.3 1.0.0.3 Spoke No 0H 28M 25S
0 192.168.0.4 1.0.0.4 Spoke No 0H 19M 15S
以上显示信息表示Hub1、Hub2、Spoke1和Spoke2均已将地址映射信息注册到VAM Server。
# 显示Hub1上的IPv4 ADVPN隧道信息。
[Hub1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.2 1.0.0.2 -- H-H Success 0H 46M 8S
192.168.0.3 1.0.0.3 -- H-S Success 0H 27M 27S
192.168.0.4 1.0.0.4 -- H-S Success 0H 18M 18S
以上显示信息表示Hub1与Hub2、Spoke1、Spoke2建立了永久隧道。Hub2上的显示信息与Hub1类似。
# 显示Spoke1上的IPv4 ADVPN隧道信息。
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.0.0.1 -- S-H Success 0H 46M 8S
192.168.0.2 1.0.0.2 -- S-H Success 0H 46M 8S
以上显示信息表示Spoke1与Hub1、Hub2建立了Hub-Spoke永久隧道。Spoke2上的显示信息与Spoke1类似。
# 在Spoke1上ping Spoke2的私网地址192.168.0.4。
[Spoke1] ping 192.168.0.4
Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms
56 bytes from 192.168.0.4: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 192.168.0.4 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms
# 显示Spoke1上的IPv4 ADVPN隧道信息。
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.1 1.0.0.1 -- S-H Success 0H 46M 8S
192.168.0.2 1.0.0.2 -- S-H Success 0H 46M 8S
192.168.0.4 1.0.0.4 -- S-S Success 0H 0M 1S
以上显示信息表示Spoke1与Hub1、Hub2建立了Hub-Spoke永久隧道。Spoke1与Spoke2建立了Spoke-Spoke临时隧道。Spoke2上的显示信息与Spoke1类似。
· 在IPv6 Full-Mesh的组网方式下,主、备VAM Server负责管理、维护各个节点的信息;AAA服务器负责对VAM Client进行认证和计费管理;两个Hub互为备份,负责数据的转发和路由信息的交换。
· Spoke与Hub之间建立永久的ADVPN隧道。
· 同一ADVPN域中,任意的两个Spoke之间在有数据时动态建立ADVPN隧道。
图1-8 IPv6 Full-Mesh类型ADVPN组网图
设备 |
接口 |
IP地址 |
设备 |
接口 |
IP地址 |
Hub 1 |
GE0/1 |
1::1/64 |
Spoke 1 |
GE0/1 |
1::3/64 |
|
Tunnel1 |
192:168::1/64 |
|
GE0/2 |
192:168:1::1/64 |
Hub 2 |
GE0/1 |
1::2/64 |
|
Tunnel1 |
192:168::3/64 |
|
Tunnel1 |
192:168::2/64 |
Spoke 2 |
GE0/1 |
1::4/64 |
AAA server |
|
1::10/64 |
|
GE0/2 |
192:168:2::1/64 |
Primary server |
GE0/1 |
1::11/64 |
|
Tunnel1 |
192:168::4/64 |
Secondary server |
GE0/1 |
1::12/64 |
|
|
|
(1) 配置主VAM Server
· 配置各个接口的IP地址(略)
· 配置AAA认证
# 配置RADIUS方案。
<PrimaryServer> system-view
[PrimaryServer] radius scheme abc
[PrimaryServer-radius-abc] primary authentication ipv6 1::10 1812
[PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813
[PrimaryServer-radius-abc] key authentication simple 123
[PrimaryServer-radius-abc] key accounting simple 123
[PrimaryServer-radius-abc] user-name-format without-domain
[PrimaryServer-radius-abc] quit
[PrimaryServer] radius session-control enable
# 配置ISP域的AAA方案。
[PrimaryServer] domain abc
[PrimaryServer-isp-abc] authentication advpn radius-scheme abc
[PrimaryServer-isp-abc] accounting advpn radius-scheme abc
[PrimaryServer-isp-abc] quit
[PrimaryServer] domain default enable abc
· 配置VAM Server
# 创建ADVPN域abc。
[PrimaryServer] vam server advpn-domain abc id 1
# 创建Hub组0。
[PrimaryServer-vam-server-domain-abc] hub-group 0
# 指定Hub组内Hub的IPv6私网地址。
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2
# 指定Hub组内Spoke的IPv6私网地址范围。
[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke ipv6 private-address network 192:168::0 64
[PrimaryServer-vam-server-domain-abc-hub-group-0] quit
# 配置VAM Server的预共享密钥为123456。
[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456
# 配置对VAM Client进行CHAP认证。
[PrimaryServer-vam-server-domain-abc] authentication-method chap
# 开启该ADVPN域的VAM Server功能。
[PrimaryServer-vam-server-domain-abc] server enable
[PrimaryServer-vam-server-domain-abc] quit
(2) 配置备VAM Server
除IP地址外,备VAM Server的ADVPN配置与主VAM Server相同,不再赘述。
(3) 配置Hub1
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub1。
<Hub1> system-view
[Hub1] vam client name Hub1
# 配置VAM Client所属的ADVPN域为abc。
[Hub1-vam-client-Hub1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub1,密码为hub1。
[Hub1-vam-client-Hub1] user hub1 password simple hub1
# 配置主、被VAM Server的IP地址。
[Hub1-vam-client-Hub1] server primary ipv6-address 1::11
[Hub1-vam-client-Hub1] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# 配置IPsec安全框架。
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Hub1] ospfv3 1
[Hub1-ospfv3-1] router-id 0.0.0.1
[Hub1-ospfv3-1] area 0
[Hub1-ospfv3-1-area-0.0.0.0] quit
[Hub1-ospfv3-1] quit
· 配置ADVPN隧道
# 配置GRE封装模式的IPv6 ADVPN隧道接口Tunnel1。
[Hub1] interface tunnel1 mode advpn gre ipv6
[Hub1-Tunnel1] ipv6 address 192:168::1 64
[Hub1-Tunnel1] ipv6 address fe80::1 link-local
[Hub1-Tunnel1] vam ipv6 client Hub1
[Hub1-Tunnel1] ospfv3 1 area 0
[Hub1-Tunnel1] ospfv3 network-type broadcast
[Hub1-Tunnel1] source gigabitethernet 0/1
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] quit
(4) 配置Hub2
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub2。
<Hub2> system-view
[Hub2] vam client name Hub2
# 配置VAM Client所属的ADVPN域为abc。
[Hub2-vam-client-Hub2] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub2-vam-client-Hub2] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub2,密码为hub2。
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# 配置VAM Server的IP地址。
[Hub2-vam-client-Hub2] server primary ipv6-address 1::11
[Hub2-vam-client-Hub2] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# 配置IPsec安全框架。
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Hub2] ospfv3 1
[Hub2-ospfv3-1] router-id 0.0.0.2
[Hub2-ospfv3-1] area 0
[Hub2-ospfv3-1-area-0.0.0.0] quit
[Hub2-ospfv3-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv6 ADVPN隧道接口Tunnel1。
[Hub2] interface tunnel1 mode advpn gre ipv6
[Hub2-Tunnel1] ipv6 address 192:168::2 64
[Hub1-Tunnel1] ipv6 address fe80::2 link-local
[Hub2-Tunnel1] vam ipv6 client Hub2
[Hub2-Tunnel1] ospfv3 1 area 0
[Hub2-Tunnel1] ospfv3 network-type broadcast
[Hub2-Tunnel1] source gigabitethernet 0/1
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit
(5) 配置Spoke1
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke1。
<Spoke1> system-view
[Spoke1] vam client name Spoke1
# 配置VAM Client所属的ADVPN域为abc。
[Spoke1-vam-client-Spoke1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke1,密码为spoke1。
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# 配置VAM Server的IP地址。
[Spoke1-vam-client-Spoke1] server primary ipv6-address 1::11
[Spoke1-vam-client-Spoke1] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Spoke1] ospfv3 1
[Spoke1-ospfv3-1] router-id 0.0.0.3
[Spoke1-ospfv3-1] area 0
[Spoke1-ospfv3-1-area-0.0.0.0] quit
[Spoke1-ospfv3-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv6 ADVPN隧道接口Tunnel1。将Spoke1的DR优先级配置为0,以使Spoke1不参与DR/BDR选举。
[Spoke1] interface tunnel1 mode advpn gre ipv6
[Spoke1-Tunnel1] ipv6 address 192:168::3 64
[Spoke1-Tunnel1] ipv6 address fe80::3 link-local
[Spoke1-Tunnel1] vam ipv6 client Spoke1
[Spoke1-Tunnel1] ospfv3 1 area 0
[Spoke1-Tunnel1] ospfv3 network-type broadcast
[Spoke1-Tunnel1] ospfv3 dr-priority 0
[Spoke1-Tunnel1] source gigabitethernet 0/1
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit
(6) 配置Spoke2
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke2。
<Spoke2> system-view
[Spoke2] vam client name Spoke2
# 配置VAM Client所属的ADVPN域为abc。
[Spoke2-vam-client-Spoke2] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke2,密码为spoke2。
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# 配置VAM Server的IP地址。
[Spoke2-vam-client-Spoke2] server primary ipv6-address 1::11
[Spoke2-vam-client-Spoke2] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Spoke2] ospfv3 1
[Spoke2-ospfv3-1] router-id 0.0.0.4
[Spoke2-ospfv3-1] area 0
[Spoke2-ospfv3-1-area-0.0.0.0] quit
[Spoke2-ospfv3-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv6 ADVPN隧道接口Tunnel1。将Spoke2的DR优先级配置为0,以使Spoke2不参与DR/BDR选举。
[Spoke2] interface tunnel1 mode advpn gre ipv6
[Spoke2-Tunnel1] ipv6 address 192:168::4 64
[Spoke2-Tunnel1] ipv6 address fe80::4 link-local
[Spoke2-Tunnel1] vam ipv6 client Spoke2
[Spoke2-Tunnel1] ospfv3 1 area 0
[Spoke2-Tunnel1] ospfv3 network-type broadcast
[Spoke2-Tunnel1] ospfv3 dr-priority 0
[Spoke2-Tunnel1] source gigabitethernet 0/1
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit
# 显示注册到主VAM Server的所有VAM Client的IPv6私网地址映射信息。
[PrimaryServer] display vam server ipv6 address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192:168::1 1::1 Hub No 0H 52M 7S
0 192:168::2 1::2 Hub No 0H 47M 31S
0 192:168::3 1::3 Spoke No 0H 28M 25S
0 192:168::4 1::4 Spoke No 0H 19M 15S
# 显示注册到备VAM Server的所有VAM Client的IPv6私网地址映射信息。
[SecondaryServer] display vam server ipv6 address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192:168::1 1::1 Hub No 0H 52M 7S
0 192:168::2 1::2 Hub No 0H 47M 31S
0 192:168::3 1::3 Spoke No 0H 28M 25S
0 192:168::4 1::4 Spoke No 0H 19M 15S
以上显示信息表示Hub1、Hub2、Spoke1和Spoke2均已将地址映射信息注册到VAM Server。
# 显示Hub1上的IPv6 ADVPN隧道信息。
[Hub1] display advpn ipv6 session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192:168::2 1::2 -- H-H Success 0H 46M 8S
192:168::3 1::3 -- H-S Success 0H 27M 27S
192:168::4 1::4 -- H-S Success 0H 18M 18S
以上显示信息表示Hub1与Hub2、Spoke1、Spoke2建立了永久隧道。Hub2上的显示信息与Hub1类似。
# 显示Spoke1上的IPv6 ADVPN隧道信息。
[Spoke1] display advpn ipv6 session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192:168::1 1::1 -- S-H Success 0H 46M 8S
192:168::2 1::2 -- S-H Success 0H 46M 8S
以上显示信息表示Spoke1与Hub1、Hub2建立了Hub-Spoke永久隧道。Spoke2上的显示信息与Spoke1类似。
# 在Spoke1上ping Spoke2的私网地址192:168::4。
[Spoke1] ping ipv6 192:168::4
Ping6(56 data bytes) 192:168::3 --> 192:168::4, press CTRL_C to break
56 bytes from 192:168::4, icmp_seq=0 hlim=64 time=3.000 ms
56 bytes from 192:168::4, icmp_seq=1 hlim=64 time=0.000 ms
56 bytes from 192:168::4, icmp_seq=2 hlim=64 time=1.000 ms
56 bytes from 192:168::4, icmp_seq=3 hlim=64 time=1.000 ms
56 bytes from 192:168::4, icmp_seq=4 hlim=64 time=1.000 ms
--- Ping6 statistics for 192:168::4 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms
# 显示Spoke1上的IPv6 ADVPN隧道信息。
[Spoke1] display advpn ipv6 session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192:168::1 1::1 -- S-H Success 0H 46M 8S
192:168::2 1::2 -- S-H Success 0H 46M 8S
192.168::4 1::4 -- S-S Success 0H 0M 1S
以上显示信息表示Spoke1与Hub1、Hub2建立了Hub-Spoke永久隧道。Spoke1与Spoke2建立了Spoke-Spoke临时隧道。Spoke2上的显示信息与Spoke1类似。
· 在IPv4 Hub-Spoke的组网方式下,数据通过Hub-Spoke隧道进行转发。主、备VAM Server负责管理、维护各个节点的信息;AAA服务器负责对VAM Client进行认证和计费管理;两个Hub互为备份,负责数据的转发和路由信息的交换。
· Spoke与Hub之间建立永久的ADVPN隧道。
图1-9 IPv4 Hub-Spoke类型ADVPN组网图
设备 |
接口 |
IP地址 |
设备 |
接口 |
IP地址 |
Hub 1 |
GE0/1 |
1.0.0.1/24 |
Spoke 1 |
GE0/1 |
1.0.0.3/24 |
|
Tunnel1 |
192.168.0.1/24 |
|
GE0/2 |
192.168.1.1/24 |
Hub 2 |
GE0/1 |
1.0.0.2/24 |
|
Tunnel1 |
192.168.0.3/24 |
|
Tunnel1 |
192.168.0.2/24 |
Spoke 2 |
GE0/1 |
1.0.0.4/24 |
AAA server |
|
1.0.0.10/24 |
|
GE0/2 |
192.168.2.1/24 |
Primary server |
GE0/1 |
1.0.0.11/24 |
|
Tunnel1 |
192.168.0.4/24 |
Secondary server |
GE0/1 |
1.0.0.12/24 |
|
|
|
(1) 配置主VAM Server
· 配置各个接口的IP地址(略)
· 配置AAA认证
# 配置RADIUS方案。
<PrimaryServer> system-view
[PrimaryServer] radius scheme abc
[PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812
[PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813
[PrimaryServer-radius-abc] key authentication simple 123
[PrimaryServer-radius-abc] key accounting simple 123
[PrimaryServer-radius-abc] user-name-format without-domain
[PrimaryServer-radius-abc] quit
[PrimaryServer] radius session-control enable
# 配置ISP域的AAA方案。
[PrimaryServer] domain abc
[PrimaryServer-isp-abc] authentication advpn radius-scheme abc
[PrimaryServer-isp-abc] accounting advpn radius-scheme abc
[PrimaryServer-isp-abc] quit
[PrimaryServer] domain default enable abc
· 配置VAM Server
# 创建ADVPN域abc。
[PrimaryServer] vam server advpn-domain abc id 1
# 创建Hub组0。
[PrimaryServer-vam-server-domain-abc] hub-group 0
# 指定Hub组内Hub的IPv4私网地址。
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
# 指定Hub组内Spoke的IPv4私网地址范围。
[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0
[PrimaryServer-vam-server-domain-abc-hub-group-0] quit
# 配置VAM Server的预共享密钥为123456。
[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456
# 配置对VAM Client进行CHAP认证。
[PrimaryServer-vam-server-domain-abc] authentication-method chap
# 开启该ADVPN域的VAM Server功能。
[PrimaryServer-vam-server-domain-abc] server enable
[PrimaryServer-vam-server-domain-abc] quit
(2) 配置备VAM Server
除IP地址外,备VAM Server的ADVPN配置与主VAM Server相同,不再赘述。
(3) 配置Hub1
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub1。
<Hub1> system-view
[Hub1] vam client name Hub1
# 配置VAM Client所属的ADVPN域为abc。
[Hub1-vam-client-Hub1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub1,密码为hub1。
[Hub1-vam-client-Hub1] user hub1 password simple hub1
# 配置VAM Server的IP地址。
[Hub1-vam-client-Hub1] server primary ip-address 1.0.0.11
[Hub1-vam-client-Hub1] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# 配置IPsec安全框架。
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv4 ADVPN隧道接口Tunnel1。
[Hub1] interface tunnel1 mode advpn gre
[Hub1-Tunnel1] ip address 192.168.0.1 255.255.255.0
[Hub1-Tunnel1] vam client Hub1
[Hub1-Tunnel1] ospf network-type p2mp
[Hub1-Tunnel1] source gigabitethernet 0/1
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] quit
(4) 配置Hub2
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub2。
<Hub2> system-view
[Hub2] vam client name Hub2
# 配置VAM Client所属的ADVPN域为abc。
[Hub2-vam-client-Hub2] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub2-vam-client-Hub2] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为Hub2,密码为Hub2。
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# 配置VAM Server的IP地址。
[Hub2-vam-client-Hub2] server primary ip-address 1.0.0.11
[Hub2-vam-client-Hub2] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# 配置IPsec安全框架。
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv4 ADVPN隧道接口Tunnel1。
[Hub2] interface tunnel1 mode advpn gre
[Hub2-Tunnel1] ip address 192.168.0.2 255.255.255.0
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type p2mp
[Hub2-Tunnel1] source gigabitethernet 0/1
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit
(5) 配置Spoke1
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke1。
<Spoke1> system-view
[Spoke1] vam client name Spoke1
# 配置VAM Client的ADVPN域为abc。
[Spoke1-vam-client-Spoke1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke1,密码为spoke1。
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# 配置VAM Server的IP地址。
[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11
[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Spoke1] ospf 1
[Spoke1-ospf-1] area 0
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv4 ADVPN隧道接口Tunnel1。
[Spoke1] interface tunnel1 mode advpn gre
[Spoke1-Tunnel1] ip address 192.168.0.3 255.255.255.0
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type p2mp
[Spoke1-Tunnel1] source gigabitethernet 0/1
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit
(6) 配置Spoke2
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke2。
<Spoke2> system-view
[Spoke2] vam client name Spoke2
# 配置VAM Client所属的ADVPN域为abc。
[Spoke2-vam-client-Spoke2] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke2,密码为spoke2。
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# 配置VAM Server的IP地址。
[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11
[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Spoke2] ospf 1
[Spoke2-ospf-1] area 0
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv4 ADVPN隧道接口Tunnel1。
[Spoke2] interface tunnel1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type p2mp
[Spoke2-Tunnel1] source gigabitethernet 0/1
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit
# 显示注册到主VAM Server的所有VAM Client的IPv4私网地址映射信息。
[PrimaryServer] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.0.0.1 Hub No 0H 52M 7S
0 192.168.0.2 1.0.0.2 Hub No 0H 47M 31S
0 192.168.0.3 1.0.0.3 Spoke No 0H 28M 25S
0 192.168.0.4 1.0.0.4 Spoke No 0H 19M 15S
# 显示注册到备VAM Server的所有VAM Client的IPv4私网地址映射信息。
[SecondaryServer] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.0.0.1 Hub No 0H 52M 7S
0 192.168.0.2 1.0.0.2 Hub No 0H 47M 31S
0 192.168.0.3 1.0.0.3 Spoke No 0H 28M 25S
0 192.168.0.4 1.0.0.4 Spoke No 0H 19M 15S
以上显示信息表示Hub1、Hub2、Spoke1和Spoke2均已将地址映射信息注册到VAM Server。
# 显示Hub1上的IPv4 ADVPN隧道信息。
[Hub1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.2 1.0.0.2 -- H-H Success 0H 46M 8S
192.168.0.3 1.0.0.3 -- H-S Success 0H 27M 27S
192.168.0.4 1.0.0.4 -- H-S Success 0H 18M 18S
以上显示信息表示Hub1与Hub2、Spoke1、Spoke2建立了永久隧道。Hub2上的显示信息与Hub1类似。
# 显示Spoke1上的IPv4 ADVPN隧道信息。
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.0.0.1 -- S-H Success 0H 46M 8S
192.168.0.2 1.0.0.2 -- S-H Success 0H 46M 8S
以上显示信息表示Spoke1与Hub1、Hub2建立了Hub-Spoke永久隧道。Spoke2上的显示信息与Spoke1类似。
# 在Spoke1上ping Spoke2的私网地址192.168.0.4。
[Spoke1] ping 192.168.0.4
Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms
56 bytes from 192.168.0.4: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 192.168.0.4 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms
· 在IPv6 Hub-Spoke的组网方式下,数据通过Hub-Spoke隧道进行转发。主、备VAM Server负责管理、维护各个节点的信息;AAA服务器负责对VAM Client进行认证和计费管理;两个Hub互为备份,负责数据的转发和路由信息的交换。
· Spoke与Hub之间建立永久的ADVPN隧道。
图1-10 IPv6 Hub-Spoke类型ADVPN组网图
设备 |
接口 |
IP地址 |
设备 |
接口 |
IP地址 |
Hub 1 |
GE0/1 |
1::1/64 |
Spoke 1 |
GE0/1 |
1::3/64 |
|
Tunnel1 |
192:168::1/64 |
|
GE0/2 |
192:168:1::1/64 |
Hub 2 |
GE0/1 |
1::2/64 |
|
Tunnel1 |
192:168::3/64 |
|
Tunnel1 |
192:168::2/64 |
Spoke 2 |
GE0/1 |
1::4/64 |
AAA server |
|
1::10/64 |
|
GE0/2 |
192:168:2::1/64 |
Primary server |
GE0/1 |
1::11/64 |
|
Tunnel1 |
192:168::4/64 |
Secondary server |
GE0/1 |
1::12/64 |
|
|
|
(1) 配置主VAM Server
· 配置各个接口的IP地址(略)
· 配置AAA认证
# 配置RADIUS方案。
<PrimaryServer> system-view
[PrimaryServer] radius scheme abc
[PrimaryServer-radius-abc] primary authentication ipv6 1::10 1812
[PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813
[PrimaryServer-radius-abc] key authentication simple 123
[PrimaryServer-radius-abc] key accounting simple 123
[PrimaryServer-radius-abc] user-name-format without-domain
[PrimaryServer-radius-abc] quit
[PrimaryServer] radius session-control enable
# 配置ISP域的AAA方案。
[PrimaryServer] domain abc
[PrimaryServer-isp-abc] authentication advpn radius-scheme abc
[PrimaryServer-isp-abc] accounting advpn radius-scheme abc
[PrimaryServer-isp-abc] quit
[PrimaryServer] domain default enable abc
· 配置VAM Server
# 创建ADVPN域abc。
[PrimaryServer] vam server advpn-domain abc id 1
# 创建Hub组0。
[PrimaryServer-vam-server-domain-abc] hub-group 0
# 指定Hub组内Hub的IPv6私网地址。
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2
# 指定Hub组内Spoke的IPv6私网地址范围。
[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke ipv6 private-address network 192:168::0 64
[PrimaryServer-vam-server-domain-abc-hub-group-0] quit
# 配置VAM Server的预共享密钥为123456。
[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456
# 配置对VAM Client进行CHAP认证。
[PrimaryServer-vam-server-domain-abc] authentication-method chap
# 开启该ADVPN域的VAM Server功能。
[PrimaryServer-vam-server-domain-abc] server enable
[PrimaryServer-vam-server-domain-abc] quit
(2) 配置备VAM Server
除IP地址外,备VAM Server的ADVPN配置与主VAM Server相同,不再赘述。
(3) 配置Hub1
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub1。
<Hub1> system-view
[Hub1] vam client name Hub1
# 配置VAM Client所属的ADVPN域为abc。
[Hub1-vam-client-Hub1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub1,密码为hub1。
[Hub1-vam-client-Hub1] user hub1 password simple hub1
# 配置VAM Server的IP地址。
[Hub1-vam-client-Hub1] server primary ipv6-address 1::11
[Hub1-vam-client-Hub1] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# 配置IPsec安全框架。
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Hub1] ospfv3 1
[Hub1-ospfv3-1] router-id 0.0.0.1
[Hub1-ospfv3-1] area 0
[Hub1-ospfv3-1-area-0.0.0.0] quit
[Hub1-ospfv3-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv6 ADVPN隧道接口Tunnel1。
[Hub1] interface tunnel1 mode advpn gre ipv6
[Hub1-Tunnel1] ipv6 address 192:168::1 64
[Hub1-Tunnel1] ipv6 address fe80::1 link-local
[Hub1-Tunnel1] vam ipv6 client Hub1
[Hub1-Tunnel1] ospfv3 1 area 0
[Hub1-Tunnel1] ospfv3 network-type p2mp
[Hub1-Tunnel1] source gigabitethernet 0/1
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] quit
(4) 配置Hub2
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub2。
<Hub2> system-view
[Hub2] vam client name Hub2
# 配置VAM Client所属的ADVPN域为abc。
[Hub2-vam-client-Hub2] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub2-vam-client-Hub2] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub2,密码为hub2。
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# 配置VAM Server的IP地址。
[Hub2-vam-client-Hub2] server primary ipv6-address 1::11
[Hub2-vam-client-Hub2] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# 配置IPsec安全框架。
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Hub2] ospfv3 1
[Hub2-ospfv3-1] router-id 0.0.0.2
[Hub2-ospfv3-1] area 0
[Hub2-ospfv3-1-area-0.0.0.0] quit
[Hub2-ospfv3-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv6 ADVPN隧道接口Tunnel1。
[Hub2] interface tunnel1 mode advpn gre ipv6
[Hub2-Tunnel1] ipv6 address 192:168::2 64
[Hub2-Tunnel1] ipv6 address fe80::2 link-local
[Hub2-Tunnel1] vam ipv6 client Hub2
[Hub2-Tunnel1] ospfv3 1 area 0
[Hub2-Tunnel1] ospfv3 network-type p2mp
[Hub2-Tunnel1] source gigabitethernet 0/1
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit
(5) 配置Spoke1
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke1。
<Spoke1> system-view
[Spoke1] vam client name Spoke1
# 配置VAM Client所属的ADVPN域为abc。
[Spoke1-vam-client-Spoke1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke1,密码为spoke1。
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# 配置VAM Server的IP地址。
[Spoke1-vam-client-Spoke1] server primary ipv6-address 1::11
[Spoke1-vam-client-Spoke1] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Spoke1] ospfv3 1
[Spoke1-ospfv3-1] router-id 0.0.0.3
[Spoke1-ospfv3-1] area 0
[Spoke1-ospfv3-1-area-0.0.0.0] quit
[Spoke1-ospfv3-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv6 ADVPN隧道接口Tunnel1。
[Spoke1] interface tunnel1 mode advpn gre ipv6
[Spoke1-Tunnel1] ipv6 address 192:168::3 64
[Spoke1-Tunnel1] ipv6 address fe80::3 link-local
[Spoke1-Tunnel1] vam ipv6 client Spoke1
[Spoke1-Tunnel1] ospfv3 1 area 0
[Spoke1-Tunnel1] ospfv3 network-type p2mp
[Spoke1-Tunnel1] source gigabitethernet 0/1
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit
(6) 配置Spoke2
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke2。
<Spoke2> system-view
[Spoke2] vam client name Spoke2
# 配置VAM Client所属的ADVPN域为abc。
[Spoke2-vam-client-Spoke2] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke2,密码为spoke2。
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# 配置VAM Server的IP地址。
[Spoke2-vam-client-Spoke2] server primary ipv6-address 1::11
[Spoke2-vam-client-Spoke2] server secondary ipv6-address 1::12
# 开启VAM Client的功能。
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Spoke2] ospfv3 1
[Spoke2-ospfv3-1] router-id 0.0.0.4
[Spoke2-ospfv3-1] area 0
[Spoke2-ospfv3-1-area-0.0.0.0] quit
[Spoke2-ospfv3-1] quit
· 配置ADVPN隧道
# 配置GRE封装的IPv6 ADVPN隧道接口Tunnel1。
[Spoke2] interface tunnel1 mode advpn gre ipv6
[Spoke2-Tunnel1] ipv6 address 192:168::4 64
[Spoke2-Tunnel1] ipv6 address fe80::4 link-local
[Spoke2-Tunnel1] vam ipv6 client Spoke2
[Spoke2-Tunnel1] ospfv3 1 area 0
[Spoke2-Tunnel1] ospfv3 network-type p2mp
[Spoke2-Tunnel1] source gigabitethernet 0/1
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit
# 显示注册到主VAM Server的所有VAM Client的IPv6私网地址映射信息。
[PrimaryServer] display vam server ipv6 address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192:168::1 1::1 Hub No 0H 52M 7S
0 192:168::2 1::2 Hub No 0H 47M 31S
0 192:168::3 1::3 Spoke No 0H 28M 25S
0 192:168::4 1::4 Spoke No 0H 19M 15S
# 显示注册到备VAM Server的所有VAM Client的IPv6私网地址映射信息。
[SecondaryServer] display vam server ipv6 address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192:168::1 1::1 Hub No 0H 52M 7S
0 192:168::2 1::2 Hub No 0H 47M 31S
0 192:168::3 1::3 Spoke No 0H 28M 25S
0 192:168::4 1::4 Spoke No 0H 19M 15S
以上显示信息表示Hub1、Hub2、Spoke1和Spoke2均已将地址映射信息注册到VAM Server。
# 显示Hub1上的IPv6 ADVPN隧道信息。
[Hub1] display advpn ipv6 session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192:168::2 1::2 -- H-H Success 0H 46M 8S
192:168::3 1::3 -- H-S Success 0H 27M 27S
192:168::4 1::4 -- H-S Success 0H 18M 18S
以上显示信息表示Hub1与Hub2、Spoke1、Spoke2建立了永久隧道。Hub2上的显示信息与Hub1类似。
# 显示Spoke1上的IPv6 ADVPN隧道信息。
[Spoke1] display advpn ipv6 session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192:168::1 1::1 -- S-H Success 0H 46M 8S
192:168::2 1::2 -- S-H Success 0H 46M 8S
以上显示信息表示Spoke1与Hub1、Hub2建立了Hub-Spoke永久隧道。Spoke2上的显示信息与Spoke1类似。
# 在Spoke1上ping Spoke2的私网地址192:168::4。
[Spoke1] ping ipv6 192:168::4
Ping6(56 data bytes) 192:168::3 --> 192:168::4, press CTRL_C to break
56 bytes from 192:168::4, icmp_seq=0 hlim=64 time=3.000 ms
56 bytes from 192:168::4, icmp_seq=1 hlim=64 time=0.000 ms
56 bytes from 192:168::4, icmp_seq=2 hlim=64 time=1.000 ms
56 bytes from 192:168::4, icmp_seq=3 hlim=64 time=1.000 ms
56 bytes from 192:168::4, icmp_seq=4 hlim=64 time=1.000 ms
--- Ping6 statistics for 192:168::4 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/1.200/3.000/0.980 ms
ADVPN域中包含的ADVPN节点较多,通过划分多个Hub组来减轻Hub的负担。具体需求如下:
· 主、备VAM Server负责管理、维护各个节点的信息。
· AAA服务器负责对VAM Client进行认证和计费管理。
· 将ADVPN域划分为三个Hub组:Hub1、Hub2和Hub3属于Hub组0;Hub1、Hub2、Spoke1和Spoke2属于Hub组1,两个Hub互为备份;Hub3、Spoke3和Spoke4属于Hub组2。
· Hub组1和Hub组2内采用Full-Mesh组网方式。
· 允许所有的Spoke建立跨Hub组的Spoke-Spoke直连隧道。
图1-11 IPv4划分多个Hub组ADVPN组网图
设备 |
接口 |
IP地址 |
设备 |
接口 |
IP地址 |
Hub 1 |
GE0/1 |
1.0.0.1/24 |
Spoke 1 |
GE0/1 |
1.0.0.4/24 |
|
Tunnel1 |
192.168.1.1/24 |
|
GE0/2 |
192.168.10.1/24 |
|
Tunnel2 |
192.168.0.1/24 |
|
Tunnel1 |
192.168.1.3/24 |
Hub 2 |
GE0/1 |
1.0.0.2/24 |
Spoke 2 |
GE0/1 |
1.0.0.5/24 |
|
Tunnel1 |
192.168.1.2/24 |
|
GE0/2 |
192.168.20.1/24 |
|
Tunnel2 |
192.168.0.2/24 |
|
GE0/3 |
192.168.30.1/24 |
Hub 3 |
GE0/1 |
1.0.0.3/24 |
|
Tunnel1 |
192.168.1.4/24 |
|
Tunnel1 |
192.168.2.1/24 |
Spoke 3 |
GE0/1 |
1.0.0.6/24 |
|
Tunnel2 |
192.168.0.3/24 |
|
GE0/2 |
192.168.40.1/24 |
AAA server |
|
1.0.0.10/24 |
|
Tunnel1 |
192.168.2.2/24 |
Primary server |
GE0/1 |
1.0.0.11/24 |
Spoke 4 |
GE0/1 |
1.0.0.7/24 |
Secondary server |
GE0/1 |
1.0.0.12/24 |
|
GE0/2 |
192.168.50.1/24 |
|
|
|
|
GE0/3 |
192.168.60.1/24 |
|
|
|
|
Tunnel1 |
192.168.2.3/24 |
(1) 配置主VAM Server
· 配置各个接口的IP地址(略)
· 配置AAA认证
# 配置RADIUS方案。
<PrimaryServer> system-view
[PrimaryServer] radius scheme abc
[PrimaryServer-radius-abc] primary authentication 1.0.0.10 1812
[PrimaryServer-radius-abc] primary accounting 1.0.0.10 1813
[PrimaryServer-radius-abc] key authentication simple 123
[PrimaryServer-radius-abc] key accounting simple 123
[PrimaryServer-radius-abc] user-name-format without-domain
[PrimaryServer-radius-abc] quit
[PrimaryServer] radius session-control enable
# 配置ISP域的AAA方案。
[PrimaryServer] domain abc
[PrimaryServer-isp-abc] authentication advpn radius-scheme abc
[PrimaryServer-isp-abc] accounting advpn radius-scheme abc
[PrimaryServer-isp-abc] quit
[PrimaryServer] domain default enable abc
· 配置VAM Server
# 创建ADVPN域abc。
[PrimaryServer] vam server advpn-domain abc id 1
# 创建Hub组0。
[PrimaryServer-vam-server-domain-abc] hub-group 0
# 指定Hub组内Hub的IPv4私网地址。
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.3
[PrimaryServer-vam-server-domain-abc-hub-group-0] quit
# 创建Hub组1。
[PrimaryServer-vam-server-domain-abc] hub-group 1
# 指定Hub组内Hub的IPv4私网地址。
[PrimaryServer-vam-server-domain-abc-hub-group-1] hub private-address 192.168.1.1
[PrimaryServer-vam-server-domain-abc-hub-group-1] hub private-address 192.168.1.2
# 指定Hub组内Spoke的IPv4私网地址范围。
[PrimaryServer-vam-server-domain-abc-hub-group-1] spoke private-address network 192.168.1.0 255.255.255.0
# 允许建立跨组Spoke-Spoke直连隧道。
[PrimaryServer-vam-server-domain-abc-hub-group-1] shortcut interest all
[PrimaryServer-vam-server-domain-abc-hub-group-1] quit
# 创建Hub组2。
[PrimaryServer-vam-server-domain-abc] hub-group 2
# 指定Hub组内Hub的IPv4私网地址。
[PrimaryServer-vam-server-domain-abc-hub-group-2] hub private-address 192.168.2.1
# 指定Hub组内Spoke的IPv4私网地址范围。
[PrimaryServer-vam-server-domain-abc-hub-group-2] spoke private-address network 192.168.2.0 255.255.255.0
# 允许建立跨组Spoke-Spoke直连隧道。
[PrimaryServer-vam-server-domain-abc-hub-group-2] shortcut interest all
[PrimaryServer-vam-server-domain-abc-hub-group-2] quit
# 配置VAM Server的预共享密钥为123456。
[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456
# 配置对VAM Client进行CHAP认证。
[PrimaryServer-vam-server-domain-abc] authentication-method chap
# 开启该ADVPN域的VAM Server功能。
[PrimaryServer-vam-server-domain-abc] server enable
[PrimaryServer-vam-server-domain-abc] quit
(2) 配置备VAM Server
除IP地址外,备VAM Server的ADVPN配置与主VAM Server相同,不再赘述。
(3) 配置Hub1
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub1Group0。
<Hub1> system-view
[Hub1] vam client name Hub1Group0
# 配置VAM Client所属的ADVPN域为abc。
[Hub1-vam-client-Hub1Group0] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub1-vam-client-Hub1Group0] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub1,密码为hub1。
[Hub1-vam-client-Hub1Group0] user hub1 password simple hub1
# 配置VAM Server的IP地址。
[Hub1-vam-client-Hub1Group0] server primary ip-address 1.0.0.11
[Hub1-vam-client-Hub1Group0] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Hub1-vam-client-Hub1Group0] client enable
[Hub1-vam-client-Hub1Group0] quit
# 创建VAM Client Hub1Group1。
[Hub1] vam client name Hub1Group1
# 配置VAM Client所属的ADVPN域为abc。
[Hub1-vam-client-Hub1Group1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub1-vam-client-Hub1Group1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub1,密码为hub1。
[Hub1-vam-client-Hub1Group1] user hub1 password simple hub1
# 配置VAM Server的IP地址。
[Hub1-vam-client-Hub1Group1] server primary ip-address 1.0.0.11
[Hub1-vam-client-Hub1Group1] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Hub1-vam-client-Hub1Group1] client enable
[Hub1-vam-client-Hub1Group1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# 配置IPsec安全框架。
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] area 1
[Hub1-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[Hub1-ospf-1-area-0.0.0.1] quit
[Hub1-ospf-1] quit
· 配置ADVPN隧道
# 配置UDP封装的IPv4 ADVPN隧道接口Tunnel1。
[Hub1] interface tunnel1 mode advpn udp
[Hub1-Tunnel1] ip address 192.168.1.1 255.255.255.0
[Hub1-Tunnel1] vam client Hub1Group1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] source gigabitethernet 0/1
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] quit
# 配置UDP封装的IPv4 ADVPN隧道接口Tunnel2。
[Hub1] interface tunnel2 mode advpn udp
[Hub1-Tunnel2] ip address 192.168.0.1 255.255.255.0
[Hub1-Tunnel2] vam client Hub1Group0
[Hub1-Tunnel2] ospf network-type broadcast
[Hub1-Tunnel2] source gigabitethernet 0/1
[Hub1-Tunnel2] tunnel protection ipsec profile abc
[Hub1-Tunnel2] quit
(4) 配置Hub2
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub2Group0。
<Hub2> system-view
[Hub2] vam client name Hub2Group0
# 配置VAM Client所属的ADVPN域为abc。
[Hub2-vam-client-Hub2Group0] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub2-vam-client-Hub2Group0] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub2,密码为hub2。
[Hub2-vam-client-Hub2Group0] user hub2 password simple hub2
# 配置VAM Server的IP地址。
[Hub2-vam-client-Hub2Group0] server primary ip-address 1.0.0.11
[Hub2-vam-client-Hub2Group0] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Hub2-vam-client-Hub2Group0] client enable
[Hub2-vam-client-Hub2Group0] quit
# 创建VAM Client Hub2Group1。
[Hub2] vam client name Hub2Group1
# 配置VAM Client所属的ADVPN域为abc。
[Hub2-vam-client-Hub2Group1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub2-vam-client-Hub2Group1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub2,密码为hub2。
[Hub2-vam-client-Hub2Group1] user Hub2 password simple Hub2
# 配置VAM Server的IP地址。
[Hub2-vam-client-Hub2Group1] server primary ip-address 1.0.0.11
[Hub2-vam-client-Hub2Group1] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Hub2-vam-client-Hub2Group1] client enable
[Hub2-vam-client-Hub2Group1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# 配置IPsec安全框架。
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] area 1
[Hub2-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[Hub2-ospf-1-area-0.0.0.1] quit
[Hub2-ospf-1] quit
· 配置ADVPN隧道
# 配置UDP封装的IPv4 ADVPN隧道接口Tunnel1。
[Hub2] interface tunnel1 mode advpn udp
[Hub2-Tunnel1] ip address 192.168.1.2 255.255.255.0
[Hub2-Tunnel1] vam client Hub2Group1
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] source gigabitethernet 0/1
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit
# 配置UDP封装的IPv4 ADVPN隧道接口Tunnel2。
[Hub2] interface tunnel2 mode advpn udp
[Hub2-Tunnel2] ip address 192.168.0.2 255.255.255.0
[Hub2-Tunnel2] vam client Hub2Group0
[Hub2-Tunnel2] ospf network-type broadcast
[Hub2-Tunnel2] source gigabitethernet 0/1
[Hub2-Tunnel2] tunnel protection ipsec profile abc
[Hub2-Tunnel2] quit
(5) 配置Hub3
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub3Group0。
<Hub3> system-view
[Hub3] vam client name Hub3Group0
# 配置VAM Client所属的ADVPN域为abc。
[Hub3-vam-client-Hub3Group0] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub3-vam-client-Hub3Group0] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub3,密码为hub3。
[Hub3-vam-client-Hub3Group0] user hub3 password simple hub3
# 配置VAM Server的IP地址。
[Hub3-vam-client-Hub3Group0] server primary ip-address 1.0.0.11
[Hub3-vam-client-Hub3Group0] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Hub3-vam-client-Hub3Group0] client enable
[Hub3-vam-client-Hub3Group0] quit
# 创建VAM Client Hub3Group1。
[Hub3] vam client name Hub3Group1
# 配置VAM Client所属的ADVPN域为abc。
[Hub3-vam-client-Hub3Group1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub3-vam-client-Hub3Group1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub3,密码为hub3。
[Hub3-vam-client-Hub3Group1] user hub3 password simple hub3
# 配置VAM Server的IP地址。
[Hub3-vam-client-Hub3Group1] server primary ip-address 1.0.0.11
[Hub3-vam-client-Hub3Group1] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Hub3-vam-client-Hub3Group1] client enable
[Hub3-vam-client-Hub3Group1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Hub3] ike keychain abc
[Hub3-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub3-ike-keychain-abc] quit
[Hub3] ike profile abc
[Hub3-ike-profile-abc] keychain abc
[Hub3-ike-profile-abc] quit
# 配置IPsec安全框架。
[Hub3] ipsec transform-set abc
[Hub3-ipsec-transform-set-abc] encapsulation-mode transport
[Hub3-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub3-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub3-ipsec-transform-set-abc] quit
[Hub3] ipsec profile abc isakmp
[Hub3-ipsec-profile-isakmp-abc] transform-set abc
[Hub3-ipsec-profile-isakmp-abc] ike-profile abc
[Hub3-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Hub3] ospf 1
[Hub3-ospf-1] area 0
[Hub3-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub3-ospf-1-area-0.0.0.0] quit
[Hub3-ospf-1] area 2
[Hub3-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[Hub3-ospf-1-area-0.0.0.2] quit
[Hub3-ospf-1] quit
· 配置ADVPN隧道
# 配置UDP封装的IPv4 ADVPN隧道接口Tunnel1。
[Hub3] interface tunnel1 mode advpn udp
[Hub3-Tunnel1] ip address 192.168.2.1 255.255.255.0
[Hub3-Tunnel1] vam client Hub3Group1
[Hub3-Tunnel1] ospf network-type broadcast
[Hub3-Tunnel1] source gigabitethernet 0/1
[Hub3-Tunnel1] tunnel protection ipsec profile abc
[Hub3-Tunnel1] quit
# 配置UDP封装的IPv4 ADVPN隧道接口Tunnel2。
[Hub3] interface tunnel2 mode advpn udp
[Hub3-Tunnel2] ip address 192.168.0.3 255.255.255.0
[Hub3-Tunnel2] vam client Hub3Group0
[Hub3-Tunnel2] ospf network-type broadcast
[Hub3-Tunnel2] source gigabitethernet 0/1
[Hub3-Tunnel2] tunnel protection ipsec profile abc
[Hub3-Tunnel2] quit
(6) 配置Spoke1
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke1。
<Spoke1> system-view
[Spoke1] vam client name Spoke1
# 配置VAM Client所属的ADVPN域为abc。
[Spoke1-vam-client-Spoke1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke1,密码为spoke1。
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# 配置VAM Server的IP地址。
[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11
[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Spoke1] ospf 1
[Spoke1-ospf-1] area 1
[Spoke1-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.1] network 192.168.10.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.1] quit
[Spoke1-ospf-1] quit
· 配置ADVPN隧道
# 配置UDP封装的IPv4 ADVPN隧道接口Tunnel1。将Spoke1的DR优先级配置为0,以使Spoke1不参与DR/BDR选举。
[Spoke1] interface tunnel1 mode advpn udp
[Spoke1-Tunnel1] ip address 192.168.1.3 255.255.255.0
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] advpn network 192.168.10.0 255.255.255.0
[Spoke1-Tunnel1] source gigabitethernet 0/1
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit
(7) 配置Spoke2
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke2。
<Spoke2> system-view
[Spoke2] vam client name Spoke2
# 配置VAM Client所属的ADVPN域为abc。
[Spoke2-vam-client-Spoke2] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke2,密码为spoke2。
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# 配置VAM Server的IP地址。
[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.11
[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Spoke2] ospf 1
[Spoke2-ospf-1] area 1
[Spoke2-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.1] network 192.168.30.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.1] quit
[Spoke2-ospf-1] quit
· 配置ADVPN隧道
# 配置UDP封装的IPv4 ADVPN隧道接口Tunnel1。将Spoke2的DR优先级配置为0,以使Spoke2不参与DR/BDR选举。
[Spoke2] interface tunnel1 mode advpn udp
[Spoke2-Tunnel1] ip address 192.168.1.4 255.255.255.0
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] advpn network 192.168.20.0 255.255.255.0
[Spoke2-Tunnel1] advpn network 192.168.30.0 255.255.255.0
[Spoke2-Tunnel1] source gigabitethernet 0/1
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit
(8) 配置Spoke3
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke3。
<Spoke3> system-view
[Spoke3] vam client name Spoke3
# 配置VAM Client所属的ADVPN域为abc。
[Spoke3-vam-client-Spoke3] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke3-vam-client-Spoke3] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke3,密码为spoke3。
[Spoke3-vam-client-Spoke3] user spoke3 password simple spoke3
# 配置VAM Server的IP地址。
[Spoke3-vam-client-Spoke3] server primary ip-address 1.0.0.11
[Spoke3-vam-client-Spoke3] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Spoke3-vam-client-Spoke3] client enable
[Spoke3-vam-client-Spoke3] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke3] ike keychain abc
[Spoke3-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke3-ike-keychain-abc] quit
[Spoke3] ike profile abc
[Spoke3-ike-profile-abc] keychain abc
[Spoke3-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke3] ipsec transform-set abc
[Spoke3-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke3-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke3-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke3-ipsec-transform-set-abc] quit
[Spoke3] ipsec profile abc isakmp
[Spoke3-ipsec-profile-isakmp-abc] transform-set abc
[Spoke3-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke3-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Spoke3] ospf 1
[Spoke3-ospf-1] area 2
[Spoke3-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[Spoke3-ospf-1-area-0.0.0.2] network 192.168.40.0 0.0.0.255
[Spoke3-ospf-1-area-0.0.0.2] quit
[Spoke3-ospf-1] quit
· 配置ADVPN隧道
# 配置UDP封装的IPv4 ADVPN隧道接口Tunnel1。将Spoke3的DR优先级配置为0,以使Spoke3不参与DR/BDR选举。
[Spoke3] interface tunnel 1 mode advpn udp
[Spoke3-Tunnel1] ip address 192.168.2.2 255.255.255.0
[Spoke3-Tunnel1] vam client Spoke3
[Spoke3-Tunnel1] ospf network-type broadcast
[Spoke3-Tunnel1] ospf dr-priority 0
[Spoke3-Tunnel1] advpn network 192.168.40.0 255.255.255.0
[Spoke3-Tunnel1] source gigabitethernet 0/1
[Spoke3-Tunnel1] tunnel protection ipsec profile abc
[Spoke3-Tunnel1] quit
(9) 配置Spoke4
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke4。
<Spoke4> system-view
[Spoke4] vam client name Spoke4
# 配置VAM Client所属的ADVPN域为abc。
[Spoke4-vam-client-Spoke4] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke4-vam-client-Spoke4] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke4,密码为spoke4。
[Spoke4-vam-client-Spoke4] user spoke4 password simple spoke4
# 配置VAM Server的IP地址。
[Spoke4-vam-client-Spoke4] server primary ip-address 1.0.0.11
[Spoke4-vam-client-Spoke4] server secondary ip-address 1.0.0.12
# 开启VAM Client功能。
[Spoke4-vam-client-Spoke4] client enable
[Spoke4-vam-client-Spoke4] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke4] ike keychain abc
[Spoke4-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke4-ike-keychain-abc] quit
[Spoke4] ike profile abc
[Spoke4-ike-profile-abc] keychain abc
[Spoke4-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke4] ipsec transform-set abc
[Spoke4-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke4-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke4-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke4-ipsec-transform-set-abc] quit
[Spoke4] ipsec profile abc isakmp
[Spoke4-ipsec-profile-isakmp-abc] transform-set abc
[Spoke4-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke4-ipsec-profile-isakmp-abc] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Spoke4] ospf 1
[Spoke4-ospf-1] area 2
[Spoke4-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[Spoke4-ospf-1-area-0.0.0.2] network 192.168.50.0 0.0.0.255
[Spoke4-ospf-1-area-0.0.0.2] network 192.168.60.0 0.0.0.255
[Spoke4-ospf-1-area-0.0.0.2] quit
[Spoke4-ospf-1] quit
· 配置ADVPN隧道
# 配置UDP封装的IPv4 ADVPN隧道接口Tunnel1。将Spoke4的DR优先级配置为0,以使Spoke4不参与DR/BDR选举。
[Spoke4] interface tunnel1 mode advpn udp
[Spoke4-Tunnel1] ip address 192.168.2.3 255.255.255.0
[Spoke4-Tunnel1] vam client Spoke4
[Spoke4-Tunnel1] ospf network-type broadcast
[Spoke4-Tunnel1] ospf dr-priority 0
[Spoke4-Tunnel1] advpn network 192.168.50.0 255.255.255.0
[Spoke4-Tunnel1] advpn network 192.168.60.0 255.255.255.0
[Spoke4-Tunnel1] source gigabitethernet 0/1
[Spoke4-Tunnel1] tunnel protection ipsec profile abc
[Spoke4-Tunnel1] quit
# 显示注册到主VAM Server的所有VAM Client的IPv4私网地址映射信息。
[PrimaryServer] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 10
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.0.0.1 Hub No 0H 52M 7S
0 192.168.0.2 1.0.0.2 Hub No 0H 47M 31S
0 192.168.0.3 1.0.0.3 Hub No 0H 28M 25S
1 192.168.1.1 1.0.0.1 Hub No 0H 52M 7S
1 192.168.1.2 1.0.0.2 Hub No 0H 47M 31S
1 192.168.1.3 1.0.0.4 Spoke No 0H 18M 26S
1 192.168.1.4 1.0.0.5 Spoke No 0H 28M 25S
2 192.168.2.1 1.0.0.3 Hub No 0H 28M 25S
2 192.168.2.2 1.0.0.6 Spoke No 0H 25M 40S
2 192.168.2.3 1.0.0.7 Spoke No 0H 25M 31S
# 显示注册到备VAM Server的所有VAM Client的IPv4私网地址映射信息。
[SecondaryServer] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 10
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.0.0.1 Hub No 0H 52M 7S
0 192.168.0.2 1.0.0.2 Hub No 0H 47M 31S
0 192.168.0.3 1.0.0.3 Hub No 0H 28M 25S
1 192.168.1.1 1.0.0.1 Hub No 0H 52M 7S
1 192.168.1.2 1.0.0.2 Hub No 0H 47M 31S
1 192.168.1.3 1.0.0.4 Spoke No 0H 18M 26S
1 192.168.1.4 1.0.0.5 Spoke No 0H 28M 25S
2 192.168.2.1 1.0.0.3 Hub No 0H 28M 25S
2 192.168.2.2 1.0.0.6 Spoke No 0H 25M 40S
2 192.168.2.3 1.0.0.7 Spoke No 0H 25M 31S
以上显示信息表示Hub1、Hub2、Hub3、Spoke1、Spoke2、Spoke3和Spoke4均已将地址映射信息注册到VAM Server。
# 显示Hub1上的IPv4 ADVPN隧道信息。
[Hub1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.1.2 1.0.0.2 18001 H-H Success 0H 46M 8S
192.168.1.3 1.0.0.3 18001 H-S Success 0H 27M 27S
192.168.1.4 1.0.0.4 18001 H-S Success 0H 18M 18S
Interface : Tunnel2
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.2 1.0.0.2 18001 H-H Success 0H 46M 8S
192.168.0.3 1.0.0.3 18001 H-H Success 0H 27M 27S
以上显示信息表示Hub1与Hub2、Hub3、Spoke1、Spoke2建立了永久隧道。Hub2上的显示信息与Hub1类似。
# 显示Spoke1上的IPv4 ADVPN隧道信息。
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.1.1 1.0.0.1 18001 S-H Success 0H 46M 8S
192.168.1.2 1.0.0.2 18001 S-H Success 0H 46M 8S
以上显示信息表示Spoke1与Hub1、Hub2建立了Hub-Spoke永久隧道。Spoke2上的显示信息与Spoke1类似。
# 显示Spoke3上的IPv4 ADVPN隧道信息。
[Spoke3] display advpn session
Interface : Tunnel1
Number of sessions: 1
Private address Public address Port Type State Holding time
192.168.2.1 1.0.0.3 18001 S-H Success 0H 46M 8S
以上显示信息表示Spoke3与Hub3建立了Hub-Spoke永久隧道。Spoke4上的显示信息与Spoke3类似。
ADVPN域中包含的ADVPN节点较多,通过划分多个Hub组来减轻Hub的负担。具体需求如下:
· 主、备VAM Server负责管理、维护各个节点的信息。
· AAA服务器负责对VAM Client进行认证和计费管理。
· 将ADVPN域划分为三个Hub组:Hub1、Hub2和Hub3属于Hub组0;Hub1、Hub2、Spoke1和Spoke2属于Hub组1,两个Hub互为备份;Hub3、Spoke3和Spoke4属于Hub组2。
· Hub组1和Hub组2内采用Full-Mesh组网方式。
· 允许所有的Spoke建立跨Hub组的Spoke-Spoke直连隧道。
图1-12 IPv6划分多个Hub组ADVPN组网图
设备 |
接口 |
IP地址 |
设备 |
接口 |
IP地址 |
Hub 1 |
GE0/1 |
1::1/64 |
Spoke 1 |
GE0/1 |
1::4/64 |
|
Tunnel1 |
192:168:1::1/64 |
|
GE0/2 |
192:168:10::1/64 |
|
Tunnel2 |
192:168::1/64 |
|
Tunnel1 |
192:168:1::3/64 |
Hub 2 |
GE0/1 |
1::2/64 |
Spoke 2 |
GE0/1 |
1::5/64 |
|
Tunnel1 |
192:168:1::2/64 |
|
GE0/2 |
192:168:20::1/64 |
|
Tunnel2 |
192:168::2/64 |
|
GE0/3 |
192:168:30::1/64 |
Hub 3 |
GE0/1 |
1::3/64 |
|
Tunnel1 |
192:168:1::4/64 |
|
Tunnel1 |
192:168:2::1/64 |
Spoke 3 |
GE0/1 |
1::6/64 |
|
Tunnel2 |
192:168::3/64 |
|
GE0/2 |
192:168:40::1/64 |
AAA server |
|
1::10/64 |
|
Tunnel1 |
192:168:2::2/64 |
Primary server |
GE0/1 |
1::11/64 |
Spoke 4 |
GE0/1 |
1::7/64 |
Secondary server |
GE0/1 |
1::12/64 |
|
GE0/2 |
192:168:50::1/64 |
|
|
|
|
GE0/3 |
192:168:60::1/64 |
|
|
|
|
Tunnel1 |
192:168:2::3/64 |
(1) 配置主VAM Server
· 配置各个接口的IP地址(略)
· 配置AAA认证
# 配置RADIUS方案。
<PrimaryServer> system-view
[PrimaryServer] radius scheme abc
[PrimaryServer-radius-abc] primary authentication ipv6 1::10 1812
[PrimaryServer-radius-abc] primary accounting ipv6 1::10 1813
[PrimaryServer-radius-abc] key authentication simple 123
[PrimaryServer-radius-abc] key accounting simple 123
[PrimaryServer-radius-abc] user-name-format without-domain
[PrimaryServer-radius-abc] quit
[PrimaryServer] radius session-control enable
# 配置ISP域的AAA方案。
[PrimaryServer] domain abc
[PrimaryServer-isp-abc] authentication advpn radius-scheme abc
[PrimaryServer-isp-abc] accounting advpn radius-scheme abc
[PrimaryServer-isp-abc] quit
[PrimaryServer] domain default enable abc
· 配置VAM Server
# 创建ADVPN域abc。
[PrimaryServer] vam server advpn-domain abc id 1
# 创建Hub组0。
[PrimaryServer-vam-server-domain-abc] hub-group 0
# 指定Hub组内Hub的IPv6私网地址。
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::3
[PrimaryServer-vam-server-domain-abc-hub-group-0] quit
# 创建Hub组1。
[PrimaryServer-vam-server-domain-abc] hub-group 1
# 指定Hub组内Hub的IPv6私网地址。
[PrimaryServer-vam-server-domain-abc-hub-group-1] hub ipv6 private-address 192:168:1::1
[PrimaryServer-vam-server-domain-abc-hub-group-1] hub ipv6 private-address 192:168:1::2
# 指定Hub组内Spoke的IPv6私网地址范围。
[PrimaryServer-vam-server-domain-abc-hub-group-1] spoke ipv6 private-address network 192:168:1::0 64
# 允许建立跨组Spoke-Spoke直连隧道。
[PrimaryServer-vam-server-domain-abc-hub-group-1] shortcut ipv6 interest all
[PrimaryServer-vam-server-domain-abc-hub-group-1] quit
# 创建Hub组2。
[PrimaryServer-vam-server-domain-abc] hub-group 2
# 指定Hub组内Hub的IPv6私网地址。
[PrimaryServer-vam-server-domain-abc-hub-group-2] hub ipv6 private-address 192:168:2::1
# 指定Hub组内Spoke的IPv6私网地址范围。
[PrimaryServer-vam-server-domain-abc-hub-group-2] spoke ipv6 private-address network 192:168:2::0 64
[PrimaryServer-vam-server-domain-abc-hub-group-1] shortcut ipv6 interest all
[PrimaryServer-vam-server-domain-abc-hub-group-2] quit
# 配置VAM Server的预共享密钥为123456。
[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456
# 配置对VAM Client进行CHAP认证。
[PrimaryServer-vam-server-domain-abc] authentication-method chap
# 开启该ADVPN域的VAM Server功能。
[PrimaryServer-vam-server-domain-abc] server enable
[PrimaryServer-vam-server-domain-abc] quit
(2) 配置备VAM Server
除IP地址外,备VAM Server的ADVPN配置与主VAM Server相同,不再赘述。
(3) 配置Hub1
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub1Group0。
<Hub1> system-view
[Hub1] vam client name Hub1Group0
# 配置VAM Client所属的ADVPN域为abc。
[Hub1-vam-client-Hub1Group0] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub1-vam-client-Hub1Group0] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub1,密码为hub1。
[Hub1-vam-client-Hub1Group0] user hub1 password simple hub1
# 配置VAM Server的IP地址。
[Hub1-vam-client-Hub1Group0] server primary ipv6-address 1::11
[Hub1-vam-client-Hub1Group0] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Hub1-vam-client-Hub1Group0] client enable
[Hub1-vam-client-Hub1Group0] quit
# 创建VAM Client Hub1Group1。
[Hub1] vam client name Hub1Group1
# 配置VAM Client所属的ADVPN域为abc。
[Hub1-vam-client-Hub1Group1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub1-vam-client-Hub1Group1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub1,密码为hub1。
[Hub1-vam-client-Hub1Group1] user hub1 password simple hub1
# 配置VAM Server的IP地址。
[Hub1-vam-client-Hub1Group1] server primary ipv6-address 1::11
[Hub1-vam-client-Hub1Group1] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Hub1-vam-client-Hub1Group1] client enable
[Hub1-vam-client-Hub1Group1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# 配置IPsec安全框架。
[Hub1] ipsec transform-set abc
[Hub1-ipsec-transform-set-abc] encapsulation-mode transport
[Hub1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub1-ipsec-transform-set-abc] quit
[Hub1] ipsec profile abc isakmp
[Hub1-ipsec-profile-isakmp-abc] transform-set abc
[Hub1-ipsec-profile-isakmp-abc] ike-profile abc
[Hub1-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Hub1] ospfv3 1
[Hub1-ospfv3-1] router-id 0.0.0.1
[Hub1-ospfv3-1] area 0
[Hub1-ospfv3-1-area-0.0.0.0] quit
[Hub1-ospfv3-1] area 1
[Hub1-ospfv3-1-area-0.0.0.1] quit
[Hub1-ospfv3-1] quit
· 配置ADVPN隧道
# 配置UDP封装的IPv6 ADVPN隧道接口Tunnel1。
[Hub1] interface tunnel1 mode advpn udp ipv6
[Hub1-Tunnel1] ipv6 address 192:168:1::1 64
[Hub1-Tunnel1] ipv6 address fe80::1:1 link-local
[Hub1-Tunnel1] vam ipv6 client Hub1Group1
[Hub1-Tunnel1] ospfv3 1 area 1
[Hub1-Tunnel1] ospfv3 network-type broadcast
[Hub1-Tunnel1] source gigabitethernet 0/1
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] quit
# 配置UDP封装的IPv6 ADVPN隧道接口Tunnel2。
[Hub1] interface tunnel2 mode advpn udp ipv6
[Hub1-Tunnel2] ipv6 address 192:168::1 64
[Hub1-Tunnel2] ipv6 address fe80::1 link-local
[Hub1-Tunnel2] vam ipv6 client Hub1Group0
[Hub1-Tunnel2] ospfv3 1 area 0
[Hub1-Tunnel2] ospfv3 network-type broadcast
[Hub1-Tunnel2] source gigabitethernet 0/1
[Hub1-Tunnel2] tunnel protection ipsec profile abc
[Hub1-Tunnel2] quit
(4) 配置Hub2
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub2Group0。
<Hub2> system-view
[Hub2] vam client name Hub2Group0
# 配置VAM Client所属的ADVPN域为abc。
[Hub2-vam-client-Hub2Group0] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub2-vam-client-Hub2Group0] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub2,密码为hub2。
[Hub2-vam-client-Hub2Group0] user hub2 password simple hub2
# 配置VAM Server的IP地址。
[Hub2-vam-client-Hub2Group0] server primary ipv6-address 1::11
[Hub2-vam-client-Hub2Group0] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Hub2-vam-client-Hub2Group0] client enable
[Hub2-vam-client-Hub2Group0] quit
# 创建VAM Client Hub2Group1。
[Hub2] vam client name Hub2Group1
# 配置VAM Client所属的ADVPN域为abc。
[Hub2-vam-client-Hub2Group1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub2-vam-client-Hub2Group1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub2,密码为hub2。
[Hub2-vam-client-Hub2Group1] user hub2 password simple hub2
# 配置VAM Server的IP地址。
[Hub2-vam-client-Hub2Group1] server primary ipv6-address 1::11
[Hub2-vam-client-Hub2Group1] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Hub2-vam-client-Hub2Group1] client enable
[Hub2-vam-client-Hub2Group1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# 配置IPsec安全框架。
[Hub2] ipsec transform-set abc
[Hub2-ipsec-transform-set-abc] encapsulation-mode transport
[Hub2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Hub2] ospfv3 1
[Hub2-ospfv3-1] router-id 0.0.0.2
[Hub2-ospfv3-1] area 0
[Hub2-ospfv3-1-area-0.0.0.0] quit
[Hub2-ospfv3-1] area 1
[Hub2-ospfv3-1-area-0.0.0.1] quit
[Hub2-ospfv3-1] quit
· 配置ADVPN隧道
# 配置UDP封装的IPv6 ADVPN隧道接口Tunnel1。
[Hub2] interface tunnel1 mode advpn udp ipv6
[Hub2-Tunnel1] ipv6 address 192:168:1::2 64
[Hub2-Tunnel1] ipv6 address fe80::1:2 link-local
[Hub2-Tunnel1] vam ipv6 client Hub2Group1
[Hub2-Tunnel1] ospfv3 1 area 1
[Hub2-Tunnel1] ospfv3 network-type broadcast
[Hub2-Tunnel1] source gigabitethernet 0/1
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] quit
# 配置UDP封装的IPv6 ADVPN隧道接口Tunnel2。
[Hub2] interface tunnel2 mode advpn udp ipv6
[Hub2-Tunnel2] ipv6 address 192:168::2 64
[Hub2-Tunnel2] ipv6 address fe80::2 link-local
[Hub2-Tunnel2] vam ipv6 client Hub2Group0
[Hub2-Tunnel2] ospfv3 1 area 0
[Hub2-Tunnel2] ospfv3 network-type broadcast
[Hub2-Tunnel2] source gigabitethernet 0/1
[Hub2-Tunnel2] tunnel protection ipsec profile abc
[Hub2-Tunnel2] quit
(5) 配置Hub3
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub3Group0。
<Hub3> system-view
[Hub3] vam client name Hub3Group0
# 配置VAM Client所属的ADVPN域为abc。
[Hub3-vam-client-Hub3Group0] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub3-vam-client-Hub3Group0] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub3,密码为hub3。
[Hub3-vam-client-Hub3Group0] user hub3 password simple hub3
# 配置VAM Server的IP地址。
[Hub3-vam-client-Hub3Group0] server primary ipv6-address 1::11
[Hub3-vam-client-Hub3Group0] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Hub3-vam-client-Hub3Group0] client enable
[Hub3-vam-client-Hub3Group0] quit
# 创建VAM Client Hub3Group1。
[Hub3] vam client name Hub3Group1
# 配置VAM Client所属的ADVPN域为abc。
[Hub3-vam-client-Hub3Group1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub3-vam-client-Hub3Group1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub3,密码为hub3。
[Hub3-vam-client-Hub3Group1] user hub3 password simple hub3
# 配置VAM Server的IP地址。
[Hub3-vam-client-Hub3Group1] server primary ipv6-address 1::11
[Hub3-vam-client-Hub3Group1] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Hub3-vam-client-Hub3Group1] client enable
[Hub3-vam-client-Hub3Group1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Hub3] ike keychain abc
[Hub3-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Hub3-ike-keychain-abc] quit
[Hub3] ike profile abc
[Hub3-ike-profile-abc] keychain abc
[Hub3-ike-profile-abc] quit
# 配置IPsec安全框架。
[Hub3] ipsec transform-set abc
[Hub3-ipsec-transform-set-abc] encapsulation-mode transport
[Hub3-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub3-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub3-ipsec-transform-set-abc] quit
[Hub3] ipsec profile abc isakmp
[Hub3-ipsec-profile-isakmp-abc] transform-set abc
[Hub3-ipsec-profile-isakmp-abc] ike-profile abc
[Hub3-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Hub3] ospfv3 1
[Hub3-ospfv3-1] router-id 0.0.0.3
[Hub3-ospfv3-1] area 0
[Hub3-ospfv3-1-area-0.0.0.0] quit
[Hub3-ospfv3-1] area 2
[Hub3-ospfv3-1-area-0.0.0.2] quit
[Hub3-ospfv3-1] quit
· 配置ADVPN隧道
# 配置UDP封装的IPv6 ADVPN隧道接口Tunnel1。
[Hub3] interface tunnel1 mode advpn udp ipv6
[Hub3-Tunnel1] ipv6 address 192:168:2::1 64
[Hub3-Tunnel1] ipv6 address fe80::2:1 link-local
[Hub3-Tunnel1] vam ipv6 client Hub3Group1
[Hub3-Tunnel1] ospfv3 1 area 2
[Hub3-Tunnel1] ospfv3 network-type broadcast
[Hub3-Tunnel1] source gigabitethernet 0/1
[Hub3-Tunnel1] tunnel protection ipsec profile abc
[Hub3-Tunnel1] quit
# 配置UDP封装的IPv6 ADVPN隧道接口Tunnel2。
[Hub3] interface tunnel2 mode advpn udp ipv6
[Hub3-Tunnel2] ipv6 address 192:168::3 64
[Hub3-Tunnel2] ipv6 address fe80::3 link-local
[Hub3-Tunnel2] vam ipv6 client Hub3Group0
[Hub3-Tunnel2] ospfv3 1 area 0
[Hub3-Tunnel2] ospfv3 network-type broadcast
[Hub3-Tunnel2] source gigabitethernet 0/1
[Hub3-Tunnel2] tunnel protection ipsec profile abc
[Hub3-Tunnel2] quit
(6) 配置Spoke1
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke1。
<Spoke1> system-view
[Spoke1] vam client name Spoke1
# 配置VAM Client所属的ADVPN域为abc。
[Spoke1-vam-client-Spoke1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke1,密码为spoke1。
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# 配置VAM Server的IP地址。
[Spoke1-vam-client-Spoke1] server primary ipv6-address 1::11
[Spoke1-vam-client-Spoke1] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Spoke1-ike-keychain-abc] quit
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke1] ipsec transform-set abc
[Spoke1-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke1-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke1-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-abc] quit
[Spoke1] ipsec profile abc isakmp
[Spoke1-ipsec-profile-isakmp-abc] transform-set abc
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Spoke1] ospfv3 1
[Spoke1-ospfv3-1] router-id 0.0.0.4
[Spoke1-ospfv3-1] area 1
[Spoke1-ospfv3-1-area-0.0.0.1] quit
[Spoke1-ospfv3-1] quit
[Spoke1] interface gigabitethernet 0/2
[Spoke1-GigabitEthernet0/2] ospfv3 1 area 1
[Spoke1-GigabitEthernet0/2] quit
· 配置ADVPN隧道
# 配置UDP封装的IPv6 ADVPN隧道接口Tunnel1。将Spoke1的DR优先级配置为0,以使Spoke1不参与DR/BDR选举。
[Spoke1] interface tunnel1 mode advpn udp ipv6
[Spoke1-Tunnel1] ipv6 address 192:168:1::3 64
[Spoke1-Tunnel1] ipv6 address fe80::1:3 link-local
[Spoke1-Tunnel1] vam ipv6 client Spoke1
[Spoke1-Tunnel1] ospfv3 1 area 1
[Spoke1-Tunnel1] ospfv3 network-type broadcast
[Spoke1-Tunnel1] ospfv3 dr-priority 0
[Spoke1-Tunnel1] advpn ipv6 network 192:168:10::0 64
[Spoke1-Tunnel1] source gigabitethernet 0/1
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] quit
(7) 配置Spoke2
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke2。
<Spoke2> system-view
[Spoke2] vam client name Spoke2
# 配置VAM Client所属的ADVPN域为abc。
[Spoke2-vam-client-Spoke2] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke2,密码为spoke2。
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# 配置VAM Server的IP地址。
[Spoke2-vam-client-Spoke2] server primary ipv6-address 1::11
[Spoke2-vam-client-Spoke2] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke2] ipsec transform-set abc
[Spoke2-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke2-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke2-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke2-ipsec-transform-set-abc] quit
[Spoke2] ipsec profile abc isakmp
[Spoke2-ipsec-profile-isakmp-abc] transform-set abc
[Spoke2-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke2-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Spoke2] ospfv3 1
[Spoke2-ospfv3-1] router-id 0.0.0.5
[Spoke2-ospfv3-1] area 1
[Spoke2-ospfv3-1-area-0.0.0.1] quit
[Spoke2-ospfv3-1] quit
[Spoke1] interface gigabitethernet 0/2
[Spoke1-GigabitEthernet0/2] ospfv3 1 area 1
[Spoke1-GigabitEthernet0/2] quit
[Spoke1] interface gigabitethernet 0/3
[Spoke1-GigabitEthernet0/3] ospfv3 1 area 1
[Spoke1-GigabitEthernet0/3] quit
· 配置ADVPN隧道
# 配置UDP封装的IPv6 ADVPN隧道接口Tunnel1。将Spoke2的DR优先级配置为0,以使Spoke2不参与DR/BDR选举。
[Spoke2] interface tunnel1 mode advpn udp ipv6
[Spoke2-Tunnel1] ipv6 address 192:168:1::4 64
[Spoke2-Tunnel1] ipv6 address fe80::1:4 link-local
[Spoke2-Tunnel1] vam ipv6 client Spoke2
[Spoke2-Tunnel1] ospfv3 1 area 1
[Spoke2-Tunnel1] ospfv3 network-type broadcast
[Spoke2-Tunnel1] ospfv3 dr-priority 0
[Spoke2-Tunnel1] advpn ipv6 network 192:168:20::0 64
[Spoke2-Tunnel1] advpn ipv6 network 192:168:30::0 64
[Spoke2-Tunnel1] source gigabitethernet 0/1
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] quit
(8) 配置Spoke3
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke3。
<Spoke3> system-view
[Spoke3] vam client name Spoke3
# 配置VAM Client所属的ADVPN域为abc。
[Spoke3-vam-client-Spoke3] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke3-vam-client-Spoke3] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke3,密码为spoke3。
[Spoke3-vam-client-Spoke3] user spoke3 password simple spoke3
# 配置VAM Server的IP地址。
[Spoke3-vam-client-Spoke3] server primary ipv6-address 1::11
[Spoke3-vam-client-Spoke3] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Spoke3-vam-client-Spoke3] client enable
[Spoke3-vam-client-Spoke3] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke3] ike keychain abc
[Spoke3-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Spoke3-ike-keychain-abc] quit
[Spoke3] ike profile abc
[Spoke3-ike-profile-abc] keychain abc
[Spoke3-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke3] ipsec transform-set abc
[Spoke3-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke3-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke3-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke3-ipsec-transform-set-abc] quit
[Spoke3] ipsec profile abc isakmp
[Spoke3-ipsec-profile-isakmp-abc] transform-set abc
[Spoke3-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke3-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Spoke3] ospfv3 1
[Spoke3-ospfv3-1] router-id 0.0.0.6
[Spoke3-ospfv3-1] area 2
[Spoke3-ospfv3-1-area-0.0.0.2] quit
[Spoke3-ospfv3-1] quit
[Spoke3] interface gigabitethernet 0/2
[Spoke3-GigabitEthernet0/2] ospfv3 1 area 2
[Spoke3-GigabitEthernet0/2] quit
· 配置ADVPN隧道
# 配置UDP封装的IPv6 ADVPN隧道接口Tunnel1。将Spoke3的DR优先级配置为0,以使Spoke3不参与DR/BDR选举。
[Spoke3] interface tunnel1 mode advpn udp ipv6
[Spoke3-Tunnel1] ipv6 address 192:168:2::2 64
[Spoke3-Tunnel1] ipv6 address fe80::2:2 link-local
[Spoke3-Tunnel1] vam ipv6 client Spoke3
[Spoke3-Tunnel1] ospfv3 1 area 2
[Spoke3-Tunnel1] ospfv3 network-type broadcast
[Spoke3-Tunnel1] ospfv3 dr-priority 0
[Spoke3-Tunnel1] advpn ipv6 network 192:168:40::0 64
[Spoke3-Tunnel1] source gigabitethernet 0/1
[Spoke3-Tunnel1] tunnel protection ipsec profile abc
[Spoke3-Tunnel1] quit
(9) 配置Spoke4
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke4。
<Spoke4> system-view
[Spoke4] vam client name Spoke4
# 配置VAM Client所属的ADVPN域为abc。
[Spoke4-vam-client-Spoke4] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke4-vam-client-Spoke4] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke4,密码为spoke4。
[Spoke4-vam-client-Spoke4] user spoke4 password simple spoke4
# 配置VAM Server的IP地址。
[Spoke4-vam-client-Spoke4] server primary ipv6-address 1::11
[Spoke4-vam-client-Spoke4] server secondary ipv6-address 1::12
# 开启VAM Client功能。
[Spoke4-vam-client-Spoke4] client enable
[Spoke4-vam-client-Spoke4] quit
· 配置IPsec安全框架
# 配置IKE框架。
[Spoke4] ike keychain abc
[Spoke4-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Spoke4-ike-keychain-abc] quit
[Spoke4] ike profile abc
[Spoke4-ike-profile-abc] keychain abc
[Spoke4-ike-profile-abc] quit
# 配置IPsec安全框架。
[Spoke4] ipsec transform-set abc
[Spoke4-ipsec-transform-set-abc] encapsulation-mode transport
[Spoke4-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke4-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke4-ipsec-transform-set-abc] quit
[Spoke4] ipsec profile abc isakmp
[Spoke4-ipsec-profile-isakmp-abc] transform-set abc
[Spoke4-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke4-ipsec-profile-isakmp-abc] quit
· 配置OSPFv3路由
# 启动OSPFv3,以发布私网的路由信息。
[Spoke4] ospfv3 1
[Spoke4-ospfv3-1] router-id 0.0.0.7
[Spoke4-ospfv3-1] area 2
[Spoke4-ospfv3-1-area-0.0.0.2] quit
[Spoke4-ospfv3-1] quit
[Spoke4] interface gigabitethernet 0/2
[Spoke4-GigabitEthernet0/2] ospfv3 1 area 2
[Spoke4-GigabitEthernet0/2] quit
[Spoke4] interface gigabitethernet 0/3
[Spoke4-GigabitEthernet0/3] ospfv3 1 area 2
[Spoke4-GigabitEthernet0/3] quit
· 配置ADVPN隧道
# 配置UDP封装的IPv6 ADVPN隧道接口Tunnel1。将Spoke4的DR优先级配置为0,以使Spoke4不参与DR/BDR选举。
[Spoke4] interface tunnel1 mode advpn udp ipv6
[Spoke4-Tunnel1] ipv6 address 192:168:2::3 64
[Spoke4-Tunnel1] ipv6 address fe80::2:3 link-local
[Spoke4-Tunnel1] vam ipv6 client Spoke4
[Spoke4-Tunnel1] ospfv3 1 area 2
[Spoke4-Tunnel1] ospfv3 network-type broadcast
[Spoke4-Tunnel1] ospfv3 dr-priority 0
[Spoke4-Tunnel1] advpn ipv6 network 192:168:50::0 64
[Spoke4-Tunnel1] advpn ipv6 network 192:168:60::0 64
[Spoke4-Tunnel1] source gigabitethernet 0/1
[Spoke4-Tunnel1] tunnel protection ipsec profile abc
[Spoke4-Tunnel1] quit
# 显示注册到主VAM Server的所有VAM Client的IPv6私网地址映射信息。
[PrimaryServer] display vam server ipv6 address-map
ADVPN domain name: abc
Total private address mappings: 10
Group Private address Public address Type NAT Holding time
0 192:168::1 1::1 Hub No 0H 52M 7S
0 192:168::2 1::2 Hub No 0H 47M 31S
0 192:168::3 1::3 Hub No 0H 28M 25S
1 192:168:1::1 1::1 Hub No 0H 52M 7S
1 192:168:1::2 1::2 Hub No 0H 47M 31S
1 192:168:1::3 1::4 Spoke No 0H 18M 26S
1 192:168:1::4 1::5 Spoke No 0H 28M 25S
2 192:168:2::1 1::3 Hub No 0H 28M 25S
2 192:168:2::2 1::6 Spoke No 0H 25M 40S
2 192:168:2::3 1::7 Spoke No 0H 25M 31S
# 显示注册到备VAM Server的所有VAM Client的IPv6私网地址映射信息。
[SecondaryServer] display vam server ipv6 address-map
ADVPN domain name: abc
Total private address mappings: 10
Group Private address Public address Type NAT Holding time
0 192:168::1 1::1 Hub No 0H 52M 7S
0 192:168::2 1::2 Hub No 0H 47M 31S
0 192:168::3 1::3 Hub No 0H 28M 25S
1 192:168:1::1 1::1 Hub No 0H 52M 7S
1 192:168:1::2 1::2 Hub No 0H 47M 31S
1 192:168:1::3 1::4 Spoke No 0H 18M 26S
1 192:168:1::4 1::5 Spoke No 0H 28M 25S
2 192:168:2::1 1::3 Hub No 0H 28M 25S
2 192:168:2::2 1::6 Spoke No 0H 25M 40S
2 192:168:2::3 1::7 Spoke No 0H 25M 31S
以上显示信息表示Hub1、Hub2、Hub3、Spoke1、Spoke2、Spoke3和Spoke4均已将地址映射信息注册到VAM Server。
# 显示Hub1上的IPv6 ADVPN隧道信息。
[Hub1] display advpn ipv6 session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192:168:1::2 1::2 18001 H-H Success 0H 46M 8S
192:168:1::3 1::3 18001 H-S Success 0H 27M 27S
192:168:1::4 1::4 18001 H-S Success 0H 18M 18S
Interface : Tunnel2
Number of sessions: 2
Private address Public address Port Type State Holding time
192:168::2 1::2 18001 H-H Success 0H 46M 8S
192:168::3 1::3 18001 H-H Success 0H 27M 27S
以上显示信息表示Hub1与Hub2、Hub3、Spoke1、Spoke2建立了永久隧道。Hub2上的显示信息与Hub1类似。
# 显示Spoke1上的IPv6 ADVPN隧道信息。
[Spoke1] display advpn ipv6 session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192:168:1::1 1::1 18001 S-H Success 0H 46M 8S
192:168:1::2 1::2 18001 S-H Success 0H 46M 8S
以上显示信息表示Spoke1与Hub1、Hub2建立了Hub-Spoke永久隧道。Spoke2上的显示信息与Spoke1类似。
# 显示Spoke3上的IPv6 ADVPN隧道信息。
[Spoke3] display advpn ipv6 session
Interface : Tunnel1
Number of sessions: 1
Private address Public address Port Type State Holding time
192:168:2::1 1::3 18001 S-H Success 0H 46M 8S
以上显示信息表示Spoke3与Hub3建立了Hub-Spoke永久隧道。Spoke4上的显示信息与Spoke3类似。
· 在IPv4 Full-Mesh的组网方式下,主、备VAM Server负责管理、维护各个节点的信息;AAA服务器负责对VAM Client进行认证和计费管理;两个Hub互为备份,负责数据的转发和路由信息的交换。
· Spoke与Hub之间建立永久的ADVPN隧道。
· 同一ADVPN域中,任意的两个Spoke之间在有数据时动态建立ADVPN隧道。
· VAM Server和各个节点均在NAT网关之后。
图1-13 IPv4 Full-Mesh穿越NAT类型ADVPN组网图
设备 |
接口 |
IP地址 |
设备 |
接口 |
IP地址 |
|
|||||
Hub 1 |
GE0/1 |
10.0.0.2/24 |
Spoke 1 |
GE0/1 |
10.0.0.2/24 |
||||||
|
Tunnel1 |
192.168.0.1/24 |
|
GE0/2 |
192.168.1.1/24 |
||||||
Hub 2 |
GE0/1 |
10.0.0.3/24 |
|
Tunnel1 |
192.168.0.3/24 |
||||||
|
Tunnel1 |
192.168.0.2/24 |
Spoke 2 |
GE0/1 |
10.0.0.2/24 |
||||||
NAT1 |
GE0/1 |
1.0.0.1/24 |
|
GE0/2 |
192.168.2.1/24 |
||||||
|
GE0/2 |
10.0.0.1/24 |
|
Tunnel1 |
192.168.0.4/24 |
||||||
NAT2 |
GE0/1 |
1.0.0.2/24 |
NAT4 |
GE0/1 |
1.0.0.4/24 |
||||||
|
GE0/2 |
10.0.0.1/24 |
|
GE0/2 |
10.0.0.1/24 |
||||||
NAT3 |
GE0/1 |
1.0.0.3/24 |
AAA server |
|
10.0.0.2/24 |
||||||
|
GE0/2 |
10.0.0.1/24 |
Primary server |
GE0/1 |
10.0.0.3/24 |
||||||
|
|
|
Secondary server |
GE0/1 |
10.0.0.4/24 |
||||||
(1) 配置主VAM Server
· 配置各个接口的IP地址(略)
· 配置AAA认证
# 配置RADIUS方案。
<PrimaryServer> system-view
[PrimaryServer] radius scheme abc
[PrimaryServer-radius-abc] primary authentication 10.0.0.2 1812
[PrimaryServer-radius-abc] primary accounting 10.0.0.2 1813
[PrimaryServer-radius-abc] key authentication simple 123
[PrimaryServer-radius-abc] key accounting simple 123
[PrimaryServer-radius-abc] user-name-format without-domain
[PrimaryServer-radius-abc] quit
[PrimaryServer] radius session-control enable
# 配置ISP域的AAA方案。
[PrimaryServer] domain abc
[PrimaryServer-isp-abc] authentication advpn radius-scheme abc
[PrimaryServer-isp-abc] accounting advpn radius-scheme abc
[PrimaryServer-isp-abc] quit
[PrimaryServer] domain default enable abc
· 配置VAM Server
# 创建ADVPN域abc。
[PrimaryServer] vam server advpn-domain abc id 1
# 创建Hub组0。
[PrimaryServer-vam-server-domain-abc] hub-group 0
# 指定Hub组内的Hub:
· Hub1:IPv4私网地址为192.168.0.1,公网地址为1.0.0.1(NAT转换后的地址),ADVPN报文的源UDP端口号为4001(NAT转换后的UDP端口号)。
· Hub2:IPv4私网地址为192.168.0.2,公网地址为1.0.0.1(NAT转换后的地址),ADVPN报文的源UDP端口号为4002(NAT转换后的UDP端口号)。
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1 public-address 1.0.0.1 advpn-port 4001
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2 public-address 1.0.0.1 advpn-port 4002
# 指定Hub组内Spoke的IPv4私网地址范围。
[PrimaryServer-vam-server-domain-abc-hub-group-0] spoke private-address network 192.168.0.0 255.255.255.0
[PrimaryServer-vam-server-domain-abc-hub-group-0] quit
# 配置VAM Server的预共享密钥为123456。
[PrimaryServer-vam-server-domain-abc] pre-shared-key simple 123456
# 配置对VAM Client进行CHAP认证。
[PrimaryServer-vam-server-domain-abc] authentication-method chap
# 配置VAM Client发送Keepalive报文的时间间隔为10秒,重发次数为3次。
[PrimaryServer-vam-server-domain-abc] keepalive interval 10 retry 3
# 开启该ADVPN域的VAM Server功能。
[PrimaryServer-vam-server-domain-abc] server enable
[PrimaryServer-vam-server-domain-abc] quit
· 配置默认路由。
[PrimaryServer] ip route-static 0.0.0.0 0 10.0.0.1
(2) 配置备VAM Server
除IP地址外,备VAM Server的ADVPN配置与主VAM Server相同,不再赘述。
(3) 配置Hub1
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub1。
<Hub1> system-view
[Hub1] vam client name Hub1
# 配置VAM Client所属的ADVPN域为abc。
[Hub1-vam-client-Hub1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub1-vam-client-Hub1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub1,密码为hub1。
[Hub1-vam-client-Hub1] user hub1 password simple hub1
# 配置主VAM Server的IP地址为1.0.0.4(NAT转换后的地址),端口号为4001(NAT转换后的端口号)。
[Hub1-vam-client-Hub1] server primary ip-address 1.0.0.4 port 4001
# 配置备VAM Server的IP地址为1.0.0.4(NAT转换后的地址),端口号为4002(NAT转换后的端口号)。
[Hub1-vam-client-Hub1] server secondary ip-address 1.0.0.4 port 4002
# 开启VAM Client功能。
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit
# 配置默认路由。
[Hub1] ip route-static 0.0.0.0 0 10.0.0.1
· 配置ADVPN隧道
# 配置UDP封装的IPv4 ADVPN隧道接口Tunnel1。
[Hub1] interface tunnel 1 mode advpn udp
[Hub1-Tunnel1] ip address 192.168.0.1 255.255.255.0
[Hub1-Tunnel1] vam client Hub1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] source gigabitethernet 0/1
[Hub1-Tunnel1] quit
(4) 配置Hub2
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Hub2。
<Hub2> system-view
[Hub2] vam client name Hub2
# 配置VAM Client所属的ADVPN域为abc。
[Hub2-vam-client-Hub2] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Hub2-vam-client-Hub2] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为hub2,密码为hub2。
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# 配置VAM Server的IP地址。
[Hub2-vam-client-Hub2] server primary ip-address 1.0.0.4 port 4001
[Hub2-vam-client-Hub2] server secondary ip-address 1.0.0.4 port 4002
# 开启VAM Client功能。
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Hub2] ospf 1
[Hub2-ospf-1] area 0
[Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit
# 配置默认路由。
[Hub2] ip route-static 0.0.0.0 0 10.0.0.1
· 配置ADVPN隧道
# 配置UDP封装的IPv4 ADVPN隧道接口Tunnel1。
[Hub2] interface tunnel1 mode advpn udp
[Hub2-Tunnel1] ip address 192.168.0.2 255.255.255.0
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] source gigabitethernet 0/1
[Hub2-Tunnel1] quit
(5) 配置Spoke1
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke1。
<Spoke1> system-view
[Spoke1] vam client name Spoke1
# 配置VAM Client所属的ADVPN域为abc。
[Spoke1-vam-client-Spoke1] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke1,密码为spoke1。
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# 配置VAM Server的IP地址。
[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.4 port 4001
[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.4 port 4002
# 开启VAM Client功能。
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Spoke1] ospf 1
[Spoke1-ospf-1] area 0
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
# 配置默认路由。
[Spoke1] ip route-static 0.0.0.0 0 10.0.0.1
· 配置ADVPN隧道
# 配置UDP封装的IPv4 ADVPN隧道接口Tunnel1。将Spoke1的DR优先级配置为0,以使Spoke1不参与DR/BDR选举。
[Spoke1] interface tunnel1 mode advpn udp
[Spoke1-Tunnel1] ip address 192.168.0.3 255.255.255.0
[Spoke1-Tunnel1] vam client Spoke1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source gigabitethernet 0/1
[Spoke1-Tunnel1] quit
(6) 配置Spoke2
· 配置各接口的IP地址(略)
· 配置VAM Client
# 创建VAM Client Spoke2。
<Spoke2> system-view
[Spoke2] vam client name Spoke2
# 配置VAM Client所属的ADVPN域为abc。
[Spoke2-vam-client-Spoke2] advpn-domain abc
# 配置VAM Client的预共享密钥。
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# 配置VAM Client的认证用户名为spoke2,密码为spoke2。
[Spoke2-vam-client-Spoke2] user spoke2 password simple spoke2
# 配置VAM Server的IP地址。
[Spoke2-vam-client-Spoke2] server primary ip-address 1.0.0.4 port 4001
[Spoke2-vam-client-Spoke2] server secondary ip-address 1.0.0.4 port 4002
# 开启VAM Client功能。
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
· 配置OSPF路由
# 配置私网的路由信息。
[Spoke2] ospf 1
[Spoke2-ospf-1] area 0
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit
# 配置默认路由。
[Spoke2] ip route-static 0.0.0.0 0 10.0.0.1
· 配置ADVPN隧道
# 配置UDP封装的IPv4 ADVPN隧道接口Tunnel1。将Spoke2的DR优先级配置为0,以使Spoke2不参与DR/BDR选举。
[Spoke2] interface tunnel1 mode advpn udp
[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] source gigabitethernet 0/1
[Spoke2-Tunnel1] quit
(7) 配置NAT1
· 配置各接口的IP地址(略)
· 配置NAT内部服务器
# 配置ACL 2000,允许对内部网络中10.0.0.0/24网段的报文进行地址转换。
<NAT1> system-view
[NAT1] acl basic 2000
[NAT1-acl-basic-2000] rule permit source 10.0.0.0 0.0.0.255
[NAT1-acl-basic-2000] quit
# 在接口GigabitEthernet0/1上配置NAT内部服务器,允许外网ADVPN节点使用地址1.0.0.1访问内网Hub1和Hub2。Hub1和Hub2使用的ADVPN报文源UDP端口号均为缺省值18001,NAT映射的外网端口号分别为4001和4002。
[NAT1] interface gigabitethernet 0/1
[NAT1-GigabitEthernet0/1] nat server protocol udp global current-interface 4001 inside 10.0.0.2 18001
[NAT1-GigabitEthernet0/1] nat server protocol udp global current-interface 4002 inside 10.0.0.3 18001
[NAT1-GigabitEthernet0/1] nat outbound 2000
[NAT1-GigabitEthernet0/1] quit
# 在接口GigabitEthernet0/2上开启NAT hairpin功能。
[NAT1] interface gigabitethernet 0/2
[NAT1-GigabitEthernet0/2] nat hairpin enable
[NAT1-GigabitEthernet0/2] quit
(8) 配置NAT2
· 配置各接口的IP地址(略)
· 配置NAT内部服务器
# 配置ACL 2000,允许对内部网络中10.0.0.0/24网段的报文进行地址转换。
<NAT2> system-view
[NAT2] acl basic 2000
[NAT2-acl-basic-2000] rule permit source 10.0.0.0 0.0.0.255
[NAT2-acl-basic-2000] quit
# 创建地址组1。
[NAT2] nat address-group 1
# 添加地址组成员1.0.0.2。
[NAT2-nat-address-group-1] address 1.0.0.2 1.0.0.2
[NAT2-nat-address-group-1] quit
# 在接口GigabitEthernet0/1上配置内网可以进行目的地址转换。
[NAT2] interface gigabitethernet 0/1
[NAT2-GigabitEthernet0/1] nat outbound 2000 address-group 1
[NAT2-GigabitEthernet0/1] quit
# 配置PAT方式下的地址转换模式为EIM,即只要是来自相同源地址和源端口号的且匹配ACL 2000的报文,不论其目的地址是否相同,通过PAT转换后,其源地址和源端口号都被转换为同一个外部地址和端口号。
[NAT2] nat mapping-behavior endpoint-independent acl 2000
(9) 配置NAT3
NAT3的配置与NAT2的配置相似,这里省略。
(10) 配置NAT4
· 配置各接口的IP地址(略)
· 配置NAT内部服务器
# 在接口GigabitEthernet0/1上配置NAT内部服务器,允许外网VAM Client使用地址1.0.0.4访问内网的VAM Server。VAM报文的源UDP端口号固定为18000,主、备VAM server通过NAT映射的外网端口号分别为4001和4002。
<NAT4> system-view
[NAT4] interface gigabitethernet 0/1
[NAT4-GigabitEthernet0/1] nat server protocol udp global current-interface 4001 inside 10.0.0.3 18000
[NAT4-GigabitEthernet0/1] nat server protocol udp global current-interface 4002 inside 10.0.0.4 18000
# 显示注册到主VAM Server的所有VAM Client的IPv4私网地址映射信息。
[PrimaryServer] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.0.0.1 Hub Yes 0H 52M 7S
0 192.168.0.2 1.0.0.1 Hub Yes 0H 47M 31S
0 192.168.0.3 1.0.0.2 Spoke Yes 0H 28M 25S
0 192.168.0.4 1.0.0.3 Spoke Yes 0H 19M 15S
# 显示注册到备VAM Server的所有VAM Client的IPv4私网地址映射信息。
[SecondaryServer] display vam server address-map
ADVPN domain name: abc
Total private address mappings: 4
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.0.0.1 Hub Yes 0H 52M 7S
0 192.168.0.2 1.0.0.1 Hub Yes 0H 47M 31S
0 192.168.0.3 1.0.0.2 Spoke Yes 0H 28M 25S
0 192.168.0.4 1.0.0.3 Spoke Yes 0H 19M 15S
以上显示信息表示Hub1、Hub2、Spoke1和Spoke2均已将地址映射信息注册到VAM Server。
# 显示Hub1上的IPv4 ADVPN隧道信息。
[Hub1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.2 1.0.0.1 4002 H-H Success 0H 46M 8S
192.168.0.3 1.0.0.2 2001 H-S Success 0H 27M 27S
192.168.0.4 1.0.0.3 2001 H-S Success 0H 18M 18S
以上显示信息表示Hub1与Hub2、Spoke1、Spoke2建立了永久隧道。Hub2上的显示信息与Hub1类似。
# 显示Spoke1上的IPv4 ADVPN隧道信息。
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.0.1 1.0.0.1 4001 S-H Success 0H 46M 8S
192.168.0.2 1.0.0.1 4002 S-H Success 0H 46M 8S
以上显示信息表示Spoke1与Hub1、Hub2建立了Hub-Spoke永久隧道。Spoke2上的显示信息与Spoke1类似。
# 在Spoke1上ping Spoke2的私网地址192.168.0.4。
[Spoke1] ping 192.168.0.4
Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms
56 bytes from 192.168.0.4: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 192.168.0.4 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/1.000/4.000/1.549 ms
# 显示Spoke1上的IPv4 ADVPN隧道信息。
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 3
Private address Public address Port Type State Holding time
192.168.0.1 1.0.0.1 4001 S-H Success 0H 46M 8S
192.168.0.2 1.0.0.1 4002 S-H Success 0H 46M 8S
192.168.0.4 1.0.0.3 2001 S-S Success 0H 0M 1S
以上显示信息表示Spoke1与Hub1、Hub2建立了Hub-Spoke永久隧道。Spoke1与Spoke2建立了Spoke-Spoke临时隧道。Spoke2上的显示信息与Spoke1类似。
不同款型规格的资料略有差异, 详细信息请向具体销售和400咨询。H3C保留在没有任何通知或提示的情况下对资料内容进行修改的权利!