The following is excerpted from 《H3C路由器配置与管理完全手册》(2nd edition; H3C Router Configuration and Management Complete Manual), one volume of a four-book set of networking-equipment titles whose other three volumes are 《Cisco交换机配置与管理完全手册》(2nd edition), 《Cisco路由器配置与管理完全手册》(2nd edition) and 《H3C交换机配置与管理完全手册》(2nd edition).


15.3.1  Comprehensive configuration example for a full-mesh DVPN

The topology of this example is shown in Figure 15-6. The whole DVPN network is a full-mesh structure, and the IP address assigned to each device interface is listed in Table 15-15. In the example, the primary and backup VAM servers manage and maintain the information of every node; the AAA server authenticates the VAM clients and handles their accounting; the two hubs back each other up and are responsible for forwarding data and exchanging routing information. Permanent tunnels are established between the spokes and the hubs: Spoke 1 builds DVPN connections to the other VAM clients through a single tunnel interface, Tunnel1; Spoke 3 does so through a single tunnel interface, Tunnel2; and Spoke 2 does so through two tunnel interfaces, Tunnel1 and Tunnel2. Within the same VPN domain, any two spokes can dynamically establish a direct tunnel between them when there is data to transmit.


Figure 15-6  Topology of the full-mesh DVPN configuration example

Table 15-15  Device interface IP address assignment in the full-mesh DVPN configuration example

Device              Interface      IP address
Hub 1               Eth1/1         192.168.1.1/24
                    Tunnel1        10.0.1.1/24
                    Tunnel2        10.0.2.1/24
Hub 2               Eth1/1         192.168.1.2/24
                    Tunnel1        10.0.1.2/24
                    Tunnel2        10.0.2.2/24
VAM server          Eth1/1         192.168.1.22/24
Backup VAM server   Eth1/1         192.168.1.33/24
AAA server          (not listed)   192.168.1.11/24
Spoke 1             Eth1/1         192.168.1.3/24
                    Eth1/2         10.0.3.1/24
                    Tunnel1        10.0.1.3/24
Spoke 2             Eth1/1         192.168.1.4/24
                    Eth1/2         10.0.4.1/24
                    Tunnel1        10.0.1.4/24
                    Tunnel2        10.0.2.4/24
Spoke 3             Eth1/1         192.168.1.5/24
                    Eth1/2         10.0.5.1/24
                    Tunnel2        10.0.2.3/24

Following the basic DVPN configuration approach introduced in Section 15.2, the concrete configuration steps for the hub routers, the spoke routers and the VAM servers are easily derived, as follows.

I. Configuring the primary VAM server

1) Configure the IP address of the primary VAM server as marked in the figure (omitted).

2) Configure AAA authentication (the scheme is RADIUS).

system-view
[MainServer] radius scheme rad1   !--- Create a RADIUS scheme named rad1
[MainServer-radius-rad1] primary authentication 192.168.1.11 1812   !--- Set the primary RADIUS authentication/authorization server to 192.168.1.11, using the default UDP port 1812
[MainServer-radius-rad1] primary accounting 192.168.1.11 1813   !--- Set the primary RADIUS accounting server to 192.168.1.11, using the default UDP port 1813
[MainServer-radius-rad1] key authentication lycb   !--- Set the shared key for RADIUS authentication/authorization packets to lycb
[MainServer-radius-rad1] key accounting lycb   !--- Set the shared key for RADIUS accounting packets to lycb
[MainServer-radius-rad1] server-type standard   !--- Use a standard RADIUS server; the alternative "extended" option declares a server that supports the vendor's proprietary RADIUS extensions
[MainServer-radius-rad1] user-name-format with-domain   !--- Send user names to the RADIUS server with the ISP domain name, in the form userid@isp-name; the alternative "without-domain" strips the domain, in which case user names must not be reused across domains
[MainServer-radius-rad1] quit

3) Configure the AAA scheme of the ISP domain.

[MainServer] domain domain1   !--- Create an ISP domain named domain1
[MainServer-isp-domain1] authentication default radius-scheme rad1   !--- By default, all users in domain1 use the RADIUS authentication/authorization scheme rad1 created above
[MainServer-isp-domain1] accounting default radius-scheme rad1   !--- By default, all users in domain1 use the RADIUS accounting scheme rad1 created above
[MainServer-isp-domain1] quit
[MainServer] domain default enable domain1   !--- Make domain1 the system default ISP domain; every user who logs in without supplying an ISP domain name belongs to it

4) Configure the primary VAM server: specify, for each VPN domain, the pre-shared key, the authentication method and the corresponding hub addresses, then enable the VAM server function.

[MainServer] vam server ip-address 192.168.1.22   !--- Listening IP address of the VAM server, on the default UDP port 18000
[MainServer] vam server vpn 1   !--- Create VPN domain 1. Note that a VPN domain is not the same thing as an ISP domain; one ISP domain can contain several VPN domains
[MainServer-vam-server-vpn-1] pre-shared-key simple 123456   !--- Set the pre-shared key to 123456
[MainServer-vam-server-vpn-1] authentication-method chap   !--- Authenticate clients with CHAP
!--- The next two lines register the private addresses of the two hubs this server serves in VPN domain 1; they match the Tunnel1 addresses of Hub1 and Hub2
[MainServer-vam-server-vpn-1] hub private-ip 10.0.1.1
[MainServer-vam-server-vpn-1] hub private-ip 10.0.1.2
[MainServer-vam-server-vpn-1] quit
[MainServer] vam server vpn 2   !--- Create VPN domain 2
[MainServer-vam-server-vpn-2] pre-shared-key simple 654321   !--- Set the pre-shared key to 654321
[MainServer-vam-server-vpn-2] authentication-method pap   !--- Authenticate clients with PAP
!--- The next two lines register the private addresses of the two hubs this server serves in VPN domain 2; they match the Tunnel2 addresses of Hub1 and Hub2
[MainServer-vam-server-vpn-2] hub private-ip 10.0.2.1
[MainServer-vam-server-vpn-2] hub private-ip 10.0.2.2
[MainServer-vam-server-vpn-2] quit
[MainServer] vam server enable all   !--- Enable the VAM server function for all VPN domains

Note that the simple keyword stores the pre-shared key in plain text in the configuration file; the cipher keyword stores it in encrypted form, so that it is not exposed in configuration backups or in the output of display commands.

II. Configuring the backup VAM server

Next, configure the backup VAM server. Apart from its listening IP address, its configuration is identical to that of the primary VAM server, since the two exist precisely to back each other up; refer to the primary VAM server configuration above.

III. Configuring Hub1

1) Configure the IP addresses of the interfaces (omitted).

2) Configure the VAM clients: create a separate VAM client for each VPN domain, specify the primary and backup VAM server addresses, the local user name and the pre-shared key used for authentication, and finally enable the VAM client service.

system-view
!--- The next two lines create the VAM client dvpn1hub1 for VPN domain 1
[Hub1] vam client name dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] vpn 1
!--- The next three lines set the VAM server addresses and the VAM client's pre-shared key
[Hub1-vam-client-name-dvpn1hub1] server primary ip-address 192.168.1.22
[Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 192.168.1.33
[Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123456
!--- The next three lines configure Hub1's local user in VPN domain 1 (user name dvpn1hub1, password dvpn1hub1) and enable the client
[Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] client enable
[Hub1-vam-client-name-dvpn1hub1] quit
!--- The next two lines create the VAM client dvpn2hub1 for VPN domain 2
[Hub1] vam client name dvpn2hub1
[Hub1-vam-client-name-dvpn2hub1] vpn 2
!--- The next three lines set the VAM server addresses and the VAM client's pre-shared key
[Hub1-vam-client-name-dvpn2hub1] server primary ip-address 192.168.1.22
[Hub1-vam-client-name-dvpn2hub1] server secondary ip-address 192.168.1.33
[Hub1-vam-client-name-dvpn2hub1] pre-shared-key simple 654321
!--- The next three lines configure Hub1's local user in VPN domain 2 (user name dvpn2hub1, password dvpn2hub1) and enable the client
[Hub1-vam-client-name-dvpn2hub1] user dvpn2hub1 password simple dvpn2hub1
[Hub1-vam-client-name-dvpn2hub1] client enable
[Hub1-vam-client-name-dvpn2hub1] quit

3) Configure the IPsec framework: create the IPsec proposal, the IKE peer and the IPsec profile.

!--- The next lines configure the IPsec proposal
[Hub1] ipsec proposal propo1
[Hub1-ipsec-proposal-propo1] encapsulation-mode tunnel
[Hub1-ipsec-proposal-propo1] transform esp
[Hub1-ipsec-proposal-propo1] esp encryption-algorithm des
[Hub1-ipsec-proposal-propo1] esp authentication-algorithm sha1
[Hub1-ipsec-proposal-propo1] quit
!--- The next lines configure the IKE peer
[Hub1] ike peer peer1
[Hub1-ike-peer-peer1] pre-shared-key abcdef
[Hub1-ike-peer-peer1] quit
!--- The next lines configure the IPsec profile
[Hub1] ipsec profile profile1
[Hub1-ipsec-profile-profile1] proposal propo1
[Hub1-ipsec-profile-profile1] ike-peer peer1
[Hub1-ipsec-profile-profile1] sa duration time-based 600
[Hub1-ipsec-profile-profile1] pfs dh-group2
[Hub1-ipsec-profile-profile1] quit

Note that the example encrypts ESP with DES, which has a 56-bit key and is no longer considered adequate; in production choose a stronger cipher supported by the platform, and make the same choice on every device, since the proposals must match.

[Tips from experience] The proposal name, IKE peer name and profile name used in the IPsec framework may be the same across the whole network, or different, because they are local configuration and only meaningful on the local device. To avoid confusion, the whole network usually uses the same proposal name, the same peer name and the same profile name.

4) Configure the DVPN tunnels: for each VPN domain, specify the tunnel interface IP address (which must match the hub address registered on the VAM server earlier), the OSPF network type and the referenced IPsec profile name.

!--- The next lines configure Tunnel1, the tunnel interface of VPN domain 1
[Hub1] interface tunnel 1
[Hub1-Tunnel1] tunnel-protocol dvpn udp
[Hub1-Tunnel1] vam client dvpn1hub1
[Hub1-Tunnel1] ip address 10.0.1.1 255.255.255.0
[Hub1-Tunnel1] source ethernet 1/1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] ipsec profile profile1
[Hub1-Tunnel1] quit
!--- The next lines configure Tunnel2, the tunnel interface of VPN domain 2
[Hub1] interface tunnel 2
[Hub1-Tunnel2] tunnel-protocol dvpn udp
[Hub1-Tunnel2] vam client dvpn2hub1
[Hub1-Tunnel2] ip address 10.0.2.1 255.255.255.0
[Hub1-Tunnel2] source ethernet 1/1
[Hub1-Tunnel2] ospf network-type broadcast
[Hub1-Tunnel2] ipsec profile profile1
[Hub1-Tunnel2] quit

5) Configure OSPF routing to advertise the connected private and public networks. The connected private networks are the networks reached through the Tunnel interfaces. What is advertised here is the IP address of each interface, which enables OSPF on that interface; the addresses configured on the Tunnel interfaces are all private.

!--- The next lines configure routing for the public network
[Hub1] ospf 100
[Hub1-ospf-100] area 0
[Hub1-ospf-100-area-0.0.0.0] network 192.168.1.1 0.0.0.255
[Hub1-ospf-100-area-0.0.0.0] quit
!--- The next lines configure routing for the private networks
[Hub1] ospf 200
[Hub1-ospf-200] area 0
[Hub1-ospf-200-area-0.0.0.0] network 10.0.1.1 0.0.0.255
[Hub1-ospf-200-area-0.0.0.0] quit
[Hub1] ospf 300
[Hub1-ospf-300] area 0
[Hub1-ospf-300-area-0.0.0.0] network 10.0.2.1 0.0.0.255

[Tips from experience] The public network and the private network must use different OSPF processes, and a physically connected private network and a virtual private network reached through Tunnel interfaces must also use different OSPF processes. All of them, however, can be configured in the backbone area (area 0) alone.

IV. Configuring Hub2

1) Configure the IP addresses of the interfaces (omitted).

2) Configure the VAM clients.

system-view
!--- The next two lines create the VAM client dvpn1hub2 for VPN domain 1
[Hub2] vam client name dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] vpn 1
!--- The next three lines set the VAM server addresses and the VAM client's pre-shared key
[Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123456
!--- The next three lines configure Hub2's local user in VPN domain 1 (user name dvpn1hub2, password dvpn1hub2) and enable the client
[Hub2-vam-client-name-dvpn1hub2] user dvpn1hub2 password simple dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] client enable
[Hub2-vam-client-name-dvpn1hub2] quit
!--- The next two lines create the VAM client dvpn2hub2 for VPN domain 2
[Hub2] vam client name dvpn2hub2
[Hub2-vam-client-name-dvpn2hub2] vpn 2
!--- The next three lines set the VAM server addresses and the VAM client's pre-shared key
[Hub2-vam-client-name-dvpn2hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn2hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn2hub2] pre-shared-key simple 654321
!--- The next three lines configure the local user (user name dvpn2hub2, password dvpn2hub2) and enable the client
[Hub2-vam-client-name-dvpn2hub2] user dvpn2hub2 password simple dvpn2hub2
[Hub2-vam-client-name-dvpn2hub2] client enable
[Hub2-vam-client-name-dvpn2hub2] quit

3) Configure the IPsec framework. Because Hub2 and Hub1 back each other up, the IPsec framework configuration must be consistent with Hub1's.

!--- The next lines configure the IPsec proposal
[Hub2] ipsec proposal propo1
[Hub2-ipsec-proposal-propo1] encapsulation-mode tunnel
[Hub2-ipsec-proposal-propo1] transform esp
[Hub2-ipsec-proposal-propo1] esp encryption-algorithm des
[Hub2-ipsec-proposal-propo1] esp authentication-algorithm sha1
[Hub2-ipsec-proposal-propo1] quit
!--- The next lines configure the IKE peer
[Hub2] ike peer peer1
[Hub2-ike-peer-peer1] pre-shared-key abcdef
[Hub2-ike-peer-peer1] quit
!--- The next lines configure the IPsec profile
[Hub2] ipsec profile profile1
[Hub2-ipsec-profile-profile1] proposal propo1
[Hub2-ipsec-profile-profile1] ike-peer peer1
[Hub2-ipsec-profile-profile1] sa duration time-based 600
[Hub2-ipsec-profile-profile1] pfs dh-group2
[Hub2-ipsec-profile-profile1] quit

4) Configure the DVPN tunnels.

!--- The next lines configure Tunnel1, the tunnel interface of VPN domain 1
[Hub2] interface tunnel 1
[Hub2-Tunnel1] tunnel-protocol dvpn udp
[Hub2-Tunnel1] vam client dvpn1hub2
[Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.0
[Hub2-Tunnel1] source ethernet 1/1
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] ipsec profile profile1
[Hub2-Tunnel1] quit
!--- The next lines configure Tunnel2, the tunnel interface of VPN domain 2
[Hub2] interface tunnel 2
[Hub2-Tunnel2] tunnel-protocol dvpn udp
[Hub2-Tunnel2] vam client dvpn2hub2
[Hub2-Tunnel2] ip address 10.0.2.2 255.255.255.0
[Hub2-Tunnel2] source ethernet 1/1
[Hub2-Tunnel2] ospf network-type broadcast
[Hub2-Tunnel2] ipsec profile profile1
[Hub2-Tunnel2] quit

5) Configure OSPF routing.

!--- The next lines configure routing for the public network
[Hub2] ospf 100
[Hub2-ospf-100] area 0
[Hub2-ospf-100-area-0.0.0.0] network 192.168.1.2 0.0.0.255
[Hub2-ospf-100-area-0.0.0.0] quit
!--- The next lines configure routing for the private networks
[Hub2] ospf 200
[Hub2-ospf-200] area 0
[Hub2-ospf-200-area-0.0.0.0] network 10.0.1.2 0.0.0.255
[Hub2-ospf-200-area-0.0.0.0] quit
[Hub2] ospf 300
[Hub2-ospf-300] area 0
[Hub2-ospf-300-area-0.0.0.0] network 10.0.2.2 0.0.0.255

V. Configuring Spoke1

1) Configure the IP addresses of the interfaces (omitted).

2) Configure the VAM client. Because Spoke 1 has only one virtual tunnel interface, Tunnel1, only the VAM client for VPN domain 1 is needed; no VAM client for VPN domain 2 is configured.

system-view
!--- The next two lines create the VAM client dvpn1spoke1 for VPN domain 1
[Spoke1] vam client name dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] vpn 1
!--- The next three lines set the VAM server addresses and the VAM client's pre-shared key
[Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address 192.168.1.22
[Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address 192.168.1.33
[Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123456
!--- The next three lines configure the local user (user name dvpn1spoke1, password dvpn1spoke1) and enable the client
[Spoke1-vam-client-name-dvpn1spoke1] user dvpn1spoke1 password simple dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] client enable
[Spoke1-vam-client-name-dvpn1spoke1] quit

3) Configure the IPsec framework. The names may differ, but the configuration must be consistent with the hubs'.

!--- The next lines configure the IPsec proposal
[Spoke1] ipsec proposal propo1
[Spoke1-ipsec-proposal-propo1] encapsulation-mode tunnel
[Spoke1-ipsec-proposal-propo1] transform esp
[Spoke1-ipsec-proposal-propo1] esp encryption-algorithm des
[Spoke1-ipsec-proposal-propo1] esp authentication-algorithm sha1
[Spoke1-ipsec-proposal-propo1] quit
!--- The next three lines configure the IKE peer; the pre-shared key must be identical to the one on the hubs
[Spoke1] ike peer peer1
[Spoke1-ike-peer-peer1] pre-shared-key abcdef
[Spoke1-ike-peer-peer1] quit
!--- The next lines configure the IPsec profile; as on the hubs, the profile must reference the IKE peer
[Spoke1] ipsec profile profile1
[Spoke1-ipsec-profile-profile1] proposal propo1
[Spoke1-ipsec-profile-profile1] ike-peer peer1
[Spoke1-ipsec-profile-profile1] sa duration time-based 600
[Spoke1-ipsec-profile-profile1] pfs dh-group2
[Spoke1-ipsec-profile-profile1] quit

4) Configure the DVPN tunnel. Because Spoke 1 has only one virtual tunnel interface, Tunnel1, only the Tunnel1 interface of VPN domain 1 and its attributes are configured.

[Spoke1] interface tunnel 1
[Spoke1-Tunnel1] tunnel-protocol dvpn udp
[Spoke1-Tunnel1] vam client dvpn1spoke1
[Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.0
[Spoke1-Tunnel1] source ethernet 1/1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] ipsec profile profile1
[Spoke1-Tunnel1] quit

5) Configure OSPF routing, advertising the public and private IP addresses of its three interfaces.

!--- The next lines configure routing for the public network
[Spoke1] ospf 100
[Spoke1-ospf-100] area 0
[Spoke1-ospf-100-area-0.0.0.0] network 192.168.1.3 0.0.0.255
[Spoke1-ospf-100-area-0.0.0.0] quit
!--- The next lines configure routing for the private networks
[Spoke1] ospf 200
[Spoke1-ospf-200] area 0
[Spoke1-ospf-200-area-0.0.0.0] network 10.0.1.3 0.0.0.255
[Spoke1-ospf-200-area-0.0.0.0] network 10.0.3.1 0.0.0.255

VI. Configuring Spoke2

1) Configure the IP addresses of the interfaces (omitted).

2) Configure the VAM clients. Because Spoke 2 has two Tunnel interfaces, belonging to VPN domains 1 and 2 respectively, VAM clients for both VPN domains are needed.

system-view
!--- The next two lines create the VAM client dvpn1spoke2 for VPN domain 1
[Spoke2] vam client name dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] vpn 1
!--- The next three lines set the VAM server addresses and the VAM client's pre-shared key
[Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123456
!--- The next three lines configure the local user (user name dvpn1spoke2, password dvpn1spoke2) and enable the client
[Spoke2-vam-client-name-dvpn1spoke2] user dvpn1spoke2 password simple dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] client enable
[Spoke2-vam-client-name-dvpn1spoke2] quit
!--- The next two lines create the VAM client dvpn2spoke2 for VPN domain 2
[Spoke2] vam client name dvpn2spoke2
[Spoke2-vam-client-name-dvpn2spoke2] vpn 2
!--- The next three lines set the VAM server addresses and the VAM client's pre-shared key
[Spoke2-vam-client-name-dvpn2spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn2spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn2spoke2] pre-shared-key simple 654321
!--- The next three lines configure the local user (user name dvpn2spoke2, password dvpn2spoke2) and enable the client
[Spoke2-vam-client-name-dvpn2spoke2] user dvpn2spoke2 password simple dvpn2spoke2
[Spoke2-vam-client-name-dvpn2spoke2] client enable
[Spoke2-vam-client-name-dvpn2spoke2] quit

3) Configure the IPsec framework. The names may differ from those on the hubs, but the configuration must be consistent.

!--- The next lines configure the IPsec proposal
[Spoke2] ipsec proposal propo2
[Spoke2-ipsec-proposal-propo2] encapsulation-mode tunnel
[Spoke2-ipsec-proposal-propo2] transform esp
[Spoke2-ipsec-proposal-propo2] esp encryption-algorithm des
[Spoke2-ipsec-proposal-propo2] esp authentication-algorithm sha1
[Spoke2-ipsec-proposal-propo2] quit
!--- The next three lines configure the IKE peer
[Spoke2] ike peer peer2
[Spoke2-ike-peer-peer2] pre-shared-key abcdef
[Spoke2-ike-peer-peer2] quit
!--- The next lines configure the IPsec profile; as on the hubs, the profile must reference the IKE peer
[Spoke2] ipsec profile profile2
[Spoke2-ipsec-profile-profile2] proposal propo2
[Spoke2-ipsec-profile-profile2] ike-peer peer2
[Spoke2-ipsec-profile-profile2] sa duration time-based 600
[Spoke2-ipsec-profile-profile2] pfs dh-group2
[Spoke2-ipsec-profile-profile2] quit

4) Configure the DVPN tunnels. Because Spoke 2 has two virtual tunnel interfaces, Tunnel1 and Tunnel2, the tunnel interfaces of both VPN domain 1 and VPN domain 2, with their attributes, are configured.

!--- The next lines configure Tunnel1, the tunnel interface of VPN domain 1, and its attributes
[Spoke2] interface tunnel 1
[Spoke2-Tunnel1] tunnel-protocol dvpn udp
[Spoke2-Tunnel1] vam client dvpn1spoke2
[Spoke2-Tunnel1] ip address 10.0.1.4 255.255.255.0
[Spoke2-Tunnel1] source ethernet 1/1
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] ipsec profile profile2
[Spoke2-Tunnel1] quit
!--- The next lines configure Tunnel2, the tunnel interface of VPN domain 2, and its attributes
[Spoke2] interface tunnel 2
[Spoke2-Tunnel2] tunnel-protocol dvpn udp
[Spoke2-Tunnel2] vam client dvpn2spoke2
[Spoke2-Tunnel2] ip address 10.0.2.4 255.255.255.0
[Spoke2-Tunnel2] source ethernet 1/1
[Spoke2-Tunnel2] ospf network-type broadcast
[Spoke2-Tunnel2] ospf dr-priority 0
[Spoke2-Tunnel2] ipsec profile profile2
[Spoke2-Tunnel2] quit

5) Configure OSPF routing.

!--- The next lines configure routing for the public network
[Spoke2] ospf 100
[Spoke2-ospf-100] area 0
[Spoke2-ospf-100-area-0.0.0.0] network 192.168.1.4 0.0.0.255
[Spoke2-ospf-100-area-0.0.0.0] quit
!--- The next lines configure routing for the private networks
[Spoke2] ospf 200
[Spoke2-ospf-200] area 0
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.1.4 0.0.0.255
[Spoke2] ospf 300
[Spoke2-ospf-300] area 0
[Spoke2-ospf-300-area-0.0.0.0] network 10.0.2.4 0.0.0.255
[Spoke2-ospf-300-area-0.0.0.0] network 10.0.4.1 0.0.0.255

VII. Configuring Spoke3

1) Configure the IP addresses of the interfaces (omitted).

2) Configure the VAM client. Because Spoke 3 has only one virtual tunnel interface, Tunnel2, only the VAM client for VPN domain 2 is needed; no VAM client for VPN domain 1 is configured.

system-view
!--- The next two lines create the VAM client dvpn2spoke3 for VPN domain 2
[Spoke3] vam client name dvpn2spoke3
[Spoke3-vam-client-name-dvpn2spoke3] vpn 2
!--- The next three lines set the VAM server addresses and the VAM client's pre-shared key
[Spoke3-vam-client-name-dvpn2spoke3] server primary ip-address 192.168.1.22
[Spoke3-vam-client-name-dvpn2spoke3] server secondary ip-address 192.168.1.33
[Spoke3-vam-client-name-dvpn2spoke3] pre-shared-key simple 654321
!--- The next three lines configure the local user (user name dvpn2spoke3, password dvpn2spoke3) and enable the client
[Spoke3-vam-client-name-dvpn2spoke3] user dvpn2spoke3 password simple dvpn2spoke3
[Spoke3-vam-client-name-dvpn2spoke3] client enable
[Spoke3-vam-client-name-dvpn2spoke3] quit

3) Configure the IPsec framework. The names may differ, but the configuration must be consistent with the hubs'.

!--- The next lines configure the IPsec proposal
[Spoke3] ipsec proposal propo3
[Spoke3-ipsec-proposal-propo3] encapsulation-mode tunnel
[Spoke3-ipsec-proposal-propo3] transform esp
[Spoke3-ipsec-proposal-propo3] esp encryption-algorithm des
[Spoke3-ipsec-proposal-propo3] esp authentication-algorithm sha1
[Spoke3-ipsec-proposal-propo3] quit
!--- The next three lines configure the IKE peer
[Spoke3] ike peer peer3
[Spoke3-ike-peer-peer3] pre-shared-key abcdef
[Spoke3-ike-peer-peer3] quit
!--- The next lines configure the IPsec profile; as on the hubs, the profile must reference the IKE peer
[Spoke3] ipsec profile profile3
[Spoke3-ipsec-profile-profile3] proposal propo3
[Spoke3-ipsec-profile-profile3] ike-peer peer3
[Spoke3-ipsec-profile-profile3] sa duration time-based 600
[Spoke3-ipsec-profile-profile3] pfs dh-group2
[Spoke3-ipsec-profile-profile3] quit

4) Configure the DVPN tunnel.

!--- The next lines configure Tunnel2, the tunnel interface of VPN domain 2, and its attributes
[Spoke3] interface tunnel 2
[Spoke3-Tunnel2] tunnel-protocol dvpn udp
[Spoke3-Tunnel2] vam client dvpn2spoke3
[Spoke3-Tunnel2] ip address 10.0.2.3 255.255.255.0
[Spoke3-Tunnel2] source ethernet 1/1
[Spoke3-Tunnel2] ospf network-type broadcast
[Spoke3-Tunnel2] ospf dr-priority 0
[Spoke3-Tunnel2] ipsec profile profile3
[Spoke3-Tunnel2] quit

5) Configure OSPF routing.

!--- The next lines configure routing for the public network
[Spoke3] ospf 100
[Spoke3-ospf-100] area 0
[Spoke3-ospf-100-area-0.0.0.0] network 192.168.1.5 0.0.0.255
[Spoke3-ospf-100-area-0.0.0.0] quit
!--- The next lines configure routing for the private networks
[Spoke3] ospf 200
[Spoke3-ospf-200] area 0
[Spoke3-ospf-200-area-0.0.0.0] network 10.0.2.3 0.0.0.255
[Spoke3-ospf-200-area-0.0.0.0] network 10.0.5.1 0.0.0.255
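The consistency rules repeated through the hub and spoke steps above (one VAM pre-shared key per VPN domain on server and clients, hub private-ip entries on the VAM server equal to the hubs' Tunnel addresses, one IKE pre-shared key on every device, and a VAM user name that matches its client) are easy to break when the configs are typed by hand. The following Python script is an added example, not from the book or from H3C: it parses constructed configuration text in the layout of display current-configuration for VPN domain 1 only, seeded with two deliberate slips (Hub2 registers the wrong user name, Spoke1's IKE key is truncated), and reports every inconsistency it finds. The device names, the section layout and the audit rules are the example's own assumptions.

```python
from collections import defaultdict

# Constructed sample (not captured from real devices): VPN domain 1 only, in the
# layout of "display current-configuration" (header line + indented sub-commands).
# Two slips are planted on purpose: Hub2's VAM user name is dvpn1hub1 and Spoke1's
# IKE pre-shared key is "abcde".
VAM_SERVER = """\
vam server vpn 1
 pre-shared-key simple 123456
 hub private-ip 10.0.1.1
 hub private-ip 10.0.1.2
"""
DEVICES = {
    "Hub2": """\
vam client name dvpn1hub2
 vpn 1
 pre-shared-key simple 123456
 user dvpn1hub1 password simple dvpn1hub2
ike peer peer1
 pre-shared-key abcdef
interface Tunnel1
 vam client dvpn1hub2
 ip address 10.0.1.2 255.255.255.0
""",
    "Spoke1": """\
vam client name dvpn1spoke1
 vpn 1
 pre-shared-key simple 123456
 user dvpn1spoke1 password simple dvpn1spoke1
ike peer peer1
 pre-shared-key abcde
interface Tunnel1
 vam client dvpn1spoke1
 ip address 10.0.1.3 255.255.255.0
""",
}

def sections(text):
    """Split Comware-style config into (header words, [sub-command words]) pairs."""
    blocks = []
    for line in text.splitlines():
        if line.startswith(" "):          # indented line belongs to the open section
            blocks[-1][1].append(line.split())
        elif line.strip():
            blocks.append((line.split(), []))
    return blocks

def first(cmds, keyword):
    """Words of the first sub-command that starts with keyword."""
    return next(c for c in cmds if c[0] == keyword)

def audit(server_cfg, devices):
    """Return sorted findings; an empty list means server and clients agree."""
    findings, vpn_key, hubs, ike = [], {}, defaultdict(set), {}
    for head, cmds in sections(server_cfg):             # "vam server vpn <n>"
        vpn_key[head[-1]] = first(cmds, "pre-shared-key")[-1]
        hubs[head[-1]] = {c[-1] for c in cmds if c[:2] == ["hub", "private-ip"]}
    for dev, cfg in devices.items():
        client_vpn = {}                                 # client name -> vpn domain
        for head, cmds in sections(cfg):
            if head[:3] == ["vam", "client", "name"]:
                name, vpn, user = head[3], first(cmds, "vpn")[1], first(cmds, "user")[1]
                client_vpn[name] = vpn
                if first(cmds, "pre-shared-key")[-1] != vpn_key.get(vpn):
                    findings.append(f"{dev}: VAM key for vpn {vpn} differs from server")
                if user != name:
                    findings.append(f"{dev}: client {name} registers as user {user}")
            elif head[:2] == ["ike", "peer"]:
                ike[dev] = first(cmds, "pre-shared-key")[-1]
            elif head[0] == "interface":
                vpn, ip = client_vpn[first(cmds, "vam")[2]], first(cmds, "ip")[2]
                if dev.startswith("Hub") and ip not in hubs[vpn]:
                    findings.append(f"{dev}: {head[1]} {ip} not a hub private-ip in vpn {vpn}")
    if len(set(ike.values())) > 1:
        findings.append("IKE pre-shared-key differs: " + ", ".join(f"{d}={k}" for d, k in sorted(ike.items())))
    return sorted(findings)
```

Run audit(VAM_SERVER, DEVICES) and the two planted slips come back as findings; once they are corrected the list is empty.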

VIII. Verifying the configuration

First, use the display vam server address-map all command to view the address-map information of all VAM clients registered with the primary VAM server. The output shows that Hub1, Hub2, Spoke1, Spoke2 and Spoke3 have all registered their address mappings with the VAM server.

[MainServer] display vam server address-map all
VPN name:  1
Total address-map number:  4
Private-ip     Public-ip        Type        Holding time
10.0.1.1       192.168.1.1     Hub         0H 52M  7S
10.0.1.2       192.168.1.2     Hub         0H 47M 31S
10.0.1.3       192.168.1.3     Spoke       0H 28M 25S
10.0.1.4       192.168.1.4     Spoke       0H 19M 15S
VPN name:  2
Total address-map number:  4
Private-ip     Public-ip        Type        Holding time
10.0.2.1       192.168.1.1     Hub         0H 51M 44S
10.0.2.2       192.168.1.2     Hub         0H 46M 45S
10.0.2.3       192.168.1.5     Spoke       0H 11M 25S
10.0.2.4       192.168.1.4     Spoke       0H 18M 32S

The same method can be used to view the address-map information of all VAM clients registered with the backup VAM server.

Next, use the display dvpn session all command to view the DVPN tunnel information on Hub1. The output shows that in VPN 1 Hub1 has established permanent tunnels with Hub2, Spoke1 and Spoke2, and that in VPN 2 Hub1 has established permanent tunnels with Hub2, Spoke2 and Spoke3. The output on Hub2 is similar to Hub1's.

[Hub1] display dvpn session all
Interface: Tunnel1  VPN name: 1  Total number: 3

 Private IP:     10.0.1.2
 Public IP:      192.168.1.2
 Session type:   Hub-Hub
 State:  SUCCESS
 Holding time: 0h 1m 44s
 Input:  101 packets,  100 data packets,  1 control packets
          87 multicasts,  0 errors
 Output: 106 packets,  99 data packets,  7 control packets
          87 multicasts,  10 errors

 Private IP:     10.0.1.3
 Public IP:      192.168.1.3
 Session type:   Hub-Spoke
 State:  SUCCESS
 Holding time: 0h 8m 7s
 Input:  164 packets,  163 data packets,  1 control packets
          54 multicasts,  0 errors
 Output: 77 packets,  76 data packets,  1 control packets
          55 multicasts,  0 errors

 Private IP:     10.0.1.4
 Public IP:      192.168.1.4
 Session type:   Hub-Spoke
 State:  SUCCESS
 Holding time: 0h 27m 13s
 Input:  174 packets,  167 data packets,  7 control packets
          160 multicasts,  0 errors
 Output: 172 packets,  171 data packets,  1 control packets
          165 multicasts,  0 errors

Interface: Tunnel2  VPN name: 2  Total number: 3

 Private IP:     10.0.2.2
 Public IP:      192.168.1.2
 Session type:   Hub-Hub
 State:  SUCCESS
 Holding time: 0h 12m 10s
 Input:  183 packets,  182 data packets,  1 control packets
          0 multicasts,  0 errors
 Output: 186 packets,  185 data packets,  1 control packets
          155 multicasts,  0 errors

 Private IP:     10.0.2.4
 Public IP:      192.168.1.4
 Session type:   Hub-Spoke
 State:  SUCCESS
 Holding time: 0h 26m 39s
 Input:  174 packets,  169 data packets,  5 control packets
          162 multicasts,  0 errors
 Output: 173 packets,  172 data packets,  1 control packets
          167 multicasts,  0 errors

 Private IP:     10.0.2.3
 Public IP:      192.168.1.5
 Session type:   Hub-Spoke
 State:  SUCCESS
 Holding time: 0h 19m 30s
 Input:  130 packets,  127 data packets,  3 control packets
          120 multicasts,  0 errors
 Output: 127 packets,  126 data packets,  1 control packets
          119 multicasts,  0 errors
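Reading these session listings by eye does not scale to a network with many spokes. The following Python is an added example, not from the book or from H3C: it parses output in the layout shown above (a constructed sample modelled on Hub1's Tunnel1 listing, including a Hub-Hub session with non-zero output errors and one expected spoke session missing) and flags sessions whose State is not SUCCESS, whose error counters are non-zero, or which are absent from an expected-peer table. The expected-peer table is the example's own assumption about what Hub1 should hold.

```python
import re

# Constructed sample (not captured from a real device) in the layout of
# "display dvpn session all": Hub1's Tunnel1 with two of its three sessions,
# the Hub-Hub one showing output errors.
SAMPLE = """\
Interface: Tunnel1  VPN name: 1  Total number: 2

 Private IP:     10.0.1.2
 Public IP:      192.168.1.2
 Session type:   Hub-Hub
 State:  SUCCESS
 Input:  101 packets,  100 data packets,  1 control packets
          87 multicasts,  0 errors
 Output: 106 packets,  99 data packets,  7 control packets
          87 multicasts,  10 errors

 Private IP:     10.0.1.3
 Public IP:      192.168.1.3
 Session type:   Hub-Spoke
 State:  SUCCESS
 Input:  164 packets,  163 data packets,  1 control packets
          54 multicasts,  0 errors
 Output: 77 packets,  76 data packets,  1 control packets
          55 multicasts,  0 errors
"""

# Sessions Hub1 should hold on Tunnel1 in the example topology (assumption).
EXPECTED = {
    ("Tunnel1", "10.0.1.2"): "Hub-Hub",
    ("Tunnel1", "10.0.1.3"): "Hub-Spoke",
    ("Tunnel1", "10.0.1.4"): "Hub-Spoke",
}

def parse_sessions(text):
    """Return one dict per session; interface and VPN name come from the header line."""
    sessions, cur, iface, vpn, side = [], None, None, None, "in"
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Interface: (\S+)\s+VPN name: (\S+)", line)
        if header:
            iface, vpn = header.groups()
        elif line.startswith("Private IP:"):          # starts a new session block
            cur = {"interface": iface, "vpn": vpn, "private_ip": line.split()[-1],
                   "in_errors": 0, "out_errors": 0}
            sessions.append(cur)
        elif line.startswith("Session type:"):
            cur["type"] = line.split()[-1]
        elif line.startswith("State:"):
            cur["state"] = line.split()[-1]
        elif line.startswith(("Input:", "Output:")):   # counters that follow belong to this side
            side = "in" if line.startswith("Input:") else "out"
        elif line.endswith("errors"):                  # e.g. "87 multicasts,  10 errors"
            cur[side + "_errors"] = int(line.split(",")[-1].split()[0])
    return sessions

def check_sessions(sessions, expected):
    """Findings for bad state, non-zero error counters, and missing or mistyped peers."""
    findings, seen = [], {}
    for s in sessions:
        key = (s["interface"], s["private_ip"])
        seen[key] = s
        if s.get("state") != "SUCCESS":
            findings.append(f"{key}: state is {s.get('state')}")
        if s["in_errors"] or s["out_errors"]:
            findings.append(f"{key}: {s['in_errors']} input / {s['out_errors']} output errors")
    for key, kind in expected.items():
        if key not in seen:
            findings.append(f"{key}: expected {kind} session is missing")
        elif seen[key].get("type") != kind:
            findings.append(f"{key}: type {seen[key].get('type')}, expected {kind}")
    return findings
```

Feed it the saved output of display dvpn session all from each hub on a schedule and a tunnel that silently drops to fewer peers, or starts counting errors, shows up without anyone reading the full listing.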

Use the display dvpn session all command again to view the DVPN tunnel information on Spoke2. The output shows that in VPN 1 Spoke2 has established permanent Hub-Spoke tunnels with Hub1 and Hub2, and that in VPN 2 Spoke2 has likewise established permanent Hub-Spoke tunnels with Hub1 and Hub2. The output on Spoke1 and Spoke3 is similar to Spoke2's.

[Spoke2] display dvpn session all
Interface: Tunnel1  VPN name: 1  Total number: 2

 Private IP:     10.0.1.1
 Public IP:      192.168.1.1
 Session type:   Spoke-Hub
 State:  SUCCESS
 Holding time: 1h 1m 22s
 Input:  381 packets,  380 data packets,  1 control packets
          374 multicasts,  0 errors
 Output: 384 packets,  376 data packets,  8 control packets
          369 multicasts,  0 errors

 Private IP:     10.0.1.2
 Public IP:      192.168.1.2
 Session type:   Spoke-Hub
 State:  SUCCESS
 Holding time: 0h 21m 53s
 Input:  251 packets,  249 data packets,  1 control packets
          230 multicasts,  0 errors
 Output: 252 packets,  240 data packets,  7 control packets
          224 multicasts,  0 errors

Interface: Tunnel2  VPN name: 2  Total number: 2

 Private IP:     10.0.2.1
 Public IP:      192.168.1.1
 Session type:   Spoke-Hub
 State:  SUCCESS
 Holding time: 0h 2m 47s
 Input:  383 packets,  382 data packets,  1 control packets
          377 multicasts,  0 errors
 Output: 385 packets,  379 data packets,  6 control packets
          372 multicasts,  0 errors

 Private IP:     10.0.2.2
 Public IP:      192.168.1.2
 Session type:   Spoke-Hub
 State:  SUCCESS
 Holding time: 0h 1m 50s
 Input:  242 packets,  241 data packets,  1 control packets
          231 multicasts,  0 errors
 Output: 251 packets,  241 data packets,  7 control packets
          225 multicasts,  0 errors

Then ping Spoke3's private address 10.0.5.1 from Spoke2; the ping succeeds.

[Spoke2] ping 10.0.5.1
 PING 10.0.5.1: 56  data bytes, press CTRL_C to break
   Reply from 10.0.5.1: bytes=56 Sequence=1 ttl=254 time=5 ms
   Reply from 10.0.5.1: bytes=56 Sequence=2 ttl=254 time=5 ms
   Reply from 10.0.5.1: bytes=56 Sequence=3 ttl=254 time=5 ms
   Reply from 10.0.5.1: bytes=56 Sequence=4 ttl=254 time=4 ms
   Reply from 10.0.5.1: bytes=56 Sequence=5 ttl=254 time=4 ms

 --- 10.0.5.1 ping statistics ---
   5 packet(s) transmitted
   5 packet(s) received
   0.00% packet loss
   round-trip min/avg/max = 4/4/5 ms

Finally, use the display dvpn session interface tunnel 2 command to view the DVPN tunnel information on Spoke2's Tunnel2 interface. The output shows that a Spoke-Spoke tunnel has been dynamically established between Spoke2 and Spoke3.

[Spoke2] display dvpn session interface tunnel 2
Interface: Tunnel2  VPN name: 2  Total number: 3

 Private IP:     10.0.2.1
 Public IP:      192.168.1.1
 Session type:   Spoke-Hub
 State:  SUCCESS
 Holding time: 1h 10m 0s
 Input:  451 packets,  450 data packets,  1 control packets
          435 multicasts,  0 errors
 Output: 453 packets,  447 data packets,  6 control packets
          430 multicasts,  0 errors

 Private IP:     10.0.2.2
 Public IP:      192.168.1.2
 Session type:   Spoke-Hub
 State:  SUCCESS
 Holding time: 0h 1m 50s
 Input:  242 packets,  241 data packets,  1 control packets
          231 multicasts,  0 errors
 Output: 251 packets,  241 data packets,  7 control packets
          225 multicasts,  0 errors

 Private IP:     10.0.2.3
 Public IP:      192.168.1.5
 Session type:   Spoke-Spoke
 State:  SUCCESS
 Holding time: 0h 0m 0s
 Input:  1 packets,  0 data packets,  1 control packets
          0 multicasts,  0 errors
 Output: 1 packets,  0 data packets,  1 control packets
          0 multicasts,  0 errors