H3C MSR Series Routers: DVPN Configuration

For differences among H3C MSR series routers in the command parameters supported for this feature, their default values and their value ranges, see the command manual of this module.

DVPN Overview

More and more enterprises want to use public networks to build VPNs (Virtual Private Networks) that connect their branches, but the public network address of a peer cannot always be known in advance, which makes building such a VPN difficult. DVPN (Dynamic Virtual Private Network) uses the VAM (VPN Address Management) protocol to collect, register and distribute information such as dynamically changing public addresses, and so solves the problem of establishing VPNs between branches whose public addresses are not known in advance.

DVPN treats the network formed by the nodes connected to the public network as a VPN, with the public network acting as the link layer of that VPN; DVPN nodes obtain the public address of their communication peer through VAM. VAM is the main protocol of the DVPN solution: it collects, registers and distributes public address information so that users can build a DVPN quickly and conveniently. A DVPN node queries VAM for the public address that corresponds to a private-network next hop, and uses that public address as the tunnel destination address when encapsulating packets.

Basic DVPN concepts

The DVPN solution involves several key roles:

DVPN node: a device at either end of a dynamic tunnel; it can be a network device or a host. DVPN nodes take part in tunnel establishment and must implement the VAM client function.

VAM Server: the server that accepts registration information from DVPN nodes and manages and maintains the information of every DVPN node.

VAM client: registers its own private address, public address, VAM identifier and other information with the VAM Server, and queries the VAM Server for the information of other VAM clients. DVPN nodes must implement the VAM client function. Unless otherwise specified, "VAM client" in this document refers collectively to Hubs and Spokes.

Hub: a kind of VAM client; it is the central device of a VPN and the centre of route information exchange. In Hub-Spoke networking it also forwards the data exchanged between Spokes.

Spoke: a kind of VAM client, usually the gateway device of an enterprise branch; this node does not forward data received from other nodes.

AAA (Authentication, Authorization and Accounting) server: used to authenticate and account for VAM clients.

How DVPN works

DVPN uses the Client/Server model, works at the application layer of the TCP/IP stack, and uses UDP as its transport protocol. By function, the devices in a VPN domain are divided into one Server and multiple Clients. The Server's public address is a static address; a Client's public address can be statically configured or dynamically obtained, while a Client's private address must be statically assigned according to the network plan. Within one VPN domain, the private addresses of all nodes must belong to the same subnet. Each Client registers the mapping between its public address and its private address with the Server. After a Client has registered successfully, other Clients can query the Server for that Client's public address so that DVPN tunnels can be established between Clients. Registration information can also be deleted: any node that leaves the VPN notifies the Server automatically.

DVPN networking structures

DVPN has two typical networking structures:

Full-Mesh network: Spokes can establish tunnels with each other and communicate directly; the Hub mainly acts as the centre of route information exchange. As shown in Figure 1-1, after a Spoke registers with the VAM Server it obtains the Hub information of its VPN domain and establishes permanent tunnels to the Hubs; Spoke-Spoke tunnels are established dynamically as needed, and such a tunnel is deleted when no data packets have been exchanged over it within the tunnel idle timeout.

Figure 1-1 Full-Mesh DVPN networking (VAM Server, public network, Hub, Spokes, Sites)

Hub-Spoke network: Spokes cannot establish tunnels with each other and can communicate only through the Hub, which forwards their data; the Hub therefore acts both as the route information exchange centre and as the data forwarding centre.

Figure 1-2 Hub-Spoke DVPN networking (VAM Server, public network, Hub, Spokes, Sites)

DVPN working process

The DVPN working process consists of three stages: connection initialization, registration, and tunnel establishment. The three stages are briefly described below.

Connection initialization: when a Client connects to the Server for the first time, the connection is initialized first; the two sides negotiate whether and how VAM protocol packets are to be protected (encryption and integrity verification).

Figure 1-3 Connection initialization: (1) connection request, (2) connection response, (3) initialization complete, (4) initialization complete

As shown in Figure 1-3, the connection initialization process is as follows:
(1) The Client sends the integrity verification algorithms, encryption algorithms and other capabilities it supports to the Server in a connection request packet.
(2) The Server selects algorithms from its own supported list in descending order of priority and matches them against the list sent by the Client. If a match is found, that algorithm is used; the Server sends the negotiation result to the Client in a connection response packet, and the Server and the Client each generate the encryption key and the integrity verification key.
(3) The Client and the Server each use an initialization-complete packet to verify that algorithm and key negotiation succeeded.

Figure 1-4 Registration process (registration request, authentication request, authentication response, registration success)
Registration: as shown in Figure 1-4, the registration stage proceeds as follows:
(1) The Client sends a registration request packet to the Server; the request carries the DVPN node's information.
(2) On receiving the request, the Server decides from its configuration whether to authenticate the Client. If authentication is not configured, the Server records the registration information directly and sends a registration success response; the authentication steps are skipped. If authentication is configured, the Server replies with an authentication request specifying the required authentication method (for CHAP it also returns a challenge).
(3) The Client submits its authentication information to the Server.
(4) On receiving the Client's authentication information the Server initiates authentication with the AAA server; after receiving the AAA authentication success response it sends an accounting request, and when the accounting success response arrives it sends the registration success packet to the Client. The registration success packet carries the Hub information delivered to the Client.

Tunnel establishment: if a VPN domain has two Hubs, a permanent tunnel must be established between them. The tunnel establishment flow is shown in Figure 1-5.

Figure 1-5 Tunnel establishment: (1) tunnel establishment request, (2) tunnel establishment success response

Hub-Spoke tunnel: after a Spoke registers successfully, it establishes permanent tunnels with the Hubs of its VPN domain. Whenever the Spoke receives Hub information from the Server, it checks whether a tunnel to each of those Hub addresses already exists. If no tunnel exists it sends a tunnel establishment packet to the Hub; if one exists, no new tunnel is established.

Hub-Hub tunnel: after a Hub registers successfully, the Server includes the addresses of the Hubs already registered in the VPN domain in the registration response sent to the Hub. The Hub checks whether a tunnel to each of those addresses exists and establishes one if it does not.

Spoke-Spoke tunnel: in Full-Mesh networking, when a Spoke receives a data packet and finds no matching tunnel, it queries the Server for the peer's public address and sends a tunnel establishment request to that Spoke.

DVPN features supported by the device

NAT traversal: DVPN packets traverse NAT gateways naturally. When the tunnel initiator is behind a NAT gateway, a Spoke-Spoke tunnel across the NAT can be established; if the tunnel receiver is behind a NAT gateway, the data packets are forwarded by the Hub until the receiver itself initiates a tunnel establishment request. If both sides are behind NAT gateways, neither can establish a tunnel to the other and all data packets can only be forwarded through the Hub.

Support for dynamic addresses: the Tunnel interfaces at the two ends of a tunnel need no tunnel destination address. A VAM client registers its own public/private address pair on the VAM Server; when a tunnel is needed, it obtains the peer's public address from the VAM Server and establishes the tunnel dynamically. When a VAM client's IP address changes, it re-registers with the VAM Server, which is how dynamic IP addresses are supported.

AAA authentication of VAM clients by the VAM Server: after the initialization process completes, the VAM client registers with the VAM Server, and the registration process can require the VAM client to be authenticated. PAP and CHAP are supported. The VAM Server authenticates clients joining the VPN domain through AAA; only a client that passes authentication can join the VPN.

Identity verification of the VAM client and the VAM Server with a pre-shared key: the VAM client and the VAM Server must be configured with the same pre-shared key, which is used to generate the encryption and integrity verification keys. Each side judges whether the pre-shared keys match by whether decryption and integrity verification of the peer's packets succeed, and in this way the VAM Server and the VAM client authenticate each other. Encryption of VAM protocol packets is optional; the supported encryption algorithms are AES-128, DES and 3DES.

DVPN configuration task overview

DVPN configuration involves the VAM Server, the VAM client, AAA, Tunnel interfaces, the IPsec profile and routing. When deploying a network, the VAM Server is generally configured first.

Table 1-1 DVPN configuration tasks: configure AAA; configure the VAM Server; configure the VAM client; configure the IPsec profile; configure DVPN tunnel properties; configure routing.

Configuring AAA: the DVPN server side can use AAA to authenticate clients that join a VPN domain; only clients that pass authentication can join the domain.

Configuring the VAM Server

This configuration sets the parameters of the DVPN server side and the related policies, namely whether VAM protocol packets are protected, the method the Server uses to authenticate clients, and so on.

Table 1-2 VAM Server configuration tasks: create a VPN domain (required); enable the VAM Server function (required); configure the VAM Server IP address and port (required); configure protection of VAM protocol packets (optional); configure the authentication method (optional); configure the Hub IP addresses (required); configure the pre-shared key (required); configure keepalive parameters (optional).

Table 1-3 Create a VPN domain: enter system view; create a VPN domain and enter VAM Server VPN domain view: vam server vpn vpn-name.

Table 1-4 Enable the VAM Server function: this configuration starts the VAM service of the VPN domain on the server side: vam server enable { all | vpn vpn-name } (system view).

Table 1-5 Configure the IP address and port: this configuration specifies the IP address and UDP port used by the VAM Server: vam server ip-address ip-address [ port port-number ] (system view).

Configuring protection of VAM protocol packets: the integrity verification and encryption algorithms configured on the Server, together with their priorities, are negotiated against the algorithm list sent by the Client; the negotiated algorithms are then used to verify and encrypt the protocol packets exchanged between the two ends.

Table 1-6 (VAM Server VPN domain view): authentication-algorithm { none | { md5 | sha-1 } * }; by default the verification algorithm is SHA-1. encryption-algorithm { { 3des | aes-128 | des } * | none }; by default AES-128, 3DES and DES are used, with priority from high to low AES-128, 3DES, DES.

Note: the connection request sent by the Client and the connection response sent by the Server during connection initialization always use the fixed verification algorithm SHA-1 and the fixed encryption algorithm AES-128; whether subsequent packets are verified and encrypted is determined by the algorithm configuration above.

Configuring the authentication method: when AAA is used to authenticate clients, only PAP and CHAP are currently supported.

Table 1-7 (VAM Server VPN domain view): authentication-method { none | { chap | pap } [ domain name-string ] }; by default CHAP is used.

Configuring the Hub IP addresses: this configuration specifies the IP addresses of the Hubs in the VPN domain.

Table 1-8 (VAM Server VPN domain view): hub private-ip private-ip-address [ public-ip public-ip-address ]. Only the Hub's private address need be configured: when the Hub joins the domain it registers with the Server, and after successful registration the Server delivers the Hub's public/private address mapping to the other clients. If a public address is specified, a registering client is regarded as the Hub only when both its public and its private address match the configured values; otherwise it is regarded as a Spoke. Currently a VPN domain can be configured with a limited number of Hubs and at most 200 Spokes.

Configuring the pre-shared key: the pre-shared key is the common key material the Server uses to establish a secure channel with the clients; it is used during connection initialization.

Table 1-9 (VAM Server VPN domain view): pre-shared-key { cipher | simple } key-string.

Configuring keepalive parameters: if the Server receives no keepalive packet from a client within (interval × retry count), it deletes the node information of that client and takes it offline. This configuration sets the interval at which keepalive packets are sent and the number of retries; clients send keepalive packets after registering successfully.

Table 1-10 (VAM Server VPN domain view): keepalive interval time-interval, default interval 10 seconds; keepalive retry retry-times, default 3, i.e. a keepalive packet is sent 3 times in total.

Configuring the VAM client

Through the VAM client configuration you specify the VPN domain the client belongs to, the primary/secondary Server addresses and ports used for registration, the local user information and so on, which prepares the client to initiate the connection request to the Server and finally register on the Server.

Table 1-11 VAM client configuration tasks: create a VAM client (required); configure the resend interval (optional); configure the primary VAM Server (required); configure the secondary VAM Server (optional); configure the user name and password (required); configure the VPN domain (required); configure the pre-shared key (required); enable the VAM client (required).

Table 1-12 Create a VAM client: enter system view; create a VAM client and enter VAM client view: vam client name client-name.

Table 1-13 Configure the resend interval: when the client sends a protocol packet (connection request, initialization complete, registration request and so on) to the Server and receives no response within the configured interval, it resends the packet: resend interval time-interval (VAM client view); the default interval is 5 seconds.

Table 1-14 Configure the public IP address and UDP port of the primary VAM Server: server primary ip-address ip-address [ port port-number ] (VAM client view).

Table 1-15 Configure the public IP address and UDP port of the secondary VAM Server: server secondary ip-address ip-address [ port port-number ] (VAM client view); by default no secondary VAM Server is configured.

Table 1-16 Configure the user name and password: user username password { cipher | simple } password (VAM client view).

Table 1-17 Configure the VPN domain the VAM client belongs to: vpn vpn-name (VAM client view).

Table 1-18 Configure the VAM client's pre-shared key: pre-shared-key { cipher | simple } key-string (VAM client view).

Table 1-19 Enable the VAM client: in system view, vam client enable { all | name client-name }; or in VAM client view, client enable.

Configuring the IPsec profile

Table 1-20 (system view): create an IPsec profile and enter its view: ipsec profile profile-name; configure the proposals referenced by the profile: proposal proposal-name; configure the IKE peer referenced by the profile: ike-peer peer-name (by default no IKE peer is referenced); configure PFS: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 } (by default PFS, Perfect Forward Secrecy, is not used in negotiation); configure the SA lifetime: sa duration { time-based seconds | traffic-based kilobytes }.

An IPsec profile negotiates SAs through IKE; one profile can reference at most 6 proposals. When PFS is configured, IKE performs an additional DH exchange during negotiation; the DH group specified on the two ends must be the same, otherwise negotiation fails. The IPsec profile protects DVPN data flows. Because DVPN addresses are dynamic, on the initiating end the remote-address of the IKE peer referenced by the IPsec profile has no effect. For the proposal, ike-peer, pfs and sa duration commands, see "IPsec Commands" in the Security volume.

Configuring DVPN tunnel properties

This configuration sets the tunnel idle timeout, the dumb time after a failed tunnel establishment and so on, preparing the device to establish DVPN tunnels.

Table 1-21 (system view): create a Tunnel interface and enter its view: interface tunnel number (by default the device has no Tunnel interface); configure the IPv4 private address of the Tunnel interface: ip address ip-address { mask | mask-length } [ sub ]; configure the tunnel encapsulation: tunnel-protocol dvpn udp; configure the source address or source interface of the Tunnel interface: source { ip-address | interface-type interface-number }; bind the Tunnel interface to a VAM client: vam client client-name (a DVPN-encapsulated Tunnel interface must be bound to a VAM client; by default a DVPN Tunnel interface is bound to no VAM client); configure keepalive: keepalive [ seconds [ times ] ] (by default the interval is 10 seconds and the maximum number of sends is 3); configure the tunnel idle timeout: dvpn session idle-time seconds (default 300 seconds); configure the dumb time: dvpn session dumb-time seconds (default 120 seconds); configure the OSPF network type: ospf network-type { broadcast | p2mp } (a DVPN tunnel supports only the broadcast and p2mp OSPF network types; by default no OSPF network type is configured on the interface); configure the OSPF DR priority: ospf dr-priority priority (optional on the Hub, required on the Spoke; the Hub's DR priority should be higher than the Spoke's, and it is recommended to set the Spoke's DR priority to 0 so that Spokes do not take part in DR/BDR election); apply an IPsec profile on the DVPN Tunnel interface: ipsec profile profile-name (by default no IPsec profile is applied, i.e. DVPN data is not protected); bind a VPN instance to the Tunnel interface: ip binding vpn-instance vpn-instance-name (when a device belongs to several DVPN domains, multi-instance must be configured so that the routes of the private networks are kept apart).

For the ospf network-type and ospf dr-priority commands, see "OSPF Commands" in the IP Routing volume; for multi-instance configuration, see "MPLS L3VPN" in the MPLS volume.

Configuring routing: DVPN itself is a private network, so routes must be configured on the device. After the DVPN tunnels are established, the routing protocol exchanges routes through the tunnels.

Displaying and maintaining DVPN

Table 1-22:
display vam server address-map { all | vpn vpn-name [ private-ip private-ip ] }: display the address mapping information on the VAM Server.
display vam server statistic { all | vpn vpn-name }: display VAM Server statistics.
display vam client { address-map | fsm } name client-name: display VAM client information.
display dvpn session { all | interface interface-type interface-number [ private-ip ip-address ] }: display tunnel connection information.
display ipsec profile [ name profile-name ]: display IPsec profile information.
reset dvpn session { all | interface interface-type interface-number [ private-ip ip-address ] }: delete tunnel connection information.

DVPN configuration examples

Configuration example (Full-Mesh network)

Network requirements: in Full-Mesh networking, the primary and backup VAM Servers manage and maintain the information of each node; the AAA server authenticates and accounts for the VAM clients; the two Hubs back each other up and are responsible for data forwarding and route information exchange. Spokes establish permanent tunnels with the Hubs; Spokes in the same VPN domain establish dynamic tunnels with each other.

Figure 1-6 Full-Mesh DVPN networking (primary and backup VAM Servers, AAA server, Hub1, Hub2, Spoke1, Spoke2, Spoke3)

(1) Configure the primary VAM Server (MainServer)

# Configure the RADIUS scheme and the ISP domain used for AAA.
[MainServer] radius scheme radsun
[MainServer-radius-radsun] primary accounting 11813
[MainServer-radius-radsun] key authentication expert
[MainServer-radius-radsun] key accounting expert
[MainServer-radius-radsun] server-type standard
[MainServer-radius-radsun] user-name-format with-domain
[MainServer-radius-radsun] quit
[MainServer] domain 1
[MainServer-isp-1] authentication default radius-scheme radsun
[MainServer-isp-1] accounting default radius-scheme radsun
[MainServer-isp-1] quit
[MainServer] domain default enable 1
# Specify the IP address used by the VAM Server.
[MainServer] vam server ip-address 2
# Create VPN domain 1.
[MainServer] vam server vpn 1
[MainServer-vam-server-vpn-1] pre-shared-key simple 123
# Specify the Hub addresses of VPN domain 1.
[MainServer-vam-server-vpn-1] hub private-ip
[MainServer-vam-server-vpn-1] hub private-ip
[MainServer-vam-server-vpn-1] quit
# Create VPN domain 2.
[MainServer] vam server vpn 2
[MainServer-vam-server-vpn-2] pre-shared-key simple 456
# Specify the Hub addresses of VPN domain 2.
[MainServer-vam-server-vpn-2] hub private-ip
[MainServer-vam-server-vpn-2] hub private-ip
[MainServer-vam-server-vpn-2] quit
# Enable the VAM Server function for all VPN domains.
[MainServer] vam server enable all

(2) Configure the backup VAM Server: apart from the IP address, the DVPN configuration of the backup VAM Server is the same as that of the primary VAM Server; see step (1).

(3) Configure Hub1

# Create VAM client dvpn1hub1 for VPN domain 1.
[Hub1] vam client name dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] server primary ip-address 2
[Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 3
[Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123
[Hub1-vam-client-name-dvpn1hub1] vpn 1
[Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] quit
# Create VAM client dvpn2hub1 for VPN domain 2.
[Hub1] vam client name dvpn2hub1
[Hub1-vam-client-name-dvpn2hub1] server primary ip-address 2
[Hub1-vam-client-name-dvpn2hub1] server secondary ip-address 3
[Hub1-vam-client-name-dvpn2hub1] pre-shared-key simple 456
[Hub1-vam-client-name-dvpn2hub1] vpn 2
[Hub1-vam-client-name-dvpn2hub1] user dvpn2hub1 password simple dvpn2hub1
[Hub1-vam-client-name-dvpn2hub1] quit

# Configure the IPsec profile.
# Configure the IPsec proposal.
[Hub1] ipsec proposal vam
[Hub1-ipsec-proposal-vam] encapsulation-mode tunnel
[Hub1-ipsec-proposal-vam] transform esp
[Hub1-ipsec-proposal-vam] esp encryption-algorithm des
[Hub1-ipsec-proposal-vam] esp authentication-algorithm sha1
[Hub1-ipsec-proposal-vam] quit
# Configure the IKE peer.
[Hub1] ike peer vam
[Hub1-ike-peer-vam] pre-shared-key abcde
[Hub1-ike-peer-vam] quit
# Configure the IPsec profile.
[Hub1] ipsec profile vamp
[Hub1-ipsec-profile-vamp] proposal vam
[Hub1-ipsec-profile-vamp] sa duration time-based 600
[Hub1-ipsec-profile-vamp] pfs dh-group2
[Hub1-ipsec-profile-vamp] quit

# Configure the DVPN tunnels.
[Hub1] interface tunnel 1
[Hub1-Tunnel1] tunnel-protocol dvpn udp
[Hub1-Tunnel1] vam client dvpn1hub1
[Hub1-Tunnel1] ip address
[Hub1-Tunnel1] source ethernet 1/1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] ipsec profile vamp
[Hub1-Tunnel1] quit
[Hub1] interface tunnel 2
[Hub1-Tunnel2] tunnel-protocol dvpn udp
[Hub1-Tunnel2] vam client dvpn2hub1
[Hub1-Tunnel2] ip address
[Hub1-Tunnel2] source ethernet 1/1
[Hub1-Tunnel2] ospf network-type broadcast
[Hub1-Tunnel2] ipsec profile vamp
[Hub1-Tunnel2] quit

# Configure OSPF.
[Hub1] ospf 100
[Hub1-ospf-100] area
[Hub1-ospf-100-area-] network 55
[Hub1-ospf-100-area-] quit
[Hub1] ospf 200
[Hub1-ospf-200] area
[Hub1-ospf-200-area-] network 55
[Hub1-ospf-200-area-] quit
[Hub1] ospf 300
[Hub1-ospf-300] area
[Hub1-ospf-300-area-] network 55
[Hub1-ospf-300-area-] quit

(4) Configure Hub2

# Create VAM client dvpn1hub2 for VPN domain 1.
[Hub2] vam client name dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] server primary ip-address 2
[Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 3
[Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123
[Hub2-vam-client-name-dvpn1hub2] vpn 1
[Hub2-vam-client-name-dvpn1hub2] user dvpn1hub2 password simple dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] quit
# Create VAM client dvpn2hub2 for VPN domain 2.
[Hub2] vam client name dvpn2hub2
[Hub2-vam-client-name-dvpn2hub2] server primary ip-address 2
[Hub2-vam-client-name-dvpn2hub2] server secondary ip-address 3
[Hub2-vam-client-name-dvpn2hub2] pre-shared-key simple 456
[Hub2-vam-client-name-dvpn2hub2] vpn 2
[Hub2-vam-client-name-dvpn2hub2] user dvpn2hub2 password simple dvpn2hub2
[Hub2-vam-client-name-dvpn2hub2] quit

# Configure the IPsec profile.
[Hub2] ipsec proposal vam
[Hub2-ipsec-proposal-vam] encapsulation-mode tunnel
[Hub2-ipsec-proposal-vam] transform esp
[Hub2-ipsec-proposal-vam] esp encryption-algorithm des
[Hub2-ipsec-proposal-vam] esp authentication-algorithm sha1
[Hub2-ipsec-proposal-vam] quit
[Hub2] ike peer vam
[Hub2-ike-peer-vam] pre-shared-key abcde
[Hub2-ike-peer-vam] quit
[Hub2] ipsec profile vamp
[Hub2-ipsec-profile-vamp] proposal vam
[Hub2-ipsec-profile-vamp] sa duration time-based 600
[Hub2-ipsec-profile-vamp] pfs dh-group2
[Hub2-ipsec-profile-vamp] quit
# Configure the DVPN tunnels.
[Hub2] interface tunnel 1
[Hub2-Tunnel1] tunnel-protocol dvpn udp
[Hub2-Tunnel1] vam client dvpn1hub2
[Hub2-Tunnel1] ip address
[Hub2-Tunnel1] source ethernet 1/1
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] ipsec profile vamp
[Hub2-Tunnel1] quit
[Hub2] interface tunnel 2
[Hub2-Tunnel2] tunnel-protocol dvpn udp
[Hub2-Tunnel2] vam client dvpn2hub2
[Hub2-Tunnel2] ip address
[Hub2-Tunnel2] source ethernet 1/1
[Hub2-Tunnel2] ospf network-type broadcast
[Hub2-Tunnel2] ipsec profile vamp
[Hub2-Tunnel2] quit

# Configure OSPF.
[Hub2] ospf 100
[Hub2-ospf-100] area
[Hub2-ospf-100-area-] network 55
[Hub2-ospf-100-area-] quit
[Hub2] ospf 200
[Hub2-ospf-200] area
[Hub2-ospf-200-area-] network 55
[Hub2-ospf-200-area-] quit
[Hub2] ospf 300
[Hub2-ospf-300] area
[Hub2-ospf-300-area-] network 55
[Hub2-ospf-300-area-] quit

(5) Configure Spoke1

# Create VAM client dvpn1spoke1 for VPN domain 1.
[Spoke1] vam client name dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address 2
[Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address 3
[Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123
[Spoke1-vam-client-name-dvpn1spoke1] vpn 1
[Spoke1-vam-client-name-dvpn1spoke1] user dvpn1spoke1 password simple dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] quit

# Configure the IPsec profile.
[Spoke1] ipsec proposal vam
[Spoke1-ipsec-proposal-vam] encapsulation-mode tunnel
[Spoke1-ipsec-proposal-vam] transform esp
[Spoke1-ipsec-proposal-vam] esp encryption-algorithm des
[Spoke1-ipsec-proposal-vam] esp authentication-algorithm sha1
[Spoke1-ipsec-proposal-vam] quit
[Spoke1] ike peer vam
[Spoke1-ike-peer-vam] pre-shared-key abcde
[Spoke1-ike-peer-vam] quit
[Spoke1] ipsec profile vamp
[Spoke1-ipsec-profile-vamp] proposal vam
[Spoke1-ipsec-profile-vamp] sa duration time-based 600
[Spoke1-ipsec-profile-vamp] pfs dh-group2
[Spoke1-ipsec-profile-vamp] quit

# Configure the DVPN tunnel.
[Spoke1] interface tunnel 1
[Spoke1-Tunnel1] tunnel-protocol dvpn udp
[Spoke1-Tunnel1] vam client dvpn1spoke1
[Spoke1-Tunnel1] ip address
[Spoke1-Tunnel1] source ethernet 1/1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] ipsec profile vamp
[Spoke1-Tunnel1] quit

# Configure OSPF.
[Spoke1] ospf 100
[Spoke1-ospf-100] area
[Spoke1-ospf-100-area-] network 55
[Spoke1-ospf-100-area-] quit
[Spoke1] ospf 200
[Spoke1-ospf-200] area
[Spoke1-ospf-200-area-] network 55
[Spoke1-ospf-200-area-] quit

(6) Configure Spoke2

# Create VAM client dvpn1spoke2 for VPN domain 1.
[Spoke2] vam client name dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 2
[Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 3
[Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123
[Spoke2-vam-client-name-dvpn1spoke2] vpn 1
[Spoke2-vam-client-name-dvpn1spoke2] user dvpn1spoke2 password simple dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] quit
# Create VAM client dvpn2spoke2 for VPN domain 2.
[Spoke2] vam client name dvpn2spoke2
[Spoke2-vam-client-name-dvpn2spoke2] server primary ip-address 2
[Spoke2-vam-client-name-dvpn2spoke2] server secondary ip-address 3
[Spoke2-vam-client-name-dvpn2spoke2] pre-shared-key simple 456
[Spoke2-vam-client-name-dvpn2spoke2] vpn 2
[Spoke2-vam-client-name-dvpn2spoke2] user dvpn2spoke2 password simple dvpn2spoke2
[Spoke2-vam-client-name-dvpn2spoke2] quit

# Configure the IPsec profile.
[Spoke2] ipsec proposal vam
[Spoke2-ipsec-proposal-vam] encapsulation-mode tunnel
[Spoke2-ipsec-proposal-vam] transform esp
[Spoke2-ipsec-proposal-vam] esp encryption-algorithm des
[Spoke2-ipsec-proposal-vam] esp authentication-algorithm sha1
[Spoke2-ipsec-proposal-vam] quit
[Spoke2] ike peer vam
[Spoke2-ike-peer-vam] pre-shared-key abcde
[Spoke2-ike-peer-vam] quit
[Spoke2] ipsec profile vamp
[Spoke2-ipsec-profile-vamp] proposal vam
[Spoke2-ipsec-profile-vamp] sa duration time-based 600
[Spoke2-ipsec-profile-vamp] pfs dh-group2
[Spoke2-ipsec-profile-vamp] quit

# Configure the DVPN tunnels.
[Spoke2] interface tunnel 1
[Spoke2-Tunnel1] tunnel-protocol dvpn udp
[Spoke2-Tunnel1] vam client dvpn1spoke2
[Spoke2-Tunnel1] ip address
[Spoke2-Tunnel1] source ethernet 1/1
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] ipsec profile vamp
[Spoke2-Tunnel1] quit
[Spoke2] interface tunnel 2
[Spoke2-Tunnel2] tunnel-protocol dvpn udp
[Spoke2-Tunnel2] vam client dvpn2spoke2
[Spoke2-Tunnel2] ip address
[Spoke2-Tunnel2] source ethernet 1/1
[Spoke2-Tunnel2] ospf network-type broadcast
[Spoke2-Tunnel2] ipsec profile vamp
[Spoke2-Tunnel2] quit

# Configure OSPF.
[Spoke2] ospf 100
[Spoke2-ospf-100] area
[Spoke2-ospf-100-area-] network 55
[Spoke2-ospf-100-area-] quit
[Spoke2] ospf 200
[Spoke2-ospf-200] area
[Spoke2-ospf-200-area-] network 55
[Spoke2-ospf-200-area-] quit
[Spoke2] ospf 300
[Spoke2-ospf-300] area
[Spoke2-ospf-300-area-] network 55
[Spoke2-ospf-300-area-] quit

(7) Configure Spoke3

# Create VAM client dvpn2spoke3 for VPN domain 2 (the pre-shared key must match the key of VPN domain 2 on the VAM Server).
[Spoke3] vam client name dvpn2spoke3
[Spoke3-vam-client-name-dvpn2spoke3] server primary ip-address 2
[Spoke3-vam-client-name-dvpn2spoke3] server secondary ip-address 3
[Spoke3-vam-client-name-dvpn2spoke3] pre-shared-key simple 456
[Spoke3-vam-client-name-dvpn2spoke3] vpn 2
[Spoke3-vam-client-name-dvpn2spoke3] user dvpn2spoke3 password simple dvpn2spoke3
[Spoke3-vam-client-name-dvpn2spoke3] quit
# Configure the IPsec profile.
[Spoke3] ipsec proposal vam
[Spoke3-ipsec-proposal-vam] encapsulation-mode tunnel
[Spoke3-ipsec-proposal-vam] transform esp
[Spoke3-ipsec-proposal-vam] esp encryption-algorithm des
[Spoke3-ipsec-proposal-vam] esp authentication-algorithm sha1
[Spoke3-ipsec-proposal-vam] quit
[Spoke3] ike peer vam
[Spoke3-ike-peer-vam] pre-shared-key abcde
[Spoke3-ike-peer-vam] quit
[Spoke3] ipsec profile vamp
[Spoke3-ipsec-profile-vamp] proposal vam
[Spoke3-ipsec-profile-vamp] sa duration time-based 600
[Spoke3-ipsec-profile-vamp] pfs dh-group2
[Spoke3-ipsec-profile-vamp] quit

# Configure the DVPN tunnel.
[Spoke3] interface tunnel 2
[Spoke3-Tunnel2] tunnel-protocol dvpn udp
[Spoke3-Tunnel2] vam client dvpn2spoke3
[Spoke3-Tunnel2] ip address
[Spoke3-Tunnel2] source ethernet 1/1
[Spoke3-Tunnel2] ospf network-type broadcast
[Spoke3-Tunnel2] ospf dr-priority 0
[Spoke3-Tunnel2] ipsec profile vamp
[Spoke3-Tunnel2] quit

# Configure OSPF.
[Spoke3] ospf 100
[Spoke3-ospf-100] area
[Spoke3-ospf-100-area-] network 55
[Spoke3-ospf-100-area-] quit
[Spoke3] ospf 200
[Spoke3-ospf-200] area

Configuration example (Hub-Spoke network)

Network requirements: in Hub-Spoke networking, the primary and backup VAM Servers manage and maintain the information of each node; the AAA server authenticates and accounts for the VAM clients; the two Hubs back each other up. Spokes establish permanent (static) Hub-to-Spoke tunnels with the Hubs and communicate with each other only through the Hubs.

Figure 1-7 Hub-Spoke DVPN networking (primary and backup VAM Servers, AAA server, Hub1, Hub2, Spoke1, Spoke2, Sites)

(1) Configure the primary VAM Server (MainServer)

# Configure the RADIUS scheme and the ISP domain used for AAA.
[MainServer] radius scheme radsun
[MainServer-radius-radsun] primary accounting 1
[MainServer-radius-radsun] key authentication expert
[MainServer-radius-radsun] key accounting expert
[MainServer-radius-radsun] server-type standard
[MainServer-radius-radsun] user-name-format with-domain
[MainServer-radius-radsun] quit
[MainServer] domain 1
[MainServer-isp-1] authentication default radius-scheme radsun
[MainServer-isp-1] accounting default radius-scheme radsun
[MainServer-isp-1] quit
[MainServer] domain default enable 1
# Specify the IP address used by the VAM Server.
[MainServer] vam server ip-address 2
# Create VPN domain 1.
[MainServer] vam server vpn 1
[MainServer-vam-server-vpn-1] pre-shared-key simple 123
# Specify the Hub addresses of VPN domain 1.
[MainServer-vam-server-vpn-1] hub private-ip
[MainServer-vam-server-vpn-1] hub private-ip
[MainServer-vam-server-vpn-1] quit
# Enable the VAM Server function for all VPN domains.
[MainServer] vam server enable all

(2) Configure the backup VAM Server: apart from the IP address, the DVPN configuration of the backup VAM Server is the same as that of the primary VAM Server; see step (1).

(3) Configure Hub1

# Create VAM client dvpn1hub1 for VPN domain 1.
[Hub1] vam client name dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] server primary ip-address 2
[Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 3
[Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123
[Hub1-vam-client-name-dvpn1hub1] vpn 1
[Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] quit

# Configure the IPsec profile.
[Hub1] ipsec proposal vam
[Hub1-ipsec-proposal-vam] encapsulation-mode tunnel
[Hub1-ipsec-proposal-vam] transform esp
[Hub1-ipsec-proposal-vam] esp encryption-algorithm des
[Hub1-ipsec-proposal-vam] esp authentication-algorithm sha1
[Hub1-ipsec-proposal-vam] quit
[Hub1] ike peer vam
[Hub1-ike-peer-vam] pre-shared-key abcde
[Hub1-ike-peer-vam] quit
[Hub1] ipsec profile vamp
[Hub1-ipsec-profile-vamp] proposal vam
[Hub1-ipsec-profile-vamp] sa duration time-based 600
[Hub1-ipsec-profile-vamp] pfs dh-group2
[Hub1-ipsec-profile-vamp] quit

# Configure the DVPN tunnel.
[Hub1] interface tunnel 1
[Hub1-Tunnel1] tunnel-protocol dvpn udp
[Hub1-Tunnel1] vam client dvpn1hub1
[Hub1-Tunnel1] ip address
[Hub1-Tunnel1] source ethernet 1/1
[Hub1-Tunnel1] ospf network-type p2mp
[Hub1-Tunnel1] ipsec profile vamp
[Hub1-Tunnel1] quit

# Configure OSPF.
[Hub1] ospf 100
[Hub1-ospf-100] area
[Hub1-ospf-100-area-] network 55
[Hub1-ospf-100-area-] quit
[Hub1] ospf 200
[Hub1-ospf-200] area
[Hub1-ospf-200-area-] network 55
[Hub1-ospf-200-area-] quit

(4) Configure Hub2

# Create VAM client dvpn1hub2 for VPN domain 1.
[Hub2] vam client name dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] server primary ip-address 2
[Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 3
[Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123
[Hub2-vam-client-name-dvpn1hub2] vpn 1
[Hub2-vam-client-name-dvpn1hub2] user dvpn1hub2 password simple dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] quit
# Configure the IPsec profile.
[Hub2] ipsec proposal vam
[Hub2-ipsec-proposal-vam] encapsulation-mode tunnel
[Hub2-ipsec-proposal-vam] transform esp
[Hub2-ipsec-proposal-vam] esp encryption-algorithm des
[Hub2-ipsec-proposal-vam] esp authentication-algorithm sha1
[Hub2-ipsec-proposal-vam] quit
[Hub2] ike peer vam
[Hub2-ike-peer-vam] pre-shared-key abcde
[Hub2-ike-peer-vam] quit
[Hub2] ipsec profile vamp
[Hub2-ipsec-profile-vamp] proposal vam
[Hub2-ipsec-profile-vamp] sa duration time-based 600
[Hub2-ipsec-profile-vamp] pfs dh-group2
[Hub2-ipsec-profile-vamp] quit

# Configure the DVPN tunnel.
[Hub2] interface tunnel 1
[Hub2-Tunnel1] tunnel-protocol dvpn udp
[Hub2-Tunnel1] vam client dvpn1hub2
[Hub2-Tunnel1] ip address
[Hub2-Tunnel1] source ethernet 1/1
[Hub2-Tunnel1] ospf network-type p2mp
[Hub2-Tunnel1] ipsec profile vamp
[Hub2-Tunnel1] quit

# Configure OSPF.
[Hub2] ospf 100
[Hub2-ospf-100] area
[Hub2-ospf-100-area-] network 55
[Hub2-ospf-100-area-] quit
[Hub2] ospf 200
[Hub2-ospf-200] area
[Hub2-ospf-200-area-] network 55
[Hub2-ospf-200-area-] quit

(5) Configure Spoke1

# Create VAM client dvpn1spoke1 for VPN domain 1.
[Spoke1] vam client name dvpn1spoke1
# Specify the VAM Server addresses.
[Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address 2
[Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address 3
[Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123
[Spoke1-vam-client-name-dvpn1spoke1] vpn 1
[Spoke1-vam-client-name-dvpn1spoke1] user dvpn1spoke1 password simple dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] client enable
[Spoke1-vam-client-name-dvpn1spoke1] quit

# Configure the IPsec profile.
[Spoke1] ipsec proposal vam
[Spoke1-ipsec-proposal-vam] encapsulation-mode tunnel
[Spoke1-ipsec-proposal-vam] transform esp
[Spoke1-ipsec-proposal-vam] esp encryption-algorithm des
[Spoke1-ipsec-proposal-vam] esp authentication-algorithm sha1
[Spoke1-ipsec-proposal-vam] quit
[Spoke1] ike peer vam
[Spoke1-ike-peer-vam] pre-shared-key abcde
[Spoke1-ike-peer-vam] quit
[Spoke1] ipsec profile vamp
[Spoke1-ipsec-profile-vamp] proposal vam
[Spoke1-ipsec-profile-vamp] sa duration time-based 600
[Spoke1-ipsec-profile-vamp] pfs dh-group2
[Spoke1-ipsec-profile-vamp] quit

# Configure the DVPN tunnel.
[Spoke1] interface tunnel 1
[Spoke1-Tunnel1] tunnel-protocol dvpn udp
[Spoke1-Tunnel1] vam client dvpn1spoke1
[Spoke1-Tunnel1] ip address
[Spoke1-Tunnel1] source ethernet 1/1
[Spoke1-Tunnel1] ospf network-type p2mp
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] ipsec profile vamp
[Spoke1-Tunnel1] quit

# Configure OSPF.
[Spoke1] ospf 100
[Spoke1-ospf-100] area
[Spoke1-ospf-100-area-] network 55
[Spoke1-ospf-100-area-] quit
[Spoke1] ospf 200
[Spoke1-ospf-200] area
[Spoke1-ospf-200-area-] network 55
[Spoke1-ospf-200-area-] quit

(6) Configure Spoke2

# Create VAM client dvpn1spoke2 for VPN domain 1.
[Spoke2] vam client name dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 2
[Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 3
[Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123
[Spoke2-vam-client-name-dvpn1spoke2] vpn 1
[Spoke2-vam-client-name-dvpn1spoke2] user dvpn1spoke2 password simple dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] quit

# Configure the IPsec profile.
[Spoke2] ipsec proposal vam
[Spoke2-ipsec-proposal-vam] encapsulation-mode tunnel
[Spoke2-ipsec-proposal-vam] transform esp
[Spoke2-ipsec-proposal-vam] esp encryption-algorithm des
[Spoke2-ipsec-proposal-vam] esp authentication-algorithm sha1
[Spoke2-ipsec-proposal-vam] quit
[Spoke2] ike peer vam
[Spoke2-ike-peer-vam] pre-shared-key abcde
[Spoke2-ike-peer-vam] quit
[Spoke2] ipsec profile vamp
[Spoke2-ipsec-profile-vamp] proposal vam
[Spoke2-ipsec-profile-vamp] sa duration time-based 600
[Spoke2-ipsec-profile-vamp] pfs dh-group2
[Spoke2-ipsec-profile-vamp] quit

# Configure the DVPN tunnel.
[Spoke2] interface tunnel 1
[Spoke2-Tunnel1] tunnel-protocol dvpn udp
[Spoke2-Tunnel1] vam client dvpn1spoke2
[Spoke2-Tunnel1] ip address
[Spoke2-Tunnel1] source ethernet 1/1
[Spoke2-Tunnel1] ospf network-type p2mp
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] ipsec profile vamp
[Spoke2-Tunnel1] quit

# Configure OSPF.
[Spoke2] ospf 100
[Spoke2-ospf-100] area
[Spoke2-ospf-100-area-] network 55
[Spoke2-ospf-100-area-] quit
[Spoke2] ospf 200
[Spoke2-ospf-200] area
[Spoke2-ospf-200-area-] network 55
[Spoke2-ospf-200-area-] quit

GRE Configuration

For differences among H3C MSR series routers in the command parameters supported for this feature, their default values and their value ranges, see the command manual of this module.

GRE Overview

GRE (Generic Routing Encapsulation) encapsulates the data packets of one network-layer protocol so that they can be transported inside another network-layer protocol (such as IP). GRE uses tunnel technology and is a Layer 3 tunnelling protocol for VPNs (Virtual Private Networks). A packet is encapsulated at one end of the tunnel and decapsulated at the other end; the network in Figure 1-1 is used as an example to illustrate the two processes.

Figure 1-2 Format of an encapsulated tunnel packet

Figure 1-3 GRE header (tunnel protocol)

After the system receives a payload, it first encapsulates the payload with the encapsulation protocol (GRE), producing a GRE packet; it then hands the GRE packet to the IP protocol for forwarding. The IP protocol responsible for this forwarding is usually called the delivery protocol or transport protocol. The GRE header format is specified in RFC 1701 and includes the Checksum and Key fields.

Figure 1-4 Multi-protocol local networks over a single-protocol backbone: the Novell IPX groups Group1 and Group2 and the IP teams Team1 and Team2 are connected through a GRE tunnel between Router A and Router B, so that Group1 and Group2, and Team1 and Team2, can communicate without affecting each other.

Figure 1-5 (Router, IP, GRE, Host)
Figure 1-6 Tunnel across a WAN

Figure 1-7 GRE with IPsec

Protocols and standards: RFC 1701 Generic Routing Encapsulation; RFC 1702 Generic Routing Encapsulation over IPv4; RFC 2784 Generic Routing Encapsulation.

Configuring a GRE over IPv4 tunnel

Prerequisites: configure IP addresses on the interfaces so that they can communicate normally. These interfaces serve as the source interfaces of the Tunnel virtual interfaces, which ensures that the tunnel destination address is reachable.

Table 1-1 Configure a GRE over IPv4 tunnel (system view): create a Tunnel interface and enter its view: interface tunnel number (by default the device has no Tunnel interface); set the IPv4 address of the Tunnel interface: ip address ip-address { mask | mask-length }; set the tunnel encapsulation: tunnel-protocol gre (by default GRE over IPv4 is used); set the source address of the Tunnel interface: source { ip-address | interface-type interface-number }; set the destination address of the Tunnel interface: destination ip-address; detect the Tunnel interface state and configure the keepalive sending period and retry count: keepalive [ seconds [ times ] ] (optional); enable the GRE checksum: gre checksum (optional); configure the GRE key: gre key key-number (optional); configure routes through the Tunnel interface (required: a route forwarded through the Tunnel must exist on both ends); configure GRE expediting: expediting subnet ip-address and expediting enable (optional).

Support for the expediting subnet command depends on the device model; refer to the actual device. For the expediting function see "Tunnel Configuration", and for the expediting subnet command see "Tunnel Commands", both in the IP Services volume.

The two ends of a tunnel can be configured with or without the checksum according to the application. A route through the Tunnel can be configured manually as a static route whose destination is the destination address of the un-encapsulated packet and whose next hop is the address of the peer Tunnel interface; alternatively, a dynamic routing protocol can be enabled on the Tunnel interface and on the router interface connected to the private network, so that the routing protocol builds the routing entries through the Tunnel.

Configuring a GRE over IPv6 tunnel

Prerequisites: configure IPv6 addresses on the interfaces so that they can communicate normally. These interfaces serve as the source interfaces of the Tunnel virtual interfaces, which ensures that the tunnel destination address is reachable.

Table 1-2 Configure a GRE over IPv6 tunnel (system view): enable IPv6 forwarding: ipv6 (disabled by default); create a Tunnel interface: interface tunnel number (by default the device has no Tunnel interface); set the IPv4 address of the Tunnel interface: ip address ip-address { mask | mask-length }; set the tunnel encapsulation: tunnel-protocol gre ipv6; set the source address: source { ipv6-address | interface-type interface-number }; set the destination address: destination ipv6-address; set the encapsulation limit: encapsulation-limit [ number ] (default 4); enable the GRE checksum: gre checksum (optional); configure the GRE key: gre key key-number (optional); configure routes through the Tunnel interface (required on both ends of the tunnel). For details see "Tunnel Commands" in the IP Services volume.

The notes on the checksum and on routing given for GRE over IPv4 also apply here.

Table 1-3 Displaying GRE: display interface tunnel [ number ] displays Tunnel interface information; display ipv6 interface tunnel [ number ] [ verbose ] displays the IPv6 information of a Tunnel interface. For details see the IP Services volume.

GRE over IPv4 configuration example (routing application)

Router A and Router B are connected across the Internet (Figure 1-8 GRE over IPv4 networking).

(1) Configure Router A

# Configure the interfaces Ethernet1/1 and Serial2/0.
<RouterA> system-view
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address
[RouterA-Ethernet1/1] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ip address
[RouterA-Serial2/0] quit
# Create the Tunnel0 interface and set its IP address, source and destination.
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ip address
[RouterA-Tunnel0] source
[RouterA-Tunnel0] destination
[RouterA-Tunnel0] quit
# Configure a static route through Tunnel0.
[RouterA] ip route-static tunnel 0

(2) Configure Router B

# Configure the interfaces Ethernet1/1 and Serial2/1.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address
[RouterB-Ethernet1/1] quit
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ip address
[RouterB-Serial2/1] quit
# Create the Tunnel0 interface.
[RouterB] interface tunnel 0
[RouterB-Tunnel0] ip address
[RouterB-Tunnel0] source
[RouterB-Tunnel0] destination
[RouterB-Tunnel0] quit
# Configure a static route through Tunnel0.
[RouterB] ip route-static tunnel 0

GRE over IPv4 configuration example (switching application)

Switch A and Switch B are connected across the Internet (Figure 1-9 GRE over IPv4 networking).

(1) Configure Switch A

# Configure VLAN 100 with Ethernet1/1 and VLAN 101 with Ethernet1/2.
[SwitchA] vlan 100
[SwitchA-vlan100] port ethernet 1/1
[SwitchA-vlan100] quit
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address
[SwitchA-Vlan-interface100] quit
[SwitchA] vlan 101
[SwitchA-vlan101] port ethernet 1/2
[SwitchA-vlan101] quit
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] ip address
[SwitchA-Vlan-interface101] quit
# Create the Tunnel1 interface.
[SwitchA] interface tunnel 1
[SwitchA-Tunnel1] ip address
[SwitchA-Tunnel1] source vlan-interface
[SwitchA-Tunnel1] destination
[SwitchA-Tunnel1] quit
# Create service loopback group 1 of type tunnel.
[SwitchA] service-loopback group 1 type tunnel
# Add interface Ethernet1/3 to service loopback group 1.
[SwitchA] interface ethernet 1/3
[SwitchA-Ethernet1/3] undo stp enable
[SwitchA-Ethernet1/3] port service-loopback group 1
[SwitchA-Ethernet1/3] quit
# Specify service loopback group 1 for the tunnel in Tunnel interface view.
[SwitchA] interface tunnel 1
[SwitchA-Tunnel1] service-loopback-group 1
[SwitchA-Tunnel1] quit
# Configure a static route through Tunnel1.
[SwitchA] ip route-static tunnel 1

(2) Configure Switch B

# Configure VLAN 100 with Ethernet1/1 and VLAN 101 with Ethernet1/2.
[SwitchB] vlan 100
[SwitchB-vlan100] port ethernet 1/1
[SwitchB-vlan100] quit
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ip address
[SwitchB-Vlan-interface100] quit
[SwitchB] vlan 101
[SwitchB-vlan101] port ethernet 1/2
[SwitchB-vlan101] quit
[SwitchB] interface vlan-interface 101
[SwitchB-Vlan-interface101] ip address
[SwitchB-Vlan-interface101] quit
# Create the Tunnel1 interface.
[SwitchB] interface tunnel 1
[SwitchB-Tunnel1] ip address
[SwitchB-Tunnel1] source vlan-interface
[SwitchB-Tunnel1] destination
[SwitchB-Tunnel1] quit
# Create service loopback group 1 of type tunnel.
[SwitchB] service-loopback group 1 type tunnel
# Add interface Ethernet1/3 to service loopback group 1.
[SwitchB] interface ethernet 1/3
[SwitchB-Ethernet1/3] undo stp enable
[SwitchB-Ethernet1/3] port service-loopback group 1
[SwitchB-Ethernet1/3] quit
# Specify service loopback group 1 for the tunnel in Tunnel interface view.
[SwitchB] interface tunnel 1
[SwitchB-Tunnel1] service-loopback-group 1
[SwitchB-Tunnel1] quit
# Configure a static route through Tunnel1.
[SwitchB] ip route-static tunnel 1

GRE over IPv6 configuration example (routing application)

Two IPv4 sites are interconnected across an IPv6 network using the Layer 3 tunnelling protocol GRE (Figure 1-10 GRE over IPv6 networking).

(1) Configure Router A

# Enable IPv6 and configure the interfaces Ethernet1/1 and Serial2/0.
[RouterA] ipv6
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address
[RouterA-Ethernet1/1] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ipv6 address 2002::1:1 64
[RouterA-Serial2/0] quit
# Create the Tunnel0 interface and set its IP address.
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ip address
