This article is from the Wang Da Blog; please contact the author before reprinting it.

The author has authorized this blog to reprint it.

13.3.2 H3C Router Hub-Spoke DVPN Configuration Example

The topology for this example is shown in Figure 13-8. The network uses a Hub-Spoke structure: data is forwarded only over Hub-Spoke tunnels, each Spoke keeps a permanent tunnel to the Hubs, and Spokes cannot build virtual tunnels directly to each other to forward data. The interface IP address assignments of the devices are listed in Table 13-10. The primary and backup VAM servers manage and maintain the information of every node; the AAA server authenticates the VAM clients and handles accounting; the two Hubs back each other up and are responsible for forwarding data and exchanging routing information. Each of the two Hubs and the two Spokes has only one tunnel interface, Tunnel 1, so only one VPN domain, VPN 1, needs to be configured.

Figure 13-8 Topology of the Hub-Spoke DVPN configuration example

Following the configuration approach given in Section 13.2 of this chapter, the Hub-Spoke DVPN configuration is as follows.
I. Configuring the primary VAM server
(1) Configure the IP address of the primary VAM server as marked in the figure (omitted).
(2) Configure AAA authentication (a RADIUS scheme).
<MainServer> system-view
[MainServer] radius scheme rad1 !--- Create a RADIUS scheme named rad1
[MainServer-radius-rad1] primary authentication 192.168.1.11 1812 !--- Set the primary RADIUS authentication/authorization server to 192.168.1.11, using the default UDP port 1812
[MainServer-radius-rad1] primary accounting 192.168.1.11 1813 !--- Set the primary RADIUS accounting server to 192.168.1.11, using the default UDP port 1813
[MainServer-radius-rad1] key authentication lycb !--- Set the shared key for RADIUS authentication/authorization packets to lycb
[MainServer-radius-rad1] key accounting lycb !--- Set the shared key for RADIUS accounting packets to lycb
[MainServer-radius-rad1] server-type standard !--- Use the standard RADIUS server type; the "extended" option selects a RADIUS server that supports the proprietary RADIUS extensions
[MainServer-radius-rad1] user-name-format with-domain !--- Send user names to the RADIUS server with the ISP domain name, in the form userid@isp-name; the "without-domain" option sends them without the domain name, in which case user names in different domains must not be identical
[MainServer-radius-rad1] quit
(3) Configure the AAA scheme of the ISP domain.
[MainServer] domain domain1 !--- Create an ISP domain named domain1
[MainServer-isp-domain1] authentication default radius-scheme rad1 !--- By default, all users in domain1 use the RADIUS authentication/authorization scheme rad1 created above
[MainServer-isp-domain1] accounting default radius-scheme rad1 !--- By default, all users in domain1 use the RADIUS accounting scheme rad1 created above
[MainServer-isp-domain1] quit
[MainServer] domain default enable domain1 !--- Make domain1 the system default ISP domain; users who log in without giving an ISP domain name belong to this domain
(4) Configure the primary VAM server.
[MainServer] vam server ip-address 192.168.1.22 !--- Set the listening IP address of the VAM server
[MainServer] vam server vpn 1 !--- Create VPN domain 1
[MainServer-vam-server-vpn-1] pre-shared-key simple 123456 !--- Set the pre-shared key to 123456
[MainServer-vam-server-vpn-1] authentication-method chap !--- Authenticate clients with CHAP
!--- The next two lines specify the two Hub addresses of VPN domain 1.
[MainServer-vam-server-vpn-1] hub private-ip 10.0.1.1
[MainServer-vam-server-vpn-1] hub private-ip 10.0.1.2
[MainServer-vam-server-vpn-1] quit
[MainServer] vam server vpn 2 !--- Create VPN domain 2
[MainServer-vam-server-vpn-2] pre-shared-key simple 654321 !--- Set the pre-shared key to 654321
[MainServer-vam-server-vpn-2] authentication-method pap !--- Authenticate clients with PAP
!--- The next two lines specify the two Hub addresses of VPN domain 2.
[MainServer-vam-server-vpn-2] hub private-ip 10.0.2.1
[MainServer-vam-server-vpn-2] hub private-ip 10.0.2.2
[MainServer-vam-server-vpn-2] quit
[MainServer] vam server enable all !--- Enable the VAM server function for all VPN domains
II. Configuring the backup VAM server
Next, configure the backup VAM server. Apart from the listening IP address, the DVPN configuration of the backup VAM server is identical to that of the primary VAM server; refer to the primary VAM server configuration above.
III. Configuring Hub1
(1) Configure the IP addresses of the interfaces (omitted).
(2) Configure the VAM client.
<Hub1> system-view
!--- The next two lines create the client dvpn1hub1 in VPN domain 1.
[Hub1] vam client name dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] vpn 1
!--- The next three lines configure the VAM server IP addresses and the VAM client's pre-shared key.
[Hub1-vam-client-name-dvpn1hub1] server primary ip-address 192.168.1.22
[Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 192.168.1.33
[Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123456
!--- The next lines configure Hub1's local user, with user name dvpn1hub1 and password dvpn1hub1, and enable the client.
[Hub1-vam-client-name-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] client enable
[Hub1-vam-client-name-dvpn1hub1] quit
(3) Configure the IPsec profile.
!--- The next lines configure the IPsec proposal.
[Hub1] ipsec proposal propo1
[Hub1-ipsec-proposal-propo1] encapsulation-mode tunnel
[Hub1-ipsec-proposal-propo1] transform esp
[Hub1-ipsec-proposal-propo1] esp encryption-algorithm des
[Hub1-ipsec-proposal-propo1] esp authentication-algorithm sha1
[Hub1-ipsec-proposal-propo1] quit
!--- The next lines configure the IKE peer.
[Hub1] ike peer peer1
[Hub1-ike-peer-peer1] pre-shared-key abcdef
[Hub1-ike-peer-peer1] quit
!--- The next lines configure the IPsec profile.
[Hub1] ipsec profile profile1
[Hub1-ipsec-profile-profile1] proposal propo1
[Hub1-ipsec-profile-profile1] ike-peer peer1
[Hub1-ipsec-profile-profile1] sa duration time-based 600
[Hub1-ipsec-profile-profile1] pfs dh-group2
[Hub1-ipsec-profile-profile1] quit
(4) Configure the DVPN tunnel: the tunnel interface Tunnel1 of VPN domain 1 and its attributes.
[Hub1] interface tunnel 1
[Hub1-Tunnel1] tunnel-protocol dvpn udp
[Hub1-Tunnel1] vam client dvpn1hub1
[Hub1-Tunnel1] ip address 10.0.1.1 255.255.255.0
[Hub1-Tunnel1] source ethernet 1/1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] ipsec profile profile1
[Hub1-Tunnel1] quit
(5) Configure OSPF routing.
!--- The next lines configure routing for the public network.
[Hub1] ospf 100
[Hub1-ospf-100] area 0
[Hub1-ospf-100-area-0.0.0.0] network 192.168.1.1 0.0.0.255
[Hub1-ospf-100-area-0.0.0.0] quit
!--- The next lines configure routing for the private network.
[Hub1] ospf 200
[Hub1-ospf-200] area 0
[Hub1-ospf-200-area-0.0.0.0] network 10.0.1.1 0.0.0.255
[Hub1-ospf-200-area-0.0.0.0] quit
IV. Configuring Hub2
(1) Configure the IP addresses of the interfaces (omitted).
(2) Configure the VAM client.
<Hub2> system-view
!--- The next two lines create the client dvpn1hub2 in VPN domain 1.
[Hub2] vam client name dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] vpn 1
!--- The next three lines configure the VAM server IP addresses and the VAM client's pre-shared key.
[Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123456
!--- The next lines configure Hub2's local user, with user name dvpn1hub2 and password dvpn1hub2, and enable the client.
[Hub2-vam-client-name-dvpn1hub2] user dvpn1hub2 password simple dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] client enable
[Hub2-vam-client-name-dvpn1hub2] quit
(3) Configure the IPsec profile.
!--- The next lines configure the IPsec proposal.
[Hub2] ipsec proposal propo1
[Hub2-ipsec-proposal-propo1] encapsulation-mode tunnel
[Hub2-ipsec-proposal-propo1] transform esp
[Hub2-ipsec-proposal-propo1] esp encryption-algorithm des
[Hub2-ipsec-proposal-propo1] esp authentication-algorithm sha1
[Hub2-ipsec-proposal-propo1] quit
!--- The next lines configure the IKE peer.
[Hub2] ike peer peer1
[Hub2-ike-peer-peer1] pre-shared-key abcdef
[Hub2-ike-peer-peer1] quit
!--- The next lines configure the IPsec profile.
[Hub2] ipsec profile profile1
[Hub2-ipsec-profile-profile1] proposal propo1
[Hub2-ipsec-profile-profile1] ike-peer peer1
[Hub2-ipsec-profile-profile1] sa duration time-based 600
[Hub2-ipsec-profile-profile1] pfs dh-group2
[Hub2-ipsec-profile-profile1] quit
(4) Configure the DVPN tunnel: the tunnel interface Tunnel1 of VPN domain 1 and its attributes.
[Hub2] interface tunnel 1
[Hub2-Tunnel1] tunnel-protocol dvpn udp
[Hub2-Tunnel1] vam client dvpn1hub2
[Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.0
[Hub2-Tunnel1] source ethernet 1/1
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] ipsec profile profile1
[Hub2-Tunnel1] quit
(5) Configure OSPF routing.
!--- The next lines configure routing for the public network.
[Hub2] ospf 100
[Hub2-ospf-100] area 0
[Hub2-ospf-100-area-0.0.0.0] network 192.168.1.2 0.0.0.255
[Hub2-ospf-100-area-0.0.0.0] quit
!--- The next lines configure routing for the private network.
[Hub2] ospf 200
[Hub2-ospf-200] area 0
[Hub2-ospf-200-area-0.0.0.0] network 10.0.1.2 0.0.0.255
[Hub2-ospf-200-area-0.0.0.0] quit
V. Configuring Spoke1
(1) Configure the IP addresses of the interfaces (omitted).
(2) Configure the VAM client.
<Spoke1> system-view
!--- The next two lines create the client dvpn1spoke1 in VPN domain 1.
[Spoke1] vam client name dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] vpn 1
!--- The next three lines configure the VAM server IP addresses and the VAM client's pre-shared key.
[Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address 192.168.1.22
[Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address 192.168.1.33
[Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123456
!--- The next lines configure the local user, with user name dvpn1spoke1 and password dvpn1spoke1, and enable the client.
[Spoke1-vam-client-name-dvpn1spoke1] user dvpn1spoke1 password simple dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] client enable
[Spoke1-vam-client-name-dvpn1spoke1] quit
(3) Configure the IPsec profile.
!--- The next lines configure the IPsec proposal.
[Spoke1] ipsec proposal propo1
[Spoke1-ipsec-proposal-propo1] encapsulation-mode tunnel
[Spoke1-ipsec-proposal-propo1] transform esp
[Spoke1-ipsec-proposal-propo1] esp encryption-algorithm des
[Spoke1-ipsec-proposal-propo1] esp authentication-algorithm sha1
[Spoke1-ipsec-proposal-propo1] quit
!--- The next lines configure the IKE peer; the pre-shared key must be the same as on the Hubs.
[Spoke1] ike peer peer1
[Spoke1-ike-peer-peer1] pre-shared-key abcdef
[Spoke1-ike-peer-peer1] quit
!--- The next lines configure the IPsec profile, binding proposal propo1 and IKE peer peer1.
[Spoke1] ipsec profile profile1
[Spoke1-ipsec-profile-profile1] proposal propo1
[Spoke1-ipsec-profile-profile1] ike-peer peer1
[Spoke1-ipsec-profile-profile1] sa duration time-based 600
[Spoke1-ipsec-profile-profile1] pfs dh-group2
[Spoke1-ipsec-profile-profile1] quit
(4) Configure the DVPN tunnel: the tunnel interface Tunnel1 of VPN domain 1 and its attributes.
[Spoke1] interface tunnel 1
[Spoke1-Tunnel1] tunnel-protocol dvpn udp
[Spoke1-Tunnel1] vam client dvpn1spoke1
[Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.0
[Spoke1-Tunnel1] source ethernet 1/1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] ipsec profile profile1
[Spoke1-Tunnel1] quit
(5) Configure OSPF routing.
!--- The next lines configure routing for the public network.
[Spoke1] ospf 100
[Spoke1-ospf-100] area 0
[Spoke1-ospf-100-area-0.0.0.0] network 192.168.1.3 0.0.0.255
[Spoke1-ospf-100-area-0.0.0.0] quit
!--- The next lines configure routing for the private network.
[Spoke1] ospf 200
[Spoke1-ospf-200] area 0
[Spoke1-ospf-200-area-0.0.0.0] network 10.0.1.3 0.0.0.255
[Spoke1-ospf-200-area-0.0.0.0] network 10.0.2.1 0.0.0.255
[Spoke1-ospf-200-area-0.0.0.0] quit
VI. Configuring Spoke2
(1) Configure the IP addresses of the interfaces (omitted).
(2) Configure the VAM client.
<Spoke2> system-view
!--- The next two lines create the client dvpn1spoke2 in VPN domain 1.
[Spoke2] vam client name dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] vpn 1
!--- The next three lines configure the VAM server IP addresses and the VAM client's pre-shared key.
[Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123456
!--- The next lines configure the local user, with user name dvpn1spoke2 and password dvpn1spoke2, and enable the client.
[Spoke2-vam-client-name-dvpn1spoke2] user dvpn1spoke2 password simple dvpn1spoke2
[Spoke2-vam-client-name-dvpn1spoke2] client enable
[Spoke2-vam-client-name-dvpn1spoke2] quit
(3) Configure the IPsec profile.
!--- The next lines configure the IPsec proposal.
[Spoke2] ipsec proposal propo2
[Spoke2-ipsec-proposal-propo2] encapsulation-mode tunnel
[Spoke2-ipsec-proposal-propo2] transform esp
[Spoke2-ipsec-proposal-propo2] esp encryption-algorithm des
[Spoke2-ipsec-proposal-propo2] esp authentication-algorithm sha1
[Spoke2-ipsec-proposal-propo2] quit
!--- The next lines configure the IKE peer; the pre-shared key must be the same as on the Hubs.
[Spoke2] ike peer peer2
[Spoke2-ike-peer-peer2] pre-shared-key abcdef
[Spoke2-ike-peer-peer2] quit
!--- The next lines configure the IPsec profile, binding proposal propo2 and IKE peer peer2.
[Spoke2] ipsec profile profile2
[Spoke2-ipsec-profile-profile2] proposal propo2
[Spoke2-ipsec-profile-profile2] ike-peer peer2
[Spoke2-ipsec-profile-profile2] sa duration time-based 600
[Spoke2-ipsec-profile-profile2] pfs dh-group2
[Spoke2-ipsec-profile-profile2] quit
(4) Configure the DVPN tunnel: the tunnel interface Tunnel1 of VPN domain 1 and its attributes.
[Spoke2] interface tunnel 1
[Spoke2-Tunnel1] tunnel-protocol dvpn udp
[Spoke2-Tunnel1] vam client dvpn1spoke2
[Spoke2-Tunnel1] ip address 10.0.1.4 255.255.255.0
[Spoke2-Tunnel1] source ethernet 1/1
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] ipsec profile profile2
[Spoke2-Tunnel1] quit
(5) Configure OSPF routing.
!--- The next lines configure routing for the public network.
[Spoke2] ospf 100
[Spoke2-ospf-100] area 0
[Spoke2-ospf-100-area-0.0.0.0] network 192.168.1.4 0.0.0.255
[Spoke2-ospf-100-area-0.0.0.0] quit
!--- The next lines configure routing for the private network.
[Spoke2] ospf 200
[Spoke2-ospf-200] area 0
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.1.4 0.0.0.255
[Spoke2-ospf-200-area-0.0.0.0] network 10.0.3.1 0.0.0.255
[Spoke2-ospf-200-area-0.0.0.0] quit
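The six device configurations above are typed by hand, and a tunnel only comes up when values agree across devices (the VAM pre-shared key between the server and its clients, the IKE pre-shared key between peers) and when every name refers to an object that exists (the proposal and ike-peer bound in an ipsec profile). The lint below is an added example, not code from the book or from H3C: it reads transcripts in the "[Prompt] command !--- comment" form used in this section, takes the view and object name from the prompt, and reports those mismatches, plus single DES as a risk finding. SAMPLE_CONFIG is constructed for the example; it reuses this section's names and deliberately carries three slips of the kind a hand-typed configuration can hide.

```python
"""Consistency lint for the "[Prompt] command" DVPN transcripts in this section.

Added example, not the book's code and not an H3C tool. It records the VAM,
IKE and IPsec settings of every device and reports cross-device key
mismatches and dangling references, plus single DES as a risk finding.
SAMPLE_CONFIG is constructed and reuses this section's names.
"""
import re
from collections import defaultdict

# "[Device-view-name] command !--- comment" -> device, view kind, object name, command.
PROMPT_RE = re.compile(
    r"^\s*\[([A-Za-z0-9_]+)(?:-(vam-server-vpn|vam-client-name|ike-peer|ipsec-proposal|ipsec-profile)-([^\]]+))?\]\s*(.*?)\s*(?:!---.*)?$")


def parse(config_text):
    """Return {device: {view kind: {object name: {setting: value}}}}."""
    devices = defaultdict(lambda: defaultdict(dict))
    for raw in config_text.splitlines():
        m = PROMPT_RE.match(raw)
        if not m or not m.group(2):
            continue  # comment line, system-view command, or a line that opens a view
        entry = devices[m.group(1)][m.group(2)].setdefault(m.group(3), {})
        w = m.group(4).split() or [""]
        if w[0] == "pre-shared-key":  # "simple K" on VAM objects, bare "K" on IKE peers
            entry["psk"] = w[-1]
        elif w[0] == "vpn":
            entry["vpn"] = w[1]
        elif w[:2] == ["esp", "encryption-algorithm"]:
            entry["enc"] = w[2]
        elif w[0] in ("proposal", "ike-peer"):
            entry[w[0]] = w[1]
    return devices


def lint(config_text):
    """Return human-readable findings; an empty list means the transcript is consistent."""
    devices, findings = parse(config_text), []
    for dev, v in sorted(devices.items()):
        for name, prof in v["ipsec-profile"].items():
            if prof.get("proposal") not in v["ipsec-proposal"]:
                findings.append(f"{dev}: ipsec profile {name} references undefined proposal {prof.get('proposal')}")
            if prof.get("ike-peer") not in v["ike-peer"]:
                findings.append(f"{dev}: ipsec profile {name} has no valid ike-peer, so IKE cannot negotiate")
        for name, prop in v["ipsec-proposal"].items():
            if prop.get("enc") == "des":
                findings.append(f"{dev}: ipsec proposal {name} uses single DES")
    # Keys are compared by holder and never printed: the VAM key must match between the
    # server and every client of a VPN domain, the IKE pre-shared key across all peers.
    groups = defaultdict(dict)
    for dev, v in devices.items():
        for name, srv in v["vam-server-vpn"].items():
            groups[f"VAM key for VPN {name}"][f"{dev}(server)"] = srv.get("psk")
        for name, cli in v["vam-client-name"].items():
            groups[f"VAM key for VPN {cli.get('vpn')}"][f"{dev}({name})"] = cli.get("psk")
        for name, peer in v["ike-peer"].items():
            groups["IKE pre-shared key"][f"{dev}({name})"] = peer.get("psk")
    for label, holders in sorted(groups.items()):
        if len(set(holders.values())) > 1:
            findings.append(f"{label} differs among {', '.join(sorted(holders))}")
    return findings


# Constructed sample transcript (server plus one hub and one spoke, abridged).
SAMPLE_CONFIG = """\
[MainServer] vam server vpn 1
[MainServer-vam-server-vpn-1] pre-shared-key simple 123456
[MainServer-vam-server-vpn-1] quit
[Hub1] vam client name dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] vpn 1
[Hub1-vam-client-name-dvpn1hub1] pre-shared-key simple 123456
[Hub1-vam-client-name-dvpn1hub1] quit
[Hub1] ipsec proposal propo1
[Hub1-ipsec-proposal-propo1] esp encryption-algorithm des
[Hub1-ipsec-proposal-propo1] quit
[Hub1] ike peer peer1
[Hub1-ike-peer-peer1] pre-shared-key abcdef
[Hub1-ike-peer-peer1] quit
[Hub1] ipsec profile profile1
[Hub1-ipsec-profile-profile1] proposal propo1
[Hub1-ipsec-profile-profile1] ike-peer peer1
[Hub1-ipsec-profile-profile1] quit
[Spoke1] vam client name dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] vpn 1
[Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123456
[Spoke1-vam-client-name-dvpn1spoke1] quit
[Spoke1] ike peer peer1
[Spoke1-ike-peer-peer1] pre-shared-key abcde !--- one character short of the hub's key
[Spoke1-ike-peer-peer1] quit
[Spoke1] ipsec proposal propo1
[Spoke1-ipsec-proposal-propo1] esp encryption-algorithm 3des
[Spoke1-ipsec-proposal-propo1] quit
[Spoke1] ipsec profile profile1
[Spoke1-ipsec-profile-profile1] proposal profile1 !--- typo: should reference propo1
[Spoke1-ipsec-profile-profile1] quit !--- no ike-peer bound
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports four findings: the DES proposal on Hub1, the dangling proposal reference and the missing ike-peer on Spoke1, and the IKE key that differs between Hub1 and Spoke1. Key values are never included in a finding, only the names of the objects that hold them, so the report can be shared without spreading secrets; the lint deliberately reads the view from the prompt rather than tracking quit commands, which is why it can also be run on a partial paste.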
VII. Verifying the configuration
First, use the display vam server address-map all command to view the address mapping information of all VAM clients registered with the primary VAM server.
[MainServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip Public-ip Type Holding time
10.0.1.1 192.168.1.1 Hub 0H 7M 35S
10.0.1.2 192.168.1.2 Hub 0H 13M 8S
10.0.1.3 192.168.1.3 Spoke 0H 3M 58S
10.0.1.4 192.168.1.4 Spoke 0H 0M 29S
Then run display vam server address-map all on the backup VAM server to display the address mapping information of all VAM clients registered there; the command and its output are the same as on the primary. The results show that Hub1, Hub2, Spoke1 and Spoke2 have all registered their address mapping information with both the primary and the backup VAM server.
[BackupServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip Public-ip Type Holding time
10.0.1.1 192.168.1.1 Hub 0H 8M 46S
10.0.1.2 192.168.1.2 Hub 0H 14M 58S
10.0.1.3 192.168.1.3 Spoke 0H 5M 9S
10.0.1.4 192.168.1.4 Spoke 0H 1M 40S
Next, use the display dvpn session all command to view the DVPN tunnel information on Hub1. The output shows that in VPN 1 Hub1 has established permanent tunnels with Hub2, Spoke1 and Spoke2. The output on Hub2 is similar.
[Hub1] display dvpn session all
Interface: Tunnel1 VPN name: 1 Total number: 3
Private IP: 10.0.1.2
Public IP: 192.168.1.2
Session type: Hub-Hub
State: SUCCESS
Holding time: 0h 1m 44s
Input: 101 packets, 100 data packets, 1 control packets
87 multicasts, 0 errors
Output: 106 packets, 99 data packets, 7 control packets
87 multicasts, 10 errors
Private IP: 10.0.1.3
Public IP: 192.168.1.3
Session type: Hub-Spoke
State: SUCCESS
Holding time: 0h 4m 32s
Input: 36 packets, 18 data packets, 18 control packets
10 multicasts, 0 errors
Output: 35 packets, 17 data packets, 18 control packets
11 multicasts, 0 errors
Private IP: 10.0.1.4
Public IP: 192.168.1.4
Session type: Hub-Spoke
State: SUCCESS
Holding time: 0h 3m 15s
Input: 20 packets, 0 data packets, 20 control packets
0 multicasts, 0 errors
Output: 20 packets, 6 data packets, 14 control packets
6 multicasts, 0 errors
Then use the display dvpn session all command to view the DVPN tunnel information on Spoke1. The output shows that in VPN 1 Spoke1 has established permanent Hub-Spoke tunnels with Hub1 and Hub2. The output on Spoke2 is similar.
[Spoke1] display dvpn session all
Interface: Tunnel1 VPN name: 1 Total number: 2
Private IP: 10.0.1.1
Public IP: 192.168.1.1
Session type: Spoke-Hub
State: SUCCESS
Holding time: 1h 1m 22s
Input: 381 packets, 380 data packets, 1 control packets
374 multicasts, 0 errors
Output: 384 packets, 376 data packets, 8 control packets
369 multicasts, 0 errors
Private IP: 10.0.1.2
Public IP: 192.168.1.2
Session type: Spoke-Hub
State: SUCCESS
Holding time: 0h 21m 53s
Input: 251 packets, 249 data packets, 1 control packets
230 multicasts, 0 errors
Output: 252 packets, 240 data packets, 7 control packets
224 multicasts, 0 errors
Now ping Spoke2's private network address 10.0.3.1 from Spoke1; the ping succeeds.
[Spoke1] ping 10.0.3.1
PING 10.0.3.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.1: bytes=56 Sequence=1 ttl=254 time=6 ms
Reply from 10.0.3.1: bytes=56 Sequence=2 ttl=254 time=54 ms
Reply from 10.0.3.1: bytes=56 Sequence=3 ttl=254 time=5 ms
Reply from 10.0.3.1: bytes=56 Sequence=4 ttl=254 time=6 ms
Reply from 10.0.3.1: bytes=56 Sequence=5 ttl=254 time=37 ms
--- 10.0.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/21/54 ms
Finally, use the display dvpn session all command on Spoke1 again to view its DVPN tunnel information. The output shows that no dynamic Spoke-Spoke tunnel has been established between Spoke1 and Spoke2; Spoke1 and Spoke2 forward data to each other through the Hubs.
[Spoke1] display dvpn session all
Interface: Tunnel2 VPN name: 2 Total number: 2
Private IP: 10.0.2.1
Public IP: 192.168.1.1
Session type: Spoke-Hub
State: SUCCESS
Holding time: 1h 10m 0s
Input: 451 packets, 450 data packets, 1 control packets
435 multicasts, 0 errors
Output: 453 packets, 447 data packets, 6 control packets
430 multicasts, 0 errors
Private IP: 10.0.2.2
Public IP: 192.168.1.2
Session type: Spoke-Hub
State: SUCCESS
Holding time: 0h 1m 50s
Input: 242 packets, 241 data packets, 1 control packets
231 multicasts, 0 errors
Output: 251 packets, 241 data packets, 7 control packets
225 multicasts, 0 errors
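The verification above is done by reading the display outputs by eye: are all four nodes registered with the expected role, is every session in state SUCCESS, and (the property that defines a Hub-Spoke design) does no Spoke hold a Spoke-Spoke session. The script below is an added example, not code from the book or from H3C; it parses the text formats of display vam server address-map all and display dvpn session all as shown above and turns those three checks into findings, also flagging any session whose counters show errors (the Hub-Hub session on Hub1 above shows 10 output errors). The embedded transcripts are copied from the outputs above, with the Hub1 listing shortened to two sessions; EXPECTED_ROLES restates the addressing of Table 13-10.

```python
"""Checks over the "display" outputs used to verify the Hub-Spoke DVPN example.

Added example, not the book's code and not an H3C tool: it parses the text of
"display vam server address-map all" and "display dvpn session all" in the
formats shown above and reports unregistered nodes, wrong roles, sessions not
in SUCCESS, session types a role must not hold, and sessions counting errors.
The transcripts below are copied from the outputs above (Hub1 shortened).
"""
import re

ROW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(Hub|Spoke)\b")
ERR_RE = re.compile(r"(\d+) errors$")
# Session types a node of each role may legitimately hold in a Hub-Spoke design.
ALLOWED_TYPES = {"Hub": {"Hub-Hub", "Hub-Spoke"}, "Spoke": {"Spoke-Hub"}}
EXPECTED_ROLES = {"10.0.1.1": "Hub", "10.0.1.2": "Hub", "10.0.1.3": "Spoke", "10.0.1.4": "Spoke"}


def parse_address_map(text):
    """Map private IP -> (public IP, role) from the address-map table."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[m.group(1)] = (m.group(2), m.group(3))
    return rows


def parse_sessions(text):
    """Return one dict per 'Private IP:' block of a dvpn session listing."""
    sessions, cur, direction = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Private IP:"):
            cur = {"private_ip": line.split(":", 1)[1].strip()}
            sessions.append(cur)
        elif cur is None:
            continue  # banner line before the first session
        elif line.startswith(("Session type:", "State:")):
            key, val = line.split(":", 1)
            cur[key.lower().replace("session ", "")] = val.strip()
        elif line.startswith("Input:"):
            direction = "in_errors"  # the next "... N errors" line belongs to Input
        elif line.startswith("Output:"):
            direction = "out_errors"
        elif direction and ERR_RE.search(line):
            cur[direction] = int(ERR_RE.search(line).group(1))
    return sessions


def check(address_map_text, expected_roles, sessions_by_device):
    """sessions_by_device maps a device name to (its role, its session listing)."""
    findings = []
    registered = parse_address_map(address_map_text)
    for ip, role in sorted(expected_roles.items()):
        if ip not in registered:
            findings.append(f"{ip} ({role}) has not registered with the VAM server")
        elif registered[ip][1] != role:
            findings.append(f"{ip} registered as {registered[ip][1]}, expected {role}")
    for dev, (role, text) in sorted(sessions_by_device.items()):
        for s in parse_sessions(text):
            if s.get("state") != "SUCCESS":
                findings.append(f"{dev}: session to {s['private_ip']} is in state {s.get('state')}")
            if s.get("type") not in ALLOWED_TYPES[role]:
                findings.append(f"{dev}: {s.get('type')} session to {s['private_ip']} should not exist in a Hub-Spoke design")
            errors = s.get("in_errors", 0) + s.get("out_errors", 0)
            if errors:
                findings.append(f"{dev}: {s.get('type')} session to {s['private_ip']} shows {errors} errors")
    return findings


ADDRESS_MAP = """\
VPN name: 1
Total address-map number: 4
Private-ip Public-ip Type Holding time
10.0.1.1 192.168.1.1 Hub 0H 7M 35S
10.0.1.2 192.168.1.2 Hub 0H 13M 8S
10.0.1.3 192.168.1.3 Spoke 0H 3M 58S
10.0.1.4 192.168.1.4 Spoke 0H 0M 29S
"""

HUB1_SESSIONS = """\
Interface: Tunnel1 VPN name: 1 Total number: 3
Private IP: 10.0.1.2
Public IP: 192.168.1.2
Session type: Hub-Hub
State: SUCCESS
Holding time: 0h 1m 44s
Input: 101 packets, 100 data packets, 1 control packets
87 multicasts, 0 errors
Output: 106 packets, 99 data packets, 7 control packets
87 multicasts, 10 errors
Private IP: 10.0.1.3
Public IP: 192.168.1.3
Session type: Hub-Spoke
State: SUCCESS
Holding time: 0h 4m 32s
Input: 36 packets, 18 data packets, 18 control packets
10 multicasts, 0 errors
Output: 35 packets, 17 data packets, 18 control packets
11 multicasts, 0 errors
"""

if __name__ == "__main__":
    for finding in check(ADDRESS_MAP, EXPECTED_ROLES, {"Hub1": ("Hub", HUB1_SESSIONS)}):
        print(finding)
```

On the transcripts above the only finding is the Hub-Hub session on Hub1 with 10 output errors, which is the kind of line that is easy to skip over when reading the listing by hand; feeding the same function a Spoke's listing under the role "Spoke" makes any Spoke-Spoke or Hub-Hub entry a finding, which is how the absence of dynamic Spoke-Spoke tunnels in this design can be asserted rather than eyeballed.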