1 DVPN configuration

Note: For differences among H3C MSR series routers in the command parameters supported for this feature, their default values and their value ranges, see the command manual for this module.

1.1 DVPN overview

More and more enterprises want to build a VPN (Virtual Private Network) over a public network to connect geographically dispersed sites. Conventional tunnels require the public address of the peer to be known in advance, which is a problem when sites obtain their public addresses dynamically.

DVPN (Dynamic Virtual Private Network) addresses this with the VAM (VPN Address Management) protocol, which collects, maintains and distributes dynamically changing public addresses and related information, so that a VPN can be built between branches whose public addresses are not known beforehand. DVPN treats the nodes connected to the public network as one VPN network, with the public network acting as the link layer of that VPN, and obtains the public address of a communication peer through VAM. VAM is the main protocol of the DVPN solution: it collects, maintains and distributes public-address information and lets users build VPNs quickly and conveniently. A DVPN node queries VAM for the public address that corresponds to a private-network next hop and uses that public address as the tunnel destination when it encapsulates packets.

1.1.1 Basic DVPN concepts

The DVPN solution has the following roles:

- DVPN node: a device at either end of a dynamic tunnel; it can be a network device or a host. A DVPN node takes part in tunnel establishment and must implement the VAM client function.
- VAM Server: the server that accepts registrations from DVPN nodes and manages and maintains the information of every DVPN node.
- VAM client: registers its private address, public address, VAM identifier and other information with the VAM Server and queries the VAM Server for information about other VAM clients. Every DVPN node must implement the VAM client function. Unless stated otherwise, "VAM client" in this document refers collectively to Hubs and Spokes.
- Hub: a kind of VAM client; the central device of a VPN network and the center of routing-information exchange. In a Hub-Spoke network it also forwards data between Spokes.
- Spoke: a kind of VAM client, usually the gateway of an enterprise branch. A Spoke does not forward data it receives on behalf of other nodes.
- AAA (Authentication, Authorization and Accounting) server: authenticates, authorizes and accounts for users.

DVPN uses a Client/Server model. It works at the application layer of the TCP/IP stack and uses UDP as its transport protocol. By function, the devices of one VPN domain are divided into one Server and several Clients. The Server's public address is static; a Client's public address can be statically configured or dynamically obtained, while a Client's private address must be statically assigned according to the network plan. Within one VPN domain, the private addresses of all nodes must be in the same network segment. Each Client registers the mapping between its own public and private addresses with the Server. Once a Client has registered successfully, other Clients can query the Server for that Client's public address in order to establish a DVPN tunnel to it. The Server maintains the addition and deletion of Client information, and any node that leaves automatically notifies the Server.

1.1.2 DVPN network structures

DVPN has two typical network structures:

- Full-Mesh network: Spokes can establish tunnels to each other and communicate directly; the Hub mainly acts as the center of routing-information exchange. As shown in Figure 1-1, a Spoke learns the Hub information of its VPN domain when it registers with the VAM Server and establishes permanent tunnels to the Hubs. Spoke-Spoke tunnels are established on demand and are deleted when no data packets have crossed the tunnel within the tunnel idle timeout.

Figure 1-1 Full-Mesh DVPN network (VAM Server, Hub, Spokes and their sites connected over the public network)

- Hub-Spoke network: Spokes cannot establish tunnels to each other and communicate only through the Hub, which forwards the data; the Hub is both the routing-information exchange center and the data-forwarding center.

Figure 1-2 Hub-Spoke DVPN network (VAM Server, Hub, Spokes and their sites connected over the public network)
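The on-demand Spoke-Spoke tunnel behaviour just described (build a tunnel on the first packet for a peer, drop it after the idle timeout), the dumb time that follows a failed tunnel setup, and the NAT rule stated in the feature list below (only the tunnel initiator may sit behind a NAT gateway; while a peer is unreachable, traffic goes through the Hub) can be put together in a small model. The following is an added example, not H3C code or a description of the Comware implementation: the class names, the simplified timers, the sample addresses and the behind_nat attribute are assumptions made for the model; the two timer values are the defaults of the dvpn session idle-time and dvpn session dumb-time commands given in the tunnel-configuration section of this document.

```python
"""Spoke-side session table for a Full-Mesh DVPN (added example, not H3C code).

Models three behaviours described on this page: a Spoke-Spoke tunnel is set
up on the first packet for a peer whose public address the VAM Server can
supply, it is removed once no traffic has crossed it for the idle time, and
a failed setup is not retried until the dumb time has passed.  The NAT rule
is the one from the feature list: a request reaches a peer only if that peer
is not behind a NAT gateway; until then traffic goes through the Hub.
Class names, timer handling, addresses and the behind_nat flag are assumptions.
"""
from dataclasses import dataclass

IDLE_TIME = 300   # dvpn session idle-time default (seconds) from this document
DUMB_TIME = 120   # dvpn session dumb-time default (seconds) from this document


@dataclass(frozen=True)
class Node:
    private_ip: str
    public_ip: str
    behind_nat: bool = False   # constructed attribute; VAM itself has no such field


class VamServer:
    """Private-address -> Spoke map built from the clients' registrations."""

    def __init__(self):
        self.address_map = {}

    def register(self, spoke):
        self.address_map[spoke.me.private_ip] = spoke

    def lookup(self, private_ip):
        return self.address_map.get(private_ip)


class Spoke:
    def __init__(self, me, server):
        self.me = me
        self.server = server
        self.sessions = {}     # peer private ip -> time of last packet
        self.dumb_until = {}   # peer private ip -> time when a retry is allowed
        server.register(self)

    def accept_tunnel(self, peer, now):
        """A peer initiated a tunnel towards us; record the session."""
        self.sessions[peer.private_ip] = now

    def _establish(self, peer_spoke, now):
        # The request never reaches a responder behind NAT: enter dumb time.
        if peer_spoke.me.behind_nat:
            self.dumb_until[peer_spoke.me.private_ip] = now + DUMB_TIME
            return False
        self.sessions[peer_spoke.me.private_ip] = now
        peer_spoke.accept_tunnel(self.me, now)
        return True

    def expire(self, now):
        """Delete sessions that have been idle for IDLE_TIME or longer."""
        for ip, last in list(self.sessions.items()):
            if now - last >= IDLE_TIME:
                del self.sessions[ip]

    def forward(self, dst_private, now):
        """Return 'direct' or 'via-hub' for a packet to dst_private at time now."""
        self.expire(now)
        if dst_private in self.sessions:
            self.sessions[dst_private] = now    # traffic refreshes the idle timer
            return "direct"
        if self.dumb_until.get(dst_private, 0) > now:
            return "via-hub"                    # still in dumb time: no retry
        peer_spoke = self.server.lookup(dst_private)
        if peer_spoke is None or not self._establish(peer_spoke, now):
            return "via-hub"
        return "direct"


def scenario():
    """Constructed walk-through with three Spokes; returns the observations."""
    server = VamServer()
    a = Spoke(Node("10.0.0.1", "198.51.100.1"), server)
    Spoke(Node("10.0.0.2", "198.51.100.2"), server)               # Spoke B
    c = Spoke(Node("10.0.0.3", "203.0.113.9", behind_nat=True), server)
    r = {}
    r["a_to_b"] = a.forward("10.0.0.2", 0)          # both reachable: direct tunnel
    r["a_to_c_first"] = a.forward("10.0.0.3", 0)    # C is behind NAT: via Hub
    r["a_to_c_dumb"] = a.forward("10.0.0.3", 60)    # inside dumb time: no retry
    r["c_to_a"] = c.forward("10.0.0.1", 140)        # initiator behind NAT is fine
    r["a_to_c_after"] = a.forward("10.0.0.3", 150)  # tunnel C built is reused
    a.expire(400)
    r["b_idle_dropped"] = "10.0.0.2" in a.sessions  # last used at 0: removed
    r["c_still_up"] = "10.0.0.3" in a.sessions      # last used at 150: kept
    return r
```

Calling scenario() shows the sequence a practitioner sees in display dvpn session output: the A-B session appears on the first packet, A-C stays Hub-forwarded until C (the NAT-side node) initiates, and the A-B session disappears after 300 idle seconds while the fresher A-C session survives.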
1.1.3 How DVPN works

DVPN operates in three phases: connection initialization, registration and tunnel establishment.

(1) Connection initialization

When a VAM client connects to the VAM Server for the first time, the two sides initialize the connection and negotiate whether and how the VAM protocol packets are to be protected.

Figure 1-3 Connection initialization: (1) connection request, (2) connection response, (3) initialization complete (client), (4) initialization complete (server)

1. The client sends a connection request carrying the integrity-verification algorithms, encryption algorithms and other capabilities it supports.
2. The server goes through its own algorithm list from highest to lowest priority and matches each entry against the list sent by the client; the first match is selected. The server returns the result in a connection response. At the same time, the server and the client each generate the encryption key and the integrity-verification key.
3. The client and the server each send an initialization-complete message, with which both sides verify that the algorithm and key negotiation succeeded.

(2) Registration

Figure 1-4 Registration: registration request, authentication request, authentication response, registration success

1. The client sends a registration request containing the DVPN node information.
2. On receiving it, the server decides from its configuration whether to authenticate the client. If authentication is not configured, the server records the information and returns a registration-success response; the authentication steps are skipped. If authentication is configured, the server returns an authentication request that names the required method (for CHAP it also carries a challenge).
3. The client submits its authentication information to the server.
4. The server sends the authentication information to the AAA server. After the AAA server reports success, the server sends an accounting request; when the accounting response is successful the server returns a registration-success response, which carries the Hub information for this client.

(3) Tunnel establishment

Figure 1-5 Tunnel establishment: (1) tunnel establishment request, (2) tunnel establishment success response

If a VPN domain has two Hubs, a permanent tunnel must also be established between the Hubs. The tunnels are built as follows:

- Spoke-Hub tunnel: after a Spoke registers successfully, it establishes permanent tunnels to the Hubs of its VPN domain. As soon as the Spoke receives the Hub information from the server it checks whether a tunnel to each Hub address already exists; if not, it sends a tunnel-establishment request to that Hub; if so, no new tunnel is built.
- Hub-Hub tunnel: after a Hub registers successfully, the server includes in the registration response the addresses of the Hubs already registered in the domain. The Hub checks whether tunnels to those addresses exist and establishes the missing ones.
- Spoke-Spoke tunnel: in a Full-Mesh network, when a Spoke receives a data packet and finds no session for its private next hop, it queries the server for the peer's public address and initiates tunnel establishment towards that Spoke.

1.1.4 DVPN features supported by the device

- NAT traversal: DVPN packets traverse NAT gateways naturally. When the tunnel initiator is behind a NAT gateway, a Spoke-Spoke tunnel through the NAT can be established. When the tunnel receiver is behind a NAT gateway, packets have to be forwarded by the Hub until the receiver itself initiates a tunnel-establishment request. When both ends are behind NAT gateways, neither can establish a tunnel to the other and all packets are forwarded by the Hub.
- Dynamic public addresses: the Tunnel interfaces at the two ends need no configured tunnel destination. A VAM client registers its public and private addresses with the VAM Server; when a tunnel is needed, the peer's public address is obtained from the server and the tunnel is established dynamically. When a client's IP address changes, it re-registers with the server.
- AAA authentication of VAM clients: after connection initialization the client registers with the VAM Server, which can require the client to authenticate during registration; PAP and CHAP are supported. The VAM Server authenticates clients joining a VPN domain through AAA, and only authenticated clients are admitted to the network.
- Mutual authentication of client and server with a pre-shared key: the VAM client and the VAM Server must be configured with the same pre-shared key, from which the encryption and integrity-verification keys are generated. Each side determines from the integrity check of the peer's packets whether the peer holds the same pre-shared key, which authenticates the server to the client and the client to the server.
- Optional encryption of VAM protocol packets: AES-128, DES and 3DES are supported.

1.2 DVPN configuration task overview

Configuring DVPN involves VAM, AAA, Tunnel interfaces, IPsec profiles and routing. The VAM Server is normally configured first, then the clients.

Table 1-1 DVPN configuration tasks
  Server side: configure AAA (as required); configure the VAM Server
  Client side: configure the VAM client; configure the IPsec profile; configure the DVPN tunnel; configure routing
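The connection-initialization and registration phases above can be modelled end to end: algorithm negotiation from the server's priority list, key derivation from the pre-shared key with the initialization-complete check that exposes a key mismatch, and registration with PAP or CHAP against AAA. The following is an added example, not H3C code: the page gives only the rules, so the message bodies, the key-derivation function (one HMAC-SHA256 per key), the dictionary that plays the AAA server and the user name/password (taken from the configuration example later on this page) are assumptions of the model. CHAP is computed as RFC 1994 defines it, MD5 over identifier, secret and challenge.

```python
"""Model of the VAM connection-initialization and registration phases
(added example, not H3C code).

Rules taken from the page: the server walks its own algorithm list in
priority order and takes the first entry the client also offered; both ends
derive encryption and integrity keys from the pre-shared key and use the
"initialization complete" messages to detect a mismatched key; registration
is unauthenticated or uses PAP or CHAP against AAA.  Message bodies, the
key-derivation function, the AAA table and the credentials are assumptions.
"""
import hashlib
import hmac

SERVER_ENCRYPTION = ["aes-128", "3des", "des"]   # server priority, high to low
SERVER_INTEGRITY = ["sha-1"]                     # page default
HASHES = {"sha-1": hashlib.sha1, "md5": hashlib.md5}
AAA_USERS = {"dvpn1spoke1": "dvpn1spoke1"}       # constructed AAA user table


def negotiate(server_prefs, client_offer):
    """First entry of the server's list that the client also offers, or None."""
    for alg in server_prefs:
        if alg in client_offer:
            return alg
    return None


def derive_keys(psk, enc_alg, int_alg):
    """Assumed KDF: one HMAC-SHA256 per key, labelled by purpose and algorithm."""
    enc_key = hmac.new(psk, b"vam-enc:" + enc_alg.encode(), hashlib.sha256).digest()
    int_key = hmac.new(psk, b"vam-int:" + int_alg.encode(), hashlib.sha256).digest()
    return enc_key, int_key


def protect(int_alg, int_key, body):
    """Append the integrity tag produced by the negotiated algorithm."""
    return body + hmac.new(int_key, body, HASHES[int_alg]).digest()


def verify(int_alg, int_key, message):
    """Split off the tag and check it; returns (tag_ok, body)."""
    size = HASHES[int_alg]().digest_size
    body, tag = message[:-size], message[-size:]
    good = hmac.compare_digest(tag, hmac.new(int_key, body, HASHES[int_alg]).digest())
    return good, body


def initialize(server_psk, client_psk, client_enc, client_int):
    """Connection request/response plus the initialization-complete check."""
    enc_alg = negotiate(SERVER_ENCRYPTION, client_enc)
    int_alg = negotiate(SERVER_INTEGRITY, client_int)
    if enc_alg is None or int_alg is None:
        return {"ok": False, "reason": "no common algorithm"}
    _, server_key = derive_keys(server_psk, enc_alg, int_alg)
    _, client_key = derive_keys(client_psk, enc_alg, int_alg)
    # The server's initialization-complete message is checked by the client;
    # a different pre-shared key yields a different key, so the tag fails.
    ok, _ = verify(int_alg, client_key, protect(int_alg, server_key, b"init-complete"))
    return {"ok": ok, "enc": enc_alg, "int": int_alg,
            "reason": None if ok else "pre-shared key mismatch"}


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def register(method, username, password, challenge=b"", ident=1):
    """Registration with the configured authentication method.

    Returns (accepted, bytes the client put on the wire).  With PAP the
    password itself travels; with CHAP only a digest bound to the server's
    challenge travels, so a captured response is useless against a fresh
    challenge.
    """
    stored = AAA_USERS.get(username)
    if method == "none":
        return True, b""
    if method == "pap":
        return stored == password, password.encode()
    if method == "chap":
        wire = chap_response(ident, password, challenge)
        if stored is None:
            return False, wire
        return hmac.compare_digest(wire, chap_response(ident, stored, challenge)), wire
    raise ValueError("unknown authentication method: %s" % method)
```

Two points the model makes visible: a client that offers only algorithms the server does not list (or a server configured with the "none" keyword while the client insists on protection) never gets past step 2, and with the default CHAP method the AAA password never appears in a VAM packet, whereas PAP puts it on the wire in the clear, which is the reason to keep CHAP unless the AAA back end cannot verify CHAP.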
1.3 Configuring the VAM Server

1.3.1 Configuring AAA

The server side can use AAA to authenticate the clients that join a VPN domain as required; only clients that pass authentication are admitted to the domain.

1.3.2 Configuring the VAM Server

These tasks set the server-side DVPN parameters and policies: whether the VAM protocol packets are protected, how the server authenticates clients, and so on.

Table 1-2 VAM Server configuration tasks: create the VPN domain; enable the VAM Server; configure the server IP address and UDP port; configure the algorithm suites; configure the authentication method; configure the Hub IP addresses; configure the pre-shared key; configure keepalive parameters.

Table 1-3 Creating a VPN domain
  system-view
  vam server vpn vpn-name                       creates the VPN domain and enters VAM Server VPN domain view

Table 1-4 Enabling the VAM Server
  system-view
  vam server enable { all | vpn vpn-name }      enables the VAM Server function for all VPN domains or for one domain

Table 1-5 Configuring the server IP address and UDP port
  system-view
  vam server ip-address ip-address [ port port-number ]     IP address and UDP port on which the server accepts VAM clients

Table 1-6 Configuring the algorithm suites
  system-view
  vam server vpn vpn-name
  authentication-algorithm { none | { ... | sha-1 } * }     default: SHA-1 (the other algorithm keyword is not legible on the page)
  encryption-algorithm { { 3des | aes-128 | des } * | none } default: AES-128, 3DES and DES, with priority from high to low AES-128, 3DES, DES

The configured algorithms and their priorities are negotiated against the list the client sends; the negotiated algorithms are then used for integrity verification and encryption of the VAM protocol packets exchanged by the two ends. Two notes:
- The connection request sent by the client and the connection response sent by the server during connection initialization are always verified with SHA-1 and encrypted with AES-128. Only the packets that follow are verified (or not, with none) according to the configured authentication algorithms.
- Likewise, only the packets that follow initialization are encrypted (or not, with none) according to the configured encryption algorithms.
DES is a legacy cipher and is listed lowest for that reason; it should not be selected for new deployments.

Table 1-7 Configuring the authentication method
  system-view
  vam server vpn vpn-name
  authentication-method { none | { chap | pap } [ domain name-string ] }     default: CHAP
Only PAP and CHAP are supported when AAA authenticates the clients.

Table 1-8 Configuring the Hub IP addresses
  system-view
  vam server vpn vpn-name
  hub private-ip private-ip-address [ public-ip public-ip-address ]     specifies the IP address of a Hub in the VPN domain

You may configure only the private address of a Hub. When that Hub joins the domain and registers with the server, the server pushes the Hub's public/private address mapping to the other clients after the registration succeeds. If the public address is also specified, a registering client is treated as a Hub only when both its public and private addresses match the configured values; otherwise it is treated as a Spoke. A VPN domain currently supports a limited number of Hubs (the figure is not legible on the page) and at most 200 Spokes.

Table 1-9 Configuring the pre-shared key
  system-view
  vam server vpn vpn-name
  pre-shared-key { cipher | simple } key-string
The pre-shared key is the common key material the server uses to set up a secure channel with the clients; it is used during connection initialization.

Table 1-10 Configuring keepalive parameters
  system-view
  vam server vpn vpn-name
  keepalive interval time-interval     default: 10 seconds
  keepalive retry retry-times          default: 3 (a keepalive is sent at most three times)
After a client registers successfully it sends keepalive packets at the configured interval. If the server receives no keepalive from the client within the interval multiplied by the retry count, it deletes the client's node information and takes the client offline.

1.4 Configuring the VAM client

The VAM client configuration specifies the VPN domain the client belongs to, the primary and secondary servers (address and port) to register with, the local user information, and so on; it is the preparation needed for the client to send the connection request and finally register successfully with the server.

Table 1-11 VAM client configuration tasks: create the VAM client; configure the resend interval; configure the primary VAM Server; configure the secondary VAM Server; configure the user name and password; configure the VPN domain; configure the pre-shared key; enable the VAM client.

Table 1-12 Creating a VAM client
  system-view
  vam client name client-name          creates the VAM client and enters VAM client view

Table 1-13 Configuring the resend interval
  system-view
  vam client name client-name
  resend interval time-interval        default: 5 seconds
When the client sends a protocol packet to the server and receives no response within the interval, it resends the packet. This applies to the connection request, the initialization-complete packet and the other VAM protocol packets.

Table 1-14 Configuring the public IP address and UDP port of the primary VAM Server
  system-view
  vam client name client-name
  server primary ip-address ip-address [ port port-number ]

Table 1-15 Configuring the public IP address and UDP port of the secondary VAM Server
  system-view
  vam client name client-name
  server secondary ip-address ip-address [ port port-number ]     default: no secondary server

Table 1-16 Configuring the user name and password
  system-view
  vam client name client-name
  user username password { cipher | simple } password

Table 1-17 Configuring the VPN domain the client belongs to
  system-view
  vam client name client-name
  vpn vpn-name

Table 1-18 Configuring the pre-shared key of the VAM client
  system-view
  vam client name client-name
  pre-shared-key { cipher | simple } key-string

Table 1-19 Enabling the VAM client
  system-view
  vam client enable { all | name client-name }     enables all VAM clients or the named one (system view)
  or: vam client name client-name, then client enable     enables the client from VAM client view

1.5 Configuring the IPsec profile

Table 1-20 Configuring the IPsec profile
  system-view
  ipsec profile profile-name                     creates the IPsec profile and enters its view
  proposal proposal-name&<1-6>                   IPsec proposals used by the profile
  ike-peer peer-name                             IKE peer used by the profile; default: none
  pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }     PFS (Perfect Forward Secrecy) for the negotiation; default: no PFS
  sa duration { time-based seconds | traffic-based kilobytes }     SA lifetime

An IPsec profile negotiates its SAs through IKE and can reference at most 6 proposals. When PFS is configured, a PFS exchange takes place during IKE negotiation; the DH groups specified at the two ends must match, otherwise the negotiation fails. The IPsec profile protects the DVPN data flows. Because DVPN addresses are dynamic, the remote-address of the IKE peer referenced by the profile has no effect at the initiating end. For the proposal, ike-peer, pfs and sa duration commands see "IPsec commands" in the "Security Volume".

1.6 Configuring the DVPN tunnel

The tunnel configuration sets the tunnel attributes, the tunnel idle timeout, the silent (dumb) time after a failed tunnel setup and so on, as preparation for establishing DVPN tunnels.

Table 1-21 Configuring the DVPN tunnel
  system-view
  interface tunnel number                        creates the Tunnel interface; default: no Tunnel interface exists
  ip address ip-address { mask | mask-length } [ sub ]     private IPv4 address of the Tunnel interface
  tunnel-protocol dvpn udp                       DVPN encapsulation
  vam client client-name                         binds the tunnel to a VAM client; a DVPN tunnel interface must be bound to one VAM client; default: not bound
  source { ip-address | interface-type interface-number }     source address or interface of the tunnel
  keepalive [ seconds [ times ] ]                default: 10 seconds, at most 3 transmissions
  dvpn session idle-time time                    tunnel idle timeout; default: 300 seconds
  dvpn session dumb-time time                    silent time after a failed establishment; default: 120 seconds
  ospf network-type { broadcast | p2mp }         DVPN tunnels support only these two OSPF network types; default: none configured
  ospf dr-priority priority                      optional on a Hub, required on a Spoke; default priority 1
  ipsec profile profile-name                     applies the IPsec profile; default: none, DVPN data is not protected
  ip binding vpn-instance vpn-instance-name      binds the Tunnel interface to a VPN instance

The DR priority of the Hub must be higher than that of the Spokes; it is recommended to set the Spoke DR priority to 0 so that Spokes do not take part in DR/BDR election. When a device is a member of several VPN domains, configure multiple VPN instances and bind each Tunnel interface to its instance so that the private routes of the domains stay separate. For ospf network-type and ospf dr-priority see "OSPF commands" in the "IP Routing Volume"; for VPN instances see "MPLS L3VPN" in the "MPLS Volume".

1.6.1 Configuring routing

A DVPN is itself a private network, so routing must be configured on the devices. Once the DVPN tunnels are established, the routing protocol exchanges routes through them.

1.7 Displaying and maintaining DVPN

Table 1-22 Displaying and maintaining DVPN
  display vam server address-map { all | vpn vpn-name [ private-ip private-ip ] }     address mappings registered at the server
  display vam server statistic { all | vpn vpn-name }                                 server statistics
  display vam client { address-map | fsm } name client-name                            client address map or state machine
  display dvpn session { all | interface interface-type interface-number [ private-ip ip-address ] }     tunnel session information
  display ipsec profile [ name profile-name ]                                          IPsec profile information
  reset dvpn session { all | interface interface-type interface-number [ private-ip ip-address ] }       clears tunnel sessions

1.8 DVPN configuration examples

1.8.1 Full-Mesh network

Network requirements: in the Full-Mesh network the primary and backup VAM Servers manage and maintain the information of all nodes; the AAA server authenticates the VAM clients and handles their accounting; two Hubs back each other up, forward data and exchange routing information; every Spoke has permanent tunnels to the Hubs; Spokes in the same VPN domain can establish tunnels to each other directly.

Figure 1-6 Full-Mesh DVPN network (Main and Backup VAM Server, AAA server, Hub1, Hub2, Spokes)
The IP addresses, masks and OSPF area identifiers of this example did not survive in this copy of the document; they are shown as <placeholders>.

(1) Configure the primary VAM Server (MainServer)

# Configure the RADIUS scheme and the ISP domain used for AAA.
[MainServer] radius scheme radsun
[MainServer-radius-radsun] primary accounting <aaa-address> 1813
[MainServer-radius-radsun] key authentication expert
[MainServer-radius-radsun] key accounting expert
[MainServer-radius-radsun] server-type standard
[MainServer-radius-radsun] user-name-format with-domain
[MainServer-radius-radsun] quit
[MainServer] domain 1
[MainServer-isp-1] authentication default radius-scheme radsun
[MainServer-isp-1] accounting default radius-scheme radsun
[MainServer-isp-1] quit
[MainServer] domain default enable 1
# Specify the IP address on which the VAM Server listens.
[MainServer] vam server ip-address <server-address>
# Create VPN domain 1 and specify its Hub addresses.
[MainServer] vam server vpn 1
[MainServer-vam-server-vpn-1] pre-shared-key simple 123
[MainServer-vam-server-vpn-1] hub private-ip <hub1-private-address>
[MainServer-vam-server-vpn-1] hub private-ip <hub2-private-address>
[MainServer-vam-server-vpn-1] quit
# Create VPN domain 2 and specify its Hub addresses.
[MainServer] vam server vpn 2
[MainServer-vam-server-vpn-2] pre-shared-key simple 456
[MainServer-vam-server-vpn-2] hub private-ip <hub1-private-address>
[MainServer-vam-server-vpn-2] hub private-ip <hub2-private-address>
[MainServer-vam-server-vpn-2] quit
# Enable the VAM Server function for all domains.
[MainServer] vam server enable all

(2) Configure the backup VAM Server

Except for the IP address, the DVPN configuration of the backup VAM Server is the same as that of the primary server; see step (1).

(3) Configure Hub1

# Create the VAM client for VPN domain 1.
[Hub1] vam client name dvpn1hub1
[Hub1-vam-client-dvpn1hub1] server primary ip-address <main-server-address>
[Hub1-vam-client-dvpn1hub1] server secondary ip-address <backup-server-address>
[Hub1-vam-client-dvpn1hub1] pre-shared-key simple 123
[Hub1-vam-client-dvpn1hub1] vpn 1
[Hub1-vam-client-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1
[Hub1-vam-client-dvpn1hub1] quit
# Create the VAM client for VPN domain 2.
[Hub1] vam client name dvpn2hub1
[Hub1-vam-client-dvpn2hub1] server primary ip-address <main-server-address>
[Hub1-vam-client-dvpn2hub1] server secondary ip-address <backup-server-address>
[Hub1-vam-client-dvpn2hub1] pre-shared-key simple 456
[Hub1-vam-client-dvpn2hub1] vpn 2
[Hub1-vam-client-dvpn2hub1] user dvpn2hub1 password simple dvpn2hub1
[Hub1-vam-client-dvpn2hub1] quit
# Configure the IPsec proposal, IKE peer and IPsec profile.
[Hub1] ipsec proposal vam
[Hub1-ipsec-proposal-vam] encapsulation-mode tunnel
[Hub1-ipsec-proposal-vam] transform esp
[Hub1-ipsec-proposal-vam] esp encryption-algorithm des
[Hub1-ipsec-proposal-vam] esp authentication-algorithm sha1
[Hub1-ipsec-proposal-vam] quit
[Hub1] ike peer vam
[Hub1-ike-peer-vam] pre-shared-key abcde
[Hub1-ike-peer-vam] quit
[Hub1] ipsec profile vamp
[Hub1-ipsec-profile-vamp] proposal vam
[Hub1-ipsec-profile-vamp] sa duration time-based 600
[Hub1-ipsec-profile-vamp] pfs dh-group2
[Hub1-ipsec-profile-vamp] quit
# Configure the DVPN tunnels, one per VPN domain.
[Hub1] interface tunnel 1
[Hub1-Tunnel1] tunnel-protocol dvpn udp
[Hub1-Tunnel1] vam client dvpn1hub1
[Hub1-Tunnel1] ip address <tunnel1-address> <mask>
[Hub1-Tunnel1] source ethernet 1/1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] ipsec profile vamp
[Hub1-Tunnel1] quit
[Hub1] interface tunnel 2
[Hub1-Tunnel2] tunnel-protocol dvpn udp
[Hub1-Tunnel2] vam client dvpn2hub1
[Hub1-Tunnel2] ip address <tunnel2-address> <mask>
[Hub1-Tunnel2] source ethernet 1/1
[Hub1-Tunnel2] ospf network-type broadcast
[Hub1-Tunnel2] ipsec profile vamp
[Hub1-Tunnel2] quit
# Configure OSPF.
[Hub1] ospf 100
[Hub1-ospf-100] area <area-id>
[Hub1-ospf-100-area-<area-id>] network <address> <wildcard>
[Hub1-ospf-100-area-<area-id>] quit
[Hub1] ospf 200
[Hub1-ospf-200] area <area-id>
[Hub1-ospf-200-area-<area-id>] network <address> <wildcard>
[Hub1-ospf-200-area-<area-id>] quit
[Hub1] ospf 300
[Hub1-ospf-300] area <area-id>
[Hub1-ospf-300-area-<area-id>] network <address> <wildcard>
[Hub1-ospf-300-area-<area-id>] quit

(4) Configure Hub2

# Create the VAM clients for VPN domains 1 and 2.
[Hub2] vam client name dvpn1hub2
[Hub2-vam-client-dvpn1hub2] server primary ip-address <main-server-address>
[Hub2-vam-client-dvpn1hub2] server secondary ip-address <backup-server-address>
[Hub2-vam-client-dvpn1hub2] pre-shared-key simple 123
[Hub2-vam-client-dvpn1hub2] vpn 1
[Hub2-vam-client-dvpn1hub2] user dvpn1hub2 password simple dvpn1hub2
[Hub2-vam-client-dvpn1hub2] quit
[Hub2] vam client name dvpn2hub2
[Hub2-vam-client-dvpn2hub2] server primary ip-address <main-server-address>
[Hub2-vam-client-dvpn2hub2] server secondary ip-address <backup-server-address>
[Hub2-vam-client-dvpn2hub2] pre-shared-key simple 456
[Hub2-vam-client-dvpn2hub2] vpn 2
[Hub2-vam-client-dvpn2hub2] user dvpn2hub2 password simple dvpn2hub2
[Hub2-vam-client-dvpn2hub2] quit
# Configure the IPsec proposal, IKE peer and IPsec profile.
[Hub2] ipsec proposal vam
[Hub2-ipsec-proposal-vam] encapsulation-mode tunnel
[Hub2-ipsec-proposal-vam] transform esp
[Hub2-ipsec-proposal-vam] esp encryption-algorithm des
[Hub2-ipsec-proposal-vam] esp authentication-algorithm sha1
[Hub2-ipsec-proposal-vam] quit
[Hub2] ike peer vam
[Hub2-ike-peer-vam] pre-shared-key abcde
[Hub2-ike-peer-vam] quit
[Hub2] ipsec profile vamp
[Hub2-ipsec-profile-vamp] proposal vam
[Hub2-ipsec-profile-vamp] sa duration time-based 600
[Hub2-ipsec-profile-vamp] pfs dh-group2
[Hub2-ipsec-profile-vamp] quit
# Configure the DVPN tunnels.
[Hub2] interface tunnel 1
[Hub2-Tunnel1] tunnel-protocol dvpn udp
[Hub2-Tunnel1] vam client dvpn1hub2
[Hub2-Tunnel1] ip address <tunnel1-address> <mask>
[Hub2-Tunnel1] source ethernet 1/1
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] ipsec profile vamp
[Hub2-Tunnel1] quit
[Hub2] interface tunnel 2
[Hub2-Tunnel2] tunnel-protocol dvpn udp
[Hub2-Tunnel2] vam client dvpn2hub2
[Hub2-Tunnel2] ip address <tunnel2-address> <mask>
[Hub2-Tunnel2] source ethernet 1/1
[Hub2-Tunnel2] ospf network-type broadcast
[Hub2-Tunnel2] ipsec profile vamp
[Hub2-Tunnel2] quit
# Configure OSPF (processes 100, 200 and 300, as on Hub1).
[Hub2] ospf 100
[Hub2-ospf-100] area <area-id>
[Hub2-ospf-100-area-<area-id>] network <address> <wildcard>
[Hub2-ospf-100-area-<area-id>] quit
[Hub2] ospf 200
[Hub2-ospf-200] area <area-id>
[Hub2-ospf-200-area-<area-id>] network <address> <wildcard>
[Hub2-ospf-200-area-<area-id>] quit
[Hub2] ospf 300
[Hub2-ospf-300] area <area-id>
[Hub2-ospf-300-area-<area-id>] network <address> <wildcard>
[Hub2-ospf-300-area-<area-id>] quit

(5) Configure Spoke1 (member of VPN domain 1 only)

# Create the VAM client for VPN domain 1.
[Spoke1] vam client name dvpn1spoke1
[Spoke1-vam-client-dvpn1spoke1] server primary ip-address <main-server-address>
[Spoke1-vam-client-dvpn1spoke1] server secondary ip-address <backup-server-address>
[Spoke1-vam-client-dvpn1spoke1] pre-shared-key simple 123
[Spoke1-vam-client-dvpn1spoke1] vpn 1
[Spoke1-vam-client-dvpn1spoke1] user dvpn1spoke1 password simple dvpn1spoke1
[Spoke1-vam-client-dvpn1spoke1] quit
# Configure the IPsec proposal, IKE peer and IPsec profile.
[Spoke1] ipsec proposal vam
[Spoke1-ipsec-proposal-vam] encapsulation-mode tunnel
[Spoke1-ipsec-proposal-vam] transform esp
[Spoke1-ipsec-proposal-vam] esp encryption-algorithm des
[Spoke1-ipsec-proposal-vam] esp authentication-algorithm sha1
[Spoke1-ipsec-proposal-vam] quit
[Spoke1] ike peer vam
[Spoke1-ike-peer-vam] pre-shared-key abcde
[Spoke1-ike-peer-vam] quit
[Spoke1] ipsec profile vamp
[Spoke1-ipsec-profile-vamp] proposal vam
[Spoke1-ipsec-profile-vamp] sa duration time-based 600
[Spoke1-ipsec-profile-vamp] pfs dh-group2
[Spoke1-ipsec-profile-vamp] quit
# Configure the DVPN tunnel; the Spoke does not take part in DR election.
[Spoke1] interface tunnel 1
[Spoke1-Tunnel1] tunnel-protocol dvpn udp
[Spoke1-Tunnel1] vam client dvpn1spoke1
[Spoke1-Tunnel1] ip address <tunnel1-address> <mask>
[Spoke1-Tunnel1] source ethernet 1/1
[Spoke1-Tunnel1] ospf network-type broadcast
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] ipsec profile vamp
[Spoke1-Tunnel1] quit
# Configure OSPF.
[Spoke1] ospf 100
[Spoke1-ospf-100] area <area-id>
[Spoke1-ospf-100-area-<area-id>] network <address> <wildcard>
[Spoke1-ospf-100-area-<area-id>] quit
[Spoke1] ospf 200
[Spoke1-ospf-200] area <area-id>
[Spoke1-ospf-200-area-<area-id>] network <address> <wildcard>
[Spoke1-ospf-200-area-<area-id>] quit

(6) Configure Spoke2 (member of VPN domains 1 and 2)

# Create the VAM clients for VPN domains 1 and 2.
[Spoke2] vam client name dvpn1spoke2
[Spoke2-vam-client-dvpn1spoke2] server primary ip-address <main-server-address>
[Spoke2-vam-client-dvpn1spoke2] server secondary ip-address <backup-server-address>
[Spoke2-vam-client-dvpn1spoke2] pre-shared-key simple 123
[Spoke2-vam-client-dvpn1spoke2] vpn 1
[Spoke2-vam-client-dvpn1spoke2] user dvpn1spoke2 password simple dvpn1spoke2
[Spoke2-vam-client-dvpn1spoke2] quit
[Spoke2] vam client name dvpn2spoke2
[Spoke2-vam-client-dvpn2spoke2] server primary ip-address <main-server-address>
[Spoke2-vam-client-dvpn2spoke2] server secondary ip-address <backup-server-address>
[Spoke2-vam-client-dvpn2spoke2] pre-shared-key simple 456
[Spoke2-vam-client-dvpn2spoke2] vpn 2
[Spoke2-vam-client-dvpn2spoke2] user dvpn2spoke2 password simple dvpn2spoke2
[Spoke2-vam-client-dvpn2spoke2] quit
# Configure the IPsec proposal, IKE peer and IPsec profile.
[Spoke2] ipsec proposal vam
[Spoke2-ipsec-proposal-vam] encapsulation-mode tunnel
[Spoke2-ipsec-proposal-vam] transform esp
[Spoke2-ipsec-proposal-vam] esp encryption-algorithm des
[Spoke2-ipsec-proposal-vam] esp authentication-algorithm sha1
[Spoke2-ipsec-proposal-vam] quit
[Spoke2] ike peer vam
[Spoke2-ike-peer-vam] pre-shared-key abcde
[Spoke2-ike-peer-vam] quit
[Spoke2] ipsec profile vamp
[Spoke2-ipsec-profile-vamp] proposal vam
[Spoke2-ipsec-profile-vamp] sa duration time-based 600
[Spoke2-ipsec-profile-vamp] pfs dh-group2
[Spoke2-ipsec-profile-vamp] quit
# Configure the DVPN tunnels.
[Spoke2] interface tunnel 1
[Spoke2-Tunnel1] tunnel-protocol dvpn udp
[Spoke2-Tunnel1] vam client dvpn1spoke2
[Spoke2-Tunnel1] ip address <tunnel1-address> <mask>
[Spoke2-Tunnel1] source ethernet 1/1
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] ipsec profile vamp
[Spoke2-Tunnel1] quit
[Spoke2] interface tunnel 2
[Spoke2-Tunnel2] tunnel-protocol dvpn udp
[Spoke2-Tunnel2] vam client dvpn2spoke2
[Spoke2-Tunnel2] ip address <tunnel2-address> <mask>
[Spoke2-Tunnel2] source ethernet 1/1
[Spoke2-Tunnel2] ospf network-type broadcast
[Spoke2-Tunnel2] ipsec profile vamp
[Spoke2-Tunnel2] quit
# Configure OSPF.
[Spoke2] ospf 100
[Spoke2-ospf-100] area <area-id>
[Spoke2-ospf-100-area-<area-id>] network <address> <wildcard>
[Spoke2-ospf-100-area-<area-id>] quit
[Spoke2] ospf 200
[Spoke2-ospf-200] area <area-id>
[Spoke2-ospf-200-area-<area-id>] network <address> <wildcard>
[Spoke2-ospf-200-area-<area-id>] quit
[Spoke2] ospf 300
[Spoke2-ospf-300] area <area-id>
[Spoke2-ospf-300-area-<area-id>] network <address> <wildcard>
[Spoke2-ospf-300-area-<area-id>] quit

(7) Configure Spoke3 (member of VPN domain 2 only)

# Create the VAM client for VPN domain 2. The pre-shared key must be the one
# configured for domain 2 on the server (456); the original example shows 123
# here, which would make initialization fail.
[Spoke3] vam client name dvpn2spoke3
[Spoke3-vam-client-dvpn2spoke3] server primary ip-address <main-server-address>
[Spoke3-vam-client-dvpn2spoke3] server secondary ip-address <backup-server-address>
[Spoke3-vam-client-dvpn2spoke3] pre-shared-key simple 456
[Spoke3-vam-client-dvpn2spoke3] vpn 2
[Spoke3-vam-client-dvpn2spoke3] user dvpn2spoke3 password simple dvpn2spoke3
[Spoke3-vam-client-dvpn2spoke3] quit
# Configure the IPsec proposal, IKE peer and IPsec profile.
[Spoke3] ipsec proposal vam
[Spoke3-ipsec-proposal-vam] encapsulation-mode tunnel
[Spoke3-ipsec-proposal-vam] transform esp
[Spoke3-ipsec-proposal-vam] esp encryption-algorithm des
[Spoke3-ipsec-proposal-vam] esp authentication-algorithm sha1
[Spoke3-ipsec-proposal-vam] quit
[Spoke3] ike peer vam
[Spoke3-ike-peer-vam] pre-shared-key abcde
[Spoke3-ike-peer-vam] quit
[Spoke3] ipsec profile vamp
[Spoke3-ipsec-profile-vamp] proposal vam
[Spoke3-ipsec-profile-vamp] sa duration time-based 600
[Spoke3-ipsec-profile-vamp] pfs dh-group2
[Spoke3-ipsec-profile-vamp] quit
# Configure the DVPN tunnel.
[Spoke3] interface tunnel 2
[Spoke3-Tunnel2] tunnel-protocol dvpn udp
[Spoke3-Tunnel2] vam client dvpn2spoke3
[Spoke3-Tunnel2] ip address <tunnel2-address> <mask>
[Spoke3-Tunnel2] source ethernet 1/1
[Spoke3-Tunnel2] ospf network-type broadcast
[Spoke3-Tunnel2] ospf dr-priority 0
[Spoke3-Tunnel2] ipsec profile vamp
[Spoke3-Tunnel2] quit
# Configure OSPF (the page breaks off inside process 200).
[Spoke3] ospf 100
[Spoke3-ospf-100] area <area-id>
[Spoke3-ospf-100-area-<area-id>] network <address> <wildcard>
[Spoke3-ospf-100-area-<area-id>] quit
[Spoke3] ospf 200
[Spoke3-ospf-200] area <area-id>

Two remarks on this example. Every VAM client must be enabled (vam client enable in system view or client enable in VAM client view, Table 1-19) before it registers; the example shows this step only once, on Spoke1 of the Hub-Spoke example. Single DES for ESP appears here because the original example uses it; it is a legacy cipher and should be replaced by a stronger algorithm in a new deployment.

1.8.2 Hub-Spoke network

Network requirements: in the Hub-Spoke network the VAM Server manages and maintains the information of all nodes; the AAA server authenticates the VAM clients and handles their accounting; two Hubs back each other up; every Spoke has a permanent tunnel to each Hub; Spokes cannot communicate with each other directly, and all traffic between Spokes is forwarded by a Hub.

Figure 1-7 Hub-Spoke DVPN network (Main and Backup VAM Server, AAA server, Hub1, Hub2, Spoke sites; Hub-to-Spoke static tunnels)
(1) Configure the primary VAM Server (MainServer)

# Configure the RADIUS scheme and the ISP domain used for AAA.
[MainServer] radius scheme radsun
[MainServer-radius-radsun] primary accounting <aaa-address>
[MainServer-radius-radsun] key authentication expert
[MainServer-radius-radsun] key accounting expert
[MainServer-radius-radsun] server-type standard
[MainServer-radius-radsun] user-name-format with-domain
[MainServer-radius-radsun] quit
[MainServer] domain 1
[MainServer-isp-1] authentication default radius-scheme radsun
[MainServer-isp-1] accounting default radius-scheme radsun
[MainServer-isp-1] quit
[MainServer] domain default enable 1
# Specify the IP address on which the VAM Server listens.
[MainServer] vam server ip-address <server-address>
# Create VPN domain 1 and specify its Hub addresses.
[MainServer] vam server vpn 1
[MainServer-vam-server-vpn-1] pre-shared-key simple 123
[MainServer-vam-server-vpn-1] hub private-ip <hub1-private-address>
[MainServer-vam-server-vpn-1] hub private-ip <hub2-private-address>
[MainServer-vam-server-vpn-1] quit
# Enable the VAM Server function for all domains.
[MainServer] vam server enable all

(2) Configure the backup VAM Server

Except for the IP address, the DVPN configuration of the backup VAM Server is the same as that of the primary server; see step (1).

(3) Configure Hub1

# Create the VAM client for VPN domain 1.
[Hub1] vam client name dvpn1hub1
[Hub1-vam-client-dvpn1hub1] server primary ip-address <main-server-address>
[Hub1-vam-client-dvpn1hub1] server secondary ip-address <backup-server-address>
[Hub1-vam-client-dvpn1hub1] pre-shared-key simple 123
[Hub1-vam-client-dvpn1hub1] vpn 1
[Hub1-vam-client-dvpn1hub1] user dvpn1hub1 password simple dvpn1hub1
[Hub1-vam-client-dvpn1hub1] quit
# Configure the IPsec proposal, IKE peer and IPsec profile.
[Hub1] ipsec proposal vam
[Hub1-ipsec-proposal-vam] encapsulation-mode tunnel
[Hub1-ipsec-proposal-vam] transform esp
[Hub1-ipsec-proposal-vam] esp encryption-algorithm des
[Hub1-ipsec-proposal-vam] esp authentication-algorithm sha1
[Hub1-ipsec-proposal-vam] quit
[Hub1] ike peer vam
[Hub1-ike-peer-vam] pre-shared-key abcde
[Hub1-ike-peer-vam] quit
[Hub1] ipsec profile vamp
[Hub1-ipsec-profile-vamp] proposal vam
[Hub1-ipsec-profile-vamp] sa duration time-based 600
[Hub1-ipsec-profile-vamp] pfs dh-group2
[Hub1-ipsec-profile-vamp] quit
# Configure the DVPN tunnel; a Hub-Spoke network uses the p2mp OSPF network type.
[Hub1] interface tunnel 1
[Hub1-Tunnel1] tunnel-protocol dvpn udp
[Hub1-Tunnel1] vam client dvpn1hub1
[Hub1-Tunnel1] ip address <tunnel1-address> <mask>
[Hub1-Tunnel1] source ethernet 1/1
[Hub1-Tunnel1] ospf network-type p2mp
[Hub1-Tunnel1] ipsec profile vamp
[Hub1-Tunnel1] quit
# Configure OSPF.
[Hub1] ospf 100
[Hub1-ospf-100] area <area-id>
[Hub1-ospf-100-area-<area-id>] network <address> <wildcard>
[Hub1-ospf-100-area-<area-id>] quit
[Hub1] ospf 200
[Hub1-ospf-200] area <area-id>
[Hub1-ospf-200-area-<area-id>] network <address> <wildcard>
[Hub1-ospf-200-area-<area-id>] quit

(4) Configure Hub2

# Create the VAM client for VPN domain 1.
[Hub2] vam client name dvpn1hub2
[Hub2-vam-client-dvpn1hub2] server primary ip-address <main-server-address>
[Hub2-vam-client-dvpn1hub2] server secondary ip-address <backup-server-address>
[Hub2-vam-client-dvpn1hub2] pre-shared-key simple 123
[Hub2-vam-client-dvpn1hub2] vpn 1
[Hub2-vam-client-dvpn1hub2] user dvpn1hub2 password simple dvpn1hub2
[Hub2-vam-client-dvpn1hub2] quit
# Configure the IPsec proposal, IKE peer and IPsec profile.
[Hub2] ipsec proposal vam
[Hub2-ipsec-proposal-vam] encapsulation-mode tunnel
[Hub2-ipsec-proposal-vam] transform esp
[Hub2-ipsec-proposal-vam] esp encryption-algorithm des
[Hub2-ipsec-proposal-vam] esp authentication-algorithm sha1
[Hub2-ipsec-proposal-vam] quit
[Hub2] ike peer vam
[Hub2-ike-peer-vam] pre-shared-key abcde
[Hub2-ike-peer-vam] quit
[Hub2] ipsec profile vamp
[Hub2-ipsec-profile-vamp] proposal vam
[Hub2-ipsec-profile-vamp] sa duration time-based 600
[Hub2-ipsec-profile-vamp] pfs dh-group2
[Hub2-ipsec-profile-vamp] quit
# Configure the DVPN tunnel.
[Hub2] interface tunnel 1
[Hub2-Tunnel1] tunnel-protocol dvpn udp
[Hub2-Tunnel1] vam client dvpn1hub2
[Hub2-Tunnel1] ip address <tunnel1-address> <mask>
[Hub2-Tunnel1] source ethernet 1/1
[Hub2-Tunnel1] ospf network-type p2mp
[Hub2-Tunnel1] ipsec profile vamp
[Hub2-Tunnel1] quit
# Configure OSPF.
[Hub2] ospf 100
[Hub2-ospf-100] area <area-id>
[Hub2-ospf-100-area-<area-id>] network <address> <wildcard>
[Hub2-ospf-100-area-<area-id>] quit
[Hub2] ospf 200
[Hub2-ospf-200] area <area-id>
[Hub2-ospf-200-area-<area-id>] network <address> <wildcard>
[Hub2-ospf-200-area-<area-id>] quit

(5) Configure Spoke1

# Create the VAM client for VPN domain 1 and enable it.
[Spoke1] vam client name dvpn1spoke1
[Spoke1-vam-client-dvpn1spoke1] server primary ip-address <main-server-address>
[Spoke1-vam-client-dvpn1spoke1] server secondary ip-address <backup-server-address>
[Spoke1-vam-client-dvpn1spoke1] pre-shared-key simple 123
[Spoke1-vam-client-dvpn1spoke1] vpn 1
[Spoke1-vam-client-dvpn1spoke1] user dvpn1spoke1 password simple dvpn1spoke1
[Spoke1-vam-client-dvpn1spoke1] client enable
[Spoke1-vam-client-dvpn1spoke1] quit
# Configure the IPsec proposal, IKE peer and IPsec profile.
[Spoke1] ipsec proposal vam
[Spoke1-ipsec-proposal-vam] encapsulation-mode tunnel
[Spoke1-ipsec-proposal-vam] transform esp
[Spoke1-ipsec-proposal-vam] esp encryption-algorithm des
[Spoke1-ipsec-proposal-vam] esp authentication-algorithm sha1
[Spoke1-ipsec-proposal-vam] quit
[Spoke1] ike peer vam
[Spoke1-ike-peer-vam] pre-shared-key abcde
[Spoke1-ike-peer-vam] quit
[Spoke1] ipsec profile vamp
[Spoke1-ipsec-profile-vamp] proposal vam
[Spoke1-ipsec-profile-vamp] sa duration time-based 600
[Spoke1-ipsec-profile-vamp] pfs dh-group2
[Spoke1-ipsec-profile-vamp] quit
# Configure the DVPN tunnel.
[Spoke1] interface tunnel 1
[Spoke1-Tunnel1] tunnel-protocol dvpn udp
[Spoke1-Tunnel1] vam client dvpn1spoke1
[Spoke1-Tunnel1] ip address <tunnel1-address> <mask>
[Spoke1-Tunnel1] source ethernet 1/1
[Spoke1-Tunnel1] ospf network-type p2mp
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] ipsec profile vamp
[Spoke1-Tunnel1] quit
# Configure OSPF.
[Spoke1] ospf 100
[Spoke1-ospf-100] area <area-id>
[Spoke1-ospf-100-area-<area-id>] network <address> <wildcard>
[Spoke1-ospf-100-area-<area-id>] quit
[Spoke1] ospf 200
[Spoke1-ospf-200] area <area-id>
[Spoke1-ospf-200-area-<area-id>] network <address> <wildcard>
[Spoke1-ospf-200-area-<area-id>] quit

(6) Configure Spoke2

# Create the VAM client for VPN domain 1.
[Spoke2] vam client name dvpn1spoke2
[Spoke2-vam-client-dvpn1spoke2] server primary ip-address <main-server-address>
[Spoke2-vam-client-dvpn1spoke2] server secondary ip-address <backup-server-address>
[Spoke2-vam-client-dvpn1spoke2] pre-shared-key simple 123
[Spoke2-vam-client-dvpn1spoke2] vpn 1
[Spoke2-vam-client-dvpn1spoke2] user dvpn1spoke2 password simple dvpn1spoke2
[Spoke2-vam-client-dvpn1spoke2] quit
# Configure the IPsec proposal, IKE peer and IPsec profile.
[Spoke2] ipsec proposal vam
[Spoke2-ipsec-proposal-vam] encapsulation-mode tunnel
[Spoke2-ipsec-proposal-vam] transform esp
[Spoke2-ipsec-proposal-vam] esp encryption-algorithm des
[Spoke2-ipsec-proposal-vam] esp authentication-algorithm sha1
[Spoke2-ipsec-proposal-vam] quit
[Spoke2] ike peer vam
[Spoke2-ike-peer-vam] pre-shared-key abcde
[Spoke2-ike-peer-vam] quit
[Spoke2] ipsec profile vamp
[Spoke2-ipsec-profile-vamp] proposal vam
[Spoke2-ipsec-profile-vamp] sa duration time-based 600
[Spoke2-ipsec-profile-vamp] pfs dh-group2
[Spoke2-ipsec-profile-vamp] quit
# Configure the DVPN tunnel.
[Spoke2] interface tunnel 1
[Spoke2-Tunnel1] tunnel-protocol dvpn udp
[Spoke2-Tunnel1] vam client dvpn1spoke2
[Spoke2-Tunnel1] ip address <tunnel1-address> <mask>
[Spoke2-Tunnel1] source ethernet 1/1
[Spoke2-Tunnel1] ospf network-type p2mp
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] ipsec profile vamp
[Spoke2-Tunnel1] quit
# Configure OSPF.
[Spoke2] ospf 100
[Spoke2-ospf-100] area <area-id>
[Spoke2-ospf-100-area-<area-id>] network <address> <wildcard>
[Spoke2-ospf-100-area-<area-id>] quit
[Spoke2] ospf 200
[Spoke2-ospf-200] area <area-id>
[Spoke2-ospf-200-area-<area-id>] network <address> <wildcard>
[Spoke2-ospf-200-area-<area-id>] quit

2 GRE configuration

2.1 GRE overview

GRE (Generic Routing Encapsulation) encapsulates the packets of one network-layer protocol (such as IP or IPX) so that the encapsulated packets can be carried over another network-layer protocol (such as IP). GRE uses the Tunnel technique and is the Layer 3 tunneling protocol of VPN (Virtual Private Network): a Tunnel is a virtual point-to-point connection over which encapsulated packets are carried, and the packets are encapsulated at one end of the Tunnel and decapsulated at the other.

2.1.1 Encapsulation and decapsulation

Take the network of Figure 2-1 (an X-protocol network connected across an IP network through a Tunnel) as an example of the two processes; Figure 2-2 shows the encapsulated Tunnel packet and Figure 2-3 the Tunnel packet format.

Encapsulation: when the system receives a payload, it first uses the encapsulation protocol (GRE) to encapsulate the payload into a GRE packet; the GRE packet is then encapsulated in an IP packet, and IP forwards it. The IP protocol responsible for this forwarding is commonly called the delivery protocol or transport protocol.

2.1.2 GRE packet format

The GRE header format is defined in RFC 1701. The fields that matter for the configuration in this document are the Checksum (present when the C flag is set to 1) and the Key, followed by the payload.

2.1.3 GRE applications

(1) Multi-protocol local networks communicating over a single-protocol backbone. In Figure 2-4 two Novell IPX groups (Group 1 and Group 2) and two IP teams (Team 1 and Team 2) are connected through RouterA and RouterB. Through the GRE-encapsulated Tunnel, Group 1 and Group 2, and Team 1 and Team 2, communicate without affecting each other.

Figure 2-5 GRE tunnel between routers across an IP network, with hosts at both ends
(2) Connecting discontinuous subnets. As shown in Figure 2-6, a Tunnel across the WAN joins the subnets at the two ends.

(3) GRE together with IPsec. Figure 2-7 shows GRE-IPsec, that is, a GRE tunnel protected by IPsec.

2.1.4 Protocol specifications
- RFC 1701: Generic Routing Encapsulation
- RFC 1702: Generic Routing Encapsulation over IPv4
- RFC 2784: Generic Routing Encapsulation

2.2 Configuring GRE over IPv4

Before configuring, assign IP addresses to the physical interfaces (Ethernet or VLAN interfaces, for example) on both devices so that the two ends can communicate normally. These interfaces serve as the source interfaces of the Tunnel interfaces, and the route to the tunnel destination must be reachable.

Table 2-1 Configuring GRE over IPv4
  system-view
  interface tunnel number                        creates the Tunnel interface and enters its view; default: no Tunnel interface exists
  ip address ip-address { mask | mask-length }   IPv4 address of the Tunnel interface
  tunnel-protocol gre                            default: GRE over IPv4
  source { ip-address | interface-type interface-number }     source address or source interface of the tunnel
  destination ip-address                         destination address of the tunnel
  keepalive [ seconds [ times ] ]                detects the state of the Tunnel interface; sets the keepalive period and retry count
  gre checksum                                   enables the GRE checksum
  gre key key-number                             sets the GRE key
  expediting enable / expediting subnet ip-address ...     GRE fast termination (the exact arguments are not legible on the page); support depends on the device model
  Configure routes through the Tunnel            required; routes through the Tunnel must exist at both ends

Notes:
- Support for the expediting commands depends on the device model; see the "IP Services Volume", "Tunnel configuration" for the fast-termination function and "Tunnel commands" for the expediting subnet command.
- The two ends decide independently whether to enable the checksum and whether to configure a key; the key values at the two ends must be identical.
- Routes through the Tunnel can be static: the destination is the destination address of the original (not yet GRE-encapsulated) packet and the next hop is the address of the peer Tunnel interface. Alternatively enable a dynamic routing protocol on the Tunnel interface and on the interface connected to the private network, and let the protocol build the routes through the Tunnel.

2.3 Configuring GRE over IPv6

The prerequisites are the same as for GRE over IPv4: the physical interfaces that will serve as tunnel sources must be addressed and the tunnel destination must be reachable.

Table 2-2 Configuring GRE over IPv6
  system-view
  ipv6                                           enables IPv6 packet forwarding; default: disabled
  interface tunnel number                        default: no Tunnel interface exists
  ip address ip-address { mask | mask-length }   IPv4 address of the Tunnel interface
  tunnel-protocol gre ipv6                       GRE over IPv6
  source { ipv6-address | interface-type interface-number }     source address or interface
  destination ipv6-address                       destination address
  encapsulation-limit [ number ]                 default: 4
  gre checksum
  gre key key-number
  Configure routes through the Tunnel            required at both ends

The notes on checksum, key and routes given for GRE over IPv4 apply here as well; for the commands see "Tunnel commands" in the "IP Services Volume".

2.4 Displaying and maintaining GRE

Table 2-3 Displaying GRE
  display interface tunnel [ number ]                     Tunnel interface information
  display ipv6 interface tunnel [ number ] [ verbose ]    IPv6 information of the Tunnel interface
For both commands see "Tunnel commands" in the "IP Services Volume".

2.5 GRE configuration examples

The IP addresses and masks in these examples did not survive in this copy of the document; they are shown as <placeholders>.

2.5.1 GRE over IPv4 (router application)

Network requirements: RouterA and RouterB are connected across the Internet; the private networks behind them communicate through a GRE tunnel (Figure 2-8).

# Configure RouterA.
<RouterA> system-view
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address <address> <mask>
[RouterA-Ethernet1/1] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ip address <address> <mask>
[RouterA-Serial2/0] quit
# Create Tunnel0, assign its IP address, and set the tunnel source and destination.
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ip address <tunnel-address> <mask>
[RouterA-Tunnel0] source <serial2/0-address>
[RouterA-Tunnel0] destination <routerb-serial2/1-address>
[RouterA-Tunnel0] quit
# Configure a static route to the remote private network through Tunnel0.
[RouterA] ip route-static <remote-network> <mask> tunnel 0

# Configure RouterB.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address <address> <mask>
[RouterB-Ethernet1/1] quit
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ip address <address> <mask>
[RouterB-Serial2/1] quit
# Create Tunnel0.
[RouterB] interface tunnel 0
[RouterB-Tunnel0] ip address <tunnel-address> <mask>
[RouterB-Tunnel0] source <serial2/1-address>
[RouterB-Tunnel0] destination <routera-serial2/0-address>
[RouterB-Tunnel0] quit
[RouterB] ip route-static <remote-network> <mask> tunnel 0

2.5.2 GRE over IPv4 (switch application)

Network requirements: SwitchA and SwitchB are connected across the Internet and join their VLANs through a GRE tunnel (Figure 2-9). On a switch the tunnel needs a service loopback group of type tunnel.

# Configure SwitchA.
[SwitchA] vlan 100
[SwitchA-vlan100] port ethernet 1/1
[SwitchA-vlan100] quit
[SwitchA] interface vlan-interface 100
[SwitchA-Vlan-interface100] ip address <address> <mask>
[SwitchA-Vlan-interface100] quit
[SwitchA] vlan 101
[SwitchA-vlan101] port ethernet 1/2
[SwitchA-vlan101] quit
[SwitchA] interface vlan-interface 101
[SwitchA-Vlan-interface101] ip address <address> <mask>
[SwitchA-Vlan-interface101] quit
# Create Tunnel1 and set its source VLAN interface and destination.
[SwitchA] interface tunnel 1
[SwitchA-Tunnel1] ip address <tunnel-address> <mask>
[SwitchA-Tunnel1] source vlan-interface <number>
[SwitchA-Tunnel1] destination <switchb-address>
[SwitchA-Tunnel1] quit
# Create service loopback group 1 of type tunnel.
[SwitchA] service-loopback group 1 type tunnel
# Add Ethernet1/3 to service loopback group 1.
[SwitchA] interface ethernet 1/3
[SwitchA-Ethernet1/3] undo stp enable
[SwitchA-Ethernet1/3] port service-loopback group 1
[SwitchA-Ethernet1/3] quit
# Reference service loopback group 1 on the Tunnel interface.
[SwitchA] interface tunnel 1
[SwitchA-Tunnel1] service-loopback-group 1
[SwitchA-Tunnel1] quit
[SwitchA] ip route-static <remote-network> <mask> tunnel 1

# Configure SwitchB.
[SwitchB] vlan 100
[SwitchB-vlan100] port ethernet 1/1
[SwitchB-vlan100] quit
[SwitchB] interface vlan-interface 100
[SwitchB-Vlan-interface100] ip address <address> <mask>
[SwitchB-Vlan-interface100] quit
[SwitchB] vlan 101
[SwitchB-vlan101] port ethernet 1/2
[SwitchB-vlan101] quit
[SwitchB] interface vlan-interface 101
[SwitchB-Vlan-interface101] ip address <address> <mask>
[SwitchB-Vlan-interface101] quit
# Create Tunnel1.
[SwitchB] interface tunnel 1
[SwitchB-Tunnel1] ip address <tunnel-address> <mask>
[SwitchB-Tunnel1] source vlan-interface <number>
[SwitchB-Tunnel1] destination <switcha-address>
[SwitchB-Tunnel1] quit
# Create service loopback group 1 of type tunnel.
[SwitchB] service-loopback group 1 type tunnel
# Add Ethernet1/3 to service loopback group 1.
[SwitchB] interface ethernet 1/3
[SwitchB-Ethernet1/3] undo stp enable
[SwitchB-Ethernet1/3] port service-loopback group 1
[SwitchB-Ethernet1/3] quit
# Reference service loopback group 1 on the Tunnel interface.
[SwitchB] interface tunnel 1
[SwitchB-Tunnel1] service-loopback-group 1
[SwitchB-Tunnel1] quit
[SwitchB] ip route-static <remote-network> <mask> tunnel 1

2.5.3 GRE over IPv6 (router application)

Network requirements: the Layer 3 tunneling protocol GRE carries IPv4 traffic across an IPv6 network between RouterA and RouterB (Figure 2-10).

# Configure RouterA.
[RouterA] ipv6
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address <address> <mask>
[RouterA-Ethernet1/1] quit
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ipv6 address 2002::1:1 64
[RouterA-Serial2/0] quit
# Create Tunnel0 and assign its IP address.
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ip address

(The document ends here; the remainder of the GRE over IPv6 example is not present on the page.)