NE40E V800R010C00 Configuration Guide - User Access 01

Example for Configuring L2TP Tunnel Access to an L3VPN

This section describes an example of configuring L2TP access to an L3VPN, with a networking diagram to illustrate the configuration process. The example covers the networking requirements, configuration roadmap and data preparation, procedure, and configuration files.

Networking Requirements

As shown in Figure 10-9, DeviceA and DeviceB function as the LAC and LNS respectively. The headquarters of Enterprise 01 uses the domain name isp1, and PC1 is a user of Enterprise 01; the headquarters of Enterprise 02 uses the domain name isp2, and PC2 is a user of Enterprise 02. Multiple enterprises share one LNS, users of each enterprise need to communicate with their own headquarters, and the networks use private addresses. Normally, users cannot access servers inside an enterprise directly over the Internet. By establishing a VPN that supports multiple instances, users can access data on their own enterprise's internal network.

Figure 10-9  Networking diagram for L2TP tunnel access to an L3VPN
Note:

In this example, interface1, interface2, and interface3 represent GE 2/0/0, GE 1/0/1, and GE 3/0/0 respectively.



Device    Interface                  IP address
DeviceA   GigabitEthernet1/0/1.1     11.11.11.1/24
          GigabitEthernet1/0/1.2     12.12.12.1/24
          GigabitEthernet2/0/0.100   -
          LoopBack0                  1.1.1.1/32
          LoopBack1                  2.2.2.2/32
DeviceB   GigabitEthernet1/0/1.1     11.11.11.2/24
          GigabitEthernet1/0/1.2     12.12.12.2/24
          LoopBack0                  3.3.3.3/32
          LoopBack1                  4.4.4.4/32

Configuration Roadmap

Note:

Addresses in different VPN instances can overlap.

  1. Configure dial-up on the user side

  2. Configure the LAC

    • Configure the tasks related to the PPPoX access service on the LAC: configure a virtual template interface, configure an AAA scheme, bind the virtual template interface to an interface, and configure a BAS interface
    • Enable basic L2TP capabilities
    • Configure the L2TP tunnel connection on the LAC side
    • Configure the tunnel authentication mode
    • Configure L2TP user attributes
    • Configure a routing protocol (static routes in this example) so that the LAC and LNS are reachable to each other
  3. Configure the LNS

    • Create VPN instances
    • Configure a virtual template interface
    • Configure the L2TP tunnel connection on the LNS side
    • Configure the tunnel authentication mode and the user authentication mode
    • Configure tunnel parameters on the LNS side
    • Configure address pools for assigning IP addresses to L2TP users, and bind them to VPN instances
    • Configure domains for the L2TP users, specify the address pools in the domains, and bind the domains to VPN instances
    • Configure a routing protocol (static routes in this example) so that the LAC and LNS are reachable to each other
    • Configure the interfaces connected to the enterprises, and bind them to VPN instances

Data Preparation

To complete the configuration, you need the following data:

  • User name and password of PC1; user name and password of PC2

  • Tunnel password, and the local and remote tunnel names on the LNS side

  • VPN instances

  • Numbers of the two virtual template interfaces and the two L2TP groups

  • Number, address range, and mask of the remote address pool

Note:

This section lists only the configuration steps related to L2TP.

Procedure

  1. Configure the user side

    Set up a dial-up connection that dials the access number of DeviceA and accepts the address assigned by the LNS.

    For PC1, enter the user name user1@isp1 and the password in the dial-up terminal window (this user name and password have already been registered on the LNS).

    For PC2, enter the user name use1@isp2 and the password in the dial-up terminal window (this user name and password have already been registered on the LNS).

  2. Configure DeviceA (LAC side)

    # Configure virtual template interface 1.

    <Device> system-view
    [~Device] sysname DeviceA
    [*DeviceA] interface virtual-template 1
    [*DeviceA-Virtual-Template1] ppp authentication-mode chap
    [*DeviceA-Virtual-Template1] commit
    [~DeviceA-Virtual-Template1] quit

    # Bind virtual template interface 1 to GE 2/0/0.100.

    [~DeviceA] interface gigabitethernet 2/0/0.100
    [*DeviceA-GigabitEthernet2/0/0.100] pppoe-server bind virtual-template 1
    [*DeviceA-GigabitEthernet2/0/0.100] user-vlan 1 100
    [*DeviceA-GigabitEthernet2/0/0.100-vlan-1-100] commit
    [~DeviceA-GigabitEthernet2/0/0.100-vlan-1-100] quit

    # Configure the BAS interface.

    [~DeviceA-GigabitEthernet2/0/0.100] bas
    [*DeviceA-GigabitEthernet2/0/0.100-bas] access-type layer2-subscriber
    [*DeviceA-GigabitEthernet2/0/0.100-bas] authentication-method ppp
    [*DeviceA-GigabitEthernet2/0/0.100-bas] commit
    [~DeviceA-GigabitEthernet2/0/0.100-bas] quit
    [~DeviceA-GigabitEthernet2/0/0.100] quit

    # Configure the interfaces connecting the LAC to the LNS; sub-interfaces must be created on the same physical interface.

    [~DeviceA] interface gigabitethernet1/0/1.1
    [*DeviceA-GigabitEthernet1/0/1.1] vlan-type dot1q 1
    [*DeviceA-GigabitEthernet1/0/1.1] ip address 11.11.11.1 255.255.255.0
    [*DeviceA-GigabitEthernet1/0/1.1] commit
    [~DeviceA-GigabitEthernet1/0/1.1] quit
    [~DeviceA] interface gigabitethernet1/0/1.2
    [*DeviceA-GigabitEthernet1/0/1.2] vlan-type dot1q 2
    [*DeviceA-GigabitEthernet1/0/1.2] ip address 12.12.12.1 255.255.255.0
    [*DeviceA-GigabitEthernet1/0/1.2] commit
    [~DeviceA-GigabitEthernet1/0/1.2] quit

    # Create loopback interfaces.

    [~DeviceA] interface loopback0
    [*DeviceA-LoopBack0] ip address 1.1.1.1 255.255.255.255
    [*DeviceA-LoopBack0] commit
    [~DeviceA-LoopBack0] quit
    [~DeviceA] interface loopback1
    [*DeviceA-LoopBack1] ip address 2.2.2.2 255.255.255.255
    [*DeviceA-LoopBack1] commit
    [~DeviceA-LoopBack1] quit

    # Configure L2TP groups and their attributes.

    [~DeviceA] l2tp enable
    [~DeviceA] l2tp-group lac1
    [*DeviceA-l2tp-lac1] tunnel name lac1
    [*DeviceA-l2tp-lac1] start l2tp ip 3.3.3.3
    [*DeviceA-l2tp-lac1] tunnel authentication
    [*DeviceA-l2tp-lac1] tunnel password simple 1qaz#EDC
    [*DeviceA-l2tp-lac1] tunnel source loopback0
    [*DeviceA-l2tp-lac1] commit
    [~DeviceA-l2tp-lac1] quit
    [~DeviceA] l2tp-group lac2
    [*DeviceA-l2tp-lac2] tunnel name lac2
    [*DeviceA-l2tp-lac2] start l2tp ip 4.4.4.4
    [*DeviceA-l2tp-lac2] tunnel authentication
    [*DeviceA-l2tp-lac2] tunnel password simple 1qaz#EDC
    [*DeviceA-l2tp-lac2] tunnel source loopback1
    [*DeviceA-l2tp-lac2] commit
    [~DeviceA-l2tp-lac2] quit

    # Configure the RADIUS server.

    [~DeviceA] radius-server group radius1
    [*DeviceA-radius-radius1] radius-server authentication 20.20.20.1 1812
    [*DeviceA-radius-radius1] radius-server accounting 20.20.20.1 1813
    [*DeviceA-radius-radius1] radius-server shared-key itellin
    [*DeviceA-radius-radius1] commit
    [~DeviceA-radius-radius1] quit

    # Configure the domains to which the users belong.

    [~DeviceA] aaa
    [*DeviceA-aaa] domain isp1
    [*DeviceA-aaa-domain-isp1] l2tp-group lac1
    [*DeviceA-aaa-domain-isp1] radius-server group radius1
    [*DeviceA-aaa-domain-isp1] authentication-scheme default1
    [*DeviceA-aaa-domain-isp1] accounting-scheme default1
    [*DeviceA-aaa-domain-isp1] commit
    [~DeviceA-aaa-domain-isp1] quit
    [~DeviceA-aaa] domain isp2
    [*DeviceA-aaa-domain-isp2] l2tp-group lac2
    [*DeviceA-aaa-domain-isp2] radius-server group radius1
    [*DeviceA-aaa-domain-isp2] authentication-scheme default1
    [*DeviceA-aaa-domain-isp2] accounting-scheme default1
    [*DeviceA-aaa-domain-isp2] commit
    [~DeviceA-aaa-domain-isp2] quit
    [~DeviceA-aaa] quit

    # Configure routes.

    [~DeviceA] ip route-static 3.3.3.3 255.255.255.255 11.11.11.2
    [~DeviceA] ip route-static 4.4.4.4 255.255.255.255 12.12.12.2

  3. Configure DeviceB (LNS side)

    # Create two VPN instances.

    <Device> system-view
    [~Device] sysname DeviceB
    [*DeviceB] ip vpn-instance vrf1
    [*DeviceB-vpn-instance-vrf1] route-distinguisher 100:1
    [*DeviceB-vpn-instance-vrf1] vpn-target 100:1 both
    [*DeviceB-vpn-instance-vrf1] commit
    [~DeviceB-vpn-instance-vrf1] quit
    [~DeviceB] ip vpn-instance vrf2
    [*DeviceB-vpn-instance-vrf2] route-distinguisher 100:2
    [*DeviceB-vpn-instance-vrf2] vpn-target 100:2 both
    [*DeviceB-vpn-instance-vrf2] commit
    [~DeviceB-vpn-instance-vrf2] quit

    # Create two sub-interfaces.

    [~DeviceB] interface gigabitethernet1/0/1.1
    [*DeviceB-GigabitEthernet1/0/1.1] vlan-type dot1q 1
    [*DeviceB-GigabitEthernet1/0/1.1] ip address 11.11.11.2 255.255.255.0
    [*DeviceB-GigabitEthernet1/0/1.1] commit
    [~DeviceB-GigabitEthernet1/0/1.1] quit
    [~DeviceB] interface gigabitethernet1/0/1.2
    [*DeviceB-GigabitEthernet1/0/1.2] vlan-type dot1q 2
    [*DeviceB-GigabitEthernet1/0/1.2] ip address 12.12.12.2 255.255.255.0
    [*DeviceB-GigabitEthernet1/0/1.2] commit
    [~DeviceB-GigabitEthernet1/0/1.2] quit

    # Create loopback interfaces.

    [~DeviceB] interface loopback0
    [*DeviceB-LoopBack0] ip address 3.3.3.3 255.255.255.255
    [*DeviceB-LoopBack0] commit
    [~DeviceB-LoopBack0] quit
    [~DeviceB] interface loopback1
    [*DeviceB-LoopBack1] ip address 4.4.4.4 255.255.255.255
    [*DeviceB-LoopBack1] commit
    [~DeviceB-LoopBack1] quit

    # Create virtual template interface 1.

    [~DeviceB] interface virtual-template 1
    [*DeviceB-Virtual-Template1] ppp authentication-mode chap
    [*DeviceB-Virtual-Template1] commit
    [~DeviceB-Virtual-Template1] quit

    # Enable L2TP and configure the L2TP groups.

    [~DeviceB] l2tp enable
    [~DeviceB] l2tp-group lns1
    [*DeviceB-l2tp-lns1] tunnel name lns1
    [*DeviceB-l2tp-lns1] allow l2tp virtual-template 1 remote lac1
    [*DeviceB-l2tp-lns1] tunnel authentication
    [*DeviceB-l2tp-lns1] tunnel password simple 1qaz#EDC
    [*DeviceB-l2tp-lns1] commit
    [~DeviceB-l2tp-lns1] quit
    [~DeviceB] l2tp-group lns2
    [*DeviceB-l2tp-lns2] tunnel name lns2
    [*DeviceB-l2tp-lns2] allow l2tp virtual-template 1 remote lac2
    [*DeviceB-l2tp-lns2] tunnel authentication
    [*DeviceB-l2tp-lns2] tunnel password simple 1qaz#EDC
    [*DeviceB-l2tp-lns2] commit
    [~DeviceB-l2tp-lns2] quit

    # Create and configure LNS group group1, and bind the tunnel source interfaces and the tunnel board to it.

    [~DeviceB] lns-group group1
    [*DeviceB-lns-group-group1] bind slot 1
    [*DeviceB-lns-group-group1] bind source loopback 0
    [*DeviceB-lns-group-group1] bind source loopback 1
    [*DeviceB-lns-group-group1] commit
    [~DeviceB-lns-group-group1] quit

    # Configure the address pools from which users are assigned addresses.

    [~DeviceB] ip pool pool1 bas local
    [*DeviceB-ip-pool-pool1] gateway 10.10.0.1 255.255.255.0
    [*DeviceB-ip-pool-pool1] section 0 10.10.0.10 10.10.0.100
    [*DeviceB-ip-pool-pool1] vpn-instance vrf1
    [*DeviceB-ip-pool-pool1] commit
    [~DeviceB-ip-pool-pool1] quit
    [~DeviceB] ip pool pool2 bas local
    [*DeviceB-ip-pool-pool2] gateway 10.10.0.1 255.255.255.0
    [*DeviceB-ip-pool-pool2] section 0 10.10.0.10 10.10.0.100
    [*DeviceB-ip-pool-pool2] vpn-instance vrf2
    [*DeviceB-ip-pool-pool2] commit
    [~DeviceB-ip-pool-pool2] quit

    # Configure the RADIUS server.

    [~DeviceB] radius-server group radius1
    [*DeviceB-radius-radius1] radius-server authentication 20.20.20.1 1812
    [*DeviceB-radius-radius1] radius-server accounting 20.20.20.1 1813
    [*DeviceB-radius-radius1] radius-server shared-key itellin
    [*DeviceB-radius-radius1] commit
    [~DeviceB-radius-radius1] quit

    # Configure the domains to which the users belong.

    [~DeviceB] aaa
    [*DeviceB-aaa] domain isp1
    [*DeviceB-aaa-domain-isp1] radius-server group radius1
    [*DeviceB-aaa-domain-isp1] authentication-scheme default1
    [*DeviceB-aaa-domain-isp1] accounting-scheme default1
    [*DeviceB-aaa-domain-isp1] ip-pool pool1
    [*DeviceB-aaa-domain-isp1] vpn-instance vrf1
    [*DeviceB-aaa-domain-isp1] commit
    [~DeviceB-aaa-domain-isp1] quit
    [~DeviceB-aaa] domain isp2
    [*DeviceB-aaa-domain-isp2] radius-server group radius1
    [*DeviceB-aaa-domain-isp2] authentication-scheme default1
    [*DeviceB-aaa-domain-isp2] accounting-scheme default1
    [*DeviceB-aaa-domain-isp2] ip-pool pool2
    [*DeviceB-aaa-domain-isp2] vpn-instance vrf2
    [*DeviceB-aaa-domain-isp2] commit
    [~DeviceB-aaa-domain-isp2] quit
    [~DeviceB-aaa] quit

    # Configure routes.

    [~DeviceB] ip route-static 1.1.1.1 255.255.255.255 11.11.11.1
    [~DeviceB] ip route-static 2.2.2.2 255.255.255.255 12.12.12.1

  4. Verify the configuration

    [~DeviceA] ping 3.3.3.3
    PING 3.3.3.3: 56  data bytes, press CTRL_C to break
        Reply from 3.3.3.3: bytes=56 Sequence=1 ttl=255 time=12 ms
        Reply from 3.3.3.3: bytes=56 Sequence=2 ttl=255 time=10 ms
        Reply from 3.3.3.3: bytes=56 Sequence=3 ttl=255 time=5 ms
        Reply from 3.3.3.3: bytes=56 Sequence=4 ttl=255 time=8 ms

      --- 3.3.3.3 ping statistics ---
        4 packet(s) transmitted
        4 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 5/8/12 ms
    [~DeviceA] ping 4.4.4.4
    PING 4.4.4.4: 56  data bytes, press CTRL_C to break
        Reply from 4.4.4.4: bytes=56 Sequence=1 ttl=255 time=12 ms
        Reply from 4.4.4.4: bytes=56 Sequence=2 ttl=255 time=10 ms
        Reply from 4.4.4.4: bytes=56 Sequence=3 ttl=255 time=5 ms
        Reply from 4.4.4.4: bytes=56 Sequence=4 ttl=255 time=8 ms

      --- 4.4.4.4 ping statistics ---
        4 packet(s) transmitted
        4 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 5/8/12 ms
    [~DeviceA] test l2tp-tunnel l2tp-group lac1 ip-address 3.3.3.3
    Testing L2TP tunnel connectivity now.......
    Test L2TP tunnel connectivity success.
    [~DeviceA] test l2tp-tunnel l2tp-group lac2 ip-address 4.4.4.4
    Testing L2TP tunnel connectivity now.......
    Test L2TP tunnel connectivity success.

    # VPN users can also access their corporate headquarters.

    PC1 can access the headquarters of Enterprise 01 (Headquarter01), and PC2 can access the headquarters of Enterprise 02 (Headquarter02).

    If PC1 enters the user name user1@isp2 and the corresponding password, PC1 accesses Headquarter02 as a vrf2 user.

Configuration Files

  • DeviceA configuration file

    #
     sysname DeviceA
    #
     l2tp enable
    #
    radius-server group radius1
     radius-server authentication 20.20.20.1 1812 
     radius-server accounting 20.20.20.1 1813 
     radius-server shared-key itellin
    #
    interface Virtual-Template1
    ppp authentication-mode chap
    #
    interface GigabitEthernet2/0/0
     undo shutdown
    #
    interface GigabitEthernet2/0/0.100
     pppoe-server bind Virtual-Template 1
     undo shutdown
     user-vlan 1 100
     bas
      access-type layer2-subscriber
    #
    interface LoopBack0
     ip address 1.1.1.1 255.255.255.255
    #
    interface LoopBack1
     ip address 2.2.2.2 255.255.255.255
    #
    l2tp-group lac1
     tunnel password simple 1qaz#EDC
     tunnel name lac1
     start l2tp ip 3.3.3.3
     tunnel source LoopBack0
    #
    l2tp-group lac2
     tunnel password simple 1qaz#EDC
     tunnel name lac2
     start l2tp ip 4.4.4.4
     tunnel source LoopBack1
    #
    aaa
    domain isp1
      authentication-scheme default1
      accounting-scheme default1
      radius-server group radius1
      l2tp-group lac1
    domain isp2
      authentication-scheme default1
      accounting-scheme default1
      radius-server group radius1
      l2tp-group lac2
    #
    interface GigabitEthernet1/0/1.1
     undo shutdown
     vlan-type dot1q 1
     ip address 11.11.11.1 255.255.255.0
    #
    interface GigabitEthernet1/0/1.2
     undo shutdown
     vlan-type dot1q 2
     ip address 12.12.12.1 255.255.255.0
    #
     ip route-static 3.3.3.3 255.255.255.255 11.11.11.2
     ip route-static 4.4.4.4 255.255.255.255 12.12.12.2
    #
    return
  • DeviceB configuration file

    #
     sysname DeviceB
    #
     l2tp enable
    #
    radius-server group radius1
     radius-server authentication 20.20.20.1 1812 
     radius-server accounting 20.20.20.1 1813 
     radius-server shared-key itellin
    #
    interface Virtual-Template1
    ppp authentication-mode chap
    #
    ip vpn-instance vrf1
    route-distinguisher 100:1
     vpn-target 100:1 export-extcommunity
     vpn-target 100:1 import-extcommunity
    #
    ip vpn-instance vrf2
    route-distinguisher 100:2
     vpn-target 100:2 export-extcommunity
     vpn-target 100:2 import-extcommunity
    #
    interface LoopBack0
     ip address 3.3.3.3 255.255.255.255
    #
    interface LoopBack1
     ip address 4.4.4.4 255.255.255.255
    #
    l2tp-group lns1
     allow l2tp virtual-template 1 remote lac1
     tunnel password simple 1qaz#EDC
     tunnel name lns1
    #
    l2tp-group lns2
     allow l2tp virtual-template 1 remote lac2
     tunnel password simple 1qaz#EDC
     tunnel name lns2
    #
    lns-group group1
     bind slot 1 
     bind source LoopBack0
     bind source LoopBack1
    #
    ip pool pool1 bas local
     vpn-instance vrf1
     gateway 10.10.0.1 255.255.255.0
     section 0 10.10.0.10 10.10.0.100
    #
    ip pool pool2 bas local
     vpn-instance vrf2
     gateway 10.10.0.1 255.255.255.0
     section 0 10.10.0.10 10.10.0.100
    #
    aaa
    domain isp1
      authentication-scheme default1
      accounting-scheme default1
      radius-server group radius1
      vpn-instance vrf1
      ip-pool pool1
    domain isp2
      authentication-scheme default1
      accounting-scheme default1
      radius-server group radius1
      vpn-instance vrf2
      ip-pool pool2
    #
    interface GigabitEthernet1/0/1.1
     undo shutdown
     vlan-type dot1q 1
     ip address 11.11.11.2 255.255.255.0
    #
    interface GigabitEthernet1/0/1.2
     undo shutdown
     vlan-type dot1q 2
     ip address 12.12.12.2 255.255.255.0
    #
     ip route-static 1.1.1.1 255.255.255.255 11.11.11.1
     ip route-static 2.2.2.2 255.255.255.255 12.12.12.1
    #
    return
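The following Python script is an example added here (not Huawei's code or an NE40E feature) that parses configuration files in the format shown above and checks three things a reviewer of this setup would want: that every LNS `allow l2tp ... remote` name matches a LAC `tunnel name`, that each domain's address pool is bound to the domain's own VPN instance (the two pools overlap, so a wrong binding would place one enterprise's users in the other's VRF), and that tunnel passwords and RADIUS shared keys are not stored in cleartext `simple` form. The embedded configurations are constructed cut-downs of the files above, with pool2 deliberately bound to vrf1 so that the VRF check fires.

```python
def parse_blocks(cfg):
    # Only a line that is exactly '#' delimits a block; a '#' inside a value (1qaz#EDC) does not.
    blocks = [[]]
    for line in (l.strip() for l in cfg.splitlines()):
        if line == "#":
            blocks.append([])
        elif line and line != "return":
            blocks[-1].append(line)
    return [b for b in blocks if b]

def parse_domains(aaa_block):  # -> {domain: {keyword: [arguments]}} from its 'domain X' sub-blocks
    domains, cur = {}, None
    for words in (l.split() for l in aaa_block[1:]):
        if words[0] == "domain":
            cur = domains[words[1]] = {}
        elif cur is not None:
            cur[words[0]] = words[1:]
    return domains

def audit(lac_cfg, lns_cfg):  # returns a sorted list of findings; [] means every check passed
    findings, lac_names, lns_remote, pools, domains = [], set(), [], {}, {}
    for dev, cfg in (("LAC", lac_cfg), ("LNS", lns_cfg)):
        for blk in parse_blocks(cfg):
            head, body = blk[0].split(), [l.split() for l in blk[1:]]
            if head[0] == "l2tp-group":
                lac_names |= {w[2] for w in body if dev == "LAC" and w[:2] == ["tunnel", "name"]}
                lns_remote += [(head[1], w[-1]) for w in body if w[0] == "allow" and w[-2] == "remote"]
            elif head[:2] == ["ip", "pool"]:
                pools[head[2]] = next((w[1] for w in body if w[0] == "vpn-instance"), None)
            elif head[0] == "aaa":
                domains.update({(dev, n): a for n, a in parse_domains(blk).items()})
            for line in blk:  # 'simple' and a non-cipher shared-key keep the secret in cleartext
                if " simple " in line or ("shared-key" in line and "cipher" not in line):
                    findings.append(f"{dev}: cleartext secret in '{line}'")
    for grp, remote in lns_remote:  # the LNS 'remote' name must equal some LAC 'tunnel name'
        if remote not in lac_names:
            findings.append(f"LNS group {grp}: remote name {remote} matches no LAC tunnel name")
    for (dev, name), a in domains.items():  # a domain's pool must live in the domain's own VRF
        if dev == "LNS" and "ip-pool" in a and pools.get(a["ip-pool"][0]) != a.get("vpn-instance", [None])[0]:
            findings.append(f"LNS domain {name}: ip-pool VRF differs from the domain VRF")
    return sorted(findings)

# Constructed configs cut down from the files above; pool2 is deliberately put in vrf1 (a mismatch).
LAC_CFG = ("#\nl2tp-group lac1\n tunnel password simple 1qaz#EDC\n tunnel name lac1\n#\nl2tp-group lac2\n"
           " tunnel password simple 1qaz#EDC\n tunnel name lac2\n#\naaa\n domain isp1\n  l2tp-group lac1\n#\n")
LNS_CFG = ("#\nradius-server group radius1\n radius-server shared-key itellin\n#\nl2tp-group lns1\n"
           " allow l2tp virtual-template 1 remote lac1\n tunnel password simple 1qaz#EDC\n#\nl2tp-group lns2\n"
           " allow l2tp virtual-template 1 remote lac2\n tunnel password simple 1qaz#EDC\n#\n"
           "ip pool pool1 bas local\n vpn-instance vrf1\n#\nip pool pool2 bas local\n vpn-instance vrf1\n#\naaa\n"
           " domain isp1\n  vpn-instance vrf1\n  ip-pool pool1\n domain isp2\n  vpn-instance vrf2\n  ip-pool pool2\n#\n")
```

Run `audit(LAC_CFG, LNS_CFG)` to list the findings for the constructed pair; on the real files above, the only findings are the `simple` tunnel passwords and the cleartext RADIUS shared key.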
Updated: 2018-07-12

Document ID: EDOC1100028564
