Example for Configuring DSVPN in Non-Shortcut Mode (OSPF Routing Protocol)
Configuration Roadmap
Because the branches access the public network with dynamic addresses and do not know each other's public addresses, DSVPN must be used to set up VPN connections between the branches.
Because the number of branches is small, DSVPN in non-shortcut mode is used.
Because the subnets at the branches and the headquarters change frequently, OSPF is deployed to carry branch-to-headquarters traffic, which simplifies maintenance and matches the enterprise network plan.
Procedure
- Configure interface IP addresses
Configure IP addresses for the interfaces on each device.
# Configure interface IP addresses on the Hub.
<HUAWEI> system-view
[~HUAWEI] sysname Hub
[*Hub] interface GigabitEthernet 1/0/0
[*Hub-GigabitEthernet1/0/0] ip address 10.1.1.10 255.255.255.0
[*Hub-GigabitEthernet1/0/0] binding tunnel gre
[*Hub-GigabitEthernet1/0/0] quit
[*Hub] interface tunnel 0
[*Hub-Tunnel0] ip address 172.16.1.1 255.255.255.0
[*Hub-Tunnel0] quit
[*Hub] interface loopback 0
[*Hub-LoopBack0] ip address 192.168.0.1 255.255.255.255
[*Hub-LoopBack0] quit
[*Hub] commit
Configure IP addresses for the interfaces of Spoke1 and Spoke2 according to Figure 5-3. The procedure is the same as for the Hub and is omitted here.
- Configure reachable public network routes between the devices
Configure OSPF on each device so that the public network routes are reachable.
# Configure OSPF on the Hub.
[~Hub] ospf 2 router-id 10.1.1.10
[*Hub-ospf-2] area 0.0.0.1
[*Hub-ospf-2-area-0.0.0.1] network 10.1.1.0 0.0.0.255
[*Hub-ospf-2-area-0.0.0.1] quit
[*Hub-ospf-2] quit
[*Hub] commit
# Configure OSPF on Spoke1.
[~Spoke1] ospf 2 router-id 10.1.2.10
[*Spoke1-ospf-2] area 0.0.0.1
[*Spoke1-ospf-2-area-0.0.0.1] network 10.1.2.0 0.0.0.255
[*Spoke1-ospf-2-area-0.0.0.1] quit
[*Spoke1-ospf-2] quit
[*Spoke1] commit
# Configure OSPF on Spoke2.
[~Spoke2] ospf 2 router-id 10.1.3.10
[*Spoke2-ospf-2] area 0.0.0.1
[*Spoke2-ospf-2-area-0.0.0.1] network 10.1.3.0 0.0.0.255
[*Spoke2-ospf-2-area-0.0.0.1] quit
[*Spoke2-ospf-2] quit
[*Spoke2] commit
- Configure basic OSPF functions
# Configure the Hub.
[~Hub] ospf 1 router-id 172.16.1.1
[*Hub-ospf-1] area 0.0.0.0
[*Hub-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[*Hub-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[*Hub-ospf-1-area-0.0.0.0] quit
[*Hub-ospf-1] quit
[*Hub] commit
# Configure Spoke1.
[~Spoke1] ospf 1 router-id 172.16.1.2
[*Spoke1-ospf-1] area 0.0.0.0
[*Spoke1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[*Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[*Spoke1-ospf-1-area-0.0.0.0] quit
[*Spoke1-ospf-1] quit
[*Spoke1] commit
# Configure Spoke2.
[~Spoke2] ospf 1 router-id 172.16.1.3
[*Spoke2-ospf-1] area 0.0.0.0
[*Spoke2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[*Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[*Spoke2-ospf-1-area-0.0.0.0] quit
[*Spoke2-ospf-1] quit
[*Spoke2] commit
Only one branch subnet is configured for each branch here. If the subnet environment changes, you only need to configure the corresponding dynamic routing attributes on the local device.
- Enable NHRP globally
# Configure the Hub.
[~Hub] nhrp enable
The configuration on the Spokes is similar to that on the Hub and is not repeated here.
- Configure tunnel interfaces
Configure tunnel interfaces on the Hub and the Spokes, and configure a static NHRP peer entry for the Hub on Spoke1 and Spoke2.
# Configure the tunnel interface on the Hub.
[~Hub] interface tunnel 0
[*Hub-Tunnel0] tunnel-protocol gre p2mp
[*Hub-Tunnel0] nhrp enable
[*Hub-Tunnel0] source gigabitethernet 1/0/0
[*Hub-Tunnel0] nhrp entry multicast dynamic
[*Hub-Tunnel0] ospf network-type p2mp
[*Hub-Tunnel0] quit
[*Hub] commit
# Configure the tunnel interface and the static NHRP peer entry for the Hub on Spoke1.
[~Spoke1] interface tunnel 0
[*Spoke1-Tunnel0] tunnel-protocol gre p2mp
[*Spoke1-Tunnel0] nhrp enable
[*Spoke1-Tunnel0] source gigabitethernet 1/0/0
[*Spoke1-Tunnel0] nhrp entry 172.16.1.1 10.1.1.10 register
[*Spoke1-Tunnel0] ospf network-type p2mp
[*Spoke1-Tunnel0] quit
[*Spoke1] commit
# Configure the tunnel interface and the static NHRP peer entry for the Hub on Spoke2.
[~Spoke2] interface tunnel 0
[*Spoke2-Tunnel0] tunnel-protocol gre p2mp
[*Spoke2-Tunnel0] nhrp enable
[*Spoke2-Tunnel0] source gigabitethernet 1/0/0
[*Spoke2-Tunnel0] nhrp entry 172.16.1.1 10.1.1.10 register
[*Spoke2-Tunnel0] ospf network-type p2mp
[*Spoke2-Tunnel0] quit
[*Spoke2] commit
- Verify the DSVPN configuration
After the configuration is complete, check the NHRP peer information on the Spokes.
# Run the display nhrp peer all command on Spoke1. The result is as follows.
[~Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type      Flag
-------------------------------------------------------------------------------
172.16.1.1       32    10.1.1.10        172.16.1.1       hub       up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time   : 00:10:58
Expire time    : --
Number of nhrp peers: 1
# Run the display nhrp peer all command on Spoke2. The result is as follows.
[~Spoke2] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type      Flag
-------------------------------------------------------------------------------
172.16.1.1       32    10.1.1.10        172.16.1.1       hub       up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time   : 00:07:55
Expire time    : --
Number of nhrp peers: 1
After the preceding configuration is complete, the display nhrp peer all command shows only the static NHRP peer entry of the Hub on Spoke1 and Spoke2.
Check the registration information of Spoke1 and Spoke2 on the Hub.
# Run the display nhrp peer all command on the Hub. The result is as follows.
[~Hub] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type      Flag
-------------------------------------------------------------------------------
172.16.1.2       32    10.1.2.10        172.16.1.2       registered up|unique
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time   : 00:02:02
Expire time    : 01:57:58
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type      Flag
-------------------------------------------------------------------------------
172.16.1.3       32    10.1.3.10        172.16.1.3       registered up|unique
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time   : 00:01:53
Expire time    : 01:59:35
Number of nhrp peers: 2
- Run ping to check the configuration result
On Spoke1, ping the subnet address 192.168.2.1 of branch Spoke2. Spoke1 and Spoke2 can then each see the other's dynamic NHRP peer entry.
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The result is as follows.
[~Spoke1] ping -a 192.168.1.1 192.168.2.1
  PING 192.168.2.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
    Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
    Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
    Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
    Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

  --- 192.168.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/3 ms
# Run the display nhrp peer all command on Spoke1. The result is as follows.
[~Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type      Flag
-------------------------------------------------------------------------------
172.16.1.1       32    10.1.1.10        172.16.1.1       hub       up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time   : 00:46:35
Expire time    : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type      Flag
-------------------------------------------------------------------------------
172.16.1.3       32    10.1.3.10        172.16.1.3       remote    up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time   : 00:00:28
Expire time    : 01:59:32
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type      Flag
-------------------------------------------------------------------------------
172.16.1.2       32    10.1.2.10        172.16.1.2       local     up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time   : 00:00:28
Expire time    : 01:59:32
Number of nhrp peers: 3
# Run the display nhrp peer all command on Spoke2. The result is as follows.
[~Spoke2] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type      Flag
-------------------------------------------------------------------------------
172.16.1.1       32    10.1.1.10        172.16.1.1       hub       up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time   : 00:43:32
Expire time    : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type      Flag
-------------------------------------------------------------------------------
172.16.1.2       32    10.1.2.10        172.16.1.2       remote    up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time   : 00:00:47
Expire time    : 01:59:13
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type      Flag
-------------------------------------------------------------------------------
172.16.1.3       32    10.1.3.10        172.16.1.3       local     up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time   : 00:00:47
Expire time    : 01:59:13
Number of nhrp peers: 3
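The two verification steps above describe the peer table a Spoke should show before any spoke-to-spoke traffic (only the Hub's static entry, which never expires) and after the ping (an additional dynamic remote entry with an expiry, plus the local entry). As an added check that is not part of this documentation, the following Python script parses display nhrp peer all output into records and compares a Spoke's table with that expected state, so the same assertions can be run from a monitoring job instead of by eye. The two sample outputs are constructed from the Spoke1 results shown above; the expected Hub tunnel address 172.16.1.1 and NBMA address 10.1.1.10 are the ones configured in this example.

```python
import re

# Constructed sample: "display nhrp peer all" on Spoke1 before any spoke-to-spoke
# traffic (addresses and layout follow the example above).
SPOKE1_BEFORE_PING = """\
[~Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type      Flag
-------------------------------------------------------------------------------
172.16.1.1       32    10.1.1.10        172.16.1.1       hub       up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time   : 00:10:58
Expire time    : --
Number of nhrp peers: 1
"""

# Constructed sample: the same command on Spoke1 after pinging Spoke2's subnet.
SPOKE1_AFTER_PING = """\
[~Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type      Flag
-------------------------------------------------------------------------------
172.16.1.1       32    10.1.1.10        172.16.1.1       hub       up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time   : 00:46:35
Expire time    : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type      Flag
-------------------------------------------------------------------------------
172.16.1.3       32    10.1.3.10        172.16.1.3       remote    up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time   : 00:00:28
Expire time    : 01:59:32
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr        NextHop-addr     Type      Flag
-------------------------------------------------------------------------------
172.16.1.2       32    10.1.2.10        172.16.1.2       local     up
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0
Created time   : 00:00:28
Expire time    : 01:59:32
Number of nhrp peers: 3
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER_RE = re.compile(rf"^(?P<proto>{IPV4})\s+(?P<mask>\d+)\s+(?P<nbma>{IPV4})\s+"
                     rf"(?P<nexthop>{IPV4})\s+(?P<type>\S+)\s+(?P<flag>\S+)\s*$")

def parse_nhrp_peers(text):
    # One dict per table row; the 'Expire time' line below a row is attached to it.
    peers, current = [], None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = m.groupdict()
            current["flags"] = set(current.pop("flag").split("|"))
            peers.append(current)
        elif current is not None and line.startswith("Expire time"):
            current["expire"] = line.split(":", 1)[1].strip()
        elif line.startswith("Number of nhrp peers:"):
            declared = int(line.split(":", 1)[1])
            if declared != len(peers):
                raise ValueError(f"device reports {declared} peers, parsed {len(peers)}")
    return peers

def audit_spoke(peers, hub_tunnel_addr, hub_nbma_addr, expect_dynamic):
    # Compare a spoke's table with the state the example expects; empty list = OK.
    findings = []
    hubs = [p for p in peers if p["type"] == "hub"]
    if len(hubs) != 1:
        findings.append(f"expected exactly one hub entry, found {len(hubs)}")
    for h in hubs:
        if (h["proto"], h["nbma"]) != (hub_tunnel_addr, hub_nbma_addr):
            findings.append(f"hub entry maps {h['proto']} to {h['nbma']}, "
                            f"expected {hub_tunnel_addr} -> {hub_nbma_addr}")
        if h.get("expire") != "--" or "up" not in h["flags"]:
            findings.append("static hub entry should be permanent and up")
    remotes = [p for p in peers if p["type"] == "remote"]
    if expect_dynamic and not remotes:
        findings.append("no dynamic remote peer learned after spoke-to-spoke traffic")
    if not expect_dynamic and remotes:
        findings.append("unexpected dynamic peers: " + ", ".join(p["nbma"] for p in remotes))
    return findings

if __name__ == "__main__":
    for label, text, dyn in (("before", SPOKE1_BEFORE_PING, False), ("after", SPOKE1_AFTER_PING, True)):
        print(label, audit_spoke(parse_nhrp_peers(text), "172.16.1.1", "10.1.1.10", dyn) or "OK")
```

The hub-mapping check is the one worth keeping in production: a Spoke whose static entry maps the Hub's tunnel address to a different NBMA address would register with the wrong public endpoint, and that is visible in the peer table before any traffic is affected. The peer-count check guards against a truncated capture being audited as if it were complete.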
Configuration Files
Configuration file of the Hub
#
sysname Hub
#
nhrp enable
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.10 255.255.255.0
 binding tunnel gre
#
interface LoopBack0
 ip address 192.168.0.1 255.255.255.255
#
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp entry multicast dynamic
 nhrp enable
#
ospf 1 router-id 172.16.1.1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 192.168.0.0 0.0.0.255
#
ospf 2 router-id 10.1.1.10
 area 0.0.0.1
  network 10.1.1.0 0.0.0.255
#
return
Configuration file of Spoke1
#
sysname Spoke1
#
nhrp enable
#
interface GigabitEthernet1/0/0
 ip address 10.1.2.10 255.255.255.0
 binding tunnel gre
#
interface LoopBack0
 ip address 192.168.1.1 255.255.255.255
#
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp enable
 nhrp entry 172.16.1.1 10.1.1.10 register
#
ospf 1 router-id 172.16.1.2
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#
ospf 2 router-id 10.1.2.10
 area 0.0.0.1
  network 10.1.2.0 0.0.0.255
#
return
Configuration file of Spoke2
#
sysname Spoke2
#
nhrp enable
#
interface GigabitEthernet1/0/0
 ip address 10.1.3.10 255.255.255.0
 binding tunnel gre
#
interface LoopBack0
 ip address 192.168.2.1 255.255.255.255
#
interface Tunnel0
 ip address 172.16.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp enable
 nhrp entry 172.16.1.1 10.1.1.10 register
#
ospf 1 router-id 172.16.1.3
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
ospf 2 router-id 10.1.3.10
 area 0.0.0.1
  network 10.1.3.0 0.0.0.255
#
return
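The configuration files above are the artifact that actually gets reviewed and version-controlled, so it is worth being able to audit them mechanically. As an added example that is not part of this documentation, the following Python script parses Huawei-style configuration text into sections, determines each tunnel's DSVPN role (hub when it carries nhrp entry multicast dynamic, spoke when it carries a register entry), checks the per-tunnel lines this example requires (tunnel-protocol gre p2mp, nhrp enable, ospf network-type p2mp, global nhrp enable, binding tunnel gre on the source interface), and cross-checks that every Spoke's static entry names the Hub's real tunnel and NBMA addresses. It also reports that no IPsec profile is bound to the tunnel: this example sends GRE over the public network without encryption or integrity protection, and the check assumes a bound profile would appear as a line starting with ipsec under the tunnel interface. The two sample configurations are constructed from the Hub and Spoke1 files above, trimmed to the sections the checks use.

```python
# Constructed sample configuration files, reduced to the sections the checks
# need; the lines are copied from the Hub and Spoke1 configuration files above.
HUB_CFG = """\
sysname Hub
#
nhrp enable
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.10 255.255.255.0
 binding tunnel gre
#
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp entry multicast dynamic
 nhrp enable
"""

SPOKE1_CFG = """\
sysname Spoke1
#
nhrp enable
#
interface GigabitEthernet1/0/0
 ip address 10.1.2.10 255.255.255.0
 binding tunnel gre
#
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp enable
 nhrp entry 172.16.1.1 10.1.1.10 register
"""

REQUIRED_TUNNEL_LINES = ("tunnel-protocol gre p2mp", "nhrp enable", "ospf network-type p2mp")

def parse_sections(cfg):
    # Each '#' line starts a new (header, [body lines]) section.
    sections, current = [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
        elif line and current is None:
            current = (line, [])
            sections.append(current)
        elif line:
            current[1].append(line)
    return sections

def first_field(lines, prefix, index):
    # Return field `index` of the first line starting with `prefix`, or None.
    return next((l.split()[index] for l in lines if l.startswith(prefix)), None)

def describe(cfg):
    # Summarise a device: name, global NHRP state, and each tunnel's role/addresses.
    sections = parse_sections(cfg)
    heads = [h for h, _ in sections]
    ifaces = {h.split(" ", 1)[1]: body for h, body in sections if h.startswith("interface ")}
    dev = {"name": first_field(heads, "sysname ", 1), "global_nhrp": "nhrp enable" in heads, "tunnels": []}
    for name, body in ifaces.items():
        if not name.startswith("Tunnel"):
            continue
        t = {"name": name, "ip": first_field(body, "ip address ", 2), "nbma": None,
             "problems": [f"{name}: missing '{r}'" for r in REQUIRED_TUNNEL_LINES if r not in body]}
        src = first_field(body, "source ", 1)
        if src not in ifaces:
            t["problems"].append(f"{name}: source interface {src} not found")
        else:
            t["nbma"] = first_field(ifaces[src], "ip address ", 2)
            if "binding tunnel gre" not in ifaces[src]:
                t["problems"].append(f"{name}: source {src} lacks 'binding tunnel gre'")
        regs = [l.split() for l in body if l.startswith("nhrp entry ") and l.endswith(" register")]
        t["registrations"] = [(r[2], r[3]) for r in regs]
        t["role"] = "hub" if "nhrp entry multicast dynamic" in body else "spoke" if regs else "unknown"
        # Assumption: an IPsec profile bound to the tunnel would show as a line
        # starting with 'ipsec'. The example binds none, so GRE travels in clear.
        if not any(l.startswith("ipsec ") for l in body):
            t["problems"].append(f"{name}: no IPsec profile bound, GRE payload unprotected on the public network")
        dev["tunnels"].append(t)
    return dev

def cross_check(hub, spoke):
    # Every static registration on the spoke must name the hub's tunnel and NBMA addresses.
    hub_t = next((t for t in hub["tunnels"] if t["role"] == "hub"), None)
    if hub_t is None:
        return [f"{hub['name']}: no hub-role tunnel found"]
    expected = (hub_t["ip"], hub_t["nbma"])
    return [f"{spoke['name']} {t['name']}: registers {p}/{n}, hub is {expected[0]}/{expected[1]}"
            for t in spoke["tunnels"] for p, n in t["registrations"] if (p, n) != expected]
```

Run describe() over each device's file and cross_check() over every (Hub, Spoke) pair; a Spoke whose static entry drifted from the Hub's addresses (for example after the Hub's public address was renumbered) is reported before the change is pushed. The IPsec finding is informational for this non-shortcut GRE example, but in a real deployment it is the one a reviewer should not wave through.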