首页 > 其他分享 >【华三】ADVPN的Full-Mesh组网实验

【华三】ADVPN的Full-Mesh组网实验

时间:2024-10-10 18:17:33浏览次数:11  
标签:ADVPN 华三 Full Hub advpn 0.0 VAM Spoke2 Spoke1

【华三】ADVPN的Full-Mesh组网实验

在这里插入图片描述

基础内容可以查看本篇文章:【华三】ADVPN概述和组成

实验需求

根据拓扑结构和地址规划表,完成Hub和Spoke之间的ADVPN建立。
在这里插入图片描述
在这里插入图片描述

配置

拓扑

在这里插入图片描述

ISP

基础配置

[H3C]sysname ISP

[ISP]int g1/0
[ISP-GigabitEthernet1/0]ip address 202.101.100.254 24
[ISP-GigabitEthernet1/0]quit

[ISP]int g2/0
[ISP-GigabitEthernet2/0]ip address 202.101.10.1 30
[ISP-GigabitEthernet2/0]quit

[ISP]int g3/0
[ISP-GigabitEthernet3/0]ip address 202.101.20.1 30
[ISP-GigabitEthernet3/0]quit

[ISP]int g4/0
[ISP-GigabitEthernet4/0]ip address 202.101.30.1 30
[ISP-GigabitEthernet4/0]quit

VAM Server

基础配置

[H3C]sysname VAM_Server

[VAM_Server]int g1/0
[VAM_Server-GigabitEthernet1/0]ip address 202.101.100.100 24
[VAM_Server-GigabitEthernet1/0]quit

[VAM_Server]ip route-static 0.0.0.0 0 202.101.100.254

AAA设置

# i配置RADIUS方案 advpn
[VAM_Server]radius scheme advpn
[VAM_Server-radius-advpn]primary authentication 202.101.100.110 # 指定AAA服务器地址
[VAM_Server-radius-advpn]primary accounting 202.101.100.110     # AAA认证审计地址
[VAM_Server-radius-advpn]key authentication simple 123456       # AAA:客户端和服务器 认证密钥
[VAM_Server-radius-advpn]key accounting simple 123456		  	# AAA:客户端和服务器 审计密钥
[VAM_Server-radius-advpn]user-name-format without-domain 		# AAA认证域:用户认证时不用携带域名
[VAM_Server-radius-advpn]quit

# AAA认证激活
[VAM_Server]radius session-control enable 

# i配置ISP域的AAA方案‘advpn’
# i目的是调用前面的RADIUS方案‘advpn’
[VAM_Server]domain advpn
[VAM_Server-isp-advpn] authentication advpn radius-scheme advpn
[VAM_Server-isp-advpn] accounting advpn radius-scheme advpn
[VAM_Server-isp-advpn] quit

# i启用AAA方案‘advpn’
[VAM_Server]domain default enable advpn

指定谁是Hub、Spoke

# i创建ADVPN 的VAM 域‘advpn’‘1’
[VAM_Server]vam server advpn-domain advpn id 1
[VAM_Server-vam-server-domain-advpn]hub-group 1    								  # 创建Hub组“1”
[VAM_Server-vam-server-domain-advpn-hub-group-1]hub private-address 10.255.1.1	  # 指定hub的私网地址
[VAM_Server-vam-server-domain-advpn-hub-group-1]spoke private-address network 10  # 指定spoke的私网地址范围
.255.1.0 255.255.255.0
[VAM_Server-vam-server-domain-advpn-hub-group-1]quit
# i配置VAM Server的预共享密钥和认证方式,并开启server 功能
[VAM_Server-vam-server-domain-advpn]pre-shared-key simple 123456   
[VAM_Server-vam-server-domain-advpn]authentication-method chap 
[VAM_Server-vam-server-domain-advpn]server enable 
[VAM_Server-vam-server-domain-advpn]quit

Hub

基础配置

[H3C]sysname Hub

[Hub]int g1/0
[Hub-GigabitEthernet1/0]ip address 202.101.10.2 30
[Hub-GigabitEthernet1/0]qu

[Hub]int LoopBack 1
[Hub-LoopBack1]ip address 172.16.1.1 32
[Hub-LoopBack1]qu

[Hub]int LoopBack 2
[Hub-LoopBack2]ip address 172.16.1.2 32
[Hub-LoopBack2]quit

[Hub]int LoopBack 3
[Hub-LoopBack3]ip address 172.16.1.3 32
[Hub-LoopBack3]quit

[Spoke1]ip route-static 0.0.0.0 0 202.101.10.1

配置VAM Client

# i创建vam的client为“Hub”
[Hub]vam client name Hub
[Hub-vam-client-Hub]advpn-domain advpn            # 配置VAM Client所属的ADVPN域为“advpn”
[Hub-vam-client-Hub]pre-shared-key simple 123456  # 配置VAM Client的认证信息
[Hub-vam-client-Hub]user hub password simple hub 
[Hub-vam-client-Hub]server primary ip-address 202.101.100.100 # 指定VAM Server的IP地址
[Hub-vam-client-Hub]client enable                 # 启用client
[Hub-vam-client-Hub]quit

IPSec安全策略

# 因为与Hub进行数据传输的有很多Spoke,所以这边keychain的对等体地址设为匹配所有
[Hub]ike keychain advpn
[Hub-ike-keychain-advpn]pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub-ike-keychain-advpn]quit

[Hub]ike profile advpn
[Hub-ike-profile-advpn]keychain advpn
[Hub-ike-profile-advpn]quit

[Hub]ipsec transform-set advpn
[Hub-ipsec-transform-set-advpn]encapsulation-mode transport 
[Hub-ipsec-transform-set-advpn]esp encryption-algorithm des-cbc 
[Hub-ipsec-transform-set-advpn]esp authentication-algorithm md5 
[Hub-ipsec-transform-set-advpn]quit

[Hub]ipsec profile advpn isakmp 
[Hub-ipsec-profile-isakmp-advpn]transform-set advpn
[Hub-ipsec-profile-isakmp-advpn]ike-profile advpn
[Hub-ipsec-profile-isakmp-advpn]quit

隧道配置ADVPN

[Hub]ospf 1
[Hub-ospf-1]area 0
[Hub-ospf-1-area-0.0.0.0]network 10.255.1.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0]network 172.16.1.0 0.0.0.255

# 配置GRE封装的ADVPN隧道接口Tunnel1
[Hub]interface Tunnel1 mode advpn gre
[Hub-Tunnel1lip address 10.255.1.1 255.255.255.0
[Hub-Tunnel1]vam client Hub # 注意区分大小写
# Tunnel默认ospf网络类型为p2p,但此时Hub需要对多个Spoke建立邻居关系
# P2P并不支持,所以修改OSPF的网络类型为广播 
[Hub-Tunnel1]ospf network-type broadcast
[Hub-Tunnel1]source g1/0
# 调用IPSec安全策略
[Hub-Tunnel1]tunnel protection ipsec profile advpn

Spoke 1

基础配置

[H3C]sysname Spoke1

[Spoke1]int g1/0
[Spoke1-GigabitEthernet1/0]ip address 202.101.20.2 30
[Spoke1-GigabitEthernet1/0]quit

[Spoke1]int LoopBack 1
[Spoke1-LoopBack1]ip address 172.16.2.1 32
[Spoke1-LoopBack1]quit

[Spoke1]int LoopBack 2
[Spoke1-LoopBack2]ip address 172.16.2.2 32
[Spoke1-LoopBack2]quit

[Spoke1]int LoopBack 3
[Spoke1-LoopBack3]ip address 172.16.2.3 32
[Spoke1-LoopBack3]quit

[Spoke1]ip route-static 0.0.0.0 0 202.101.20.1

配置VAM Client

[Spoke1]vam client name Spoke1
[Spoke1-vam-client-Spoke1]advpn-domain advpn
[Spoke1-vam-client-Spoke1]pre-shared-key simple 123456
[Spoke1-vam-client-Spoke1]user spoke1 password simple spoke1
[Spoke1-vam-client-Spoke1]server primary ip-address 202.101.100.100
[Spoke1-vam-client-Spoke1]client enable 
[Spoke1-vam-client-Spoke1]quit

IPSec安全策略

[Spoke1]ike keychain advpn
[Spoke1-ike-keychain-advpn]pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke1-ike-keychain-advpn]quit

[Spoke1]ike profile advpn
[Spoke1-ike-profile-advpn]keychain advpn
[Spoke1-ike-profile-advpn]quit

[Spoke1]ipsec transform-set advpn
[Spoke1-ipsec-transform-set-advpn]encapsulation-mode transport 
[Spoke1-ipsec-transform-set-advpn]esp encryption-algorithm des-cbc 
[Spoke1-ipsec-transform-set-advpn]esp authentication-algorithm md5
[Spoke1-ipsec-transform-set-advpn]quit

[Spoke1]ipsec profile advpn isakmp 
[Spoke1-ipsec-profile-isakmp-advpn]ike-profile advpn
[Spoke1-ipsec-profile-isakmp-advpn]transform-set advpn
[Spoke1-ipsec-profile-isakmp-advpn]quit

配置advpn隧道

[Spoke1]ospf 1
[spoke1-ospf-1]area 0
[Spoke1-ospf-1-area-0.0.0.0]network 10.255.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0]network 172.16.1.0 0.0.0.255
[spoke1-ospf-1-area-0.0.0.0]quit
[spoke1-ospf-1]quit

# 配置ADVPN隧道,并修改网络类型
[Spoke1]interface Tunnel1 mode advpn gre
[Spoke1-Tunnel1] ip address 10.255.1.2 255.255.255.0
[Spoke1-Tunnel1] ospf network-type broadcast
# Hub为DR,其它Spoke为DRother,所以DR优先级为 0
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] source GigabitEthernet1/0
[Spoke1-Tunnel1] tunnel protection ipsec profile advpn
[Spoke1-Tunnel1] vam client Spoke1

Spoke 2

基础配置

[H3C]sysname Spoke2

[Spoke2]int g1/0
[Spoke2-GigabitEthernet1/0]ip address 202.101.30.2 30
[Spoke2-GigabitEthernet1/0]quit

[Spoke2]int LoopBack 1
[Spoke2-LoopBack1] ip address 172.16.3.1 32
[Spoke2-LoopBack1] quit

[Spoke2] int LoopBack 2
[Spoke2-LoopBack2] ip address 172.16.3.2 32
[Spoke2-LoopBack2] quit

[Spoke2] int LoopBack 3
[Spoke2-LoopBack3] ip address 172.16.3.3 32
[Spoke2-LoopBack3] quit

[Spoke2] ip route-static 0.0.0.0 0 202.101.30.1

配置VAM Client

[Spoke2]vam client name Spoke2
[Spoke2-vam-client-Spoke2]advpn-domain advpn
[Spoke2-vam-client-Spoke2]pre-shared-key simple 123456
[Spoke2-vam-client-Spoke2]user spoke2 password simple spoke2
[Spoke2-vam-client-Spoke2]server primary ip-address 202.101.100.100
[Spoke2-vam-client-Spoke2]client enable 
[Spoke2-vam-client-Spoke2]quit

IPSec安全策略

[Spoke2]ike keychain advpn
[Spoke2-ike-keychain-advpn]pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Spoke2-ike-keychain-advpn]quit

[Spoke2]ike profile advpn
[Spoke2-ike-profile-advpn]keychain advpn
[Spoke2-ike-profile-advpn]quit

[Spoke2]ipsec transform-set advpn
[Spoke2-ipsec-transform-set-advpn]encapsulation-mode transport 
[Spoke2-ipsec-transform-set-advpn]esp encryption-algorithm des-cbc 
[Spoke2-ipsec-transform-set-advpn]esp authentication-algorithm md5
[Spoke2-ipsec-transform-set-advpn]quit

[Spoke2]ipsec profile advpn isakmp 
[Spoke2-ipsec-profile-isakmp-advpn]transform-set advpn
[Spoke2-ipsec-profile-isakmp-advpn]ike-profile advpn
[Spoke2-ipsec-profile-isakmp-advpn]quit

配置advpn隧道

[Spoke2]ospf 1
[Spoke2-ospf-1]area 0
[Spoke2-ospf-1-area-0.0.0.0]network 10.255.1.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0]network 172.16.3.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0]quit
[Spoke2-ospf-1]quit

[Spoke2]int Tunnel1 mode advpn gre 
[Spoke2-Tunnel1]ip address 10.255.1.3 24
[Spoke2-Tunnel1]source g1/0
[Spoke2-Tunnel1]vam client Spoke2
[Spoke2-Tunnel1]ospf dr-priority 0
[Spoke2-Tunnel1]ospf network-type broadcast 
[Spoke2-Tunnel1]tunnel protection ipsec profile advpn
[Spoke2-Tunnel1]quit

AAA服务器(Win7)

配置IP地址和网关

在这里插入图片描述
ping成功
在这里插入图片描述

WinRadius配置

多重秘钥

在这里插入图片描述

在这里插入图片描述

添加用来认证的本地用户

在这里插入图片描述

在这里插入图片描述

在这里插入图片描述

查看WinRadius的日志

在添加好本地用户后,Hub和Spoke都认证通过了

在这里插入图片描述

检查

查看注册到VAM Server的VAM Client映射信息

在这里插入图片描述

查看Hub上的IPv4 ADVPN隧道信息

在这里插入图片描述

查看Spoke上的IPv4 ADVPN隧道信息

在这里插入图片描述

查看Spoke上的IPv4 ADVPN隧道信息(Spoke数据交互)

在这里插入图片描述

查看Hub和Spoke的路由表

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

标签:ADVPN,华三,Full,Hub,advpn,0.0,VAM,Spoke2,Spoke1
From: https://blog.csdn.net/2301_77161465/article/details/142719250

相关文章

  • 频繁full gc 如何排查
    频繁fullgc通常表明应用程序在内存管理方面存在问题,可能导致性能下降,下面是排查步骤和一个详细的示例排查步骤收集GC日志首先,需要开启详细的GC日志,在JVM参数中添加-XX:+PrintGCDetails-XX:+PrintGCDateStamps-Xloggc:/path/to/gc.log分析GC日志使用工具GCViewer......
  • Fully-developed Web App
    Assessment2:Fully-developedWebApp-DetailsWeighting:50%(PairorIndividual)NB:youshouldnotstartthisassignmentuntil after youhavesubmittedassignment1Overview- Fully-developedWebAppDue:Sunday27/10/24@11:59:00PM(Week5)Taskdes......
  • 如何排查系统频繁执行full GC
    前言:频繁的FullGarbageCollection(FullGC)通常表明了Java应用程序中的内存管理存在问题。这可能是由于堆内存不足、对象生命周期过长、或是内存泄漏等原因导致的。以下是一些排查系统频繁执行FullGC的方法:分析堆内存使用情况:使用JVM提供的工具如jstat或可视化工具如Vis......
  • MySQL 默认 only_full_group_by
    ONLY_FULL_GROUP_BY是MySQL中的一个SQL模式,它要求在使用GROUPBY语句时,SELECT列表、HAVING条件或ORDERBY列表中的每个列,要么是聚合函数的一部分(如COUNT(),SUM(),AVG()等),要么必须在GROUPBY子句中明确指定。这个模式的设计初衷是增强查询的准确性和可预测性,避免因为列的不明确引......
  • 华三设备的用户创建、ssh、telnet等的配置
    sshserverenabletelnetserverenablepublic-keylocalcreatersapublic-keylocalcreatedsauser-interfacevty04authentication-modeschemeprotocolinboundsshqulocal-usertonyclassmanagepasswordsimpleroot#12345service-typeterminalsshteln......
  • show processlist和show full processlist说明
    showprocesslist和showfullprocesslistprocesslist命令的输出结果显示了有哪些线程在运行,不仅可以查看当前所有的连接数,还可以查看当前的连接状态帮助识别出有问题的查询语句等。如果是root帐号,能看到所有用户的当前连接。如果是其他普通帐号,则只能看到自己占用的连接。showp......
  • 华三设备开启dhcp服务 堆叠
    华三交换机堆叠[SW1]irfmember1priority10#配置设备号,调整优先级[SW1]interfacerangeTen-GigabitEthernet1/0/51toTen-GigabitEthernet1/0/52#批量管理做堆叠的接口[SW1-if-range]shutdown#先down接口[SW1-irf-port1/1]disthirf-port1/1#创建虚拟接口,将接口......
  • 关于RESTfull
    目录关于RESTful资源资源表现总结关于RESTfulREST的全称是RepresentationalStateTransfer中文含义表现层状态转化。符合REST规范的设计,我们称为RESTful设计。它的设计哲学主要是将服务器提供的内容实体看作一个资源,并表现在URL上。资源如下地址,这个地址代表了一个资源......
  • 华三防火墙对象组-策略
    1.1 对象策略简介对象策略基于全局进行配置,基于安全域间实例进行应用。在安全域间实例上应用对象策略可实现对报文流的检查,并根据检查结果允许或拒绝其通过。对象策略通过配置对象策略规则实现。有关安全域间实例的详细介绍和配置,请参见“安全配置指导”中的“安全域”。1.1.1 ......
  • WPF window fill the full screen and overlap on the taskbar
    WindowState="Maximized"WindowStyle="None"   <Windowx:Class="WpfApp409.MainWindow"xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"xmlns:x="http://schemas.microsof......