Typical configuration case: users from different domains dialing into different MPLS VPNs (VPE)
【Customer requirements】
The customer has deployed a network-wide MPLS L3 VPN and split it into two VPNs for different business lines, VPN10 and VPN20. For mobile staff, the customer wants a user who dials in to reach only the resources of the VPN that belongs to their own business line, and nothing else. For ease of use, the user should ideally be placed into the right VPN based on the username alone; to secure the dial-in access, L2TP over IPsec is used.
【Topology】
【Configuration meeting the requirements (VPE side)】
#
sysname VPE
#
l2tp enable //enable L2TP
l2tpmoreexam enable //enable L2TP multi-instance
#
ike local-name VPE
#
mpls lsr-id 1.1.1.1
#
mpls
lsp-trigger all
#
mpls ldp
#
ip vpn-instance 10 //configure VPN 10
route-distinguisher 10:1
vpn-target 10:1 export-extcommunity
vpn-target 10:1 import-extcommunity
#
ip vpn-instance 20 //configure VPN 20
route-distinguisher 20:1
vpn-target 20:1 export-extcommunity
vpn-target 20:1 import-extcommunity
#
domain 10 //configure the address pool for domain 10
ip pool 10 10.100.100.2 10.100.100.200
domain 20 //configure the address pool for domain 20
ip pool 20 20.100.100.2 20.100.100.200
domain system
#
local-user 10 // the local username carries neither the "@" nor the domain name
password simple 10
local-user 20
password simple 20
#
ike proposal 1 //configure the IKE proposal
#
ike peer pc
exchange-mode aggressive
pre-shared-key vpe
id-type name
remote-name pc
nat traversal
#
ipsec proposal pro1
#
ipsec policy-template ipsec_t 10
ike-peer pc
proposal pro1
#
ipsec policy ipsec 10 isakmp template ipsec_t
#
interface Virtual-Template1 //configure the virtual template; each domain needs its own virtual template
ppp authentication-mode pap domain 10
ip binding vpn-instance 10 //each virtual template is bound to a different VRF
ip address 10.100.100.1 255.255.255.0
remote address pool 10
#
interface Virtual-Template2
ppp authentication-mode pap domain 20
ip binding vpn-instance 20
ip address 20.100.100.1 255.255.255.0
remote address pool 20
#
interface Ethernet1/0
ip address 99.99.99.1 255.255.255.252
mpls
mpls ldp enable
#
interface Ethernet2/0
ip address 88.88.88.8 255.255.255.0
ipsec policy ipsec
#
interface Ethernet3/0
#
interface Ethernet4/0
#
interface NULL0
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
l2tp-group 1 //configure the l2tp-group; each domain needs its own l2tp-group
undo tunnel authentication
allow l2tp virtual-template 1 remote 10 domain 10 //specify the dial-in user's LAC name and domain
#
l2tp-group 2
undo tunnel authentication //the LAC name must differ between l2tp-groups
allow l2tp virtual-template 2 remote 20 domain 20
#
bgp 65530
undo synchronization
group in internal
peer 2.2.2.2 group in
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family vpn-instance 10
import-route direct
undo synchronization
#
ipv4-family vpn-instance 20
import-route direct
undo synchronization
#
ipv4-family vpnv4
peer in enable
peer 2.2.2.2 group in
#
ip route-static 2.2.2.2 255.255.255.255 99.99.99.2 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return
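The requirement is satisfied only if the three per-domain objects line up: the l2tp-group's `allow l2tp ... domain` entry, the virtual template that authenticates that domain, and the vpn-instance and address pool that template uses. A mis-bound template would silently drop one domain's users into the other VPN, which the dial-in test alone would not reveal. The following Python script is an added example (not part of the original case and not vendor code): it parses the handful of Comware commands used above and audits that mapping, reporting any template bound to a missing or wrong VRF, any pool not defined under the matching domain, and any VRF reachable from two domains. It also flags `undo tunnel authentication`, since the LAC is then identified by its tunnel name only. The embedded configuration is a constructed excerpt of the VPE configuration; the parser understands only the commands this case uses, which is an assumption of the example rather than a general Comware parser.

```python
from collections import defaultdict

# Constructed sample: the sections of the VPE configuration above that define
# the domain -> virtual template -> VRF mapping (other sections omitted).
SAMPLE_CONFIG = """\
#
ip vpn-instance 10 //configure VPN 10
#
ip vpn-instance 20 //configure VPN 20
#
domain 10
ip pool 10 10.100.100.2 10.100.100.200
domain 20
ip pool 20 20.100.100.2 20.100.100.200
domain system
#
interface Virtual-Template1
ppp authentication-mode pap domain 10
ip binding vpn-instance 10
remote address pool 10
#
interface Virtual-Template2
ppp authentication-mode pap domain 20
ip binding vpn-instance 20
remote address pool 20
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1 remote 10 domain 10
#
l2tp-group 2
undo tunnel authentication
allow l2tp virtual-template 2 remote 20 domain 20
#
"""


def parse_config(text):
    """Parse the subset of Comware commands that define the domain -> VT -> VRF mapping."""
    cfg = {"vpn_instances": set(), "domains": {}, "vtemplates": {}, "l2tp_groups": {}}
    ctx = None  # (view kind, name) of the block we are currently inside
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing // comments
        if not line:
            continue
        if line == "#":  # a lone '#' ends the current view
            ctx = None
            continue
        w = line.split()
        if w[:2] == ["ip", "vpn-instance"]:
            cfg["vpn_instances"].add(w[2])
            ctx = ("vpn", w[2])
        elif w[0] == "domain":
            cfg["domains"].setdefault(w[1], {})
            ctx = ("domain", w[1])
        elif w[0] == "interface" and w[1].lower().startswith("virtual-template"):
            num = w[1][len("virtual-template"):]
            cfg["vtemplates"][num] = {"domain": None, "vrf": None, "pool": None}
            ctx = ("vt", num)
        elif w[0] == "l2tp-group":
            cfg["l2tp_groups"][w[1]] = {"tunnel_auth": True, "allow": []}
            ctx = ("l2tp", w[1])
        elif ctx is None:
            continue
        elif ctx[0] == "domain" and w[:2] == ["ip", "pool"]:
            cfg["domains"][ctx[1]][w[2]] = (w[3], w[4])  # pool id -> (first, last)
        elif ctx[0] == "vt":
            vt = cfg["vtemplates"][ctx[1]]
            if w[:2] == ["ppp", "authentication-mode"] and "domain" in w:
                vt["domain"] = w[w.index("domain") + 1]
            elif w[:3] == ["ip", "binding", "vpn-instance"]:
                vt["vrf"] = w[3]
            elif w[:3] == ["remote", "address", "pool"]:
                vt["pool"] = w[3]
        elif ctx[0] == "l2tp":
            g = cfg["l2tp_groups"][ctx[1]]
            if w[:3] == ["undo", "tunnel", "authentication"]:
                g["tunnel_auth"] = False
            elif w[:3] == ["allow", "l2tp", "virtual-template"]:
                # allow l2tp virtual-template <T> remote <LAC-name> [domain <D>]
                dom = w[w.index("domain") + 1] if "domain" in w else None
                g["allow"].append({"vt": w[3], "remote": w[5], "domain": dom})
    return cfg


def domain_vrf_map(cfg):
    """Which VRF each PPP authentication domain lands in (through its virtual template)."""
    return {vt["domain"]: vt["vrf"] for vt in cfg["vtemplates"].values() if vt["domain"]}


def audit_separation(cfg):
    """Return human-readable findings; an empty list means the mapping is consistent."""
    findings = []
    for gname, g in sorted(cfg["l2tp_groups"].items()):
        if not g["tunnel_auth"]:
            findings.append(f"l2tp-group {gname}: tunnel authentication disabled, LAC identified by name only")
        for a in g["allow"]:
            where = f"l2tp-group {gname} -> Virtual-Template{a['vt']}"
            vt = cfg["vtemplates"].get(a["vt"])
            if vt is None:
                findings.append(f"{where}: virtual template not defined")
                continue
            if a["domain"] is None:
                findings.append(f"{where}: allow l2tp has no domain restriction")
            elif vt["domain"] != a["domain"]:
                findings.append(f"{where}: l2tp domain {a['domain']} but template authenticates domain {vt['domain']}")
            if vt["vrf"] is None:
                findings.append(f"{where}: not bound to a vpn-instance, users would land in the public routing table")
            elif vt["vrf"] not in cfg["vpn_instances"]:
                findings.append(f"{where}: vpn-instance {vt['vrf']} does not exist")
            if a["domain"] is not None and vt["pool"] not in cfg["domains"].get(a["domain"], {}):
                findings.append(f"{where}: address pool {vt['pool']} is not defined under domain {a['domain']}")
    reach = defaultdict(set)  # vrf -> set of domains whose users land in it
    for vt in cfg["vtemplates"].values():
        if vt["vrf"] and vt["domain"]:
            reach[vt["vrf"]].add(vt["domain"])
    for vrf, doms in sorted(reach.items()):
        if len(doms) > 1:
            findings.append(f"vpn-instance {vrf}: reachable from domains {sorted(doms)}, separation broken")
    return findings


if __name__ == "__main__":
    for finding in audit_separation(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the configuration as written, the audit reports only the two disabled tunnel-authentication entries; swapping Virtual-Template2's binding to `ip binding vpn-instance 10` makes VRF 10 reachable from both domains and is reported as a broken separation.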
【Verifying whether the dial-in succeeds】
[VPE]dis l2tp tun
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName KeepStanding
1 1 88.88.88.9 57344 1 20 NO
Total tunnel = 1
[VPE]dis l2tp user
User Name LocalSID RemoteSID LocalTID
20@20 619 1049 1
Total user = 1
[VPE]dis ipsec tun
------------------------------------------------
Connection ID : 6
Perfect forward secrecy: None
SA's SPI :
Inbound : 803308295 (0x2fe18307) [ESP]
Outbound : 1038224899 (0x3de20e03) [ESP]
Tunnel :
Local Address: 88.88.88.8 Remote Address : 88.88.88.9
Flow : (238 times matched)
Sour Addr : 88.88.88.8/255.255.255.255 Port: 1701 Protocol : UDP
Dest Addr : 88.88.88.9/255.255.255.255 Port: 0 Protocol : UDP
Conclusion: the L2TP tunnel and the IPsec tunnel are both established, the L2TP+IPsec dial-in succeeded, and user 20@20 dialed in successfully; the same checks can be used to verify whether user 20@20 dials in successfully.
【Verifying whether the dial-in user has been placed in the MPLS VPN】
[VPE]dis ip rou vpn 20
20 Route Information
Routing Table: 20 Route-Distinguisher: 20:1
Destination/Mask Protocol Pre Cost Nexthop Interface
20.0.0.0/24 BGP 256 0 2.2.2.2 InLoopBack0
20.100.100.0/24 DIRECT 0 0 20.100.100.1 Virtual-Template2
20.100.100.1/32 DIRECT 0 0 127.0.0.1 InLoopBack0
20.100.100.7/32 DIRECT 0 0 20.100.100.7 Virtual-Template2
Conclusion: the virtual template's directly connected route has been imported into the VRF of VPN 20, so the user has dialed into VPN 20. The best verification, of course, is that the dial-in user can reach the business services it needs.