network123 posted on 2026-3-8 21:05:07

The ultimate nested use of multiple VPN protocols

This post was last edited by network123 on 2026-3-12 09:04

<p>I recently worked on a project in which the customer's network used a remarkable number of VPN protocols. I'm sharing the case today so that everyone can better understand what a VPN really is.</p>
<p>What is a VPN? The user's original private-network data is wrapped by some encapsulation protocol and then carried across an untrusted public network.</p>
<p>Different functions call for different encapsulation protocols:</p>
<p>L2TP VPN and SSL VPN give mobile workers flexible access to the headquarters network</p>
<p>IPsec VPN provides confidentiality and integrity checking for the user's original data</p>
<p>GRE VPN carries multicast protocol traffic across a unicast-only network</p>
<p>These VPN technologies can be used on their own or, depending on customer requirements, nested inside one another.</p>
<p>Today I'll use a real case to walk through the nested use of VPN technologies.</p>
<hr />
<p>Network topology</p>
<p><img src="data/attachment/forum/202603/08/212101c1qlclnw0w17lz9t.png" alt="1.png" title="1.png" /></p>
<p>1. The headquarters egress is a security firewall, configured with a NAT Server mapping for the L2TP protocol to the central router's service interface.</p>
<p>The central device is a router configured with the various VPN technologies needed to meet the customer's business requirements.</p>
<p>2. The branch egress router dials in to the central router so that the Client can securely reach the Server at headquarters.</p>
<hr />
<p>Key configuration of the central router</p>
<pre><code>ZhongXin#sh running-config
!
hostname ZhongXin

aaa new-model
!
!
aaa authentication ppp default local
!
!
ip vrf aa
rd 100:1
route-target export 200:1
route-target import 200:1
!
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
username test password 0 test
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key ruijie address 0.0.0.0
!
!
crypto ipsec transform-set aa ah-sha256-hmac
mode transport
!
!
crypto map ipsec 10 ipsec-isakmp
set peer 172.16.10.2
set transform-set aa
match address 100
!
!   
interface Loopback1
ip address 172.16.10.1 255.255.255.0
!
interface Tunnel1
ip address 192.168.200.1 255.255.255.0
mpls bgp forwarding
mpls ip
tunnel source 172.16.10.1
tunnel destination 172.16.10.2
!
interface Ethernet0/0
ip address 172.16.99.100 255.255.255.0
duplex auto
!
interface Ethernet0/1
ip vrf forwarding aa
ip address 172.16.200.1 255.255.255.0
duplex auto
!
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool l2tp
ppp authentication chap
crypto map ipsec
!
router bgp 100
bgp log-neighbor-changes
neighbor 192.168.200.2 remote-as 200
!
address-family vpnv4
neighbor 192.168.200.2 activate
neighbor 192.168.200.2 send-community both
exit-address-family
!
address-family ipv4 vrf aa
redistribute connected
exit-address-family
!
ip local pool l2tp 172.16.10.2 172.16.10.100
!
!
ip route 0.0.0.0 0.0.0.0 172.16.99.1
!
!
mpls ldp router-id Loopback1 force

access-list 100 permit gre host 172.16.10.1 host 172.16.10.2
!
!

</code></pre>
<hr />
<p>Key configuration of the branch device</p>
<pre><code>WangDian#sh running-config
!
hostname WangDian
!
!
ip vrf aa
rd 100:1
route-target export 200:1
route-target import 200:1
!
!
l2tp-class lac
!
vpdn enable
!
pseudowire-class lac
encapsulation l2tpv2
protocol l2tpv2 lac
ip local interface Ethernet0/0
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key ruijie address 172.16.10.1
!
!
crypto ipsec transform-set aa ah-sha256-hmac
mode transport
!
!
crypto map ipsec 10 ipsec-isakmp
set peer 172.16.10.1
set transform-set aa
match address 100
!
!
interface Tunnel1
ip address 192.168.200.2 255.255.255.0
mpls bgp forwarding
mpls ip
tunnel source 172.16.10.2
tunnel destination 172.16.10.1
!
interface Ethernet0/0
ip address 200.1.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
!
interface Ethernet0/1
ip vrf forwarding aa
ip address 192.168.100.1 255.255.255.0
duplex auto
!
!
interface Virtual-PPP1
ip address 172.16.10.2 255.255.255.0
ppp chap hostname test
ppp chap password 0 test
pseudowire 100.1.1.2 12 encapsulation l2tpv2 pw-class lac
crypto map ipsec
!
router bgp 200
bgp log-neighbor-changes
neighbor 192.168.200.1 remote-as 100
!
address-family vpnv4
neighbor 192.168.200.1 activate
neighbor 192.168.200.1 send-community both
exit-address-family
!
address-family ipv4 vrf aa
redistribute connected
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 200.1.1.1
!
!
mpls ldp router-id Virtual-PPP1 force

access-list 100 permit gre host 172.16.10.2 host 172.16.10.1
!
</code></pre>
<hr />
<p>With the configuration above in place, the branch Client can reach the central Server normally; the final data encapsulation is shown below</p>
<p><img src="data/attachment/forum/202603/12/090206ofycee2ip2ci6j3i.png" alt="无标题.png" title="无标题.png" /></p>
<p>The encapsulation shows that the customer's original data is wrapped in four layers of VPN for transport, each layer serving a different functional need. This increases configuration complexity, and every original packet carries more than 100 bytes of extra encapsulation, so bandwidth efficiency is relatively poor.</p>
<p>Of course, this is an extreme form of encapsulation and is rarely used in real projects.</p>
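<p>As an added example (not code from the original post), the Python below builds the four-layer encapsulation the two configs produce for one Client-to-Server packet and performs the receiver-side AH integrity check. The VPN label, SPI, sequence number, L2TP tunnel/session ids, the AH key, and PPP address/control field compression are assumed values; under those assumptions the overhead is 92 bytes before the Ethernet header, and because the transform set is AH-only the original packet is authenticated but travels unencrypted.</p>

```python
import hashlib, hmac, struct
from ipaddress import IPv4Address

AH_KEY = b"assumed-32-byte-key-for-the-demo"  # constructed demo key (assumed)

def csum(data):
    """RFC 1071 one's-complement checksum of an even-length byte string."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    s = (s >> 16) + (s & 0xFFFF)
    return ~(s + (s >> 16)) & 0xFFFF

def ipv4(src, dst, proto, payload):
    """IPv4 header without options (TTL 64) plus payload, checksum filled in."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                    IPv4Address(src).packed, IPv4Address(dst).packed)
    return h[:10] + struct.pack("!H", csum(h)) + h[12:] + payload

def ah_icv(ip_hdr, ah_and_payload):
    """HMAC-SHA-256-128 over the IP header with mutable fields (TOS, flags/offset,
    TTL, checksum) zeroed, then the AH header (ICV zeroed) and the payload (RFC 4302)."""
    fixed = ip_hdr[:1] + b"\0" + ip_hdr[2:6] + b"\0\0\0" + ip_hdr[9:10] + b"\0\0" + ip_hdr[12:20]
    return hmac.new(AH_KEY, fixed + ah_and_payload, hashlib.sha256).digest()[:16]

def ah_transport(src, dst, next_proto, payload, spi=0x1001, seq=1):
    """Transport-mode AH as in 'transform-set aa ah-sha256-hmac': 12-byte header +
    16-byte ICV, nothing encrypted. Payload-length field = 28/4 - 2 = 5 words."""
    ah = struct.pack("!BBHII", next_proto, 5, 0, spi, seq)
    pkt = ipv4(src, dst, 51, ah + bytes(16) + payload)      # protocol 51 = AH
    return pkt[:20] + ah + ah_icv(pkt[:20], pkt[20:]) + payload

def verify_ah(pkt):
    """Receiver-side check: recompute the ICV and compare in constant time."""
    if pkt[9] != 51:
        return False
    ah, icv, payload = pkt[20:32], pkt[32:48], pkt[48:]
    return hmac.compare_digest(icv, ah_icv(pkt[:20], ah + bytes(16) + payload))

def encapsulate(inner, vpn_label=16):
    """Client->Server packet leaving WangDian Ethernet0/0: MPLS VPN label (BGP vpnv4)
    -> GRE Tunnel1 -> AH (crypto map on Virtual-PPP1) -> PPP -> L2TPv2 -> UDP/IP."""
    mpls = struct.pack("!I", (vpn_label << 12) | (1 << 8) | 64) + inner   # S=1, TTL 64
    gre = struct.pack("!HH", 0, 0x8847) + mpls                # GRE, protocol MPLS unicast
    ah = ah_transport("172.16.10.2", "172.16.10.1", 47, gre)  # matches access-list 100
    ppp = struct.pack("!H", 0x0021) + ah                      # PPP protocol IPv4, ACFC assumed
    l2tp = struct.pack("!HHH", 0x0002, 12, 7) + ppp           # v2 data hdr, no L/S; ids assumed
    udp = struct.pack("!HHHH", 1701, 1701, 8 + len(l2tp), 0) + l2tp
    return ipv4("200.1.1.2", "100.1.1.2", 17, udp)            # to the firewall NAT Server address

def overhead(inner):
    """Bytes added by all four layers (the 14-byte Ethernet header comes on top)."""
    return len(encapsulate(inner)) - len(inner)
```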