Huawei: Route Control Using the BGP Community Attribute
Network topology
XRV1 configuration:
===========================================================================
#
sysname XRV1
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.133.0.0 0.0.255.255 destination 10.125.0.0 0.0.255.255
rule 10 permit ip source 10.79.0.0 0.0.255.255 destination 10.38.0.0 0.0.255.255
acl number 3020
rule 5 permit ip source 10.158.0.0 0.0.255.255 destination 10.114.0.0 0.0.255.255
rule 10 permit ip source 10.79.0.0 0.0.255.255 destination 10.45.0.0 0.0.255.255
#
ipsec proposal tran1
ipsec proposal tran2
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.2
ike peer spuc v1
pre-shared-key simple huawei
remote-address 10.201.1.10
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
ipsec policy map2 10 isakmp
security acl 3020
ike-peer spuc
proposal tran2
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.1000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.1.1 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.1 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.201.1.9 255.255.255.252
ipsec policy map2
#
interface GigabitEthernet1/0/0
ip address 10.10.1.5 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.1 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.2 source-ip 10.201.1.1
#
bfd 20 bind peer-ip 10.201.1.10 source-ip 10.201.1.9
#
bgp 65000
router-id 10.255.255.1
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.2 as-number 65001
peer 10.201.1.2 group external
peer 10.201.1.10 as-number 65002
peer 10.201.1.10 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.2 as-number 65000
peer 10.255.255.2 group internal
peer 10.255.255.7 as-number 65000
peer 10.255.255.7 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.2 enable
peer 10.201.1.2 group external
peer 10.201.1.10 enable
peer 10.201.1.10 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.2 enable
peer 10.255.255.2 group internal
peer 10.255.255.7 enable
peer 10.255.255.7 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-bangong-export
apply as-path 65000 65000 65000 65000 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65001-bangong-import
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65001-oa-import
apply local-preference 2000
#
ip ip-prefix internal-bangong-export index 10 permit 10.133.1.0 24
ip ip-prefix internal-bangong-export index 20 permit 10.133.2.0 24
ip ip-prefix internal-bangong-export index 30 permit 10.133.3.0 24
ip ip-prefix internal-bangong-export index 40 permit 10.133.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.79.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.79.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.79.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.79.4.0 24
ip ip-prefix external-as65001-oa-import index 10 permit 10.38.1.0 24
ip ip-prefix external-as65001-oa-import index 20 permit 10.38.2.0 24
ip ip-prefix external-as65001-oa-import index 30 permit 10.38.3.0 24
ip ip-prefix external-as65001-oa-import index 40 permit 10.38.4.0 24
ip ip-prefix external-as65001-bangong-import index 10 permit 10.125.1.0 24
ip ip-prefix external-as65001-bangong-import index 20 permit 10.125.2.0 24
ip ip-prefix external-as65001-bangong-import index 30 permit 10.125.3.0 24
ip ip-prefix external-as65001-bangong-import index 40 permit 10.125.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
XRV2 configuration:
===========================================================================
#
sysname XRV2
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.158.0.0 0.0.255.255 destination 10.54.0.0 0.0.255.255
rule 10 permit ip source 10.38.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
acl number 3020
rule 5 permit ip source 10.158.0.0 0.0.255.255 destination 10.114.0.0 0.0.255.255
rule 10 permit ip source 10.79.0.0 0.0.255.255 destination 10.45.0.0 0.0.255.255
#
ipsec proposal tran1
ipsec proposal tran2
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.6
ike peer spuc v1
pre-shared-key simple huawei
remote-address 10.201.1.14
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
ipsec policy map2 10 isakmp
security acl 3020
ike-peer spuc
proposal tran2
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.2000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.1.2 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.5 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.201.1.13 255.255.255.252
ipsec policy map2
#
interface GigabitEthernet1/0/0
ip address 10.10.1.9 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.2 255.255.255.255
isis enable 100
#
bfd 20 bind peer-ip 10.201.1.14 source-ip 10.201.1.13
#
bgp 65000
router-id 10.255.255.2
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.6 as-number 65001
peer 10.201.1.6 group external
peer 10.201.1.14 as-number 65002
peer 10.201.1.14 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.1 as-number 65000
peer 10.255.255.1 group internal
peer 10.255.255.7 as-number 65000
peer 10.255.255.7 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer 10.201.1.6 enable
peer 10.201.1.6 group external
peer 10.201.1.14 enable
peer 10.201.1.14 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.1 enable
peer 10.255.255.1 group internal
peer 10.255.255.7 enable
peer 10.255.255.7 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-shengchan-export
apply as-path 65000 65000 65000 65000 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65001-shengchan-import
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65001-oa-import
apply local-preference 2000
#
ip ip-prefix internal-shengchan-export index 10 permit 10.133.1.0 24
ip ip-prefix internal-shengchan-export index 20 permit 10.133.2.0 24
ip ip-prefix internal-shengchan-export index 30 permit 10.133.3.0 24
ip ip-prefix internal-shengchan-export index 40 permit 10.133.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.79.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.79.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.79.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.79.4.0 24
ip ip-prefix external-as65001-shengchan-import index 10 permit 10.54.1.0 24
ip ip-prefix external-as65001-shengchan-import index 20 permit 10.54.2.0 24
ip ip-prefix external-as65001-shengchan-import index 30 permit 10.54.3.0 24
ip ip-prefix external-as65001-shengchan-import index 40 permit 10.54.4.0 24
ip ip-prefix external-as65001-oa-import index 10 permit 10.38.1.0 24
ip ip-prefix external-as65001-oa-import index 20 permit 10.38.2.0 24
ip ip-prefix external-as65001-oa-import index 30 permit 10.38.3.0 24
ip ip-prefix external-as65001-oa-import index 40 permit 10.38.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
XRV3 configuration:
===========================================================================
#
sysname XRV3
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.125.0.0 0.0.255.255 destination 10.133.0.0 0.0.255.255
rule 10 permit ip source 10.38.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.1
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.3000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.2.1 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.2 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.10.2.5 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.3 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.1 source-ip 10.201.1.2
#
bgp 65001
router-id 10.255.255.3
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.1 as-number 65000
peer 10.201.1.1 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.4 as-number 65001
peer 10.255.255.4 group internal
peer 10.255.255.8 as-number 65001
peer 10.255.255.8 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.1 enable
peer 10.201.1.1 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.4 enable
peer 10.255.255.4 group internal
peer 10.255.255.8 enable
peer 10.255.255.8 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-bangong-export
apply as-path 65001 65001 65001 65001 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-bangong
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-bangong-export index 10 permit 10.125.1.0 24
ip ip-prefix internal-bangong-export index 20 permit 10.125.2.0 24
ip ip-prefix internal-bangong-export index 30 permit 10.125.3.0 24
ip ip-prefix internal-bangong-export index 40 permit 10.125.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.38.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.38.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.38.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.38.4.0 24
ip ip-prefix external-as65000-bangong index 10 permit 10.158.1.0 24
ip ip-prefix external-as65000-bangong index 20 permit 10.158.2.0 24
ip ip-prefix external-as65000-bangong index 30 permit 10.158.3.0 24
ip ip-prefix external-as65000-bangong index 40 permit 10.158.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
XRV4 configuration:
===========================================================================
#
sysname XRV4
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.54.0.0 0.0.255.255 destination 10.158.0.0 0.0.255.255
rule 10 permit ip source 10.38.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.5
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.4000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.2.2 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.6 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.10.2.9 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.4 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.5 source-ip 10.201.1.6
#
bgp 65001
router-id 10.255.255.4
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.5 as-number 65000
peer 10.201.1.5 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.3 as-number 65001
peer 10.255.255.3 group internal
peer 10.255.255.8 as-number 65001
peer 10.255.255.8 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.5 enable
peer 10.201.1.5 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.3 enable
peer 10.255.255.3 group internal
peer 10.255.255.8 enable
peer 10.255.255.8 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-shengchan-export
apply as-path 65001 65001 65001 65001 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-shengchan
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-shengchan-export index 10 permit 10.54.1.0 24
ip ip-prefix internal-shengchan-export index 20 permit 10.54.2.0 24
ip ip-prefix internal-shengchan-export index 30 permit 10.54.3.0 24
ip ip-prefix internal-shengchan-export index 40 permit 10.54.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.38.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.38.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.38.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.38.4.0 24
ip ip-prefix external-as65000-shengchan index 10 permit 10.133.1.0 24
ip ip-prefix external-as65000-shengchan index 20 permit 10.133.2.0 24
ip ip-prefix external-as65000-shengchan index 30 permit 10.133.3.0 24
ip ip-prefix external-as65000-shengchan index 40 permit 10.133.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
XRV5 configuration:
===========================================================================
#
sysname XRV5
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.200.0.0 0.0.255.255 destination 10.133.0.0 0.0.255.255
rule 10 permit ip source 10.45.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.9
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.5000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.3.1 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.10.3.5 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/2
ip address 10.201.1.10 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.5 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.9 source-ip 10.201.1.10
#
bgp 65002
router-id 10.255.255.5
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.9 as-number 65000
peer 10.201.1.9 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.6 as-number 65002
peer 10.255.255.6 group internal
peer 10.255.255.9 as-number 65002
peer 10.255.255.9 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.9 enable
peer 10.201.1.9 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.6 enable
peer 10.255.255.6 group internal
peer 10.255.255.9 enable
peer 10.255.255.9 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-bangong-export
apply as-path 65002 65002 65002 65002 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-bangong
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-bangong-export index 10 permit 10.200.1.0 24
ip ip-prefix internal-bangong-export index 20 permit 10.200.2.0 24
ip ip-prefix internal-bangong-export index 30 permit 10.200.3.0 24
ip ip-prefix internal-bangong-export index 40 permit 10.200.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.45.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.45.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.45.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.45.4.0 24
ip ip-prefix external-as65000-bangong index 10 permit 10.158.1.0 24
ip ip-prefix external-as65000-bangong index 20 permit 10.158.2.0 24
ip ip-prefix external-as65000-bangong index 30 permit 10.158.3.0 24
ip ip-prefix external-as65000-bangong index 40 permit 10.158.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
XRV6 configuration:
===========================================================================
#
sysname XRV6
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.114.0.0 0.0.255.255 destination 10.158.0.0 0.0.255.255
rule 10 permit ip source 10.45.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.13
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.6000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.3.2 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.10.3.9 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/2
ip address 10.201.1.14 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.6 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.13 source-ip 10.201.1.14
#
bgp 65002
router-id 10.255.255.6
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.13 as-number 65000
peer 10.201.1.13 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.5 as-number 65002
peer 10.255.255.5 group internal
peer 10.255.255.9 as-number 65002
peer 10.255.255.9 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.13 enable
peer 10.201.1.13 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.5 enable
peer 10.255.255.5 group internal
peer 10.255.255.9 enable
peer 10.255.255.9 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-shengchan-export
apply as-path 65002 65002 65002 65002 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-shengchan
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-shengchan-export index 10 permit 10.114.1.0 24
ip ip-prefix internal-shengchan-export index 20 permit 10.114.2.0 24
ip ip-prefix internal-shengchan-export index 30 permit 10.114.3.0 24
ip ip-prefix internal-shengchan-export index 40 permit 10.114.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.45.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.45.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.45.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.45.4.0 24
ip ip-prefix external-as65000-shengchan index 10 permit 10.133.1.0 24
ip ip-prefix external-as65000-shengchan index 20 permit 10.133.2.0 24
ip ip-prefix external-as65000-shengchan index 30 permit 10.133.3.0 24
ip ip-prefix external-as65000-shengchan index 40 permit 10.133.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
SW1 configuration:
===========================================================================
#
sysname SW1
#
vlan batch 2 to 12 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.7000.00
#
interface Vlanif1
ip address 10.158.1.254 255.255.255.0
#
interface Vlanif2
ip address 10.158.2.254 255.255.255.0
#
interface Vlanif3
ip address 10.158.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.158.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.133.1.254 255.255.255.0
#
interface Vlanif6
ip address 10.133.2.254 255.255.255.0
#
interface Vlanif7
ip address 10.133.3.254 255.255.255.0
#
interface Vlanif8
ip address 10.133.4.254 255.255.255.0
#
interface Vlanif9
ip address 10.79.1.254 255.255.255.0
#
interface Vlanif10
ip address 10.79.2.254 255.255.255.0
#
interface Vlanif11
ip address 10.79.3.254 255.255.255.0
#
interface Vlanif12
ip address 10.79.4.254 255.255.255.0
#
interface Vlanif100
ip address 10.10.1.6 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface Vlanif200
ip address 10.10.1.10 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface MEth0/0/1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/3
eth-trunk 10
#
interface GigabitEthernet0/0/4
eth-trunk 10
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.7 255.255.255.255
isis enable 100
#
bgp 65000
router-id 10.255.255.7
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.1 as-number 65000
peer 10.255.255.1 group internal
peer 10.255.255.2 as-number 65000
peer 10.255.255.2 group internal
#
ipv4-family unicast
undo synchronization
network 10.79.1.0 255.255.255.0
network 10.79.2.0 255.255.255.0
network 10.79.3.0 255.255.255.0
network 10.79.4.0 255.255.255.0
network 10.133.1.0 255.255.255.0
network 10.133.2.0 255.255.255.0
network 10.133.3.0 255.255.255.0
network 10.133.4.0 255.255.255.0
network 10.158.1.0 255.255.255.0
network 10.158.2.0 255.255.255.0
network 10.158.3.0 255.255.255.0
network 10.158.4.0 255.255.255.0
maximum load-balancing ibgp 2
peer internal enable
peer internal route-policy external-import-oa import
peer internal route-policy interna-community export
peer internal advertise-community
peer 10.255.255.1 enable
peer 10.255.255.1 group internal
peer 10.255.255.2 enable
peer 10.255.255.2 group internal
#
route-policy interna-community permit node 10
if-match ip-prefix internal-bangong
apply community 65000:100
#
route-policy interna-community permit node 20
if-match ip-prefix internal-shengchan
apply community 65000:200
#
route-policy interna-community permit node 30
if-match ip-prefix internal-oa
apply community 65000:300
#
route-policy external-import-oa permit node 10
if-match community-filter import-oa
#
ip ip-prefix internal-bangong index 10 permit 10.158.1.0 24
ip ip-prefix internal-bangong index 20 permit 10.158.2.0 24
ip ip-prefix internal-bangong index 30 permit 10.158.3.0 24
ip ip-prefix internal-bangong index 40 permit 10.158.4.0 24
ip ip-prefix internal-shengchan index 10 permit 10.133.1.0 24
ip ip-prefix internal-shengchan index 20 permit 10.133.2.0 24
ip ip-prefix internal-shengchan index 30 permit 10.133.3.0 24
ip ip-prefix internal-shengchan index 40 permit 10.133.4.0 24
ip ip-prefix internal-oa index 10 permit 10.79.1.0 24
ip ip-prefix internal-oa index 20 permit 10.79.2.0 24
ip ip-prefix internal-oa index 30 permit 10.79.3.0 24
ip ip-prefix internal-oa index 40 permit 10.79.4.0 24
#
ip community-filter basic import-oa permit 65001:300
ip community-filter basic import-oa permit 65002:300
#
user-interface con 0
user-interface vty 0 4
#
return
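A consistency check for configurations of this shape, added here as an example (it is not part of the original post): it reports `route-policy`, `ip-prefix` and `community-filter` names that are referenced but never defined, definitions that nothing references, and secrets stored with the `simple` keyword. The sample config is constructed, and the parser assumes only the command forms that appear on this page.

```python
import re
from difflib import get_close_matches

# Constructed sample in the style of the configs on this page (not a device capture).
SAMPLE = """\
bgp 65002
 peer external password simple EXAMPLE-ONLY
 ipv4-family unicast
  peer external route-policy internal-export export
  peer external route-policy external-import import
#
route-policy internal-exprot permit node 10
 if-match ip-prefix internal-shengchan-exprot
#
route-policy external-import permit node 10
 if-match ip-prefix external-as65000-oa
#
route-policy external-import permit node 20
 if-match community-filter import-oa
#
ip ip-prefix internal-shengchan-export index 10 permit 10.114.1.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip community-filter basic import-oa permit 65001:300
#
ike peer spub v1
 pre-shared-key simple EXAMPLE-ONLY
"""

# Where a named object is defined.
DEFS = {
    "route-policy": re.compile(r"^route-policy (\S+) (?:permit|deny) node \d+"),
    "ip-prefix": re.compile(r"^ip ip-prefix (\S+) "),
    "community-filter": re.compile(r"^ip community-filter (?:basic|advanced) (\S+) "),
}
# Where a named object is referenced. Assumption: route-policies are only
# applied to BGP peers/groups, as on this page; other call sites are not parsed.
REFS = {
    "route-policy": re.compile(r"^peer \S+ route-policy (\S+) (?:import|export)"),
    "ip-prefix": re.compile(r"^if-match ip-prefix (\S+)"),
    "community-filter": re.compile(r"^if-match community-filter (\S+)"),
}
# Secrets kept in clear text in the saved configuration.
PLAINTEXT = re.compile(r"\b(password|pre-shared-key) simple \S+")


def audit(config_text):
    """Return sorted findings as (line, kind, name, hint) tuples.

    kind is 'dangling-<type>', 'unused-<type>' or 'plaintext-secret'.
    hint is the closest defined name for a dangling reference, else ''.
    The secret value itself is never copied into a finding.
    """
    defined = {k: {} for k in DEFS}   # type -> {name: first defining line}
    used = {k: {} for k in REFS}      # type -> {name: [referencing lines]}
    findings = []

    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()            # device output may or may not be indented
        for kind, rx in DEFS.items():
            m = rx.match(line)
            if m:
                defined[kind].setdefault(m.group(1), no)
        for kind, rx in REFS.items():
            m = rx.match(line)
            if m:
                used[kind].setdefault(m.group(1), []).append(no)
        m = PLAINTEXT.search(line)
        if m:
            findings.append((no, "plaintext-secret", m.group(1), ""))

    for kind in DEFS:
        for name, lines in used[kind].items():
            if name not in defined[kind]:
                # A near miss usually means a typo on one side of the pair.
                close = get_close_matches(name, list(defined[kind]), n=1)
                hint = close[0] if close else ""
                for no in lines:
                    findings.append((no, f"dangling-{kind}", name, hint))
        for name, no in defined[kind].items():
            if name not in used[kind]:
                findings.append((no, f"unused-{kind}", name, ""))

    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for line_no, kind, name, hint in audit(SAMPLE):
        suffix = f" (did you mean {hint}?)" if hint else ""
        print(f"line {line_no}: {kind}: {name}{suffix}")
```
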
SW2 configuration:
===========================================================================
#
sysname SW2
#
vlan batch 2 to 12 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.8000.00
#
interface Vlanif1
ip address 10.125.1.254 255.255.255.0
#
interface Vlanif2
ip address 10.125.2.254 255.255.255.0
#
interface Vlanif3
ip address 10.125.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.125.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.54.1.254 255.255.255.0
#
interface Vlanif6
ip address 10.54.2.254 255.255.255.0
#
interface Vlanif7
ip address 10.54.3.254 255.255.255.0
#
interface Vlanif8
ip address 10.54.4.254 255.255.255.0
#
interface Vlanif9
ip address 10.38.1.254 255.255.255.0
#
interface Vlanif10
ip address 10.38.2.254 255.255.255.0
#
interface Vlanif11
ip address 10.38.3.254 255.255.255.0
#
interface Vlanif12
ip address 10.38.4.254 255.255.255.0
#
interface Vlanif100
ip address 10.10.2.6 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface Vlanif200
ip address 10.10.2.10 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.8 255.255.255.255
isis enable 100
#
bgp 65001
router-id 10.255.255.8
graceful-restart
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.3 as-number 65001
peer 10.255.255.3 group internal
peer 10.255.255.4 as-number 65001
peer 10.255.255.4 group internal
#
ipv4-family unicast
undo synchronization
network 10.38.1.0 255.255.255.0
network 10.38.2.0 255.255.255.0
network 10.38.3.0 255.255.255.0
network 10.38.4.0 255.255.255.0
network 10.54.1.0 255.255.255.0
network 10.54.2.0 255.255.255.0
network 10.54.3.0 255.255.255.0
network 10.54.4.0 255.255.255.0
network 10.125.1.0 255.255.255.0
network 10.125.2.0 255.255.255.0
network 10.125.3.0 255.255.255.0
network 10.125.4.0 255.255.255.0
maximum load-balancing ibgp 2
peer internal enable
peer internal route-policy external-import-oa import
peer internal route-policy interna-community export
peer internal advertise-community
peer 10.255.255.3 enable
peer 10.255.255.3 group internal
peer 10.255.255.4 enable
peer 10.255.255.4 group internal
#
route-policy interna-community permit node 10
if-match ip-prefix internal-bangong
apply community 65001:100
#
route-policy interna-community permit node 20
if-match ip-prefix internal-shengchan
apply community 65001:200
#
route-policy interna-community permit node 30
if-match ip-prefix internal-oa
apply community 65001:300
#
route-policy external-import-oa permit node 10
if-match community-filter import-oa
#
ip ip-prefix internal-bangong index 10 permit 10.125.1.0 24
ip ip-prefix internal-bangong index 20 permit 10.125.2.0 24
ip ip-prefix internal-bangong index 30 permit 10.125.3.0 24
ip ip-prefix internal-bangong index 40 permit 10.125.4.0 24
ip ip-prefix internal-shengchan index 10 permit 10.54.1.0 24
ip ip-prefix internal-shengchan index 20 permit 10.54.2.0 24
ip ip-prefix internal-shengchan index 30 permit 10.54.3.0 24
ip ip-prefix internal-shengchan index 40 permit 10.54.4.0 24
ip ip-prefix internal-oa index 10 permit 10.38.1.0 24
ip ip-prefix internal-oa index 20 permit 10.38.2.0 24
ip ip-prefix internal-oa index 30 permit 10.38.3.0 24
ip ip-prefix internal-oa index 40 permit 10.38.4.0 24
#
ip community-filter basic import-oa permit 65000:300
ip community-filter basic import-oa permit 65002:300
#
user-interface con 0
user-interface vty 0 4
#
return
SW3 configuration:
===========================================================================
#
sysname SW3
#
vlan batch 2 to 12 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.3000.00
#
interface Vlanif1
ip address 10.200.1.254 255.255.255.0
#
interface Vlanif2
ip address 10.200.2.254 255.255.255.0
#
interface Vlanif3
ip address 10.200.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.200.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.114.1.254 255.255.255.0
#
interface Vlanif6
ip address 10.114.2.254 255.255.255.0
#
interface Vlanif7
ip address 10.114.3.254 255.255.255.0
#
interface Vlanif8
ip address 10.114.4.254 255.255.255.0
#
interface Vlanif9
ip address 10.45.1.254 255.255.255.0
#
interface Vlanif10
ip address 10.45.2.254 255.255.255.0
#
interface Vlanif11
ip address 10.45.3.254 255.255.255.0
#
interface Vlanif12
ip address 10.45.4.254 255.255.255.0
#
interface Vlanif100
ip address 10.10.3.6 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface Vlanif200
ip address 10.10.3.10 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface MEth0/0/1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
eth-trunk 10
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.9 255.255.255.255
isis enable 100
isis circuit-level level-2
#
bgp 65002
router-id 10.255.255.9
graceful-restart
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.5 as-number 65002
peer 10.255.255.5 group internal
peer 10.255.255.6 as-number 65002
peer 10.255.255.6 group internal
#
ipv4-family unicast
undo synchronization
network 10.45.1.0 255.255.255.0
network 10.45.2.0 255.255.255.0
network 10.45.3.0 255.255.255.0
network 10.45.4.0 255.255.255.0
network 10.114.1.0 255.255.255.0
network 10.114.2.0 255.255.255.0
network 10.114.3.0 255.255.255.0
network 10.114.4.0 255.255.255.0
network 10.200.1.0 255.255.255.0
network 10.200.2.0 255.255.255.0
network 10.200.3.0 255.255.255.0
network 10.200.4.0 255.255.255.0
maximum load-balancing ibgp 2
peer internal enable
peer internal route-policy external-import-oa import
peer internal route-policy interna-community export
peer internal advertise-community
peer 10.255.255.5 enable
peer 10.255.255.5 group internal
peer 10.255.255.6 enable
peer 10.255.255.6 group internal
#
route-policy interna-community permit node 10
if-match ip-prefix internal-bangong
apply community 65002:100
#
route-policy interna-community permit node 20
if-match ip-prefix internal-shengchan
apply community 65002:200
#
route-policy interna-community permit node 30
if-match ip-prefix internal-oa
apply community 65002:300
#
route-policy external-import-oa permit node 10
if-match community-filter import-oa
#
ip ip-prefix internal-bangong index 10 permit 10.200.1.0 24
ip ip-prefix internal-bangong index 20 permit 10.200.2.0 24
ip ip-prefix internal-bangong index 30 permit 10.200.3.0 24
ip ip-prefix internal-bangong index 40 permit 10.200.4.0 24
ip ip-prefix internal-shengchan index 10 permit 10.114.1.0 24
ip ip-prefix internal-shengchan index 20 permit 10.114.2.0 24
ip ip-prefix internal-shengchan index 30 permit 10.114.3.0 24
ip ip-prefix internal-shengchan index 40 permit 10.114.4.0 24
ip ip-prefix internal-oa index 10 permit 10.45.1.0 24
ip ip-prefix internal-oa index 20 permit 10.45.2.0 24
ip ip-prefix internal-oa index 30 permit 10.45.3.0 24
ip ip-prefix internal-oa index 40 permit 10.45.4.0 24
#
ip community-filter basic import-oa permit 65001:300
ip community-filter basic import-oa permit 65000:300
#
user-interface con 0
user-interface vty 0 4
#
return
On XRV3, use display ike sa to view IKE phase 1
===========================================================================
<XRV3>display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
22 10.201.1.1 0 RD 2
21 10.201.1.1 0 RD|ST 2
15 10.201.1.1 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
On XRV3, use display ipsec sa to view IKE phase 2
===========================================================================
<XRV3>display ipsec sa
===============================
Interface: GigabitEthernet0/0/1
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "map1"
Sequence number : 10
Acl Group : 3010
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 21
Encapsulation mode: Tunnel
Tunnel local : 10.201.1.2
Tunnel remote : 10.201.1.1
Flow source : 10.125.0.0/255.255.0.0 0/0
Flow destination : 10.133.0.0/255.255.0.0 0/0
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 121135015 (0x7385fa7)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2938
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 3851064655 (0xe58a954f)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2938
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
-----------------------------
IPSec policy name: "map1"
Sequence number : 10
Acl Group : 3010
Acl rule : 10
Mode : ISAKMP
-----------------------------
Connection ID : 22
Encapsulation mode: Tunnel
Tunnel local : 10.201.1.2
Tunnel remote : 10.201.1.1
Flow source : 10.38.0.0/255.255.0.0 0/0
Flow destination : 10.79.0.0/255.255.0.0 0/0
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 2545515130 (0x97b97a7a)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2943
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 3831477031 (0xe45fb327)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2943
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
On SW3, use display ip routing-table protocol bgp to view the routes
===========================================================================
<SW3>display ip routing-table protocol bgp
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : BGP
Destinations : 4 Routes : 4
BGP routing table status : <Active>
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.79.1.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100
10.79.2.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100
10.79.3.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100
10.79.4.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100
BGP routing table status : <Inactive>
Destinations : 0 Routes : 0
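Why SW3's BGP table above holds only the four 10.79.x.0/24 prefixes: the following Python sketch, added here and not part of the original post, replays AS 65000's export policy and SW3's import filter using lines copied from the configurations on this page. It assumes the routers between the two switches forward the community attribute unchanged; the function names are illustrative.

```python
import ipaddress
import re

# Copied from this page: AS 65000 export policy and prefix lists, then SW3's import filter.
AS65000_CFG = """\
route-policy interna-community permit node 10
if-match ip-prefix internal-bangong
apply community 65000:100
route-policy interna-community permit node 20
if-match ip-prefix internal-shengchan
apply community 65000:200
route-policy interna-community permit node 30
if-match ip-prefix internal-oa
apply community 65000:300
ip ip-prefix internal-bangong index 10 permit 10.158.1.0 24
ip ip-prefix internal-bangong index 20 permit 10.158.2.0 24
ip ip-prefix internal-bangong index 30 permit 10.158.3.0 24
ip ip-prefix internal-bangong index 40 permit 10.158.4.0 24
ip ip-prefix internal-shengchan index 10 permit 10.133.1.0 24
ip ip-prefix internal-shengchan index 20 permit 10.133.2.0 24
ip ip-prefix internal-shengchan index 30 permit 10.133.3.0 24
ip ip-prefix internal-shengchan index 40 permit 10.133.4.0 24
ip ip-prefix internal-oa index 10 permit 10.79.1.0 24
ip ip-prefix internal-oa index 20 permit 10.79.2.0 24
ip ip-prefix internal-oa index 30 permit 10.79.3.0 24
ip ip-prefix internal-oa index 40 permit 10.79.4.0 24
"""
SW3_FILTER = """\
ip community-filter basic import-oa permit 65001:300
ip community-filter basic import-oa permit 65000:300
"""

def parse_prefix_lists(cfg):
    lists = {}
    for name, net, plen in re.findall(r"^ip ip-prefix (\S+) index \d+ permit (\S+) (\d+)$", cfg, re.M):
        lists.setdefault(name, []).append(ipaddress.ip_network(f"{net}/{plen}"))
    return lists

def tag_on_export(cfg, routes):
    # First matching node sets the community; a route matching no node is not advertised.
    lists = parse_prefix_lists(cfg)
    nodes = re.findall(r"^if-match ip-prefix (\S+)\napply community (\S+)$", cfg, re.M)
    tagged = {}
    for route in routes:
        match = next((c for p, c in nodes if route in lists.get(p, [])), None)
        if match:
            tagged[route] = match
    return tagged

def accepted_on_import(filter_cfg, tagged):
    # Assumption: every hop in between forwards the community unchanged.
    permitted = set(re.findall(r"^ip community-filter basic \S+ permit (\S+)$", filter_cfg, re.M))
    return sorted(r for r, c in tagged.items() if c in permitted)

def accepted_at_sw3():
    routes = [n for nets in parse_prefix_lists(AS65000_CFG).values() for n in nets]
    return [str(r) for r in accepted_on_import(SW3_FILTER, tag_on_export(AS65000_CFG, routes))]

if __name__ == "__main__":
    print(accepted_at_sw3())
```

The office (65000:100) and production (65000:200) prefixes fall through SW3's single permit node and are dropped, which is what keeps them reachable only through the IPsec tunnels rather than through BGP.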
On SW3, use ping to probe the AS 65000 OA flow 10.79.1.254/32
===========================================================================
<SW3>ping -a 10.45.1.254 10.79.1.254
PING 10.79.1.254: 56 data bytes, press CTRL_C to break
Reply from 10.79.1.254: bytes=56 Sequence=1 ttl=254 time=40 ms
Reply from 10.79.1.254: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 10.79.1.254: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 10.79.1.254: bytes=56 Sequence=4 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=5 ttl=254 time=60 ms
--- 10.79.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/46/60 ms
On SW3, use tracert to trace the AS 65000 OA flow 10.79.1.254/32
===========================================================================
<SW3>tracert -a 10.45.1.254 10.79.1.254
traceroute to 10.79.1.254(10.79.1.254), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.201.1.9 10 ms 50 ms 50 ms
2 10.10.1.6 60 ms 50 ms 30 ms
Shut down interface g0/0/2 on XRV5, wait for routing to converge, then view the routes on SW3
===========================================================================
<SW3>display bgp routing-table
BGP Local router ID is 10.255.255.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 16
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.45.1.0/24 0.0.0.0 0 0 i
*> 10.45.2.0/24 0.0.0.0 0 0 i
*> 10.45.3.0/24 0.0.0.0 0 0 i
*> 10.45.4.0/24 0.0.0.0 0 0 i
*>i 10.79.1.0/24 10.255.255.6 2000 0 65000i
*>i 10.79.2.0/24 10.255.255.6 2000 0 65000i
*>i 10.79.3.0/24 10.255.255.6 2000 0 65000i
*>i 10.79.4.0/24 10.255.255.6 2000 0 65000i
*> 10.114.1.0/24 0.0.0.0 0 0 i
*> 10.114.2.0/24 0.0.0.0 0 0 i
*> 10.114.3.0/24 0.0.0.0 0 0 i
*> 10.114.4.0/24 0.0.0.0 0 0 i
*> 10.200.1.0/24 0.0.0.0 0 0 i
*> 10.200.2.0/24 0.0.0.0 0 0 i
*> 10.200.3.0/24 0.0.0.0 0 0 i
*> 10.200.4.0/24 0.0.0.0 0 0 i
<SW3>
On SW3, use ping to probe the AS 65000 OA flow 10.79.1.254/32
===========================================================================
<SW3>ping -a 10.45.1.254 10.79.1.254
PING 10.79.1.254: 56 data bytes, press CTRL_C to break
Reply from 10.79.1.254: bytes=56 Sequence=1 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=2 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=3 ttl=254 time=50 ms
Reply from 10.79.1.254: bytes=56 Sequence=4 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=5 ttl=254 time=60 ms
--- 10.79.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/58/60 ms
<SW3>
On SW3, use tracert to trace the AS 65000 OA flow 10.79.1.254/32
===========================================================================
<SW3>tracert -a 10.45.1.254 10.79.1.254
traceroute to 10.79.1.254(10.79.1.254), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.201.1.13 50 ms 50 ms 40 ms
2 10.10.1.10 50 ms 30 ms 50 ms
<SW3>