网络拓扑

XRV1的配置:

===========================================================================

#
sysname XRV1
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.133.0.0 0.0.255.255 destination 10.125.0.0 0.0.255.255
rule 10 permit ip source 10.79.0.0 0.0.255.255 destination 10.38.0.0 0.0.255.255
acl number 3020
rule 5 permit ip source 10.158.0.0 0.0.255.255 destination 10.114.0.0 0.0.255.255
rule 10 permit ip source 10.79.0.0 0.0.255.255 destination 10.45.0.0 0.0.255.255
#
ipsec proposal tran1
ipsec proposal tran2
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.2
ike peer spuc v1
pre-shared-key simple huawei
remote-address 10.201.1.10
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
ipsec policy map2 10 isakmp
security acl 3020
ike-peer spuc
proposal tran2
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.1000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.1.1 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.1 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.201.1.9 255.255.255.252
ipsec policy map2
#
interface GigabitEthernet1/0/0
ip address 10.10.1.5 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.1 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.2 source-ip 10.201.1.1
#
bfd 20 bind peer-ip 10.201.1.10 source-ip 10.201.1.9
#
bgp 65000
router-id 10.255.255.1
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.2 as-number 65001
peer 10.201.1.2 group external
peer 10.201.1.10 as-number 65002
peer 10.201.1.10 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.2 as-number 65000
peer 10.255.255.2 group internal
peer 10.255.255.7 as-number 65000
peer 10.255.255.7 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.2 enable
peer 10.201.1.2 group external
peer 10.201.1.10 enable
peer 10.201.1.10 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.2 enable
peer 10.255.255.2 group internal
peer 10.255.255.7 enable
peer 10.255.255.7 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-bangong-export
apply as-path 65000 65000 65000 65000 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix as65001-bangong-import
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65001-oa-import
apply local-preference 2000
#
ip ip-prefix internal-bangong-export index 10 permit 10.133.1.0 24
ip ip-prefix internal-bangong-export index 20 permit 10.133.2.0 24
ip ip-prefix internal-bangong-export index 30 permit 10.133.3.0 24
ip ip-prefix internal-bangong-export index 40 permit 10.133.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.79.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.79.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.79.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.79.4.0 24
ip ip-prefix external-as65001-oa-import index 10 permit 10.38.1.0 24
ip ip-prefix external-as65001-oa-import index 20 permit 10.38.2.0 24
ip ip-prefix external-as65001-oa-import index 30 permit 10.38.3.0 24
ip ip-prefix external-as65001-oa-import index 40 permit 10.38.4.0 24
ip ip-prefix external-as65001-bangong-import index 10 permit 10.125.1.0 24
ip ip-prefix external-as65001-bangong-import index 20 permit 10.125.2.0 24
ip ip-prefix external-as65001-bangong-import index 30 permit 10.125.3.0 24
ip ip-prefix external-as65001-bangong-import index 40 permit 10.125.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

XRV2的配置:

===========================================================================

#
sysname XRV2
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.158.0.0 0.0.255.255 destination 10.54.0.0 0.0.255.255
rule 10 permit ip source 10.38.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
acl number 3020
rule 5 permit ip source 10.158.0.0 0.0.255.255 destination 10.114.0.0 0.0.255.255
rule 10 permit ip source 10.79.0.0 0.0.255.255 destination 10.45.0.0 0.0.255.255
#
ipsec proposal tran1
ipsec proposal tran2
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.6
ike peer spuc v1
pre-shared-key simple huawei
remote-address 10.201.1.14
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
ipsec policy map2 10 isakmp
security acl 3020
ike-peer spuc
proposal tran2
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.2000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.1.2 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.5 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.201.1.13 255.255.255.252
ipsec policy map2
#
interface GigabitEthernet1/0/0
ip address 10.10.1.9 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.2 255.255.255.255
isis enable 100
#
bfd 20 bind peer-ip 10.201.1.14 source-ip 10.201.1.13
#
bgp 65000
router-id 10.255.255.2
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.6 as-number 65001
peer 10.201.1.6 group external
peer 10.201.1.14 as-number 65002
peer 10.201.1.14 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.1 as-number 65000
peer 10.255.255.1 group internal
peer 10.255.255.7 as-number 65000
peer 10.255.255.7 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer 10.201.1.6 enable
peer 10.201.1.6 group external
peer 10.201.1.14 enable
peer 10.201.1.14 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.1 enable
peer 10.255.255.1 group internal
peer 10.255.255.7 enable
peer 10.255.255.7 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-shengchan-export
apply as-path 65000 65000 65000 65000 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65001-shengchan
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65001-oa-import
apply local-preference 2000
#
ip ip-prefix internal-shengchan-export index 10 permit 10.133.1.0 24
ip ip-prefix internal-shengchan-export index 20 permit 10.133.2.0 24
ip ip-prefix internal-shengchan-export index 30 permit 10.133.3.0 24
ip ip-prefix internal-shengchan-export index 40 permit 10.133.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.79.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.79.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.79.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.79.4.0 24
ip ip-prefix external-as65001-shengchan-import index 10 permit 10.54.1.0 24
ip ip-prefix external-as65001-shengchan-import index 20 permit 10.54.2.0 24
ip ip-prefix external-as65001-shengchan-import index 30 permit 10.54.3.0 24
ip ip-prefix external-as65001-shengchan-import index 40 permit 10.54.4.0 24
ip ip-prefix external-as65001-oa-import index 10 permit 10.38.1.0 24
ip ip-prefix external-as65001-oa-import index 20 permit 10.38.2.0 24
ip ip-prefix external-as65001-oa-import index 30 permit 10.38.3.0 24
ip ip-prefix external-as65001-oa-import index 40 permit 10.38.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

XRV3的配置:

===========================================================================

#
sysname XRV3
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.125.0.0 0.0.255.255 destination 10.133.0.0 0.0.255.255
rule 10 permit ip source 10.38.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.1
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.3000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.2.1 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.2 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.10.2.5 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.3 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.1 source-ip 10.201.1.2
#
bgp 65001
router-id 10.255.255.3
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.1 as-number 65000
peer 10.201.1.1 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.4 as-number 65001
peer 10.255.255.4 group internal
peer 10.255.255.8 as-number 65001
peer 10.255.255.8 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.1 enable
peer 10.201.1.1 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.4 enable
peer 10.255.255.4 group internal
peer 10.255.255.8 enable
peer 10.255.255.8 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-bangong-export
apply as-path 65001 65001 65001 65001 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-bangong
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-bangong-export index 10 permit 10.125.1.0 24
ip ip-prefix internal-bangong-export index 20 permit 10.125.2.0 24
ip ip-prefix internal-bangong-export index 30 permit 10.125.3.0 24
ip ip-prefix internal-bangong-export index 40 permit 10.125.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.38.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.38.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.38.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.38.4.0 24
ip ip-prefix external-as65000-bangong index 10 permit 10.158.1.0 24
ip ip-prefix external-as65000-bangong index 20 permit 10.158.2.0 24
ip ip-prefix external-as65000-bangong index 30 permit 10.158.3.0 24
ip ip-prefix external-as65000-bangong index 40 permit 10.158.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

XRV4的配置:

===========================================================================

#
sysname XRV4
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.54.0.0 0.0.255.255 destination 10.158.0.0 0.0.255.255
rule 10 permit ip source 10.38.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.5
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.4000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.2.2 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.6 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.10.2.9 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.4 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.5 source-ip 10.201.1.6
#
bgp 65001
router-id 10.255.255.4
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.5 as-number 65000
peer 10.201.1.5 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.3 as-number 65001
peer 10.255.255.3 group internal
peer 10.255.255.8 as-number 65001
peer 10.255.255.8 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.5 enable
peer 10.201.1.5 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.3 enable
peer 10.255.255.3 group internal
peer 10.255.255.8 enable
peer 10.255.255.8 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-shengchan-export
apply as-path 65001 65001 65001 65001 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-shengchan
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-shengchan-export index 10 permit 10.54.1.0 24
ip ip-prefix internal-shengchan-export index 20 permit 10.54.2.0 24
ip ip-prefix internal-shengchan-export index 30 permit 10.54.3.0 24
ip ip-prefix internal-shengchan-export index 40 permit 10.54.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.38.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.38.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.38.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.38.4.0 24
ip ip-prefix external-as65000-shengchan index 10 permit 10.133.1.0 24
ip ip-prefix external-as65000-shengchan index 20 permit 10.133.2.0 24
ip ip-prefix external-as65000-shengchan index 30 permit 10.133.3.0 24
ip ip-prefix external-as65000-shengchan index 40 permit 10.133.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

XRV5的配置:

===========================================================================

#
sysname XRV5
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.200.0.0 0.0.255.255 destination 10.133.0.0 0.0.255.255
rule 10 permit ip source 10.45.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.9
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.5000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.3.1 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.10.3.5 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/2
ip address 10.201.1.10 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.5 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.9 source-ip 10.201.1.10
#
bgp 65002
router-id 10.255.255.5
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.9 as-number 65000
peer 10.201.1.9 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.6 as-number 65002
peer 10.255.255.6 group internal
peer 10.255.255.9 as-number 65002
peer 10.255.255.9 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.9 enable
peer 10.201.1.9 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.6 enable
peer 10.255.255.6 group internal
peer 10.255.255.9 enable
peer 10.255.255.9 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-bangong-export
apply as-path 65002 65002 65002 65002 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-bangong
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-bangong-export index 10 permit 10.200.1.0 24
ip ip-prefix internal-bangong-export index 20 permit 10.200.2.0 24
ip ip-prefix internal-bangong-export index 30 permit 10.200.3.0 24
ip ip-prefix internal-bangong-export index 40 permit 10.200.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.45.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.45.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.45.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.45.4.0 24
ip ip-prefix external-as65000-bangong index 10 permit 10.158.1.0 24
ip ip-prefix external-as65000-bangong index 20 permit 10.158.2.0 24
ip ip-prefix external-as65000-bangong index 30 permit 10.158.3.0 24
ip ip-prefix external-as65000-bangong index 40 permit 10.158.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

XRV6的配置:

===========================================================================

#
sysname XRV6
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.114.0.0 0.0.255.255 destination 10.158.0.0 0.0.255.255
rule 10 permit ip source 10.45.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.13
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.6000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.3.2 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.10.3.9 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/2
ip address 10.201.1.14 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.6 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.13 source-ip 10.201.1.14
#
bgp 65002
router-id 10.255.255.6
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.13 as-number 65000
peer 10.201.1.13 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.5 as-number 65002
peer 10.255.255.5 group internal
peer 10.255.255.9 as-number 65002
peer 10.255.255.9 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.13 enable
peer 10.201.1.13 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.5 enable
peer 10.255.255.5 group internal
peer 10.255.255.9 enable
peer 10.255.255.9 group internal
#
route-policy internal-exprot permit node 10
if-match ip-prefix internal-shengchan-exprot
apply as-path 65002 65002 65002 65002 additive
#
route-policy internal-exprot permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-shengchan
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-shengchan-export index 10 permit 10.114.1.0 24
ip ip-prefix internal-shengchan-export index 20 permit 10.114.2.0 24
ip ip-prefix internal-shengchan-export index 30 permit 10.114.3.0 24
ip ip-prefix internal-shengchan-export index 40 permit 10.114.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.45.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.45.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.45.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.45.4.0 24
ip ip-prefix external-as65000-shengchan index 10 permit 10.133.1.0 24
ip ip-prefix external-as65000-shengchan index 20 permit 10.133.2.0 24
ip ip-prefix external-as65000-shengchan index 30 permit 10.133.3.0 24
ip ip-prefix external-as65000-shengchan index 40 permit 10.133.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

SW1的配置:

===========================================================================

#
sysname SW1
#
vlan batch 2 to 12 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.7000.00
#
interface Vlanif1
ip address 10.158.1.254 255.255.255.0
#
interface Vlanif2
ip address 10.158.2.254 255.255.255.0
#
interface Vlanif3
ip address 10.158.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.158.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.133.1.254 255.255.255.0
#
interface Vlanif6
ip address 10.133.2.254 255.255.255.0
#
interface Vlanif7
ip address 10.133.3.254 255.255.255.0
#
interface Vlanif8
ip address 10.133.4.254 255.255.255.0
#
interface Vlanif9
ip address 10.79.1.254 255.255.255.0
#
interface Vlanif10
ip address 10.79.2.254 255.255.255.0
#
interface Vlanif11
ip address 10.79.3.254 255.255.255.0
#
interface Vlanif12
ip address 10.79.4.254 255.255.255.0
#
interface Vlanif100
ip address 10.10.1.6 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface Vlanif200
ip address 10.10.1.10 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface MEth0/0/1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/3
eth-trunk 10
#
interface GigabitEthernet0/0/4
eth-trunk 10
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.7 255.255.255.255
isis enable 100
#
bgp 65000
router-id 10.255.255.7
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.1 as-number 65000
peer 10.255.255.1 group internal
peer 10.255.255.2 as-number 65000
peer 10.255.255.2 group internal
#
ipv4-family unicast
undo synchronization
network 10.79.1.0 255.255.255.0
network 10.79.2.0 255.255.255.0
network 10.79.3.0 255.255.255.0
network 10.79.4.0 255.255.255.0
network 10.133.1.0 255.255.255.0
network 10.133.2.0 255.255.255.0
network 10.133.3.0 255.255.255.0
network 10.133.4.0 255.255.255.0
network 10.158.1.0 255.255.255.0
network 10.158.2.0 255.255.255.0
network 10.158.3.0 255.255.255.0
network 10.158.4.0 255.255.255.0
maximum load-balancing ibgp 2
peer internal enable
peer internal route-policy external-import-oa import
peer internal route-policy interna-community export
peer internal advertise-community
peer 10.255.255.1 enable
peer 10.255.255.1 group internal
peer 10.255.255.2 enable
peer 10.255.255.2 group internal
#
route-policy interna-community permit node 10
if-match ip-prefix internal-bangong
apply community 65000:100
#
route-policy interna-community permit node 20
if-match ip-prefix internal-shengchan
apply community 65000:200
#
route-policy interna-community permit node 30
if-match ip-prefix internal-oa
apply community 65000:300
#
route-policy external-import-oa permit node 10
if-match community-filter import-oa
#
ip ip-prefix internal-bangong index 10 permit 10.158.1.0 24
ip ip-prefix internal-bangong index 20 permit 10.158.2.0 24
ip ip-prefix internal-bangong index 30 permit 10.158.3.0 24
ip ip-prefix internal-bangong index 40 permit 10.158.4.0 24
ip ip-prefix internal-shengchan index 10 permit 10.133.1.0 24
ip ip-prefix internal-shengchan index 20 permit 10.133.2.0 24
ip ip-prefix internal-shengchan index 30 permit 10.133.3.0 24
ip ip-prefix internal-shengchan index 40 permit 10.133.4.0 24
ip ip-prefix internal-oa index 10 permit 10.79.1.0 24
ip ip-prefix internal-oa index 20 permit 10.79.2.0 24
ip ip-prefix internal-oa index 30 permit 10.79.3.0 24
ip ip-prefix internal-oa index 40 permit 10.79.4.0 24
#
ip community-filter basic import-oa permit 65001:300
ip community-filter basic import-oa permit 65002:300
#
user-interface con 0
user-interface vty 0 4
#
return

SW2的配置:

===========================================================================

#
sysname SW2
#
vlan batch 2 to 12 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.8000.00
#
interface Vlanif1
ip address 10.125.1.254 255.255.255.0
#
interface Vlanif2
ip address 10.125.2.254 255.255.255.0
#
interface Vlanif3
ip address 10.125.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.125.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.54.1.254 255.255.255.0
#
interface Vlanif6
ip address 10.54.2.254 255.255.255.0
#
interface Vlanif7
ip address 10.54.3.254 255.255.255.0
#
interface Vlanif8
ip address 10.54.4.254 255.255.255.0
#
interface Vlanif9
ip address 10.38.1.254 255.255.255.0
#
interface Vlanif10
ip address 10.38.2.254 255.255.255.0
#
interface Vlanif11
ip address 10.38.3.254 255.255.255.0
#
interface Vlanif12
ip address 10.38.4.254 255.255.255.0
#
interface Vlanif100
ip address 10.10.2.6 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface Vlanif200
ip address 10.10.2.10 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.8 255.255.255.255
isis enable 100
#
bgp 65001
router-id 10.255.255.8
graceful-restart
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.3 as-number 65001
peer 10.255.255.3 group internal
peer 10.255.255.4 as-number 65001
peer 10.255.255.4 group internal
#
ipv4-family unicast
undo synchronization
network 10.38.1.0 255.255.255.0
network 10.38.2.0 255.255.255.0
network 10.38.3.0 255.255.255.0
network 10.38.4.0 255.255.255.0
network 10.54.1.0 255.255.255.0
network 10.54.2.0 255.255.255.0
network 10.54.3.0 255.255.255.0
network 10.54.4.0 255.255.255.0
network 10.125.1.0 255.255.255.0
network 10.125.2.0 255.255.255.0
network 10.125.3.0 255.255.255.0
network 10.125.4.0 255.255.255.0
maximum load-balancing ibgp 2
peer internal enable
peer internal route-policy external-import-oa import
peer internal route-policy interna-community export
peer internal advertise-community
peer 10.255.255.3 enable
peer 10.255.255.3 group internal
peer 10.255.255.4 enable
peer 10.255.255.4 group internal
#
route-policy interna-community permit node 10
if-match ip-prefix internal-bangong
apply community 65001:100
#
route-policy interna-community permit node 20
if-match ip-prefix internal-shengchan
apply community 65001:200
#
route-policy interna-community permit node 30
if-match ip-prefix internal-oa
apply community 65001:300
#
route-policy external-import-oa permit node 10
if-match community-filter import-oa
#
ip ip-prefix internal-bangong index 10 permit 10.125.1.0 24
ip ip-prefix internal-bangong index 20 permit 10.125.2.0 24
ip ip-prefix internal-bangong index 30 permit 10.125.3.0 24
ip ip-prefix internal-bangong index 40 permit 10.125.4.0 24
ip ip-prefix internal-shengchan index 10 permit 10.54.1.0 24
ip ip-prefix internal-shengchan index 20 permit 10.54.2.0 24
ip ip-prefix internal-shengchan index 30 permit 10.54.3.0 24
ip ip-prefix internal-shengchan index 40 permit 10.54.4.0 24
ip ip-prefix internal-oa index 10 permit 10.38.1.0 24
ip ip-prefix internal-oa index 20 permit 10.38.2.0 24
ip ip-prefix internal-oa index 30 permit 10.38.3.0 24
ip ip-prefix internal-oa index 40 permit 10.38.4.0 24
#
ip community-filter basic import-oa permit 65000:300
ip community-filter basic import-oa permit 65002:300
#
user-interface con 0
user-interface vty 0 4
#
return

SW3的配置:

===========================================================================

#
sysname SW3
#
vlan batch 2 to 12 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.3000.00
#
interface Vlanif1
ip address 10.200.1.254 255.255.255.0
#
interface Vlanif2
ip address 10.200.2.254 255.255.255.0
#
interface Vlanif3
ip address 10.200.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.200.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.114.1.254 255.255.255.0
#
interface Vlanif6
ip address 10.114.2.254 255.255.255.0
#
interface Vlanif7
ip address 10.114.3.254 255.255.255.0
#
interface Vlanif8
ip address 10.114.4.254 255.255.255.0
#
interface Vlanif9
ip address 10.45.1.254 255.255.255.0
#
interface Vlanif10
ip address 10.45.2.254 255.255.255.0
#
interface Vlanif11
ip address 10.45.3.254 255.255.255.0
#
interface Vlanif12
ip address 10.45.4.254 255.255.255.0
#
interface Vlanif100
ip address 10.10.3.6 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface Vlanif200
ip address 10.10.3.10 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface MEth0/0/1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
eth-trunk 10
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.9 255.255.255.255
isis enable 100
isis circuit-level level-2
#
bgp 65002
router-id 10.255.255.9
graceful-restart
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.5 as-number 65002
peer 10.255.255.5 group internal
peer 10.255.255.6 as-number 65002
peer 10.255.255.6 group internal
#
ipv4-family unicast
undo synchronization
network 10.45.1.0 255.255.255.0
network 10.45.2.0 255.255.255.0
network 10.45.3.0 255.255.255.0
network 10.45.4.0 255.255.255.0
network 10.114.1.0 255.255.255.0
network 10.114.2.0 255.255.255.0
network 10.114.3.0 255.255.255.0
network 10.114.4.0 255.255.255.0
network 10.200.1.0 255.255.255.0
network 10.200.2.0 255.255.255.0
network 10.200.3.0 255.255.255.0
network 10.200.4.0 255.255.255.0
maximum load-balancing ibgp 2
peer internal enable
peer internal route-policy external-import-oa import
peer internal route-policy interna-community export
peer internal advertise-community
peer 10.255.255.5 enable
peer 10.255.255.5 group internal
peer 10.255.255.6 enable
peer 10.255.255.6 group internal
#
route-policy interna-community permit node 10
if-match ip-prefix internal-bangong
apply community 65002:100
#
route-policy interna-community permit node 20
if-match ip-prefix internal-shengchan
apply community 65002:200
#
route-policy interna-community permit node 30
if-match ip-prefix internal-oa
apply community 65002:300
#
route-policy external-import-oa permit node 10
if-match community-filter import-oa
#
ip ip-prefix internal-bangong index 10 permit 10.200.1.0 24
ip ip-prefix internal-bangong index 20 permit 10.200.2.0 24
ip ip-prefix internal-bangong index 30 permit 10.200.3.0 24
ip ip-prefix internal-bangong index 40 permit 10.200.4.0 24
ip ip-prefix internal-shengchan index 10 permit 10.114.1.0 24
ip ip-prefix internal-shengchan index 20 permit 10.114.2.0 24
ip ip-prefix internal-shengchan index 30 permit 10.114.3.0 24
ip ip-prefix internal-shengchan index 40 permit 10.114.4.0 24
ip ip-prefix internal-oa index 10 permit 10.45.1.0 24
ip ip-prefix internal-oa index 20 permit 10.45.2.0 24
ip ip-prefix internal-oa index 30 permit 10.45.3.0 24
ip ip-prefix internal-oa index 40 permit 10.45.4.0 24
#
ip community-filter basic import-oa permit 65001:300
ip community-filter basic import-oa permit 65000:300
#
user-interface con 0
user-interface vty 0 4
#
return

在XRV3上使用show ike sa查看ike的第一阶段

===========================================================================

<XRV3>display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
22 10.201.1.1 0 RD 2
21 10.201.1.1 0 RD|ST 2
15 10.201.1.1 0 RD|ST 1

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP

在XRV3上使用show ipsec sa查看ike的第二阶段

===========================================================================

<XRV3>display ipsec sa

===============================
Interface: GigabitEthernet0/0/1
Path MTU: 1500
===============================

-----------------------------
IPSec policy name: "map1"
Sequence number : 10
Acl Group : 3010
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 21
Encapsulation mode: Tunnel
Tunnel local : 10.201.1.2
Tunnel remote : 10.201.1.1
Flow source : 10.125.0.0/255.255.0.0 0/0
Flow destination : 10.133.0.0/255.255.0.0 0/0
Qos pre-classify : Disable

[Outbound ESP SAs]
SPI: 121135015 (0x7385fa7)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2938
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]
SPI: 3851064655 (0xe58a954f)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2938
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

-----------------------------
IPSec policy name: "map1"
Sequence number : 10
Acl Group : 3010
Acl rule : 10
Mode : ISAKMP
-----------------------------
Connection ID : 22
Encapsulation mode: Tunnel
Tunnel local : 10.201.1.2
Tunnel remote : 10.201.1.1
Flow source : 10.38.0.0/255.255.0.0 0/0
Flow destination : 10.79.0.0/255.255.0.0 0/0
Qos pre-classify : Disable

[Outbound ESP SAs]
SPI: 2545515130 (0x97b97a7a)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2943
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]
SPI: 3831477031 (0xe45fb327)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2943
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

在SW3上使用display ip routing-table protocol bgp 查看路由

===========================================================================

<SW3>display ip routing-table protocol bgp
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : BGP
Destinations : 4 Routes : 4

BGP routing table status : <Active>
Destinations : 4 Routes : 4

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.79.1.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100
10.79.2.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100
10.79.3.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100
10.79.4.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100

BGP routing table status : <Inactive>
Destinations : 0 Routes : 0

在SW3上使用ping探测AS 65000的OA流  10.79.1.254/32

===========================================================================

<SW3>ping -a 10.45.1.254 10.79.1.254
PING 10.79.1.254: 56 data bytes, press CTRL_C to break
Reply from 10.79.1.254: bytes=56 Sequence=1 ttl=254 time=40 ms
Reply from 10.79.1.254: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 10.79.1.254: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 10.79.1.254: bytes=56 Sequence=4 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=5 ttl=254 time=60 ms

--- 10.79.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/46/60 ms

在SW3上使用tracert跟踪AS 65000的OA流  10.79.1.254/32

===========================================================================

<SW3>tracert -a 10.45.1.254 10.79.1.254
traceroute to 10.79.1.254(10.79.1.254), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.201.1.9 10 ms 50 ms 50 ms
2 10.10.1.6 60 ms 50 ms 30 ms

在XRV5上shutdown掉g0/0/2接口,等路由收敛后在SW3上查看路由

===========================================================================

<SW3>display bgp routing-table

BGP Local router ID is 10.255.255.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 16
Network NextHop MED LocPrf PrefVal Path/Ogn

*> 10.45.1.0/24 0.0.0.0 0 0 i
*> 10.45.2.0/24 0.0.0.0 0 0 i
*> 10.45.3.0/24 0.0.0.0 0 0 i
*> 10.45.4.0/24 0.0.0.0 0 0 i
*>i 10.79.1.0/24 10.255.255.6 2000 0 65000i
*>i 10.79.2.0/24 10.255.255.6 2000 0 65000i
*>i 10.79.3.0/24 10.255.255.6 2000 0 65000i
*>i 10.79.4.0/24 10.255.255.6 2000 0 65000i
*> 10.114.1.0/24 0.0.0.0 0 0 i
*> 10.114.2.0/24 0.0.0.0 0 0 i
*> 10.114.3.0/24 0.0.0.0 0 0 i
*> 10.114.4.0/24 0.0.0.0 0 0 i
*> 10.200.1.0/24 0.0.0.0 0 0 i
*> 10.200.2.0/24 0.0.0.0 0 0 i
*> 10.200.3.0/24 0.0.0.0 0 0 i
*> 10.200.4.0/24 0.0.0.0 0 0 i
<SW3>

在SW3上使用ping探测AS 65000的OA流  10.79.1.254/32

===========================================================================

<SW3>ping -a 10.45.1.254 10.79.1.254
PING 10.79.1.254: 56 data bytes, press CTRL_C to break
Reply from 10.79.1.254: bytes=56 Sequence=1 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=2 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=3 ttl=254 time=50 ms
Reply from 10.79.1.254: bytes=56 Sequence=4 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=5 ttl=254 time=60 ms

--- 10.79.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/58/60 ms

<SW3>

在SW3上使用tracert跟踪AS 65000的OA流  10.79.1.254/32

===========================================================================

<SW3>tracert -a 10.45.1.254 10.79.1.254
traceroute to 10.79.1.254(10.79.1.254), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.201.1.13 50 ms 50 ms 40 ms
2 10.10.1.10 50 ms 30 ms 50 ms
<SW3>

huawei 通过BGP的团体属性进行路由控制的更多相关文章

  1. BGP团体属性的应用案例

    XRV1 ===================================================================== version 15.5service times ...

  2. HCNP Routing&Switching之BGP团体属性和团体属性过滤器

    前文我们了解了BGP的路由过滤已经as-path过滤器的使用相关话题,回顾请参考https://www.cnblogs.com/qiuhom-1874/p/15542559.html:今天我们来聊一聊 ...

  3. BGP路由控制属性

    控制BGP路由概述: BGP与IGP不同,其着跟点主要在于不同的AS之间控制路由的传播和选择最佳路由 通过修改BGP基本属性可以实现基本的BGP路由控制和最佳路由的选择 引入其他路由协议发现的路由时. ...

  4. Local-Pref(本地优先属性)路由本地优先术

    Local-Pref(本地优先属性)路由本地优先术: ①:抓取感兴趣流量——前缀与访问——prefix and access ②:创建路由地图——router-map ③:第一法则——permit 1 ...

  5. AS-PATH(路径属性)路由路径欺骗术

    AS-PATH(路径属性)路由路径欺骗术: ①:抓取感兴趣流量——前缀与访问 ②:创建路由地图 ③:路由地图第一法则——permit 10 ④:在第一法则中,匹配(感兴趣流量) ⑤:设置 路径欺骗术— ...

  6. HCNP Routing&Switching之BGP防环机制和路由聚合

    前文我们了解了BGP路由宣告相关话题,回顾请参考https://www.cnblogs.com/qiuhom-1874/p/15440860.html:今天我们来聊一聊BGP防环机制和路由聚合相关话题 ...

  7. HCNP Routing&Switching之BGP路由控制

    前文我们了解了BGP的路由属性和优选规则相关话题,回顾请参考https://www.cnblogs.com/qiuhom-1874/p/15489497.html:今天我们来聊一聊BGP路由控制相关话 ...

  8. BGP:我们不生产路由,而是路由的搬运工

    1.BGP协议自身不能生产路由,它主要通过配置来将本地路由进行发布或者引入其他路由协议产生的路由. 有两种方法, 方法一.在BGP视图下,通过network命令将本地路由发布到BGP路由表中, 通过本 ...

  9. AngularJS路由系列(5)-- UI-Router的路由约束、Resolve属性、路由附加数据、路由进入退出事件

    本系列探寻AngularJS的路由机制,在WebStorm下开发.主要包括: ● UI-Router约束路由参数● UI-Router的Resolve属性● UI-Router给路由附加数据● UI- ...

随机推荐

  1. [React] Modify file structure

    In React app, you might create lots of components. We can use index.js to do both 'import' & 'ex ...

  2. Python 网络爬虫与信息获取(一)—— requests 库的网络爬虫

    1. 安装与测试 进入 cmd(以管理员权限),使用 pip 工具,pip install requests 进行安装: 基本用法: >> import requests >> ...

  3. CEO 系列之一:如何当好创业公司 CEO?(不要用战术的勤奋掩盖战略的懒惰,在创业过程中,最核心问题,就是能把创业情怀变成具体问题。这个问题越具体越好)

    1. 创业公司要先定一个目标,要善于把目标简化, 分解成一个, 一个更具体,更简单的问题2. 针对简单的问题进行聚焦, 做深做强3. 在做的过程中, 把断地推出自己的产品到市场上去试错, 要用事实来证 ...

  4. 通过引入SiteMesh的JSP标签库,解决Freemarker与SiteMesh整合时,自定义SiteMesh标签的问题

    不少web项目,都用到了SiteMesh.SiteMesh可以和JSP.Freemarker等模版进行整合,有一定的好处,当然也有其不好的地方.我个人觉得,如果没有必要,不要在项目中引入太多的工具和技 ...

  5. 全文检索(elasticsearch入门)

    Elasticsearch篇: Elasticsearch是一个采用java语言开发的,基于Lucene构造的开源,分布式的搜索引擎. 设计用于云计算中,能够达到实时搜索,稳定可靠. Elastics ...

  6. make 的参数

    1. -j -j(表示 job 的数目)参数可以对项目在进行并行编译,比如在一台双核的机器上,完全可以用 make -j4,让make 最多允许 4 个编译命令同时执行,这样可以更有效的利用 CPU ...

  7. Struts2——(2)配置文件、通配符

    一.Struts配置文件 (1)struts-default.xml(框架自带) 定义了一些框架自带的Result组件,拦截器组件. <package name="struts-def ...

  8. C# Span 入门

    原文:C# Span 入门 版权声明:博客已迁移到 http://lindexi.gitee.io 欢迎访问.如果当前博客图片看不到,请到 http://lindexi.gitee.io 访问博客.本 ...

  9. WPF 在image控件用鼠标拖拽出矩形

    原文:WPF 在image控件用鼠标拖拽出矩形 版权声明:博客已迁移到 http://lindexi.gitee.io 欢迎访问.如果当前博客图片看不到,请到 http://lindexi.gitee ...

  10. Struts2中文件的上传与下载

    文件上传 1.jsp页面 <s:form action="fileAction" namespace="/file" method="POST& ...