Huawei: route control using the BGP community attribute
Network topology
XRV1 configuration:
===========================================================================
#
sysname XRV1
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.133.0.0 0.0.255.255 destination 10.125.0.0 0.0.255.255
rule 10 permit ip source 10.79.0.0 0.0.255.255 destination 10.38.0.0 0.0.255.255
acl number 3020
rule 5 permit ip source 10.158.0.0 0.0.255.255 destination 10.114.0.0 0.0.255.255
rule 10 permit ip source 10.79.0.0 0.0.255.255 destination 10.45.0.0 0.0.255.255
#
ipsec proposal tran1
ipsec proposal tran2
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.2
ike peer spuc v1
pre-shared-key simple huawei
remote-address 10.201.1.10
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
ipsec policy map2 10 isakmp
security acl 3020
ike-peer spuc
proposal tran2
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.1000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.1.1 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.1 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.201.1.9 255.255.255.252
ipsec policy map2
#
interface GigabitEthernet1/0/0
ip address 10.10.1.5 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.1 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.2 source-ip 10.201.1.1
#
bfd 20 bind peer-ip 10.201.1.10 source-ip 10.201.1.9
#
bgp 65000
router-id 10.255.255.1
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.2 as-number 65001
peer 10.201.1.2 group external
peer 10.201.1.10 as-number 65002
peer 10.201.1.10 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.2 as-number 65000
peer 10.255.255.2 group internal
peer 10.255.255.7 as-number 65000
peer 10.255.255.7 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.2 enable
peer 10.201.1.2 group external
peer 10.201.1.10 enable
peer 10.201.1.10 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.2 enable
peer 10.255.255.2 group internal
peer 10.255.255.7 enable
peer 10.255.255.7 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-bangong-export
apply as-path 65000 65000 65000 65000 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65001-bangong-import
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65001-oa-import
apply local-preference 2000
#
ip ip-prefix internal-bangong-export index 10 permit 10.133.1.0 24
ip ip-prefix internal-bangong-export index 20 permit 10.133.2.0 24
ip ip-prefix internal-bangong-export index 30 permit 10.133.3.0 24
ip ip-prefix internal-bangong-export index 40 permit 10.133.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.79.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.79.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.79.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.79.4.0 24
ip ip-prefix external-as65001-oa-import index 10 permit 10.38.1.0 24
ip ip-prefix external-as65001-oa-import index 20 permit 10.38.2.0 24
ip ip-prefix external-as65001-oa-import index 30 permit 10.38.3.0 24
ip ip-prefix external-as65001-oa-import index 40 permit 10.38.4.0 24
ip ip-prefix external-as65001-bangong-import index 10 permit 10.125.1.0 24
ip ip-prefix external-as65001-bangong-import index 20 permit 10.125.2.0 24
ip ip-prefix external-as65001-bangong-import index 30 permit 10.125.3.0 24
ip ip-prefix external-as65001-bangong-import index 40 permit 10.125.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
XRV2 configuration:
===========================================================================
#
sysname XRV2
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.158.0.0 0.0.255.255 destination 10.54.0.0 0.0.255.255
rule 10 permit ip source 10.38.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
acl number 3020
rule 5 permit ip source 10.158.0.0 0.0.255.255 destination 10.114.0.0 0.0.255.255
rule 10 permit ip source 10.79.0.0 0.0.255.255 destination 10.45.0.0 0.0.255.255
#
ipsec proposal tran1
ipsec proposal tran2
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.6
ike peer spuc v1
pre-shared-key simple huawei
remote-address 10.201.1.14
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
ipsec policy map2 10 isakmp
security acl 3020
ike-peer spuc
proposal tran2
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.2000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.1.2 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.5 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.201.1.13 255.255.255.252
ipsec policy map2
#
interface GigabitEthernet1/0/0
ip address 10.10.1.9 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.2 255.255.255.255
isis enable 100
#
bfd 20 bind peer-ip 10.201.1.14 source-ip 10.201.1.13
#
bgp 65000
router-id 10.255.255.2
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.6 as-number 65001
peer 10.201.1.6 group external
peer 10.201.1.14 as-number 65002
peer 10.201.1.14 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.1 as-number 65000
peer 10.255.255.1 group internal
peer 10.255.255.7 as-number 65000
peer 10.255.255.7 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer 10.201.1.6 enable
peer 10.201.1.6 group external
peer 10.201.1.14 enable
peer 10.201.1.14 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.1 enable
peer 10.255.255.1 group internal
peer 10.255.255.7 enable
peer 10.255.255.7 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-shengchan-export
apply as-path 65000 65000 65000 65000 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65001-shengchan-import
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65001-oa-import
apply local-preference 2000
#
ip ip-prefix internal-shengchan-export index 10 permit 10.133.1.0 24
ip ip-prefix internal-shengchan-export index 20 permit 10.133.2.0 24
ip ip-prefix internal-shengchan-export index 30 permit 10.133.3.0 24
ip ip-prefix internal-shengchan-export index 40 permit 10.133.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.79.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.79.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.79.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.79.4.0 24
ip ip-prefix external-as65001-shengchan-import index 10 permit 10.54.1.0 24
ip ip-prefix external-as65001-shengchan-import index 20 permit 10.54.2.0 24
ip ip-prefix external-as65001-shengchan-import index 30 permit 10.54.3.0 24
ip ip-prefix external-as65001-shengchan-import index 40 permit 10.54.4.0 24
ip ip-prefix external-as65001-oa-import index 10 permit 10.38.1.0 24
ip ip-prefix external-as65001-oa-import index 20 permit 10.38.2.0 24
ip ip-prefix external-as65001-oa-import index 30 permit 10.38.3.0 24
ip ip-prefix external-as65001-oa-import index 40 permit 10.38.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
XRV3 configuration:
===========================================================================
#
sysname XRV3
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.125.0.0 0.0.255.255 destination 10.133.0.0 0.0.255.255
rule 10 permit ip source 10.38.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.1
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.3000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.2.1 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.2 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.10.2.5 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.3 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.1 source-ip 10.201.1.2
#
bgp 65001
router-id 10.255.255.3
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.1 as-number 65000
peer 10.201.1.1 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.4 as-number 65001
peer 10.255.255.4 group internal
peer 10.255.255.8 as-number 65001
peer 10.255.255.8 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.1 enable
peer 10.201.1.1 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.4 enable
peer 10.255.255.4 group internal
peer 10.255.255.8 enable
peer 10.255.255.8 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-bangong-export
apply as-path 65001 65001 65001 65001 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-bangong
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-bangong-export index 10 permit 10.125.1.0 24
ip ip-prefix internal-bangong-export index 20 permit 10.125.2.0 24
ip ip-prefix internal-bangong-export index 30 permit 10.125.3.0 24
ip ip-prefix internal-bangong-export index 40 permit 10.125.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.38.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.38.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.38.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.38.4.0 24
ip ip-prefix external-as65000-bangong index 10 permit 10.158.1.0 24
ip ip-prefix external-as65000-bangong index 20 permit 10.158.2.0 24
ip ip-prefix external-as65000-bangong index 30 permit 10.158.3.0 24
ip ip-prefix external-as65000-bangong index 40 permit 10.158.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
XRV4 configuration:
===========================================================================
#
sysname XRV4
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.54.0.0 0.0.255.255 destination 10.158.0.0 0.0.255.255
rule 10 permit ip source 10.38.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.5
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.4000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.2.2 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.6 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.10.2.9 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.4 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.5 source-ip 10.201.1.6
#
bgp 65001
router-id 10.255.255.4
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.5 as-number 65000
peer 10.201.1.5 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.3 as-number 65001
peer 10.255.255.3 group internal
peer 10.255.255.8 as-number 65001
peer 10.255.255.8 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.5 enable
peer 10.201.1.5 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.3 enable
peer 10.255.255.3 group internal
peer 10.255.255.8 enable
peer 10.255.255.8 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-shengchan-export
apply as-path 65001 65001 65001 65001 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-shengchan
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-shengchan-export index 10 permit 10.54.1.0 24
ip ip-prefix internal-shengchan-export index 20 permit 10.54.2.0 24
ip ip-prefix internal-shengchan-export index 30 permit 10.54.3.0 24
ip ip-prefix internal-shengchan-export index 40 permit 10.54.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.38.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.38.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.38.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.38.4.0 24
ip ip-prefix external-as65000-shengchan index 10 permit 10.133.1.0 24
ip ip-prefix external-as65000-shengchan index 20 permit 10.133.2.0 24
ip ip-prefix external-as65000-shengchan index 30 permit 10.133.3.0 24
ip ip-prefix external-as65000-shengchan index 40 permit 10.133.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
XRV5 configuration:
===========================================================================
#
sysname XRV5
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.200.0.0 0.0.255.255 destination 10.133.0.0 0.0.255.255
rule 10 permit ip source 10.45.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.9
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.5000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.3.1 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.10.3.5 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/2
ip address 10.201.1.10 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.5 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.9 source-ip 10.201.1.10
#
bgp 65002
router-id 10.255.255.5
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.9 as-number 65000
peer 10.201.1.9 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.6 as-number 65002
peer 10.255.255.6 group internal
peer 10.255.255.9 as-number 65002
peer 10.255.255.9 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.9 enable
peer 10.201.1.9 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.6 enable
peer 10.255.255.6 group internal
peer 10.255.255.9 enable
peer 10.255.255.9 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-bangong-export
apply as-path 65002 65002 65002 65002 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-bangong
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-bangong-export index 10 permit 10.200.1.0 24
ip ip-prefix internal-bangong-export index 20 permit 10.200.2.0 24
ip ip-prefix internal-bangong-export index 30 permit 10.200.3.0 24
ip ip-prefix internal-bangong-export index 40 permit 10.200.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.45.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.45.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.45.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.45.4.0 24
ip ip-prefix external-as65000-bangong index 10 permit 10.158.1.0 24
ip ip-prefix external-as65000-bangong index 20 permit 10.158.2.0 24
ip ip-prefix external-as65000-bangong index 30 permit 10.158.3.0 24
ip ip-prefix external-as65000-bangong index 40 permit 10.158.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
XRV6 configuration:
===========================================================================
#
sysname XRV6
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.114.0.0 0.0.255.255 destination 10.158.0.0 0.0.255.255
rule 10 permit ip source 10.45.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.13
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.6000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.3.2 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.10.3.9 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/2
ip address 10.201.1.14 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.6 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.13 source-ip 10.201.1.14
#
bgp 65002
router-id 10.255.255.6
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.13 as-number 65000
peer 10.201.1.13 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.5 as-number 65002
peer 10.255.255.5 group internal
peer 10.255.255.9 as-number 65002
peer 10.255.255.9 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.13 enable
peer 10.201.1.13 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.5 enable
peer 10.255.255.5 group internal
peer 10.255.255.9 enable
peer 10.255.255.9 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-shengchan-export
apply as-path 65002 65002 65002 65002 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-shengchan
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-shengchan-export index 10 permit 10.114.1.0 24
ip ip-prefix internal-shengchan-export index 20 permit 10.114.2.0 24
ip ip-prefix internal-shengchan-export index 30 permit 10.114.3.0 24
ip ip-prefix internal-shengchan-export index 40 permit 10.114.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.45.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.45.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.45.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.45.4.0 24
ip ip-prefix external-as65000-shengchan index 10 permit 10.133.1.0 24
ip ip-prefix external-as65000-shengchan index 20 permit 10.133.2.0 24
ip ip-prefix external-as65000-shengchan index 30 permit 10.133.3.0 24
ip ip-prefix external-as65000-shengchan index 40 permit 10.133.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
SW1 configuration:
===========================================================================
#
sysname SW1
#
vlan batch 2 to 12 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.7000.00
#
interface Vlanif1
ip address 10.158.1.254 255.255.255.0
#
interface Vlanif2
ip address 10.158.2.254 255.255.255.0
#
interface Vlanif3
ip address 10.158.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.158.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.133.1.254 255.255.255.0
#
interface Vlanif6
ip address 10.133.2.254 255.255.255.0
#
interface Vlanif7
ip address 10.133.3.254 255.255.255.0
#
interface Vlanif8
ip address 10.133.4.254 255.255.255.0
#
interface Vlanif9
ip address 10.79.1.254 255.255.255.0
#
interface Vlanif10
ip address 10.79.2.254 255.255.255.0
#
interface Vlanif11
ip address 10.79.3.254 255.255.255.0
#
interface Vlanif12
ip address 10.79.4.254 255.255.255.0
#
interface Vlanif100
ip address 10.10.1.6 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface Vlanif200
ip address 10.10.1.10 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface MEth0/0/1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/3
eth-trunk 10
#
interface GigabitEthernet0/0/4
eth-trunk 10
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.7 255.255.255.255
isis enable 100
#
bgp 65000
router-id 10.255.255.7
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.1 as-number 65000
peer 10.255.255.1 group internal
peer 10.255.255.2 as-number 65000
peer 10.255.255.2 group internal
#
ipv4-family unicast
undo synchronization
network 10.79.1.0 255.255.255.0
network 10.79.2.0 255.255.255.0
network 10.79.3.0 255.255.255.0
network 10.79.4.0 255.255.255.0
network 10.133.1.0 255.255.255.0
network 10.133.2.0 255.255.255.0
network 10.133.3.0 255.255.255.0
network 10.133.4.0 255.255.255.0
network 10.158.1.0 255.255.255.0
network 10.158.2.0 255.255.255.0
network 10.158.3.0 255.255.255.0
network 10.158.4.0 255.255.255.0
maximum load-balancing ibgp 2
peer internal enable
peer internal route-policy external-import-oa import
peer internal route-policy interna-community export
peer internal advertise-community
peer 10.255.255.1 enable
peer 10.255.255.1 group internal
peer 10.255.255.2 enable
peer 10.255.255.2 group internal
#
route-policy interna-community permit node 10
if-match ip-prefix internal-bangong
apply community 65000:100
#
route-policy interna-community permit node 20
if-match ip-prefix internal-shengchan
apply community 65000:200
#
route-policy interna-community permit node 30
if-match ip-prefix internal-oa
apply community 65000:300
#
route-policy external-import-oa permit node 10
if-match community-filter import-oa
#
ip ip-prefix internal-bangong index 10 permit 10.158.1.0 24
ip ip-prefix internal-bangong index 20 permit 10.158.2.0 24
ip ip-prefix internal-bangong index 30 permit 10.158.3.0 24
ip ip-prefix internal-bangong index 40 permit 10.158.4.0 24
ip ip-prefix internal-shengchan index 10 permit 10.133.1.0 24
ip ip-prefix internal-shengchan index 20 permit 10.133.2.0 24
ip ip-prefix internal-shengchan index 30 permit 10.133.3.0 24
ip ip-prefix internal-shengchan index 40 permit 10.133.4.0 24
ip ip-prefix internal-oa index 10 permit 10.79.1.0 24
ip ip-prefix internal-oa index 20 permit 10.79.2.0 24
ip ip-prefix internal-oa index 30 permit 10.79.3.0 24
ip ip-prefix internal-oa index 40 permit 10.79.4.0 24
#
ip community-filter basic import-oa permit 65001:300
ip community-filter basic import-oa permit 65002:300
#
user-interface con 0
user-interface vty 0 4
#
return
SW2 configuration:
===========================================================================
#
sysname SW2
#
vlan batch 2 to 12 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.8000.00
#
interface Vlanif1
ip address 10.125.1.254 255.255.255.0
#
interface Vlanif2
ip address 10.125.2.254 255.255.255.0
#
interface Vlanif3
ip address 10.125.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.125.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.54.1.254 255.255.255.0
#
interface Vlanif6
ip address 10.54.2.254 255.255.255.0
#
interface Vlanif7
ip address 10.54.3.254 255.255.255.0
#
interface Vlanif8
ip address 10.54.4.254 255.255.255.0
#
interface Vlanif9
ip address 10.38.1.254 255.255.255.0
#
interface Vlanif10
ip address 10.38.2.254 255.255.255.0
#
interface Vlanif11
ip address 10.38.3.254 255.255.255.0
#
interface Vlanif12
ip address 10.38.4.254 255.255.255.0
#
interface Vlanif100
ip address 10.10.2.6 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface Vlanif200
ip address 10.10.2.10 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.8 255.255.255.255
isis enable 100
#
bgp 65001
router-id 10.255.255.8
graceful-restart
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.3 as-number 65001
peer 10.255.255.3 group internal
peer 10.255.255.4 as-number 65001
peer 10.255.255.4 group internal
#
ipv4-family unicast
undo synchronization
network 10.38.1.0 255.255.255.0
network 10.38.2.0 255.255.255.0
network 10.38.3.0 255.255.255.0
network 10.38.4.0 255.255.255.0
network 10.54.1.0 255.255.255.0
network 10.54.2.0 255.255.255.0
network 10.54.3.0 255.255.255.0
network 10.54.4.0 255.255.255.0
network 10.125.1.0 255.255.255.0
network 10.125.2.0 255.255.255.0
network 10.125.3.0 255.255.255.0
network 10.125.4.0 255.255.255.0
maximum load-balancing ibgp 2
peer internal enable
peer internal route-policy external-import-oa import
peer internal route-policy interna-community export
peer internal advertise-community
peer 10.255.255.3 enable
peer 10.255.255.3 group internal
peer 10.255.255.4 enable
peer 10.255.255.4 group internal
#
route-policy interna-community permit node 10
if-match ip-prefix internal-bangong
apply community 65001:100
#
route-policy interna-community permit node 20
if-match ip-prefix internal-shengchan
apply community 65001:200
#
route-policy interna-community permit node 30
if-match ip-prefix internal-oa
apply community 65001:300
#
route-policy external-import-oa permit node 10
if-match community-filter import-oa
#
ip ip-prefix internal-bangong index 10 permit 10.125.1.0 24
ip ip-prefix internal-bangong index 20 permit 10.125.2.0 24
ip ip-prefix internal-bangong index 30 permit 10.125.3.0 24
ip ip-prefix internal-bangong index 40 permit 10.125.4.0 24
ip ip-prefix internal-shengchan index 10 permit 10.54.1.0 24
ip ip-prefix internal-shengchan index 20 permit 10.54.2.0 24
ip ip-prefix internal-shengchan index 30 permit 10.54.3.0 24
ip ip-prefix internal-shengchan index 40 permit 10.54.4.0 24
ip ip-prefix internal-oa index 10 permit 10.38.1.0 24
ip ip-prefix internal-oa index 20 permit 10.38.2.0 24
ip ip-prefix internal-oa index 30 permit 10.38.3.0 24
ip ip-prefix internal-oa index 40 permit 10.38.4.0 24
#
ip community-filter basic import-oa permit 65000:300
ip community-filter basic import-oa permit 65002:300
#
user-interface con 0
user-interface vty 0 4
#
return
SW3 configuration:
===========================================================================
#
sysname SW3
#
vlan batch 2 to 12 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.3000.00
#
interface Vlanif1
ip address 10.200.1.254 255.255.255.0
#
interface Vlanif2
ip address 10.200.2.254 255.255.255.0
#
interface Vlanif3
ip address 10.200.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.200.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.114.1.254 255.255.255.0
#
interface Vlanif6
ip address 10.114.2.254 255.255.255.0
#
interface Vlanif7
ip address 10.114.3.254 255.255.255.0
#
interface Vlanif8
ip address 10.114.4.254 255.255.255.0
#
interface Vlanif9
ip address 10.45.1.254 255.255.255.0
#
interface Vlanif10
ip address 10.45.2.254 255.255.255.0
#
interface Vlanif11
ip address 10.45.3.254 255.255.255.0
#
interface Vlanif12
ip address 10.45.4.254 255.255.255.0
#
interface Vlanif100
ip address 10.10.3.6 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface Vlanif200
ip address 10.10.3.10 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface MEth0/0/1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
eth-trunk 10
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.9 255.255.255.255
isis enable 100
isis circuit-level level-2
#
bgp 65002
router-id 10.255.255.9
graceful-restart
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.5 as-number 65002
peer 10.255.255.5 group internal
peer 10.255.255.6 as-number 65002
peer 10.255.255.6 group internal
#
ipv4-family unicast
undo synchronization
network 10.45.1.0 255.255.255.0
network 10.45.2.0 255.255.255.0
network 10.45.3.0 255.255.255.0
network 10.45.4.0 255.255.255.0
network 10.114.1.0 255.255.255.0
network 10.114.2.0 255.255.255.0
network 10.114.3.0 255.255.255.0
network 10.114.4.0 255.255.255.0
network 10.200.1.0 255.255.255.0
network 10.200.2.0 255.255.255.0
network 10.200.3.0 255.255.255.0
network 10.200.4.0 255.255.255.0
maximum load-balancing ibgp 2
peer internal enable
peer internal route-policy external-import-oa import
peer internal route-policy interna-community export
peer internal advertise-community
peer 10.255.255.5 enable
peer 10.255.255.5 group internal
peer 10.255.255.6 enable
peer 10.255.255.6 group internal
#
route-policy interna-community permit node 10
if-match ip-prefix internal-bangong
apply community 65002:100
#
route-policy interna-community permit node 20
if-match ip-prefix internal-shengchan
apply community 65002:200
#
route-policy interna-community permit node 30
if-match ip-prefix internal-oa
apply community 65002:300
#
route-policy external-import-oa permit node 10
if-match community-filter import-oa
#
ip ip-prefix internal-bangong index 10 permit 10.200.1.0 24
ip ip-prefix internal-bangong index 20 permit 10.200.2.0 24
ip ip-prefix internal-bangong index 30 permit 10.200.3.0 24
ip ip-prefix internal-bangong index 40 permit 10.200.4.0 24
ip ip-prefix internal-shengchan index 10 permit 10.114.1.0 24
ip ip-prefix internal-shengchan index 20 permit 10.114.2.0 24
ip ip-prefix internal-shengchan index 30 permit 10.114.3.0 24
ip ip-prefix internal-shengchan index 40 permit 10.114.4.0 24
ip ip-prefix internal-oa index 10 permit 10.45.1.0 24
ip ip-prefix internal-oa index 20 permit 10.45.2.0 24
ip ip-prefix internal-oa index 30 permit 10.45.3.0 24
ip ip-prefix internal-oa index 40 permit 10.45.4.0 24
#
ip community-filter basic import-oa permit 65001:300
ip community-filter basic import-oa permit 65000:300
#
user-interface con 0
user-interface vty 0 4
#
return
On XRV3, use display ike sa to check IKE phase 1
===========================================================================
<XRV3>display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
22 10.201.1.1 0 RD 2
21 10.201.1.1 0 RD|ST 2
15 10.201.1.1 0 RD|ST 1
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
On XRV3, use display ipsec sa to check IKE phase 2
===========================================================================
<XRV3>display ipsec sa
===============================
Interface: GigabitEthernet0/0/1
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "map1"
Sequence number : 10
Acl Group : 3010
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 21
Encapsulation mode: Tunnel
Tunnel local : 10.201.1.2
Tunnel remote : 10.201.1.1
Flow source : 10.125.0.0/255.255.0.0 0/0
Flow destination : 10.133.0.0/255.255.0.0 0/0
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 121135015 (0x7385fa7)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2938
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 3851064655 (0xe58a954f)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2938
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
-----------------------------
IPSec policy name: "map1"
Sequence number : 10
Acl Group : 3010
Acl rule : 10
Mode : ISAKMP
-----------------------------
Connection ID : 22
Encapsulation mode: Tunnel
Tunnel local : 10.201.1.2
Tunnel remote : 10.201.1.1
Flow source : 10.38.0.0/255.255.0.0 0/0
Flow destination : 10.79.0.0/255.255.0.0 0/0
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 2545515130 (0x97b97a7a)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2943
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N
[Inbound ESP SAs]
SPI: 3831477031 (0xe45fb327)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2943
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
On SW3, use display ip routing-table protocol bgp to view the routes
===========================================================================
<SW3>display ip routing-table protocol bgp
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : BGP
Destinations : 4 Routes : 4
BGP routing table status : <Active>
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.79.1.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100
10.79.2.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100
10.79.3.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100
10.79.4.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100
BGP routing table status : <Inactive>
Destinations : 0 Routes : 0
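The routing table above holds only the 10.79.x.0/24 OA prefixes. The Python model below is an added example, not part of the original post: it evaluates the page's export policy (AS 65000 side) and SW3's import policy to show why the office and production prefixes never reach that table. The function names are hypothetical, the export excerpt is abridged to one prefix per list, and the model assumes communities are carried unchanged on every hop between the ASes and covers only the permit entries and match types used on this page.

```python
import ipaddress
# Constructed excerpt of the AS 65000 export side (one prefix per list, for brevity).
EXPORT_CFG = """
route-policy interna-community permit node 10
 if-match ip-prefix internal-bangong
 apply community 65000:100
route-policy interna-community permit node 20
 if-match ip-prefix internal-shengchan
 apply community 65000:200
route-policy interna-community permit node 30
 if-match ip-prefix internal-oa
 apply community 65000:300
ip ip-prefix internal-bangong index 10 permit 10.158.1.0 24
ip ip-prefix internal-shengchan index 10 permit 10.133.1.0 24
ip ip-prefix internal-oa index 10 permit 10.79.1.0 24
"""
# SW3's import side, as configured on the page.
IMPORT_CFG = """
route-policy external-import-oa permit node 10
 if-match community-filter import-oa
ip community-filter basic import-oa permit 65001:300
ip community-filter basic import-oa permit 65000:300
"""

def parse(cfg):  # -> (policy nodes, prefix lists, basic community filters)
    nodes, plists, cfilters = [], {}, {}
    for w in (line.split() for line in cfg.strip().splitlines()):
        if w[0] == "route-policy":
            nodes.append({"name": w[1], "action": w[2], "match": [], "set": None})
        elif w[0] == "if-match":
            nodes[-1]["match"].append((w[1], w[2]))
        elif w[:2] == ["apply", "community"]:
            nodes[-1]["set"] = frozenset(w[2:])
        elif w[:2] == ["ip", "ip-prefix"]:          # only "permit" entries are modelled
            plists.setdefault(w[2], []).append(ipaddress.ip_network(f"{w[6]}/{w[7]}"))
        elif w[:3] == ["ip", "community-filter", "basic"]:
            cfilters.setdefault(w[3], []).append(frozenset(w[5:]))
    return nodes, plists, cfilters

def evaluate(policy, cfg, prefix, communities=frozenset()):
    """Return the route's communities after `policy`, or None if the route is denied."""
    nodes, plists, cfilters = parse(cfg)
    net, have = ipaddress.ip_network(prefix), frozenset(communities)
    for node in (n for n in nodes if n["name"] == policy):
        ok = True
        for kind, name in node["match"]:
            if kind == "ip-prefix":           # no ge/le: prefix and length must match exactly
                ok = ok and net in plists.get(name, [])
            elif kind == "community-filter":  # entries are ORed; values in one entry are ANDed
                ok = ok and any(e <= have for e in cfilters.get(name, []))
        if ok:  # first matching node decides; "apply community" without "additive" replaces
            new = node["set"] if node["set"] is not None else have
            return new if node["action"] == "permit" else None
    return None                               # no node matched: implicit deny

def accepted_by_sw3(prefix):
    """Export from AS 65000, then import on SW3 (communities assumed carried unchanged)."""
    tagged = evaluate("interna-community", EXPORT_CFG, prefix)
    return tagged is not None and evaluate("external-import-oa", IMPORT_CFG, prefix, tagged) is not None
```

Because both policies end in an implicit deny, a prefix missing from every ip-prefix list is never exported, and a route arriving without a listed community is dropped on import.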
On SW3, use ping to probe the AS 65000 OA flow 10.79.1.254/32
===========================================================================
<SW3>ping -a 10.45.1.254 10.79.1.254
PING 10.79.1.254: 56 data bytes, press CTRL_C to break
Reply from 10.79.1.254: bytes=56 Sequence=1 ttl=254 time=40 ms
Reply from 10.79.1.254: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 10.79.1.254: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 10.79.1.254: bytes=56 Sequence=4 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=5 ttl=254 time=60 ms
--- 10.79.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/46/60 ms
On SW3, use tracert to trace the AS 65000 OA flow 10.79.1.254/32
===========================================================================
<SW3>tracert -a 10.45.1.254 10.79.1.254
traceroute to 10.79.1.254(10.79.1.254), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.201.1.9 10 ms 50 ms 50 ms
2 10.10.1.6 60 ms 50 ms 30 ms
Shut down interface g0/0/2 on XRV5, wait for routing to converge, then view the routes on SW3
===========================================================================
<SW3>display bgp routing-table
BGP Local router ID is 10.255.255.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 16
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 10.45.1.0/24 0.0.0.0 0 0 i
*> 10.45.2.0/24 0.0.0.0 0 0 i
*> 10.45.3.0/24 0.0.0.0 0 0 i
*> 10.45.4.0/24 0.0.0.0 0 0 i
*>i 10.79.1.0/24 10.255.255.6 2000 0 65000i
*>i 10.79.2.0/24 10.255.255.6 2000 0 65000i
*>i 10.79.3.0/24 10.255.255.6 2000 0 65000i
*>i 10.79.4.0/24 10.255.255.6 2000 0 65000i
*> 10.114.1.0/24 0.0.0.0 0 0 i
*> 10.114.2.0/24 0.0.0.0 0 0 i
*> 10.114.3.0/24 0.0.0.0 0 0 i
*> 10.114.4.0/24 0.0.0.0 0 0 i
*> 10.200.1.0/24 0.0.0.0 0 0 i
*> 10.200.2.0/24 0.0.0.0 0 0 i
*> 10.200.3.0/24 0.0.0.0 0 0 i
*> 10.200.4.0/24 0.0.0.0 0 0 i
<SW3>
On SW3, use ping to probe the AS 65000 OA flow 10.79.1.254/32
===========================================================================
<SW3>ping -a 10.45.1.254 10.79.1.254
PING 10.79.1.254: 56 data bytes, press CTRL_C to break
Reply from 10.79.1.254: bytes=56 Sequence=1 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=2 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=3 ttl=254 time=50 ms
Reply from 10.79.1.254: bytes=56 Sequence=4 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=5 ttl=254 time=60 ms
--- 10.79.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/58/60 ms
<SW3>
On SW3, use tracert to trace the AS 65000 OA flow 10.79.1.254/32
===========================================================================
<SW3>tracert -a 10.45.1.254 10.79.1.254
traceroute to 10.79.1.254(10.79.1.254), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.201.1.13 50 ms 50 ms 40 ms
2 10.10.1.10 50 ms 30 ms 50 ms
<SW3>