Primary device data header {#%E4%B8%BB%E8%AE%BE%E5%A4%87%E6%95%B0%E6%8D%AE%E5%A4%B4}
LineID: 601697G1
PE: dgb-vpnpe2
Tunnel: Tunnel0/0/1020
wanip: 10.10.43.244/30
PE peering address: 10.20.241.253
CE peering address: 10.20.241.212
PE AS number: 65000
CE AS number: 65205
Dial-up PE: dgb-upe2
Peering IP: 10.20.241.253
LoopIP: 10.20.241.212
Dial-up IP: 183.60.153.188
Key: both-win
Primary device WAN port (leased-line circuit):
IP: 10.231.231.186/30
Gateway: 10.231.231.185/30
Backup device WAN port (ADSL broadband):
IP: 120.197.159.67/29
Gateway: 120.197.159.65/29
LAN IP:
Primary: 192.168.50.252
Backup: 192.168.50.253
vrrp: 192.168.50.254
Configuration template {#%E9%85%8D%E7%BD%AE%E6%A8%A1%E6%9D%BF}
clock timezone bj add 08:00
system-view
telnet server enable
sysname 601697G1-DGQSDZ-Main
aaa
 undo local-user admin
 local-user bothwin password irreversible-cipher Tfe28@w%
 local-user bothwin privilege level 15
 local-user bothwin service-type telnet terminal ssh http
acl number 2707
 rule 10 permit source 192.168.0.0 0.0.255.255
 rule 20 permit source 172.16.0.0 0.15.255.255
 rule 30 permit source 10.0.0.0 0.255.255.255
 rule 40 permit source 114.112.238.8 0.0.0.7
 rule 50 permit source 192.168.55.250 0
 rule 60 permit source 113.105.190.147 0
 rule 70 permit source 202.104.174.178 0
 rule 80 permit source 120.76.31.146 0
 rule 90 permit source 59.37.126.140 0
 rule 100 permit source 183.61.239.168 0
user-interface vty 0 4
 acl 2707 inbound
 authentication-mode aaa
 user privilege level 15
ntp-service enable
ntp-service unicast-server 192.168.55.250
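ACL 2707 is the only thing standing between the VTY lines and the internet once `telnet server enable` is on, so it is worth checking what it actually admits rather than reading the rules by eye. The following is an added example, not part of the original template: it re-implements Huawei VRP basic-ACL matching (address plus wildcard mask, where a set wildcard bit means "don't care") over the rules above, reports which rule a given source hits, how many addresses each rule covers, and which rules can never fire. It assumes rules are tried in ascending number order, first match wins, and a source matching no rule is denied.

```python
"""Evaluate which sources ACL 2707 admits to the VTY lines.

Added example, not part of the original configuration page. Assumption:
rules are tried in ascending number order, first match wins, and a source
matching no rule is denied (implicit deny).
"""
import ipaddress
import re

# ACL 2707 exactly as it appears in the template above.
ACL_2707 = """\
rule 10 permit source 192.168.0.0 0.0.255.255
rule 20 permit source 172.16.0.0 0.15.255.255
rule 30 permit source 10.0.0.0 0.255.255.255
rule 40 permit source 114.112.238.8 0.0.0.7
rule 50 permit source 192.168.55.250 0
rule 60 permit source 113.105.190.147 0
rule 70 permit source 202.104.174.178 0
rule 80 permit source 120.76.31.146 0
rule 90 permit source 59.37.126.140 0
rule 100 permit source 183.61.239.168 0
"""

RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+source\s+(\S+)\s+(\S+)")


def parse_rules(text):
    """Return [(number, action, network_int, care_mask_int)] sorted by number.

    care_mask is the bitwise inverse of the wildcard: a set bit must match.
    """
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed ACL line: %r" % line)
        num, action, net, wild = m.groups()
        # VRP accepts a bare "0" wildcard for a single host.
        wild_int = int(ipaddress.IPv4Address(wild)) if "." in wild else int(wild)
        care = ~wild_int & 0xFFFFFFFF
        rules.append((int(num), action, int(ipaddress.IPv4Address(net)), care))
    return sorted(rules)


def evaluate(rules, src):
    """Return (action, rule_number); rule_number is None for the implicit deny."""
    ip = int(ipaddress.IPv4Address(src))
    for num, action, net, care in rules:
        if (ip ^ net) & care == 0:
            return action, num
    return "deny", None


def rule_span(rules, number):
    """How many source addresses a rule admits: 2 ** (number of wildcard bits)."""
    for num, _action, _net, care in rules:
        if num == number:
            return 1 << (32 - bin(care).count("1"))
    raise KeyError(number)


def shadowed_rules(rules):
    """Rule numbers that can never fire because an earlier rule already covers
    every address they match (earlier rule cares about a subset of the bits
    and agrees on those bits)."""
    shadowed = []
    for i, (num, _action, net, care) in enumerate(rules):
        for _n, _ea, e_net, e_care in rules[:i]:
            if (e_care & ~care) == 0 and (net ^ e_net) & e_care == 0:
                shadowed.append(num)
                break
    return shadowed


if __name__ == "__main__":
    rules = parse_rules(ACL_2707)
    for src in ("192.168.55.250", "10.20.241.253", "114.112.238.15",
                "114.112.238.16", "8.8.8.8"):
        print(src, evaluate(rules, src))
    print("addresses admitted by rules 10-30:",
          sum(rule_span(rules, n) for n in (10, 20, 30)))
    print("shadowed rules:", shadowed_rules(rules))
```

Running it shows two things the flat rule list hides: rules 10 to 30 admit every RFC 1918 address (over 17 million sources, which on a CE that also terminates a public WAN link means any spoofed or NATed private source reaches the login prompt), and rule 50 is shadowed by rule 10, so the NTP/TACACS server at 192.168.55.250 is admitted by the broad rule rather than the host-specific one.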
AAA configuration {#aaa%E9%85%8D%E7%BD%AE}
hwtacacs-server template fnetlink_tacacs
 hwtacacs-server authentication 192.168.55.250
 hwtacacs-server authorization 192.168.55.250
 hwtacacs-server accounting 192.168.55.250
Set the authentication source IP {#%E8%AE%BE%E5%AE%9A%E8%AE%A4%E8%AF%81%E6%BA%90ip}
 hwtacacs-server source-ip 10.10.43.246   # the authentication source IP is the WAN IP address
 hwtacacs-server shared-key cipher bothwin
aaa
 authentication-scheme fnet_tac
  authentication-mode hwtacacs local
 authorization-scheme fnet_tac
  authorization-mode hwtacacs local
  authorization-cmd 15 hwtacacs local
 accounting-scheme fnet_tac
  accounting start-fail online
  accounting interim-fail online
  accounting-mode hwtacacs
 recording-scheme fnet_tac
  recording-mode hwtacacs fnetlink_tacacs
 cmd recording-scheme fnet_tac
 service-scheme fnet_tac
  admin-user privilege level 15
 domain fnet_tac
  authentication-scheme fnet_tac
  accounting-scheme fnet_tac
  authorization-scheme fnet_tac
  hwtacacs-server fnetlink_tacacs
domain fnet_tac admin
interface LoopBack1   # choose a number that does not conflict with an existing loopback
 description To IPSec
 ip address 10.20.241.212 255.255.255.255
acl number 3333
 rule 1 permit ip source 10.20.241.212 0 destination 10.20.241.253 0
ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 sa duration 28800
 authentication-method pre-share
 integrity-algorithm hmac-sha1-96
 prf hmac-sha1
ipsec proposal ipsectran1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ike peer main
 undo version 2
 pre-shared-key cipher %^%#CI$E<'^}6UkO=v&g$:D!O0J8I+vA_,tA*q0_*49P%^%#
 ike-proposal 10
 remote-address 183.60.153.188
 dpd idle-time 30
 dpd retry-limit 3
 dpd retransmit-interval 30
 dpd packet receive if-related enable
ipsec policy S2S-IPSEC 10 isakmp
 security acl 3333
 pfs dh-group2
 ike-peer main
 proposal ipsectran1
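The IKE and IPsec proposals above pin the tunnel to 3DES, SHA-1 and DH group 2, and the peer disables IKEv2. A reviewer who inherits many of these templates wants that picked up mechanically rather than by rereading each one. The following is an added example, not code from the original page: a small linter that parses VRP's indentation-based blocks (a line at column 0 opens a block, indented lines belong to it) and compares each setting with a table of legacy choices. The notes and suggested replacements in LEGACY are this example's own wording and should be checked against the keyword list of the actual device model; the sample config repeats the page's proposal, peer and policy lines with the pre-shared key replaced by a placeholder.

```python
"""Flag legacy IKE/IPsec settings in a Huawei VRP config fragment.

Added example, not from the original page. The LEGACY table and its notes
are this example's own; SAMPLE_CONFIG copies the page's crypto blocks with
the pre-shared key replaced by a placeholder.
"""

LEGACY = {
    "encryption-algorithm 3des": "IKE 3DES: 64-bit block cipher; prefer aes-256",
    "esp encryption-algorithm 3des": "ESP 3DES: 64-bit block cipher; prefer aes-256",
    "dh group2": "IKE DH group2: 1024-bit MODP; prefer group14 (2048-bit) or larger",
    "pfs dh-group2": "PFS dh-group2: 1024-bit MODP; prefer dh-group14 or larger",
    "authentication-algorithm sha1": "IKEv1 integrity sha1: legacy hash; prefer sha2-256",
    "integrity-algorithm hmac-sha1-96": "IKEv2 integrity hmac-sha1-96: legacy hash; prefer hmac-sha2-256-128",
    "prf hmac-sha1": "IKEv2 PRF hmac-sha1: legacy hash; prefer hmac-sha2-256",
    "esp authentication-algorithm sha1": "ESP integrity sha1: legacy hash; prefer sha2-256",
    "undo version 2": "IKEv2 disabled; the peer negotiates IKEv1 only",
}

# Constructed sample: the page's blocks, PSK replaced by a placeholder.
SAMPLE_CONFIG = """\
ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 sa duration 28800
 authentication-method pre-share
 integrity-algorithm hmac-sha1-96
 prf hmac-sha1
ipsec proposal ipsectran1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ike peer main
 undo version 2
 pre-shared-key cipher PSK-PLACEHOLDER
 ike-proposal 10
 remote-address 183.60.153.188
ipsec policy S2S-IPSEC 10 isakmp
 security acl 3333
 pfs dh-group2
 ike-peer main
 proposal ipsectran1
"""


def parse_blocks(text):
    """Return [(header, [settings])] using VRP's leading-space nesting."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            # Collapse internal whitespace so table lookups are exact.
            blocks[-1][1].append(" ".join(raw.split()))
        else:
            raise ValueError("setting before any block header: %r" % raw)
    return blocks


def lint(text):
    """Return [(block header, setting, note)] for every legacy setting found."""
    findings = []
    for header, settings in parse_blocks(text):
        for setting in settings:
            if setting.startswith("pre-shared-key simple"):
                findings.append((header, setting,
                                 "PSK stored with 'simple' (cleartext); use cipher"))
            elif setting in LEGACY:
                findings.append((header, setting, LEGACY[setting]))
    return findings


def summary(text):
    """Count findings per block so a report can be sorted by where to fix."""
    counts = {}
    for header, _setting, _note in lint(text):
        counts[header] = counts.get(header, 0) + 1
    return counts


if __name__ == "__main__":
    for header, setting, note in lint(SAMPLE_CONFIG):
        print("%-32s %-36s %s" % (header, setting, note))
    print(summary(SAMPLE_CONFIG))
```

On the sample the linter returns nine findings. One of them is worth reading together with the others: on Huawei VRP the `integrity-algorithm` and `prf` lines in an IKE proposal apply to IKEv2, so with `undo version 2` on the peer they are inert, and the tunnel's actual IKEv1 integrity is the `authentication-algorithm sha1` line.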
interface GigabitEthernet0/0/9
 description wan
 ip address 10.231.231.186 255.255.255.252
 ipsec policy S2S-IPSEC
interface GigabitEthernet0/0/0
 undo portswitch
 description "lan vip:192.168.60.254 pri:192.168.60.252 bk:192.168.60.253"
 ip address 192.168.60.252 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.60.254
 vrrp vrid 1 priority 120
ip route-static 0.0.0.0 0.0.0.0 10.231.231.185 preference 222 tag 7777
ip route-static 183.60.153.188 255.255.255.255 10.231.231.185 tag 7777
ip route-static 114.113.245.99 255.255.255.255 10.10.43.245 preference 1 tag 7777 description To_zabbix
ip route-static 192.168.55.10 255.255.255.255 10.10.43.245 preference 1 tag 7777 description To_zabbix
ip route-static 192.168.55.250 255.255.255.255 10.10.43.245 preference 1 tag 7777 description To_center
ip route-static 192.168.254.107 255.255.255.255 10.10.43.245 preference 1 tag 7777 description To_netflow
ip route-static 10.20.241.253 255.255.255.255 10.231.231.185 tag 7777
interface Tunnel0/0/1020
 description "pri to dgb-vpnpe2-Tunnel1020"
 mtu 1400
 tcp adjust-mss 1300
 ip address 10.10.43.246 255.255.255.252
 tunnel-protocol gre
 source 10.20.241.212
 destination 10.20.241.253
 qos car outbound cir 10240 pir 10240 cbs 1925120 pbs 3205120 green pass yellow pass red discard
route-policy bgp-To--VPN-Redistribute-Static deny node 100
 description Deny Redistribution of Static Routes to MPLS VPN
 if-match tag 7777
route-policy bgp-To--VPN-Redistribute-Static permit node 200
 if-match tag 8888
 apply community 65201:100
route-policy bgp-To--VPN-Redistribute-Static permit node 300
 description Redistribute All Other Static Routes Without Tag
route-policy bgp-route-policy-pri-import permit node 100
 apply local-preference 200
route-policy bgp-route-policy-pri-import permit node 200
ip ip-prefix bgp-filte-pre-export index 10 permit 192.168.60.0 24 greater-equal 24 less-equal 32
ip ip-prefix bgp-filte-pre-export index 20 permit 10.10.43.244 30 greater-equal 30 less-equal 32
bgp 65205
 router-id 10.10.43.246
 peer 10.20.241.253 as-number 65000
 peer 192.168.60.253 as-number 65205
 ipv4-family unicast
  undo synchronization
  preference 20 200 200
  filter-policy ip-prefix bgp-filte-pre-export export
  import-route direct
  import-route static route-policy bgp-To--VPN-Redistribute-Static
  peer 10.20.241.253 enable
  peer 10.20.241.253 advertise-community
  peer 10.20.241.253 ip-prefix bgp-filte-pre-export export
  peer 10.20.241.253 route-policy bgp-route-policy-pri-import import
  peer 10.20.241.253 next-hop-local
  peer 192.168.60.253 enable
  peer 192.168.60.253 advertise-community
  peer 192.168.60.253 next-hop-local
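Two filters decide what this CE leaks into the provider's VPN: the route-policy on `import-route static` (node 100 drops anything tagged 7777, node 200 tags 8888 routes with community 65201:100, node 300 lets the rest through) and the ip-prefix list used as the export `filter-policy`. Because every static route in the template carries tag 7777, the effective advertisement is only the LAN and tunnel subnets. The following added example, not code from the original page, models both filters with VRP's first-match and implicit-deny semantics and runs the page's own direct and static routes through them; the `Route` class, the tag-8888 route and the untagged 172.20.0.0/16 route are constructed to exercise nodes 200 and 300.

```python
"""Simulate which routes this CE advertises to the PE over BGP.

Added example, not part of the original template. Models the route-policy
applied to import-route static and the ip-prefix export filter for AS 65205.
Route, and the two routes marked constructed, are this example's own.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str                      # "direct" or "static"
    tag: Optional[int] = None
    community: Tuple[str, ...] = ()


# route-policy bgp-To--VPN-Redistribute-Static:
# (node, action, if-match tag, apply community)
REDISTRIBUTE_STATIC = [
    (100, "deny", 7777, None),
    (200, "permit", 8888, "65201:100"),
    (300, "permit", None, None),
]

# ip ip-prefix bgp-filte-pre-export:
# (index, action, prefix, greater-equal, less-equal)
PREFIX_LIST = [
    (10, "permit", "192.168.60.0/24", 24, 32),
    (20, "permit", "10.10.43.244/30", 30, 32),
]


def apply_route_policy(policy, route):
    """First matching node decides; a node without if-match matches every route.

    Returns the (possibly modified) route on permit, None on deny or when no
    node matches (VRP route-policies end with an implicit deny).
    """
    for _node, action, match_tag, community in sorted(policy):
        if match_tag is not None and route.tag != match_tag:
            continue
        if action == "deny":
            return None
        if community:
            return replace(route, community=route.community + (community,))
        return route
    return None


def prefix_list_permits(plist, prefix):
    """ip-prefix semantics: the route must lie inside the listed prefix and
    its mask length must fall within [greater-equal, less-equal]; implicit
    deny when no index matches."""
    net = ipaddress.ip_network(prefix)
    for _index, action, base, ge, le in sorted(plist):
        if net.subnet_of(ipaddress.ip_network(base)) and ge <= net.prefixlen <= le:
            return action == "permit"
    return False


def bgp_export(routes):
    """Return {prefix: communities} for routes that reach the PE peer.

    import-route direct has no policy; import-route static passes through
    REDISTRIBUTE_STATIC; both then face the export filter-policy.
    """
    advertised = {}
    for route in routes:
        if route.source == "static":
            route = apply_route_policy(REDISTRIBUTE_STATIC, route)
            if route is None:
                continue
        if prefix_list_permits(PREFIX_LIST, route.prefix):
            advertised[route.prefix] = route.community
    return advertised


# Routes the page's interfaces and static routes produce, plus two
# constructed static routes to exercise nodes 200 and 300.
SAMPLE_ROUTES = [
    Route("192.168.60.0/24", "direct"),
    Route("10.10.43.244/30", "direct"),
    Route("10.231.231.184/30", "direct"),
    Route("10.20.241.212/32", "direct"),
    Route("0.0.0.0/0", "static", 7777),
    Route("183.60.153.188/32", "static", 7777),
    Route("10.20.241.253/32", "static", 7777),
    Route("192.168.60.128/25", "static", 8888),   # constructed
    Route("172.20.0.0/16", "static"),             # constructed, untagged
]

if __name__ == "__main__":
    for prefix, communities in sorted(bgp_export(SAMPLE_ROUTES).items()):
        print(prefix, communities or "(no community)")
```

The result is three prefixes: 192.168.60.0/24 and 10.10.43.244/30 from `import-route direct`, and the constructed 192.168.60.128/25 with community 65201:100. The WAN /30, the loopback /32 and the untagged 172.20.0.0/16 pass their policy stage but fall to the prefix list's implicit deny, which is the layer that keeps the public WAN addressing and the default route out of the VPN even if someone later adds a static route without the 7777 tag.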
snmp-agent trap enable
snmp-agent sys-info version all
snmp-agent community read both-win