51工具盒子

依楼听风雨
笑看云卷云舒,淡观潮起潮落

华为传统组网-单设备-主备线路-建GER-over-IPSec

项目说明:华为AR和打通骨干,Epoch建BGPSERVER 分流 {#%E9%A1%B9%E7%9B%AE%E8%AF%B4%E6%98%8E%EF%BC%9A%E5%8D%8E%E4%B8%BAar%E5%92%8C%E6%89%93%E9%80%9A%E9%AA%A8%E5%B9%B2%EF%BC%8Cepoch%E5%BB%BAbgpserver-%E5%88%86%E6%B5%81}

拓扑: {#%E6%8B%93%E6%89%91%EF%BC%9A}

1

数据头: {#%E6%95%B0%E6%8D%AE%E5%A4%B4%EF%BC%9A}

date:604889
MAIN
lineid: 604889B1
拨号pe:sha-upe2
拨号ip:58.33.113.122
PE对接:10.20.239.249
CE对接:10.50.44.75

主PE: sha-flr2
WANIP: 10.10.65.188/30
TUNNEL: tun43275
Docking:10.20.239.249
CE 对接: 10.50.44.75
HKIP:103.169.97.50
BGPSERVER IP: 10.10.99.162,10.10.99.163


BACKUP
lineid: 604889B2
拨号pe:szc-upe1
拨号ip:183.3.221.43
PE对接:10.30.43.249
CE对接:10.50.40.30

`PE:szc-bk4
WANIP: 10.11.65.188/30
TUNNEL: tun53275
Docking: 10.30.43.249
CE 对接: 10.50.40.30
HKIP:103.169.97.50
BGPSERVER IP:10.10.99.198,10.10.99.199
`

华为配置: {#%E5%8D%8E%E4%B8%BA%E9%85%8D%E7%BD%AE%EF%BC%9A}

clock timezone bj add 08:00
sys
telnet server enable
sysname 604889B-DMXX-SH
aaa
undo local-user admin
local-user bothwin password irreversible-cipher Tfe28@w%
local-user bothwin privilege level 15
local-user bothwin service-type telnet terminal ssh http

acl number 2707
rule 10 permit source 192.168.0.0 0.0.255.255
rule 20 permit source 172.16.0.0 0.15.255.255
rule 30 permit source 10.0.0.0 0.255.255.255
rule 40 permit source 114.112.238.8 0.0.0.7
rule 50 permit source 192.168.55.250 0
rule 60 permit source 113.105.190.147 0
rule 70 permit source 202.104.174.178 0
rule 80 permit source 120.76.31.146 0
rule 90 permit source 59.37.126.140 0
rule 100 permit source 183.61.239.168 0


user-interface vty 0 4
acl 2707 inbound
authentication-mode aaa
user privilege level 15


ntp-service enable
ntp-service unicast-server 192.168.55.250


hwtacacs-server template fnetlink_tacacs
hwtacacs-server authentication 192.168.55.250
hwtacacs-server authorization 192.168.55.250
hwtacacs-server accounting 192.168.55.250
#认证源IP写主tun的WANIP地址
hwtacacs-server source-ip 10.10.65.190
hwtacacs-server shared-key cipher bothwin


aaa
authentication-scheme fnet_tac
authentication-mode hwtacacs local
authorization-scheme fnet_tac
authorization-mode hwtacacs local
authorization-cmd 15 hwtacacs local
accounting-scheme fnet_tac
accounting start-fail online
accounting interim-fail online
accounting-mode hwtacacs
recording-scheme fnet_tac
recording-mode hwtacacs fnetlink_tacacs
cmd recording-scheme fnet_tac
service-scheme fnet_tac
admin-user privilege level 15
domain fnet_tac
authentication-scheme fnet_tac
accounting-scheme fnet_tac
authorization-scheme fnet_tac
hwtacacs-server fnetlink_tacacs


domain fnet_tac admin


#编号别冲突
interface LoopBack1
description To IPSec
ip address 10.50.44.75 255.255.255.255


interface LoopBack2
description to-backup-ipsec
ip address 10.50.40.30 255.255.255.255


acl number 3333
rule 1 permit ip source 10.50.44.75 0 destination 10.20.239.249 0


acl number 3334
rule 1 permit ip source 10.50.40.30 0 destination 10.30.43.249 0


ike proposal 10
encryption-algorithm 3des
dh group2
authentication-algorithm sha1
sa duration 28800
authentication-method pre-share
integrity-algorithm hmac-sha1-96
prf hmac-sha1


ipsec proposal ipsectran1
esp authentication-algorithm sha1
esp encryption-algorithm 3des


ike peer main
undo version 2
pre-shared-key cipher %\^%#CI$E\<'\^}6UkO=v\&g$:D!O0J8I+vA_,tA\*q0_\*49P%\^%#
ike-proposal 10
remote-address 58.33.113.122
dpd idle-time 30
dpd retry-limit 3
dpd retransmit-interval 30
dpd packet receive if-related enable


ike peer backup
undo version 2
pre-shared-key cipher %\^%#CI$E\<'\^}6UkO=v\&g$:D!O0J8I+vA_,tA\*q0_\*49P%\^%#
ike-proposal 10
remote-address 183.3.221.43
dpd idle-time 30
dpd retry-limit 3
dpd retransmit-interval 30
dpd packet receive if-related enable


ipsec policy S2S-IPSEC 10 isakmp
security acl 3333
pfs dh-group2
ike-peer main
proposal ipsectran1


ipsec policy S2S-IPSEC 20 isakmp
security acl 3334
ike-peer backup
proposal ipsectran1


interface GigabitEthernet0/0/0
undo portswitch
description to-fw-172.16.102.100
ip address 172.16.102.240 255.255.255.0
ipsec policy S2S-IPSEC


interface GigabitEthernet0/0/1
undo portswitch
description to-epoch-eth0-172.16.200.2
ip address 172.16.200.1 255.255.255.252


ip route-static 0.0.0.0 0.0.0.0 172.16.102.100 preference 222 tag 7777
ip route-static 58.33.113.122 255.255.255.255 172.16.102.100 tag 7777
ip route-static 114.113.245.99 255.255.255.255 10.10.65.189 preference 1 tag 7777 description To_zabbix
ip route-static 192.168.55.10 255.255.255.255 10.10.65.189 preference 1 tag 7777 description To_zabbix
ip route-static 192.168.55.250 255.255.255.255 10.10.65.189 preference 1 tag 7777 description To_center
ip route-static 192.168.254.107 255.255.255.255 10.10.65.189 preference 1 tag 7777 description To_netflow


ip route-static 10.20.239.249 255.255.255.255 172.16.102.100 tag 7777
interface Tunnel0/0/1020
description "pri to sha-flr2-tun43275"
mtu 1400
tcp adjust-mss 1300
ip address 10.10.65.190 255.255.255.252
tunnel-protocol gre
source 10.50.44.75
destination 10.20.239.249
qos car outbound cir 10240 pir 10240 cbs 1925120 pbs 3205120 green pass yellow pass red discard


ip route-static 10.30.43.249 255.255.255.255 172.16.102.100 tag 7777
interface Tunnel0/0/1021
description "pri to szc-bk4-tun53275"
mtu 1400
tcp adjust-mss 1300
ip address 10.11.65.190 255.255.255.252
tunnel-protocol gre
source 10.50.40.30
destination 10.30.43.249
qos car outbound cir 10240 pir 10240 cbs 1925120 pbs 3205120 green pass yellow pass red discard


route-policy bgp-To--VPN-Redistribute-Static deny node 100
description Deny Redistribution of Static Routes to MPLS VPN
if-match tag 7777


route-policy bgp-To--VPN-Redistribute-Static permit node 200
if-match tag 8888
apply community 65201:100


route-policy bgp-To--VPN-Redistribute-Static permit node 300
description Redistribute All Other Static Routes Without Tag


route-policy bgp-route-policy-pri-import permit node 100
apply local-preference 200


route-policy bgp-route-policy-pri-import permit node 200


ip ip-prefix bgp-filte-pre-export index 10 permit 172.16.102.0 24 greater-equal 24 less-equal 32
ip ip-prefix bgp-filte-pre-export index 20 permit 10.10.65.188 30 greater-equal 30 less-equal 32
ip ip-prefix bgp-filte-pre-export index 20 permit 10.11.65.188 30 greater-equal 30 less-equal 32

`snmp-agent trap enable
y
snmp-agent sys-info version all
snmp-agent community read both-win
`

赞(2)
未经允许不得转载:工具盒子 » 华为传统组网-单设备-主备线路-建GER-over-IPSec