Huawei traditional networking: single device, primary/backup lines, GRE over IPsec

Project description: a Huawei AR connects to the backbone, and the Epoch device runs a BGP server for traffic splitting.

Topology:

(topology diagram; not reproduced in the text)

Data header:

date: 604889

MAIN
lineid: 604889B1
dial-up PE: sha-upe2
dial-up IP: 58.33.113.122
PE peer: 10.20.239.249
CE peer: 10.50.44.75

Primary PE: sha-flr2  WANIP: 10.10.65.188/30  TUNNEL: tun43275  Docking: 10.20.239.249  CE peer: 10.50.44.75  HKIP: 103.169.97.50  BGPSERVER IP: 10.10.99.162, 10.10.99.163

BACKUP
lineid: 604889B2
dial-up PE: szc-upe1
dial-up IP: 183.3.221.43
PE peer: 10.30.43.249
CE peer: 10.50.40.30

PE: szc-bk4  WANIP: 10.11.65.188/30  TUNNEL: tun53275  Docking: 10.30.43.249  CE peer: 10.50.40.30  HKIP: 103.169.97.50  BGPSERVER IP: 10.10.99.198, 10.10.99.199


Huawei configuration:

clock timezone bj add 08:00
sys
telnet server enable
sysname 604889B-DMXX-SH
aaa
 undo local-user admin
 local-user bothwin password irreversible-cipher Tfe28@w%
 local-user bothwin privilege level 15
 local-user bothwin service-type telnet terminal ssh http

acl number 2707
 rule 10 permit source 192.168.0.0 0.0.255.255
 rule 20 permit source 172.16.0.0 0.15.255.255
 rule 30 permit source 10.0.0.0 0.255.255.255
 rule 40 permit source 114.112.238.8 0.0.0.7
 rule 50 permit source 192.168.55.250 0
 rule 60 permit source 113.105.190.147 0
 rule 70 permit source 202.104.174.178 0
 rule 80 permit source 120.76.31.146 0
 rule 90 permit source 59.37.126.140 0
 rule 100 permit source 183.61.239.168 0

user-interface vty 0 4
 acl 2707 inbound
 authentication-mode aaa
 user privilege level 15

ntp-service enable
ntp-service unicast-server 192.168.55.250

hwtacacs-server template fnetlink_tacacs
 hwtacacs-server authentication 192.168.55.250
 hwtacacs-server authorization 192.168.55.250
 hwtacacs-server accounting 192.168.55.250
 # the TACACS source IP is the WAN IP of the primary tunnel
 hwtacacs-server source-ip 10.10.65.190
 hwtacacs-server shared-key cipher bothwin

aaa
 authentication-scheme fnet_tac
  authentication-mode hwtacacs local
 authorization-scheme fnet_tac
  authorization-mode hwtacacs local
  authorization-cmd 15 hwtacacs local
 accounting-scheme fnet_tac
  accounting start-fail online
  accounting interim-fail online
  accounting-mode hwtacacs
 recording-scheme fnet_tac
  recording-mode hwtacacs fnetlink_tacacs
 cmd recording-scheme fnet_tac
 service-scheme fnet_tac
  admin-user privilege level 15
 domain fnet_tac
  authentication-scheme fnet_tac
  accounting-scheme fnet_tac
  authorization-scheme fnet_tac
  hwtacacs-server fnetlink_tacacs

domain fnet_tac admin

# loopback numbers must not collide with existing interfaces
interface LoopBack1
 description To IPSec
 ip address 10.50.44.75 255.255.255.255

interface LoopBack2
 description to-backup-ipsec
 ip address 10.50.40.30 255.255.255.255

acl number 3333
 rule 1 permit ip source 10.50.44.75 0 destination 10.20.239.249 0

acl number 3334
 rule 1 permit ip source 10.50.40.30 0 destination 10.30.43.249 0

ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 sa duration 28800
 authentication-method pre-share
 integrity-algorithm hmac-sha1-96
 prf hmac-sha1

ipsec proposal ipsectran1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des

ike peer main
 undo version 2
 pre-shared-key cipher %^%#CI$E<'^}6UkO=v&g$:D!O0J8I+vA_,tA*q0_*49P%^%#
 ike-proposal 10
 remote-address 58.33.113.122
 dpd idle-time 30
 dpd retry-limit 3
 dpd retransmit-interval 30
 dpd packet receive if-related enable

ike peer backup
 undo version 2
 pre-shared-key cipher %^%#CI$E<'^}6UkO=v&g$:D!O0J8I+vA_,tA*q0_*49P%^%#
 ike-proposal 10
 remote-address 183.3.221.43
 dpd idle-time 30
 dpd retry-limit 3
 dpd retransmit-interval 30
 dpd packet receive if-related enable

ipsec policy S2S-IPSEC 10 isakmp
 security acl 3333
 pfs dh-group2
 ike-peer main
 proposal ipsectran1

ipsec policy S2S-IPSEC 20 isakmp
 security acl 3334
 ike-peer backup
 proposal ipsectran1

interface GigabitEthernet0/0/0
 undo portswitch
 description to-fw-172.16.102.100
 ip address 172.16.102.240 255.255.255.0
 ipsec policy S2S-IPSEC

interface GigabitEthernet0/0/1
 undo portswitch
 description to-epoch-eth0-172.16.200.2
 ip address 172.16.200.1 255.255.255.252

ip route-static 0.0.0.0 0.0.0.0 172.16.102.100 preference 222 tag 7777
ip route-static 58.33.113.122 255.255.255.255 172.16.102.100 tag 7777
ip route-static 114.113.245.99 255.255.255.255 10.10.65.189 preference 1 tag 7777 description To_zabbix
ip route-static 192.168.55.10 255.255.255.255 10.10.65.189 preference 1 tag 7777 description To_zabbix
ip route-static 192.168.55.250 255.255.255.255 10.10.65.189 preference 1 tag 7777 description To_center
ip route-static 192.168.254.107 255.255.255.255 10.10.65.189 preference 1 tag 7777 description To_netflow

ip route-static 10.20.239.249 255.255.255.255 172.16.102.100 tag 7777
interface Tunnel0/0/1020
 description "pri to sha-flr2-tun43275"
 mtu 1400
 tcp adjust-mss 1300
 ip address 10.10.65.190 255.255.255.252
 tunnel-protocol gre
 source 10.50.44.75
 destination 10.20.239.249
 qos car outbound cir 10240 pir 10240 cbs 1925120 pbs 3205120 green pass yellow pass red discard

ip route-static 10.30.43.249 255.255.255.255 172.16.102.100 tag 7777
interface Tunnel0/0/1021
 description "pri to szc-bk4-tun53275"
 mtu 1400
 tcp adjust-mss 1300
 ip address 10.11.65.190 255.255.255.252
 tunnel-protocol gre
 source 10.50.40.30
 destination 10.30.43.249
 qos car outbound cir 10240 pir 10240 cbs 1925120 pbs 3205120 green pass yellow pass red discard

route-policy bgp-To--VPN-Redistribute-Static deny node 100
 description Deny Redistribution of Static Routes to MPLS VPN
 if-match tag 7777

route-policy bgp-To--VPN-Redistribute-Static permit node 200
 if-match tag 8888
 apply community 65201:100

route-policy bgp-To--VPN-Redistribute-Static permit node 300
 description Redistribute All Other Static Routes Without Tag

route-policy bgp-route-policy-pri-import permit node 100
 apply local-preference 200

route-policy bgp-route-policy-pri-import permit node 200

ip ip-prefix bgp-filte-pre-export index 10 permit 172.16.102.0 24 greater-equal 24 less-equal 32
ip ip-prefix bgp-filte-pre-export index 20 permit 10.10.65.188 30 greater-equal 30 less-equal 32
# the original listing used index 20 twice, which would overwrite the entry above; the backup WAN prefix gets its own index
ip ip-prefix bgp-filte-pre-export index 30 permit 10.11.65.188 30 greater-equal 30 less-equal 32

# answer y at the confirmation prompt
snmp-agent trap enable
snmp-agent sys-info version all
snmp-agent community read both-win
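As an added example (not part of the original post), a small Python audit that walks a constructed excerpt of the configuration above, parsed by VRP indentation into command blocks, and reports what a reviewer would flag: cleartext telnet, the 3des/sha1/dh group2 IKE proposal, identical pre-shared-key blobs on the main and backup peers, and the ip-prefix index that the original listing uses twice. The excerpt and the PSK placeholder blobs are constructed for this example.

```python
# Added example (not from the post): offline checks over the VRP config above.
# CONFIG is a constructed excerpt of the page's config; PSK blobs are placeholders.
import re
CONFIG = """\
telnet server enable
ike proposal 10
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
ike peer main
 pre-shared-key cipher %^%#PSK-PLACEHOLDER%^%#
ike peer backup
 pre-shared-key cipher %^%#PSK-PLACEHOLDER%^%#
ip ip-prefix bgp-filte-pre-export index 10 permit 172.16.102.0 24
ip ip-prefix bgp-filte-pre-export index 20 permit 10.10.65.188 30
ip ip-prefix bgp-filte-pre-export index 20 permit 10.11.65.188 30
"""
# IKE settings to replace (e.g. aes-256 / sha2-256 / dh group14 or stronger).
WEAK = {"encryption-algorithm": {"des", "3des"}, "dh": {"group1", "group2"},
        "authentication-algorithm": {"md5", "sha1"}}

def parse_blocks(text):
    """Split VRP config into (header, [indented sub-lines]) blocks."""
    blocks = []
    for line in text.splitlines():
        if line.startswith(" ") and blocks:      # continuation of current block
            blocks[-1][1].append(line.strip())
        elif line.strip():                        # new top-level command
            blocks.append((line.strip(), []))
    return blocks

def audit(text):
    """Return findings: cleartext telnet, weak IKE crypto, shared PSK, duplicate prefix index."""
    findings, psk, idx = [], {}, {}
    for head, body in parse_blocks(text):
        if head == "telnet server enable":
            findings.append("telnet: cleartext management enabled")
        for key, _, val in (b.partition(" ") for b in body):
            if head.startswith("ike proposal") and val in WEAK.get(key, ()):
                findings.append(f"{head}: weak {key} {val}")
            if head.startswith("ike peer") and key == "pre-shared-key":
                psk[head.split()[-1]] = val.split()[-1]   # cipher blob per peer
        if m := re.match(r"ip ip-prefix (\S+) index (\d+)", head):
            idx.setdefault(m.group(1), []).append(int(m.group(2)))
    if len(set(psk.values())) < len(psk):
        findings.append("ike peers share one pre-shared key: " + ", ".join(sorted(psk)))
    for name, nums in idx.items():
        for n in sorted({n for n in nums if nums.count(n) > 1}):
            findings.append(f"ip-prefix {name}: index {n} used twice; later line overwrites")
    return findings
```

Running `audit(CONFIG)` on the excerpt yields six findings; feeding it the device's `display current-configuration` output works the same way because the parser only relies on VRP's one-space indentation.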

