• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

SecPath F1000-AK145 ADVPN结合BGP配置案例

2023-03-21提问
  • 0关注
  • 0收藏,722浏览
粉丝:0人 关注:0人

问题描述:

请问有ADVPN采用BGP路由协议,Full-Mesh网络相关案例能提供一下吗?感谢!

官网只有结合OSPF路由协议的案例,现在使用ospf路由协议已经建立起来了,想修改成BGP路由协议,请问需要修改哪些地方呢?


组网及组网描述:

终端-核心-防火墙-MSR路由器-公网-F1000防火墙-核心-终端,终端网关在核心上

最佳答案

knox 七段
粉丝:2人 关注:4人

可以贴一下配置。

hub配置: # sysname MSR_02 # router id 1.1.1.12 # ospf 1 router-id 1.1.1.4 default-route-advertise area 0.0.0.0 network 10.3.254.232 0.0.0.3 network 10.3.254.248 0.0.0.3 # ospf 2 area 0.0.0.0 network 172.32.245.0 0.0.0.255 network 172.32.254.11 0.0.0.0 # stp global enable # interface GigabitEthernet1/4/3 port link-mode route description to_NewISP ip address X.X.X.X 255.255.255.X nat outbound # interface Tunnel1 mode advpn gre service slot 1 ip address 172.32.254.11 255.255.255.0 ospf network-type broadcast source GigabitEthernet1/4/3 tunnel protection ipsec profile dvpn vam client mem # ip route-static 0.0.0.0 0 X.X.X.X ip route-static 10.1.0.0 24 Tunnel1 172.32.254.21 ip route-static 10.1.19.0 24 Tunnel1 X.X.X.X # ssh server enable # domain mem authentication advpn local none accounting advpn local none # domain system # domain default enable mem # user-group system # local-user hub1 class network password cipher $c$3$GL7ka7z4Gz/eqa/rC82Ue8JiHLCg0A== service-type advpn authorization-attribute user-role network-admin authorization-attribute user-role network-operator # local-user mem class network password cipher $c$3$35Fg42ZW9uQlcM91AExaTBbZEZ+2Pw== service-type advpn authorization-attribute user-role network-admin authorization-attribute user-role network-operator # public-key peer 10.3.254.250 public-key-code begin 30819F300D06092A864886F70D010101050003818D0030818902818100BAF4ED13A762BF2C 3141985FFAD59A52AFBAC64C1F593777064F2EBD33BD26E8E0EEB71B83FF94DDC726DC1F46 D7439CAF7AB639D5FC784942E6DC0DABE83D5100D3EFB0D5570B2B86A897DE340F62B45651 6E9AABE6A017769318DAAE67756D90FA6A111B469889E5B01F5A270EB5914B5488BC2BCB76 8CC0E7981A84961D2B0203010001 public-key-code end peer-public-key end # ipsec transform-set dvpn encapsulation-mode transport esp encryption-algorithm des-cbc esp authentication-algorithm sha1 # ipsec profile dvpn isakmp transform-set dvpn ike-profile dvpn # ike profile dvpn keychain dvpn # ike keychain dvpn pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$UhBZ5n5ONLsCYNtAp+/begnouZXfcg== # ike keychain mem # blacklist ip X.X.X.X blacklist global enable # vam client name mem advpn-domain mem server primary ip-address X.X.X.X server secondary ip-address X.X.X.X pre-shared-key cipher $c$3$tVtAVLbMYKyCcEwOr2hx/Zcix3RhbQ== user hub1 password cipher $c$3$YLOlXcSJlptymPjORDXD2Dy83NxmMw== client enable # vam server advpn-domain mem id 1 pre-shared-key cipher $c$3$EvINoIJE8NCpbmg4LkiitNwtKIgKFw== server enable hub-group 0 hub private-address 172.32.254.10 hub private-address 172.32.254.11 spoke private-address range 172.16.254.0 172.35.254.254 # cloud-management server domain oasis.h3c.com # return Spoke配置: sysname FW # context Admin id 1 # router id 1.1.1.15 # ospf 2 area 0.0.0.0 network 172.16.1.0 0.0.0.255 network 172.32.254.0 0.0.0.255 # lldp global enable # password-recovery enable # vlan 1 # object-group ip address advpn 0 network subnet 10.7.19.0 255.255.255.0 # interface GigabitEthernet1/0/0 port link-mode route ip address 192.168.0.1 255.255.255.0 # interface GigabitEthernet1/0/15 port link-mode route bandwidth 50000 ip address X.X.X.X 255.255.255.X nat outbound 3000 # interface Tunnel1 mode advpn gre ip address 172.16.1.8 255.255.255.0 ospf network-type broadcast ospf dr-priority 0 source GigabitEthernet1/0/15 tunnel protection ipsec profile mem vam client mem # security-zone name Local # security-zone name Trust import interface GigabitEthernet1/0/14 # security-zone name DMZ # security-zone name Untrust import interface GigabitEthernet1/0/15 import interface Tunnel1 # security-zone name Management import interface GigabitEthernet1/0/0 # ip route-static 0.0.0.0 0 X.X.X.X ip route-static 10.1.0.0 24 Tunnel1 172.16.1.3 ip route-static 10.1.19.0 24 Tunnel1X.X.X.X # ssh server enable # acl advanced 3000 description NAT rule 50 permit ip # ipsec logging negotiation enable # ipsec transform-set mem encapsulation-mode transport esp encryption-algorithm des-cbc esp authentication-algorithm sha1 # ipsec profile mem isakmp transform-set mem ike-profile mem # ike logging negotiation enable # ike profile mem keychain mem # ike keychain mem pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$sl0gba7iQ0WJ5AlZXCejg3B9d+pxVQ== # vam client name mem advpn-domain mem server primary ip-address X.X.X.X pre-shared-key cipher $c$3$FPw/OBkvdXSzIRkAvo3/+VrtSRcWaQ== user mem password cipher $c$3$Zh8fxOofpQ923Y9St1kTtFg53Sn5Ww== client enable # anti-virus signature auto-update update schedule daily start-time 02:00:00 tingle 120 # return

zhiliao_CCqIVP 发表时间:2023-03-21 更多>>

hub配置: # sysname MSR_02 # router id 1.1.1.12 # ospf 1 router-id 1.1.1.4 default-route-advertise area 0.0.0.0 network 10.3.254.232 0.0.0.3 network 10.3.254.248 0.0.0.3 # ospf 2 area 0.0.0.0 network 172.32.245.0 0.0.0.255 network 172.32.254.11 0.0.0.0 # stp global enable # interface GigabitEthernet1/4/3 port link-mode route description to_NewISP ip address X.X.X.X 255.255.255.X nat outbound # interface Tunnel1 mode advpn gre service slot 1 ip address 172.32.254.11 255.255.255.0 ospf network-type broadcast source GigabitEthernet1/4/3 tunnel protection ipsec profile dvpn vam client mem # ip route-static 0.0.0.0 0 X.X.X.X ip route-static 10.1.0.0 24 Tunnel1 172.32.254.21 ip route-static 10.1.19.0 24 Tunnel1 X.X.X.X # ssh server enable # domain mem authentication advpn local none accounting advpn local none # domain system # domain default enable mem # user-group system # local-user hub1 class network password cipher $c$3$GL7ka7z4Gz/eqa/rC82Ue8JiHLCg0A== service-type advpn authorization-attribute user-role network-admin authorization-attribute user-role network-operator # local-user mem class network password cipher $c$3$35Fg42ZW9uQlcM91AExaTBbZEZ+2Pw== service-type advpn authorization-attribute user-role network-admin authorization-attribute user-role network-operator # public-key peer 10.3.254.250 public-key-code begin 30819F300D06092A864886F70D010101050003818D0030818902818100BAF4ED13A762BF2C 3141985FFAD59A52AFBAC64C1F593777064F2EBD33BD26E8E0EEB71B83FF94DDC726DC1F46 D7439CAF7AB639D5FC784942E6DC0DABE83D5100D3EFB0D5570B2B86A897DE340F62B45651 6E9AABE6A017769318DAAE67756D90FA6A111B469889E5B01F5A270EB5914B5488BC2BCB76 8CC0E7981A84961D2B0203010001 public-key-code end peer-public-key end # ipsec transform-set dvpn encapsulation-mode transport esp encryption-algorithm des-cbc esp authentication-algorithm sha1 # ipsec profile dvpn isakmp transform-set dvpn ike-profile dvpn # ike profile dvpn keychain dvpn # ike keychain dvpn pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$UhBZ5n5ONLsCYNtAp+/begnouZXfcg== # ike keychain mem # blacklist ip X.X.X.X blacklist global enable # vam client name mem advpn-domain mem server primary ip-address X.X.X.X server secondary ip-address X.X.X.X pre-shared-key cipher $c$3$tVtAVLbMYKyCcEwOr2hx/Zcix3RhbQ== user hub1 password cipher $c$3$YLOlXcSJlptymPjORDXD2Dy83NxmMw== client enable # vam server advpn-domain mem id 1 pre-shared-key cipher $c$3$EvINoIJE8NCpbmg4LkiitNwtKIgKFw== server enable hub-group 0 hub private-address 172.32.254.10 hub private-address 172.32.254.11 spoke private-address range 172.16.254.0 172.35.254.254 # cloud-management server domain oasis.h3c.com # return Spoke配置: sysname FW # context Admin id 1 # router id 1.1.1.15 # ospf 2 area 0.0.0.0 network 172.16.1.0 0.0.0.255 network 172.32.254.0 0.0.0.255 # lldp global enable # password-recovery enable # vlan 1 # object-group ip address advpn 0 network subnet 10.7.19.0 255.255.255.0 # interface GigabitEthernet1/0/0 port link-mode route ip address 192.168.0.1 255.255.255.0 # interface GigabitEthernet1/0/15 port link-mode route bandwidth 50000 ip address X.X.X.X 255.255.255.X nat outbound 3000 # interface Tunnel1 mode advpn gre ip address 172.16.1.8 255.255.255.0 ospf network-type broadcast ospf dr-priority 0 source GigabitEthernet1/0/15 tunnel protection ipsec profile mem vam client mem # security-zone name Local # security-zone name Trust import interface GigabitEthernet1/0/14 # security-zone name DMZ # security-zone name Untrust import interface GigabitEthernet1/0/15 import interface Tunnel1 # security-zone name Management import interface GigabitEthernet1/0/0 # ip route-static 0.0.0.0 0 X.X.X.X ip route-static 10.1.0.0 24 Tunnel1 172.16.1.3 ip route-static 10.1.19.0 24 Tunnel1X.X.X.X # ssh server enable # acl advanced 3000 description NAT rule 50 permit ip # ipsec logging negotiation enable # ipsec transform-set mem encapsulation-mode transport esp encryption-algorithm des-cbc esp authentication-algorithm sha1 # ipsec profile mem isakmp transform-set mem ike-profile mem # ike logging negotiation enable # ike profile mem keychain mem # ike keychain mem pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$sl0gba7iQ0WJ5AlZXCejg3B9d+pxVQ== # vam client name mem advpn-domain mem server primary ip-address X.X.X.X pre-shared-key cipher $c$3$FPw/OBkvdXSzIRkAvo3/+VrtSRcWaQ== user mem password cipher $c$3$Zh8fxOofpQ923Y9St1kTtFg53Sn5Ww== client enable # anti-virus signature auto-update update schedule daily start-time 02:00:00 tingle 120 # return

zhiliao_CCqIVP 发表时间:2023-03-21
1 个回答
zhiliao_CCqIVP 知了小白
粉丝:0人 关注:0人

hub配置:

#
sysname MSR_02
#
router id 1.1.1.12
#
ospf 1 router-id 1.1.1.4
default-route-advertise
area 0.0.0.0
network 10.3.254.232 0.0.0.3
network 10.3.254.248 0.0.0.3
#
ospf 2
area 0.0.0.0
network 172.32.245.0 0.0.0.255
network 172.32.254.11 0.0.0.0
#
stp global enable
#
interface GigabitEthernet1/4/3
port link-mode route
description to_NewISP
ip address X.X.X.X 255.255.255.X
nat outbound
#
interface Tunnel1 mode advpn gre
service slot 1
ip address 172.32.254.11 255.255.255.0
ospf network-type broadcast
source GigabitEthernet1/4/3
tunnel protection ipsec profile dvpn
vam client mem
#
ip route-static 0.0.0.0 0 X.X.X.X
ip route-static 10.1.0.0 24 Tunnel1 172.32.254.21
ip route-static 10.1.19.0 24 Tunnel1 X.X.X.X
#
ssh server enable
#
domain mem
authentication advpn local none
accounting advpn local none
#
domain system
#
domain default enable mem
#
user-group system
#
local-user hub1 class network
password cipher $c$3$GL7ka7z4Gz/eqa/rC82Ue8JiHLCg0A==
service-type advpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user mem class network
password cipher $c$3$35Fg42ZW9uQlcM91AExaTBbZEZ+2Pw==
service-type advpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
public-key peer 10.3.254.250
public-key-code begin
30819F300D06092A864886F70D010101050003818D0030818902818100BAF4ED13A762BF2C
3141985FFAD59A52AFBAC64C1F593777064F2EBD33BD26E8E0EEB71B83FF94DDC726DC1F46
D7439CAF7AB639D5FC784942E6DC0DABE83D5100D3EFB0D5570B2B86A897DE340F62B45651
6E9AABE6A017769318DAAE67756D90FA6A111B469889E5B01F5A270EB5914B5488BC2BCB76
8CC0E7981A84961D2B0203010001
public-key-code end
peer-public-key end
#
ipsec transform-set dvpn
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile dvpn isakmp
transform-set dvpn
ike-profile dvpn
#
ike profile dvpn
keychain dvpn
#
ike keychain dvpn
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$UhBZ5n5ONLsCYNtAp+/begnouZXfcg==
#
ike keychain mem
#
blacklist ip X.X.X.X
blacklist global enable
#
vam client name mem
advpn-domain mem
server primary ip-address X.X.X.X
server secondary ip-address X.X.X.X
pre-shared-key cipher $c$3$tVtAVLbMYKyCcEwOr2hx/Zcix3RhbQ==
user hub1 password cipher $c$3$YLOlXcSJlptymPjORDXD2Dy83NxmMw==
client enable
#
vam server advpn-domain mem id 1
pre-shared-key cipher $c$3$EvINoIJE8NCpbmg4LkiitNwtKIgKFw==
server enable
hub-group 0
hub private-address 172.32.254.10
hub private-address 172.32.254.11
spoke private-address range 172.16.254.0 172.35.254.254
#
cloud-management server domain oasis.h3c.com
#
return


Spoke配置:


sysname FW
#
context Admin id 1
#
router id 1.1.1.15
#
ospf 2
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.32.254.0 0.0.0.255
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
object-group ip address advpn
0 network subnet 10.7.19.0 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/15
port link-mode route
bandwidth 50000
ip address X.X.X.X 255.255.255.X
nat outbound 3000
#
interface Tunnel1 mode advpn gre
ip address 172.16.1.8 255.255.255.0
ospf network-type broadcast
ospf dr-priority 0
source GigabitEthernet1/0/15
tunnel protection ipsec profile mem
vam client mem
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/14
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/15
import interface Tunnel1
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0 X.X.X.X
ip route-static 10.1.0.0 24 Tunnel1 172.16.1.3
ip route-static 10.1.19.0 24 Tunnel1X.X.X.X
#
ssh server enable
#
acl advanced 3000
description NAT
rule 50 permit ip
#
ipsec logging negotiation enable
#
ipsec transform-set mem
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile mem isakmp
transform-set mem
ike-profile mem
#
ike logging negotiation enable
#
ike profile mem
keychain mem
#
ike keychain mem
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$sl0gba7iQ0WJ5AlZXCejg3B9d+pxVQ==
#
vam client name mem
advpn-domain mem
server primary ip-address X.X.X.X
pre-shared-key cipher $c$3$FPw/OBkvdXSzIRkAvo3/+VrtSRcWaQ==
user mem password cipher $c$3$Zh8fxOofpQ923Y9St1kTtFg53Sn5Ww==
client enable
#
anti-virus signature auto-update
update schedule daily start-time 02:00:00 tingle 120
#
return

编辑答案

你正在编辑答案

如果你要对问题或其他回答进行点评或询问,请使用评论功能。

分享扩散:

提出建议

    +

亲~登录后才可以操作哦!

确定

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作

举报

×

侵犯我的权益 >
对根叔社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明