As the title says:
Our router connects to the enterprise intranet over a 2M line. Per the access-method requirements, routes inside the access network must be learned through OSPF, and BGP is not allowed. After we connected with the configuration below, the far end captured BGP protocol traffic from our side, and our routing table does indeed contain routes learned via BGP.
The configuration and the access-method sheet are given below. Could you point out what is wrong in the configuration and how it should be changed so that routes are obtained only through OSPF, without using BGP? Thanks!
Topology:
<CQNA-DFSB.R1>dis cu
#
version 7.1.059, Release 0304P15
#
sysname CQNA-DFSB.R1
#
clock timezone beijing add 08:00:00
#
ip vpn-instance vpn-nrt
route-distinguisher 25513:2
vpn-target 25513:2110 30000:802 20000:200 import-extcommunity
vpn-target 25513:2110 25588:200 export-extcommunity
#
ip vpn-instance vpn-rt
route-distinguisher 25513:1
vpn-target 25513:1110 30000:801 20000:100 import-extcommunity
vpn-target 25513:1110 25588:100 export-extcommunity
#
router id 55.2.42.49
#
ospf 1
area 0.0.0.3
network 55.2.42.49 0.0.0.0
network 55.3.74.192 0.0.0.3
network 55.3.77.192 0.0.0.3
#
mpls lsr-id 55.2.42.49
mpls ttl propagate vpn
#
password-recovery enable
#
vlan 1
#
traffic classifier c_vpn-nrt-in operator and
if-match acl 2001
#
traffic classifier c_vpn-nrt-out operator and
if-match mpls-exp 3
#
traffic classifier c_vpn-rt-in operator and
if-match acl 2001
#
traffic classifier c_vpn-rt-out operator and
if-match mpls-exp 4
#
traffic behavior b_vpn-nrt-in
remark dscp af31
#
traffic behavior b_vpn-nrt-out
queue af bandwidth pct 30
#
traffic behavior b_vpn-rt-in
remark dscp af41
#
traffic behavior b_vpn-rt-out
queue af bandwidth pct 70
#
qos policy p_vpn-nrt-in
classifier c_vpn-nrt-in behavior b_vpn-nrt-in
#
qos policy p_vpn-out
classifier c_vpn-rt-out behavior b_vpn-rt-out
classifier c_vpn-nrt-out behavior b_vpn-nrt-out
#
qos policy p_vpn-rt-in
classifier c_vpn-rt-in behavior b_vpn-rt-in
#
mpls ldp
#
controller Cellular0/0
#
controller Cellular0/1
#
interface Aux0
#
interface Serial3/0
description DD2-DFSB1-2M
fe1 unframed
ip address 55.3.74.194 255.255.255.252
ospf authentication-mode md5 1 cipher $c$3$WMl1Z2MYGKzrg92B0lKzs9TjtchL/gbDGA==
mpls enable
mpls ldp enable
mpls ldp transport-address interface
#
interface Serial3/1
shutdown
#
interface Serial4/0
description BD2-DFSB1-2M
fe1 unframed
ip address 55.3.77.194 255.255.255.252
ospf authentication-mode md5 1 cipher $c$3$SPqUzpH7rwULmfoA0+aGtTRiCntrDuoa4g==
mpls enable
mpls ldp enable
mpls ldp transport-address interface
#
interface Serial4/1
shutdown
#
interface NULL0
#
interface LoopBack0
ip address 55.2.42.49 255.255.255.255
#
interface Ethernet2/0
port link-mode bridge
shutdown
#
interface Ethernet2/1
port link-mode bridge
shutdown
#
interface Ethernet2/2
port link-mode bridge
shutdown
#
interface Ethernet2/3
port link-mode bridge
shutdown
#
interface GigabitEthernet0/0
port link-mode route
description R1-S1
combo enable copper
ip binding vpn-instance vpn-rt
ip address 55.110.32.126 255.255.255.128
#
interface GigabitEthernet0/1
port link-mode route
description R1-S2
combo enable copper
ip binding vpn-instance vpn-nrt
ip address 55.111.32.126 255.255.255.128
#
interface GigabitEthernet0/2
port link-mode route
shutdown
#
bgp 25513
group ibgp-peer internal
peer ibgp-peer connect-interface LoopBack0
peer 55.2.40.2 group ibgp-peer
peer 55.2.40.5 group ibgp-peer
#
address-family ipv4 unicast
import-route direct
peer ibgp-peer enable
#
address-family vpnv4
peer ibgp-peer enable
#
ip vpn-instance vpn-nrt
#
address-family ipv4 unicast
import-route direct
#
ip vpn-instance vpn-rt
#
address-family ipv4 unicast
import-route direct
#
scheduler logfile size 16
#
line class aux
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
authentication-mode scheme
user-role level-15
user-role network-admin
idle-timeout 5 0
#
line vty 0 4
authentication-mode scheme
user-role level-15
user-role network-admin
protocol inbound ssh
idle-timeout 5 0
#
line vty 5 63
user-role network-operator
#
info-center loghost 55.254.13.1
#
snmp-agent
snmp-agent local-engineid 800063A280D461FE43CA2900000001
snmp-agent community read CQEP-READ
snmp-agent community write CQEP-WRITE
snmp-agent sys-info version v3
snmp-agent group v3 CQEP privacy read-view CQEP-READ write-view CQEP-WRITE notify-view CQEP-READ
snmp-agent target-host trap address udp-domain 55.254.13.1 params securityname CQEP-READ
snmp-agent mib-view included CQEP-READ iso
snmp-agent mib-view included CQEP-WRITE iso
snmp-agent usm-user v3 cqdl CQEP cipher authentication-mode sha $c$3$zUJ3vlz2/td/QKfBkBlH7tD5YyNV1GTTzikvWCMGN2iTISyS3cw= privacy-mode des56 $c$3$5xdVHLv69qIpcvayjR45JyTa3TcB7YtLUIIxSqEryG0clg==
snmp-agent trap source LoopBack0
#
ssh server enable
ssh user cqdl-ssh service-type stelnet authentication-type password
#
ntp-service unicast-server 55.2.40.2
ntp-service unicast-server 55.2.40.5
#
acl basic 2001
rule 0 permit source 55.254.13.0 0.0.0.255
rule 5 permit source 55.3.0.0 0.0.255.255
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user cqdl-con class manage
password hash $h$6$spxLOTDn+b99u2k4$bhcSm9KNOfjxbcw5Qwk5BN31nDwXR0W8KQ0S3jDTP1qtctEmG2Dv5iWhCIOBKxtkyRgbmvE0uEiVpGOHbsFaww==
service-type terminal
authorization-attribute user-role level-15
authorization-attribute user-role network-admin
#
local-user cqdl-ssh class manage
password hash $h$6$UvnTyFOktg0s5tvl$yJy5divtM8HQ+lMxC+mqKSO6O4N22ItRByP/3memdCgJFOT+DkeYI8IMgICHHQRk0872PV5tpn6Si9b7pFYYlA==
service-type ssh
authorization-attribute user-role level-15
authorization-attribute user-role network-admin
#
public-key peer 55.110.32.124
public-key-code begin
public-key-code end
peer-public-key end
#
return
<CQNA-DFSB.R1>
Access-method requirements:
Dispatch data network access-network device / application-system access-method sheet
Sheet number: 201807    Date: 13 July 2018
Station name: 110 kV Dafosi Power Station
Access network name: Nan'an district dispatch access network

Network device access method
Basic parameters
  LoopBack address: 55.2.42.49
  router id: 55.2.42.49
  MPLS lsr-id: 55.2.42.49
  sysname: CQNA-DFSB.R1

Uplink node 1
  Uplink node 1 LoopBack address: 55.2.40.2
  Uplink node 1 name: CQNA-DD.R2
  Local interconnect address: 55.3.74.194/30    Port: S5/0
  Remote interconnect address: 55.3.74.193/30    Port: (blank)
  Link name: DD2-DFSB1-2M
  OSPF area: 3    Link protocol: PPP
  ospf timer hello: 10s    ospf timer dead: 40s

Uplink node 2
  Uplink node 2 LoopBack address: 55.2.40.5
  Uplink node 2 name: CQNA-BD.R1
  Local interconnect address: 55.3.77.194/30    Port: S6/0
  Remote interconnect address: 55.3.77.193/30    Port: (blank)
  Link name: BD1-DFSB1-2M
  OSPF area: 3    Link protocol: PPP
  ospf timer hello: 10s    ospf timer dead: 40s

OSPF requirements: 1. Disable OSPF routing at the network boundary. 2. Enable OSPF MD5 authentication with key ID 1; the password towards the county dispatch aggregation node is 5J74Vn.

Real-time switch
  sysname: CQNA-DFSB.S1
  Router-side interconnect address: 55.110.32.126/25    Port: GE0/0
  Switch-side interconnect VLAN: 1    Port: DFSH0/0/1
  Switch-side interconnect address: 55.110.32.124/25
  Zone I encryption/authentication device management address: 55.110.32.125/25
  Service VLAN: 1
  Unused ports: all shut down

Non-real-time switch
  sysname: CQNA-DFSB.S2
  Router-side interconnect address: 55.111.32.126/25    Port: GE0/1
  Switch-side interconnect VLAN: 1    Port: DFSH0/0/1
  Switch-side interconnect address: 55.111.32.124/25
  Zone II encryption/authentication device management address: 55.111.32.125/25
  Service VLAN: 1
  Unused ports: all shut down

Device basic configuration
  Autonomous system number: 25513
  BGP neighbours: 55.2.40.2 / 55.2.40.5
  RD of real-time VPN: vpn-rt 25513:1
  RD of non-real-time VPN: vpn-nrt 25513:2
  Real-time RT, VPN target import: 25513:1110 30000:801 20000:100
  Real-time RT, VPN target export: 25513:1110 25588:100
  Non-real-time RT, VPN target import: 25513:2110 30000:802 20000:200
  Non-real-time RT, VPN target export: 25513:2110 25588:200
  QoS parameters: real-time traffic matches ACL 2001, is marked MPLS EXP 4, has DSCP set to af41 and is guaranteed 70% of the bandwidth; non-real-time traffic matches ACL 2001, is marked MPLS EXP 3, has DSCP set to af31 and is guaranteed 30% of the bandwidth; apply the QoS policies to the corresponding ports so that QoS runs and takes effect.
  SNMP version: v3 only
  SNMP ACL: enable group CQEP; enable SNMP v3 user cqdl; trap destination: 55.254.13.1; privacy-mode: des56, password: cqep-zdhc; configure an ACL so that only 55.254.13.0/24 may manage the device remotely via SNMP.
  Router management requirements: remote management via SSH only, at the highest privilege level, username cqdl-ssh, password cqep-123!; console: highest privilege level, username cqdl-con, password cqep-456!; disable dhcp, ftp, telnet, http, https and similar services; configure an ACL so that only 55.254.13.0/24 and 55.3.0.0/16 may log in remotely for management; 5-minute idle timeout.
  NTP server addresses and time zone: 55.2.40.2 / 55.2.40.5; time zone: Beijing
  Unused ports: all shut down
  syslog server address: 55.254.13.1
  Other requirements: see the relevant specifications of State Grid Corporation or Chongqing Electric Power Company.

Switch basic configuration
  Switch management requirements: remote login via SSH only, at the highest privilege level, username cqdl-ssh, password cqep-123!; console: highest privilege level, username cqdl-con, password cqep-456!; disable dhcp, ftp, telnet, http, https and similar services; configure an ACL so that only 10.55.0.0/16 and 55.13.0.0/16 may log in remotely and manage the switch via SNMP.
  SNMP requirements: v3 only; enable group CQEP; enable SNMP v3 user cqdl; encryption mode: des56, password: cqep-zdhc
  NTP server addresses and time zone: the real-time switch uses the local real-time service gateway address as its NTP server; the non-real-time switch uses the local non-real-time service gateway address as its NTP server; time zone: Beijing
  Routing entries: 1. Default routes are not allowed. 2. Switch static route destinations: 10.55.0.0/16 and 55.13.0.0/16
  Unused ports: all shut down
  Security requirements (mandatory acceptance check item): 1. (blank) 2. (blank)
  Other requirements: see the relevant specifications of State Grid Corporation or Chongqing Electric Power Company.

Application-system access method
Real-time VPN (Zone I)
  Application system                          Service address/mask   Gateway address   Switch port
  Monitoring system                           55.110.32.1/25         55.110.32.126     2
  Monitoring system                           55.110.32.2/25         55.110.32.126     3
  Direct alarm transfer and remote browsing   55.110.32.3/25         55.110.32.126     4
  Direct alarm transfer and remote browsing   55.110.32.4/25         55.110.32.126     5
Non-real-time VPN (Zone II)
  Application system                          Service address/mask   Gateway address   Switch port
  Electricity metering system                 55.111.32.1/25         55.111.32.126     2

Remarks
  Application systems: the monitoring system and the electricity metering system are already connected; any further system must submit an access-method application.
  Real-time: monitoring system port 2404; direct alarm transfer: 3000; remote retrieval: 3001. Non-real-time: port 9001.
  All remaining unused switch ports must be shut down.
Approving unit: (blank)    Reviewer: (blank)    Phone: (blank)    Prepared by: (blank)    Phone: (blank)