请问有ADVPN采用BGP路由协议,Full-Mesh网络相关案例能提供一下吗?感谢!
官网只有结合OSPF路由协议的案例。现在已经用OSPF路由协议把ADVPN建立起来了,想改成BGP路由协议,请问需要修改哪些地方呢?
终端-核心-防火墙-MSR路由器-公网-F1000防火墙-核心-终端,终端网关在核心上
最佳答案
可以贴一下配置。
hub配置:
#
sysname MSR_02
#
router id 1.1.1.12
#
ospf 1 router-id 1.1.1.4
default-route-advertise
area 0.0.0.0
network 10.3.254.232 0.0.0.3
network 10.3.254.248 0.0.0.3
#
ospf 2
area 0.0.0.0
network 172.32.245.0 0.0.0.255
network 172.32.254.11 0.0.0.0
#
stp global enable
#
interface GigabitEthernet1/4/3
port link-mode route
description to_NewISP
ip address X.X.X.X 255.255.255.X
nat outbound
#
interface Tunnel1 mode advpn gre
service slot 1
ip address 172.32.254.11 255.255.255.0
ospf network-type broadcast
source GigabitEthernet1/4/3
tunnel protection ipsec profile dvpn
vam client mem
#
ip route-static 0.0.0.0 0 X.X.X.X
ip route-static 10.1.0.0 24 Tunnel1 172.32.254.21
ip route-static 10.1.19.0 24 Tunnel1 X.X.X.X
#
ssh server enable
#
domain mem
authentication advpn local none
accounting advpn local none
#
domain system
#
domain default enable mem
#
user-group system
#
local-user hub1 class network
password cipher $c$3$GL7ka7z4Gz/eqa/rC82Ue8JiHLCg0A==
service-type advpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user mem class network
password cipher $c$3$35Fg42ZW9uQlcM91AExaTBbZEZ+2Pw==
service-type advpn
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
public-key peer 10.3.254.250
public-key-code begin
30819F300D06092A864886F70D010101050003818D0030818902818100BAF4ED13A762BF2C
3141985FFAD59A52AFBAC64C1F593777064F2EBD33BD26E8E0EEB71B83FF94DDC726DC1F46
D7439CAF7AB639D5FC784942E6DC0DABE83D5100D3EFB0D5570B2B86A897DE340F62B45651
6E9AABE6A017769318DAAE67756D90FA6A111B469889E5B01F5A270EB5914B5488BC2BCB76
8CC0E7981A84961D2B0203010001
public-key-code end
peer-public-key end
#
ipsec transform-set dvpn
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile dvpn isakmp
transform-set dvpn
ike-profile dvpn
#
ike profile dvpn
keychain dvpn
#
ike keychain dvpn
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$UhBZ5n5ONLsCYNtAp+/begnouZXfcg==
#
ike keychain mem
#
blacklist ip X.X.X.X
blacklist global enable
#
vam client name mem
advpn-domain mem
server primary ip-address X.X.X.X
server secondary ip-address X.X.X.X
pre-shared-key cipher $c$3$tVtAVLbMYKyCcEwOr2hx/Zcix3RhbQ==
user hub1 password cipher $c$3$YLOlXcSJlptymPjORDXD2Dy83NxmMw==
client enable
#
vam server advpn-domain mem id 1
pre-shared-key cipher $c$3$EvINoIJE8NCpbmg4LkiitNwtKIgKFw==
server enable
hub-group 0
hub private-address 172.32.254.10
hub private-address 172.32.254.11
spoke private-address range 172.16.254.0 172.35.254.254
#
cloud-management server domain oasis.h3c.com
#
return
Spoke配置:
sysname FW
#
context Admin id 1
#
router id 1.1.1.15
#
ospf 2
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.32.254.0 0.0.0.255
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
object-group ip address advpn
0 network subnet 10.7.19.0 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/15
port link-mode route
bandwidth 50000
ip address X.X.X.X 255.255.255.X
nat outbound 3000
#
interface Tunnel1 mode advpn gre
ip address 172.16.1.8 255.255.255.0
ospf network-type broadcast
ospf dr-priority 0
source GigabitEthernet1/0/15
tunnel protection ipsec profile mem
vam client mem
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/14
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/15
import interface Tunnel1
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0 X.X.X.X
ip route-static 10.1.0.0 24 Tunnel1 172.16.1.3
ip route-static 10.1.19.0 24 Tunnel1 X.X.X.X
#
ssh server enable
#
acl advanced 3000
description NAT
rule 50 permit ip
#
ipsec logging negotiation enable
#
ipsec transform-set mem
encapsulation-mode transport
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile mem isakmp
transform-set mem
ike-profile mem
#
ike logging negotiation enable
#
ike profile mem
keychain mem
#
ike keychain mem
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$sl0gba7iQ0WJ5AlZXCejg3B9d+pxVQ==
#
vam client name mem
advpn-domain mem
server primary ip-address X.X.X.X
pre-shared-key cipher $c$3$FPw/OBkvdXSzIRkAvo3/+VrtSRcWaQ==
user mem password cipher $c$3$Zh8fxOofpQ923Y9St1kTtFg53Sn5Ww==
client enable
#
anti-virus signature auto-update
update schedule daily start-time 02:00:00 tingle 120
#
return