Huawei: route control using the BGP community attribute

Time: 2021-01-23 21:49:33

Network topology

XRV1 configuration:

===========================================================================

#
sysname XRV1
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.133.0.0 0.0.255.255 destination 10.125.0.0 0.0.255.255
rule 10 permit ip source 10.79.0.0 0.0.255.255 destination 10.38.0.0 0.0.255.255
acl number 3020
rule 5 permit ip source 10.158.0.0 0.0.255.255 destination 10.114.0.0 0.0.255.255
rule 10 permit ip source 10.79.0.0 0.0.255.255 destination 10.45.0.0 0.0.255.255
#
ipsec proposal tran1
ipsec proposal tran2
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.2
ike peer spuc v1
pre-shared-key simple huawei
remote-address 10.201.1.10
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
ipsec policy map2 10 isakmp
security acl 3020
ike-peer spuc
proposal tran2
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.1000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.1.1 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.1 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.201.1.9 255.255.255.252
ipsec policy map2
#
interface GigabitEthernet1/0/0
ip address 10.10.1.5 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.1 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.2 source-ip 10.201.1.1
#
bfd 20 bind peer-ip 10.201.1.10 source-ip 10.201.1.9
#
bgp 65000
router-id 10.255.255.1
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.2 as-number 65001
peer 10.201.1.2 group external
peer 10.201.1.10 as-number 65002
peer 10.201.1.10 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.2 as-number 65000
peer 10.255.255.2 group internal
peer 10.255.255.7 as-number 65000
peer 10.255.255.7 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.2 enable
peer 10.201.1.2 group external
peer 10.201.1.10 enable
peer 10.201.1.10 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.2 enable
peer 10.255.255.2 group internal
peer 10.255.255.7 enable
peer 10.255.255.7 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-bangong-export
apply as-path 65000 65000 65000 65000 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65001-bangong-import
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65001-oa-import
apply local-preference 2000
#
ip ip-prefix internal-bangong-export index 10 permit 10.133.1.0 24
ip ip-prefix internal-bangong-export index 20 permit 10.133.2.0 24
ip ip-prefix internal-bangong-export index 30 permit 10.133.3.0 24
ip ip-prefix internal-bangong-export index 40 permit 10.133.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.79.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.79.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.79.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.79.4.0 24
ip ip-prefix external-as65001-oa-import index 10 permit 10.38.1.0 24
ip ip-prefix external-as65001-oa-import index 20 permit 10.38.2.0 24
ip ip-prefix external-as65001-oa-import index 30 permit 10.38.3.0 24
ip ip-prefix external-as65001-oa-import index 40 permit 10.38.4.0 24
ip ip-prefix external-as65001-bangong-import index 10 permit 10.125.1.0 24
ip ip-prefix external-as65001-bangong-import index 20 permit 10.125.2.0 24
ip ip-prefix external-as65001-bangong-import index 30 permit 10.125.3.0 24
ip ip-prefix external-as65001-bangong-import index 40 permit 10.125.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

XRV2 configuration:

===========================================================================

#
sysname XRV2
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.158.0.0 0.0.255.255 destination 10.54.0.0 0.0.255.255
rule 10 permit ip source 10.38.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
acl number 3020
rule 5 permit ip source 10.158.0.0 0.0.255.255 destination 10.114.0.0 0.0.255.255
rule 10 permit ip source 10.79.0.0 0.0.255.255 destination 10.45.0.0 0.0.255.255
#
ipsec proposal tran1
ipsec proposal tran2
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.6
ike peer spuc v1
pre-shared-key simple huawei
remote-address 10.201.1.14
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
ipsec policy map2 10 isakmp
security acl 3020
ike-peer spuc
proposal tran2
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.2000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.1.2 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.5 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.201.1.13 255.255.255.252
ipsec policy map2
#
interface GigabitEthernet1/0/0
ip address 10.10.1.9 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.2 255.255.255.255
isis enable 100
#
bfd 20 bind peer-ip 10.201.1.14 source-ip 10.201.1.13
#
bgp 65000
router-id 10.255.255.2
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.6 as-number 65001
peer 10.201.1.6 group external
peer 10.201.1.14 as-number 65002
peer 10.201.1.14 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.1 as-number 65000
peer 10.255.255.1 group internal
peer 10.255.255.7 as-number 65000
peer 10.255.255.7 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer 10.201.1.6 enable
peer 10.201.1.6 group external
peer 10.201.1.14 enable
peer 10.201.1.14 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.1 enable
peer 10.255.255.1 group internal
peer 10.255.255.7 enable
peer 10.255.255.7 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-shengchan-export
apply as-path 65000 65000 65000 65000 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65001-shengchan-import
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65001-oa-import
apply local-preference 2000
#
ip ip-prefix internal-shengchan-export index 10 permit 10.133.1.0 24
ip ip-prefix internal-shengchan-export index 20 permit 10.133.2.0 24
ip ip-prefix internal-shengchan-export index 30 permit 10.133.3.0 24
ip ip-prefix internal-shengchan-export index 40 permit 10.133.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.79.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.79.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.79.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.79.4.0 24
ip ip-prefix external-as65001-shengchan-import index 10 permit 10.54.1.0 24
ip ip-prefix external-as65001-shengchan-import index 20 permit 10.54.2.0 24
ip ip-prefix external-as65001-shengchan-import index 30 permit 10.54.3.0 24
ip ip-prefix external-as65001-shengchan-import index 40 permit 10.54.4.0 24
ip ip-prefix external-as65001-oa-import index 10 permit 10.38.1.0 24
ip ip-prefix external-as65001-oa-import index 20 permit 10.38.2.0 24
ip ip-prefix external-as65001-oa-import index 30 permit 10.38.3.0 24
ip ip-prefix external-as65001-oa-import index 40 permit 10.38.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

XRV3 configuration:

===========================================================================

#
sysname XRV3
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.125.0.0 0.0.255.255 destination 10.133.0.0 0.0.255.255
rule 10 permit ip source 10.38.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.1
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.3000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.2.1 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.2 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.10.2.5 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.3 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.1 source-ip 10.201.1.2
#
bgp 65001
router-id 10.255.255.3
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.1 as-number 65000
peer 10.201.1.1 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.4 as-number 65001
peer 10.255.255.4 group internal
peer 10.255.255.8 as-number 65001
peer 10.255.255.8 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.1 enable
peer 10.201.1.1 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.4 enable
peer 10.255.255.4 group internal
peer 10.255.255.8 enable
peer 10.255.255.8 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-bangong-export
apply as-path 65001 65001 65001 65001 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-bangong
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-bangong-export index 10 permit 10.125.1.0 24
ip ip-prefix internal-bangong-export index 20 permit 10.125.2.0 24
ip ip-prefix internal-bangong-export index 30 permit 10.125.3.0 24
ip ip-prefix internal-bangong-export index 40 permit 10.125.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.38.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.38.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.38.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.38.4.0 24
ip ip-prefix external-as65000-bangong index 10 permit 10.158.1.0 24
ip ip-prefix external-as65000-bangong index 20 permit 10.158.2.0 24
ip ip-prefix external-as65000-bangong index 30 permit 10.158.3.0 24
ip ip-prefix external-as65000-bangong index 40 permit 10.158.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

XRV4 configuration:

===========================================================================

#
sysname XRV4
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.54.0.0 0.0.255.255 destination 10.158.0.0 0.0.255.255
rule 10 permit ip source 10.38.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.5
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.4000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.2.2 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.201.1.6 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet0/0/2
ip address 10.10.2.9 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.4 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.5 source-ip 10.201.1.6
#
bgp 65001
router-id 10.255.255.4
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.5 as-number 65000
peer 10.201.1.5 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.3 as-number 65001
peer 10.255.255.3 group internal
peer 10.255.255.8 as-number 65001
peer 10.255.255.8 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.5 enable
peer 10.201.1.5 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.3 enable
peer 10.255.255.3 group internal
peer 10.255.255.8 enable
peer 10.255.255.8 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-shengchan-export
apply as-path 65001 65001 65001 65001 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-shengchan
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-shengchan-export index 10 permit 10.54.1.0 24
ip ip-prefix internal-shengchan-export index 20 permit 10.54.2.0 24
ip ip-prefix internal-shengchan-export index 30 permit 10.54.3.0 24
ip ip-prefix internal-shengchan-export index 40 permit 10.54.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.38.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.38.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.38.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.38.4.0 24
ip ip-prefix external-as65000-shengchan index 10 permit 10.133.1.0 24
ip ip-prefix external-as65000-shengchan index 20 permit 10.133.2.0 24
ip ip-prefix external-as65000-shengchan index 30 permit 10.133.3.0 24
ip ip-prefix external-as65000-shengchan index 40 permit 10.133.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

XRV5 configuration:

===========================================================================

#
sysname XRV5
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.200.0.0 0.0.255.255 destination 10.133.0.0 0.0.255.255
rule 10 permit ip source 10.45.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.9
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.5000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.3.1 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.10.3.5 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/2
ip address 10.201.1.10 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.5 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.9 source-ip 10.201.1.10
#
bgp 65002
router-id 10.255.255.5
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.9 as-number 65000
peer 10.201.1.9 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.6 as-number 65002
peer 10.255.255.6 group internal
peer 10.255.255.9 as-number 65002
peer 10.255.255.9 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.9 enable
peer 10.201.1.9 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.6 enable
peer 10.255.255.6 group internal
peer 10.255.255.9 enable
peer 10.255.255.9 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-bangong-export
apply as-path 65002 65002 65002 65002 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-bangong
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-bangong-export index 10 permit 10.200.1.0 24
ip ip-prefix internal-bangong-export index 20 permit 10.200.2.0 24
ip ip-prefix internal-bangong-export index 30 permit 10.200.3.0 24
ip ip-prefix internal-bangong-export index 40 permit 10.200.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.45.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.45.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.45.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.45.4.0 24
ip ip-prefix external-as65000-bangong index 10 permit 10.158.1.0 24
ip ip-prefix external-as65000-bangong index 20 permit 10.158.2.0 24
ip ip-prefix external-as65000-bangong index 30 permit 10.158.3.0 24
ip ip-prefix external-as65000-bangong index 40 permit 10.158.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

XRV6 configuration:

===========================================================================

#
sysname XRV6
#
board add 0/1 1GEC
board add 0/2 1GEC
board add 0/3 1GEC
board add 0/4 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
bfd
#
acl number 3010
rule 5 permit ip source 10.114.0.0 0.0.255.255 destination 10.158.0.0 0.0.255.255
rule 10 permit ip source 10.45.0.0 0.0.255.255 destination 10.79.0.0 0.0.255.255
#
ipsec proposal tran1
#
ike peer spub v1
pre-shared-key simple huawei
remote-address 10.201.1.13
#
ipsec policy map1 10 isakmp
security acl 3010
ike-peer spub
proposal tran1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.6000.00
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.3.2 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/1
ip address 10.10.3.9 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface GigabitEthernet0/0/2
ip address 10.201.1.14 255.255.255.252
ipsec policy map1
#
interface GigabitEthernet1/0/0
#
interface GigabitEthernet2/0/0
#
interface GigabitEthernet3/0/0
#
interface GigabitEthernet4/0/0
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.6 255.255.255.255
isis enable 100
#
bfd 10 bind peer-ip 10.201.1.13 source-ip 10.201.1.14
#
bgp 65002
router-id 10.255.255.6
graceful-restart
group external external
peer external bfd min-tx-interval 250 min-rx-interval 250
peer external bfd enable
peer external password simple cisco
peer 10.201.1.13 as-number 65000
peer 10.201.1.13 group external
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.5 as-number 65002
peer 10.255.255.5 group internal
peer 10.255.255.9 as-number 65002
peer 10.255.255.9 group internal
#
ipv4-family unicast
undo synchronization
peer external enable
peer external route-policy external-import import
peer external route-policy internal-export export
peer external advertise-community
peer 10.201.1.13 enable
peer 10.201.1.13 group external
peer internal enable
peer internal next-hop-local
peer internal advertise-community
peer 10.255.255.5 enable
peer 10.255.255.5 group internal
peer 10.255.255.9 enable
peer 10.255.255.9 group internal
#
route-policy internal-export permit node 10
if-match ip-prefix internal-shengchan-export
apply as-path 65002 65002 65002 65002 additive
#
route-policy internal-export permit node 20
if-match ip-prefix internal-oa-export
#
route-policy external-import permit node 10
if-match ip-prefix external-as65000-shengchan
apply cost + 12000
#
route-policy external-import permit node 20
if-match ip-prefix external-as65000-oa
apply local-preference 2000
#
ip ip-prefix internal-shengchan-export index 10 permit 10.114.1.0 24
ip ip-prefix internal-shengchan-export index 20 permit 10.114.2.0 24
ip ip-prefix internal-shengchan-export index 30 permit 10.114.3.0 24
ip ip-prefix internal-shengchan-export index 40 permit 10.114.4.0 24
ip ip-prefix internal-oa-export index 10 permit 10.45.1.0 24
ip ip-prefix internal-oa-export index 20 permit 10.45.2.0 24
ip ip-prefix internal-oa-export index 30 permit 10.45.3.0 24
ip ip-prefix internal-oa-export index 40 permit 10.45.4.0 24
ip ip-prefix external-as65000-shengchan index 10 permit 10.133.1.0 24
ip ip-prefix external-as65000-shengchan index 20 permit 10.133.2.0 24
ip ip-prefix external-as65000-shengchan index 30 permit 10.133.3.0 24
ip ip-prefix external-as65000-shengchan index 40 permit 10.133.4.0 24
ip ip-prefix external-as65000-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-as65000-oa index 20 permit 10.79.2.0 24
ip ip-prefix external-as65000-oa index 30 permit 10.79.3.0 24
ip ip-prefix external-as65000-oa index 40 permit 10.79.4.0 24
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

SW1 configuration:

===========================================================================

#
sysname SW1
#
vlan batch 2 to 12 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.7000.00
#
interface Vlanif1
ip address 10.158.1.254 255.255.255.0
#
interface Vlanif2
ip address 10.158.2.254 255.255.255.0
#
interface Vlanif3
ip address 10.158.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.158.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.133.1.254 255.255.255.0
#
interface Vlanif6
ip address 10.133.2.254 255.255.255.0
#
interface Vlanif7
ip address 10.133.3.254 255.255.255.0
#
interface Vlanif8
ip address 10.133.4.254 255.255.255.0
#
interface Vlanif9
ip address 10.79.1.254 255.255.255.0
#
interface Vlanif10
ip address 10.79.2.254 255.255.255.0
#
interface Vlanif11
ip address 10.79.3.254 255.255.255.0
#
interface Vlanif12
ip address 10.79.4.254 255.255.255.0
#
interface Vlanif100
ip address 10.10.1.6 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface Vlanif200
ip address 10.10.1.10 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface MEth0/0/1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/3
eth-trunk 10
#
interface GigabitEthernet0/0/4
eth-trunk 10
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.7 255.255.255.255
isis enable 100
#
bgp 65000
router-id 10.255.255.7
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.1 as-number 65000
peer 10.255.255.1 group internal
peer 10.255.255.2 as-number 65000
peer 10.255.255.2 group internal
#
ipv4-family unicast
undo synchronization
network 10.79.1.0 255.255.255.0
network 10.79.2.0 255.255.255.0
network 10.79.3.0 255.255.255.0
network 10.79.4.0 255.255.255.0
network 10.133.1.0 255.255.255.0
network 10.133.2.0 255.255.255.0
network 10.133.3.0 255.255.255.0
network 10.133.4.0 255.255.255.0
network 10.158.1.0 255.255.255.0
network 10.158.2.0 255.255.255.0
network 10.158.3.0 255.255.255.0
network 10.158.4.0 255.255.255.0
maximum load-balancing ibgp 2
peer internal enable
peer internal route-policy external-import-oa import
peer internal route-policy interna-community export
peer internal advertise-community
peer 10.255.255.1 enable
peer 10.255.255.1 group internal
peer 10.255.255.2 enable
peer 10.255.255.2 group internal
#
route-policy interna-community permit node 10
if-match ip-prefix internal-bangong
apply community 65000:100
#
route-policy interna-community permit node 20
if-match ip-prefix internal-shengchan
apply community 65000:200
#
route-policy interna-community permit node 30
if-match ip-prefix internal-oa
apply community 65000:300
#
route-policy external-import-oa permit node 10
if-match community-filter import-oa
#
ip ip-prefix internal-bangong index 10 permit 10.158.1.0 24
ip ip-prefix internal-bangong index 20 permit 10.158.2.0 24
ip ip-prefix internal-bangong index 30 permit 10.158.3.0 24
ip ip-prefix internal-bangong index 40 permit 10.158.4.0 24
ip ip-prefix internal-shengchan index 10 permit 10.133.1.0 24
ip ip-prefix internal-shengchan index 20 permit 10.133.2.0 24
ip ip-prefix internal-shengchan index 30 permit 10.133.3.0 24
ip ip-prefix internal-shengchan index 40 permit 10.133.4.0 24
ip ip-prefix internal-oa index 10 permit 10.79.1.0 24
ip ip-prefix internal-oa index 20 permit 10.79.2.0 24
ip ip-prefix internal-oa index 30 permit 10.79.3.0 24
ip ip-prefix internal-oa index 40 permit 10.79.4.0 24
#
ip community-filter basic import-oa permit 65001:300
ip community-filter basic import-oa permit 65002:300
#
user-interface con 0
user-interface vty 0 4
#
return
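
As an added example (not part of the original post), the following Python check reads a VRP configuration in the style shown above and reports names that a `peer ... route-policy` or `if-match` line references but that are never defined, definitions that nothing references, and export policies that `apply community` towards a peer or group lacking `advertise-community`. The sample configuration, its names and the function name `audit` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed VRP-style sample (not taken from any device on the page).
# Deliberate faults: a misspelled prefix-list name, an export policy that is
# never defined, and a community-tagging export without advertise-community.
SAMPLE = """\
bgp 65000
 peer internal route-policy external-import-oa import
 peer internal route-policy tag-community export
 peer external route-policy internal-exprot export
 peer external route-policy external-import import
 peer external advertise-community
#
route-policy tag-community permit node 10
 if-match ip-prefix internal-oa
 apply community 65000:300
#
route-policy internal-export permit node 10
 if-match ip-prefix internal-oa
#
route-policy external-import-oa permit node 10
 if-match community-filter import-oa
#
route-policy external-import permit node 10
 if-match ip-prefix external-oa-imprt
 apply local-preference 2000
#
ip ip-prefix internal-oa index 10 permit 10.79.1.0 24
ip ip-prefix external-oa-import index 10 permit 10.38.1.0 24
ip community-filter basic import-oa permit 65001:300
"""

KINDS = ("route-policy", "ip-prefix", "community-filter")


def audit(text):
    """Return a list of (finding, kind_or_peer, name) tuples for one config."""
    defined = defaultdict(set)   # kind -> names that have a definition
    used = defaultdict(set)      # kind -> names that something references
    tagging = set()              # route-policies containing "apply community"
    exports = []                 # (peer or group, policy) bound for export
    advertises = set()           # peers/groups with advertise-community
    current = None               # route-policy whose node is being read

    for raw in text.splitlines():
        line = raw.strip()       # works for indented and flattened dumps
        if line == "#":
            current = None
            continue
        m = re.match(r"route-policy (\S+) (?:permit|deny) node \d+$", line)
        if m:
            current = m.group(1)
            defined["route-policy"].add(current)
            continue
        m = re.match(r"peer (\S+) route-policy (\S+) (import|export)$", line)
        if m:
            used["route-policy"].add(m.group(2))
            if m.group(3) == "export":
                exports.append((m.group(1), m.group(2)))
            continue
        m = re.match(r"peer (\S+) advertise-community$", line)
        if m:
            advertises.add(m.group(1))
            continue
        m = re.match(r"ip (ip-prefix|community-filter) "
                     r"(?:basic |advanced )?(\S+) ", line)
        if m:
            defined[m.group(1)].add(m.group(2))
            continue
        m = re.match(r"if-match (ip-prefix|community-filter) (\S+)", line)
        if m and current:
            used[m.group(1)].add(m.group(2))
        elif current and line.startswith("apply community "):
            tagging.add(current)

    findings = []
    for kind in KINDS:
        for name in sorted(used[kind] - defined[kind]):
            findings.append(("undefined", kind, name))
        for name in sorted(defined[kind] - used[kind]):
            findings.append(("unused", kind, name))
    # Only the peer or group the policy is bound to is checked; membership of
    # individual peers in a group is not resolved (simplifying assumption).
    for peer, policy in exports:
        if policy in tagging and peer not in advertises:
            findings.append(("community-not-advertised", peer, policy))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

An "undefined" finding paired with an "unused" one of nearly the same name usually marks a single typo, and either half means the filter in force is not the one the policy name suggests.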

SW2 configuration:

===========================================================================

#
sysname SW2
#
vlan batch 2 to 12 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.8000.00
#
interface Vlanif1
ip address 10.125.1.254 255.255.255.0
#
interface Vlanif2
ip address 10.125.2.254 255.255.255.0
#
interface Vlanif3
ip address 10.125.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.125.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.54.1.254 255.255.255.0
#
interface Vlanif6
ip address 10.54.2.254 255.255.255.0
#
interface Vlanif7
ip address 10.54.3.254 255.255.255.0
#
interface Vlanif8
ip address 10.54.4.254 255.255.255.0
#
interface Vlanif9
ip address 10.38.1.254 255.255.255.0
#
interface Vlanif10
ip address 10.38.2.254 255.255.255.0
#
interface Vlanif11
ip address 10.38.3.254 255.255.255.0
#
interface Vlanif12
ip address 10.38.4.254 255.255.255.0
#
interface Vlanif100
ip address 10.10.2.6 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface Vlanif200
ip address 10.10.2.10 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.8 255.255.255.255
isis enable 100
#
bgp 65001
router-id 10.255.255.8
graceful-restart
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.3 as-number 65001
peer 10.255.255.3 group internal
peer 10.255.255.4 as-number 65001
peer 10.255.255.4 group internal
#
ipv4-family unicast
undo synchronization
network 10.38.1.0 255.255.255.0
network 10.38.2.0 255.255.255.0
network 10.38.3.0 255.255.255.0
network 10.38.4.0 255.255.255.0
network 10.54.1.0 255.255.255.0
network 10.54.2.0 255.255.255.0
network 10.54.3.0 255.255.255.0
network 10.54.4.0 255.255.255.0
network 10.125.1.0 255.255.255.0
network 10.125.2.0 255.255.255.0
network 10.125.3.0 255.255.255.0
network 10.125.4.0 255.255.255.0
maximum load-balancing ibgp 2
peer internal enable
peer internal route-policy external-import-oa import
peer internal route-policy interna-community export
peer internal advertise-community
peer 10.255.255.3 enable
peer 10.255.255.3 group internal
peer 10.255.255.4 enable
peer 10.255.255.4 group internal
#
route-policy interna-community permit node 10
if-match ip-prefix internal-bangong
apply community 65001:100
#
route-policy interna-community permit node 20
if-match ip-prefix internal-shengchan
apply community 65001:200
#
route-policy interna-community permit node 30
if-match ip-prefix internal-oa
apply community 65001:300
#
route-policy external-import-oa permit node 10
if-match community-filter import-oa
#
ip ip-prefix internal-bangong index 10 permit 10.125.1.0 24
ip ip-prefix internal-bangong index 20 permit 10.125.2.0 24
ip ip-prefix internal-bangong index 30 permit 10.125.3.0 24
ip ip-prefix internal-bangong index 40 permit 10.125.4.0 24
ip ip-prefix internal-shengchan index 10 permit 10.54.1.0 24
ip ip-prefix internal-shengchan index 20 permit 10.54.2.0 24
ip ip-prefix internal-shengchan index 30 permit 10.54.3.0 24
ip ip-prefix internal-shengchan index 40 permit 10.54.4.0 24
ip ip-prefix internal-oa index 10 permit 10.38.1.0 24
ip ip-prefix internal-oa index 20 permit 10.38.2.0 24
ip ip-prefix internal-oa index 30 permit 10.38.3.0 24
ip ip-prefix internal-oa index 40 permit 10.38.4.0 24
#
ip community-filter basic import-oa permit 65000:300
ip community-filter basic import-oa permit 65002:300
#
user-interface con 0
user-interface vty 0 4
#
return

SW3 configuration:

===========================================================================

#
sysname SW3
#
vlan batch 2 to 12 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
isis 100
is-level level-2
network-entity 49.0000.1025.5255.3000.00
#
interface Vlanif1
ip address 10.200.1.254 255.255.255.0
#
interface Vlanif2
ip address 10.200.2.254 255.255.255.0
#
interface Vlanif3
ip address 10.200.3.254 255.255.255.0
#
interface Vlanif4
ip address 10.200.4.254 255.255.255.0
#
interface Vlanif5
ip address 10.114.1.254 255.255.255.0
#
interface Vlanif6
ip address 10.114.2.254 255.255.255.0
#
interface Vlanif7
ip address 10.114.3.254 255.255.255.0
#
interface Vlanif8
ip address 10.114.4.254 255.255.255.0
#
interface Vlanif9
ip address 10.45.1.254 255.255.255.0
#
interface Vlanif10
ip address 10.45.2.254 255.255.255.0
#
interface Vlanif11
ip address 10.45.3.254 255.255.255.0
#
interface Vlanif12
ip address 10.45.4.254 255.255.255.0
#
interface Vlanif100
ip address 10.10.3.6 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface Vlanif200
ip address 10.10.3.10 255.255.255.252
isis enable 100
isis circuit-level level-2
#
interface MEth0/0/1
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
eth-trunk 10
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
interface LoopBack0
ip address 10.255.255.9 255.255.255.255
isis enable 100
isis circuit-level level-2
#
bgp 65002
router-id 10.255.255.9
graceful-restart
group internal internal
peer internal connect-interface LoopBack0
peer internal password simple cisco
peer 10.255.255.5 as-number 65002
peer 10.255.255.5 group internal
peer 10.255.255.6 as-number 65002
peer 10.255.255.6 group internal
#
ipv4-family unicast
undo synchronization
network 10.45.1.0 255.255.255.0
network 10.45.2.0 255.255.255.0
network 10.45.3.0 255.255.255.0
network 10.45.4.0 255.255.255.0
network 10.114.1.0 255.255.255.0
network 10.114.2.0 255.255.255.0
network 10.114.3.0 255.255.255.0
network 10.114.4.0 255.255.255.0
network 10.200.1.0 255.255.255.0
network 10.200.2.0 255.255.255.0
network 10.200.3.0 255.255.255.0
network 10.200.4.0 255.255.255.0
maximum load-balancing ibgp 2
peer internal enable
peer internal route-policy external-import-oa import
peer internal route-policy interna-community export
peer internal advertise-community
peer 10.255.255.5 enable
peer 10.255.255.5 group internal
peer 10.255.255.6 enable
peer 10.255.255.6 group internal
#
route-policy interna-community permit node 10
if-match ip-prefix internal-bangong
apply community 65002:100
#
route-policy interna-community permit node 20
if-match ip-prefix internal-shengchan
apply community 65002:200
#
route-policy interna-community permit node 30
if-match ip-prefix internal-oa
apply community 65002:300
#
route-policy external-import-oa permit node 10
if-match community-filter import-oa
#
ip ip-prefix internal-bangong index 10 permit 10.200.1.0 24
ip ip-prefix internal-bangong index 20 permit 10.200.2.0 24
ip ip-prefix internal-bangong index 30 permit 10.200.3.0 24
ip ip-prefix internal-bangong index 40 permit 10.200.4.0 24
ip ip-prefix internal-shengchan index 10 permit 10.114.1.0 24
ip ip-prefix internal-shengchan index 20 permit 10.114.2.0 24
ip ip-prefix internal-shengchan index 30 permit 10.114.3.0 24
ip ip-prefix internal-shengchan index 40 permit 10.114.4.0 24
ip ip-prefix internal-oa index 10 permit 10.45.1.0 24
ip ip-prefix internal-oa index 20 permit 10.45.2.0 24
ip ip-prefix internal-oa index 30 permit 10.45.3.0 24
ip ip-prefix internal-oa index 40 permit 10.45.4.0 24
#
ip community-filter basic import-oa permit 65001:300
ip community-filter basic import-oa permit 65000:300
#
user-interface con 0
user-interface vty 0 4
#
return

On XRV3, use display ike sa to view IKE phase 1

===========================================================================

<XRV3>display ike sa
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
22 10.201.1.1 0 RD 2
21 10.201.1.1 0 RD|ST 2
15 10.201.1.1 0 RD|ST 1

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP

On XRV3, use display ipsec sa to view IKE phase 2

===========================================================================

<XRV3>display ipsec sa

===============================
Interface: GigabitEthernet0/0/1
Path MTU: 1500
===============================

-----------------------------
IPSec policy name: "map1"
Sequence number : 10
Acl Group : 3010
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 21
Encapsulation mode: Tunnel
Tunnel local : 10.201.1.2
Tunnel remote : 10.201.1.1
Flow source : 10.125.0.0/255.255.0.0 0/0
Flow destination : 10.133.0.0/255.255.0.0 0/0
Qos pre-classify : Disable

[Outbound ESP SAs]
SPI: 121135015 (0x7385fa7)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2938
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]
SPI: 3851064655 (0xe58a954f)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2938
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

-----------------------------
IPSec policy name: "map1"
Sequence number : 10
Acl Group : 3010
Acl rule : 10
Mode : ISAKMP
-----------------------------
Connection ID : 22
Encapsulation mode: Tunnel
Tunnel local : 10.201.1.2
Tunnel remote : 10.201.1.1
Flow source : 10.38.0.0/255.255.0.0 0/0
Flow destination : 10.79.0.0/255.255.0.0 0/0
Qos pre-classify : Disable

[Outbound ESP SAs]
SPI: 2545515130 (0x97b97a7a)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2943
Max sent sequence-number: 0
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]
SPI: 3831477031 (0xe45fb327)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec): 1887436800/2943
Max received sequence-number: 0
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
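The SA output above shows every tunnel negotiated with single DES and MD5, and the configurations store BGP and local-user secrets with the `simple` keyword. The following check is an added example, not part of the original page: it flags both conditions over excerpts copied from this page, and the function names `audit_ipsec_sa` and `audit_cleartext` are hypothetical.

```python
import re

# Constructed input: excerpts copied from this page (XRV3 "display ipsec sa"
# output and credential lines from the SW3 configuration).
IPSEC_SA = """\
Connection ID : 21
Flow source : 10.125.0.0/255.255.0.0 0/0
Flow destination : 10.133.0.0/255.255.0.0 0/0
[Outbound ESP SAs]
SPI: 121135015 (0x7385fa7)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
[Inbound ESP SAs]
SPI: 3851064655 (0xe58a954f)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
Anti-replay window size: 32"""
CONFIG = """\
local-user admin password simple admin
peer internal password simple cisco
peer internal connect-interface LoopBack0"""

# Transform names exactly as they appear in the output above.
WEAK = {"ESP-ENCRYPT-DES-64": "single DES encryption", "ESP-AUTH-MD5": "MD5 integrity"}

def audit_ipsec_sa(text):
    """Return (connection_id, direction, weakness) for every weak transform in use."""
    findings, conn, direction = [], None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Connection ID\s*:\s*(\d+)", line):
            conn = int(m.group(1))
        elif m := re.match(r"\[(Outbound|Inbound) ESP SAs\]", line):
            direction = m.group(1)
        elif line.startswith("Proposal:"):
            for transform in line.split()[1:]:
                if transform in WEAK:
                    findings.append((conn, direction, WEAK[transform]))
    return findings

def audit_cleartext(config):
    """Return config lines that store a secret in cleartext, with the secret redacted."""
    pat = re.compile(r"\b(password|pre-shared-key)\s+simple\s+\S+")
    return [re.sub(r"(simple\s+)\S+", r"\1<redacted>", line.strip())
            for line in config.splitlines() if pat.search(line)]
```

On these devices the remedy is to store secrets with `cipher` instead of `simple` and to configure explicit, stronger ESP algorithms in the `ipsec proposal` definitions, which the page leaves empty.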

On SW3, use display ip routing-table protocol bgp to view the routes

===========================================================================

<SW3>display ip routing-table protocol bgp
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : BGP
Destinations : 4 Routes : 4

BGP routing table status : <Active>
Destinations : 4 Routes : 4

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.79.1.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100
10.79.2.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100
10.79.3.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100
10.79.4.0/24 IBGP 255 0 RD 10.255.255.5 Vlanif100

BGP routing table status : <Inactive>
Destinations : 0 Routes : 0

On SW3, use ping to probe the OA flow of AS 65000, 10.79.1.254/32

===========================================================================

<SW3>ping -a 10.45.1.254 10.79.1.254
PING 10.79.1.254: 56 data bytes, press CTRL_C to break
Reply from 10.79.1.254: bytes=56 Sequence=1 ttl=254 time=40 ms
Reply from 10.79.1.254: bytes=56 Sequence=2 ttl=254 time=40 ms
Reply from 10.79.1.254: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 10.79.1.254: bytes=56 Sequence=4 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=5 ttl=254 time=60 ms

--- 10.79.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/46/60 ms

On SW3, use tracert to trace the OA flow of AS 65000, 10.79.1.254/32

===========================================================================

<SW3>tracert -a 10.45.1.254 10.79.1.254
traceroute to 10.79.1.254(10.79.1.254), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.201.1.9 10 ms 50 ms 50 ms
2 10.10.1.6 60 ms 50 ms 30 ms

Shut down interface g0/0/2 on XRV5, wait for the routes to converge, then view the routes on SW3

===========================================================================

<SW3>display bgp routing-table

BGP Local router ID is 10.255.255.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 16
Network NextHop MED LocPrf PrefVal Path/Ogn

*> 10.45.1.0/24 0.0.0.0 0 0 i
*> 10.45.2.0/24 0.0.0.0 0 0 i
*> 10.45.3.0/24 0.0.0.0 0 0 i
*> 10.45.4.0/24 0.0.0.0 0 0 i
*>i 10.79.1.0/24 10.255.255.6 2000 0 65000i
*>i 10.79.2.0/24 10.255.255.6 2000 0 65000i
*>i 10.79.3.0/24 10.255.255.6 2000 0 65000i
*>i 10.79.4.0/24 10.255.255.6 2000 0 65000i
*> 10.114.1.0/24 0.0.0.0 0 0 i
*> 10.114.2.0/24 0.0.0.0 0 0 i
*> 10.114.3.0/24 0.0.0.0 0 0 i
*> 10.114.4.0/24 0.0.0.0 0 0 i
*> 10.200.1.0/24 0.0.0.0 0 0 i
*> 10.200.2.0/24 0.0.0.0 0 0 i
*> 10.200.3.0/24 0.0.0.0 0 0 i
*> 10.200.4.0/24 0.0.0.0 0 0 i
<SW3>

On SW3, use ping to probe the OA flow of AS 65000, 10.79.1.254/32

===========================================================================

<SW3>ping -a 10.45.1.254 10.79.1.254
PING 10.79.1.254: 56 data bytes, press CTRL_C to break
Reply from 10.79.1.254: bytes=56 Sequence=1 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=2 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=3 ttl=254 time=50 ms
Reply from 10.79.1.254: bytes=56 Sequence=4 ttl=254 time=60 ms
Reply from 10.79.1.254: bytes=56 Sequence=5 ttl=254 time=60 ms

--- 10.79.1.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/58/60 ms

<SW3>

On SW3, use tracert to trace the OA flow of AS 65000, 10.79.1.254/32

===========================================================================

<SW3>tracert -a 10.45.1.254 10.79.1.254
traceroute to 10.79.1.254(10.79.1.254), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.201.1.13 50 ms 50 ms 40 ms
2 10.10.1.10 50 ms 30 ms 50 ms
<SW3>