VPE配置 (VPE configuration — `VPE1-15.181`)

Reviewer notes on the listing below (read together with the CPE configuration that follows):

- IPsec toward the CPE is a template policy (`ipsec policy VPE1 65535 isakmp template VPE1`) whose IKE profile and keychain both match `0.0.0.0 0.0.0.0`: any peer that knows the single pre-shared key can bring up a tunnel to GigabitEthernet3/0. The key is stored with `cipher` (reversible — the device needs the plaintext for IKE), so this dump must be handled as a secret. The transform set is `aes-cbc-128`/`sha1`, and no `pfs` line appears in the template; confirm whether that matches the intended policy. A template-based policy only responds to negotiations, so an SA exists only if the CPE initiates (see the CPE notes).
- `line vty 0 63` grants both `network-admin` and `network-operator` and sets `idle-timeout 0 0` (sessions never expire); no ACL is bound to the VTY lines in this listing, and `password-recovery enable` is set.
- The BGP peers `223.1.1.9`/`223.1.1.10` run BFD but no `peer … password` is shown, and the NTP master (`ntp-service refclock-master 2`) shows no authentication. These may have been stripped from the dump — verify on the device rather than assuming.
- `public-key peer 47.1.1.2` is a 1024-bit RSA key (DER `30819F… 028181 00 …`, exponent `010001`), below current minimums; its consumer is not visible here, since the IKE profile authenticates by PSK.

display current-configuration configuration
#
sysname VPE1-15.181
#
clock protocol ntp
#
ip vpn-instance CPE41-47@210bae
route-distinguisher 200:56
#
bfd multi-hop min-transmit-interval 300
bfd multi-hop min-receive-interval 300
bfd multi-hop detect-multiplier 3
#
ospf 2
area 0.0.0.0
area 0.0.0.2
#
ip unreachables enable
ip ttl-expires enable
#
dhcp enable
dhcp server always-broadcast
#
lldp global enable
#
flow-interval 5
#
password-recovery enable
#
vlan 1
#
irf-port
#
nqa entry sdwan vpe1_tunnel102
type udp-jitter
destination ip 223.1.1.10
destination port 10000
frequency 10000
high-performance-mode enable
source ip 223.1.1.11
vpn-instance CPE41-47@210bae
#
nqa schedule sdwan vpe1_tunnel102 start-time now lifetime forever
#
mpls te
#
l2vpn enable
#
vsi CPE41-47@210bae
gateway vsi-interface 36
vxlan 56
tunnel 102
tunnel 103
#
bgp 181
#
ip vpn-instance CPE41-47@210bae
compare-different-as-med
peer 223.1.1.9 as-number 5
peer 223.1.1.9 connect-interface Vsi-interface36
peer 223.1.1.9 bfd multi-hop
peer 223.1.1.10 as-number 47
peer 223.1.1.10 connect-interface Vsi-interface36
peer 223.1.1.10 bfd multi-hop
#
address-family ipv4 unicast
default med 255
preference 255 255 255
import-route direct
import-route static
import-route ospf all-processes
peer 223.1.1.9 enable
peer 223.1.1.9 next-hop-local
peer 223.1.1.10 enable
peer 223.1.1.10 next-hop-local
#
route-policy public-filter permit node 1
if-match ip address prefix-list public-filter
#
ip prefix-list public-filter index 10 permit 0.0.0.0 0
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
user-role network-operator
idle-timeout 0 0
#
ip route-static 0.0.0.0 0 172.171.0.1
ip route-static 7.3.1.0 24 12.2.1.2
ip route-static 7.5.1.0 24 12.2.1.2
ip route-static 100.47.47.47 32 47.1.1.2
ip route-static 103.3.3.0 24 12.2.1.2
ip route-static 172.17.2.0 24 172.171.0.1
#
ssh server enable
#
nqa server enable
nqa server udp-echo high-performance enable
nqa server udp-echo 223.1.1.11 10000 vpn-instance CPE41-47@210bae high-performance-mode
#
ntp-service enable
ntp-service refclock-master 2
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user ceni class manage
password hash $h$6$hjNBAY+fPRwAxdp9$/D4FZS/RdN+9myka1RVFO8rk/qx5cIItOuZrIrvl/vq1A9lj0VI88p4wngU88MGFMLxJJsA1QosufQVPocqV7A==
service-type ssh
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user guest class manage
password hash $h$6$bNJcV4UPEaF5C3fH$2+vtj98J+SHQRhci6UgkqIC4iqdO+3gHQ37UxoSFoyOGncVYA0EXR/k2O6LpLufQcb3LsgYdluvXygiKsyu6hw==
service-type ssh
authorization-attribute user-role level-1
#
public-key peer 47.1.1.2
public-key-code begin
30819F300D06092A864886F70D010101050003818D0030818902818100A57B76E9805EF3C5
767033362ACB0F25B84FBD11C336C57966E105736D6B2092B7BCF4610E334ADD98E4341A8F
64DF0E9B4CE9E667DEDE7C6535ABC8CF3F5BB3D96365ACF659AE564E064C962D450B70E646
9262B0374822ECB2001DEAC300F57260396E5880883D3DBFDC33639231AB41B07F4EFCF857
EFE3BEC79F09A22D9D0203010001
public-key-code end
peer-public-key end
#
ipsec transform-set VPE1
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy-template VPE1 65535
transform-set VPE1
ike-profile VPE1
reverse-route dynamic
#
ipsec policy VPE1 65535 isakmp template VPE1
#
ike profile VPE1
keychain VPE1
dpd interval 10 periodic
match remote identity address 0.0.0.0 0.0.0.0
priority 65535
#
ike keychain VPE1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$VvaFDmcFaAZz3D7pZHS/vjq/+BY1DQcX
priority 65535
#
netconf ssh server enable
#
return

#
interface NULL0
#
interface LoopBack0
ip address 181.181.181.181 255.255.255.255
#
interface GigabitEthernet1/0
description overlay
ip address 172.171.15.181 255.255.240.0
#
interface GigabitEthernet2/0
description lan
ip address 12.2.1.2 255.255.255.0
#
interface GigabitEthernet3/0
description wan
ip address 47.1.1.1 255.255.255.252
ipsec apply policy VPE1
#
interface Vsi-interface36
ip binding vpn-instance CPE41-47@210bae
ip address 223.1.1.11 255.255.0.0
#
interface Tunnel102 mode vxlan
description CPE41-47@210bae
source 181.181.181.181
destination 100.47.47.47
#
interface Tunnel103 mode vxlan
source 172.171.15.181
destination 172.171.15.182
#
return

CPE配置 (CPE configuration — `CPE_47`)

Reviewer notes on the listing below:

- `local-user admin` carries `service-type telnet http` with `network-admin`, and `ip http enable` is set; Telnet and plain HTTP send credentials in cleartext. No `telnet server enable` or `ip https enable` appears in this listing, and no `password` line is shown for any of the three local users — either redacted from this dump or the accounts have no password set; confirm on the device.
- `ike profile ADWAN-IKE-PRO` uses `exchange-mode aggressive` with a pre-shared key (`SDWAN-KEYCHAIN`). Aggressive mode exposes the PSK-derived identity hash to an on-path observer, enabling offline dictionary attacks on the key; prefer main mode or IKEv2 if the peer at `172.171.15.17` (not present in either listing) supports it.
- `ipsec policy CPE47_VPE1_ab0 100 isakmp` (ACL `CPE47_VPE1_bae`, `remote-address 47.1.1.1`) is defined but, in this listing, is not applied to any interface: GigabitEthernet0/1 (`47.1.1.2`, the link toward the VPE) carries only `nat outbound`. The static routes send `181.181.181.181/32` via `47.1.1.1`, so unless the policy is applied somewhere not shown, the VXLAN tunnel between `100.47.47.47` and `181.181.181.181` (Tunnel11 / VPE Tunnel102) crosses the `47.1.1.0/30` link unencrypted — the VPE's template policy cannot initiate on its own.
- `password-control enable` is weakened by `length 6`, disabled aging and history, and `update-interval 0`. `line vty 0 63` has `idle-timeout 0 0` and no ACL; `password-recovery enable` is set.
- `public-key peer 47.1.1.1` is a 1024-bit RSA key; the IKE profiles here authenticate by PSK, so its consumer is not visible.
- `LoopBack0` is `100.47.47.47 255.255.255.0`, while the VPE routes it as a /32 and Tunnel11 sources from it; a /24 on a loopback is unusual and is redistributed by `import-route direct` — likely a mask typo, confirm.

#
sysname CPE_47
#
ip vpn-instance CPE41-47@210bae
route-distinguisher 200:56
#
address-family ipv4
route-replicate from public protocol static route-policy public-filter
#
bfd multi-hop min-transmit-interval 300
bfd multi-hop min-receive-interval 300
#
ip unreachables enable
ip ttl-expires enable
#
dhcp enable
dhcp server always-broadcast
#
dns proxy enable
#
lldp global enable
#
flow-interval 5
#
password-recovery enable
#
vlan 1
#
traffic classifier f6ebc00afb004483980df3dc7 operator and
if-match dscp af12
if-match acl 3046
#
traffic behavior f6ebc00afb004483980df3dc7
filter deny
#
qos policy CPE47-0/4.181
classifier f6ebc00afb004483980df3dc7 behavior f6ebc00afb004483980df3dc7
#
nqa entry sdwan cpe47_tunnel11
type udp-jitter
destination ip 223.1.1.11
destination port 10000
frequency 10000
high-performance-mode enable
source ip 223.1.1.10
vpn-instance CPE41-47@210bae
#
nqa schedule sdwan cpe47_tunnel11 start-time now lifetime forever
#
l2vpn enable
#
vsi CPE41-47@210bae
gateway vsi-interface 12
vxlan 56
tunnel 11
#
bgp 47
#
ip vpn-instance CPE41-47@210bae
compare-different-as-med
peer 223.1.1.11 as-number 181
peer 223.1.1.11 connect-interface Vsi-interface12
peer 223.1.1.11 bfd multi-hop
#
address-family ipv4 unicast
default med 255
preference 255 255 255
import-route direct
import-route static
import-route ospf all-processes
peer 223.1.1.11 enable
peer 223.1.1.11 next-hop-local
#
route-policy public-filter permit node 1
if-match ip address prefix-list public-filter
#
ip prefix-list public-filter index 10 permit 0.0.0.0 0
#
scheduler logfile size 16
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class usb
user-role network-admin
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-operator
idle-timeout 0 0
#
ip route-static 0.0.0.0 0 172.171.0.1
ip route-static 172.17.0.0 16 172.171.0.1
ip route-static 181.181.181.181 32 47.1.1.1
ip route-static vpn-instance CPE41-47@210bae 181.181.1.0 24 181.1.1.1 preference 1
#
ssh server enable
#
nqa server enable
nqa server udp-echo high-performance enable
nqa server udp-echo 223.1.1.10 10000 vpn-instance CPE41-47@210bae high-performance-mode
#
ntp-service enable
ntp-service unicast-server 47.1.1.1
#
acl number 2010 name CPE47_01_bae
rule 0 permit vpn-instance CPE41-47@210bae source 181.181.1.0 0.0.0.255
rule 5 permit vpn-instance CPE41-47@210bae source 181.1.1.0 0.0.0.255
#
acl number 3045 name CPE47_VPE1_bae
rule 0 permit ip source 100.47.47.47 0 destination 181.181.181.181 0
#
acl number 3046 name qos-3046
rule 0 permit ip vpn-instance CPE41-47@210bae
#
acl advanced name SDWAN-ACL
rule 1 permit ip source 100.47.47.47 0 destination 172.171.0.0 0.0.15.255
#
password-control enable
undo password-control aging enable
undo password-control history enable
password-control length 6
password-control login-attempt 3 exceed lock-time 10
password-control update-interval 0
password-control login idle-time 0
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
service-type telnet http
authorization-attribute user-role network-admin
#
local-user ceni class manage
service-type ssh
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user guest class manage
service-type ssh
authorization-attribute user-role level-1
#
public-key peer 47.1.1.1
public-key-code begin
30819F300D06092A864886F70D010101050003818D0030818902818100AC7D3F95F0F732EF
FA79B2842676324C512AD6B8C2B607B1D725B86074BAC614E994969D426AB9048073AEEE0F
53B8E9297ACF00AF07B8E1CC3AEBD57C33EC41CF4D9397C9A17F62F3F9479181837722A658
3FA900A9B132B6E69147E92813BDA5E089517BF8178C7F7C82D0F2F60F08315AA95878FA47
3C1A616F35F83E5D290203010001
public-key-code end
peer-public-key end
#
ipsec transform-set CPE47_VPE1_bae
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec transform-set SDWAN-SET
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy ADWAN-Ipsec-Policy 300 isakmp
transform-set SDWAN-SET
security acl name SDWAN-ACL
remote-address 172.171.15.17
ike-profile ADWAN-IKE-PRO
sa trigger-mode auto
#
ipsec policy CPE47_VPE1_ab0 100 isakmp
transform-set CPE47_VPE1_bae
security acl name CPE47_VPE1_bae
remote-address 47.1.1.1
ike-profile CPE47_VPE1_bae
sa trigger-mode auto
reverse-route dynamic
#
ike profile ADWAN-IKE-PRO
keychain SDWAN-KEYCHAIN
dpd interval 10 periodic
exchange-mode aggressive
match remote identity address 172.171.15.17 255.255.255.255
priority 65535
#
ike profile CPE47_VPE1_bae
keychain CPE47_VPE1_bae
dpd interval 10 periodic
match remote identity address 47.1.1.1 255.255.255.252
#
ike keychain CPE47_VPE1_bae
pre-shared-key address 47.1.1.1 255.255.255.252 key cipher $c$3$Y8xN2dCUgyIn8OZec1KnW+TctLPTyS7I
#
ike keychain SDWAN-KEYCHAIN
pre-shared-key address 172.171.15.17 255.255.255.255 key cipher $c$3$fq/yeUsSVcxfxiDqjxVmRqTkBnBoUwPon+bYzr6V
#
netconf ssh server enable
#
ip http enable
#
wlan global-configuration
#
wlan ap-group default-group
vlan 1
#
return
#
interface NULL0
#
interface LoopBack0
ip address 100.47.47.47 255.255.255.0
#
interface GigabitEthernet0/0
port link-mode route
description wan
ip address 172.171.15.47 255.255.240.0
tcp mss 1280
ipsec apply policy ADWAN-Ipsec-Policy
#
interface GigabitEthernet0/1
port link-mode route
description wan-SW-G1/0/19
mtu 1650
ip address 47.1.1.2 255.255.255.252
nat outbound name CPE47_01_bae
#
interface GigabitEthernet0/2
port link-mode route
combo enable copper
#
interface GigabitEthernet0/3
port link-mode route
combo enable copper
#
interface GigabitEthernet0/4
port link-mode route
description to-SPT-port1
#
interface GigabitEthernet0/4.181
ip binding vpn-instance CPE41-47@210bae
ip address 181.1.1.254 255.255.255.0
qos apply policy CPE47-0/4.181 inbound
vlan-type dot1q vid 181
#
interface GigabitEthernet0/5
port link-mode route
loopback internal
#
interface Vsi-interface12
ip binding vpn-instance CPE41-47@210bae
ip address 223.1.1.10 255.255.0.0
#
interface Tunnel11 mode vxlan
description CPE41-47@210bae
source 100.47.47.47
destination 181.181.181.181
#