拓扑图
1.总部和分部之间使用MPLS/BGP 虚拟专用网络和OSPF通信
1.PE-1上去往CE-5的NAT地址的静态路由,目的地址掩码可以不做限制,只要有去往CE-5的路由就可以了
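2.配置DHCP时,DHCP-relay到DHCP服务器(10.0.134.1)的路由要通
3.CE-5的security-policy中,policy1把trust和untrust、policy2把local和untrust同时列为源和目的安全区域,且action permit,没有地址和服务条件,相当于这些区域之间双向全放行(包括untrust到trust、untrust到防火墙自身),只适合实验中验证连通性;实际部署应按方向、地址、服务收紧规则
4.CE-5上 ip route-static 200.0.1.1 0.0.0.0 NULL 0 的掩码写成了0.0.0.0,疑似笔误;NAT地址池(200.0.1.1~200.0.1.2)的防环黑洞路由通常按地址逐条使用32位掩码,请对照设备实际配置确认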
1.display ip vpn-instance verbose 查看VPN实例是否正确
2.display current-configuration configuration bgp 命令查看BGP配置
3.display bgp vpnv4 all routing-table ipv4-address [ mask | mask-length ] 命令查看目标路由,确认VPNv4路由是否可以迭代到隧道;显示信息中 Relay Tunnel Out-Interface 和 Relay token 字段不为空,表示该路由可以迭代到隧道
4.display bgp vpnv4 all routing-table ipv4-address [ mask | mask-length ] 查看目标路由,确定该目标路由是否分到私网标签
5.dis bgp vpnv4 all routing-table label 查看BGP为私网分配的标签
6.dis mpls lsp verbose [ip address mask ] 查看verbose详情信息:下一跳标签转发表项(LFIB)
7.display current-configuration configuration [特定的协议] 查看一些特定的协议的配置
8.display firewall session table 检查会话
sysname AR3
#
interface Ethernet0/0/0
ip address 10.0.134.3 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 10.0.13.3 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.0.34.3 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.0.35.3 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.35.0 0.0.0.255
network 10.0.134.0 0.0.0.255
network 10.0.13.0 0.0.0.255
network 10.0.34.0 0.0.0.255
#
return
sysname AR4
#
interface Ethernet0/0/0
ip address 10.0.134.4 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 10.0.24.4 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.0.34.4 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.0.45.4 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.45.0 0.0.0.255
network 10.0.134.0 0.0.0.255
network 10.0.24.0 0.0.0.255
network 10.0.34.0 0.0.0.255
#
return
sysname CE-5
#
interface GigabitEthernet1/0/0
ip address 10.0.45.5 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 10.0.35.5 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 10.0.15.5 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
bgp 100
peer 10.0.15.1 as-number 200
#
ipv4-family unicast
undo synchronization
network 10.0.1.0 255.255.255.0
network 10.0.2.0 255.255.255.0
network 10.0.3.0 255.255.255.0
peer 10.0.15.1 enable
#
ospf 1
default-route-advertise
import-route bgp
area 0.0.0.0
network 10.0.35.0 0.0.0.255
network 10.0.45.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 10.0.15.1
ip route-static 200.0.1.1 0.0.0.0 NULL 0
#
nat address-group 1 0
mode pat
section 0 200.0.1.1 200.0.1.2
#
security-policy
rule name policy1
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
action permit
rule name policy2
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
#
nat-policy
rule name nat-policy1
source-zone trust
destination-zone untrust
destination-address-exclude 10.0.6.0 mask 255.255.255.0
action source-nat address-group 1
#
return
sysname
#
interface GigabitEthernet0/0/0
ip address 10.0.26.6 255.255.255.0
#
interface LoopBack1
ip address 10.0.6.1 255.255.255.0
#
bgp 300
peer 10.0.26.2 as-number 200
#
ipv4-family unicast
undo synchronization
network 10.0.6.0 255.255.255.0
peer 10.0.26.2 enable
#
return
sysname DHCP-Server
#
dhcp enable
#
ip pool vlan10
gateway-list 10.0.1.254
network 10.0.1.0 mask 255.255.255.0
#
ip pool vlan20
gateway-list 10.0.2.254
network 10.0.2.0 mask 255.255.255.0
#
ip pool vlan30
gateway-list 10.0.3.254
network 10.0.3.0 mask 255.255.255.0
#
interface Ethernet0/0/0
ip address 10.0.134.1 255.255.255.0
dhcp select global
#
ospf 1
area 0.0.0.0
network 10.0.134.0 0.0.0.255
#
return
sysname LSW1
#
vlan batch 2 to 3 10 20 30
#
stp instance 0 priority 4096
stp instance 10 root primary
stp instance 20 root secondary
stp instance 30 root secondary
#
stp region-configuration
region-name vlan
instance 10 vlan 10
instance 20 vlan 20
instance 30 vlan 30
active region-configuration
#
interface Vlanif2
ip address 10.0.12.1 255.255.255.0
#
interface Vlanif3
ip address 10.0.13.1 255.255.255.0
#
interface Vlanif10
ip address 10.0.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.254
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 10
dhcp select relay
dhcp relay server-ip 10.0.134.1
#
interface Vlanif20
ip address 10.0.2.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.0.2.254
dhcp select relay
dhcp relay server-ip 10.0.134.1
#
interface Vlanif30
ip address 10.0.3.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.0.3.254
dhcp select relay
dhcp relay server-ip 10.0.134.1
#
interface Eth-Trunk1
port link-type trunk
port trunk pvid vlan 2
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
interface GigabitEthernet0/0/5
eth-trunk 1
#
interface GigabitEthernet0/0/6
port link-type access
port default vlan 3
#
ospf 1
area 0.0.0.0
network 10.0.1.0 0.0.0.255
network 10.0.2.0 0.0.0.255
network 10.0.3.0 0.0.0.255
network 10.0.12.0 0.0.0.255
network 10.0.13.0 0.0.0.255
#
return
sysname LSW2
#
vlan batch 2 to 3 10 20 30
#
stp instance 10 root secondary
stp instance 20 root primary
stp instance 30 root primary
#
dhcp enable
#
stp region-configuration
region-name vlan
instance 10 vlan 10
instance 20 vlan 20
instance 30 vlan 30
active region-configuration
#
interface Vlanif2
ip address 10.0.12.2 255.255.255.0
#
interface Vlanif3
ip address 10.0.24.2 255.255.255.0
#
interface Vlanif10
ip address 10.0.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.1.254
dhcp select relay
dhcp relay server-ip 10.0.134.1
#
interface Vlanif20
ip address 10.0.2.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.0.2.254
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 10
dhcp select relay
dhcp relay server-ip 10.0.134.1
#
interface Vlanif30
ip address 10.0.3.3 255.255.255.0
vrrp vrid 3 virtual-ip 10.0.3.254
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 10
dhcp select relay
dhcp relay server-ip 10.0.134.1
#
interface Eth-Trunk1
port link-type trunk
port trunk pvid vlan 2
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
interface GigabitEthernet0/0/5
eth-trunk 1
#
interface GigabitEthernet0/0/6
port link-type access
port default vlan 3
#
ospf 1
area 0.0.0.0
network 10.0.1.0 0.0.0.255
network 10.0.2.0 0.0.0.255
network 10.0.3.0 0.0.0.255
network 10.0.12.0 0.0.0.255
network 10.0.24.0 0.0.0.255
#
return
sysname LSW3
#
vlan batch 10
#
stp region-configuration
region-name vlan
instance 10 vlan 10
instance 20 vlan 20
instance 30 vlan 30
active region-configuration
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
interface Ethernet0/0/3
port link-type access
port default vlan 10
#
interface Ethernet0/0/4
port link-type access
port default vlan 10
#
return
sysname LSW4
#
vlan batch 20
#
stp region-configuration
region-name vlan
instance 10 vlan 10
instance 20 vlan 20
instance 30 vlan 30
active region-configuration
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface Ethernet0/0/3
port link-type access
port default vlan 20
#
interface Ethernet0/0/4
port link-type access
port default vlan 20
#
return
sysname LSW5
#
vlan batch 30
#
stp region-configuration
region-name vlan
instance 10 vlan 10
instance 20 vlan 20
instance 30 vlan 30
active region-configuration
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
interface Ethernet0/0/3
port link-type access
port default vlan 30
#
interface Ethernet0/0/4
port link-type access
port default vlan 30
#
return
sysname P-3
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 100.0.23.3 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip address 100.0.13.3 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 100.0.13.0 0.0.0.255
network 100.0.23.0 0.0.0.255
#
return
sysname PE-1
#
ip vpn-instance a
ipv4-family
route-distinguisher 1:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Ethernet0/0/0
ip address 100.0.1.2 255.255.255.0
#
interface GigabitEthernet0/0/0
ip binding vpn-instance a
ip address 10.0.15.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 100.0.13.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 200
peer 2.2.2.2 as-number 200
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
peer 2.2.2.2 next-hop-local
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.2 enable
#
ipv4-family vpn-instance a
peer 10.0.15.5 as-number 100
#
ospf 1
area 0.0.0.0
network 100.0.13.0 0.0.0.255
network 1.1.1.1 0.0.0.0
#
ip route-static 200.0.1.0 255.255.255.248 GigabitEthernet0/0/0
ip route-static 200.0.1.1 255.255.255.255 GigabitEthernet0/0/0
ip route-static 200.0.1.2 255.255.255.255 GigabitEthernet0/0/0
//上面三条路由都可以生效,因为从CE-5访问公网的源地址的掩码不确定,只要有指向NAT地址的路由即可。
ip route-static vpn-instance a 0.0.0.0 0.0.0.0 100.0.1.1 public
//VPN实例a中查不到的路由,会匹配这条默认路由,下一跳100.0.1.1在公网路由表(public)中查找
#
return
sysname PE-2
#
ip vpn-instance b
ipv4-family
route-distinguisher 2:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface GigabitEthernet0/0/0
ip address 100.0.23.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet0/0/1
ip binding vpn-instance b
ip address 10.0.26.2 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 200
peer 1.1.1.1 as-number 200
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 1.1.1.1 next-hop-local
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance b
peer 10.0.26.6 as-number 300
#
ospf 1
area 0.0.0.0
network 100.0.23.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
return