实验拓扑

配置步骤(设备完整配置)。说明：以下为实验环境的宽松配置——FW1/FW2 的 IPsec 采用 manual 方式并使用明文 string-key，安全策略 P3（FW1 上写作 p3）放通 untrust 到 local/trust/dmz，外网接口均启用了 service-manage all permit，这些设置仅针对本实验拓扑。
FW1
[FW1]dis current-configuration
#
sysname FW1
#
acl number 3101
rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 20.1.0.0 0.0.255.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ipsec policy map1 10 manual
security acl 3101
proposal tran1
tunnel local 220.2.100.2
tunnel remote 220.2.200.2
sa spi inbound esp 54321
sa string-key inbound esp qwq
sa spi outbound esp 12345
sa string-key outbound esp qwq
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 10.1.0.254 255.255.255.0
service-manage all permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.254 255.255.255.0
service-manage all permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.1.2.254 255.255.255.0
service-manage all permit
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 220.1.100.2 255.255.255.252
service-manage all permit
#
interface GigabitEthernet1/0/6
undo shutdown
ip address 220.2.100.2 255.255.255.252
service-manage all permit
ipsec policy map1
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/6
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#
bgp 65001
router-id 11.11.11.11
peer 220.1.100.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 10.1.0.0 255.255.255.0
network 10.1.1.0 255.255.255.0
network 10.1.2.0 255.255.255.0
peer 220.1.100.1 enable
peer 220.1.100.1 allow-as-loop
#
ip route-static 20.1.0.0 255.255.0.0 220.2.100.1
ip route-static 220.2.200.0 255.255.255.252 220.2.100.1
#
security-policy
rule name P1
source-zone local
action permit
rule name P2
source-zone trust
destination-zone dmz
destination-zone untrust
action permit
rule name p3
source-zone untrust
destination-zone dmz
destination-zone local
destination-zone trust
action permit
AR1
[R1]dis current-configuration
#
sysname R1
#
ip vpn-instance shsb
ipv4-family
route-distinguisher 1:1
vpn-target 1:2 export-extcommunity
vpn-target 2:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
isis 1
is-level level-2
network-entity 49.0000.0000.0001.00
is-name R1
#
interface GigabitEthernet0/0/0
ip binding vpn-instance shsb
ip address 220.1.100.1 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 12.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
bgp 100
router-id 1.1.1.1
undo default ipv4-unicast
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
#
ipv4-family vpnv4
peer 3.3.3.3 enable
#
ipv4-family vpn-instance shsb
peer 220.1.100.2 as-number 65001
AR2
[R2]dis current-configuration
#
sysname R2
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
isis 1
is-level level-2
network-entity 49.0000.0000.0002.00
is-name R2
#
interface GigabitEthernet0/0/1
ip address 12.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface GigabitEthernet0/0/2
ip address 23.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
isis enable 1
AR3
[R3]dis current-configuration
#
sysname R3
#
ip vpn-instance bjsb
ipv4-family
route-distinguisher 2:2
vpn-target 2:1 export-extcommunity
vpn-target 1:2 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
isis 1
is-level level-2
network-entity 49.0000.0000.0003.00
is-name R3
#
interface GigabitEthernet0/0/0
ip binding vpn-instance bjsb
ip address 220.1.200.1 255.255.255.252
#
interface GigabitEthernet0/0/2
ip address 23.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
isis enable 1
#
bgp 100
router-id 3.3.3.3
undo default ipv4-unicast
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
#
ipv4-family vpnv4
peer 1.1.1.1 enable
#
ipv4-family vpn-instance bjsb
peer 220.1.200.2 as-number 65001
AR4
[R4]dis current-configuration
#
sysname R4
#
interface GigabitEthernet0/0/0
ip address 220.2.100.1 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 220.2.200.1 255.255.255.252
#
interface GigabitEthernet0/0/2
ip address 220.220.220.254 255.255.255.0
FW2
[FW2]dis current-configuration
#
sysname FW2
#
acl number 3101
rule 5 permit ip source 20.1.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
#
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
#
ipsec policy use1 10 manual
security acl 3101
proposal tran1
tunnel local 220.2.200.2
tunnel remote 220.2.100.2
sa spi inbound esp 12345
sa string-key inbound esp qwq
sa spi outbound esp 54321
sa string-key outbound esp qwq
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 20.1.3.254 255.255.255.0
service-manage all permit
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 20.1.4.254 255.255.255.0
service-manage all permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 20.1.5.254 255.255.255.0
service-manage all permit
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 220.1.200.2 255.255.255.252
service-manage all permit
#
interface GigabitEthernet1/0/6
undo shutdown
ip address 220.2.200.2 255.255.255.252
service-manage all permit
ipsec policy use1
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/6
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#
bgp 65001
router-id 22.22.22.22
peer 220.1.200.1 as-number 100
#
ipv4-family unicast
network 20.1.3.0 255.255.255.0
network 20.1.4.0 255.255.255.0
network 20.1.5.0 255.255.255.0
peer 220.1.200.1 enable
peer 220.1.200.1 allow-as-loop
#
ip route-static 10.1.0.0 255.255.0.0 220.2.200.1
ip route-static 220.2.100.0 255.255.255.252 220.2.200.1
#
security-policy
rule name P1
source-zone local
action permit
rule name P2
source-zone trust
destination-zone dmz
destination-zone untrust
action permit
rule name P3
source-zone untrust
destination-zone dmz
destination-zone local
destination-zone trust
action permit