拓扑

ger

数据头

dgb-vpnpe2 MSTP:GigabitEthernet0/0/15.450
wanip:10.30.113.92/30
pe as:65000
ce as:65205

R1配置

# R1 (Huawei VRP, pasted at the CLI): timezone, management services and the local admin account.
clock timezone bj add 08:00
# "sys" = system-view.
sys
# Telnet is enabled and permitted on every interface; its credentials travel in cleartext. The vty ACL
# (2707) only limits source addresses. SSH is permitted as well and is the safer management path.
telnet server enable 
telnet server permit interface all
ssh server permit interface all
sysname 601697G1-DGQSDZ-Main
aaa
# The default "admin" account is removed and replaced by "bothwin" at the highest privilege level (15).
undo local-user admin
# The password is stored hashed on the device (irreversible-cipher), but its cleartext value is exposed
# in this document — treat it as compromised and rotate it.
local-user bothwin password irreversible-cipher Tfe28@w%
local-user bothwin privilege level 15
# Login allowed over telnet, console (terminal), SSH and HTTP.
local-user bothwin service-type telnet terminal ssh http

# Basic ACL 2707: sources allowed to reach the management vty (applied inbound at "user-interface vty 0 4").
# Wildcard 0 means a single host. The first three rules admit the whole RFC 1918 space, so any internal
# host can reach the login prompt; rule 50 (the TACACS/NTP server) is already covered by rule 10.
# Rules 40 and 60-100 are public addresses — presumably NOC / monitoring sources.
acl number 2707
rule 10 permit source 192.168.0.0 0.0.255.255
rule 20 permit source 172.16.0.0 0.15.255.255
rule 30 permit source 10.0.0.0 0.255.255.255
rule 40 permit source 114.112.238.8 0.0.0.7
rule 50 permit source 192.168.55.250 0
rule 60 permit source 113.105.190.147 0
rule 70 permit source 202.104.174.178 0
rule 80 permit source 120.76.31.146 0
rule 90 permit source 59.37.126.140 0
rule 100 permit source 183.61.239.168 0

# Advanced ACL 3999: the two LAN subnets. Used as the match for "nat outbound 3999" on Tunnel0/0/1001.
acl number 3999                           
rule 100 permit ip source 192.168.60.0 0.0.0.255 
rule 101 permit ip source 192.168.61.0 0.0.0.255 

# Remote login lines. ACL 2707 is applied inbound, so only the sources in that list reach the login prompt
# (sources matching no rule are presumably rejected — verify on this VRP release). Authentication goes
# through AAA (TACACS+ with local fallback). "user privilege level 15" is the line default; with AAA the
# level granted by the local-user / service scheme presumably takes precedence — confirm.
user-interface vty 0 4
acl 2707 inbound
authentication-mode aaa
user privilege level 15

# NTP client pointed at 192.168.55.250 (the same host as the TACACS+ server). No NTP authentication lines
# appear on this page, so the time source is unauthenticated unless configured elsewhere; TACACS accounting
# and command-recording timestamps rely on this clock.
ntp-service enable
ntp-service unicast-server 192.168.55.250

# TACACS+ server template referenced by the AAA schemes: a single server (192.168.55.250) for
# authentication, authorization and accounting, reached via the dedicated static route to it.
hwtacacs-server template fnetlink_tacacs
hwtacacs-server authentication 192.168.55.250
hwtacacs-server authorization 192.168.55.250
hwtacacs-server accounting 192.168.55.250

# TACACS packets are sourced from the WAN /30 address.
hwtacacs-server source-ip 10.30.113.94
# "cipher" takes the key in cleartext and stores it encrypted; the value "bothwin" is the same string as
# the local admin username and is exposed in this document — replace it with a long random key on both ends.
hwtacacs-server shared-key cipher bothwin

# AAA schemes: TACACS+ (template fnetlink_tacacs) is tried first for authentication, authorization and
# accounting; "local" falls back to the local-user database — presumably only when the server does not
# respond, not when it rejects the login (verify for this VRP release).
aaa
authentication-scheme fnet_tac
authentication-mode hwtacacs local
authorization-scheme fnet_tac
authorization-mode hwtacacs local
# Per-command authorization for level-15 commands, with the same local fallback.
authorization-cmd 15 hwtacacs local

accounting-scheme fnet_tac

# Sessions stay up when the accounting start / interim update cannot be delivered: this favours
# availability over the audit trail, so a TACACS outage silently loses accounting records.
accounting start-fail online
accounting interim-fail online

accounting-mode hwtacacs
# Command recording: executed commands are sent to the TACACS+ server named in the template.
recording-scheme fnet_tac
recording-mode hwtacacs fnetlink_tacacs
cmd recording-scheme fnet_tac
# Service scheme granting level 15 to administrators authenticated through this domain.
service-scheme fnet_tac
admin-user privilege level 15
# Domain that ties the schemes and the server template together.
domain fnet_tac
authentication-scheme fnet_tac
accounting-scheme fnet_tac
authorization-scheme fnet_tac
hwtacacs-server fnetlink_tacacs

# Presumably makes fnet_tac the domain used for administrative logins.
domain fnet_tac admin
# NOTE(review): there is no "quit" between the sub-views above; whether each line is accepted from the
# previous sub-view depends on the VRP release — confirm with "display current-configuration" after pasting.

# WAN uplink to the carrier PE (dgb-vpnpe2 per the header; PE side is 10.30.113.93, AS 65000).
interface GigabitEthernet0/0/9
description wan
# TCP MSS clamp to leave room for tunnel/MPLS overhead.
tcp adjust-mss 1300
ip address 10.30.113.94 255.255.255.252

# LAN gateway. The port is switched to routed mode; this router is the VRRP master (priority 120 > the
# default 100) for virtual IP 192.168.60.254, the peer 192.168.60.253 is the backup.
# No VRRP authentication line appears on this page — confirm whether it is set elsewhere.
interface GigabitEthernet0/0/0
undo portswitch 
description "lan vip:192.168.60.254 pri:192.168.60.252 bk:192.168.60.253"
ip address 192.168.60.252 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.60.254
vrrp vrid 1 priority 120

# GRE tunnel to the HK site, sourced from the WAN address. Only "tunnel-protocol gre" appears here — no
# IPsec profile is bound on this page, so unless encryption is applied elsewhere the tunnel payload
# crosses the carrier network in cleartext. The NQA instance name "ipsecmain" suggests IPsec was
# intended — confirm.
interface Tunnel0/0/1001
description to_HK
tcp adjust-mss 1300
ip address 10.255.254.5 255.255.255.252
tunnel-protocol gre
source 10.30.113.94
destination 10.10.44.210
# Outbound NAT for the LAN subnets in ACL 3999; with no address group the tunnel address 10.255.254.5 is
# used. The author's reason (translated from the inline note on the next line): without NAT the paths are
# asymmetric — mainland traffic enters via the primary R1 and exits at HK through the backup R4, but the
# reply first reaches R4, and since R4 is the backup and R3 the master, the route back to 192.168.60.0
# goes via R3. With the source rewritten to 10.255.254.5 the reply returns straight through R4.
# NOTE(review): VRP most likely does not treat "#" as an inline comment delimiter, so the text after the
# command below may make the line fail when pasted; keep the note on its own line.
nat outbound 3999  #不打NAT来回路径一直,去时大陆流量从主R1进到HK的备R4设备出,回时先到R4,然后R4是备机,R3是主机,去192.168.60.0的路由是从R3回来的,导致来回路径不一致,打了NAT后,大陆的源变成10.255.254.5去访问,回时可以直接从R4原路返回

# NQA ICMP probe across the tunnel (local 10.255.254.5 -> remote 10.255.254.6): 6 probes every 30 s,
# started immediately. Its result drives the tracked default route ("track nqa admin ipsecmain").
nqa test-instance admin ipsecmain
test-type icmp
destination-address ipv4 10.255.254.6
source-address ipv4 10.255.254.5
frequency 30
probe-count 6
start now

# Static routes. The primary default route points into the GRE tunnel (next hop 10.255.254.6) at the
# default static preference and is withdrawn when the NQA probe "ipsecmain" fails; the second default via
# the VRRP peer 192.168.60.253 (preference 222, i.e. less preferred) then takes over. Tag 7777 marks routes
# that route-policy "bgp-To--VPN-Redistribute-Static" refuses to redistribute into BGP.
ip route-static 0.0.0.0 0.0.0.0 192.168.60.253 preference 222 tag 7777
ip route-static 0.0.0.0 0.0.0.0 10.255.254.6 track nqa admin ipsecmain
# Management reachability (Zabbix, the TACACS/NTP "center" host, NetFlow collector) goes directly to the
# PE next hop 10.30.113.93, not into the tunnel, and is likewise kept out of BGP via tag 7777.
ip route-static 114.113.245.99 255.255.255.255 10.30.113.93 preference 1 tag 7777 description To_zabbix
ip route-static 192.168.55.10 255.255.255.255 10.30.113.93 preference 1 tag 7777 description To_zabbix
ip route-static 192.168.55.250 255.255.255.255 10.30.113.93 preference 1 tag 7777 description To_center
ip route-static 192.168.254.107 255.255.255.255 10.30.113.93 preference 1 tag 7777 description To_netflow

# Redistribution policy for statics into BGP:
#   node 100  deny   tag 7777 -> management / backup statics are never advertised to the PE
#   node 200  permit tag 8888 -> advertised with community 65201:100 (no static on this page carries 8888)
#   node 300  permit, no if-match -> everything else passes unchanged
route-policy bgp-To--VPN-Redistribute-Static deny node 100
description Deny Redistribution of Static Routes to MPLS VPN
if-match tag 7777

route-policy bgp-To--VPN-Redistribute-Static permit node 200
if-match tag 8888
apply community 65201:100

route-policy bgp-To--VPN-Redistribute-Static permit node 300
description Redistribute All Other Static Routes Without Tag

# Import policy for routes learned from the PE: node 100 has no if-match, so it matches every route and
# sets local-preference 200; node 200 is therefore never reached.
route-policy bgp-route-policy-pri-import permit node 100

apply local-preference 200
route-policy bgp-route-policy-pri-import permit node 200

# Prefixes R1 may advertise to the PE: the two LAN subnets and the WAN /30. ("filte" is a typo in the
# name, but the list is referenced under bgp by exactly this name, so do not rename it in isolation.)
ip ip-prefix bgp-filte-pre-export index 10 permit 192.168.60.0 24 
ip ip-prefix bgp-filte-pre-export index 20 permit 10.30.113.92 30 
ip ip-prefix bgp-filte-pre-export index 30 permit 192.168.61.0 24

# BGP CE side: AS 65205, eBGP to the carrier PE (10.30.113.93, AS 65000) and iBGP to the peer router
# 192.168.60.253 (the VRRP backup). router-id is the WAN address.
bgp 65205
router-id 10.30.113.94
peer 10.30.113.93 as-number 65000
peer 192.168.60.253 as-number 65205
# NOTE(review): no "peer ... password" line appears on this page, so the eBGP session to the PE is
# unauthenticated unless it is configured elsewhere — confirm with the carrier.

ipv4-family unicast
undo synchronization
# Route preference: eBGP 20, iBGP 200, locally originated 200.
preference 20 200 200
# Export is filtered twice (globally here and per peer below) by the same prefix list: only the two LAN
# subnets and the WAN /30 are advertised.
filter-policy ip-prefix bgp-filte-pre-export export
import-route direct
# Statics enter BGP through the policy that drops tag 7777 (management / backup routes).
import-route static route-policy bgp-To--VPN-Redistribute-Static
peer 10.30.113.93 enable
peer 10.30.113.93 advertise-community
peer 10.30.113.93 ip-prefix bgp-filte-pre-export export
# Routes learned from the PE get local-preference 200 (bgp-route-policy-pri-import).
peer 10.30.113.93 route-policy bgp-route-policy-pri-import import
peer 10.30.113.93 next-hop-local
peer 192.168.60.253 enable
peer 192.168.60.253 advertise-community
peer 192.168.60.253 next-hop-local

# SNMP. The stray "y" on the line after "snmp-agent trap enable" is presumably the answer to the
# confirmation prompt that command raises when entered interactively — it is not a command.
snmp-agent trap enable
y
# "version all" enables SNMPv1/v2c as well as v3, so the read-only community "both-win" is usable over
# unauthenticated v1/v2c; the string is exposed in this document, and no source ACL is bound to it on this
# page, so any host that can reach the device may use it. Rotate it and bind a source ACL through the
# community command's "acl" option (e.g. ACL 2707), or move monitoring to SNMPv3.
snmp-agent sys-info version all
snmp-agent community read both-win

R4配置

! R4 (Cisco IOS) end of the GRE tunnel to R1 (10.255.254.5). No "tunnel mode" line, so the platform default
! (GRE over IP) applies; no "tunnel protection" line appears on this page either, so the tunnel is
! unencrypted unless protection is configured elsewhere.
interface Tunnel1001
description to-DG:601697G
ip address 10.255.254.6 255.255.255.252
! Marks the tunnel as the NAT inside interface; the matching "ip nat outside" interface and the
! "ip nat inside source" rule are not on this page — confirm they exist, otherwise this is inert.
ip nat inside
! Reassembles fragmented IP packets arriving on the tunnel (non-TCP traffic can still fragment; TCP is
! kept small by the MSS clamp below).
ip virtual-reassembly
ip tcp adjust-mss 1300
tunnel source 10.10.44.210
tunnel destination 10.30.113.94

! Extended ACL matching the tunnel transit /24 and all of 192.168.0.0/16 as source, any destination.
! Where it is applied (NAT, crypto or route-map match) is not shown on this page — presumably the NAT
! rule that pairs with "ip nat inside" on Tunnel1001; verify.
ip access-list extended LAN-NETWORK
permit ip 10.255.254.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.255.255 any