Dial-up VPN running dynamic routing
Network requirements
A company's headquarters has an OA server on its internal network, and two other branch offices need to dial into the headquarters intranet over VPN to reach that OA server. To keep things simple, headquarters does not want a large configuration: it builds a single VPN tunnel that carries all communication between the branches and headquarters. A dynamic routing protocol must also run so that all headquarters and branch routes are reachable, and traffic between SPOKEs is relayed through the HUB.
## Network topology
The HUB and SPOKEs learn routes to every site's business subnet through dynamic routing; traffic between SPOKEs is relayed through the HUB.

VPN tunnel IP address assignment and BGP plan:
| Role | Public IP | Private subnet | VPN tunnel IP | BGP information |
|---|---|---|---|---|
| HUB | 100.1.1.2 | 192.168.0.1/24 | 10.10.10.1 | AS 65001 RR |
| SPOKE1 | 200.1.1.2 | 192.168.1.1/24 | 10.10.10.2 | AS 65001 RR Client |
| SPOKE2 | 201.1.1.2 | 192.168.2.1/24 | 10.10.10.3 | AS 65001 RR Client |
| SPOKE3 | ... | ... | ... | ... |
| SPOKEX | ... | ... | ... | ... |
Configuration steps
HUB configuration
1. Basic configuration
Configure interface IPs and routes.


2. Configure IPsec VPN
Create the IPsec VPN.

IPsec VPN phase 1 configuration.
Because the HUB and SPOKEs learn each other's routes through dynamic routing, the "Add route" option is disabled so the HUB does not learn SPOKE routes automatically; "Exchange interface IP" is enabled so the HUB and SPOKEs exchange the IPs of their VPN interfaces.


IPsec VPN phase 2 configuration.

Creation complete.

Corresponding CLI
config vpn ipsec phase1-interface
edit "HUB"
set type dynamic
set interface "port2"
set peertype any
set net-device disable
set exchange-interface-ip enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route disable
set dpd on-idle
set psksecret ENC m9c6Qk4uhwWLRTRDI2EzYQym02Uma0709h07KB2pmS0Ek+8ZUOpRTH6OZdFEZPdlZktXajf/KRkR6SNO7UwW27pYAWoRygwcWhvJrO67tIWl5AksoOX3uy2YTjFX+kVbrw5WTVoLogqtJ4yPk7coZpMKUvqJkAv8flqIIi3EfY4TgY2avzSOkBVm8ZLgokTkmt3PMQ==
set dpd-retryinterval 10
next
end
config vpn ipsec phase2-interface
edit "HUB"
set phase1name "HUB"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set keepalive enable
next
end
3. Configure the VPN interface IP
The HUB's "Remote gateway IP" 10.10.10.254 is a reserved address that no SPOKE uses. An IPsec tunnel is point-to-point, but in ADVPN this one tunnel must serve several SPOKEs at the same time, so the remote IP cannot be set to the address of any existing SPOKE.

4. Configure policies
Create three policies, from top to bottom: allow branch to headquarters; allow headquarters to branch; allow branch to branch.

SPOKE1 configuration
1. Basic configuration


2. Configure IPsec VPN
Create the IPsec VPN.

IPsec VPN phase 1 configuration.
Because the HUB and SPOKEs learn each other's routes through dynamic routing, "Exchange interface IP" is enabled so the HUB and SPOKE exchange the IPs of their VPN interfaces; SPOKE1 is a static IPsec peer, so the "Add route" option has no effect on SPOKE1 and can be ignored.


IPsec VPN phase 2 configuration.
The phase 2 selectors are set to 0.0.0.0/0.0.0.0; dynamic routing later steers traffic into the VPN tunnel.

VPN creation complete.

Corresponding CLI
config vpn ipsec phase1-interface
edit "SPOKE1"
set interface "port2"
set peertype any
set net-device disable
set exchange-interface-ip enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 100.1.1.2
set psksecret ENC SasMccP3qWqglxEV1I2Z8ESNcmdXyPqkxyIoMpEM3haEKdLyi6qcOoc9WtdukEH2zXuV/bcVW6HyYqi8rh+KZ533z7cH6zqNpXCrOicxBYDXrEPVU6NXtp4UgL+bqiG6Vm1FzA62V+YN4Rfchkuk49CuipVrer1xFqqIgXQVxM5GVuq+5wFvtWf5VBeuFbw+GHJlPQ==
set dpd-retryinterval 10
next
end
config vpn ipsec phase2-interface
edit "SPOKE1"
set phase1name "SPOKE1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
3. Configure the VPN interface IP
SPOKE1's "Remote gateway IP" points to the HUB.

4. Configure policies
Because SPOKE1 has auto-negotiate enabled, it starts negotiating with the HUB as soon as a policy is configured; the interface shown in the policy is already green, which means the VPN interface is up.

SPOKE2 configuration
1. Basic configuration


2. Configure IPsec VPN
Create the IPsec VPN.

IPsec VPN phase 1 configuration.
Because the HUB and SPOKEs learn each other's routes through dynamic routing, "Exchange interface IP" is enabled so the HUB and SPOKE exchange the IPs of their VPN interfaces; SPOKE2 is a static IPsec peer, so the "Add route" option has no effect on SPOKE2 and can be ignored.


IPsec VPN phase 2 configuration.
The phase 2 selectors are set to 0.0.0.0/0.0.0.0; dynamic routing later steers traffic into the VPN tunnel.

VPN creation complete.

Corresponding CLI
config vpn ipsec phase1-interface
edit "SPOKE2"
set interface "port2"
set peertype any
set net-device disable
set exchange-interface-ip enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set remote-gw 100.1.1.2
set psksecret ENC H3nAayIN5AWs3FomZpZri+tl6IAqg3iVu66h3qNXTjw1oSkiHauyAa/IUNw4xeJxD5dmiLfcAd/zzDb6BVai19ekg0Qvejqy39Mxr9UaRniPKE4dvoaoVLWy4OvamxRzf82+JAUYKlF0NvVlMQ/+0JUYOunFeUlLLtht4dW69X9VTXfEBdwav496AzfYgI4gRTFFSg==
set dpd-retryinterval 10
next
end
config vpn ipsec phase2-interface
edit "SPOKE2"
set phase1name "SPOKE2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set auto-negotiate enable
next
end
3. Configure the VPN interface IP
SPOKE2's "Remote gateway IP" points to the HUB.

4. Configure policies
Because SPOKE2 has auto-negotiate enabled, it starts negotiating with the HUB as soon as a policy is configured; the interface shown in the policy is already green, which means the VPN interface is up.
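The HUB and SPOKE CLI blocks above encode a handful of design rules (dynamic phase 1 on the HUB, add-route disabled, exchange-interface-ip enabled, the SPOKE pointing at the HUB's public IP, auto-negotiate on the SPOKE). The following Python linter is an added example, not FortiOS or vendor code; it parses FortiOS-style config text and checks those rules, using constructed samples trimmed from the page's CLI with the PSK omitted.

```python
"""Lint FortiGate dial-up IPsec phase1/phase2 settings against the hub-and-spoke
design rules on this page. Added example; not FortiOS or vendor code."""
HUB_IP = "100.1.1.2"  # hub public IP from the page's address plan

# Constructed samples trimmed from the page's CLI; the spoke deliberately
# omits two settings so the linter has something to report.
HUB_CFG = """
config vpn ipsec phase1-interface
    edit "HUB"
        set type dynamic
        set net-device disable
        set exchange-interface-ip enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
    next
end
"""
SPOKE_CFG = """
config vpn ipsec phase1-interface
    edit "SPOKE1"
        set net-device disable
        set proposal aes256-sha256 aes128-sha1
        set remote-gw 100.1.1.2
    next
end
config vpn ipsec phase2-interface
    edit "SPOKE1"
        set phase1name "SPOKE1"
    next
end
"""

def parse_fortios(text):
    """Turn 'config / edit / set / next / end' text into {table: {entry: {key:
    [values]}}}; flat tables only, which is all the checks below need."""
    tables, stack, cur = {}, [], None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
            tables.setdefault(stack[-1], {})
        elif tok[0] == "edit":
            cur = tables[stack[-1]].setdefault(tok[1].strip('"'), {})
        elif tok[0] == "set" and cur is not None:
            cur[tok[1]] = [v.strip('"') for v in tok[2:]]
        elif tok[0] == "next":
            cur = None
        elif tok[0] == "end":
            stack.pop()
    return tables

def lint(text, role):
    """Return findings for a 'hub' or 'spoke' config; [] means it matches."""
    cfg, out = parse_fortios(text), []
    p1 = cfg.get("vpn ipsec phase1-interface", {})
    for name, e in p1.items():
        if role == "hub" and e.get("type") != ["dynamic"]:
            out.append(f"{name}: hub phase1 needs 'set type dynamic'")
        if role == "hub" and e.get("add-route") != ["disable"]:
            out.append(f"{name}: hub needs 'set add-route disable' (BGP supplies routes)")
        if role == "spoke" and e.get("remote-gw") != [HUB_IP]:
            out.append(f"{name}: spoke remote-gw must be the hub public IP {HUB_IP}")
        if e.get("exchange-interface-ip") != ["enable"]:
            out.append(f"{name}: needs 'set exchange-interface-ip enable' so BGP can peer on tunnel IPs")
    for name, e in cfg.get("vpn ipsec phase2-interface", {}).items():
        if role == "spoke" and e.get("auto-negotiate") != ["enable"]:
            out.append(f"{name}: spoke phase2 needs 'set auto-negotiate enable' to bring the tunnel up")
    return out

def common_phase1_proposals(hub_text, spoke_text):
    """Proposals both ends offer, in the hub's order; [] means IKE cannot agree."""
    h = next(iter(parse_fortios(hub_text)["vpn ipsec phase1-interface"].values()))
    s = next(iter(parse_fortios(spoke_text)["vpn ipsec phase1-interface"].values()))
    return [p for p in h.get("proposal", []) if p in s.get("proposal", [])]
```

Run `lint(SPOKE_CFG, "spoke")` to see the two findings for the trimmed spoke, and `common_phase1_proposals` to confirm the two ends still share a phase 1 proposal before trusting a tunnel that refuses to come up.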

Check VPN status and routing tables
1. HUB VPN status and routing table

# diagnose vpn ike gateway list
vd: root/0
name: HUB_0
version: 1
interface: port2 10
addr: 100.1.1.2:500 -> 200.1.1.2:500
tun_id: 200.1.1.2/::10.0.0.4
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 10.10.10.1 -> 0.0.0.0
created: 33s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
id/spi: 2 b114b317daa486b7/29ede80ef4398500
direction: responder
status: established 33-33s ago = 0ms
proposal: aes128-sha256
key: 770b2cdeba34d096-8edcf542d0c07ef5
lifetime/rekey: 86400/86096
DPD sent/recv: 00000004/00000000
vd: root/0
name: HUB_1
version: 1
interface: port2 10
addr: 100.1.1.2:500 -> 201.1.1.2:500
tun_id: 201.1.1.2/::10.0.0.5
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 10.10.10.1 -> 0.0.0.0
created: 22s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
id/spi: 3 a0d49273057cb2d8/146f94f98305de8d
direction: responder
status: established 22-22s ago = 0ms
proposal: aes128-sha256
key: 4dc2b68b5795fd1c-0a400a810f439a19
lifetime/rekey: 86400/86107
DPD sent/recv: 00000000/00000008
FGT-wangxiang-used # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=HUB_0 ver=1 serial=4 100.1.1.2:0->200.1.1.2:0 tun_id=200.1.1.2 tun_id6=::10.0.0.4 dst_mtu=1500 dpd-link=on weight=1
bound_if=10 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/8872 options[22a8]=npu rgwy-chg frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
parent=HUB index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=5 olast=5 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=10000ms retry=3 count=0 seqno=4
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=HUB proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=226 type=00 soft=0 mtu=1438 expire=43155/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43191/43200
dec: spi=d87e91b4 esp=aes key=16 f598636b2f6feb532e32f883300f4595
ah=sha1 key=20 663bcb60b48c072daebdc011e27c35836e2f45eb
enc: spi=d56f5619 esp=aes key=16 f3059875bf7c1915eb711a5355a603a8
ah=sha1 key=20 f8d348a6abdb169781f2e1b3aae099c70d16ea92
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=200.1.1.2 npu_lgwy=100.1.1.2 npu_selid=2 dec_npuid=0 enc_npuid=0
------------------------------------------------------
name=HUB_1 ver=1 serial=5 100.1.1.2:0->201.1.1.2:0 tun_id=201.1.1.2 tun_id6=::10.0.0.5 dst_mtu=1500 dpd-link=on weight=1
bound_if=10 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/8872 options[22a8]=npu rgwy-chg frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
parent=HUB index=1
proxyid_num=1 child_num=0 refcnt=5 ilast=4 olast=4 ad=/0
stat: rxp=1 txp=0 rxb=60 txb=0
dpd: mode=on-idle on=1 idle=10000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=HUB proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=4 options=226 type=00 soft=0 mtu=1438 expire=43162/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000002 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43187/43200
dec: spi=d87e91b5 esp=aes key=16 f7229ae8b4fe965ea7346f41ffae201a
ah=sha1 key=20 8ada15a3ef8a71fdb3037ee1f7014ca930009cdb
enc: spi=c7b86106 esp=aes key=16 a6346a22cf40fba236f0cfaacc720261
ah=sha1 key=20 e093aed38364b32892da5ae4f99413be54a7c635
dec:pkts/bytes=2/120, enc:pkts/bytes=0/0
npu_flag=02 npu_rgwy=201.1.1.2 npu_lgwy=100.1.1.2 npu_selid=3 dec_npuid=1 enc_npuid=0
------------------------------------------------------
name=HUB ver=1 serial=1 100.1.1.2:0->0.0.0.0:0 tun_id=10.0.0.1 tun_id6=::10.0.0.1 dst_mtu=0 dpd-link=on weight=1
bound_if=10 lgwy=static/1 tun=intf mode=dialup/2 encap=none/552 options[0228]=npu frag-rfc role=primary accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=2 refcnt=4 ilast=42949600 olast=42949600 ad=/0
stat: rxp=3 txp=0 rxb=180 txb=0
dpd: mode=on-idle on=0 idle=10000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
View the routing table
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 100.1.1.1, port2, [1/0]
C 10.10.10.0/24 is directly connected, HUB
C 10.10.10.1/32 is directly connected, HUB
C 100.1.1.0/24 is directly connected, port2
C 192.168.0.0/24 is directly connected, port5
Ping the tunnel interface addresses of SPOKE1 and SPOKE2 from the HUB.
# execute ping-options source 10.10.10.1
# execute ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=255 time=0.7 ms
64 bytes from 10.10.10.2: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=255 time=0.3 ms
64 bytes from 10.10.10.2: icmp_seq=3 ttl=255 time=0.3 ms
64 bytes from 10.10.10.2: icmp_seq=4 ttl=255 time=0.4 ms
--- 10.10.10.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.4/0.7 ms
# execute ping 10.10.10.3
PING 10.10.10.3 (10.10.10.3): 56 data bytes
64 bytes from 10.10.10.3: icmp_seq=0 ttl=255 time=0.4 ms
64 bytes from 10.10.10.3: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 10.10.10.3: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 10.10.10.3: icmp_seq=3 ttl=255 time=0.5 ms
64 bytes from 10.10.10.3: icmp_seq=4 ttl=255 time=0.2 ms
--- 10.10.10.3 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.3/0.5 ms
2. SPOKE1 VPN status

# diagnose vpn ike gateway list
vd: root/0
name: SPOKE1
version: 1
interface: port2 10
addr: 200.1.1.2:500 -> 100.1.1.2:500
tun_id: 100.1.1.2/::100.1.1.2
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 10.10.10.2 -> 10.10.10.1
created: 139s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
id/spi: 0 33b5335c7174437e/c89906c6196f3cd7
direction: initiator
status: established 139-139s ago = 0ms
proposal: aes128-sha256
key: ad3e41d87eb3b8b8-c97c621b25fe9a48
lifetime/rekey: 86400/85960
DPD sent/recv: 00000004/0000000a
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=SPOKE1 ver=1 serial=1 200.1.1.2:0->100.1.1.2:0 tun_id=100.1.1.2 tun_id6=::100.1.1.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=10 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=12 olast=12 ad=/0
stat: rxp=0 txp=6 rxb=0 txb=360
dpd: mode=on-demand on=1 idle=10000ms retry=3 count=0 seqno=4
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=SPOKE1 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=5 options=18227 type=00 soft=0 mtu=1438 expire=42762/0B replaywin=2048
seqno=7 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=1a45fdb4 esp=aes key=16 373c729e4164750638f8ff0d37dbdd12
ah=sha1 key=20 323ffd35fb089657505202639ad92371df146881
enc: spi=a7d1cc77 esp=aes key=16 6da00eca8e15572377040c982e206526
ah=sha1 key=20 3ea0959e65417277e75bdc5f52bdbc768f33d9b0
dec:pkts/bytes=0/0, enc:pkts/bytes=12/1080
npu_flag=01 npu_rgwy=100.1.1.2 npu_lgwy=200.1.1.2 npu_selid=0 dec_npuid=0 enc_npuid=1
run_tally=0
View the routing table
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 200.1.1.1, port2, [1/0]
S 10.10.10.0/24 [5/0] via SPOKE1 tunnel 100.1.1.2, [1/0]
S 10.10.10.1/32 [15/0] via SPOKE1 tunnel 100.1.1.2, [1/0]
C 10.10.10.2/32 is directly connected, SPOKE1
C 192.168.1.0/24 is directly connected, port5
C 200.1.1.0/24 is directly connected, port2
Ping the HUB's tunnel address from SPOKE1.
# execute ping-options source 10.10.10.2
# execute ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
64 bytes from 10.10.10.1: icmp_seq=0 ttl=255 time=0.7 ms
64 bytes from 10.10.10.1: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=255 time=0.6 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=255 time=0.4 ms
64 bytes from 10.10.10.1: icmp_seq=4 ttl=255 time=0.6 ms
--- 10.10.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.7 ms
3. SPOKE2 VPN status

# diagnose vpn ike gateway list
vd: root/0
name: SPOKE2
version: 1
interface: port2 6
addr: 201.1.1.2:500 -> 100.1.1.2:500
tun_id: 100.1.1.2/::100.1.1.2
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 10.10.10.3 -> 10.10.10.1
created: 166s ago
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
id/spi: 0 712a042d8d25877d/437eb372be68f67e
direction: initiator
status: established 166-166s ago = 10ms
proposal: aes128-sha256
key: 48fb4b35b9a67aa3-f2f62d8949523c2d
lifetime/rekey: 86400/85933
DPD sent/recv: 0000000f/00000004
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=SPOKE2 ver=1 serial=1 201.1.1.2:0->100.1.1.2:0 tun_id=100.1.1.2 tun_id6=::100.1.1.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=6 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=8 olast=8 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=10000ms retry=3 count=0 seqno=15
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=SPOKE2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=18203 type=00 soft=0 mtu=1438 expire=42730/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42899/43200
dec: spi=99b97fa0 esp=aes key=16 6da0cd14244e96c9224fdfc526104c88
ah=sha1 key=20 c15decb70b3de9678d1313b564ec2e6e912b9540
enc: spi=a7d1cc78 esp=aes key=16 023a05cc8cd9224c781ca640b044c5b3
ah=sha1 key=20 96da3fa1c8207a267200aac94db3718944574a1b
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=100.1.1.2 npu_lgwy=201.1.1.2 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=0
View the routing table
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 201.1.1.1, port2, [1/0]
S 10.10.10.0/24 [5/0] via SPOKE2 tunnel 100.1.1.2, [1/0]
S 10.10.10.1/32 [15/0] via SPOKE2 tunnel 100.1.1.2, [1/0]
C 10.10.10.3/32 is directly connected, SPOKE2
C 192.168.2.0/24 is directly connected, port3
C 201.1.1.0/24 is directly connected, port2
Ping the HUB's tunnel interface address from SPOKE2.
# execute ping-options source 10.10.10.3
# execute ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
64 bytes from 10.10.10.1: icmp_seq=0 ttl=255 time=0.5 ms
64 bytes from 10.10.10.1: icmp_seq=1 ttl=255 time=0.6 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=255 time=0.6 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=255 time=0.6 ms
64 bytes from 10.10.10.1: icmp_seq=4 ttl=255 time=0.4 ms
--- 10.10.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms
Configure dynamic routing
1. HUB BGP configuration
Using the BGP neighbor-group feature, any BGP peer whose address matches the prefix 10.10.10.0/24 can establish a BGP neighbor relationship with the HUB.
The neighbors are set as route-reflector clients, which makes the HUB itself the route reflector; route reflection keeps the routes of the whole network synchronized in real time.
config router bgp
set as 65001
set router-id 100.1.1.2
config neighbor-group
edit "group1"
set next-hop-self enable
set soft-reconfiguration enable
set interface "HUB"
set remote-as 65001
set route-reflector-client enable
next
end
config neighbor-range
edit 1
set prefix 10.10.10.0 255.255.255.0
set neighbor-group "group1"
next
end
config network
edit 1
set prefix 192.168.0.0 255.255.255.0
next
end
end
2. SPOKE1 BGP configuration
Establish a BGP neighbor relationship with the HUB.
config router bgp
set as 65001
set router-id 200.1.1.2
config neighbor
edit "10.10.10.1"
set next-hop-self enable
set soft-reconfiguration enable
set interface "SPOKE1"
set remote-as 65001
next
end
config network
edit 1
set prefix 192.168.1.0 255.255.255.0
next
end
end
3. SPOKE2 BGP configuration
Establish a BGP neighbor relationship with the HUB.
config router bgp
set as 65001
set router-id 201.1.1.2
config neighbor
edit "10.10.10.1"
set next-hop-self enable
set soft-reconfiguration enable
set interface "SPOKE2"
set remote-as 65001
next
end
config network
edit 1
set prefix 192.168.2.0 255.255.255.0
next
end
config network6
edit 1
set prefix6 ::/128
next
end
end
View routing tables
1. HUB routing table
FGT-wangxiang-used # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 100.1.1.1, port2, [1/0]
C 10.10.10.0/24 is directly connected, HUB
C 10.10.10.1/32 is directly connected, HUB
C 100.1.1.0/24 is directly connected, port2
C 192.168.0.0/24 is directly connected, port5
B 192.168.1.0/24 [200/0] via 10.10.10.2 (recursive is directly connected, HUB), 00:21:21
B 192.168.2.0/24 [200/0] via 10.10.10.3 (recursive is directly connected, HUB), 00:21:21
2. SPOKE1 routing table
FGT-wangxiang-used # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 200.1.1.1, port2, [1/0]
S 10.10.10.0/24 [5/0] via SPOKE1 tunnel 100.1.1.2, [1/0]
S 10.10.10.1/32 [15/0] via SPOKE1 tunnel 100.1.1.2, [1/0]
C 10.10.10.2/32 is directly connected, SPOKE1
C 200.1.1.0/24 is directly connected, port2
C 192.168.1.0/24 is directly connected, port5
B 192.168.0.0/24 [200/0] via 10.10.10.1 (recursive via SPOKE1 tunnel 100.1.1.2), 00:21:41
B 192.168.2.0/24 [200/0] via 10.10.10.3 (recursive via SPOKE1 tunnel 100.1.1.2), 00:21:18
3. SPOKE2 routing table
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 200.1.1.1, port2, [1/0]
S 10.10.10.0/24 [5/0] via SPOKE2 tunnel 100.1.1.2, [1/0]
S 10.10.10.1/32 [15/0] via SPOKE2 tunnel 100.1.1.2, [1/0]
C 10.10.10.3/32 is directly connected, SPOKE2
C 192.168.2.0/24 is directly connected, port3
C 201.1.1.0/24 is directly connected, port2
B 192.168.0.0/24 [200/0] via 10.10.10.1 (recursive via SPOKE2 tunnel 100.1.1.2), 00:22:27
B 192.168.1.0/24 [200/0] via 10.10.10.2 (recursive via SPOKE2 tunnel 100.1.1.2), 00:22:27
Service test
1. HUB-side service test
PC1# ifconfig ens224
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.10 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::82c8:edfd:199d:70b0 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:e8:ad:a9 txqueuelen 1000 (Ethernet)
RX packets 6140132 bytes 1760274153 (1.6 GiB)
RX errors 0 dropped 3749603 overruns 0 frame 0
TX packets 51686 bytes 3833219 (3.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Access SPOKE1
PC1# ping 192.168.1.10 -c 4
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=62 time=1.42 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=62 time=0.788 ms
64 bytes from 192.168.1.10: icmp_seq=3 ttl=62 time=0.751 ms
64 bytes from 192.168.1.10: icmp_seq=4 ttl=62 time=0.688 ms
--- 192.168.1.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.688/0.913/1.427/0.300 ms
Access SPOKE2
PC1# ping 192.168.2.10 -c 4
PING 192.168.2.10 (192.168.2.10) 56(84) bytes of data.
64 bytes from 192.168.2.10: icmp_seq=1 ttl=62 time=1.09 ms
64 bytes from 192.168.2.10: icmp_seq=2 ttl=62 time=0.935 ms
64 bytes from 192.168.2.10: icmp_seq=3 ttl=62 time=0.991 ms
64 bytes from 192.168.2.10: icmp_seq=4 ttl=62 time=1.06 ms
--- 192.168.2.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.935/1.021/1.098/0.070 ms
2. SPOKE1-side service test
PC2# ifconfig ens224
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::1a6c:e61:d2b9:a415 prefixlen 64 scopeid 0x20<link>
inet6 2001::2 prefixlen 64 scopeid 0x0<global>
ether 00:0c:29:0e:4e:c5 txqueuelen 1000 (Ethernet)
RX packets 5904889 bytes 459674552 (438.3 MiB)
RX errors 0 dropped 58 overruns 0 frame 0
TX packets 3224540 bytes 205411564402 (191.3 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Access HUB
PC2# ping 192.168.0.10 -c 4
PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
64 bytes from 192.168.0.10: icmp_seq=1 ttl=62 time=0.746 ms
64 bytes from 192.168.0.10: icmp_seq=2 ttl=62 time=0.765 ms
64 bytes from 192.168.0.10: icmp_seq=3 ttl=62 time=0.862 ms
64 bytes from 192.168.0.10: icmp_seq=4 ttl=62 time=0.677 ms
--- 192.168.0.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.677/0.762/0.862/0.071 ms
Access SPOKE2
PC2# ping 192.168.2.10 -c 4
PING 192.168.2.10 (192.168.2.10) 56(84) bytes of data.
64 bytes from 192.168.2.10: icmp_seq=1 ttl=61 time=1.14 ms
64 bytes from 192.168.2.10: icmp_seq=2 ttl=61 time=0.952 ms
64 bytes from 192.168.2.10: icmp_seq=3 ttl=61 time=1.51 ms
64 bytes from 192.168.2.10: icmp_seq=4 ttl=61 time=0.886 ms
--- 192.168.2.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.886/1.124/1.519/0.248 ms
3. SPOKE2-side service test
PC3# ifconfig ens224
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.10 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fe80::2652:4dd7:5d0e:941d prefixlen 64 scopeid 0x20<link>
inet6 240e:604:109:39::216 prefixlen 64 scopeid 0x0<global>
ether 00:0c:29:37:f0:ac txqueuelen 1000 (Ethernet)
RX packets 9638867 bytes 205844622412 (191.7 GiB)
RX errors 0 dropped 118 overruns 0 frame 0
TX packets 5737914 bytes 378901312 (361.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Access HUB
PC3# ping 192.168.0.10 -c 4
PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
64 bytes from 192.168.0.10: icmp_seq=1 ttl=62 time=0.848 ms
64 bytes from 192.168.0.10: icmp_seq=2 ttl=62 time=0.935 ms
64 bytes from 192.168.0.10: icmp_seq=3 ttl=62 time=0.899 ms
64 bytes from 192.168.0.10: icmp_seq=4 ttl=62 time=1.04 ms
--- 192.168.0.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.848/0.931/1.045/0.081 ms
Access SPOKE1
PC3# ping 192.168.1.10 -c 4
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=61 time=1.13 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=61 time=1.22 ms
64 bytes from 192.168.1.10: icmp_seq=3 ttl=61 time=1.21 ms
64 bytes from 192.168.1.10: icmp_seq=4 ttl=61 time=1.04 ms
--- 192.168.1.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 1.043/1.151/1.220/0.075 ms
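The BGP configuration, the routing tables and the service-test TTLs above (62 for spoke-to-hub, 61 for spoke-to-spoke) all follow from the same design: the HUB accepts any peer inside its neighbor-range, reflects client routes without rewriting the next hop, and each spoke reaches the other spokes' tunnel IPs only through its static route to the HUB. The Python model below is an added example, not FortiOS code; the device table is constructed from the page's address plan.

```python
"""Model the BGP design on this page: the hub is a route reflector whose
neighbor-range accepts any peer inside 10.10.10.0/24, spokes are RR clients,
and spoke-to-spoke traffic transits the hub. Added example, not FortiOS code."""
from ipaddress import ip_address, ip_network

NEIGHBOR_RANGE = ip_network("10.10.10.0/24")  # hub 'config neighbor-range' prefix
# Constructed from the page's address plan: device -> (tunnel IP, LAN prefix)
DEVICES = {
    "HUB":    ("10.10.10.1", "192.168.0.0/24"),
    "SPOKE1": ("10.10.10.2", "192.168.1.0/24"),
    "SPOKE2": ("10.10.10.3", "192.168.2.0/24"),
}

def hub_accepts(peer_ip):
    """neighbor-range: a dial-up peer becomes a BGP neighbor only if its tunnel
    IP lies inside the configured prefix; no per-spoke neighbor entry needed."""
    return ip_address(peer_ip) in NEIGHBOR_RANGE

def build_ribs(devices):
    """Return {device: {prefix: next_hop}} after one round of iBGP: each spoke
    advertises its LAN to the hub; the hub (RR) reflects every client route to
    the other clients without rewriting the next hop (RFC 4456), which is why
    the page's spoke tables show 192.168.2.0/24 via 10.10.10.3, and advertises
    its own LAN with itself as next hop."""
    hub_ip, hub_lan = devices["HUB"]
    spokes = {d: v for d, v in devices.items() if d != "HUB"}
    hub_rib = {lan: tip for d, (tip, lan) in spokes.items() if hub_accepts(tip)}
    ribs = {"HUB": dict(hub_rib)}
    for d, (tip, lan) in spokes.items():
        if not hub_accepts(tip):            # peering never comes up
            ribs[d] = {}
            continue
        rib = {hub_lan: hub_ip}
        rib.update({p: nh for p, nh in hub_rib.items() if nh != tip})
        ribs[d] = rib
    return ribs

def trace(devices, ribs, src_dev, dst_ip):
    """Follow a packet from src_dev's LAN to dst_ip hop by hop and return
    (devices traversed, TTL seen by the destination host if the sender used 64,
    or None when a hop has no route). A next hop in 10.10.10.0/24 is directly
    connected on the hub but, on a spoke, resolves through the static route
    to the hub, so every spoke-to-spoke path goes SPOKE -> HUB -> SPOKE."""
    dst, path, cur = ip_address(dst_ip), [], src_dev
    while len(path) < len(devices) + 1:
        path.append(cur)
        tip, lan = devices[cur]
        if dst in ip_network(lan):
            return path, 64 - len(path)
        nh = next((n for p, n in ribs[cur].items() if dst in ip_network(p)), None)
        if nh is None:
            return path, None
        owner = next(d for d, (t, _) in devices.items() if t == nh)
        cur = owner if cur == "HUB" else "HUB"
    return path, None
```

Adding a device whose tunnel IP lies outside 10.10.10.0/24 shows the other side of the neighbor-range check: it never peers, its LAN is never reflected, and traffic to it is dropped at the first spoke.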