...
| Блок кода | ||||
|---|---|---|---|---|
| ||||
hostname HUB
router bgp log-neighbor-changes
router bgp 65000
router-id 198.51.100.1
peer-group Cloud1
remote-as 65000
route-reflector-client
update-source 198.51.100.1
address-family ipv4 unicast
enable
exit
exit
listen-range 198.51.100.0/25
peer-group Cloud1
enable
exit
enable
exit
interface gigabitethernet 1/0/21
ip firewall disable
ip address 203.0.113.2/30
exit
tunnel gre 1
key 10
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.2
ip address 198.51.100.1/25
ip tcp adjust-mss 1340
ip nhrp ipsec ipsec_for_spokes dynamic
ip nhrp multicast dynamic
ip nhrp enable
enable
exit
security ike proposal ike_proposal
authentication algorithm sha2-384
encryption algorithm aes256
dh-group 21
exit
security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit
security ike gateway ike_for_spokes
ike-policy ike_policy
local address 203.0.113.2
local network 203.0.113.2/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit
security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy ipsec_policy
proposal ipsec_proposal
exit
security ipsec vpn ipsec_for_spokes
type transport
ike establish-tunnel route
ike gateway ike_for_spokes
ike ipsec-policy ipsec_policy
enable
exit
ip route 0.0.0.0/0 203.0.113.1 |
...
| Блок кода | ||||
|---|---|---|---|---|
| ||||
hostname SPOKE-1
router bgp log-neighbor-changes
router bgp 65000
router-id 198.51.100.2
neighbor 198.51.100.1
description "Cloud_1"
remote-as 65000
address-family ipv4 unicast
enable
exit
enable
exit
address-family ipv4 unicast
network 192.0.2.0/25
exit
enable
exit
interface gigabitethernet 1/0/21
ip firewall disable
ip address 203.0.113.6/30
exit
interface gigabitethernet 1/0/43
ip firewall disable
ip address 192.0.2.1/25
exit
tunnel gre 1
key 10
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.6
ip address 198.51.100.2/25
ip tcp adjust-mss 1340
ip nhrp holding-time 90
ip nhrp map 198.51.100.1 203.0.113.2
ip nhrp nhs 198.51.100.1
ip nhrp ipsec ipsec_for_hub static
ip nhrp ipsec ipsec_for_spokes dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
security ike proposal ike_proposal
authentication algorithm sha2-384
encryption algorithm aes256
dh-group 21
exit
security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit
security ike gateway ike_for_hub
ike-policy ike_policy
local address 203.0.113.6
local network 203.0.113.6/32 protocol gre
remote address 203.0.113.2
remote network 203.0.113.2/32 protocol gre
mode policy-based
exit
security ike gateway ike_for_spokes
ike-policy ike_policy
local address 203.0.113.6
local network 203.0.113.6/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit
security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy ipsec_policy
proposal ipsec_proposal
exit
security ipsec vpn ipsec_for_hub
type transport
ike establish-tunnel route
ike gateway ike_for_hub
ike ipsec-policy ipsec_policy
enable
exit
security ipsec vpn ipsec_for_spokes
type transport
ike establish-tunnel route
ike gateway ike_for_spokes
ike ipsec-policy ipsec_policy
enable
exit
ip route 0.0.0.0/0 203.0.113.5 |
...
| Примечание |
|---|
Поскольку MultiWAN используется в режиме балансировки, то GRE-пакеты могут передаваться с любого интерфейса. |
| Примечание |
С версии ПО 1.28.1 вместо настройки local PBR достаточно включить stickiness в конфигурации MultiWAN: |
1) Настроим local PBR:
| панель |
|---|
|
...
| панель |
|---|
|
...
| Блок кода | ||||
|---|---|---|---|---|
| ||||
hostname SPOKE-2
ip access-list extended LOCAL_1
rule 1
action permit
match source-address 203.0.113.14 255.255.255.255
enable
exit
exit
ip access-list extended LOCAL_2
rule 1
action permit
match source-address 203.0.113.10 255.255.255.255
enable
exit
exit
route-map PBR_LOCAL
rule 1
match ip access-group LOCAL_1
action set ip next-hop verify-availability 203.0.113.13 1
exit
rule 2
match ip access-group LOCAL_2
action set ip next-hop verify-availability 203.0.113.9 1
exit
exit
ip local policy route-map PBR_LOCAL
router bgp log-neighbor-changes
router bgp 65000
router-id 198.51.100.3
neighbor 198.51.100.1
description "Cloud_1"
remote-as 65000
weight 10
update-source 198.51.100.3
address-family ipv4 unicast
enable
exit
enable
exit
neighbor 198.51.100.129
description "Cloud_2"
remote-as 65000
address update-source 198.51.100.131
address-family ipv4 unicast
enable
exit
enable
exit
address-family ipv4 unicast
network 192.0.2.128/25
exit
enable
exit
interface gigabitethernet 1/0/1
ip firewall disable
ip address 203.0.113.14/30
wan load-balance nexthop 203.0.113.13
wan load-balance enable
exit
interface gigabitethernet 1/0/2
ip firewall disable
ip address 203.0.113.10/30
wan load-balance nexthop 203.0.113.9
wan load-balance enable
exit
interface gigabitethernet 1/0/3
ip firewall disable
ip address 192.0.2.129/25
exit
tunnel gre 1
key 10
ttl 255
mtu 1400
multipoint
ip firewall disable
local address 203.0.113.14
ip address 198.51.100.3/25
ip tcp adjust-mss 1340
ip nhrp holding-time 90
ip nhrp map 198.51.100.1 203.0.113.2
ip nhrp nhs 198.51.100.1
ip nhrp ipsec ipsec_for_hub_cloud1 static
ip nhrp ipsec ipsec_for_spokes_cloud1 dynamic
ip nhrp multicast nhs
ip nhrp enable
enable
exit
tunnel gre 2
key 20
ttl 255
mtu 1400
ip firewall disable
local address 203.0.113.10
remote address 203.0.113.2
ip address 198.51.100.131/25
ip tcp adjust-mss 1340
ip nhrp holding-time 90
ip nhrp map 198.51.100.129 203.0.113.2
ip nhrp nhs 198.51.100.129
ip nhrp ipsec ipsec_for_hub_cloud2 static
ip nhrp multicast nhs
ip nhrp enable
enable
exit
security ike proposal ike_proposal
authentication algorithm sha2-384
encryption algorithm aes256
dh-group 21
exit
security ike policy ike_policy
pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
proposal ike_proposal
exit
security ike gateway ike_for_hub_cloud1
ike-policy ike_policy
local address 203.0.113.14
local network 203.0.113.14/32 protocol gre
remote address 203.0.113.2
remote network 203.0.113.2/32 protocol gre
mode policy-based
exit
security ike gateway ike_for_hub_cloud2
ike-policy ike_policy
local address 203.0.113.10
local network 203.0.113.10/32 protocol gre
remote address 203.0.113.2
remote network 203.0.113.2/32 protocol gre
mode policy-based
exit
security ike gateway ike_for_spokes_cloud1
ike-policy ike_policy
local address 203.0.113.14
local network 203.0.113.14/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit
security ipsec proposal ipsec_proposal
authentication algorithm sha2-256
encryption algorithm aes256
pfs dh-group 19
exit
security ipsec policy ipsec_policy
proposal ipsec_proposal
exit
security ipsec vpn ipsec_for_hub_cloud1
type transport
ike establish-tunnel route
ike gateway ike_for_hub_cloud1
ike ipsec-policy ipsec_policy
enable
exit
security ipsec vpn ipsec_for_hub_cloud2
type transport
ike establish-tunnel route
ike gateway ike_for_hub_cloud2
ike ipsec-policy ipsec_policy
enable
exit
security ipsec vpn ipsec_for_spokes_cloud1
type transport
ike establish-tunnel route
ike gateway ike_for_spokes_cloud1
ike ipsec-policy ipsec_policy
enable
exit
ip route 0.0.0.0/0 wan load-balance rule 1
wan load-balance rule 1
outbound interface gigabitethernet 1/0/1
outbound interface gigabitethernet 1/0/2
enable
exit |
...