1、网络拓扑
实验拓扑很简单:1台AR作为RR,2台AR作为CPE,不涉及选路,使用最简单的1个路由域+1个传输端口;tunnel0作为创建BGP EVPN的控制通道,tunnel1作为数据通道。实验目的是抓包看下SD-WAN如何进行封装。

2、开启telnet
由于AR6700-V默认不支持telnet登录(需先安装WEAKEA模块),命令不方便复制粘贴,实验环境中开启telnet的命令如下
==========安装不安全的telnet模块
#
install feature-software WEAKEA
#
interface GE0/0/0
ip address 10.100.1.1 255.255.255.0
#
aaa
local-user admin password irreversible-cipher Admin@800
local-user admin privilege level 3
local-user admin service-type telnet
#
telnet server enable
telnet server-source all-interface
#
user-interface vty 0 4
authentication-mode aaa
idle-timeout 0 0
protocol inbound telnet
3、实验配置
(1)HUB01兼做RR
#
sysname RR
#
route-policy test permit node 10
apply extcommunity priority-color 10:2
#
ip vpn-instance vpn1
vn-id 90
ipv4-family
route-distinguisher 9:2
export route-policy test evpn
vpn-target 111:1 export-extcommunity evpn
vpn-target 111:1 import-extcommunity evpn
#
ipsec p2mp-policy sdwan
esp encryption-algorithm aes-256-gcm
esp authentication-algorithm sha2-256
#
interface GE0/0/1
ip address 172.16.2.2 255.255.255.0
ospf network-type p2p
ospf enable 100 area 0.0.0.0
#
interface LoopBack0
ip address 10.2.2.2 255.255.255.255
ospf enable 100 area 0.0.0.0
#
interface Tunnel0
ip address 11.2.2.2 255.255.255.255
tunnel-protocol sd-wan
sd-wan service enable
#
interface Tunnel1
ip binding vpn-instance vpn1
ip address 12.2.2.2 255.255.255.255
tunnel-protocol sd-wan
sd-wan service enable
ipsec-p2mp-policy sdwan
#
bgp 100
undo default ipv4-unicast
private-4-byte-as enable
peer 10.1.1.1 as-number 100
peer 10.3.3.3 as-number 100
group cpe internal
#
ipv4-family vpn-instance vpn1
import-route direct
advertise l2vpn evpn
#
l2vpn-family evpn
undo policy vpn-target
peer cpe enable
peer cpe advertise encap-type sd-wan
peer cpe reflect-client
peer 10.1.1.1 group cpe
y
peer 10.3.3.3 group cpe
y
#
ipv4-family sd-wan
peer cpe enable
peer cpe reflect-client
peer 10.1.1.1 group cpe
y
peer 10.3.3.3 group cpe
y
#
ospf 100 router-id 10.1.1.1
area 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 Tunnel0
ip route-static 10.1.1.1 255.255.255.255 color 1
ip route-static 10.3.3.3 255.255.255.255 color 3
#
evpn site 2 site-type rr
system-id 10.2.2.2
routing-domain 100 name mpls
transport-network 10 name mpls
transport-network-port 1
routing-domain mpls
transport-network mpls
source-interface GE0/0/1
#
dtls server
dtls server enable
listening-port 55100
listening-ip 172.16.2.2
(2)CPE01
#
sysname CPE1
#
route-policy test permit node 10
apply extcommunity priority-color 10:1
#
ip vpn-instance vpn1
vn-id 90
ipv4-family
route-distinguisher 9:1
export route-policy test evpn
vpn-target 111:1 export-extcommunity evpn
vpn-target 111:1 import-extcommunity evpn
#
ipsec p2mp-policy sdwan
esp encryption-algorithm aes-256-gcm
esp authentication-algorithm sha2-256
#
interface GE0/0/1
ip address 172.16.1.2 255.255.255.252
ospf network-type p2p
ospf enable 100 area 0.0.0.0
#
interface GE0/0/2
ip binding vpn-instance vpn1
ip address 192.168.1.1 255.255.255.0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.255
ospf enable 100 area 0.0.0.0
#
interface Tunnel0
ip address 11.1.1.1 255.255.255.255
tunnel-protocol sd-wan
sd-wan service enable
#
interface Tunnel1
ip binding vpn-instance vpn1
ip address 12.1.1.1 255.255.255.255
tunnel-protocol sd-wan
sd-wan service enable
ipsec-p2mp-policy sdwan
#
bgp 100
undo default ipv4-unicast
private-4-byte-as enable
peer 10.2.2.2 as-number 100
peer 10.2.2.2 connect-interface LoopBack0
#
ipv4-family vpn-instance vpn1
import-route direct
advertise l2vpn evpn
#
l2vpn-family evpn
undo policy vpn-target
peer 10.2.2.2 enable
y
peer 10.2.2.2 advertise encap-type sd-wan
#
ipv4-family sd-wan
peer 10.2.2.2 enable
y
#
ospf 100 router-id 10.1.1.1
area 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 Tunnel0
ip route-static 10.2.2.2 255.255.255.255 color 2
#
evpn site 1 site-type cpe
system-id 10.1.1.1
routing-domain 100 name mpls
transport-network 10 name mpls
transport-network-port 1
routing-domain mpls
transport-network mpls
source-interface GE0/0/1
#
dtls client
peer system-id 10.2.2.2 ip 172.16.2.2 port 55100
(3)CPE02
#
sysname CPE2
#
route-policy test permit node 10
apply extcommunity priority-color 10:3
#
ip vpn-instance vpn1
vn-id 90
ipv4-family
route-distinguisher 9:3
export route-policy test evpn
vpn-target 111:1 export-extcommunity evpn
vpn-target 111:1 import-extcommunity evpn
#
ipsec p2mp-policy sdwan
esp encryption-algorithm aes-256-gcm
esp authentication-algorithm sha2-256
#
interface GE0/0/1
ip address 172.16.3.2 255.255.255.0
ospf network-type p2p
ospf enable 100 area 0.0.0.0
#
interface GE0/0/2
ip binding vpn-instance vpn1
ip address 192.168.3.1 255.255.255.0
#
interface LoopBack0
ip address 10.3.3.3 255.255.255.255
ospf enable 100 area 0.0.0.0
#
interface Tunnel0
ip address 11.3.3.3 255.255.255.255
tunnel-protocol sd-wan
sd-wan service enable
#
interface Tunnel1
ip binding vpn-instance vpn1
ip address 12.3.3.3 255.255.255.255
tunnel-protocol sd-wan
sd-wan service enable
ipsec-p2mp-policy sdwan
#
bgp 100
undo default ipv4-unicast
private-4-byte-as enable
peer 10.2.2.2 as-number 100
peer 10.2.2.2 connect-interface LoopBack0
#
ipv4-family vpn-instance vpn1
import-route direct
advertise l2vpn evpn
#
l2vpn-family evpn
undo policy vpn-target
peer 10.2.2.2 enable
y
peer 10.2.2.2 advertise encap-type sd-wan
#
ipv4-family sd-wan
peer 10.2.2.2 enable
y
(4)Core-SW01
#
sysname Core-SW1
#
ospf 100 router-id 0.0.0.1
area 0.0.0.0
#
interface GE1/0/1
undo portswitch
undo shutdown
ip address 172.16.1.1 255.255.255.252
ospf network-type p2p
ospf enable 100 area 0.0.0.0
#
interface GE1/0/2
undo portswitch
undo shutdown
ip address 172.16.2.1 255.255.255.252
ospf network-type p2p
ospf enable 100 area 0.0.0.0
#
interface GE1/0/3
undo portswitch
undo shutdown
ip address 172.16.3.1 255.255.255.252
ospf network-type p2p
ospf enable 100 area 0.0.0.0
4、激活临时license
AR6700-V的数据转发有约束,需要激活临时license,否则路由转发会异常,3台AR都需要配置
license trial enable

5、实验结果
(1)检查bgp evpn邻居和bgp sd-wan邻居,前者负责业务路由传递和数据隧道建立,后者负责BGP EVPN控制通道和隧道TNP封装信息分发。


(2)查看SD-WAN数据通道

(3)PC01 ping PC02 测试,可以通,并在CPE01的G0/0/1口进行抓包,遗憾的是数据包封装错误,无法看到完整数据包。这里做了点小调整,将Tunnel1上的加密模板去掉,避免被IPSec加密导致无法看到具体数据包(去掉后Tunnel1的数据将不再加密,仅用于实验抓包),在CPE01和CPE02上执行即可。
#
interface Tunnel1
undo ipsec-p2mp-policy


