
H3C MSR3610-IE-DP: Configuration Example for Intelligent Path Selection in an SDWAN Network

2024-12-12 15:11
       H3C router: configuration example for intelligent path selection in an SDWAN network
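       Customer networking requirements
       In the customer's group SDWAN network, CPE 1 and CPE 2 are deployed in branch networks and RR is deployed in the data center network. The enterprise branches and the data center network must be able to reach each other, and with intelligent path selection the devices choose a suitable path for service traffic between the branches and the data center according to the defined path selection policies.
       The detailed networking requirements are as follows:
       CPE 1, CPE 2, and RR belong to Site1, Site2, and Site3 respectively, each with device ID 1, and each connects through GigabitEthernet1/0/3 to the local device of its branch network or of the data center network. SDWAN tunnels are established among CPE 1, CPE 2, and RR, and the branch networks and the data center network are interconnected over these tunnels.
       CPE 1 and CPE 2 each configure two links of equal priority for service traffic; when both links meet the service requirements, traffic is load-shared across them. RR configures two links of different priorities for service traffic and prefers the higher-priority link.
       The SDWAN tunnels established among CPE 1, CPE 2, and RR cannot encrypt packets by themselves, so IPsec is applied to protect the packets forwarded over the SDWAN tunnels.
Network diagram: intelligent path selection in the customer's SDWAN network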
 
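       Configuration preparation
       Configure the IP address and mask of each interface according to the customer's requirements; the detailed steps are omitted here.
       Transfer the certificate files to the storage medium of the SDWAN server by using FTP, TFTP, or a similar protocol, and use the pki import command to import the CA certificate and the local certificate into the specified PKI domain on the SDWAN server; the procedure is omitted.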
 
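       Configuration approach
       In the SDWAN network, the SDWAN client and the SDWAN server establish an SSL connection, which sets up the control channel between the CPE and RR:
       RR acts as the route reflector and reflects TTE information and private network routes between CPE 1 and CPE 2.
       IPsec is configured to protect the packets forwarded over the SDWAN tunnels.
       Configure iNQA on CPE 1, CPE 2, and RR. All three act as Collectors, and RR also acts as the Analyzer.
       On CPE 1, CPE 2, and RR, interface GigabitEthernet1/0/1 connects to Internet1 and interface GigabitEthernet1/0/2 connects to Internet2. Create SDWAN tunnels Tunnel 1 and Tunnel 2 on each of CPE 1, CPE 2, and RR. Tunnel 1 uses GigabitEthernet1/0/1 as its source interface and as the outgoing interface for tunnel packets; Tunnel 2 uses GigabitEthernet1/0/2 for both.
       Configure intelligent path selection policies so that CPE 1, CPE 2, and RR each forward different service packets (distinguished by DSCP) over the one highest-priority link or over two links (load sharing).
       Configure flow template 1 and flow template 2 to steer packets with DSCP 1 and DSCP 2 onto the optimal SDWAN tunnel.

       On CPE 1, CPE 2, and RR, associate the quality policy of flow template 1 with SLA 1 and that of flow template 2 with SLA 2, so that link quality is probed and evaluated for the service traffic according to the quality policy.
       The link load-sharing mode on CPE 1, CPE 2, and RR is per-flow weighted path selection (the default mode; no configuration required).
       The bandwidth of the physical interfaces that send SDWAN tunnel packets meets the bandwidth requirements of the service traffic.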
 
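       Configuration procedure
       Configuring OSPF
(1)     Configure CPE 1
# Specify that the IP address of OSPF-enabled interface GE1/0/1 is on network 11.1.1.0/24 and the primary IP address of interface GE1/0/2 is on network 12.1.1.0/24, both in OSPF area 0.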
 
<CPE1> system-view
 
[CPE1] ospf 1
 
[CPE1-ospf-1] area 0
 
[CPE1-ospf-1-area-0.0.0.0] network 11.1.1.0 0.0.0.255

[CPE1-ospf-1-area-0.0.0.0] network 12.1.1.0 0.0.0.255

[CPE1-ospf-1-area-0.0.0.0] quit

[CPE1-ospf-1] quit
 
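(2)     Configure CPE 2

# Specify that the IP address of OSPF-enabled interface GE1/0/1 is on network 21.1.1.0/24 and the primary IP address of interface GE1/0/2 is on network 22.1.1.0/24, both in OSPF area 0.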
 
<CPE2> system-view
 
[CPE2] ospf 1
 
[CPE2-ospf-1] area 0
 
[CPE2-ospf-1-area-0.0.0.0] network 21.1.1.0 0.0.0.255

[CPE2-ospf-1-area-0.0.0.0] network 22.1.1.0 0.0.0.255

[CPE2-ospf-1-area-0.0.0.0] quit

[CPE2-ospf-1] quit
 
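(3)     Configure RR

# Specify that the IP address of OSPF-enabled interface GE1/0/1 is on network 31.1.1.0/24 and the primary IP address of interface GE1/0/2 is on network 32.1.1.0/24, both in OSPF area 0.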
 
<RR> system-view
 
[RR] ospf 1
 
[RR-ospf-1] area 0
 
[RR-ospf-1-area-0.0.0.0] network 31.1.1.0 0.0.0.255

[RR-ospf-1-area-0.0.0.0] network 32.1.1.0 0.0.0.255

[RR-ospf-1-area-0.0.0.0] quit

[RR-ospf-1] quit
 
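 Configuring SDWAN
1. Configure SDWAN global parameters (site information and device information)
(1)     Configure CPE 1

# Configure CPE 1 with site ID 1, site name Site1, device ID 1, and site role CPE, and use the primary IP address of interface Loopback10 as the system IP.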
 
[CPE1] sdwan site-id 1
 
[CPE1] sdwan site-name Site1
 
[CPE1] sdwan device-id 1
 
[CPE1] sdwan site-role cpe
 
[CPE1] sdwan system-ip loopback 10
 
# Set the source UDP port number of SDWAN packets to 3000.
 
[CPE1] sdwan encapsulation global-udp-port 3000
 
(2)     Configure CPE 2

# Configure CPE 2 with site ID 2, site name Site2, device ID 1, and site role CPE, and use the primary IP address of interface Loopback10 as the system IP.
 
[CPE2] sdwan site-id 2
 
[CPE2] sdwan site-name Site2
 
[CPE2] sdwan device-id 1
 
[CPE2] sdwan site-role cpe
 
[CPE2] sdwan system-ip loopback 10
 
# Set the source UDP port number of SDWAN packets to 3000.
 
[CPE2] sdwan encapsulation global-udp-port 3000
 
(3)     Configure RR

# Configure RR with site ID 3, site name Site3, device ID 1, and site role RR, and use the primary IP address of interface Loopback10 as the system IP.
 
[RR] sdwan site-id 3
 
[RR] sdwan site-name Site3
 
[RR] sdwan device-id 1
 
[RR] sdwan site-role rr
 
[RR] sdwan system-ip loopback 10
 
# Set the source UDP port number of SDWAN packets to 3000.
 
[RR] sdwan encapsulation global-udp-port 3000
 
2. Configure the SSL connection between the CPEs (SDWAN clients) and RR (SDWAN server).
(1)     Configure CPE 1 as an SDWAN client

# Specify the SDWAN server with system IP 130.1.1.1, IP address 31.1.1.1, and TCP port 4000, and specify plc1 as the SSL client policy used to establish the SSL connection with RR (SDWAN server).

[CPE1] ssl client-policy plc1

[CPE1-ssl-client-policy-plc1] prefer-cipher rsa_aes_256_cbc_sha

[CPE1-ssl-client-policy-plc1] undo server-verify enable

[CPE1-ssl-client-policy-plc1] quit
 
[CPE1] sdwan server system-ip 130.1.1.1 ip 31.1.1.1 port 4000
 
[CPE1] sdwan ssl-client-policy plc1
 
(2)     Configure CPE 2 as an SDWAN client

# Specify the SDWAN server with system IP 130.1.1.1, IP address 32.1.1.1, and TCP port 4000, and specify plc1 as the SSL client policy used to establish the SSL connection with RR (SDWAN server).

[CPE2] ssl client-policy plc1

[CPE2-ssl-client-policy-plc1] prefer-cipher rsa_aes_256_cbc_sha

[CPE2-ssl-client-policy-plc1] undo server-verify enable

[CPE2-ssl-client-policy-plc1] quit
 
[CPE2] sdwan server system-ip 130.1.1.1 ip 32.1.1.1 port 4000
 
[CPE2] sdwan ssl-client-policy plc1
 
(3)     Configure RR as the SDWAN server

# On RR, set the TCP port of the SDWAN server service to 4000, specify plc1 as the SSL server policy used to establish SSL connections with the CPEs (SDWAN clients), and enable the SDWAN server service.

[RR] pki domain dm1

[RR-pki-domain-dm1] public-key rsa general name dm1 length 2048

[RR-pki-domain-dm1] undo crl check enable

[RR-pki-domain-dm1] quit

[RR] ssl server-policy plc1

[RR-ssl-server-policy-plc1] pki-domain dm1

[RR-ssl-server-policy-plc1] quit
 
[RR] sdwan server port 4000
 
[RR] sdwan ssl-server-policy plc1
 
[RR] sdwan server enable
 
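3. Configure the SDWAN tunnels
(1)     Configure CPE 1

# Create SDWAN tunnel interface Tunnel 1. Set its source interface to GigabitEthernet1/0/1, specify GigabitEthernet1/0/1 as the outgoing interface for tunnel packets, and use routing domain rd1 (ID 10), transport network internet1 (ID 10), and interface ID 30.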
 
[CPE1] interface tunnel1 mode sdwan udp
 
[CPE1-Tunnel1] source gigabitethernet 1/0/1
 
[CPE1-Tunnel1] tunnel out-interface gigabitethernet 1/0/1
 
[CPE1-Tunnel1] sdwan routing-domain rd1 id 10
 
[CPE1-Tunnel1] sdwan transport-network internet1 id 10
 
[CPE1-Tunnel1] sdwan interface-id 30
 
[CPE1-Tunnel1] ip address unnumbered interface gigabitethernet 1/0/1
 
[CPE1-Tunnel1] quit
 
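# Create SDWAN tunnel interface Tunnel 2. Set its source interface to GigabitEthernet1/0/2, specify GigabitEthernet1/0/2 as the outgoing interface for tunnel packets, and use routing domain rd2 (ID 20), transport network internet2 (ID 20), and interface ID 40.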
 
[CPE1] interface tunnel2 mode sdwan udp
 
[CPE1-Tunnel2] source gigabitethernet 1/0/2
 
[CPE1-Tunnel2] tunnel out-interface gigabitethernet 1/0/2
 
[CPE1-Tunnel2] sdwan routing-domain rd2 id 20
 
[CPE1-Tunnel2] sdwan transport-network internet2 id 20
 
[CPE1-Tunnel2] sdwan interface-id 40
 
[CPE1-Tunnel2] ip address unnumbered interface gigabitethernet 1/0/2
 
[CPE1-Tunnel2] quit
 
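(2)     Configure CPE 2

# Create SDWAN tunnel interface Tunnel 1. Set its source interface to GigabitEthernet1/0/1, specify GigabitEthernet1/0/1 as the outgoing interface for tunnel packets, and use routing domain rd1 (ID 10), transport network internet1 (ID 10), and interface ID 30.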
 
[CPE2] interface tunnel1 mode sdwan udp
 
[CPE2-Tunnel1] source gigabitethernet 1/0/1
 
[CPE2-Tunnel1] tunnel out-interface gigabitethernet 1/0/1
 
[CPE2-Tunnel1] sdwan routing-domain rd1 id 10
 
[CPE2-Tunnel1] sdwan transport-network internet1 id 10
 
[CPE2-Tunnel1] sdwan interface-id 30
 
[CPE2-Tunnel1] ip address unnumbered interface gigabitethernet 1/0/1
 
[CPE2-Tunnel1] quit
 
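# Create SDWAN tunnel interface Tunnel 2. Set its source interface to GigabitEthernet1/0/2, specify GigabitEthernet1/0/2 as the outgoing interface for tunnel packets, and use routing domain rd2 (ID 20), transport network internet2 (ID 20), and interface ID 40.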
 
[CPE2] interface tunnel2 mode sdwan udp
 
[CPE2-Tunnel2] source gigabitethernet 1/0/2
 
[CPE2-Tunnel2] tunnel out-interface gigabitethernet 1/0/2
 
[CPE2-Tunnel2] sdwan routing-domain rd2 id 20
 
[CPE2-Tunnel2] sdwan transport-network internet2 id 20
 
[CPE2-Tunnel2] sdwan interface-id 40
 
[CPE2-Tunnel2] ip address unnumbered interface gigabitethernet 1/0/2
 
[CPE2-Tunnel2] quit
 
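(3)     Configure RR

# Create SDWAN tunnel interface Tunnel 1. Set its source interface to GigabitEthernet1/0/1, specify GigabitEthernet1/0/1 as the outgoing interface for tunnel packets, and use routing domain rd1 (ID 10), transport network internet1 (ID 10), and interface ID 30.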
 
[RR] interface tunnel1 mode sdwan udp
 
[RR-Tunnel1] source gigabitethernet 1/0/1
 
[RR-Tunnel1] tunnel out-interface gigabitethernet 1/0/1
 
[RR-Tunnel1] sdwan routing-domain rd1 id 10
 
[RR-Tunnel1] sdwan transport-network internet1 id 10
 
[RR-Tunnel1] sdwan interface-id 30
 
[RR-Tunnel1] ip address unnumbered interface gigabitethernet 1/0/1
 
[RR-Tunnel1] quit
 
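# Create SDWAN tunnel interface Tunnel 2. Set its source interface to GigabitEthernet1/0/2, specify GigabitEthernet1/0/2 as the outgoing interface for tunnel packets, and use routing domain rd2 (ID 20), transport network internet2 (ID 20), and interface ID 40.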
 
[RR] interface tunnel2 mode sdwan udp
 
[RR-Tunnel2] source gigabitethernet 1/0/2
 
[RR-Tunnel2] tunnel out-interface gigabitethernet 1/0/2
 
[RR-Tunnel2] sdwan routing-domain rd2 id 20
 
[RR-Tunnel2] sdwan transport-network internet2 id 20
 
[RR-Tunnel2] sdwan interface-id 40
 
[RR-Tunnel2] ip address unnumbered interface gigabitethernet 1/0/2
 
[RR-Tunnel2] quit
 
4. Configure the BGP connection between the CPEs and RR, and advertise IPv4 Tnl-encap-ext routes between them.
(1)     Configure CPE 1
 
[CPE1] bgp 100
 
[CPE1-bgp-default] peer 130.1.1.1 as-number 100
 
[CPE1-bgp-default] peer 130.1.1.1 connect-interface Loopback10
 
[CPE1-bgp-default] address-family ipv4 tnl-encap-ext
 
[CPE1-bgp-default-ipv4] peer 130.1.1.1 enable
 
[CPE1-bgp-default-ipv4] quit
 
[CPE1-bgp-default] quit

(2)     Configure CPE 2
 
[CPE2] bgp 100
 
[CPE2-bgp-default] peer 130.1.1.1 as-number 100
 
[CPE2-bgp-default] peer 130.1.1.1 connect-interface Loopback10
 
[CPE2-bgp-default] address-family ipv4 tnl-encap-ext
 
[CPE2-bgp-default-ipv4] peer 130.1.1.1 enable
 
[CPE2-bgp-default-ipv4] quit
 
[CPE2-bgp-default] quit
 
(3)     Configure RR
 
[RR] bgp 100
 
[RR-bgp-default] peer 110.1.1.1 as-number 100
 
[RR-bgp-default] peer 110.1.1.1 connect-interface Loopback10
 
[RR-bgp-default] peer 120.1.1.1 as-number 100
 
[RR-bgp-default] peer 120.1.1.1 connect-interface Loopback10
 
[RR-bgp-default] address-family ipv4 tnl-encap-ext
 
[RR-bgp-default-ipv4] peer 110.1.1.1 enable
 
[RR-bgp-default-ipv4] peer 120.1.1.1 enable
 
[RR-bgp-default-ipv4] peer 110.1.1.1 reflect-client
 
[RR-bgp-default-ipv4] peer 120.1.1.1 reflect-client
 
[RR-bgp-default-ipv4] quit
 
[RR-bgp-default] quit
 
5. Configure IPsec to protect the SDWAN tunnels.
(1)     Configure CPE 1
 
[CPE1] ipsec transform-set tran1
 
[CPE1-transform-set-tran1] encapsulation-mode transport
 
[CPE1-transform-set-tran1] esp encryption-algorithm 3des-cbc
 
[CPE1-transform-set-tran1] esp authentication-algorithm md5
 
[CPE1-transform-set-tran1] quit
 
[CPE1] ipsec profile prf1 sdwan
 
[CPE1-ipsec-profile-sdwan-prf1] transform-set tran1
 
[CPE1-ipsec-profile-sdwan-prf1] quit
 
[CPE1] interface tunnel 1
 
[CPE1-Tunnel1] tunnel protection ipsec profile prf1
 
[CPE1-Tunnel1] quit
 
[CPE1] interface tunnel 2
 
[CPE1-Tunnel2] tunnel protection ipsec profile prf1

[CPE1-Tunnel2] quit

(2)     Configure CPE 2
 
[CPE2] ipsec transform-set tran1
 
[CPE2-transform-set-tran1] encapsulation-mode transport
 
[CPE2-transform-set-tran1] esp encryption-algorithm 3des-cbc
 
[CPE2-transform-set-tran1] esp authentication-algorithm md5
 
[CPE2-transform-set-tran1] quit
 
[CPE2] ipsec profile prf1 sdwan
 
[CPE2-ipsec-profile-sdwan-prf1] transform-set tran1
 
[CPE2-ipsec-profile-sdwan-prf1] quit
 
[CPE2] interface tunnel 1
 
[CPE2-Tunnel1] tunnel protection ipsec profile prf1
 
[CPE2-Tunnel1] quit
 
[CPE2] interface tunnel 2
 
[CPE2-Tunnel2] tunnel protection ipsec profile prf1

[CPE2-Tunnel2] quit

(3)     Configure RR
 
[RR] ipsec transform-set tran1
 
[RR-transform-set-tran1] encapsulation-mode transport
 
[RR-transform-set-tran1] esp encryption-algorithm 3des-cbc
 
[RR-transform-set-tran1] esp authentication-algorithm md5
 
[RR-transform-set-tran1] quit
 
[RR] ipsec profile prf1 sdwan
 
[RR-ipsec-profile-sdwan-prf1] transform-set tran1
 
[RR-ipsec-profile-sdwan-prf1] quit
 
[RR] interface tunnel 1
 
[RR-Tunnel1] tunnel protection ipsec profile prf1
 
[RR-Tunnel1] quit
 
[RR] interface tunnel 2
 
[RR-Tunnel2] tunnel protection ipsec profile prf1
 
[RR-Tunnel2] quit
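
The SSL, PKI and IPsec settings in steps 2 and 5 are what protect this design's control channel and tunnel traffic, and several of them are weak: `undo server-verify enable` stops the CPE from verifying the RR's certificate, `undo crl check enable` skips revocation checking, `rsa_aes_256_cbc_sha` has no forward secrecy, and 3des-cbc and md5 are deprecated ESP algorithms. The script below is an added example, not part of the original page or of H3C's tooling: it scans a saved configuration for those settings and traces each SDWAN tunnel to the transform set that protects it. The function names and the sample text (including the deliberately unprotected Tunnel2) are constructed for illustration.

```python
import re

# Constructed sample: SSL, PKI and IPsec fragments in the saved-configuration
# form used on this page. Tunnel2 deliberately lacks its protection line.
SAMPLE_CONFIG = """\
#
interface Tunnel1 mode sdwan udp
 source GigabitEthernet1/0/1
 tunnel protection ipsec profile prf1
#
interface Tunnel2 mode sdwan udp
 source GigabitEthernet1/0/2
#
ssl client-policy plc1
 prefer-cipher rsa_aes_256_cbc_sha
 undo server-verify enable
#
pki domain dm1
 public-key rsa general name dm1 length 2048
 undo crl check enable
#
ipsec transform-set tran1
 encapsulation-mode transport
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec profile prf1 sdwan
 transform-set tran1
#
"""

# Deprecated ESP algorithm keywords. 3des-cbc and md5 appear on the page;
# des-cbc is an addition of this example.
WEAK_ESP = {
    "esp encryption-algorithm": {"3des-cbc", "des-cbc"},
    "esp authentication-algorithm": {"md5"},
}


def parse_sections(text):
    """Split a configuration into (header, [child lines]) sections."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue            # tolerate blank lines between commands
        if line == "#":
            current = None      # '#' closes the current section
        elif current is None or not raw.startswith(" "):
            current = (line, [])
            sections.append(current)
        else:
            current[1].append(line)
    return sections


def audit(text):
    """Return (section header, finding) pairs for weak security settings."""
    sections = parse_sections(text)
    findings, weak_sets, profiles = [], {}, {}
    for header, body in sections:
        words = header.split()
        name = words[2] if len(words) > 2 else ""
        if header.startswith("ssl client-policy "):
            if "undo server-verify enable" in body:
                findings.append((header, "server certificate is not verified"))
            for line in body:
                if line.startswith("prefer-cipher rsa_"):
                    findings.append((header, "static RSA key exchange, no forward secrecy"))
        elif header.startswith("pki domain "):
            if "undo crl check enable" in body:
                findings.append((header, "certificate revocation is not checked"))
        elif header.startswith("ipsec transform-set "):
            weak = [line.split()[-1] for line in body
                    for prefix, bad in WEAK_ESP.items()
                    if line.startswith(prefix) and line.split()[-1] in bad]
            weak_sets[name] = weak
            if weak:
                findings.append((header, "weak ESP algorithms: " + ", ".join(weak)))
        elif header.startswith("ipsec profile "):
            profiles[name] = [line.split()[1] for line in body
                              if line.startswith("transform-set ")]
    # Second pass: tunnels may be listed before the IPsec objects they reference.
    for header, body in sections:
        if not re.match(r"interface tunnel\s*\d+ mode sdwan", header, re.I):
            continue
        used = [line.split()[-1] for line in body
                if line.startswith("tunnel protection ipsec profile ")]
        if not used:
            findings.append((header, "SDWAN tunnel has no IPsec protection"))
        for prof in used:
            for ts in profiles.get(prof, []):
                if weak_sets.get(ts):
                    findings.append((header, f"protected by weak transform set {ts} via profile {prof}"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Any replacement algorithm or cipher suite has to be one the device's software version supports and must be configured identically on CPE 1, CPE 2 and RR.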
 
6. Configure a VPN instance on the CPE devices and connect the CEs to the CPEs.
(1)     Configure CPE 1
 
[CPE1] ip vpn-instance vpn1
 
[CPE1-vpn-instance-vpn1] route-distinguisher 1:1
 
[CPE1-vpn-instance-vpn1] vpn-target 1:1 import-extcommunity
 
[CPE1-vpn-instance-vpn1] vpn-target 1:1 export-extcommunity
 
[CPE1-vpn-instance-vpn1] sdwan vn-id 100
 
[CPE1-vpn-instance-vpn1] quit
 
[CPE1] interface gigabitethernet 1/0/3
 
[CPE1-GigabitEthernet1/0/3] ip binding vpn-instance vpn1
 
[CPE1-GigabitEthernet1/0/3] quit
 
(2)     Configure CPE 2
 
[CPE2] ip vpn-instance vpn1
 
[CPE2-vpn-instance-vpn1] route-distinguisher 1:1
 
[CPE2-vpn-instance-vpn1] vpn-target 1:1 import-extcommunity
 
[CPE2-vpn-instance-vpn1] vpn-target 1:1 export-extcommunity
 
[CPE2-vpn-instance-vpn1] sdwan vn-id 100
 
[CPE2-vpn-instance-vpn1] quit
 
[CPE2] interface gigabitethernet 1/0/3

[CPE2-GigabitEthernet1/0/3] ip binding vpn-instance vpn1

[CPE2-GigabitEthernet1/0/3] quit
 
7. Establish EBGP peering between the CPEs and CEs and import VPN routes.
(1)     Configure CE 1
 
<CE1> system-view
 
[CE1] bgp 200
 
[CE1-bgp-default] peer 10.1.1.1 as-number 100
 
[CE1-bgp-default] address-family ipv4 unicast
 
[CE1-bgp-default-ipv4] peer 10.1.1.1 enable
 
[CE1-bgp-default-ipv4] import-route direct
 
[CE1-bgp-default-ipv4] quit
 
[CE1-bgp-default] quit
 
(2)     Configure CE 2
 
<CE2> system-view
 
[CE2] bgp 300
 
[CE2-bgp-default] peer 20.1.1.1 as-number 100
 
[CE2-bgp-default] address-family ipv4 unicast
 
[CE2-bgp-default-ipv4] peer 20.1.1.1 enable
 
[CE2-bgp-default-ipv4] import-route direct
 
[CE2-bgp-default-ipv4] quit
 
[CE2-bgp-default] quit
 
(3)     Configure CPE 1
 
[CPE1] bgp 100
 
[CPE1-bgp-default] ip vpn-instance vpn1
 
[CPE1-bgp-default-vpn1] peer 10.1.1.2 as-number 200
 
[CPE1-bgp-default-vpn1] address-family ipv4 unicast
 
[CPE1-bgp-default-ipv4-vpn1] peer 10.1.1.2 enable
 
[CPE1-bgp-default-ipv4-vpn1] import-route direct
 
[CPE1-bgp-default-ipv4-vpn1] quit
 
[CPE1-bgp-default-vpn1] quit
 
[CPE1-bgp-default] quit
 
(4)     Configure CPE 2
 
[CPE2] bgp 100
 
[CPE2-bgp-default] ip vpn-instance vpn1
 
[CPE2-bgp-default-vpn1] peer 20.1.1.2 as-number 300
 
[CPE2-bgp-default-vpn1] address-family ipv4 unicast
 
[CPE2-bgp-default-ipv4-vpn1] peer 20.1.1.2 enable
 
[CPE2-bgp-default-ipv4-vpn1] import-route direct
 
[CPE2-bgp-default-ipv4-vpn1] quit
 
[CPE2-bgp-default-vpn1] quit
 
[CPE2-bgp-default] quit
 
8. Advertise the private network routes of the sites by using IP prefix routes.
(1)     CPE 1
 
[CPE1] ip vpn-instance vpn1
 
[CPE1-vpn-instance-vpn1] address-family ipv4
 
[CPE1-vpn-ipv4-vpn1] evpn sdwan routing-enable
 
[CPE1-vpn-ipv4-vpn1] quit
 
[CPE1-vpn-instance-vpn1] quit
 
[CPE1] bgp 100
 
[CPE1-bgp-default] address-family l2vpn evpn
 
[CPE1-bgp-default-evpn] peer 130.1.1.1 enable
 
[CPE1-bgp-default-evpn] peer 130.1.1.1 advertise encap-type sdwan
 
[CPE1-bgp-default-evpn] quit
 
(2)     CPE 2
 
[CPE2] ip vpn-instance vpn1
 
[CPE2-vpn-instance-vpn1] address-family ipv4
 
[CPE2-vpn-ipv4-vpn1] evpn sdwan routing-enable
 
[CPE2-vpn-ipv4-vpn1] quit
 
[CPE2-vpn-instance-vpn1] quit
 
[CPE2] bgp 100
 
[CPE2-bgp-default] address-family l2vpn evpn
 
[CPE2-bgp-default-evpn] peer 130.1.1.1 enable
 
[CPE2-bgp-default-evpn] peer 130.1.1.1 advertise encap-type sdwan
 
[CPE2-bgp-default-evpn] quit
 
9. Configure RR to reflect SDWAN-encapsulated IP prefix routes.
# Configure BGP EVPN route reflection.
 
[RR] bgp 100
 
[RR-bgp-default] address-family l2vpn evpn
 
[RR-bgp-default-evpn] undo policy vpn-target
 
[RR-bgp-default-evpn] peer 110.1.1.1 enable
 
[RR-bgp-default-evpn] peer 110.1.1.1 reflect-client
 
[RR-bgp-default-evpn] peer 110.1.1.1 advertise encap-type sdwan
 
[RR-bgp-default-evpn] peer 120.1.1.1 enable
 
[RR-bgp-default-evpn] peer 120.1.1.1 reflect-client
 
[RR-bgp-default-evpn] peer 120.1.1.1 advertise encap-type sdwan
 
[RR-bgp-default-evpn] quit
 
4.4.3  Configuring RIR-SDWAN
(1)     Configure CPE 1

# Enable the iNQA Collector feature and bind it to Analyzer ID 130.1.1.1.
 
[CPE1] inqa collector
 
[CPE1-inqa-collector] analyzer 130.1.1.1
 
[CPE1-inqa-collector] quit
 
# Enable the RIR-SDWAN service.
 
[CPE1] rir sdwan
 
# Set the link selection delay to 30 seconds and the link selection adjustment period to 60 seconds.
 
[CPE1-rir-sdwan] link-select delay 30
 
[CPE1-rir-sdwan] link-select suppress-period 60
 
# Configure link quality probing.
 
[CPE1-rir-sdwan] link-quality probe interval 30
 
# Create SLA 1 and SLA 2 and configure different link quality thresholds for each.
 
[CPE1-rir-sdwan] sla 1
 
[CPE1-rir-sdwan-sla-1] jitter threshold 20
 
[CPE1-rir-sdwan-sla-1] delay threshold 60
 
[CPE1-rir-sdwan-sla-1] packet-loss threshold 150
 
[CPE1-rir-sdwan-sla-1] quit
 
[CPE1-rir-sdwan] sla 2
 
[CPE1-rir-sdwan-sla-2] jitter threshold 40
 
[CPE1-rir-sdwan-sla-2] delay threshold 120
 
[CPE1-rir-sdwan-sla-2] packet-loss threshold 300
 
[CPE1-rir-sdwan-sla-2] quit
 
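# Create flow template 1 and flow template 2. In each flow template, configure the same link priority for both links, configure the expected per-session bandwidth and the quality policy, and set the CQI weights for delay, jitter, and packet loss to 2, 5, and 7.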
 
[CPE1-rir-sdwan] flow 1
 
[CPE1-rir-sdwan-flow-1] path sdwan transport-network internet1 preference 10
 
[CPE1-rir-sdwan-flow-1] path sdwan transport-network internet2 preference 10
 
[CPE1-rir-sdwan-flow-1] expect-bandwidth 300
 
[CPE1-rir-sdwan-flow-1] quality-policy sla 1
 
[CPE1-rir-sdwan-flow-1] cqi-weight delay 2 jitter 5 packet-loss 7
 
[CPE1-rir-sdwan-flow-1] quit
 
[CPE1-rir-sdwan] flow 2
 
[CPE1-rir-sdwan-flow-2] path sdwan transport-network internet1 preference 20
 
[CPE1-rir-sdwan-flow-2] path sdwan transport-network internet2 preference 20
 
[CPE1-rir-sdwan-flow-2] expect-bandwidth 300
 
[CPE1-rir-sdwan-flow-2] quality-policy sla 2
 
[CPE1-rir-sdwan-flow-2] cqi-weight delay 2 jitter 5 packet-loss 7
 
[CPE1-rir-sdwan-flow-2] quit
 
[CPE1-rir-sdwan] quit
 
# Configure a QoS policy to re-mark traffic and apply it to interface GigabitEthernet1/0/3: packets with DSCP 1 are marked with flow ID 1, and packets with DSCP 2 are marked with flow ID 2.
 
[CPE1] traffic classifier class1
 
[CPE1-classifier-class1] if-match dscp 1
 
[CPE1-classifier-class1] quit
 
[CPE1] traffic classifier class2
 
[CPE1-classifier-class2] if-match dscp 2
 
[CPE1-classifier-class2] quit
 
[CPE1] traffic behavior behav1
 
[CPE1-behavior-behav1] remark flow-id 1
 
[CPE1-behavior-behav1] quit
 
[CPE1] traffic behavior behav2
 
[CPE1-behavior-behav2] remark flow-id 2
 
[CPE1-behavior-behav2] quit
 
[CPE1] qos policy policy1
 
[CPE1-qospolicy-policy1] classifier class1 behavior behav1
 
[CPE1-qospolicy-policy1] classifier class2 behavior behav2
 
[CPE1-qospolicy-policy1] quit
 
[CPE1] interface gigabitethernet 1/0/3
 
[CPE1-GigabitEthernet1/0/3] qos apply policy policy1 inbound
 
[CPE1-GigabitEthernet1/0/3] quit
 
(2)     Configure CPE 2

# Enable the iNQA Collector feature and bind it to Analyzer ID 130.1.1.1.
 
[CPE2] inqa collector
 
[CPE2-inqa-collector] analyzer 130.1.1.1
 
[CPE2-inqa-collector] quit
 
# Enable the RIR-SDWAN service.
 
[CPE2] rir sdwan
 
# Set the link selection delay to 30 seconds and the link selection adjustment period to 60 seconds.
 
[CPE2-rir-sdwan] link-select delay 30
 
[CPE2-rir-sdwan] link-select suppress-period 60
 
# Configure link quality probing.
 
[CPE2-rir-sdwan] link-quality probe interval 30
 
# Create SLA 1 and SLA 2 and configure different link quality thresholds for each.
 
[CPE2-rir-sdwan] sla 1
 
[CPE2-rir-sdwan-sla-1] jitter threshold 20
 
[CPE2-rir-sdwan-sla-1] delay threshold 60
 
[CPE2-rir-sdwan-sla-1] packet-loss threshold 150
 
[CPE2-rir-sdwan-sla-1] quit
 
[CPE2-rir-sdwan] sla 2
 
[CPE2-rir-sdwan-sla-2] jitter threshold 40
 
[CPE2-rir-sdwan-sla-2] delay threshold 120
 
[CPE2-rir-sdwan-sla-2] packet-loss threshold 300
 
[CPE2-rir-sdwan-sla-2] quit
 
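# Create flow template 1 and flow template 2. In each flow template, configure the same link priority for both links, configure the expected per-session bandwidth and the quality policy, and set the CQI weights for delay, jitter, and packet loss to 2, 5, and 7.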
 
[CPE2-rir-sdwan] flow 1
 
[CPE2-rir-sdwan-flow-1] path sdwan transport-network internet1 preference 10
 
[CPE2-rir-sdwan-flow-1] path sdwan transport-network internet2 preference 10
 
[CPE2-rir-sdwan-flow-1] expect-bandwidth 300
 
[CPE2-rir-sdwan-flow-1] quality-policy sla 1
 
[CPE2-rir-sdwan-flow-1] cqi-weight delay 2 jitter 5 packet-loss 7
 
[CPE2-rir-sdwan-flow-1] quit
 
[CPE2-rir-sdwan] flow 2
 
[CPE2-rir-sdwan-flow-2] path sdwan transport-network internet1 preference 20
 
[CPE2-rir-sdwan-flow-2] path sdwan transport-network internet2 preference 20
 
[CPE2-rir-sdwan-flow-2] expect-bandwidth 300
 
[CPE2-rir-sdwan-flow-2] quality-policy sla 2
 
[CPE2-rir-sdwan-flow-2] cqi-weight delay 2 jitter 5 packet-loss 7
 
[CPE2-rir-sdwan-flow-2] quit
 
[CPE2-rir-sdwan] quit
 
# Configure a QoS policy to re-mark traffic and apply it to interface GigabitEthernet1/0/3: packets with DSCP 1 are marked with flow ID 1, and packets with DSCP 2 are marked with flow ID 2.
 
[CPE2] traffic classifier class1
 
[CPE2-classifier-class1] if-match dscp 1
 
[CPE2-classifier-class1] quit
 
[CPE2] traffic classifier class2
 
[CPE2-classifier-class2] if-match dscp 2
 
[CPE2-classifier-class2] quit
 
[CPE2] traffic behavior behav1
 
[CPE2-behavior-behav1] remark flow-id 1
 
[CPE2-behavior-behav1] quit
 
[CPE2] traffic behavior behav2
 
[CPE2-behavior-behav2] remark flow-id 2
 
[CPE2-behavior-behav2] quit
 
[CPE2] qos policy policy1
 
[CPE2-qospolicy-policy1] classifier class1 behavior behav1
 
[CPE2-qospolicy-policy1] classifier class2 behavior behav2
 
[CPE2-qospolicy-policy1] quit
 
[CPE2] interface gigabitethernet 1/0/3
 
[CPE2-GigabitEthernet1/0/3] qos apply policy policy1 inbound
 
[CPE2-GigabitEthernet1/0/3] quit
 
(3)     Configure RR

# Enable the iNQA Analyzer feature and set the Analyzer ID to 130.1.1.1.
 
[RR] inqa analyzer
 
[RR-inqa-analyzer] analyzer id 130.1.1.1
 
[RR-inqa-analyzer] quit
 
# Enable the iNQA Collector feature and bind it to Analyzer ID 130.1.1.1.
 
[RR] inqa collector
 
[RR-inqa-collector] analyzer 130.1.1.1
 
[RR-inqa-collector] quit
 
# Enable the RIR-SDWAN service.
 
[RR] rir sdwan
 
# Set the link selection delay to 30 seconds and the link selection adjustment period to 60 seconds.
 
[RR-rir-sdwan] link-select delay 30
 
[RR-rir-sdwan] link-select suppress-period 60
 
# Configure link quality probing.
 
[RR-rir-sdwan] link-quality probe interval 30
 
# Create SLA 1 and SLA 2 and configure different link quality thresholds for each.
 
[RR-rir-sdwan] sla 1
 
[RR-rir-sdwan-sla-1] jitter threshold 20
 
[RR-rir-sdwan-sla-1] delay threshold 60
 
[RR-rir-sdwan-sla-1] packet-loss threshold 150
 
[RR-rir-sdwan-sla-1] quit
 
[RR-rir-sdwan] sla 2
 
[RR-rir-sdwan-sla-2] jitter threshold 40
 
[RR-rir-sdwan-sla-2] delay threshold 120
 
[RR-rir-sdwan-sla-2] packet-loss threshold 300
 
[RR-rir-sdwan-sla-2] quit
 
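# Create flow template 1 and flow template 2. In each flow template, configure the link priorities, the expected per-session bandwidth, and the quality policy, and set the CQI weights for delay, jitter, and packet loss to 2, 5, and 7.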
 
[RR-rir-sdwan] flow 1
 
[RR-rir-sdwan-flow-1] path sdwan transport-network internet1 preference 10
 
[RR-rir-sdwan-flow-1] path sdwan transport-network internet2 preference 20
 
[RR-rir-sdwan-flow-1] expect-bandwidth 300
 
[RR-rir-sdwan-flow-1] quality-policy sla 1
 
[RR-rir-sdwan-flow-1] cqi-weight delay 2 jitter 5 packet-loss 7
 
[RR-rir-sdwan-flow-1] quit
 
[RR-rir-sdwan] flow 2
 
[RR-rir-sdwan-flow-2] path sdwan transport-network internet1 preference 20
 
[RR-rir-sdwan-flow-2] path sdwan transport-network internet2 preference 10
 
[RR-rir-sdwan-flow-2] expect-bandwidth 300
 
[RR-rir-sdwan-flow-2] quality-policy sla 2
 
[RR-rir-sdwan-flow-2] cqi-weight delay 2 jitter 5 packet-loss 7
 
[RR-rir-sdwan-flow-2] quit
 
[RR-rir-sdwan] quit
 
# Configure a QoS policy to re-mark traffic and apply it to interface GigabitEthernet1/0/3: packets with DSCP 1 are marked with flow ID 1, and packets with DSCP 2 are marked with flow ID 2.
 
[RR] traffic classifier class1
 
[RR-classifier-class1] if-match dscp 1
 
[RR-classifier-class1] quit
 
[RR] traffic classifier class2
 
[RR-classifier-class2] if-match dscp 2
 
[RR-classifier-class2] quit
 
[RR] traffic behavior behav1
 
[RR-behavior-behav1] remark flow-id 1
 
[RR-behavior-behav1] quit
 
[RR] traffic behavior behav2
 
[RR-behavior-behav2] remark flow-id 2
 
[RR-behavior-behav2] quit
 
[RR] qos policy policy1
 
[RR-qospolicy-policy1] classifier class1 behavior behav1
 
[RR-qospolicy-policy1] classifier class2 behavior behav2
 
[RR-qospolicy-policy1] quit
 
[RR] interface gigabitethernet 1/0/3
 
[RR-GigabitEthernet1/0/3] qos apply policy policy1 inbound
 
[RR-GigabitEthernet1/0/3] quit
 
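4.4.4  Enabling flow ID-based traffic rate statistics on tunnels
(1)     Configure CPE 1

# Enable flow ID-based traffic rate statistics on tunnels and set the statistics interval to 5 seconds.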
 
[CPE1] tunnel flow-statistics enable
 
[CPE1] tunnel flow-statistics interval 5
 
(2)     Configure CPE 2

# Enable flow ID-based traffic rate statistics on tunnels and set the statistics interval to 5 seconds.
 
[CPE2] tunnel flow-statistics enable
 
[CPE2] tunnel flow-statistics interval 5
 
(3)     Configure RR

# Enable flow ID-based traffic rate statistics on tunnels and set the statistics interval to 5 seconds.
 
[RR] tunnel flow-statistics enable
 
[RR] tunnel flow-statistics interval 5
 
4.4.5  Configuring NTP
(1)     Configure CPE 1

# Enable the NTP service.
 
<CPE1> system-view
 
[CPE1] ntp-service enable
 
# Obtain the system time through NTP.
 
[CPE1] clock protocol ntp
 
# Specify RR as the NTP server for CPE 1.
 
[CPE1] ntp-service unicast-server 3.3.3.3
 
(2)     Configure CPE 2

# Enable the NTP service.
 
<CPE2> system-view
 
[CPE2] ntp-service enable
 
# Obtain the system time through NTP.
 
[CPE2] clock protocol ntp
 
# Specify RR as the NTP server for CPE 2.
 
[CPE2] ntp-service unicast-server 3.3.3.3
 
(3)     Configure RR

# Enable the NTP service.
 
[RR] ntp-service enable
 
# Use the local clock as the reference clock, at stratum 2.
 
[RR] ntp-service refclock-master 2
 
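4.5  Verifying the configuration
(1)     Check CPE 1

# Using CPE 1 as an example, display the TTE connection information on the device. CPE 1 has established TTE connections with both RR and CPE 2.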
 
[CPE1] display sdwan tte connection
 
Destination SiteID/DevID/IfID/SysIP: 2/1/30/120.1.1.1
 
Destination IP/port: 21.1.1.1/3000
 
Source SiteID/DevID/IfID/SysIP: 1/1/30/110.1.1.1
 
Source IP/port: 11.1.1.1/3000
 
Created at: 2023/03/06 14:23:43
 
Status: Reachable
 
State changed at: 2023/03/06 14:23:43
 
 
 
Destination SiteID/DevID/IfID/SysIP: 2/1/40/120.1.1.1
 
Destination IP/port: 22.1.1.1/3000
 
Source SiteID/DevID/IfID/SysIP: 1/1/40/110.1.1.1
 
Source IP/port: 12.1.1.1/3000
 
Created at: 2023/03/06 14:23:43
 
Status: Reachable
 
State changed at: 2023/03/06 14:23:43
 
 
 
Destination SiteID/DevID/IfID/SysIP: 3/1/30/130.1.1.1
 
Destination IP/port: 31.1.1.1/3000
 
Source SiteID/DevID/IfID/SysIP: 1/1/30/110.1.1.1
 
Source IP/port: 11.1.1.1/3000
 
Created at: 2023/03/06 14:23:34
 
Status: Reachable
 
State changed at: 2023/03/06 14:23:45
 
 
 
Destination SiteID/DevID/IfID/SysIP: 3/1/40/130.1.1.1
 
Destination IP/port: 32.1.1.1/3000
 
Source SiteID/DevID/IfID/SysIP: 1/1/40/110.1.1.1
 
Source IP/port: 12.1.1.1/3000
 
Created at: 2023/03/06 14:23:34
 
Status: Reachable
 
State changed at: 2023/03/06 14:23:34
 
 
 
Number of connections: 4
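
With IPsec-protected tunnels over two transports, a missing or non-Reachable TTE connection means traffic silently loses one path, so this check is worth automating. The parser below is an added example, not part of the original page: it reads `display sdwan tte connection` output in the format shown above and reports which expected (peer site, interface ID) pairs are absent or not Reachable. The function names, the `EXPECTED_ON_CPE1` set and the shortened sample are constructed for illustration.

```python
# Constructed sample: three of the four records from the output on this page,
# with the Site 3 / IfID 40 record removed to show how a gap is reported.
SAMPLE_OUTPUT = """\
Destination SiteID/DevID/IfID/SysIP: 2/1/30/120.1.1.1
Destination IP/port: 21.1.1.1/3000
Source SiteID/DevID/IfID/SysIP: 1/1/30/110.1.1.1
Source IP/port: 11.1.1.1/3000
Created at: 2023/03/06 14:23:43
Status: Reachable
State changed at: 2023/03/06 14:23:43

Destination SiteID/DevID/IfID/SysIP: 2/1/40/120.1.1.1
Destination IP/port: 22.1.1.1/3000
Source SiteID/DevID/IfID/SysIP: 1/1/40/110.1.1.1
Source IP/port: 12.1.1.1/3000
Created at: 2023/03/06 14:23:43
Status: Reachable
State changed at: 2023/03/06 14:23:43

Destination SiteID/DevID/IfID/SysIP: 3/1/30/130.1.1.1
Destination IP/port: 31.1.1.1/3000
Source SiteID/DevID/IfID/SysIP: 1/1/30/110.1.1.1
Source IP/port: 11.1.1.1/3000
Created at: 2023/03/06 14:23:34
Status: Reachable
State changed at: 2023/03/06 14:23:45

Number of connections: 3
"""

DEST_KEY = "Destination SiteID/DevID/IfID/SysIP"

# On CPE 1 (Site1) the page expects tunnels to Site2 and Site3 on both
# interface IDs (30 = Tunnel 1, 40 = Tunnel 2).
EXPECTED_ON_CPE1 = {(2, 30), (2, 40), (3, 30), (3, 40)}


def parse_tte(text):
    """Return (list of connection dicts, connection count reported by the device)."""
    conns, declared = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(": ")
        if not sep:
            continue                      # blank line or prompt
        if key == "Number of connections":
            declared = int(value)
        elif key == DEST_KEY:             # each record starts with this line
            site, dev, ifid, sysip = value.split("/")
            conns.append({"site": int(site), "dev": int(dev),
                          "ifid": int(ifid), "sysip": sysip})
        elif conns:
            conns[-1][key] = value        # remaining fields of the current record
    return conns, declared


def check_tte(text, expected):
    """List problems: truncated output, non-Reachable links, missing links."""
    conns, declared = parse_tte(text)
    problems = []
    if declared is not None and declared != len(conns):
        problems.append(f"parsed {len(conns)} records but device reports {declared}")
    for c in conns:
        if c.get("Status") != "Reachable":
            problems.append(f"site {c['site']} IfID {c['ifid']}: status {c.get('Status')}")
    seen = {(c["site"], c["ifid"]) for c in conns}
    for site, ifid in sorted(expected - seen):
        problems.append(f"no TTE connection to site {site} over IfID {ifid}")
    return problems


if __name__ == "__main__":
    for problem in check_tte(SAMPLE_OUTPUT, EXPECTED_ON_CPE1):
        print(problem)
```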
 
# Using CPE 1 as an example, execute the display ip routing-table vpn-instance command on the device. The output contains the routes to the remote CE 2.
 
[CPE1] display ip routing-table vpn-instance vpn1
 
 
 
Destinations : 13       Routes : 13
 
 
 
Destination/Mask   Proto   Pre Cost        NextHop         Interface
 
0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0
 
4.4.4.4/32         BGP     255 0           10.1.1.2        GE1/0/3
 
5.5.5.5/32         BGP     255 0           120.1.1.1       Tun2
 
                   BGP     255 0           120.1.1.1       Tun1
 
10.1.1.0/24        Direct  0   0           10.1.1.1        GE1/0/3
 
10.1.1.1/32        Direct  0   0           127.0.0.1       InLoop0
 
10.1.1.255/32      Direct  0   0           10.1.1.1        GE1/0/3
 
20.1.1.0/24        BGP     255 0           120.1.1.1       Tun2
 
                   BGP     255 0           120.1.1.1       Tun1
 
127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0
 
127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0
 
127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
 
224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0
 
224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0
 
255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
 
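Initiate only UDP traffic from Branch 1 to the Data Center (the traffic consists of multiple sessions, that is, service flows with different 5-tuples) with DSCP value 1. Display the flow ID-based traffic rate statistics for the tunnels: both Tunnel 1 and Tunnel 2 carry traffic under flow template 1. This shows that the device uses flow template 1 to select links in load-sharing mode for service traffic with DSCP value 1.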
 
[CPE1] display tunnel flow-statistics
 
Flow 1:
 
  Interface    Out pps       Out bps
 
  Tunnel1      30            300000
 
  Tunnel2      30            300000
 
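Initiate only UDP traffic from Branch 1 to the Data Center (the traffic consists of multiple sessions, that is, service flows with different 5-tuples) with DSCP value 2. Display the flow ID-based traffic rate statistics for the tunnels: both Tunnel 1 and Tunnel 2 carry traffic under flow template 2. This shows that the device uses flow template 2 to select links in load-sharing mode for service traffic with DSCP value 2.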
 
[CPE1] display tunnel flow-statistics
 
Flow 2:
 
  Interface    Out pps       Out bps
 
  Tunnel1      30            300000
 
  Tunnel2      30            300000
 
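(2)     Check CPE 2

CPE 2 is similar to CPE 1 and is not described here.

(3)     Check RR

Initiate only UDP traffic from the Data Center to Branch 1 (the traffic consists of multiple sessions, that is, service flows with different 5-tuples) with DSCP value 1. Display the flow ID-based traffic rate statistics for the tunnels: only Tunnel 1 carries traffic under flow template 1. This shows that the device uses flow template 1 and prefers Tunnel 1 for service traffic with DSCP value 1.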
 
[RR] display tunnel flow-statistics
 
Flow 1:
 
  Interface    Out pps       Out bps
 
  Tunnel1      30            300000
 
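Initiate only UDP traffic from the Data Center to Branch 1 (the traffic consists of multiple sessions, that is, service flows with different 5-tuples) with DSCP value 2. Display the flow ID-based traffic rate statistics for the tunnels: only Tunnel 2 carries traffic under flow template 2. This shows that the device uses flow template 2 and prefers Tunnel 2 for service traffic with DSCP value 2.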
 
[RR] display tunnel flow-statistics
 
Flow 2:
 
  Interface    Out pps       Out bps
 
  Tunnel2      30            300000
 
4.6  Configuration files
CE 1:
 
#
 
interface LoopBack0
 
 ip address 4.4.4.4 255.255.255.255
 
#
 
interface GigabitEthernet1/0/3
 
 port link-mode route
 
 combo enable copper
 
 ip address 10.1.1.2 255.255.255.0
 
#
 
bgp 200
 
 peer 10.1.1.1 as-number 100
 
 #
 
 address-family ipv4 unicast
 
  import-route direct
 
  peer 10.1.1.1 enable
 
#
 
CE 2:
 
#
 
interface LoopBack0
 
 ip address 5.5.5.5 255.255.255.255
 
#
 
interface GigabitEthernet1/0/3
 
 port link-mode route
 
 combo enable copper
 
 ip address 20.1.1.2 255.255.255.0
 
#
 
bgp 300
 
 peer 20.1.1.1 as-number 100
 
 #
 
 address-family ipv4 unicast
 
  import-route direct
 
  peer 20.1.1.1 enable
 
#
 
CPE 1:
 
#
 
ip vpn-instance vpn1
 
 route-distinguisher 1:1
 
 vpn-target 1:1 import-extcommunity
 
 vpn-target 1:1 export-extcommunity
 
 sdwan vn-id 100
 
 #
 
 address-family ipv4
 
  evpn sdwan routing-enable
 
#
 
 tunnel flow-statistics enable
 
 tunnel flow-statistics interval 5
 
#
 
ospf 1
 
 area 0.0.0.0
 
  network 11.1.1.0 0.0.0.255
 
  network 12.1.1.0 0.0.0.255
 
#
 
rir sdwan
 
 link-quality probe interval 30
 
 link-select delay 30
 
 link-select suppress-period 60
 
 sla 1
 
  jitter threshold 20
 
  delay threshold 60
 
  packet-loss threshold 150
 
 sla 2
 
  jitter threshold 40
 
  delay threshold 120
 
  packet-loss threshold 300
 
 flow 1
 
  quality-policy sla 1
 
  expect-bandwidth 300
 
  cqi-weight delay 2 jitter 5 packet-loss 7
 
  path sdwan transport-network internet1 preference 10
 
  path sdwan transport-network internet2 preference 10
 
 flow 2
 
  quality-policy sla 2
 
  expect-bandwidth 300
 
  cqi-weight delay 2 jitter 5 packet-loss 7
 
  path sdwan transport-network internet1 preference 20
 
  path sdwan transport-network internet2 preference 20
 
#
 
inqa collector
 
 analyzer 130.1.1.1
 
#
 
traffic classifier class1 operator and
 
 if-match dscp 1
 
#
 
traffic classifier class2 operator and
 
 if-match dscp 2
 
#
 
traffic behavior behav1
 
 remark flow-id 1
 
#
 
traffic behavior behav2
 
 remark flow-id 2
 
#
 
qos policy policy1
 
 classifier class1 behavior behav1
 
 classifier class2 behavior behav2
 
#
 
interface LoopBack10
 
 ip address 110.1.1.1 255.255.255.255
 
#
 
interface GigabitEthernet1/0/1
 
 port link-mode route
 
 combo enable copper
 
 ip address 11.1.1.1 255.255.255.0
 
#
 
interface GigabitEthernet1/0/2
 
 port link-mode route
 
 combo enable copper
 
 ip address 12.1.1.1 255.255.255.0
 
#
 
interface GigabitEthernet1/0/3
 
 port link-mode route
 
 combo enable copper
 
 ip binding vpn-instance vpn1
 
 ip address 10.1.1.1 255.255.255.0
 
 qos apply policy policy1 inbound
 
#
 
interface Tunnel1 mode sdwan udp
 
 ip address unnumbered interface GigabitEthernet1/0/1
 
 source GigabitEthernet1/0/1
 
 tunnel out-interface GigabitEthernet1/0/1
 
 tunnel protection ipsec profile prf1
 
 sdwan interface-id 30
 
 sdwan routing-domain rd1 id 10
 
 sdwan transport-network internet1 id 10
 
#
 
interface Tunnel2 mode sdwan udp
 
 ip address unnumbered interface GigabitEthernet1/0/2
 
 source GigabitEthernet1/0/2
 
 tunnel out-interface GigabitEthernet1/0/2
 
 tunnel protection ipsec profile prf1
 
 sdwan interface-id 40
 
 sdwan routing-domain rd2 id 20
 
 sdwan transport-network internet2 id 20
 
#
 
bgp 100
 
 peer 130.1.1.1 as-number 100
 
 peer 130.1.1.1 connect-interface LoopBack10
 
 #
 
 address-family ipv4 tnl-encap-ext
 
  peer 130.1.1.1 enable
 
 #
 
 address-family l2vpn evpn
 
  peer 130.1.1.1 enable
 
  peer 130.1.1.1 advertise encap-type sdwan
 
 #
 
 ip vpn-instance vpn1
 
  peer 10.1.1.2 as-number 200
 
  #
 
  address-family ipv4 unicast
 
   import-route direct
 
   peer 10.1.1.2 enable
 
#
 
 ntp-service enable
 
 ntp-service unicast-server 3.3.3.3
 
#
 
ssl client-policy plc1
 
 prefer-cipher rsa_aes_256_cbc_sha
 
 undo server-verify enable
 
#
 
ipsec transform-set tran1
 
 encapsulation-mode transport
 
 esp encryption-algorithm 3des-cbc
 
 esp authentication-algorithm md5
 
#
 
ipsec profile prf1 sdwan
 
 transform-set tran1
 
#
 
 sdwan site-id 1
 
 sdwan site-name Site1
 
 sdwan device-id 1
 
 sdwan encapsulation global-udp-port 3000
 
 sdwan system-ip LoopBack10
 
 sdwan site-role cpe
 
 sdwan ssl-client-policy plc1
 
 sdwan server system-ip 130.1.1.1 ip 31.1.1.1 port 4000
 
#
 
CPE 2
 
#
 
ip vpn-instance vpn1
 
 route-distinguisher 1:1
 
 vpn-target 1:1 import-extcommunity
 
 vpn-target 1:1 export-extcommunity
 
 sdwan vn-id 100
 
 #
 
 address-family ipv4
 
  evpn sdwan routing-enable
 
#
 
 tunnel flow-statistics enable
 
 tunnel flow-statistics interval 5
 
#
 
ospf 1
 
 area 0.0.0.0
 
  network 21.1.1.0 0.0.0.255
 
  network 22.1.1.0 0.0.0.255
 
#
 
rir sdwan
 
 link-quality probe interval 30
 
 link-select delay 30
 
 link-select suppress-period 60
 
 sla 1
 
  jitter threshold 20
 
  delay threshold 60
 
  packet-loss threshold 150
 
 sla 2
 
  jitter threshold 40
 
  delay threshold 120
 
  packet-loss threshold 300
 
 flow 1
 
  quality-policy sla 1
 
  expect-bandwidth 300
 
  cqi-weight delay 2 jitter 5 packet-loss 7
 
  path sdwan transport-network internet1 preference 10
 
  path sdwan transport-network internet2 preference 10
 
 flow 2
 
  quality-policy sla 2
 
  expect-bandwidth 300
 
  cqi-weight delay 2 jitter 5 packet-loss 7
 
  path sdwan transport-network internet1 preference 20
 
  path sdwan transport-network internet2 preference 20
 
#
 
inqa collector
 
 analyzer 130.1.1.1
 
#
 
traffic classifier class1 operator and
 
 if-match dscp 1
 
#
 
traffic classifier class2 operator and
 
 if-match dscp 2
 
#
 
traffic behavior behav1
 
 remark flow-id 1
 
#
 
traffic behavior behav2
 
 remark flow-id 2
 
#
 
qos policy policy1
 
 classifier class1 behavior behav1
 
 classifier class2 behavior behav2
 
#
 
interface LoopBack10
 
 ip address 120.1.1.1 255.255.255.255
 
#
 
interface GigabitEthernet1/0/1
 
 port link-mode route
 
 combo enable copper
 
 ip address 21.1.1.1 255.255.255.0
 
#
 
interface GigabitEthernet1/0/2
 
 port link-mode route
 
 combo enable copper
 
 ip address 22.1.1.1 255.255.255.0
 
#
 
interface GigabitEthernet1/0/3
 
 port link-mode route
 
 combo enable copper
 
 ip binding vpn-instance vpn1
 
 ip address 20.1.1.1 255.255.255.0
 
 qos apply policy policy1 inbound
 
#
 
interface Tunnel1 mode sdwan udp
 
 ip address unnumbered interface GigabitEthernet1/0/1
 
 source GigabitEthernet1/0/1
 
 tunnel out-interface GigabitEthernet1/0/1
 
 tunnel protection ipsec profile prf1
 
 sdwan interface-id 30
 
 sdwan routing-domain rd1 id 10
 
 sdwan transport-network internet1 id 10
 
#
 
interface Tunnel2 mode sdwan udp
 
 ip address unnumbered interface GigabitEthernet1/0/2
 
 source GigabitEthernet1/0/2
 
 tunnel out-interface GigabitEthernet1/0/2
 
 tunnel protection ipsec profile prf1
 
 sdwan interface-id 40
 
 sdwan routing-domain rd2 id 20
 
 sdwan transport-network internet2 id 20
 
#
 
bgp 100
 
 peer 130.1.1.1 as-number 100
 
 peer 130.1.1.1 connect-interface LoopBack10
 
 #
 
 address-family ipv4 unicast
 
 #
 
 address-family ipv4 tnl-encap-ext
 
  peer 130.1.1.1 enable
 
 #
 
 address-family l2vpn evpn
 
  peer 130.1.1.1 enable
 
  peer 130.1.1.1 advertise encap-type sdwan
 
 #
 
 ip vpn-instance vpn1
 
  peer 20.1.1.2 as-number 300
 
  #
 
  address-family ipv4 unicast
 
   import-route direct
 
   peer 20.1.1.2 enable
 
#
 
 ntp-service enable
 
 ntp-service unicast-server 3.3.3.3
 
#
 
ssl client-policy plc1
 
 prefer-cipher rsa_aes_256_cbc_sha
 
 undo server-verify enable
 
#
 
ipsec transform-set tran1
 
 encapsulation-mode transport
 
 esp encryption-algorithm 3des-cbc
 
 esp authentication-algorithm md5
 
#
 
ipsec profile prf1 sdwan
 
 transform-set tran1
 
#
 
 sdwan site-id 2
 
 sdwan site-name Site2
 
 sdwan device-id 1
 
 sdwan encapsulation global-udp-port 3000
 
 sdwan system-ip LoopBack10
 
 sdwan site-role cpe
 
 sdwan ssl-client-policy plc1
 
 sdwan server system-ip 130.1.1.1 ip 31.1.1.1 port 4000
 
#
 
RR
 
#
 
 tunnel flow-statistics enable
 
 tunnel flow-statistics interval 5
 
#
 
ospf 1
 
 area 0.0.0.0
 
  network 3.3.3.3 0.0.0.0
 
  network 31.1.1.0 0.0.0.255
 
  network 32.1.1.0 0.0.0.255
 
#
 
rir sdwan
 
 link-quality probe interval 30
 
 link-select delay 30
 
 link-select suppress-period 60
 
 sla 1
 
  jitter threshold 20
 
  delay threshold 60
 
  packet-loss threshold 150
 
 sla 2
 
  jitter threshold 40
 
  delay threshold 120
 
  packet-loss threshold 300
 
 flow 1
 
  quality-policy sla 1
 
  expect-bandwidth 300
 
  cqi-weight delay 2 jitter 5 packet-loss 7
 
  path sdwan transport-network internet1 preference 10
 
  path sdwan transport-network internet2 preference 20
 
 flow 2
 
  quality-policy sla 2
 
  expect-bandwidth 300
 
  cqi-weight delay 2 jitter 5 packet-loss 7
 
  path sdwan transport-network internet1 preference 20
 
  path sdwan transport-network internet2 preference 10
 
#
 
inqa analyzer
 
 analyzer id 130.1.1.1
 
#
 
inqa collector
 
 analyzer 130.1.1.1
 
#
 
traffic classifier class1 operator and
 
 if-match dscp 1
 
#
 
traffic classifier class2 operator and
 
 if-match dscp 2
 
#
 
traffic behavior behav1
 
 remark flow-id 1
 
#
 
traffic behavior behav2
 
 remark flow-id 2
 
#
 
qos policy policy1
 
 classifier class1 behavior behav1
 
 classifier class2 behavior behav2
 
#
 
interface LoopBack1
 
 ip address 3.3.3.3 255.255.255.255
 
#
 
interface LoopBack10
 
 ip address 130.1.1.1 255.255.255.255
 
#
 
interface GigabitEthernet1/0/1
 
 port link-mode route
 
 combo enable copper
 
 ip address 31.1.1.1 255.255.255.0
 
#
 
interface GigabitEthernet1/0/2
 
 port link-mode route
 
 combo enable copper
 
 ip address 32.1.1.1 255.255.255.0
 
#
 
interface GigabitEthernet1/0/3
 
 port link-mode route
 
 combo enable copper
 
 qos apply policy policy1 inbound
 
#
 
interface Tunnel1 mode sdwan udp
 
 ip address unnumbered interface GigabitEthernet1/0/1
 
 source GigabitEthernet1/0/1
 
 tunnel out-interface GigabitEthernet1/0/1
 
 tunnel protection ipsec profile prf1
 
 sdwan interface-id 30
 
 sdwan routing-domain rd1 id 10
 
 sdwan transport-network internet1 id 10
 
#
 
interface Tunnel2 mode sdwan udp
 
 ip address unnumbered interface GigabitEthernet1/0/2
 
 source GigabitEthernet1/0/2
 
 tunnel out-interface GigabitEthernet1/0/2
 
 tunnel protection ipsec profile prf1
 
 sdwan interface-id 40
 
 sdwan routing-domain rd2 id 20
 
 sdwan transport-network internet2 id 20
 
#
 
bgp 100
 
 peer 110.1.1.1 as-number 100
 
 peer 110.1.1.1 connect-interface LoopBack10
 
 peer 120.1.1.1 as-number 100
 
 peer 120.1.1.1 connect-interface LoopBack10
 
 #
 
 address-family ipv4 tnl-encap-ext
 
  peer 110.1.1.1 enable
 
  peer 110.1.1.1 reflect-client
 
  peer 120.1.1.1 enable
 
  peer 120.1.1.1 reflect-client
 
 #
 
 address-family l2vpn evpn
 
  undo policy vpn-target
 
  peer 110.1.1.1 enable
 
  peer 110.1.1.1 reflect-client
 
  peer 110.1.1.1 advertise encap-type sdwan
 
  peer 120.1.1.1 enable
 
  peer 120.1.1.1 reflect-client
 
  peer 120.1.1.1 advertise encap-type sdwan
 
#
 
 ntp-service enable
 
 ntp-service refclock-master 2
 
#
 
pki domain dm1
 
 public-key rsa general name dm1 length 2048
 
 undo crl check enable
 
#
 
ssl server-policy plc1
 
 pki-domain dm1
 
#
 
ipsec transform-set tran1
 
 encapsulation-mode transport
 
 esp encryption-algorithm 3des-cbc
 
 esp authentication-algorithm md5
 
#
 
ipsec profile prf1 sdwan
 
 transform-set tran1
 
#
 
 sdwan site-id 3
 
 sdwan site-name Site3
 
 sdwan device-id 1
 
 sdwan encapsulation global-udp-port 3000
 
 sdwan system-ip LoopBack10
 
 sdwan site-role rr
 
 sdwan server port 4000
 
 sdwan server enable
 
#
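The configuration files above disable SSL server certificate verification (`undo server-verify enable`) and CRL checking (`undo crl check enable`), and protect the tunnels with `3des-cbc` and `md5`. The following is an added example, not part of the original page or of any H3C tooling: it scans configuration text in the format shown above and reports those commands together with the view they appear in. `SAMPLE` is constructed from stanzas in the CPE and RR files; the rule list and the function name `audit` are assumptions of this example.

```python
import re

# Constructed sample: security-relevant stanzas excerpted from the CPE and RR
# configuration files on this page (CPE: ssl client-policy; RR: pki domain).
SAMPLE = """\
#
ssl client-policy plc1
 prefer-cipher rsa_aes_256_cbc_sha
 undo server-verify enable
#
pki domain dm1
 public-key rsa general name dm1 length 2048
 undo crl check enable
#
ipsec transform-set tran1
 encapsulation-mode transport
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
 sdwan site-role rr
#
"""

# (pattern for one stripped command, why a reviewer should flag it)
RULES = [
    (r"undo server-verify enable$", "SSL client skips server certificate verification"),
    (r"undo crl check enable$", "PKI domain skips certificate revocation (CRL) checks"),
    (r"esp encryption-algorithm (3des|des)-cbc$", "ESP uses a legacy 64-bit block cipher"),
    (r"esp authentication-algorithm md5$", "ESP integrity relies on HMAC-MD5"),
    (r"prefer-cipher rsa_\S+_cbc_sha$", "TLS suite: RSA key exchange, CBC mode, SHA-1 MAC"),
]

def audit(config_text):
    """Return (view, command, reason) for each flagged command."""
    findings, view = [], "(system view)"
    for raw in config_text.splitlines():
        cmd = raw.strip()
        if raw.startswith("#"):          # unindented '#' closes the current view
            view = "(system view)"
        elif cmd and cmd != "#":
            if not raw[0].isspace():     # unindented command opens a view
                view = cmd
            findings += [(view, cmd, why) for pat, why in RULES if re.match(pat, cmd)]
    return findings

if __name__ == "__main__":
    for view, cmd, why in audit(SAMPLE):
        print(f"{view}: {cmd} -> {why}")
```

Each reported command is a setting to re-enable or to replace with a stronger algorithm, subject to what the device's software release supports.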