Hub-and-Spoke on Huawei or how to connect sites with different IGPs together


Recently, I came across guides on setting up Huawei devices on the internet. Mostly for beginners, but since I’ve wanted to work with this vendor for a while, I thought, why not give it a try? To make it more interesting, I decided to complicate things a bit and set up my own lab. If you’re curious about the outcome, feel free to take a look below.

Let’s start by setting the task: we have a head office, two branches, and our goal is to "link" them together. In other words, make the branches visible to each other through the head office. We will build a hub-and-spoke topology.

Each branch runs its own IGP. One branch uses IS-IS, while the other and the head office use OSPF.

We will build it in EVE-NG, using the Huawei AR1000v image as the border router and the Huawei CloudEngine 6800 image as the L3 aggregation switch.

The solution will be as follows:

  1. Configure IGP in the branches and head office

  2. Build tunnels between the branches and office

  3. Raise BGP sessions on tunnel interfaces

  4. Redistribute IGP into BGP

  5. Filter received prefixes

  6. Check connectivity

Below is an L3 diagram with addressing

1. Configure addressing and IGP

The addressing on the external interfaces is fictional and was chosen for convenience of display.

Border01-HQ01

display current-configuration
#
sysname Border01-HQ01
#
acl number 2000
 rule 5 permit source 192.168.110.0 0.0.0.255
 rule 10 permit source 192.168.120.0 0.0.0.255
 rule 15 permit source 192.168.130.0 0.0.0.255
 rule 20 deny 
#
interface GigabitEthernet0/0/0
 ip address 14.1.2.1 255.255.255.252
 nat outbound 2000
#
interface GigabitEthernet0/0/1
 ip address 10.0.0.0 255.255.255.254
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
ospf 1 router-id 1.1.1.1
 default-route-advertise always
 area 0.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 14.1.2.2
#
return

Outbound NAT is configured on the external interface for internal clients; ACL 2000 limits translation to the three client subnets and denies everything else. Later we'll check reachability to an "internet" resource, represented by the loopback of the ISP router. Additionally, a default route is advertised towards the aggregation switch.

Agg-SW01-HQ01

display current-configuration
#
sysname Agg-SW01-HQ01
#
vlan batch 110 120 130
#
interface Vlanif110
 ip address 192.168.110.254 255.255.255.0
 ospf enable 1 area 0.0.0.0
 dhcp select relay
 dhcp relay binding server ip 192.168.140.100
#
interface Vlanif120
 ip address 192.168.120.254 255.255.255.0
 ospf enable 1 area 0.0.0.0
 dhcp select relay
 dhcp relay binding server ip 192.168.140.100
#
interface Vlanif130
 ip address 192.168.130.254 255.255.255.0
 ospf enable 1 area 0.0.0.0
 dhcp select relay
 dhcp relay binding server ip 192.168.140.100
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.0.0.1 255.255.255.254
 ospf network-type p2p
 ospf enable 1 area 0.0.0.0
#
interface GE1/0/1
 undo shutdown
 port default vlan 110
#
interface GE1/0/2
 undo shutdown
 port default vlan 120
#
interface GE1/0/3
 undo shutdown
 port default vlan 130
#
interface LoopBack0
 ip address 1.1.1.10 255.255.255.255
 ospf enable 1 area 0.0.0.0
#
ospf 1 router-id 1.1.1.10
 area 0.0.0.0
#
return

DHCP relay is configured on the VLAN interfaces, but it did not work correctly in the lab. The request reached the DHCP server, which issued an address, but the client never received the ACK, even though the server had already recorded the lease for this client. This might be due to the image itself or to EVE-NG. It would probably work on real hardware, but that's not guaranteed. Looking ahead, static IPs will be used on the clients.

Check OSPF connectivity

display ip routing-table protocol ospf
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Public routing table : OSPF
        Destinations : 4        Routes : 4

OSPF routing table status : 
        Destinations : 4        Routes : 4

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    1.1.1.10/32  OSPF    10   1           D   10.0.0.1        GigabitEthernet0/0/1
192.168.110.0/24  OSPF    10   2           D   10.0.0.1        GigabitEthernet0/0/1
192.168.120.0/24  OSPF    10   2           D   10.0.0.1        GigabitEthernet0/0/1
192.168.130.0/24  OSPF    10   2           D   10.0.0.1        GigabitEthernet0/0/1

OSPF routing table status : 
        Destinations : 0        Routes : 0

As we can see, the routes from aggregation are coming in.

Now let's see what is coming to the aggregation from the border.

display ip routing-table protocol ospf
Proto: Protocol        Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
_public_ Routing Table : OSPF
        Destinations : 7        Routes : 7

OSPF routing table status : 
        Destinations : 2        Routes : 2

Destination/Mask    Proto   Pre  Cost        Flags NextHop         Interface

        0.0.0.0/0   O_ASE   150  1             D   10.0.0.0        GE1/0/0
        1.1.1.1/32  OSPF    10   1             D   10.0.0.0        GE1/0/0

OSPF routing table status : 
        Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost        Flags NextHop         Interface

    1.1.1.10/32  OSPF    10   0                 1.1.1.10        LoopBack0
    10.0.0.0/31  OSPF    10   1                 10.0.0.1        GE1/0/0
192.168.110.0/24  OSPF    10   1                 192.168.110.254 Vlanif110
192.168.120.0/24  OSPF    10   1                 192.168.120.254 Vlanif120
192.168.130.0/24  OSPF    10   1                 192.168.130.254 Vlanif130

We can see that the default route and loopback are coming from the border.

Let's check "internet connectivity"

ping 8.8.8.8 -c 3
NAME        : VPCS[1]
IP/MASK     : 192.168.110.10/24
GATEWAY     : 192.168.110.254
DNS         : 192.168.110.254
MAC         : 00:50:79:66:68:23
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS> ping 8.8.8.8 -c 3

84 bytes from 8.8.8.8 icmp_seq=1 ttl=253 time=3.327 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=253 time=2.987 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=253 time=2.106 ms

For the other devices, the settings are similar, and I will only show the IS-IS configuration for Branch-02.

Border01-BR02

display current-configuration
#
sysname Border01-BR02
#
acl number 2000
 rule 5 permit source 192.168.10.0 0.0.0.255
 rule 10 permit source 192.168.20.0 0.0.0.255
 rule 15 permit source 192.168.30.0 0.0.0.255
 rule 20 deny
#
isis 1
 network-entity 49.0001.0000.0000.0001.00
 default-route-advertise always
#
interface GigabitEthernet0/0/0
 ip address 195.147.98.1 255.255.255.252
 nat outbound 2000
#
interface GigabitEthernet0/0/1
 ip address 10.0.2.3 255.255.255.254
 isis enable 1
 isis circuit-type p2p
#
interface GigabitEthernet0/0/2
 ip address 10.0.2.1 255.255.255.254
 isis enable 1
 isis circuit-type p2p
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
 isis enable 1
#
ip route-static 0.0.0.0 0.0.0.0 195.147.98.2
#
return

Two links deliberately face the aggregation switch: with equal IS-IS cost they give equal-cost load balancing.

Agg-SW01-BR02

display current-configuration
#
sysname Agg-SW01-BR02
#
vlan batch 10 20 30
#
isis 1
 network-entity 49.0001.0000.0000.0002.00
#
interface Vlanif10
 ip address 192.168.10.254 255.255.255.0
 isis enable 1
 isis circuit-type p2p
#
interface Vlanif20
 ip address 192.168.20.254 255.255.255.0
 isis enable 1
 isis circuit-type p2p
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 10.0.2.2 255.255.255.254
 isis enable 1
 isis circuit-type p2p
#
interface GE1/0/1
 undo portswitch
 undo shutdown
 ip address 10.0.2.0 255.255.255.254
 isis enable 1
 isis circuit-type p2p
#
interface GE1/0/2
 undo shutdown
 port default vlan 20
#
interface GE1/0/3
 undo shutdown
 port default vlan 10
#
interface LoopBack0
 ip address 3.3.3.10 255.255.255.255
 isis enable 1
#
return

Let's check IS-IS connectivity

display ip routing-table protocol isis
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Public routing table : ISIS
        Destinations : 3        Routes : 6

ISIS routing table status : 
        Destinations : 3        Routes : 6

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    3.3.3.10/32  ISIS-L1 15   10          D   10.0.2.2        GigabitEthernet0/0/1
                 ISIS-L1 15   10          D   10.0.2.0        GigabitEthernet0/0/2
192.168.10.0/24  ISIS-L1 15   20          D   10.0.2.2        GigabitEthernet0/0/1
                 ISIS-L1 15   20          D   10.0.2.0        GigabitEthernet0/0/2
192.168.20.0/24  ISIS-L1 15   20          D   10.0.2.2        GigabitEthernet0/0/1
                 ISIS-L1 15   20          D   10.0.2.0        GigabitEthernet0/0/2

ISIS routing table status : 
        Destinations : 0        Routes : 0

Routes from the aggregation switch arrive and are reachable via two interfaces, which is what gives the load balancing. By default IS-IS runs in L1-L2 mode (intra-area/inter-area). In our case the adjacency is L1, since everything is within one area; the area is set by the network-entity 49.0001.xxxx.xxxx.xxxx.xx, whose area portion (49.0001) must be the same on devices in one area.
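To make the area rule concrete, here is an added Python example (not from the original post) that splits the lab's two NETs into area, system ID and NSEL and reports which adjacency levels a pair of routers can form; the functions and the third, mismatched NET are this example's own.

```python
"""IS-IS NET parsing and adjacency-level check (added example)."""
from dataclasses import dataclass
from typing import Set

BORDER_NET = "49.0001.0000.0000.0001.00"      # Border01-BR02, from the lab config
AGG_NET = "49.0001.0000.0000.0002.00"         # Agg-SW01-BR02, from the lab config
OTHER_AREA_NET = "49.0002.0000.0000.0003.00"  # constructed: same AFI, different area


@dataclass(frozen=True)
class Net:
    area: str       # AFI plus area ID, e.g. "49.0001"
    system_id: str  # 6 bytes, e.g. "0000.0000.0001"
    nsel: str       # must be "00" for a router's NET


def parse_net(net: str) -> Net:
    """Split a dotted NET: the area is everything except the last 7 bytes."""
    hexs = net.replace(".", "")
    if len(hexs) % 2 or not 16 <= len(hexs) <= 40:
        raise ValueError(f"NET must be 8..20 bytes: {net!r}")
    int(hexs, 16)  # raises ValueError on non-hex characters
    nsel, sysid, area = hexs[-2:], hexs[-14:-2], hexs[:-14]
    if nsel != "00":
        raise ValueError(f"router NET needs NSEL 00, got {nsel}")
    # re-dot the way the CLI shows it: AFI (1 byte), then 2-byte groups
    area_dotted = ".".join([area[:2]] + [area[i:i + 4] for i in range(2, len(area), 4)])
    sysid_dotted = ".".join(sysid[i:i + 4] for i in range(0, 12, 4))
    return Net(area_dotted, sysid_dotted, nsel)


def runs_level(circuit_type: str, level: str) -> bool:
    """Circuit types are "L1", "L2" or "L1L2" (the Huawei default)."""
    return level in circuit_type


def adjacency_levels(a: str, b: str, type_a: str = "L1L2", type_b: str = "L1L2") -> Set[str]:
    """Levels on which two routers can become neighbours.

    L1 needs the same area on both ends; L2 only needs both to run L2.
    """
    na, nb = parse_net(a), parse_net(b)
    if na.system_id == nb.system_id:
        raise ValueError("duplicate system ID: " + na.system_id)
    levels: Set[str] = set()
    if runs_level(type_a, "L1") and runs_level(type_b, "L1") and na.area == nb.area:
        levels.add("L1")
    if runs_level(type_a, "L2") and runs_level(type_b, "L2"):
        levels.add("L2")
    return levels


if __name__ == "__main__":
    print(parse_net(BORDER_NET))
    print("border <-> agg:", adjacency_levels(BORDER_NET, AGG_NET))
    print("border <-> other area:", adjacency_levels(BORDER_NET, OTHER_AREA_NET))
```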

display isis peer

Peer Information for ISIS(1)
--------------------------------------------------------------------------------

System ID     Interface       Circuit ID        State HoldTime(s) Type     PRI
--------------------------------------------------------------------------------
0000.0000.0001  GE1/0/0         0000000001         Up            24 L1L2      --
0000.0000.0001  GE1/0/1         0000000002         Up            24 L1L2      --

Total Peer(s): 2
display ip routing-table protocol isis
Proto: Protocol        Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
_public_ Routing Table : IS-IS
        Destinations : 7        Routes : 9

IS-IS routing table status : 
        Destinations : 2        Routes : 4

Destination/Mask    Proto   Pre  Cost        Flags NextHop         Interface

        0.0.0.0/0   ISIS-L2 15   10            D   10.0.2.3        GE1/0/0
                    ISIS-L2 15   10            D   10.0.2.1        GE1/0/1
        3.3.3.3/32  ISIS-L1 15   10            D   10.0.2.3        GE1/0/0
                    ISIS-L1 15   10            D   10.0.2.1        GE1/0/1

IS-IS routing table status : 
        Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost        Flags NextHop         Interface

    3.3.3.10/32  ISIS-L1 15   0                 3.3.3.10        LoopBack0
    10.0.2.0/31  ISIS-L1 15   0                 10.0.2.0        GE1/0/1
    10.0.2.2/31  ISIS-L1 15   0                 10.0.2.2        GE1/0/0
192.168.10.0/24  ISIS-L1 15   0                 192.168.10.254  Vlanif10
192.168.20.0/24  ISIS-L1 15   0                 192.168.20.254  Vlanif20

We can see that the default route and the loopback from the border arrive at the aggregation switch. Since IS-IS is L1-L2 by default, we can receive external routes, such as 0.0.0.0/0 (effectively a redistribution), as ISIS-L2.

Let's check "internet connectivity"

ping 8.8.8.8 -c 3
NAME        : VPCS[1]
IP/MASK     : 192.168.10.10/24
GATEWAY     : 192.168.10.254
DNS         :
MAC         : 00:50:79:66:68:2d
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS> ping 8.8.8.8 -c 3

84 bytes from 8.8.8.8 icmp_seq=1 ttl=253 time=2.745 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=253 time=2.001 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=253 time=1.977 ms

2. Configure tunnels between the branches and the office

Only the head office configuration is shown, since the branch configurations mirror it. We also won't go into the details of the IPsec configuration, as that deserves a separate article.

display current-configuration
#
sysname Border01-HQ01
#
ipsec proposal 10
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
ike proposal 10
 encryption-algorithm aes-256
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
ike peer BRANCH-01
 pre-shared-key cipher "your_secret_key"
 ike-proposal 10
 local-address 14.1.2.1
 remote-address 2.58.17.1
 rsa encryption-padding oaep
 rsa signature-padding pss
 ikev2 authentication sign-hash sha2-256
ike peer BRANCH-02
 pre-shared-key cipher "your_secret_key"
 ike-proposal 10
 local-address 14.1.2.1
 remote-address 195.147.98.1
 rsa encryption-padding oaep
 rsa signature-padding pss
 ikev2 authentication sign-hash sha2-256
#
ipsec profile BR-01-PROF
 ike-peer BRANCH-01
 proposal 10
ipsec profile BR-02-PROF
 ike-peer BRANCH-02
 proposal 10
#
interface Tunnel0/0/1
 ip address 172.16.10.1 255.255.255.252
 tunnel-protocol gre
 source 14.1.2.1
 destination 2.58.17.1
 ipsec profile BR-01-PROF
#
interface Tunnel0/0/2
 ip address 172.16.20.1 255.255.255.252
 tunnel-protocol gre
 source 14.1.2.1
 destination 195.147.98.1
 ipsec profile BR-02-PROF
#
return

Let's check the state of the security associations

display ipsec sa b

IPSec SA information:
Src address                             Dst address                             SPI
VPN                                     Protocol                                Algorithm
--------------------------------------------------------------------------------------------------------------------------
14.1.2.1                                195.147.98.1                            11898564
                                        ESP                                     E:AES-256 A:SHA2_512_256
195.147.98.1                            14.1.2.1                                2909459
                                        ESP                                     E:AES-256 A:SHA2_512_256
14.1.2.1                                2.58.17.1                               240680
                                        ESP                                     E:AES-256 A:SHA2_512_256
2.58.17.1                               14.1.2.1                                14985427
                                        ESP                                     E:AES-256 A:SHA2_512_256

Number of IPSec SA : 4
--------------------------------------------------------------------------------------------------------------------------
display ike sa
Conn-ID    Peer                                          VPN              Flag(s)               Phase  RemoteType  RemoteID
------------------------------------------------------------------------------------------------------------------------------------
16         2.58.17.1/500                                                  RD|A                  v2:2   IP          2.58.17.1
4          2.58.17.1/500                                                  RD|A                  v2:1   IP          2.58.17.1
17         195.147.98.1/500                                               RD|ST|A               v2:2   IP          195.147.98.1
6          195.147.98.1/500                                               RD|ST|A               v2:1   IP          195.147.98.1

Number of IKE SA : 4
------------------------------------------------------------------------------------------------------------------------------------

Flag Description:
RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

Security associations have been created, which indicates that the tunnels are established and traffic is being encrypted. Encapsulation is GRE over IPsec.

3. Bring up the BGP sessions and filter the received prefixes

Each branch and the head office has its own autonomous system number: AS65100 for the office, AS65200 and AS65300 for the branches, respectively.
Since we redistribute from the IGP into BGP, every prefix, including loopbacks and link networks, would end up in BGP. These are not needed, so we create a prefix-list and apply it on import, accepting only the necessary prefixes, namely the client networks: 192.168.0.0/16 and everything inside that range with a longer mask (/16 to /32).

The configuration will only be provided for the head office, as the configurations in the branches are identical with the only difference being that each will have one peer and different autonomous system numbers.

Border01-HQ01

display current-configuration
#
sysname Border01-HQ01
#
ip ip-prefix PL_ALLOWED_PREFIXES index 10 permit 192.168.0.0 16 greater-equal 16 less-equal 32
#
bgp 65100
 peer 172.16.10.2 as-number 65200
 peer 172.16.10.2 connect-interface Tunnel0/0/1
 peer 172.16.20.2 as-number 65300
 peer 172.16.20.2 connect-interface Tunnel0/0/2
 #
 ipv4-family unicast
  undo synchronization
  import-route ospf 1
  peer 172.16.10.2 enable
  peer 172.16.10.2 ip-prefix PL_ALLOWED_PREFIXES import
  peer 172.16.20.2 enable
  peer 172.16.20.2 ip-prefix PL_ALLOWED_PREFIXES import
#
return
display bgp peer

Status codes: * - Dynamic

BGP local router ID : 14.1.2.1
Local AS number : 65100
Total number of peers : 2                Peers in established state : 2
Total number of dynamic peers : 0

Peer            V          AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

172.16.10.2     4       65200      194      197     0 03:08:36 Established       3
172.16.20.2     4       65300      194      196     0 03:07:48 Established       2
display ip routing-table protocol bgp
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Public routing table : BGP
        Destinations : 5        Routes : 5

BGP routing table status : 
        Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

192.168.10.0/24  EBGP    255  20         RD   172.16.20.2     Tunnel0/0/2
192.168.20.0/24  EBGP    255  20         RD   172.16.20.2     Tunnel0/0/2
192.168.210.0/24  EBGP    255  2          RD   172.16.10.2     Tunnel0/0/1
192.168.220.0/24  EBGP    255  2          RD   172.16.10.2     Tunnel0/0/1
192.168.230.0/24  EBGP    255  2          RD   172.16.10.2     Tunnel0/0/1

BGP routing table status : 
        Destinations : 0        Routes : 0

As we can see, the necessary routes have appeared in the routing table.
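The following added Python example (not from the original post) models the greater-equal/less-equal semantics of the PL_ALLOWED_PREFIXES rule and applies it to the prefixes that an unfiltered redistribution on Border01-BR02 would hand to BGP; PrefixRule, PrefixList, parse_rule and the candidate list are this example's own.

```python
"""Huawei ip ip-prefix evaluation for the lab's inbound BGP filter (added example)."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, Iterable, List, Optional, Tuple

CONFIG_LINE = ("ip ip-prefix PL_ALLOWED_PREFIXES index 10 permit "
               "192.168.0.0 16 greater-equal 16 less-equal 32")
# What Border01-BR02 would redistribute from IS-IS without a filter (from the lab).
BR02_REDISTRIBUTED = ["0.0.0.0/0", "3.3.3.3/32", "3.3.3.10/32", "10.0.2.0/31",
                      "10.0.2.2/31", "192.168.10.0/24", "192.168.20.0/24"]

RULE_RE = re.compile(
    r"ip ip-prefix (?P<name>\S+) index (?P<index>\d+) (?P<action>permit|deny) "
    r"(?P<addr>\d+\.\d+\.\d+\.\d+) (?P<mask>\d+)"
    r"(?: greater-equal (?P<ge>\d+))?(?: less-equal (?P<le>\d+))?$")


@dataclass(frozen=True)
class PrefixRule:
    index: int
    action: str            # "permit" or "deny"
    network: IPv4Network   # address/mask-length as written in the rule
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_range(self) -> Tuple[int, int]:
        # Huawei semantics: no ge/le -> exact mask length; only ge -> [ge, 32];
        # only le -> [mask, le]; both -> [ge, le].
        lo = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else self.network.prefixlen
        return lo, hi

    def matches(self, cand: IPv4Network) -> bool:
        lo, hi = self.length_range()
        if not lo <= cand.prefixlen <= hi:
            return False
        # the first mask-length bits must agree, i.e. the rule network contains it
        return cand.network_address in self.network


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[PrefixRule] = []

    def add(self, rule: PrefixRule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.index)  # evaluated in index order

    def evaluate(self, prefix: str) -> Tuple[bool, Optional[int]]:
        """(permitted, index of first matching rule); no match is the implicit deny."""
        cand = IPv4Network(prefix)
        for rule in self.rules:
            if rule.matches(cand):
                return rule.action == "permit", rule.index
        return False, None


def parse_rule(line: str) -> Tuple[str, PrefixRule]:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ip-prefix rule: {line!r}")
    mask = int(m["mask"])
    ge = int(m["ge"]) if m["ge"] else None
    le = int(m["le"]) if m["le"] else None
    lo = ge if ge is not None else mask
    hi = le if le is not None else 32
    if not mask <= lo <= hi <= 32:
        raise ValueError("need mask-length <= greater-equal <= less-equal <= 32")
    net = IPv4Network(f"{m['addr']}/{mask}", strict=False)
    return m["name"], PrefixRule(int(m["index"]), m["action"], net, ge, le)


def build_allowed_list() -> PrefixList:
    name, rule = parse_rule(CONFIG_LINE)
    pl = PrefixList(name)
    pl.add(rule)
    return pl


def filter_redistributed(pl: PrefixList, prefixes: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate prefix to whether the filtering peer would accept it."""
    return {p: pl.evaluate(p)[0] for p in prefixes}


if __name__ == "__main__":
    for p, ok in filter_redistributed(build_allowed_list(), BR02_REDISTRIBUTED).items():
        print(f"{p:18} {'accepted' if ok else 'dropped'}")
```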

4. Time for checks

Check IGP in branches and headquarters

HQ

ping
NAME        : VPCS[1]
IP/MASK     : 192.168.130.30/24
GATEWAY     : 192.168.130.254
DNS         :
MAC         : 00:50:79:66:68:28
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS> ping 192.168.110.10 -c 3

84 bytes from 192.168.110.10 icmp_seq=1 ttl=63 time=4.012 ms
84 bytes from 192.168.110.10 icmp_seq=2 ttl=63 time=1.190 ms
84 bytes from 192.168.110.10 icmp_seq=3 ttl=63 time=1.310 ms

VPCS> ping 192.168.120.20 -c 3

84 bytes from 192.168.120.20 icmp_seq=1 ttl=63 time=3.428 ms
84 bytes from 192.168.120.20 icmp_seq=2 ttl=63 time=1.287 ms
84 bytes from 192.168.120.20 icmp_seq=3 ttl=63 time=1.607 ms

VPCS> ping 1.1.1.1 -c 3

84 bytes from 1.1.1.1 icmp_seq=1 ttl=254 time=2.239 ms
84 bytes from 1.1.1.1 icmp_seq=2 ttl=254 time=2.288 ms
84 bytes from 1.1.1.1 icmp_seq=3 ttl=254 time=1.588 ms

VPCS> ping 1.1.1.10 -c 3

84 bytes from 1.1.1.10 icmp_seq=1 ttl=255 time=19.684 ms
84 bytes from 1.1.1.10 icmp_seq=2 ttl=255 time=1.571 ms
84 bytes from 1.1.1.10 icmp_seq=3 ttl=255 time=1.198 ms

Branch-01

ping
NAME        : VPCS[1]
IP/MASK     : 192.168.210.10/24
GATEWAY     : 192.168.210.254
DNS         :
MAC         : 00:50:79:66:68:26
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS> ping 192.168.220.20 -c 3

84 bytes from 192.168.220.20 icmp_seq=1 ttl=63 time=1.330 ms
84 bytes from 192.168.220.20 icmp_seq=2 ttl=63 time=1.194 ms
84 bytes from 192.168.220.20 icmp_seq=3 ttl=63 time=1.540 ms

VPCS> ping 192.168.230.30 -c 3

84 bytes from 192.168.230.30 icmp_seq=1 ttl=63 time=1.552 ms
84 bytes from 192.168.230.30 icmp_seq=2 ttl=63 time=1.240 ms
84 bytes from 192.168.230.30 icmp_seq=3 ttl=63 time=1.522 ms

VPCS> ping 2.2.2.2 -c 3

84 bytes from 2.2.2.2 icmp_seq=1 ttl=254 time=2.045 ms
84 bytes from 2.2.2.2 icmp_seq=2 ttl=254 time=1.508 ms
84 bytes from 2.2.2.2 icmp_seq=3 ttl=254 time=1.838 ms

VPCS> ping 2.2.2.10 -c 3

84 bytes from 2.2.2.10 icmp_seq=1 ttl=255 time=15.846 ms
84 bytes from 2.2.2.10 icmp_seq=2 ttl=255 time=1.115 ms
84 bytes from 2.2.2.10 icmp_seq=3 ttl=255 time=1.663 ms

Branch-02

ping
NAME        : VPCS[1]
IP/MASK     : 192.168.10.10/24
GATEWAY     : 192.168.10.254
DNS         :
MAC         : 00:50:79:66:68:2d
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS> ping 192.168.20.20 -c 3

84 bytes from 192.168.20.20 icmp_seq=1 ttl=63 time=6.022 ms
84 bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=1.168 ms
84 bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=1.412 ms

VPCS> ping 3.3.3.3 -c 3

84 bytes from 3.3.3.3 icmp_seq=1 ttl=254 time=1.567 ms
84 bytes from 3.3.3.3 icmp_seq=2 ttl=254 time=1.745 ms
84 bytes from 3.3.3.3 icmp_seq=3 ttl=254 time=1.596 ms

VPCS> ping 3.3.3.10 -c 3

84 bytes from 3.3.3.10 icmp_seq=1 ttl=255 time=8.187 ms
84 bytes from 3.3.3.10 icmp_seq=2 ttl=255 time=1.219 ms
84 bytes from 3.3.3.10 icmp_seq=3 ttl=255 time=1.612 ms

In each site, a client machine reaches hosts in the site's other subnets as well as the loopbacks of that site's border router and aggregation switch.

Checking the availability of remote branches from the headquarters

HQ to Branch-01

ping
NAME        : VPCS[1]
IP/MASK     : 192.168.110.10/24
GATEWAY     : 192.168.110.254
DNS         : 192.168.110.254
MAC         : 00:50:79:66:68:23
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS> ping 192.168.210.10 -c 3

84 bytes from 192.168.210.10 icmp_seq=1 ttl=60 time=8.976 ms
84 bytes from 192.168.210.10 icmp_seq=2 ttl=60 time=7.053 ms
84 bytes from 192.168.210.10 icmp_seq=3 ttl=60 time=6.672 ms

VPCS> ping 192.168.220.20 -c 3

84 bytes from 192.168.220.20 icmp_seq=1 ttl=60 time=9.236 ms
84 bytes from 192.168.220.20 icmp_seq=2 ttl=60 time=8.123 ms
84 bytes from 192.168.220.20 icmp_seq=3 ttl=60 time=7.247 ms

VPCS> ping 192.168.230.30 -c 3

84 bytes from 192.168.230.30 icmp_seq=1 ttl=60 time=8.117 ms
84 bytes from 192.168.230.30 icmp_seq=2 ttl=60 time=8.451 ms
84 bytes from 192.168.230.30 icmp_seq=3 ttl=60 time=4.663 ms

HQ to Branch-02

ping
NAME        : VPCS[1]
IP/MASK     : 192.168.110.10/24
GATEWAY     : 192.168.110.254
DNS         : 192.168.110.254
MAC         : 00:50:79:66:68:23
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS> ping 192.168.10.10 -c 3

84 bytes from 192.168.10.10 icmp_seq=1 ttl=60 time=13.473 ms
84 bytes from 192.168.10.10 icmp_seq=2 ttl=60 time=7.663 ms
84 bytes from 192.168.10.10 icmp_seq=3 ttl=60 time=6.367 ms

VPCS> ping 192.168.20.20 -c 3

84 bytes from 192.168.20.20 icmp_seq=1 ttl=60 time=10.810 ms
84 bytes from 192.168.20.20 icmp_seq=2 ttl=60 time=6.923 ms
84 bytes from 192.168.20.20 icmp_seq=3 ttl=60 time=7.925 ms

Checking the availability between branches

Branch-01 to Branch-02

ping
NAME        : VPCS[1]
IP/MASK     : 192.168.220.20/24
GATEWAY     : 192.168.220.254
DNS         :
MAC         : 00:50:79:66:68:27
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS> ping 192.168.10.10 -c 3

84 bytes from 192.168.10.10 icmp_seq=1 ttl=59 time=12.489 ms
84 bytes from 192.168.10.10 icmp_seq=2 ttl=59 time=10.401 ms
84 bytes from 192.168.10.10 icmp_seq=3 ttl=59 time=14.660 ms

VPCS> ping 192.168.20.20 -c 3

84 bytes from 192.168.20.20 icmp_seq=1 ttl=59 time=13.374 ms
84 bytes from 192.168.20.20 icmp_seq=2 ttl=59 time=10.889 ms
84 bytes from 192.168.20.20 icmp_seq=3 ttl=59 time=13.471 ms

And a few traceroutes

Tracert from Branch 01

trace
NAME        : VPCS[1]
IP/MASK     : 192.168.220.20/24
GATEWAY     : 192.168.220.254
DNS         :
MAC         : 00:50:79:66:68:27
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS> trace 192.168.10.10 -P 1
trace to 192.168.10.10, 8 hops max (ICMP), press Ctrl+C to stop
1   192.168.220.254   4.274 ms  1.026 ms  0.825 ms
2   10.0.1.0   6.317 ms  8.018 ms  5.600 ms
3   172.16.10.1   8.656 ms  12.895 ms  8.293 ms
4   172.16.20.2   13.364 ms  13.165 ms  14.289 ms
5   10.0.2.2   13.012 ms  10.468 ms  10.961 ms
6   192.168.10.10   11.924 ms  11.986 ms  9.160 ms

VPCS> trace 192.168.20.20 -P 1
trace to 192.168.20.20, 8 hops max (ICMP), press Ctrl+C to stop
1   192.168.220.254   5.000 ms  1.036 ms  0.825 ms
2   10.0.1.0   5.701 ms  4.666 ms  3.809 ms
3   172.16.10.1   7.985 ms  9.941 ms  13.568 ms
4   172.16.20.2   13.479 ms  12.973 ms  14.480 ms
5   10.0.2.2   15.023 ms  9.474 ms  8.189 ms
6   192.168.20.20   15.522 ms  10.690 ms  10.563 ms

Tracert from Branch 02

trace
NAME        : VPCS[1]
IP/MASK     : 192.168.20.20/24
GATEWAY     : 192.168.20.254
DNS         :
MAC         : 00:50:79:66:68:2e
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

VPCS> trace 192.168.110.10 -P 1
trace to 192.168.110.10, 8 hops max (ICMP), press Ctrl+C to stop
1   192.168.20.254   4.494 ms  0.963 ms  0.806 ms
2   10.0.2.1   5.014 ms  3.441 ms  5.638 ms
3   172.16.20.1   9.150 ms  8.669 ms  12.742 ms
4   10.0.0.1   22.344 ms  8.755 ms  6.997 ms
5   192.168.110.10   6.610 ms  6.782 ms  7.380 ms

VPCS> trace 192.168.230.30 -P 1
trace to 192.168.230.30, 8 hops max (ICMP), press Ctrl+C to stop
1   192.168.20.254   3.454 ms  1.295 ms  1.181 ms
2   10.0.2.1   5.356 ms  7.253 ms  3.723 ms
3   172.16.20.1   9.490 ms  9.953 ms  11.376 ms
4   172.16.10.2   13.284 ms  14.037 ms  15.375 ms
5   10.0.1.1   14.616 ms  10.290 ms  11.622 ms
6   192.168.230.30   14.632 ms  10.351 ms  12.057 ms

5. Conclusions

The purpose of this setup was to demonstrate a universal solution for the case where sites running different IGPs must be connected and building DMVPN is not an option. In my subjective opinion, redistribution into BGP is the best fit for this task.
Undoubtedly, it is not the only solution.

What else could be added or improved?
The default route could be pushed to the branches via BGP, forcing them to route all traffic through the head office, which is sometimes required for security reasons.
Another provider could be added at each site, along with a second border router for fault tolerance.
Perhaps in the next iterations.

Full versions of all configurations can be found here
