Huawei BGP: multi-level RR, community attributes, and regular expressions in several application cases


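1. The OA and finance segments of headquarters and the branches can reach each other
2. The OA segments of the branches can also reach each other
3. The finance segments of the branches cannot reach each other

The setup mainly uses custom BGP community attributes, level-1 and level-2 RR configuration, and BGP regular-expression matching rules.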

R1

router id 1.1.1.1 // global router ID, used by both OSPF and BGP

interface GigabitEthernet0/0/0
ip address 10.0.12.1 255.255.255.0
ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/1
ip address 10.0.11.1 255.255.255.0

interface GigabitEthernet0/0/2

interface LoopBack0
ip address 1.1.1.1 255.255.255.255
ospf enable 1 area 0.0.0.0

bgp 65100
peer 10.0.11.2 as-number 65001
peer 10.0.11.2 password cipher admin
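peer 10.0.11.2 valid-ttl-hops 255 // GTSM TTL check, for security; with hops 255 the accepted TTL range is [1, 255], so a directly connected peer needs hops 1 to be restricted
group ibgp internal // there are many IBGP devices, so a peer group saves effort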
peer ibgp connect-interface LoopBack0
peer 2.2.2.2 as-number 65100
peer 2.2.2.2 group ibgp
peer 4.4.4.4 as-number 65100
peer 4.4.4.4 group ibgp

ipv4-family unicast
undo synchronization
peer 10.0.11.2 enable
peer 10.0.11.2 route-policy finance export // apply the policy to routes sent to the branch
peer 10.0.11.2 advertise-community // enable community attribute advertisement
peer ibgp enable
peer ibgp next-hop-local
peer ibgp advertise-community // enable community attribute advertisement
peer 2.2.2.2 enable
peer 2.2.2.2 group ibgp
peer 4.4.4.4 enable
peer 4.4.4.4 group ibgp

ospf 1
area 0.0.0.0

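route-policy finance permit node 10 // first match the OA routes by community and permit them
if-match community-filter oa

route-policy finance deny node 20 // then match the finance routes and deny them
if-match as-path-filter finance

route-policy finance permit node 30 // permit everything that matched neither node

ip as-path-filter finance permit 65002$ // regex-match routes whose AS_PATH ends in 65002, i.e. routes originated by that AS (its finance segment)

ip community-filter basic oa permit 65002:2 // match the OA routes that carry this community tag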

R2

router id 2.2.2.2

interface GigabitEthernet0/0/0
ip address 10.0.23.2 255.255.255.0
ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/1
ip address 10.0.12.2 255.255.255.0
ospf enable 1 area 0.0.0.0

interface LoopBack0
ip address 2.2.2.2 255.255.255.255
ospf enable 1 area 0.0.0.0

bgp 65100
group ibgp internal
peer ibgp connect-interface LoopBack0
peer 1.1.1.1 as-number 65100
peer 1.1.1.1 group ibgp
peer 3.3.3.3 as-number 65100
peer 3.3.3.3 group ibgp
peer 4.4.4.4 as-number 65100
peer 4.4.4.4 group ibgp
peer 5.5.5.5 as-number 65100
peer 5.5.5.5 group ibgp

ipv4-family unicast
undo synchronization
reflector cluster-id 24.24.24.24 // identifies the level-2 RR cluster
peer ibgp enable
peer ibgp reflect-client // reflect learned routes to all peers in the group
peer ibgp advertise-community // advertise community attributes to all IBGP peers
peer 1.1.1.1 enable
peer 1.1.1.1 group ibgp
peer 3.3.3.3 enable
peer 3.3.3.3 group ibgp
peer 4.4.4.4 enable
peer 4.4.4.4 group ibgp
peer 5.5.5.5 enable
peer 5.5.5.5 group ibgp

ospf 1
area 0.0.0.0

R3

router id 3.3.3.3

interface GigabitEthernet0/0/0
ip address 10.0.23.3 255.255.255.0
ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/1
ip address 10.0.34.3 255.255.255.0
ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/2
ip address 10.0.33.3 255.255.255.0

interface LoopBack0
ip address 3.3.3.3 255.255.255.255
ospf enable 1 area 0.0.0.0

bgp 65100
peer 10.0.33.1 as-number 65003
peer 10.0.33.1 password cipher admin
peer 10.0.33.1 valid-ttl-hops 255
group ibgp internal
peer ibgp connect-interface LoopBack0
peer 2.2.2.2 as-number 65100
peer 2.2.2.2 group ibgp
peer 4.4.4.4 as-number 65100
peer 4.4.4.4 group ibgp

ipv4-family unicast
undo synchronization
peer 10.0.33.1 enable
peer 10.0.33.1 advertise-community // enable BGP community attribute advertisement
peer ibgp enable
peer ibgp reflect-client
peer ibgp next-hop-local
peer ibgp advertise-community // enable BGP community attribute advertisement
peer 2.2.2.2 enable
peer 2.2.2.2 group ibgp
peer 4.4.4.4 enable
peer 4.4.4.4 group ibgp

ospf 1
area 0.0.0.0

R4

router id 4.4.4.4

interface GigabitEthernet0/0/0
ip address 10.0.34.4 255.255.255.0
ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/1
ip address 10.0.45.4 255.255.255.0
ospf enable 1 area 0.0.0.0

interface LoopBack0
ip address 4.4.4.4 255.255.255.255
ospf enable 1 area 0.0.0.0

bgp 65100
group ibgp internal
peer ibgp connect-interface LoopBack0
peer 1.1.1.1 as-number 65100
peer 1.1.1.1 group ibgp
peer 2.2.2.2 as-number 65100
peer 2.2.2.2 group ibgp
peer 3.3.3.3 as-number 65100
peer 3.3.3.3 group ibgp
peer 5.5.5.5 as-number 65100
peer 5.5.5.5 group ibgp

ipv4-family unicast
undo synchronization
reflector cluster-id 24.24.24.24
peer ibgp enable
peer ibgp reflect-client
peer ibgp advertise-community
peer 1.1.1.1 enable
peer 1.1.1.1 group ibgp
peer 2.2.2.2 enable
peer 2.2.2.2 group ibgp
peer 3.3.3.3 enable
peer 3.3.3.3 group ibgp
peer 5.5.5.5 enable
peer 5.5.5.5 group ibgp

ospf 1
area 0.0.0.0

R5

router id 5.5.5.5

interface GigabitEthernet0/0/0
ip address 10.0.45.5 255.255.255.0
ospf enable 1 area 0.0.0.0

interface GigabitEthernet0/0/1
ip address 10.0.52.5 255.255.255.0

interface LoopBack0
ip address 5.5.5.5 255.255.255.255
ospf enable 1 area 0.0.0.0

bgp 65100
peer 10.0.52.2 as-number 65002
peer 10.0.52.2 password cipher % % ;^^:7p’wdXiw4.Pc;G9+<*7i% %
peer 10.0.52.2 valid-ttl-hops 255
group ibgp internal
peer ibgp connect-interface LoopBack0
peer 2.2.2.2 as-number 65100
peer 2.2.2.2 group ibgp
peer 4.4.4.4 as-number 65100
peer 4.4.4.4 group ibgp

ipv4-family unicast
undo synchronization
peer 10.0.52.2 enable
peer 10.0.52.2 route-policy finance export
peer 10.0.52.2 advertise-community
peer ibgp enable
peer ibgp next-hop-local
peer ibgp advertise-community
peer 2.2.2.2 enable
peer 2.2.2.2 group ibgp
peer 4.4.4.4 enable
peer 4.4.4.4 group ibgp

ospf 1
area 0.0.0.0

route-policy finance permit node 10
if-match community-filter oa

route-policy finance deny node 20
if-match as-path-filter finance

route-policy finance permit node 30

ip as-path-filter finance permit 65001$

ip community-filter basic oa permit 65001:1
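
An added example, not part of the original configuration: it replays the three nodes of route-policy finance as configured on R1 and on R5 against constructed route tables, and shows that the unanchored pattern 65002$ also catches an AS whose number merely ends in those digits, which _65002$ avoids. The Python model, the route tables, AS 165002 and the simplified translation of "_" are assumptions made for illustration.

```python
import re

def vrp_regex(pattern):
    # In AS_PATH regexes "_" matches a delimiter or the start/end of the string
    # (simplified translation, assumed for this example).
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))

def finance_policy(as_path_regex, oa_community):
    # Nodes 10/20/30 of "route-policy finance" as configured on R1 and R5.
    return [("permit", "community", oa_community),
            ("deny", "as-path", vrp_regex(as_path_regex)),
            ("permit", None, None)]

def evaluate(nodes, as_path, communities):
    # The first node whose if-match clause matches decides; a node without
    # if-match matches everything; no matching node at all means deny.
    for action, kind, value in nodes:
        if (kind is None
                or (kind == "community" and value in communities)
                or (kind == "as-path" and value.search(as_path))):
            return action
    return "deny"

def advertised(nodes, routes):
    return [prefix for prefix, as_path, communities in routes
            if evaluate(nodes, as_path, communities) == "permit"]

# Constructed view of what R1 could export to SW1 (AS 65001).
TO_SW1 = [
    ("22.1.1.0/24", "65002", {"65002:2"}),  # SW2 OA, tagged by SW2
    ("32.1.1.0/24", "65002", set()),        # SW2 untagged (finance)
    ("33.1.1.0/24", "65003", {"65003:3"}),  # SW3 OA
    ("43.1.1.0/24", "65003", set()),        # SW3 untagged (finance)
]
# Constructed view of what R5 could export to SW2 (AS 65002).
TO_SW2 = [
    ("11.1.1.0/24", "65001", {"65001:1"}),  # SW1 OA, tagged by SW1
    ("21.1.1.0/24", "65001", set()),        # SW1 untagged (finance)
    ("33.1.1.0/24", "65003", {"65003:3"}),
    ("43.1.1.0/24", "65003", set()),
]
# Hypothetical route from AS 165002, whose number merely ends in "65002".
LOOKALIKE = [("192.0.2.0/24", "165002", set())]

R1_POLICY = finance_policy("65002$", "65002:2")
R5_POLICY = finance_policy("65001$", "65001:1")

if __name__ == "__main__":
    print("R1 -> SW1:", advertised(R1_POLICY, TO_SW1))
    print("R5 -> SW2:", advertised(R5_POLICY, TO_SW2))
    print("65002$   :", advertised(R1_POLICY, LOOKALIKE))
    print("_65002$  :", advertised(finance_policy("_65002$", "65002:2"), LOOKALIKE))
```
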

SW1

interface Vlanif1
ip address 10.0.11.2 255.255.255.0

interface GigabitEthernet0/0/1
port link-type access

interface LoopBack0
ip address 11.1.1.1 255.255.255.0

interface LoopBack1
ip address 21.1.1.1 255.255.255.0

bgp 65001
peer 10.0.11.1 as-number 65100
peer 10.0.11.1 password cipher admin

ipv4-family unicast
undo synchronization
network 11.0.0.0
network 11.1.1.0 255.255.255.0
network 21.1.1.0 255.255.255.0
peer 10.0.11.1 enable
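peer 10.0.11.1 route-policy attr export // apply the policy when advertising to the peer
peer 10.0.11.1 advertise-community // enable BGP community attribute advertisement

route-policy attr permit node 10 // match the OA segment
if-match ip-prefix com
apply community 65001:1 // tag it with the community

route-policy attr permit node 20 // permit everything else

ip ip-prefix com index 10 permit 11.1.1.0 24 // prefix list that matches the OA data segment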

SW2

interface Vlanif1
ip address 10.0.52.2 255.255.255.0

interface MEth0/0/1

interface GigabitEthernet0/0/1
port link-type access

interface LoopBack0
ip address 22.1.1.1 255.255.255.0

interface LoopBack1
ip address 32.1.1.1 255.255.255.0

bgp 65002
peer 10.0.52.5 as-number 65100
peer 10.0.52.5 password cipher admin

ipv4-family unicast
undo synchronization
network 22.1.1.0 255.255.255.0
network 32.1.1.0 255.255.255.0
peer 10.0.52.5 enable
peer 10.0.52.5 route-policy attr export
peer 10.0.52.5 advertise-community

route-policy attr permit node 10
if-match ip-prefix com
apply community 65002:2

route-policy attr permit node 20

ip ip-prefix com index 10 permit 22.1.1.0 24

SW3

interface Vlanif1
ip address 10.0.33.1 255.255.255.0

interface MEth0/0/1

interface GigabitEthernet0/0/1
port link-type access

interface LoopBack0
ip address 33.1.1.1 255.255.255.0

interface LoopBack1
ip address 43.1.1.1 255.255.255.0

bgp 65003
peer 10.0.33.3 as-number 65100
peer 10.0.33.3 password cipher Q`OT=C0XP2sPddVIN=17t&I#

ipv4-family unicast
undo synchronization
network 33.1.1.0 255.255.255.0
network 43.1.1.0 255.255.255.0
peer 10.0.33.3 enable
peer 10.0.33.3 route-policy attr export
peer 10.0.33.3 advertise-community

route-policy attr permit node 10
if-match ip-prefix com
apply community 65003:3

route-policy attr permit node 20

ip ip-prefix com index 10 permit 33.1.1.0 24
