
vyos配置命令_vyos配置脚本

vyos配置脚本

H3-R4
R4-R2/R4-R3
R2-R1-H1/R3-R5-H2

su vyos
$ configure
# set system host-name R1
# commit
# save
# exit

R1
$ configure
# set interfaces ethernet eth1 address 10.0.0.1/24
# set interfaces ethernet eth2 address 192.168.1.1/24
# set interfaces loopback lo address 1.1.1.1/32
# commit
# save
# exit

R2
# set interfaces ethernet eth1 address 10.0.0.2/24
# set interfaces ethernet eth2 address 30.0.0.1/24
# set interfaces ethernet eth3 address 40.0.0.2/24
# set interfaces loopback lo address 2.2.2.2/32
# commit
# save
# exit

R3
# set interfaces ethernet eth1 address 30.0.0.2/24
# set interfaces ethernet eth2 address 50.0.0.2/24
# set interfaces ethernet eth3 address 20.0.0.2/24
# set interfaces loopback lo address 3.3.3.3/32
# commit
# save
# exit

R4
# set interfaces ethernet eth1 address 50.0.0.1/24
# set interfaces ethernet eth2 address 40.0.0.1/24
# set interfaces ethernet eth3 address 60.0.0.1/24
# set interfaces loopback lo address 4.4.4.4/32
# commit
# save
# exit

R5
# set interfaces ethernet eth1 address 20.0.0.1/24
# set interfaces ethernet eth2 address 192.168.0.1/24
# set interfaces loopback lo address 5.5.5.5/32
# commit
# save
# exit

R1
DHCP
$ configure
# set service dhcp-server shared-network-name 'LAN' subnet '192.168.1.0/24' start '192.168.1.10' stop '192.168.1.254'
# set service dhcp-server shared-network-name 'LAN' subnet '192.168.1.0/24' domain-name 'internal-net'
# set service dhcp-server shared-network-name 'LAN' subnet '192.168.1.0/24' lease 86400
# commit

H1
# dhclient ens4
///
IP
# ifconfig ens4 192.168.1.10 netmask 255.255.255.0

R2
OSPF
$ configure
# set protocols ospf area 0 network 30.0.0.0/24
# set protocols ospf area 0 network 40.0.0.0/24
# set protocols ospf area 0 network 2.2.2.2/32
# commit
# save

R3
$ configure
# set protocols ospf area 0 network 30.0.0.0/24
# set protocols ospf area 0 network 50.0.0.0/24
# set protocols ospf area 0 network 3.3.3.3/32
# commit
# save

R4
$ configure
# set protocols ospf area 0 network 40.0.0.0/24
# set protocols ospf area 0 network 50.0.0.0/24
# set protocols ospf area 0 network 60.0.0.0/24
# set protocols ospf area 0 network 4.4.4.4/32
# commit
# save

run show ip route

ping 60.0.0.2 -c 3

R2
BGP
$ configure
# set protocols bgp 100 neighbor 3.3.3.3 remote-as 100
# set protocols bgp 100 neighbor 3.3.3.3 update-source 2.2.2.2
# set protocols bgp 100 neighbor 3.3.3.3 nexthop-self

# set protocols bgp 100 neighbor 4.4.4.4 remote-as 100
# set protocols bgp 100 neighbor 4.4.4.4 update-source 2.2.2.2
# set protocols bgp 100 neighbor 4.4.4.4 nexthop-self
# commit

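eBGP
(10.0.0.1 is directly connected on eth1, so ebgp-multihop is not needed for this session; without it the default TTL of 1 keeps the eBGP session limited to the directly connected neighbor)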
# set protocols bgp 100 neighbor 10.0.0.1 remote-as 200
# set protocols bgp 100 neighbor 10.0.0.1 update-source 10.0.0.2
# set protocols bgp 100 neighbor 10.0.0.1 ebgp-multihop 2
# commit

OSPF-BGP
# set protocols bgp 100 redistribute connected metric 1
# set protocols bgp 100 redistribute ospf metric 2
# commit
# save

R1-Host-AS200
eBGP
# set protocols bgp 200 neighbor 10.0.0.2 remote-as 100
# set protocols bgp 200 neighbor 10.0.0.2 update-source 10.0.0.1
# set protocols bgp 200 neighbor 10.0.0.2 ebgp-multihop 2
# commit
# save

R4-Host-AS100
$ configure
# set protocols bgp 100 neighbor 2.2.2.2 remote-as 100
# set protocols bgp 100 neighbor 2.2.2.2 update-source 4.4.4.4

# set protocols bgp 100 neighbor 3.3.3.3 remote-as 100
# set protocols bgp 100 neighbor 3.3.3.3 update-source 4.4.4.4
# commit

R3-AS100
$ configure
# set protocols bgp 100 neighbor 2.2.2.2 remote-as 100
# set protocols bgp 100 neighbor 2.2.2.2 update-source 3.3.3.3
# set protocols bgp 100 neighbor 2.2.2.2 nexthop-self

# set protocols bgp 100 neighbor 4.4.4.4 remote-as 100
# set protocols bgp 100 neighbor 4.4.4.4 update-source 3.3.3.3
# set protocols bgp 100 neighbor 4.4.4.4 nexthop-self
# commit

eBGP
# set protocols bgp 100 neighbor 20.0.0.1 remote-as 300
# set protocols bgp 100 neighbor 20.0.0.1 update-source 20.0.0.2
# set protocols bgp 100 neighbor 20.0.0.1 ebgp-multihop 2
# commit

# set protocols bgp 100 redistribute connected metric 1
# set protocols bgp 100 redistribute ospf metric 2
# commit
# save

OSPF-BGP
# set protocols bgp 100 redistribute connected metric 1
# set protocols bgp 100 redistribute ospf metric 2
# commit
# save

R5-Host-AS300
eBGP
# set protocols bgp 300 neighbor 20.0.0.2 remote-as 100
# set protocols bgp 300 neighbor 20.0.0.2 update-source 20.0.0.1
# set protocols bgp 300 neighbor 20.0.0.2 ebgp-multihop 2
# commit
# save

NAT
R1
# set nat source rule 100 outbound-interface eth1
# set nat source rule 100 source address 192.168.1.0/24
# set nat source rule 100 translation address masquerade
# commit
# save

R5
# set nat source rule 100 outbound-interface eth1
# set nat source rule 100 source address 192.168.0.0/24
# set nat source rule 100 translation address masquerade
# commit
# save

show nat

HOST-ROUTE
route add -net 20.0.0.0/24 gw 60.0.0.1

vim /etc/netplan/00-installer-config.yaml
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens33:
      dhcp4: true
      nameservers:
              addresses: [192.168.23.152]
      routes:
              - to: 10.10.10.0/24
                via: 192.168.23.2
  version: 2
netplan apply

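VPN
(IPsec site-to-site between R5 and R1, protecting 192.168.0.0/24 <-> 192.168.1.0/24. The values below are lab settings: the pre-shared secret 'openlab' is short and guessable, and ikev1 with sha1 are legacy choices. Outside the lab, use a long random pre-shared secret, identical on both peers, and prefer key-exchange 'ikev2' with hash 'sha256' on both sides.)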
R5
# set vpn ipsec esp-group office-srv-esp compression 'disable'
# set vpn ipsec esp-group office-srv-esp lifetime '1800'
# set vpn ipsec esp-group office-srv-esp mode 'tunnel'
# set vpn ipsec esp-group office-srv-esp pfs 'enable'
# set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
# set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'

# set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
# set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
# set vpn ipsec ike-group office-srv-ike lifetime '3600'
# set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
# set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'

# set vpn ipsec ipsec-interfaces interface 'eth1'

# set vpn ipsec site-to-site peer 10.0.0.1 authentication mode 'pre-shared-secret'
# set vpn ipsec site-to-site peer 10.0.0.1 authentication pre-shared-secret 'openlab'
# set vpn ipsec site-to-site peer 10.0.0.1 ike-group 'office-srv-ike'
# set vpn ipsec site-to-site peer 10.0.0.1 local-address '20.0.0.1'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 allow-nat-networks 'disable'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 allow-public-networks 'disable'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 esp-group 'office-srv-esp'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 local prefix '192.168.0.0/24'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 remote prefix '192.168.1.0/24'
# show vpn ipsec site-to-site peer 10.0.0.1

R1
# set vpn ipsec esp-group office-srv-esp compression 'disable'
# set vpn ipsec esp-group office-srv-esp lifetime '1800'
# set vpn ipsec esp-group office-srv-esp mode 'tunnel'
# set vpn ipsec esp-group office-srv-esp pfs 'enable'
# set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
# set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'

# set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
# set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
# set vpn ipsec ike-group office-srv-ike lifetime '3600'
# set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
# set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'

# set vpn ipsec ipsec-interfaces interface 'eth1'

# set vpn ipsec site-to-site peer 20.0.0.1 authentication mode 'pre-shared-secret'
# set vpn ipsec site-to-site peer 20.0.0.1 authentication pre-shared-secret 'openlab'
# set vpn ipsec site-to-site peer 20.0.0.1 ike-group 'office-srv-ike'
# set vpn ipsec site-to-site peer 20.0.0.1 local-address '10.0.0.1'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 allow-nat-networks 'disable'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 allow-public-networks 'disable'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 esp-group 'office-srv-esp'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 local prefix '192.168.1.0/24'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 remote prefix '192.168.0.0/24'
# show vpn ipsec site-to-site peer 20.0.0.1

run show vpn ike sa
run show vpn ipsec sa

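R1-del-NAT
(NAT exemption for the VPN: rule 99 is evaluated before masquerade rule 100 and excludes traffic to the remote subnet 192.168.0.0/24 from source NAT, so packets keep their 192.168.1.0/24 source address and still match the tunnel's local/remote prefixes)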
# set nat source rule 99 outbound-interface eth1
# set nat source rule 99 destination address 192.168.0.0/24
# set nat source rule 99 exclude
# commit
# show nat source rule 99

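R5-del-NAT
(NAT exemption for the VPN: rule 99 is evaluated before masquerade rule 100 and excludes traffic to 192.168.1.0/24 from source NAT, so it still matches the tunnel's local/remote prefixes)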
# set nat source rule 99 outbound-interface eth1
# set nat source rule 99 destination address 192.168.1.0/24
# set nat source rule 99 exclude
# commit
# show nat source rule 99
