H3C devices use HWTACACS for authentication. HWTACACS is H3C's implementation of TACACS+, so it is able to talk to a standard TACACS+ server. The configuration for the H3C devices is as below.
###tacacs configuration
hwtacacs scheme hwtac
primary authentication 123.123.123.123 <--- the IP address of the TACACS+ server
primary authorization 123.123.123.123 <--- most of the time the same server as authentication
primary accounting 123.123.123.123 <--- depends on the setup; if there is a dedicated accounting server, put its IP address here
key authentication KEY <--- the shared secret; it must match the key configured on the TACACS+ server exactly, and it is case sensitive (every character must be identical to the server's key). Use a long random key and share it only with the server; TACACS+ uses this key only to obfuscate the packet body, not to encrypt it, so keep the device-to-server traffic on a trusted management network.
key authorization KEY
key accounting KEY
user-name-format without-domain
domain 1
authentication login hwtacacs-scheme hwtac
authorization login hwtacacs-scheme hwtac
accounting login hwtacacs-scheme hwtac
access-limit disable
state active
idle-cut disable
self-service-url disable
domain default enable 1
###end of configuration
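The "key must match exactly" rule above follows from how TACACS+ uses the shared secret: the packet body is XORed with an MD5-derived pad built from the session ID, the key, the version byte and the sequence number (RFC 8907 section 4.5). The Python below is an added example, not code from the original post or from H3C. It implements that pad, builds a constructed authentication START body for a made-up user "admin" on port "vty0", and shows that a server configured with "key" cannot decode what a device sends with "KEY". The session ID, user, port and address values are assumptions for illustration only.

```python
import hashlib

# Added example (not from the original post or from H3C): TACACS+ body obfuscation
# as specified in RFC 8907 section 4.5, used to show why the "key" on the device
# and on the TACACS+ server must match byte for byte.

TACACS_VERSION = 0xC0  # major version 0xC, minor version 0, packed into one header byte


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pseudo-random pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), concatenated and truncated."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
              version: int = TACACS_VERSION) -> bytes:
    """XOR the packet body with the pad. Applying it twice with the same
    parameters returns the original body, so the server uses the same function."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Constructed authentication START body (RFC 8907 section 5.1):
    action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1),
    then the four length fields and the variable-length fields (data is empty)."""
    header = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0])
    return header + user + port + rem_addr


# Assumed sample values for the demonstration (not from the post).
SAMPLE_BODY = authen_start_body(b"admin", b"vty0", b"10.0.0.5")
SAMPLE_SESSION_ID = 0x1234ABCD


def server_sees(device_key: bytes, server_key: bytes) -> bytes:
    """Body the server recovers when the device sent SAMPLE_BODY under device_key
    and the server de-obfuscates with server_key."""
    wire = obfuscate(SAMPLE_BODY, SAMPLE_SESSION_ID, device_key)
    return obfuscate(wire, SAMPLE_SESSION_ID, server_key)


def keys_match(device_key: bytes, server_key: bytes) -> bool:
    """True only if the server recovers the exact body the device sent."""
    return server_sees(device_key, server_key) == SAMPLE_BODY


if __name__ == "__main__":
    print("KEY / KEY :", keys_match(b"KEY", b"KEY"))   # True: same key, body decodes
    print("KEY / key :", keys_match(b"KEY", b"key"))   # False: case mismatch, server gets garbage
    print("garbage   :", server_sees(b"KEY", b"key").hex())
```

Because the pad is only XORed in, any packet whose body is predictable leaks the pad for that session ID and sequence number (obfuscating an all-zero body returns the pad itself). That is why RFC 8907 calls this obfuscation rather than encryption, and why the link between the H3C device and the TACACS+ server belongs on a management network rather than a path an attacker can sniff.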
I will draw the network diagram and upload it later.
Sunday, July 15, 2012
Friday, July 13, 2012
H3C Router - BGP single router with 2 different AS numbers
This is an example of using an H3C router to peer with 2 Autonomous Systems, i.e. 2 different ISPs.
The diagram is as below.
Router A connects to 2 different ISPs, ISP A and ISP B. The internal network advertised into BGP is 192.168.0.0/21. This is an example of a router that receives the full Internet routing table from both ISPs and therefore has to filter what it advertises, so that Router A does not become a transit router between the two ISPs. The export route-policies permit only the Company-A prefix; every other route, including everything learned from the other ISP, is dropped by the implicit deny at the end of the route-policy. The inbound route-policies accept routes whose AS path starts with the neighbour's AS number, and the ISP-A inbound policy additionally sets cost (MED) 100 on the routes learned from ISP-A. The static route for 192.168.0.0/21 to NULL0 keeps the aggregate in the routing table so the network command always has something to advertise.
[Router A]dis cu
#
version 5.20, Release 2420P03
#
sysname Router A
#
domain default enable system
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
interface Serial1/0
link-protocol ppp
#
interface Serial1/1
link-protocol ppp
#
interface NULL0
#
interface GigabitEthernet0/0
#
interface GigabitEthernet0/1
#
interface GigabitEthernet0/2
#
interface GigabitEthernet0/3
#
bgp 10
router-id 1.1.1.1
network 192.168.0.0 255.255.248.0
undo synchronization
peer 10.10.10.10 as-number 20
peer 20.20.20.20 as-number 30
group 20 external
peer 10.10.10.10 group 20
peer 10.10.10.10 description Connection to ISP-A
peer 10.10.10.10 route-policy ISP-A-outbound export
peer 10.10.10.10 route-policy ISP-A-inbound import
group 30 external
peer 20.20.20.20 group 30
peer 20.20.20.20 description Connection to ISP-B
peer 20.20.20.20 route-policy ISP-B-outbound export
peer 20.20.20.20 route-policy ISP-B-inbound import
#
route-policy ISP-B-outbound permit node 10
if-match ip-prefix Company-A
route-policy ISP-A-inbound permit node 10
if-match as-path 20
apply cost 100
route-policy ISP-B-inbound permit node 10
if-match as-path 30
route-policy ISP-A-outbound permit node 10
if-match ip-prefix Company-A
#
ip ip-prefix Company-A index 10 permit 192.168.0.0 21
#
ip as-path 20 permit ^20_
ip as-path 30 permit ^30_
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.10
ip route-static 0.0.0.0 0.0.0.0 20.20.20.20
ip route-static 192.168.0.0 255.255.248.0 NULL0
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
[Router A]
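To see what the export route-policies in the configuration above actually do, here is a small Python model of Router A's policy objects. It is an added example, not code from the original post or from H3C: it transcribes ip-prefix Company-A, the as-path regexes ^20_ and ^30_ and the four route-policies into data, applies them with Comware's implicit deny at the end of a route-policy, and compares what Router A would advertise to ISP-B with and without the export policy. The sample routes (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24 and their AS paths) are constructed documentation prefixes, and BGP best-path selection is skipped, so both ISPs' copies of a prefix stay in the table.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Added example, not code from the original post: a model of Router A's
# route-policy / ip-prefix / as-path objects to show why the router does not
# become a transit AS between ISP-A (AS 20) and ISP-B (AS 30).


@dataclass(frozen=True)
class Route:
    prefix: str               # e.g. "192.168.0.0/21"
    as_path: Tuple[int, ...]  # AS numbers as received, e.g. (20, 64496); () for a local route
    cost: int = 0             # MED, the attribute that "apply cost" changes


# Policy objects transcribed from the Router A configuration.
IP_PREFIX = {"Company-A": ["192.168.0.0/21"]}  # no greater-equal/less-equal, so exact match only
AS_PATH = {"20": r"^20_", "30": r"^30_"}
ROUTE_POLICY = {
    "ISP-A-outbound": [dict(ip_prefix="Company-A")],
    "ISP-B-outbound": [dict(ip_prefix="Company-A")],
    "ISP-A-inbound":  [dict(as_path="20", apply_cost=100)],
    "ISP-B-inbound":  [dict(as_path="30")],
}


def as_path_matches(regex: str, path: Tuple[int, ...]) -> bool:
    """Comware/Cisco style AS-path regex: '_' matches start, end or a separator."""
    pattern = regex.replace("_", r"(?:^|$|\s)")
    return re.search(pattern, " ".join(str(asn) for asn in path)) is not None


def apply_policy(name: Optional[str], route: Route) -> Optional[Route]:
    """Run one route-policy over one route. All nodes in the post's config are
    permit nodes; a route that matches no node hits the implicit deny and is dropped.
    name=None models a peer with no route-policy applied (everything passes)."""
    if name is None:
        return route
    for node in ROUTE_POLICY[name]:
        if "ip_prefix" in node and route.prefix not in IP_PREFIX[node["ip_prefix"]]:
            continue
        if "as_path" in node and not as_path_matches(AS_PATH[node["as_path"]], route.as_path):
            continue
        if "apply_cost" in node:
            route = replace(route, cost=node["apply_cost"])
        return route
    return None


def build_rib(local: List[Route], from_a: List[Route], from_b: List[Route]) -> List[Route]:
    """Local routes plus whatever survives each peer's import policy."""
    rib = list(local)
    rib += [r for r in (apply_policy("ISP-A-inbound", x) for x in from_a) if r is not None]
    rib += [r for r in (apply_policy("ISP-B-inbound", x) for x in from_b) if r is not None]
    return rib


def advertised(rib: List[Route], export_policy: Optional[str]) -> List[str]:
    """Prefixes that would leave the router towards a peer under the given export policy."""
    return sorted({r.prefix for r in rib if apply_policy(export_policy, r) is not None})


# Constructed sample routes (documentation prefixes, not from the post).
LOCAL = [Route("192.168.0.0/21", ())]
FROM_A = [Route("203.0.113.0/24", (20, 64496)), Route("198.51.100.0/24", (20, 64497))]
FROM_B = [Route("198.51.100.0/24", (30, 64497)), Route("192.0.2.0/24", (30, 64498))]
RIB = build_rib(LOCAL, FROM_A, FROM_B)

if __name__ == "__main__":
    print("to ISP-B with ISP-B-outbound :", advertised(RIB, "ISP-B-outbound"))
    print("to ISP-B with no export policy:", advertised(RIB, None))
```

With the policy applied, the only prefix that leaves towards either ISP is 192.168.0.0/21; without it, the full table learned from ISP-A would be re-advertised to ISP-B (and vice versa), which is exactly the transit situation the post wants to avoid. Note that the ip-prefix entry matches the /21 exactly, so a more specific such as 192.168.1.0/24 would not be advertised unless it is added to the list.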