FITELnet: Furukawa Electric's brand of network equipment
Configuration example
Floating static routing with BGP and static routes
F200
Description
The primary path uses EBGP; when the EBGP route disappears, traffic switches to the backup line (a static route with administrative distance 250).
Network configuration
Command configuration

Router A

ip route 192.168.2.0 255.255.255.0 connected ipsecif 1 250
ip route 203.0.113.25 255.255.255.255 dialer 1 250
access-list 1 permit any
proxydns mode v4
vpn enable
vpnlog enable
ipsec access-list 1 ipsec ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ipsec access-list 128 bypass ip any any
ipsec transform-set aes256-sha esp-aes-256 esp-sha-hmac
service dhcp-server
hostname Router_A
ip dhcp pool lan 1
 dns-server 0.0.0.0
 default-router 0.0.0.0
exit
interface dialer 1
 max-call off
 ip nat inside source list 1 interface
 caller ********
 ppp account ********@*****.ne.jp ***
exit
interface ewan 1
 ip address 192.0.2.6 255.255.255.252
exit
interface ipsecif 1
 crypto map map1
exit
interface lan 1
 ip address 192.168.1.1 255.255.255.0
exit
interface modem 1
 idle-timer send off
 idle-timer receive off
 forced disconnect packet off
 forced disconnect cumulative-time off
 auto connect on continuous
 physical-layer usb 1
exit
crypto isakmp policy 1
 authentication prekey
 encryption aes 256
 hash sha
 key ascii secret1
 lifetime 86400
 my-identity Router_A
 negotiation-mode aggressive
 peer-identity address 203.0.113.25
exit
crypto map map1 1
 match address 1
 set peer address 203.0.113.25
 set security-association lifetime seconds 28800
 set security-association always-up
 set transform-set aes256-sha
exit
router bgp 65000
 neighbor 192.0.2.5 remote-as 65001
 network 192.0.2.4 255.255.255.252
 redistribute connected
exit
end

Router B

ip route 0.0.0.0 0.0.0.0 pppoe 1 250
ip route 192.168.1.0 255.255.255.0 connected ipsecif 1 250
access-list 1 permit any
proxydns mode v4
vpn enable
vpnlog enable
ipsec access-list 1 ipsec ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ipsec access-list 128 bypass ip any any
ipsec transform-set aes256-sha esp-aes-256 esp-sha-hmac
service dhcp-server
hostname Router_B
ip dhcp pool lan 1
 dns-server 0.0.0.0
 default-router 0.0.0.0
exit
interface ewan 1
 ip address 192.0.2.2 255.255.255.252
exit
interface ipsecif 1
 crypto map map1
exit
interface lan 1
 ip address 192.168.2.1 255.255.255.0
exit
interface pppoe 1
 ip address 203.0.113.25
 ip nat inside source list 1 interface
 pppoe server test1
 pppoe account ********@***.***.ne.jp ******
 pppoe interface ewan 2
exit
crypto isakmp policy 1
 authentication prekey
 encryption aes 256
 hash sha
 key ascii secret1
 lifetime 86400
 negotiation-mode aggressive
 peer-identity host Router_A
exit
crypto map map1 1
 match address 1
 set peer host Router_A
 set security-association lifetime seconds 28800
 set transform-set aes256-sha
exit
router bgp 65002
 neighbor 192.0.2.1 remote-as 65001
 network 192.0.2.0 255.255.255.252
 redistribute connected
exit
end
Configuration procedure

Router A

Setting (the screen display example follows as a terminal session)
- Enter privileged user mode (enable)
- Enter the password
- Initialize the configuration (clear working.cfg)
- Change to configuration mode (configure terminal)
- Enter the configuration
  ※1: the "caller" and "ppp account" lines on interface dialer 1
  ※2: the "auto connect on continuous" line on interface modem 1
  ※3: the "set security-association always-up" line in crypto map map1
- Save the configuration (save SIDE-A)
- Restart the device (reset)
Router>enable
Enter password:
Router#
Router#clear working.cfg
Router#
Router#configure terminal
Router(config)#ip route 192.168.2.0 255.255.255.0 connected ipsecif 1 250
Router(config)#ip route 203.0.113.25 255.255.255.255 dialer 1 250
Router(config)#access-list 1 permit any
Router(config)#proxydns mode v4
Router(config)#vpn enable
Router(config)#vpnlog enable
Router(config)#ipsec access-list 1 ipsec ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Router(config)#ipsec access-list 128 bypass ip any any
Router(config)#ipsec transform-set aes256-sha esp-aes-256 esp-sha-hmac
Router(config)#service dhcp-server
Router(config)#hostname Router_A
Router_A(config)#ip dhcp pool lan 1
Router_A(config-dhcp-pool)# dns-server 0.0.0.0
Router_A(config-dhcp-pool)# default-router 0.0.0.0
Router_A(config-dhcp-pool)#exit
Router_A(config)#interface dialer 1
Router_A(config-if dialer 1)# max-call off
Router_A(config-if dialer 1)# ip nat inside source list 1 interface
Router_A(config-if dialer 1)# caller ********
Router_A(config-if dialer 1)# ppp account ********@*****.ne.jp ***
Router_A(config-if dialer 1)#exit
Router_A(config)#interface ewan 1
Router_A(config-if ewan 1)# ip address 192.0.2.6 255.255.255.252
Router_A(config-if ewan 1)#exit
Router_A(config)#interface ipsecif 1
Router_A(config-if ipsecif 1)# crypto map map1
Router_A(config-if ipsecif 1)#exit
Router_A(config)#interface lan 1
Router_A(config-if lan 1)# ip address 192.168.1.1 255.255.255.0
Router_A(config-if lan 1)#exit
Router_A(config)#interface modem 1
Router_A(config-if modem 1)# idle-timer send off
Router_A(config-if modem 1)# idle-timer receive off
Router_A(config-if modem 1)# forced disconnect packet off
Router_A(config-if modem 1)# forced disconnect cumulative-time off
Router_A(config-if modem 1)# auto connect on continuous
Router_A(config-if modem 1)# physical-layer usb 1
Router_A(config-if modem 1)#exit
Router_A(config)#crypto isakmp policy 1
Router_A(config-isakmp)# authentication prekey
Router_A(config-isakmp)# encryption aes 256
Router_A(config-isakmp)# hash sha
Router_A(config-isakmp)# key ascii secret1
Router_A(config-isakmp)# lifetime 86400
Router_A(config-isakmp)# my-identity Router_A
Router_A(config-isakmp)# negotiation-mode aggressive
Router_A(config-isakmp)# peer-identity address 203.0.113.25
Router_A(config-isakmp)#exit
Router_A(config)#crypto map map1 1
Router_A(config-crypto-map)# match address 1
Router_A(config-crypto-map)# set peer address 203.0.113.25
Router_A(config-crypto-map)# set security-association lifetime seconds 28800
Router_A(config-crypto-map)# set security-association always-up
Router_A(config-crypto-map)# set transform-set aes256-sha
Router_A(config-crypto-map)#exit
Router_A(config)#router bgp 65000
Router_A(config-bgp)# neighbor 192.0.2.5 remote-as 65001
Router_A(config-bgp)# network 192.0.2.4 255.255.255.252
Router_A(config-bgp)# redistribute connected
Router_A(config-bgp)#exit
Router_A(config)#
Router_A(config)#end
Router_A#
Router_A#save SIDE-A
% saving working-config
% finished saving

Router_A#reset
Going to reset with SIDE-A.frm and SIDE-A.cfg.
Boot-back not scheduled for next boot.
Next rebooting firmware SIDE-A.frm is fine.
Are you OK to cold start?(y/n)y

※1: Set the dial-up destination phone number, authentication ID and password specified by your carrier.

※2: Setting the "continuous" option makes the router attempt to keep the line connected at all times, regardless of whether there is traffic.

※3: The IPsec interface and the IPsec routes go up and down dynamically as the SA is established and torn down.

Router B

Setting (the screen display example follows as a terminal session)
- Enter privileged user mode (enable)
- Enter the password
- Initialize the configuration (clear working.cfg)
- Change to configuration mode (configure terminal)
- Enter the configuration (※: the "ip address" line on interface pppoe 1)
- Save the configuration (save SIDE-A)
- Restart the device (reset)
Router>enable
Enter password:
Router#
Router#clear working.cfg
Router#
Router#configure terminal
Router(config)#ip route 0.0.0.0 0.0.0.0 pppoe 1 250
Router(config)#ip route 192.168.1.0 255.255.255.0 connected ipsecif 1 250
Router(config)#access-list 1 permit any
Router(config)#proxydns mode v4
Router(config)#vpn enable
Router(config)#vpnlog enable
Router(config)#ipsec access-list 1 ipsec ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Router(config)#ipsec access-list 128 bypass ip any any
Router(config)#ipsec transform-set aes256-sha esp-aes-256 esp-sha-hmac
Router(config)#service dhcp-server
Router(config)#hostname Router_B
Router_B(config)#ip dhcp pool lan 1
Router_B(config-dhcp-pool)# dns-server 0.0.0.0
Router_B(config-dhcp-pool)# default-router 0.0.0.0
Router_B(config-dhcp-pool)#exit
Router_B(config)#interface ewan 1
Router_B(config-if ewan 1)# ip address 192.0.2.2 255.255.255.252
Router_B(config-if ewan 1)#exit
Router_B(config)#interface ipsecif 1
Router_B(config-if ipsecif 1)# crypto map map1
Router_B(config-if ipsecif 1)#exit
Router_B(config)#interface lan 1
Router_B(config-if lan 1)# ip address 192.168.2.1 255.255.255.0
Router_B(config-if lan 1)#exit
Router_B(config)#interface pppoe 1
Router_B(config-if pppoe 1)# ip address 203.0.113.25
Router_B(config-if pppoe 1)# ip nat inside source list 1 interface
Router_B(config-if pppoe 1)# pppoe server test1
Router_B(config-if pppoe 1)# pppoe account ********@***.***.ne.jp ******
Router_B(config-if pppoe 1)# pppoe interface ewan 2
Router_B(config-if pppoe 1)#exit
Router_B(config)#crypto isakmp policy 1
Router_B(config-isakmp)# authentication prekey
Router_B(config-isakmp)# encryption aes 256
Router_B(config-isakmp)# hash sha
Router_B(config-isakmp)# key ascii secret1
Router_B(config-isakmp)# lifetime 86400
Router_B(config-isakmp)# negotiation-mode aggressive
Router_B(config-isakmp)# peer-identity host Router_A
Router_B(config-isakmp)#exit
Router_B(config)#crypto map map1 1
Router_B(config-crypto-map)# match address 1
Router_B(config-crypto-map)# set peer host Router_A
Router_B(config-crypto-map)# set security-association lifetime seconds 28800
Router_B(config-crypto-map)# set transform-set aes256-sha
Router_B(config-crypto-map)#exit
Router_B(config)#router bgp 65002
Router_B(config-bgp)# neighbor 192.0.2.1 remote-as 65001
Router_B(config-bgp)# network 192.0.2.0 255.255.255.252
Router_B(config-bgp)# redistribute connected
Router_B(config-bgp)#exit
Router_B(config)#
Router_B(config)#end
Router_B#
Router_B#save SIDE-A
% saving working-config
% finished saving

Router_B#reset
Going to reset with SIDE-A.frm and SIDE-A.cfg.
Boot-back not scheduled for next boot.
Next rebooting firmware SIDE-A.frm is fine.
Are you OK to cold start?(y/n)y

※: Set the IP address according to your fixed IP address contract.

Checking the configuration 1

Check the BGP routing information (Router A).

Check: display the BGP routing information (show ip bgp). Screen display example:
Router_A#show ip bgp
BGP table version is 0, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, p stale, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

    Network            Next Hop      Metric    LocPrf   Weight  Path
*>  198.51.100.144/32  192.0.2.5                             0  65001 65002 ?
*>  203.0.113.22/32    0.0.0.0            0              32768  ?
*>  192.0.2.0/30       192.0.2.5                             0  65001 i
*   192.0.2.4/30       192.0.2.5                             0  65001 i
*>                     0.0.0.0            0              32768  ?
*                      0.0.0.0                           32768  i
*>  192.168.1.0        0.0.0.0            0              32768  ?
*>  192.168.2.0        192.0.2.5                             0  65001 65002 ?

Total number of prefixes 6

※: Confirm that Router B's LAN network (192.168.2.0/24) is displayed as a BGP route.

Check the BGP routing information (Router B).

Check: display the BGP routing information (show ip bgp). Screen display example:
Router_B#show ip bgp
BGP table version is 0, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, p stale, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

    Network            Next Hop      Metric    LocPrf   Weight  Path
*>  198.51.100.144/32  0.0.0.0            0              32768  ?
*>  203.0.113.22/32    192.0.2.1                             0  65001 65002 ?
*   192.0.2.0/30       192.0.2.1                             0  65001 i
*>                     0.0.0.0            0              32768  ?
*                      0.0.0.0                           32768  i
*>  192.0.2.4/30       192.0.2.1                             0  65001 i
*>  192.168.1.0        192.0.2.1                             0  65001 65000 ?
*>  192.168.2.0        0.0.0.0            0              32768  ?

Total number of prefixes 6

※: Confirm that Router A's LAN network (192.168.1.0/24) is displayed as a BGP route.

Checking the configuration 2

Check the neighbor state (Router A).

Check: display the BGP neighbor information (show ip bgp neighbors). ※1 refers to the "BGP neighbor is" line and ※2 to the "BGP state" line. Screen display example:
Router_A#show ip bgp neighbors
BGP neighbor is 192.0.2.5, remote AS 65001, local AS 65000, external link
 BGP version 4, remote router ID 192.0.2.5
 BGP state = Established, up for 03:20:29
 Last read 00:00:29, hold time is 180, keepalive interval is 60 seconds
 Neighbor capabilities:
  Route refresh: advertised and received (old and new)
  Address family IPv4 Unicast: advertised and received
 Received 259 messages, 0 notifications, 0 in queue
 Sent 263 messages, 0 notifications, 0 in queue
 Route refresh request: received 0, sent 0
 Minimum time between advertisement runs is 30 seconds

For address family: IPv4 Unicast
 Index 1, Offset 0, Mask 0x2
 Community attribute sent to this neighbor (both)
 4 accepted prefixes
 3 announced prefixes

 Connections established 2; dropped 1
Local host: 192.0.2.6, Local port: 179
Foreign host: 192.0.2.5, Foreign port: 64595
Nexthop: 192.0.2.6
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Read thread: on Write thread: off

※1: Confirm that Router B's IP address is displayed as the BGP neighbor.

※2: Confirm that the BGP state is Established.

Check the neighbor state (Router B).

Check: display the BGP neighbor information (show ip bgp neighbors). ※1 refers to the "BGP neighbor is" line and ※2 to the "BGP state" line. Screen display example:
Router_B#show ip bgp neighbors
BGP neighbor is 192.0.2.1, remote AS 65001, local AS 65002, external link
 BGP version 4, remote router ID 192.0.2.5
 BGP state = Established, up for 03:20:39
 Last read 00:00:39, hold time is 180, keepalive interval is 60 seconds
 Neighbor capabilities:
  Route refresh: advertised and received (old and new)
  Address family IPv4 Unicast: advertised and received
 Received 212 messages, 0 notifications, 0 in queue
 Sent 220 messages, 0 notifications, 0 in queue
 Route refresh request: received 0, sent 0
 Minimum time between advertisement runs is 30 seconds

For address family: IPv4 Unicast
 Index 1, Offset 0, Mask 0x2
 Community attribute sent to this neighbor (both)
 4 accepted prefixes
 3 announced prefixes

 Connections established 2; dropped 1
Local host: 192.0.2.2, Local port: 179
Foreign host: 192.0.2.1, Foreign port: 64594
Nexthop: 192.0.2.2
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Read thread: on Write thread: off

※1: Confirm that Router A's IP address is displayed as the BGP neighbor.

※2: Confirm that the BGP state is Established.

Checking the configuration 3

Check the routing information (Router A).

Check: display the routing information (show ip route). Screen display example:
Router_A#show ip route
Max entry: 10000 (Commonness in IPv4 and IPv6)
Active entry:9 (IPv4), 2 (IPv6) Peak:10

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF
   B - BGP, I - IKE, U - SA-UP, D - REDUNDANCY, E - EventAction
   A - AutoConfig, > - selected route, * - FIB route, p - stale info.

B> * 203.0.113.13/32 [20/0] via 192.0.2.5, EWAN1, 00:01:17
C> * 127.0.0.0/8 is directly connected, LOOP0
C> * 198.51.100.2/32 is directly connected, DIALER1
B> * 192.0.2.0/30 [20/0] via 192.0.2.5, EWAN1, 03:20:47
C> * 192.0.2.4/30 is directly connected, EWAN1
C> * 192.168.1.0/24 is directly connected, LAN
B> * 192.168.2.0/24 [20/0] via 192.0.2.5, EWAN1, 03:20:47
S    192.168.2.0/24 [250/0] is directly connected, IPSECIF1
S> * 203.0.113.25/32 [250/0] is directly connected, DIALER1

※: Confirm that Router B's LAN network (192.168.2.0/24) is displayed as a BGP route, and that the static route to the same network via IPSECIF1 is present with distance 250 but not selected.

Check the routing information (Router B).
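As an added example (not code from the FITELnet page or from Furukawa Electric), the following Python script parses the "show ip route" lines shown above, applies the floating-static rule (the route with the lowest administrative distance is installed), and reports whether traffic to 192.168.2.0/24 is on the primary BGP path or has failed over to the IPsec backup on IPSECIF1. The route-table format and addresses are taken from this page; the sample text, the function names and the interface name used to recognise the backup path are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines of Router A's "show ip route" output on this
# page. The BGP route (AD 20) is in the FIB; the floating static via IPSECIF1 (AD 250) waits.
SAMPLE_ROUTE_OUTPUT = """\
C> * 192.168.1.0/24 is directly connected, LAN
B> * 192.168.2.0/24 [20/0] via 192.0.2.5, EWAN1, 03:20:47
S    192.168.2.0/24 [250/0] is directly connected, IPSECIF1
S> * 203.0.113.25/32 [250/0] is directly connected, DIALER1
"""

# Protocol code, ">" selected flag, "*" FIB flag, prefix, optional [AD/metric],
# then "via <nexthop>" or "is directly connected", followed by the interface name.
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])(?P<sel>>?)\s+(?P<fib>\*)?\s*(?P<prefix>\d+(?:\.\d+){3}/\d+)"
    r"(?:\s+\[(?P<ad>\d+)/\d+\])?\s+(?:via\s+[^,]+|is directly connected),\s*(?P<iface>\w+)"
)

@dataclass(frozen=True)
class Route:
    proto: str
    prefix: str
    ad: int       # administrative distance (connected routes carry none: 0)
    iface: str
    in_fib: bool  # "*" flag: the entry actually used for forwarding

def parse_routes(text: str) -> list[Route]:
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Route(m["proto"], m["prefix"], int(m["ad"] or 0),
                                m["iface"], m["fib"] == "*"))
    return routes

def select_best(routes: list[Route], prefix: str) -> "Route | None":
    """Floating-static rule: among routes to prefix, the lowest AD is installed."""
    return min((r for r in routes if r.prefix == prefix), key=lambda r: r.ad, default=None)

def path_state(routes: list[Route], prefix: str, backup_iface: str = "IPSECIF1") -> str:
    """'primary' (non-backup route in FIB), 'backup' (floating static in FIB) or 'down'."""
    fib = [r for r in routes if r.prefix == prefix and r.in_fib]
    if not fib:
        return "down"
    return "backup" if fib[0].iface == backup_iface else "primary"

def simulate_bgp_loss(routes: list[Route], prefix: str) -> "Route | None":
    """Drop the BGP route for prefix and re-select: the AD-250 static via IPSECIF1 wins."""
    return select_best([r for r in routes if not (r.proto == "B" and r.prefix == prefix)], prefix)
```

Running path_state periodically against the live output is a simple way to notice a silent failover onto the metered dial-up line, since the router itself reports nothing beyond the changed route table.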

Check: display the routing information (show ip route). Screen display example:
Router_B#show ip route
Max entry: 10000 (Commonness in IPv4 and IPv6)
Active entry:9 (IPv4), 2 (IPv6) Peak:10

Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF
   B - BGP, I - IKE, U - SA-UP, D - REDUNDANCY, E - EventAction
   A - AutoConfig, > - selected route, * - FIB route, p - stale info.

S> * 0.0.0.0/0 [250/0] is directly connected, PPPoE1
C> * 203.0.113.13/32 is directly connected, PPPoE1
C> * 127.0.0.0/8 is directly connected, LOOP0
B> * 198.51.100.2/32 [20/0] via 192.0.2.1, EWAN1, 01:59:46
C> * 192.0.2.0/30 is directly connected, EWAN1
B> * 192.0.2.4/30 [20/0] via 192.0.2.1, EWAN1, 03:21:16
B> * 192.168.1.0/24 [20/0] via 192.0.2.1, EWAN1, 03:21:16
S    192.168.1.0/24 [250/0] is directly connected, IPSECIF1
C> * 192.168.2.0/24 is directly connected, LAN

※: Confirm that Router A's LAN network (192.168.1.0/24) is displayed as a BGP route.

Checking the configuration 4

Confirm that data communication is possible.
Example: from Router_A, run ping 192.168.2.1 source-interface lan 1.

Check: run ping; a ping reply is received. Screen display example:
Router_A#ping 192.168.2.1 source-interface lan 1
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms


All Rights Reserved, Copyright(C) FURUKAWA ELECTRIC CO., LTD. 2012