


3.F100単体冗長、トンネルルート使用 


<設定条件>

設定環境は図のとおり

IPsecおよび冗長の対象とする中継パケット 192.168.3.0/24 ⇔ 192.168.1.0/24
L3監視先IPアドレス 192.168.1.1
拠点側ISDNインタフェースのIPアドレス 192.168.100.3
IPsec Phase1ポリシー Pre-shared Key DES/MD5 Oakley-Group2
IPsec Phase2ポリシー DES/HMAC-MD5 PFS(Group2)


<コマンド操作>

拠点側FITELnet-F100の設定
Router> enable
Enter password: super ←パスワードを入力します。(実際は表示されない)

Router#
Router# configure terminal
!
! NOTE(review): the enable password "super" above, and the pre-shared key and
! PPPoE account further down, are sample values for this example; replace
! every one of them before applying this configuration to a real unit.
!
! Route toward the center peer: a host (/32) route for 192.168.1.1 over pppoe 1.
! The original note calls this the default route; the command itself is a host
! route, and the 0.0.0.0/0 path selection is done by "redundancy
! pathfilter-list 1" further down in this transcript.
!
Router(config)#ip route 192.168.1.1 255.255.255.255 pppoe 1
Router(config)#
!
!
! Access list referenced by NAT ("ip nat inside source list 1" on the dialer
! and pppoe interfaces): the inside addresses are the branch LAN 192.168.3.0/24.
!
Router(config)#access-list 1 permit 192.168.3.0 0.0.0.255
Router(config)#
!
!
! Proxy DNS, IPv4 mode.
!
Router(config)#proxydns mode v4
Router(config)#
!
!
! DHCP server for the LAN pool "lan1". dns-server / default-router 0.0.0.0
! presumably mean "this router's own LAN address" — confirm against the
! product manual.
!
Router(config)#service dhcp-server
Router(config)#
Router(config)#ip dhcp pool lan1
Router(config-dhcp-pool)# dns-server 0.0.0.0
Router(config-dhcp-pool)# default-router 0.0.0.0
Router(config-dhcp-pool)#exit
Router(config)#
!
!
! IPsec VPN settings.
!
! IPsec selectors: list 1 protects 192.168.3.0/24 -> any; list 64 is a
! catch-all "bypass" entry, so traffic not matched by list 1 presumably leaves
! the router unprotected — confirm that is intended for this site.
!
Router(config)#vpn enable
Router(config)#vpnlog enable
Router(config)#ipsec access-list 1 ipsec ip 192.168.3.0 0.0.0.255 any
Router(config)#ipsec access-list 64 bypass ip any any
Router(config)#ipsec transform-set P2-des-md5 esp-des esp-md5-hmac
Router(config)#
!
! IKE Phase 1 toward the center (192.168.1.1): pre-shared key, DES/MD5,
! aggressive mode, this router identified by the user-FQDN "f100kyoten".
! The Oakley group 2 named in the stated policy is not set explicitly here;
! presumably it is the device default — verify.
! NOTE(review): DES, MD5 and aggressive mode with a pre-shared key are used
! because the stated policy requires them; they are weak by current standards,
! and "mucho" is a sample key. On a real deployment use a stronger suite where
! the peer supports it and a long, unique key.
!
Router(config)#crypto isakmp policy 1
Router(config-isakmp)# authentication prekey
Router(config-isakmp)# encryption des
Router(config-isakmp)# hash md5
Router(config-isakmp)# idtype-pre userfqdn
Router(config-isakmp)# key ascii mucho
Router(config-isakmp)# my-identity f100kyoten
Router(config-isakmp)# negotiation-mode aggressive
Router(config-isakmp)# peer-identity address 192.168.1.1
Router(config-isakmp)#exit
Router(config)#
!
! Phase 2: crypto map "kyoten" ties selector list 1, peer 192.168.1.1 and the
! ESP-DES/HMAC-MD5 transform set together; it is bound to "interface pppoe 1"
! further down.
!
Router(config)#crypto map kyoten 1
Router(config-crypto-map)# match address 1
Router(config-crypto-map)# set peer address 192.168.1.1
Router(config-crypto-map)# set transform-set P2-des-md5
Router(config-crypto-map)#exit
Router(config)#
!
!
! Layer-3 path monitoring: probe 192.168.1.1 (the L3 monitoring target from
! the conditions) via pppoe 1, sourced from lan 1. The result is presumably
! what switches "redundancy pathfilter-list 1" (below) between its 1st and
! 2nd paths — confirm against the product manual.
!
Router(config)#redundancy pathcheck-list 1
Router(config-red-pathcheck-list 1)# ip address 192.168.1.1
Router(config-red-pathcheck-list 1)# route pppoe 1
Router(config-red-pathcheck-list 1)# source-interface lan 1
Router(config-red-pathcheck-list 1)#exit
Router(config)# 
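!
!
! Packets subject to redundancy: destination 0.0.0.0 0.0.0.0 (everything),
! primary path pppoe 1, backup path dialer 1 (ISDN), monitored by
! pathcheck-list 1 defined above.
! Fix: the original transcript had "athcheck-list 1", which does not match the
! "redundancy pathcheck-list 1" defined above; the command is "pathcheck-list 1".
!
Router(config)#redundancy pathfilter-list 1
Router(config-red-pathfilter-list 1)# destination 0.0.0.0 0.0.0.0
Router(config-red-pathfilter-list 1)# pathcheck-list 1
Router(config-red-pathfilter-list 1)# 1st pppoe 1
Router(config-red-pathfilter-list 1)# 2nd dialer 1
Router(config-red-pathfilter-list 1)# exit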
!
!
! Dial-up (ISDN) backup path — the "2nd dialer 1" of pathfilter-list 1.
! dialer 1 dials 0123456798 (a sample number) over bri 1; 192.168.100.3 is the
! branch ISDN address from the conditions; NAT with list 1 applies on this
! path as on the PPPoE path.
! NOTE(review): no "crypto map" is bound to dialer 1, so traffic that fails
! over to ISDN is presumably carried without IPsec — confirm this is
! acceptable for the site before relying on the backup path.
!
Router(config)#interface bri 1
Router(config-if bri 1)#exit
Router(config)#
Router(config)#interface dialer 1
Router(config-if dialer 1)# dialer map ip broadcast 0123456798
Router(config-if dialer 1)# dialer interface bri 1
Router(config-if dialer 1)# ip address 192.168.100.3 255.255.255.0
Router(config-if dialer 1)# ip nat inside source list 1 interface
Router(config-if dialer 1)#exit
Router(config)#
!
!
! LAN-side IP address (192.168.3.1 in the protected 192.168.3.0/24).
!
Router(config)#interface lan 1
Router(config-if lan 1)# ip address 192.168.3.1 255.255.255.0
Router(config-if lan 1)#exit
Router(config)#
!
!
! PPPoE uplink (primary path): IPsec (crypto map kyoten) and NAT are bound
! here. Server name, account and password are sample values.
!
Router(config)#interface pppoe 1

Router(config-if pppoe 1)# crypto map kyoten
Router(config-if pppoe 1)# ip nat inside source list 1 interface
Router(config-if pppoe 1)# pppoe server ProviderA
Router(config-if pppoe 1)# pppoe account user@xxxx.ne.jp secret
Router(config-if pppoe 1)# pppoe type host
Router(config-if pppoe 1)# exit
!
! Leave configuration mode and save the working config as SIDE-A.cfg.
!
Router(config)#end
Router# save SIDE-A.cfg
% saving working-config
% finished saving



<センター側FITELnet-F100の設定>
"clear working.cfg"実行後、以下の設定を貼り付けてください。
!
! Center-side FITELnet-F100 configuration (paste after "clear working.cfg").
!
! Static routes: the branch LAN via pppoe 1; the branch ISDN subnet
! 192.168.100.0/24 via the E30 (192.168.1.2); everything else via 192.168.1.3,
! a gateway that is not shown in this example.
!
ip route 192.168.3.0 255.255.255.0 pppoe 1
ip route 192.168.100.0 255.255.255.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.3

!
! NAT inside list: the center LAN 192.168.1.0/24.
!
access-list 1 permit 192.168.1.0 0.0.0.255

proxydns mode v4
vpn enable
vpnlog enable

!
! IPsec selector: protect any -> 192.168.3.0/24 (mirror of the branch side).
! Unlike the branch, no catch-all "bypass" list is configured here; check in
! the product manual how unmatched traffic is handled and that it is intended.
!
ipsec access-list 1 ipsec ip any 192.168.3.0 0.0.0.255
ipsec transform-set P2-des-md5 esp-des esp-md5-hmac

service dhcp-server

hostname F100_1

ip dhcp pool lan1
dns-server 0.0.0.0
default-router 0.0.0.0
exit
!
! LAN 192.168.1.1/24. RIPv1 is accepted on this interface — presumably the
! routes the E30 advertises with "ipripstatic" (see its config); RIPv1 carries
! no authentication, so keep it limited to the LAN as here.
!
interface lan 1
ip address 192.168.1.1 255.255.255.0
ip rip receive version 1
exit
!
! PPPoE uplink with IPsec and NAT bound. The account is a sample value; the
! branch example shows "pppoe account <user> <password>", so presumably a
! password belongs here as well — verify.
!
interface pppoe 1
crypto map kyoten
ip nat inside source list 1 interface
pppoe server A-Provider
pppoe account f100@furukawa.co.jp
pppoe type host
exit

!
! IKE Phase 1: the branch is identified by its user-FQDN "f100kyoten"
! (matching the branch's "my-identity"), which is what allows aggressive
! mode toward a peer whose address is not fixed here. Same key "mucho" as on
! the branch — a sample; DES/MD5/aggressive-mode PSK are weak by current
! standards and should be strengthened on a real deployment where possible.
!
crypto isakmp policy 2
authentication prekey
encryption des
hash md5
idtype-pre userfqdn
key ascii mucho
negotiation-mode aggressive
peer-identity host f100kyoten
exit
!
! Phase 2 crypto map: selector list 1, peer by host identity, ESP-DES/HMAC-MD5.
!
crypto map kyoten 1
match address 1
set peer host f100kyoten
set transform-set P2-des-md5
exit
!
! "Tunnel route" (the feature named in this example's title): presumably a
! route for the remote selector toward pppoe 1 tied to the security
! association — confirm the exact semantics in the product manual.
!
crypto security-association
tunnel-route interface pppoe 1
exit



<センター側FITELnet-E30の設定>
"reset -d"(デフォルトリスタート)実行後、以下の設定を貼り付けてください。

wan isdn single

hostname add 1 nameserver=off netbiosserver=off domainname="" defaultgw=off
hostname add 2 nameserver=off netbiosserver=off domainname="" defaultgw=off
hostname add 3 nameserver=off netbiosserver=off domainname="" defaultgw=off
hostname add 4 nameserver=off netbiosserver=off domainname="" defaultgw=off
 
target add name=3 dial=9876543210 key=nn, speed=64 continuouslimiter=600,on\
 callinglimiter=40,on cbmode=off dialcheckmask=0 

isdn dialcheck=off recvcheck=off sendcheck=off multimode=off limiter=12\
 congestiontimer=1
isdn -1 dial=* dial2=* retrytimes=8 idletimer=60,60 target=2 mode=traffic\
 recvidletimer=off globalnumber=allow
isdn -2 dial=* dial2=* retrytimes=8 idletimer=60,60 target=3 recvidletimer=off\
 globalnumber=allow
isdn -dp dial=* dial2=* retrytimes=8 idletimer=60,60 recvidletimer=off\
 globalnumber=allow

iptarget add addr=192.168.100.3 name=3

targetinterface add name=2 interface=isdn1

ipripstatic add dst=192.168.3.0,255.255.255.0 nexthop=192.168.100.3 metric=16\
 preference=50
ipripstatic add dst=0.0.0.0,0.0.0.0 nexthop=192.168.1.3 metric=16 preference=50

identifier node="" manager="" location=""

loadsplit congestiontimer=1 lsplitcheckinterval=300 sendrate=90,60\
 recvrate=90,60 poolrate=90,60

connecttimer retry1=5 retry2=180 retry3=6

addrlist 3 add 1 dial=9876543210

datalink -hsd restarttimer=100 restarttimes=10 looptimer=10 watching=on\
 compress=off,rfc,nopfc vjcomp=31
datalink -1 restarttimer=100 restarttimes=10 looptimer=10 interface=normal\
 watching=off compress=off,rfc,nopfc vjcomp=31
datalink -2 restarttimer=100 restarttimes=10 looptimer=10 interface=normal\
 watching=off compress=off,rfc,nopfc vjcomp=31
datalink -async restarttimer=300 restarttimes=10 looptimer=30 interface=normal\
 compress=off,rfc,nopfc vjcomp=31
datalink -dp interface=normal

mtu off size=300

pppecho linktesttimeout=25 replytimer=5 intervaltimer=1

bridging off pvc=off filtering=off ageout=300 delay=200

prioritycontrol off fast=70 medium=20
        
interface ip lan addr=192.168.1.2,255.255.255.0 broadcast=192.168.1.255
interface ip hsd down
interface ip isdn1 addr=192.168.100.1,255.255.255.0 broadcast=192.168.100.255
interface ip isdn2 down
interface ip async down
interface ip dp down

async speed=57600 recvcheck=off sendcheck=off multimode=off limiter=off\
 idletimer=60,60 recvidletimer=off target=3

rtcontrol ip lan sendinterval=30 send=rip1 recv=rip1rip2 metric=0 ageout=180\
 rip2password=
rtcontrol ip hsd sendinterval=off send=off recv=off metric=0 ageout=off\
 rip2password=
rtcontrol ip isdn1 sendinterval=off send=off recv=off metric=0 ageout=off\
 rip2password=
rtcontrol ip isdn2 sendinterval=off send=off recv=off metric=0 ageout=off\
 rip2password=
rtcontrol ip async sendinterval=off send=off recv=off metric=0 ageout=off\
 rip2password=

iprouting on proxyarp=shortcut filtering=on sealed=off\
 sealedinterface=hsd,isdn1,isdn2,async,dp rip=off ifaccept=exclude\
 ifpropagate=exclude

ipfiltering -f add dst=0.0.0.0,0.0.0.0 dstport=0,65535 src=0.0.0.0,0.0.0.0\
 srcport=0,65535 prot=all recvif=lan,hsd,isdn1,isdn2,async,dp\
 sendif=lan,hsd,isdn1,isdn2,async,dp full

ipfiltering -d add dst=0.0.0.0,0.0.0.0 dstport=0,65535 src=0.0.0.0,0.0.0.0\
 srcport=137,139 prot=udp recvif=lan,hsd,isdn1,isdn2,async,dp\
 sendif=lan,hsd,isdn1,isdn2,async,dp full
    
snmp on authtrap=on

sntp off server=0.0.0.0,0.0.0.0 schedule=off,60 retryinterval=64 retryterm=1024

manager add 1 addr=0.0.0.0 name=public mode=r srcipaddr=normal

dhcpserver off gateway=on sendarpnum=16 arptimeout=10 sendarpcount=1\
 allocateaddr=0.0.0.0 allocatewidth=254 leasetime=infinity

syslogcontrol off autoconn=off

syslogtable addr=0.0.0.0 err=off warning=off info=off facility=1\
 srcipaddr=normal


bacp off protocol=new learning=off

rbod routing=normal audio=normal called=on calling=on

nat group=1 off if=hsd,isdn1 t1=1440 t2=5 t3=60 t4=1 t5=1 t6=60 t7=1

nat group=2 off if=hsd,isdn1 t1=1440 t2=5 t3=60 t4=1 t5=1 t6=60 t7=1

nat group=3 off if=hsd,isdn1 t1=1440 t2=5 t3=60 t4=1 t5=1 t6=60 t7=1
     
nat group=4 off if=hsd,isdn1 t1=1440 t2=5 t3=60 t4=1 t5=1 t6=60 t7=1

radius off auth=chappap maxretry=3 retryinterval=1

modem add init reqcmd=ATE0V0 rspcode=OK,0 timer=3,0
modem add disc reqcmd=ATH rspcode=OK,0 timer=3,0
modem dial=tone hdflow=rscs

dchpacket lcgn=0 dbit=off craddr=off chargereq=off chargeacc=off packetlen=off\
 windows=off

vpn off
        
vpnopt vpnlog=off

vpnparam retrytimer=20 retrymax=1 newsai=90 newsar=30 p1lifesec=0

rgrouping off preference=0 udpport=55555 gipaddr=0.0.0.0 dupchktimer=3\
 sendinterval=5 agingtimer=15 recvwaittimer=5

pathchk off pingtrial=2

remoteconfig off sendinterval=20  udpport=49152 ipaddr=0.0.0.0

unicastrip off

lcd chargeinfo=on

proxydns nameserverip=0.0.0.0,0.0.0.0 timeout=3 retry=2 ageout=1440

mail to= errorto= inform=
mail off

multiroute off


