Router_A configuration (full listing):

```
ip route 0.0.0.0 0.0.0.0 pppoe 1
ip route 172.17.0.0 255.255.0.0 connected ipsecif 1
access-list 101 permit tcp any any eq www
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
vpn enable
vpnlog enable
ipsec access-list 1 ipsec ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
ipsec access-list 64 bypass ip any any
ipsec transform-set t1 esp-null
hostname Router_A
interface ipsecif 1
 qos output bandwidth 100M cbq
 qos-que cbq default-que bandwidth 50 parent root-que borrow default
 qos-que cbq root-que bandwidth 100 parent NULL
 qos-que cbq que1 bandwidth 30 parent root-que priority 3 borrow
 qos-que cbq que2 bandwidth 20 parent root-que priority 3 borrow
 service-policy output policy1
 crypto map map1
exit
interface lan 1
 ip address 172.16.0.1 255.255.0.0
exit
interface pppoe 1
 ip address 192.0.2.1
 ip nat inside source list 1 interface
 pppoe server test1
 pppoe account ********@***.***.ne.jp ******
 pppoe type lan
exit
crypto isakmp policy 1
 authentication prekey
 encryption aes 256
 hash sha
 key ascii furukawa
 lifetime 86400
 my-identity kyoten1
 negotiation-mode aggressive
 peer-identity address 192.0.2.129
exit
crypto map map1 1
 match address 1
 set peer address 192.0.2.129
 set security-association lifetime seconds 28800
 set transform-set t1
 anti-replay disable
exit
class-map class1
 match ip access-group 101
exit
action-map action1
 set queuing que1
exit
class-map class2
 match ip access-group 102
exit
action-map action2
 set queuing que2
exit
policy-map policy1
 class class1 action action1
 class class2 action action2
exit
end
```
Router_B configuration (full listing):

```
ip route 0.0.0.0 0.0.0.0 pppoe 1
ip route 172.16.0.0 255.255.0.0 connected ipsecif 1
access-list 101 permit tcp any any eq www
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
vpn enable
vpnlog enable
ipsec access-list 1 ipsec ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
ipsec access-list 64 bypass ip any any
ipsec transform-set t1 esp-null
hostname Router_B
interface pppoe 1
 ip address 192.0.2.129
 ip nat inside source list 1 interface
 pppoe server test1
 pppoe account ********@***.***.ne.jp ******
 pppoe type lan
exit
interface ipsecif 1
 qos output bandwidth 100M cbq
 qos-que cbq default-que bandwidth 50 parent root-que borrow default
 qos-que cbq root-que bandwidth 100 parent NULL
 qos-que cbq que1 bandwidth 30 parent root-que priority 3 borrow
 qos-que cbq que2 bandwidth 20 parent root-que priority 3 borrow
 service-policy output policy1
 crypto map map1
exit
interface lan 1
 ip address 172.17.0.2 255.255.255.0
exit
crypto isakmp policy 1
 authentication prekey
 encryption aes 256
 hash sha
 key ascii furukawa
 lifetime 86400
 negotiation-mode main
 peer-identity host kyoten1
exit
crypto map map1 1
 match address 1
 set peer host kyoten1
 set security-association lifetime seconds 28800
 set transform-set t1
 anti-replay disable
exit
class-map class1
 match ip access-group 101
exit
action-map action1
 set queuing que1
exit
class-map class2
 match ip access-group 102
exit
action-map action2
 set queuing que2
exit
policy-map policy1
 class class1 action action1
 class class2 action action2
exit
end
```
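Both listings bring the tunnel up with `ipsec transform-set t1 esp-null`, `anti-replay disable` on the crypto map, and (on Router_A) `negotiation-mode aggressive` with a pre-shared key, and both carry a catch-all `ipsec access-list 64 bypass ip any any`. The script below is an added example, not part of this page and not a Furukawa tool: it parses the IPsec and QoS portion of the Router_A listing (copied from the page above) and reports the settings that give up confidentiality or replay protection, a `service-policy` that names a policy-map the listing never defines, and CBQ child queues whose shares exceed their parent's. The set of block-opening keywords and the wording of the findings are the script's own assumptions about this CLI dialect.

```python
import re

# IPsec and QoS portion of the page's Router_A listing (copied from the page, not constructed).
ROUTER_A_EXCERPT = """\
ipsec access-list 1 ipsec ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
ipsec access-list 64 bypass ip any any
ipsec transform-set t1 esp-null
interface ipsecif 1
 qos output bandwidth 100M cbq
 qos-que cbq default-que bandwidth 50 parent root-que borrow default
 qos-que cbq root-que bandwidth 100 parent NULL
 qos-que cbq que1 bandwidth 30 parent root-que priority 3 borrow
 qos-que cbq que2 bandwidth 20 parent root-que priority 3 borrow
 service-policy output policy1
 crypto map map1
exit
crypto isakmp policy 1
 authentication prekey
 encryption aes 256
 hash sha
 key ascii furukawa
 my-identity kyoten1
 negotiation-mode aggressive
 peer-identity address 192.0.2.129
exit
crypto map map1 1
 match address 1
 set peer address 192.0.2.129
 set transform-set t1
 anti-replay disable
exit
policy-map policy1
 class class1 action action1
exit
"""

# Prefixes of lines that open an "... exit" block in this CLI dialect
# (assumption drawn from the listings on the page, not from vendor documentation).
BLOCK_PREFIXES = ("interface ", "crypto isakmp policy ", "crypto map ",
                  "class-map ", "action-map ", "policy-map ")


def parse_config(text):
    """Split a listing into top-level lines and {block header: [child lines]}."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "end":
            continue
        if line == "exit":
            current = None
        elif current is not None:
            blocks[current].append(line)
        elif line.startswith(BLOCK_PREFIXES):
            current = line
            blocks[current] = []
        else:
            top.append(line)
    return top, blocks


def audit_config(text):
    """Return findings for settings that weaken the tunnel or leave the QoS policy dangling."""
    top, blocks = parse_config(text)
    findings, null_sets = [], set()
    for line in top:
        m = re.match(r"ipsec transform-set (\S+) (.+)", line)
        if m and "esp-null" in m.group(2).split():   # NULL encryption: ESP payload travels in clear
            null_sets.add(m.group(1))
            findings.append(f"transform-set {m.group(1)}: esp-null, ESP payload is not encrypted")
        if line.startswith("ipsec access-list") and " bypass " in line and line.endswith(" any any"):
            findings.append(f"{line}: bypass entry matches all traffic")
    policies = {h.split()[1] for h in blocks if h.startswith("policy-map ")}
    for header, body in blocks.items():
        if header.startswith("crypto isakmp policy"):
            if "negotiation-mode aggressive" in body and "authentication prekey" in body:
                findings.append(f"{header}: aggressive mode with pre-shared key")
        elif header.startswith("crypto map"):
            if "anti-replay disable" in body:
                findings.append(f"{header}: anti-replay disabled")
            for line in body:
                m = re.match(r"set transform-set (\S+)", line)
                if m and m.group(1) in null_sets:
                    findings.append(f"{header}: uses unencrypted transform-set {m.group(1)}")
        elif header.startswith("interface"):
            bw, children = {}, {}   # CBQ tree: queue -> share, parent -> [child shares]
            for line in body:
                m = re.match(r"service-policy output (\S+)", line)
                if m and m.group(1) not in policies:
                    findings.append(f"{header}: service-policy {m.group(1)} is not defined")
                m = re.match(r"qos-que cbq (\S+) bandwidth (\d+) parent (\S+)", line)
                if m:
                    bw[m.group(1)] = int(m.group(2))
                    children.setdefault(m.group(3), []).append(int(m.group(2)))
            for parent, shares in children.items():
                if parent in bw and sum(shares) > bw[parent]:
                    findings.append(f"{header}: children of {parent} claim {sum(shares)}% of its {bw[parent]}%")
    return findings
```

`audit_config(ROUTER_A_EXCERPT)` returns five findings for the page's settings (bypass-all, esp-null, aggressive mode with PSK, anti-replay off, and the crypto map's use of the unencrypted transform set); the queue shares 50 + 30 + 20 exactly fill the 100 of `root-que`, so no CBQ finding is raised. Feeding it the session transcript's `service-policy output high-policy` instead of `policy1` adds a dangling-policy finding.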
Configuration steps (Router_A): enter privileged user mode, enter the password, initialize the configuration, change to configuration mode, enter the settings, save the configuration, restart the device.

Screen display example:

```
Router>enable
Enter password:
Router#
Router#clear working.cfg
Router#
Router#configure terminal
Router(config)#ip route 0.0.0.0 0.0.0.0 pppoe 1
Router(config)#ip route 172.17.0.0 255.255.0.0 connected ipsecif 1
Router(config)#access-list 101 permit tcp any any eq telnet
Router(config)#access-list 102 permit tcp any any eq www
Router(config)#access-list 103 permit tcp any any eq ftp
Router(config)#access-list 103 permit tcp any any eq ftp-data
Router(config)#vpn enable
Router(config)#vpnlog enable
Router(config)#ipsec access-list 1 ipsec ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
Router(config)#ipsec access-list 64 bypass ip any any
Router(config)#ipsec transform-set t1 esp-null
Router(config)#hostname Router_A
Router_A(config)#interface ipsecif 1
Router_A(config-if ipsecif 1)# qos output bandwidth 100M cbq
Router_A(config-if ipsecif 1)# qos-que cbq default-que bandwidth 50 parent root-que borrow default※
Router_A(config-if ipsecif 1)# qos-que cbq root-que bandwidth 100 parent NULL
Router_A(config-if ipsecif 1)# qos-que cbq que1 bandwidth 30 parent root-que priority 3 borrow※
Router_A(config-if ipsecif 1)# qos-que cbq que2 bandwidth 20 parent root-que priority 3 borrow※
Router_A(config-if ipsecif 1)# service-policy output high-policy
Router_A(config-if ipsecif 1)# crypto map map1
Router_A(config-if ipsecif 1)#exit
Router_A(config)#interface lan 1
Router_A(config-if lan 1)# ip address 172.16.0.1 255.255.0.0
Router_A(config-if lan 1)#exit
Router_A(config)#interface pppoe 1
Router_A(config-if pppoe 1)# ip address 192.0.2.1
Router_A(config-if pppoe 1)# ip nat inside source list 1 interface
Router_A(config-if pppoe 1)# pppoe server test1
Router_A(config-if pppoe 1)# pppoe account ********@***.***.ne.jp ******
Router_A(config-if pppoe 1)# pppoe type lan
Router_A(config-if pppoe 1)#exit
Router_A(config)#crypto isakmp policy 1
Router_A(config-isakmp)# authentication prekey
Router_A(config-isakmp)# encryption aes 256
Router_A(config-isakmp)# hash sha
Router_A(config-isakmp)# key ascii furukawa
Router_A(config-isakmp)# lifetime 86400
Router_A(config-isakmp)# my-identity kyoten1
Router_A(config-isakmp)# negotiation-mode aggressive
Router_A(config-isakmp)# peer-identity address 192.0.2.129
Router_A(config-isakmp)#exit
Router_A(config)#crypto map map1 1
Router_A(config-crypto-map)# match address 1
Router_A(config-crypto-map)# set peer address 192.0.2.129
Router_A(config-crypto-map)# set security-association lifetime seconds 28800
Router_A(config-crypto-map)# set transform-set t1
Router_A(config-crypto-map)# anti-replay disable
Router_A(config-crypto-map)#exit
Router_A(config)#class-map class1
Router_A(config-class-map)# match ip access-group 101
Router_A(config-class-map)#exit
Router_A(config)#action-map action1
Router_A(config-action-map)# set queuing que1
Router_A(config-action-map)#exit
Router_A(config)#class-map class2
Router_A(config-class-map)# match ip access-group 102
Router_A(config-class-map)#exit
Router_A(config)#action-map action2
Router_A(config-action-map)# set queuing que2
Router_A(config-action-map)#exit
Router_A(config)#policy-map policy1
Router_A(config-policy-map)# class class1 action action1
Router_A(config-policy-map)# class class2 action action2
Router_A(config-policy-map)#exit
Router_A(config)#
Router_A(config)#end
Router_A#
Router_A#save SIDE-A
% saving working-config
% finished saving
Router_A#reset
Going to reset with SIDE-A.frm and SIDE-A
Boot-back not scheduled for next boot.
Next rebooting firmware SIDE-A.frm is fine.
Are you OK to cold start?(y/n)y
```
※ About the borrow setting
With borrow set, a class may use spare bandwidth from its parent class whenever the parent has any. To hold a class to its configured bandwidth, remove the borrow setting.
Configuration steps (Router_B): enter privileged user mode, enter the password, initialize the configuration, change to configuration mode, enter the settings, save the configuration, restart the device.

Screen display example:

```
Router>enable
Enter password:
Router#
Router#clear working.cfg
Router#
Router#configure terminal
Router(config)#ip route 0.0.0.0 0.0.0.0 192.0.2.1
Router(config)#access-list 100 permit udp any any
Router(config)#hostname Router_B
Router(config)#ip route 172.16.0.0 255.255.0.0 connected ipsecif 1
Router(config)#access-list 101 permit tcp any any eq www
Router(config)#access-list 102 permit tcp any any eq ftp
Router(config)#access-list 102 permit tcp any any eq ftp-data
Router(config)#vpn enable
Router(config)#vpnlog enable
Router(config)#ipsec access-list 1 ipsec ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)#ipsec access-list 64 bypass ip any any
Router(config)#ipsec transform-set t1 esp-null
Router(config)#hostname Router_B
Router_B(config)#interface pppoe 1
Router_B(config-if pppoe 1)# ip address 192.0.2.129
Router_B(config-if pppoe 1)# ip nat inside source list 1 interface
Router_B(config-if pppoe 1)# pppoe server test1
Router_B(config-if pppoe 1)# pppoe account ********@***.***.ne.jp ******
Router_B(config-if pppoe 1)# pppoe type lan
Router_B(config-if pppoe 1)#exit
Router_B(config)#interface ipsecif 1
Router_B(config-if ipsecif 1)# qos output bandwidth 100M cbq
Router_B(config-if ipsecif 1)# qos-que cbq default-que bandwidth 50 parent root-que borrow default※
Router_B(config-if ipsecif 1)# qos-que cbq root-que bandwidth 100 parent NULL
Router_B(config-if ipsecif 1)# qos-que cbq que1 bandwidth 30 parent root-que priority 3 borrow※
Router_B(config-if ipsecif 1)# qos-que cbq que2 bandwidth 20 parent root-que priority 3 borrow※
Router_B(config-if ipsecif 1)# service-policy output policy1
Router_B(config-if ipsecif 1)# crypto map map1
Router_B(config-if ipsecif 1)#exit
Router_B(config)#interface lan 1
Router_B(config-if lan 1)# ip address 172.17.0.2 255.255.255.0
Router_B(config-if lan 1)#exit
Router_B(config)#crypto isakmp policy 1
Router_B(config-isakmp)# authentication prekey
Router_B(config-isakmp)# encryption aes 256
Router_B(config-isakmp)# hash sha
Router_B(config-isakmp)# key ascii furukawa
Router_B(config-isakmp)# lifetime 86400
Router_B(config-isakmp)# nat-traversal enable
Router_B(config-isakmp)# negotiation-mode main
Router_B(config-isakmp)# peer-identity host kyoten1
Router_B(config-isakmp)#exit
Router_B(config)#crypto map map1 1
Router_B(config-crypto-map)# match address 1
Router_B(config-crypto-map)# set peer host kyoten1
Router_B(config-crypto-map)# set security-association lifetime seconds 28800
Router_B(config-crypto-map)# set transform-set t1
Router_B(config-crypto-map)# anti-replay disable
Router_B(config-crypto-map)#exit
Router_B(config)#class-map class1
Router_B(config-class-map)# match ip access-group 101
Router_B(config-class-map)#exit
Router_B(config)#action-map action1
Router_B(config-action-map)# set queuing que1
Router_B(config-action-map)#exit
Router_B(config)#class-map class2
Router_B(config-class-map)# match ip access-group 102
Router_B(config-class-map)#exit
Router_B(config)#action-map action2
Router_B(config-action-map)# set queuing que2
Router_B(config-action-map)#exit
Router_B(config)#policy-map policy1
Router_B(config-policy-map)# class class1 action action1
Router_B(config-policy-map)# class class2 action action2
Router_B(config-policy-map)#exit
Router_B(config)#
Router_B(config)#end
Router_B#
Router_B#save SIDE-A
% saving working-config
% finished saving
Router_B#reset
Going to reset with SIDE-A.frm and SIDE-A
Boot-back not scheduled for next boot.
Next rebooting firmware SIDE-A.frm is fine.
Are you OK to cold start?(y/n)y
```
※ About the borrow setting
With borrow set, a class may use spare bandwidth from its parent class whenever the parent has any. To hold a class to its configured bandwidth, remove the borrow setting.
Check the access lists.

Check: display the access-list information and confirm that each list is configured correctly.

Screen display example:

```
Router_A#show access-lists
Extended IP access list 101
 permit tcp any any eq www log
Extended IP access list 102
 permit tcp any any eq ftp log
 permit tcp any any eq ftp-data log
```
Check the queuing status.

Check: display the queue statistics and confirm that the packet count of que2 is being counted.

Screen display example:

```
Router_A#show qos queuing
interface : ipsecif 1
queuing type : CBQ
queuing-name : root-que (root que)
 priority : 0
 queue length/limit : 0/50
 sent/drop packets:
  packets : 18/0
  bytes : 836/0
 over count 0
 delay count 0
queuing-name : default-que (default que)
 priority : 0
 queue length/limit : 0/50
 sent/drop packets:
  packets : 0/0
  bytes : 0/0
 over count 0
 delay count 0
 borrow : 0
queuing-name : que2
 priority : 3
 queue length/limit : 0/50
 sent/drop packets:
  packets : 18/0
  bytes : 836/0
 over count 0
 delay count 0
 borrow : 0
queuing-name : que1
 priority : 3
 queue length/limit : 0/50
 sent/drop packets:
  packets : 0/0
  bytes : 0/0
 over count 0
 delay count 0
 borrow : 0
```
Check: display the queue statistics and confirm that the packet count of que1 is being counted.

Screen display example:

```
Router_A#show qos queuing
interface : ipsecif 1
queuing type : CBQ
queuing-name : root-que (root que)
 priority : 0
 queue length/limit : 0/50
 sent/drop packets:
  packets : 18/0
  bytes : 836/0
 over count 0
 delay count 0
queuing-name : default-que (default que)
 priority : 0
 queue length/limit : 0/50
 sent/drop packets:
  packets : 0/0
  bytes : 0/0
 over count 0
 delay count 0
 borrow : 0
queuing-name : que2
 priority : 3
 queue length/limit : 0/50
 sent/drop packets:
  packets : 18/0
  bytes : 836/0
 over count 0
 delay count 0
 borrow : 0
queuing-name : que1
 priority : 3
 queue length/limit : 0/50
 sent/drop packets:
  packets : 35/0
  bytes : 10329/0
 over count 0
 delay count 0
 borrow : 0
```
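The two `show qos queuing` captures are compared by eye on the page: que2 has counted packets in the first, que1 in the second. The script below is an added example, not part of this page and not a vendor tool. It parses the second capture (copied from the page; the indentation is as reconstructed here, and the parser keys only on the `queuing-name`, `packets`, `bytes`, `priority` and `borrow` labels) and checks it against the sent-packet counters read from the first capture: the expected queue must have advanced without drops, and every other non-root queue must have stayed where it was, which is what confirms that the class-map steered the traffic into the intended queue.

```python
import re

# Second "show qos queuing" capture from the page (copied; indentation reconstructed).
SECOND_CAPTURE = """\
Router_A#show qos queuing
interface : ipsecif 1
queuing type : CBQ
queuing-name : root-que (root que)
 priority : 0
 queue length/limit : 0/50
 sent/drop packets:
  packets : 18/0
  bytes : 836/0
 over count 0
 delay count 0
queuing-name : default-que (default que)
 priority : 0
 queue length/limit : 0/50
 sent/drop packets:
  packets : 0/0
  bytes : 0/0
 over count 0
 delay count 0
 borrow : 0
queuing-name : que2
 priority : 3
 queue length/limit : 0/50
 sent/drop packets:
  packets : 18/0
  bytes : 836/0
 over count 0
 delay count 0
 borrow : 0
queuing-name : que1
 priority : 3
 queue length/limit : 0/50
 sent/drop packets:
  packets : 35/0
  bytes : 10329/0
 over count 0
 delay count 0
 borrow : 0
"""

# Sent-packet counters read from the page's first capture (que1 still at 0).
FIRST_SENT = {"root-que": 18, "default-que": 0, "que2": 18, "que1": 0}


def parse_qos_queuing(text):
    """Parse 'show qos queuing' output into {queue name: counters}."""
    queues, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"queuing-name\s*:\s*(\S+)", line)
        if m:   # a new per-queue section starts; the labels that follow belong to it
            cur = queues.setdefault(m.group(1), {"sent": 0, "drop": 0, "bytes": 0, "priority": 0, "borrow": 0})
            continue
        if cur is None:
            continue
        m = re.match(r"(packets|bytes)\s*:\s*(\d+)/(\d+)", line)   # "sent/drop" pairs
        if m:
            if m.group(1) == "packets":
                cur["sent"], cur["drop"] = int(m.group(2)), int(m.group(3))
            else:
                cur["bytes"] = int(m.group(2))
            continue
        m = re.match(r"(priority|borrow)\s*:\s*(\d+)", line)
        if m:
            cur[m.group(1)] = int(m.group(2))
    return queues


def sent_counts(queues):
    """Reduce parsed queues to {name: sent packets}, the form kept from an earlier capture."""
    return {name: q["sent"] for name, q in queues.items()}


def classification_ok(before, after, expected, root="root-que"):
    """True if, between the two captures, only `expected` (and the root aggregate)
    advanced and `expected` dropped nothing: traffic landed in the intended queue."""
    if expected not in after or after[expected]["drop"] > 0:
        return False
    for name, q in after.items():
        delta = q["sent"] - before.get(name, 0)
        if name == expected and delta <= 0:
            return False
        if name not in (expected, root) and delta != 0:
            return False
    return True
```

With the page's numbers, `classification_ok(FIRST_SENT, parse_qos_queuing(SECOND_CAPTURE), "que1")` is true (que1 went from 0 to 35 with no drops, que2 and default-que did not move), while the same check for `"que2"` is false because que2 stayed at 18. Keeping `sent_counts()` of each capture lets the check be repeated after every test flow instead of reading the counters by hand.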