FITELnet configuration example
Priority control settings when connecting sites over an IPsec VPN
Applies to all models
Description
Router A (head office) and Router B (branch office) are connected by a VPN and communicate over IPsec.
Packets that Router A and Router B send out through pppoe 1 towards the peer are transmitted with the following priorities. Classification and queuing are configured on ipsecif 1, the IPsec tunnel interface, where the TCP ports that the class-maps match are still visible; the queued packets are then encapsulated and forwarded out pppoe 1.
TELNET: priority 7 (highest)
WWW: priority 3
FTP: priority 1
Because priority control reorders packets, the anti-replay function is disabled (anti-replay disable in the crypto map on both routers; the replay window is checked by the receiving side, so setting it on one end only is not enough). Be clear about what that trades away: the ESP anti-replay window is what makes the receiver discard a packet whose sequence number is older than the window or has already been seen, so with it disabled an attacker who captures an ESP packet on the path can re-inject it and the peer will accept it. Two further points about this sample before reusing it: transform set t1 uses esp-null, which encapsulates but does not encrypt the traffic, so the VPN as shown provides no confidentiality (choose an encrypting transform set from the command reference for production); and the pre-shared key furukawa, the identity kyoten1 and the PPPoE account are placeholders to be replaced. With aggressive mode (Router A) an eavesdropper can attempt an offline dictionary attack on the pre-shared key, so use a long random key. The standard access-list 1 referenced by ip nat inside source list 1 is not part of this listing.
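The following added example (written for this edit, not FITELnet code) models the caveat above so the trade-off can be seen in numbers. Packets are classified with the page's policy (telnet, www, ftp and ftp-data mapped to priorities 7, 3, 1 and 1 through their standard TCP ports 23, 80, 21 and 20); an ESP sequence number is assumed to be assigned in arrival order before a packet enters the priority queue, which is the ordering that makes priority queuing reorder ESP packets; one burst is drained strictly by priority; and the receiver applies the RFC 4303 sliding-window replay check with an assumed 64-packet window. The burst itself (70 FTP-data packets already queued when 5 TELNET packets arrive) is a constructed sample. With the check enabled, the delayed FTP packets that fall behind the window are discarded; with it disabled nothing is lost, but a replayed copy of a captured packet is accepted as well.

```python
"""Priority queuing versus the ESP anti-replay window (added example, not FITELnet code).

Assumptions: the ESP sequence number is assigned in arrival order before the packet
is queued; the receiver uses a 64-packet RFC 4303 window; ports 23/80/21/20 stand for
telnet/www/ftp/ftp-data in the page's access-lists.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "seq dst_port")

# TCP destination port -> PRIQ priority, as set by the page's access-lists
# 101/102/103 and the qos-que lines on ipsecif 1.
PORT_PRIORITY = {23: 7, 80: 3, 21: 1, 20: 1}
DEFAULT_PRIORITY = 0  # default-que


def priority_of(dst_port):
    return PORT_PRIORITY.get(dst_port, DEFAULT_PRIORITY)


def priq_drain(burst):
    """Strict priority queuing of one burst: the highest-priority queue is
    served first; inside a queue packets keep their sequence order."""
    return sorted(burst, key=lambda p: (-priority_of(p.dst_port), p.seq))


class ReplayWindow:
    """RFC 4303 anti-replay window: a bitmap of the `size` sequence numbers
    at or below the highest one accepted so far (`top`)."""

    def __init__(self, size=64, enabled=True):
        self.size, self.enabled = size, enabled
        self.mask = (1 << size) - 1
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set -> sequence number top-i already seen

    def accept(self, seq):
        if not self.enabled:              # `anti-replay disable`: no check at all
            return True
        if seq == 0:                      # ESP sequence numbers start at 1
            return False
        if seq > self.top:                # newer than anything seen: slide window
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:           # older than the window: a late packet
            return False
        if self.bitmap & (1 << offset):   # inside the window but already seen
            return False                  # -> replay
        self.bitmap |= 1 << offset
        return True


def make_burst(n_ftp=70, n_telnet=5):
    """Constructed sample: a bulk FTP-data transfer (port 20) is queued when a
    few TELNET packets (port 23) arrive; ESP seq follows arrival order."""
    pkts = [Packet(seq=i, dst_port=20) for i in range(1, n_ftp + 1)]
    pkts += [Packet(seq=n_ftp + i, dst_port=23) for i in range(1, n_telnet + 1)]
    return pkts


def simulate(burst, window_size=64, anti_replay=True):
    """Drain the burst through PRIQ and feed it to the receiver in that order.
    Returns (transmit order, sequence numbers the receiver dropped, window)."""
    rx = ReplayWindow(window_size, anti_replay)
    order = [p.seq for p in priq_drain(burst)]
    dropped = [seq for seq in order if not rx.accept(seq)]
    return order, dropped, rx


def late_packet_loss(anti_replay):
    """Sequence numbers of legitimate FTP packets the receiver discards as too old."""
    return simulate(make_burst(), anti_replay=anti_replay)[1]


def replay_accepted(anti_replay):
    """After the burst, an on-path attacker re-injects a captured ESP packet
    (seq 73, one of the TELNET packets). Accepted only without anti-replay."""
    rx = simulate(make_burst(), anti_replay=anti_replay)[2]
    return rx.accept(73)


if __name__ == "__main__":
    order = simulate(make_burst())[0]
    print("transmit order starts with the TELNET packets:", order[:5], "...")
    for ar in (True, False):
        print(f"anti-replay {'enabled' if ar else 'disabled'}: "
              f"{len(late_packet_loss(ar))} late FTP packets dropped, "
              f"replayed seq 73 accepted={replay_accepted(ar)}")
```

Run it directly to print both outcomes. The replay window size on FITELnet is not stated on this page; a larger window only moves the point at which late packets are dropped rather than removing it, which is why the page disables the check rather than tuning it.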
Topology
(Addresses as configured below.)
Head office LAN 172.16.0.0/16 --- lan 1 172.16.0.1 [Router A] pppoe 1 192.0.2.1 --- Internet (PPPoE) --- pppoe 1 192.0.2.129 [Router B] lan 1 172.17.0.2 --- branch LAN 172.17.0.0/16
The IPsec tunnel ipsecif 1 runs between 192.0.2.1 and 192.0.2.129 and carries traffic between 172.16.0.0/16 and 172.17.0.0/16 (ipsec access-list 1); all other traffic bypasses IPsec (ipsec access-list 64).
Configuration commands

Router A

ip route 0.0.0.0 0.0.0.0 pppoe 1
ip route 172.17.0.0 255.255.0.0 connected ipsecif 1
access-list 101 permit tcp any any eq telnet
access-list 102 permit tcp any any eq www
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
vpn enable
vpnlog enable
ipsec access-list 1 ipsec ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
ipsec access-list 64 bypass ip any any
ipsec transform-set t1 esp-null
hostname Router_A
interface ipsecif 1
 qos output bandwidth 100M priq
 qos-que priq default-que priority 0 default
 qos-que priq high-que priority 7
 qos-que priq low-que priority 1
 qos-que priq middle-que priority 3
 service-policy output policy1
 crypto map map1
exit
interface lan 1
 ip address 172.16.0.1 255.255.0.0
exit
interface pppoe 1
 ip address 192.0.2.1
 ip nat inside source list 1 interface
 pppoe server test1
 pppoe account ********@***.***.ne.jp ******
 pppoe type lan
exit
crypto isakmp policy 1
 authentication prekey
 encryption aes 256
 hash sha
 key ascii furukawa
 lifetime 86400
 my-identity kyoten1
 negotiation-mode aggressive
 peer-identity address 192.0.2.129
exit
crypto map map1 1
 match address 1
 set peer address 192.0.2.129
 set security-association lifetime seconds 28800
 set transform-set t1
 anti-replay disable
exit
class-map low-class
 match ip access-group 103
exit
class-map high-class
 match ip access-group 101
exit
class-map middle-class
 match ip access-group 102
exit
action-map low-action
 set queuing low-que
exit
action-map high-action
 set queuing high-que
exit
action-map middle-action
 set queuing middle-que
exit
policy-map policy1
 class high-class action high-action
 class middle-class action middle-action
 class low-class action low-action
exit
end

Router B

ip route 0.0.0.0 0.0.0.0 pppoe 1
ip route 172.16.0.0 255.255.0.0 connected ipsecif 1
access-list 101 permit tcp any any eq telnet
access-list 102 permit tcp any any eq www
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
vpn enable
vpnlog enable
ipsec access-list 1 ipsec ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
ipsec access-list 64 bypass ip any any
ipsec transform-set t1 esp-null
hostname Router_B
interface pppoe 1
 ip address 192.0.2.129
 ip nat inside source list 1 interface
 pppoe server test1
 pppoe account ********@***.***.ne.jp ******
 pppoe type lan
exit
interface ipsecif 1
 qos output bandwidth 100M priq
 qos-que priq default-que priority 0 default
 qos-que priq high-que priority 7
 qos-que priq low-que priority 1
 qos-que priq middle-que priority 3
 service-policy output policy1
 crypto map map1
exit
interface lan 1
 ip address 172.17.0.2 255.255.0.0
exit
crypto isakmp policy 1
 authentication prekey
 encryption aes 256
 hash sha
 key ascii furukawa
 lifetime 86400
 negotiation-mode main
 peer-identity host kyoten1
exit
crypto map map1 1
 match address 1
 set peer host kyoten1
 set security-association lifetime seconds 28800
 set transform-set t1
 anti-replay disable
exit
class-map low-class
 match ip access-group 103
exit
class-map high-class
 match ip access-group 101
exit
class-map middle-class
 match ip access-group 102
exit
action-map low-action
 set queuing low-que
exit
action-map high-action
 set queuing high-que
exit
action-map middle-action
 set queuing middle-que
exit
policy-map policy1
 class high-class action high-action
 class middle-class action middle-action
 class low-class action low-action
exit
end
Configuration procedure

Router A

Steps
1. Enter privileged mode (enable) and type the password.
2. Initialize the configuration (clear working.cfg).
3. Switch to configuration mode (configure terminal) and enter the configuration.
4. Save the configuration (save SIDE-A).
5. Restart the device (reset).

Screen display example
Router>enable
Enter password:
Router#
Router#clear working.cfg
Router#
Router#configure terminal
Router(config)#ip route 0.0.0.0 0.0.0.0 pppoe 1
Router(config)#ip route 172.17.0.0 255.255.0.0 connected ipsecif 1
Router(config)#access-list 101 permit tcp any any eq telnet
Router(config)#access-list 102 permit tcp any any eq www
Router(config)#access-list 103 permit tcp any any eq ftp
Router(config)#access-list 103 permit tcp any any eq ftp-data
Router(config)#vpn enable
Router(config)#vpnlog enable
Router(config)#ipsec access-list 1 ipsec ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
Router(config)#ipsec access-list 64 bypass ip any any
Router(config)#ipsec transform-set t1 esp-null
Router(config)#hostname Router_A
Router_A(config)#interface ipsecif 1
Router_A(config-if ipsecif 1)# qos output bandwidth 100M priq
Router_A(config-if ipsecif 1)# qos-que priq default-que priority 0 default
Router_A(config-if ipsecif 1)# qos-que priq high-que priority 7
Router_A(config-if ipsecif 1)# qos-que priq low-que priority 1
Router_A(config-if ipsecif 1)# qos-que priq middle-que priority 3
Router_A(config-if ipsecif 1)# service-policy output policy1
Router_A(config-if ipsecif 1)# crypto map map1
Router_A(config-if ipsecif 1)#exit
Router_A(config)#interface lan 1
Router_A(config-if lan 1)# ip address 172.16.0.1 255.255.0.0
Router_A(config-if lan 1)#exit
Router_A(config)#interface pppoe 1
Router_A(config-if pppoe 1)# ip address 192.0.2.1
Router_A(config-if pppoe 1)# ip nat inside source list 1 interface
Router_A(config-if pppoe 1)# pppoe server test1
Router_A(config-if pppoe 1)# pppoe account ********@***.***.ne.jp ******
Router_A(config-if pppoe 1)# pppoe type lan
Router_A(config-if pppoe 1)#exit
Router_A(config)#crypto isakmp policy 1
Router_A(config-isakmp)# authentication prekey
Router_A(config-isakmp)# encryption aes 256
Router_A(config-isakmp)# hash sha
Router_A(config-isakmp)# key ascii furukawa
Router_A(config-isakmp)# lifetime 86400
Router_A(config-isakmp)# my-identity kyoten1
Router_A(config-isakmp)# negotiation-mode aggressive
Router_A(config-isakmp)# peer-identity address 192.0.2.129
Router_A(config-isakmp)#exit
Router_A(config)#crypto map map1 1
Router_A(config-crypto-map)# match address 1
Router_A(config-crypto-map)# set peer address 192.0.2.129
Router_A(config-crypto-map)# set security-association lifetime seconds 28800
Router_A(config-crypto-map)# set transform-set t1
Router_A(config-crypto-map)# anti-replay disable
Router_A(config-crypto-map)#exit
Router_A(config)#class-map low-class
Router_A(config-class-map)# match ip access-group 103
Router_A(config-class-map)#exit
Router_A(config)#class-map high-class
Router_A(config-class-map)# match ip access-group 101
Router_A(config-class-map)#exit
Router_A(config)#class-map middle-class
Router_A(config-class-map)# match ip access-group 102
Router_A(config-class-map)#exit
Router_A(config)#action-map low-action
Router_A(config-action-map)# set queuing low-que
Router_A(config-action-map)#exit
Router_A(config)#action-map high-action
Router_A(config-action-map)# set queuing high-que
Router_A(config-action-map)#exit
Router_A(config)#action-map middle-action
Router_A(config-action-map)# set queuing middle-que
Router_A(config-action-map)#exit
Router_A(config)#policy-map policy1
Router_A(config-policy-map)# class high-class action high-action
Router_A(config-policy-map)# class middle-class action middle-action
Router_A(config-policy-map)# class low-class action low-action
Router_A(config-policy-map)#exit
Router_A(config)#
Router_A(config)#end
Router_A#
Router_A#save SIDE-A
% saving working-config
% finished saving

Router_A#reset
Going to reset with SIDE-A.frm and SIDE-A
Boot-back not scheduled for next boot.
Next rebooting firmware SIDE-A.frm is fine.
Are you OK to cold start?(y/n)y

Router B

Steps
1. Enter privileged mode (enable) and type the password.
2. Initialize the configuration (clear working.cfg).
3. Switch to configuration mode (configure terminal) and enter the configuration.
4. Save the configuration (save SIDE-A).
5. Restart the device (reset).

Screen display example
Router>enable
Enter password:
Router#
Router#clear working.cfg
Router#
Router#configure terminal
Router(config)#ip route 0.0.0.0 0.0.0.0 pppoe 1
Router(config)#ip route 172.16.0.0 255.255.0.0 connected ipsecif 1
Router(config)#access-list 101 permit tcp any any eq telnet
Router(config)#access-list 102 permit tcp any any eq www
Router(config)#access-list 103 permit tcp any any eq ftp
Router(config)#access-list 103 permit tcp any any eq ftp-data
Router(config)#vpn enable
Router(config)#vpnlog enable
Router(config)#ipsec access-list 1 ipsec ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
Router(config)#ipsec access-list 64 bypass ip any any
Router(config)#ipsec transform-set t1 esp-null
Router(config)#hostname Router_B
Router_B(config)#interface pppoe 1
Router_B(config-if pppoe 1)# ip address 192.0.2.129
Router_B(config-if pppoe 1)# ip nat inside source list 1 interface
Router_B(config-if pppoe 1)# pppoe server test1
Router_B(config-if pppoe 1)# pppoe account ********@***.***.ne.jp ******
Router_B(config-if pppoe 1)# pppoe type lan
Router_B(config-if pppoe 1)#exit
Router_B(config)#interface ipsecif 1
Router_B(config-if ipsecif 1)# qos output bandwidth 100M priq
Router_B(config-if ipsecif 1)# qos-que priq default-que priority 0 default
Router_B(config-if ipsecif 1)# qos-que priq high-que priority 7
Router_B(config-if ipsecif 1)# qos-que priq low-que priority 1
Router_B(config-if ipsecif 1)# qos-que priq middle-que priority 3
Router_B(config-if ipsecif 1)# service-policy output policy1
Router_B(config-if ipsecif 1)# crypto map map1
Router_B(config-if ipsecif 1)#exit
Router_B(config)#interface lan 1
Router_B(config-if lan 1)# ip address 172.17.0.2 255.255.0.0
Router_B(config-if lan 1)#exit
Router_B(config)#crypto isakmp policy 1
Router_B(config-isakmp)# authentication prekey
Router_B(config-isakmp)# encryption aes 256
Router_B(config-isakmp)# hash sha
Router_B(config-isakmp)# key ascii furukawa
Router_B(config-isakmp)# lifetime 86400
Router_B(config-isakmp)# negotiation-mode main
Router_B(config-isakmp)# peer-identity host kyoten1
Router_B(config-isakmp)#exit
Router_B(config)#crypto map map1 1
Router_B(config-crypto-map)# match address 1
Router_B(config-crypto-map)# set peer host kyoten1
Router_B(config-crypto-map)# set security-association lifetime seconds 28800
Router_B(config-crypto-map)# set transform-set t1
Router_B(config-crypto-map)# anti-replay disable
Router_B(config-crypto-map)#exit
Router_B(config)#class-map low-class
Router_B(config-class-map)# match ip access-group 103
Router_B(config-class-map)#exit
Router_B(config)#class-map high-class
Router_B(config-class-map)# match ip access-group 101
Router_B(config-class-map)#exit
Router_B(config)#class-map middle-class
Router_B(config-class-map)# match ip access-group 102
Router_B(config-class-map)#exit
Router_B(config)#action-map low-action
Router_B(config-action-map)# set queuing low-que
Router_B(config-action-map)#exit
Router_B(config)#action-map high-action
Router_B(config-action-map)# set queuing high-que
Router_B(config-action-map)#exit
Router_B(config)#action-map middle-action
Router_B(config-action-map)# set queuing middle-que
Router_B(config-action-map)#exit
Router_B(config)#policy-map policy1
Router_B(config-policy-map)# class high-class action high-action
Router_B(config-policy-map)# class middle-class action middle-action
Router_B(config-policy-map)# class low-class action low-action
Router_B(config-policy-map)#exit
Router_B(config)#
Router_B(config)#end
Router_B#
Router_B#save SIDE-A
% saving working-config
% finished saving

Router_B#reset
Going to reset with SIDE-A.frm and SIDE-A
Boot-back not scheduled for next boot.
Next rebooting firmware SIDE-A.frm is fine.
Are you OK to cold start?(y/n)y
Checking the configuration 1

Check the access lists.

Step: display the access-list information (show access-lists) and confirm that lists 101, 102 and 103 match the configuration entered above.

Screen display example
Router_A#show access-lists

Extended IP access list 101
  permit tcp any any eq telnet

Extended IP access list 102
  permit tcp any any eq www

Extended IP access list 103
  permit tcp any any eq ftp
  permit tcp any any eq ftp-data
Checking the configuration 2

Check the queuing state. The per-queue counters are cumulative, so compare each capture with the previous one.

1. TELNET packets are queued in high-que and sent at priority 7.

Step: display the queue statistics (show qos queuing) and confirm that the packet counter of high-que has incremented.

Screen display example
Router_A#show qos queuing

interface : ipsecif 1
queuing type : PRIQ
queuing-name default-que (default que)
 priority : 0
 queue length/limit : 0/50
 sent/drop packets:
  packets : 0/0
  bytes : 0/0
 period cnt : 0
queuing-name low-que
 priority : 1
 queue length/limit : 0/50
 sent/drop packets:
  packets : 0/0
  bytes : 0/0
 period cnt : 0
queuing-name middle-que
 priority : 3
 queue length/limit : 0/50
 sent/drop packets:
  packets : 0/0
  bytes : 0/0
 period cnt : 0
queuing-name high-que
 priority : 7
 queue length/limit : 0/50
 sent/drop packets:
  packets : 54/0
  bytes : 2287/0
 period cnt : 54

2. WWW packets are queued in middle-que and sent at priority 3.

Step: display the queue statistics (show qos queuing) and confirm that the packet counter of middle-que has incremented.

Screen display example
Router_A#show qos queuing

interface : ipsecif 1
queuing type : PRIQ
queuing-name default-que (default que)
 priority : 0
 queue length/limit : 0/50
 sent/drop packets:
  packets : 0/0
  bytes : 0/0
 period cnt : 0
queuing-name low-que
 priority : 1
 queue length/limit : 0/50
 sent/drop packets:
  packets : 0/0
  bytes : 0/0
 period cnt : 0
queuing-name middle-que
 priority : 3
 queue length/limit : 0/50
 sent/drop packets:
  packets : 42/0
  bytes : 11863/0
 period cnt : 34
queuing-name high-que
 priority : 7
 queue length/limit : 0/50
 sent/drop packets:
  packets : 54/0
  bytes : 2287/0
 period cnt : 54

3. FTP packets are queued in low-que and sent at priority 1.

Step: display the queue statistics (show qos queuing) and confirm that the packet counter of low-que has incremented.

Screen display example
Router_A#show qos queuing

interface : ipsecif 1
queuing type : PRIQ
queuing-name default-que (default que)
 priority : 0
 queue length/limit : 0/50
 sent/drop packets:
  packets : 0/0
  bytes : 0/0
 period cnt : 0
queuing-name low-que
 priority : 1
 queue length/limit : 0/50
 sent/drop packets:
  packets : 18/0
  bytes : 834/0
 period cnt : 18
queuing-name middle-que
 priority : 3
 queue length/limit : 0/50
 sent/drop packets:
  packets : 42/0
  bytes : 11863/0
 period cnt : 38
queuing-name high-que
 priority : 7
 queue length/limit : 0/50
 sent/drop packets:
  packets : 54/0
  bytes : 2287/0
 period cnt : 54
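For the three checks above, this added example (not FITELnet code) parses the show qos queuing output in the layout shown on this page and automates the two questions a verifier asks: do the queue priorities match the intended policy, and did only the expected queue count traffic since the last capture. Queue counters are cumulative (high-que stays at 54 across all three captures), so the classification check works on the delta between two captures, which is what you would take before and after generating test traffic of one kind. The first sample is the page's first capture embedded verbatim; the second is derived from it so that it matches the page's second capture. The parser is written against this page's output layout only.

```python
"""Parse FITELnet `show qos queuing` output and verify the PRIQ policy (added example).

Assumes the output layout shown on this page; the sample text is the page's first
capture, and SAMPLE_AFTER_WWW is derived from it to match the page's second capture.
"""
import re

# Constructed sample: the first capture on this page (after TELNET traffic only).
SAMPLE = """\
interface : ipsecif 1
queuing type : PRIQ
queuing-name default-que (default que)
 priority : 0
 queue length/limit : 0/50
 sent/drop packets:
  packets : 0/0
  bytes : 0/0
 period cnt : 0
queuing-name low-que
 priority : 1
 queue length/limit : 0/50
 sent/drop packets:
  packets : 0/0
  bytes : 0/0
 period cnt : 0
queuing-name middle-que
 priority : 3
 queue length/limit : 0/50
 sent/drop packets:
  packets : 0/0
  bytes : 0/0
 period cnt : 0
queuing-name high-que
 priority : 7
 queue length/limit : 0/50
 sent/drop packets:
  packets : 54/0
  bytes : 2287/0
 period cnt : 54
"""

# Second capture on the page (after WWW traffic): only middle-que's counters moved.
SAMPLE_AFTER_WWW = SAMPLE.replace(
    "packets : 0/0\n  bytes : 0/0\n period cnt : 0\nqueuing-name high-que",
    "packets : 42/0\n  bytes : 11863/0\n period cnt : 34\nqueuing-name high-que")

# Queue -> priority configured on ipsecif 1 in this example.
EXPECTED_PRIORITY = {"default-que": 0, "low-que": 1, "middle-que": 3, "high-que": 7}


def parse_qos_queuing(text):
    """Parse the command output into {"interface", "type", "queues": {name: fields}}."""
    result = {"interface": None, "type": None, "queues": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface : "):
            result["interface"] = line.split(" : ", 1)[1]
        elif line.startswith("queuing type : "):
            result["type"] = line.split(" : ", 1)[1]
        elif line.startswith("queuing-name "):
            name = line.split()[1]  # a "(default que)" tag may follow the name
            cur = result["queues"].setdefault(name, {"default": "(default que)" in line})
        elif cur is None:
            continue
        elif (m := re.match(r"priority : (\d+)$", line)):
            cur["priority"] = int(m.group(1))
        elif (m := re.match(r"queue length/limit : (\d+)/(\d+)$", line)):
            cur["length"], cur["limit"] = int(m.group(1)), int(m.group(2))
        elif (m := re.match(r"packets : (\d+)/(\d+)$", line)):
            cur["sent"], cur["drop"] = int(m.group(1)), int(m.group(2))
        elif (m := re.match(r"bytes : (\d+)/(\d+)$", line)):
            cur["sent_bytes"], cur["drop_bytes"] = int(m.group(1)), int(m.group(2))
        elif (m := re.match(r"period cnt : (\d+)$", line)):
            cur["period"] = int(m.group(1))
    return result


def policy_mismatches(parsed, expected=EXPECTED_PRIORITY):
    """Queues whose priority differs from, or is missing in, the expected policy."""
    queues = parsed["queues"]
    return sorted(n for n in set(queues) | set(expected)
                  if queues.get(n, {}).get("priority") != expected.get(n))


def queues_with_traffic(parsed):
    return sorted(n for n, q in parsed["queues"].items() if q["sent"] > 0)


def queue_delta(before, after):
    """Per-queue (sent, drop) packet deltas between two cumulative captures."""
    return {n: (q["sent"] - before["queues"][n]["sent"],
                q["drop"] - before["queues"][n]["drop"])
            for n, q in after["queues"].items()}


def only_queue_grew(before, after, queue):
    """True when exactly `queue` sent packets between the captures and nothing dropped."""
    delta = queue_delta(before, after)
    return (delta[queue][0] > 0
            and all(sent == 0 for n, (sent, _) in delta.items() if n != queue)
            and all(drop == 0 for _, drop in delta.values()))


if __name__ == "__main__":
    first, second = parse_qos_queuing(SAMPLE), parse_qos_queuing(SAMPLE_AFTER_WWW)
    print("policy mismatches:", policy_mismatches(first))
    print("queues with traffic in first capture:", queues_with_traffic(first))
    print("only middle-que grew after WWW traffic:", only_queue_grew(first, second, "middle-que"))
```

A drop counter that increases between captures means a queue limit (50 here) was reached while the test traffic ran, which is worth noting separately from the classification result.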


All Rights Reserved, Copyright(C) FURUKAWA ELECTRIC CO., LTD. 2011