univerge ixシリーズ設定事例集対応高速アクセスルータ univerge ixシリーズ...

VPN

UNIVERGE IX

10.0a Ver.10.0

IX2000 IX2105, IX2106, IX2207, IX2215 IX3000

IX3015, IX3110, IX3315

UNIVERGE IX Ver.10.0

IX2004 Ver.8.0

IX2010, IX2015 Ver.8.4

IX2005 Ver.8.10

IX3010 Ver.9.2

IX2025 Ver.9.6

(1)

(2)

(3)

(4) (3)

IX2215

IX2215

LoopbackTunnel UNIVERGE IX

1. (1)

IX2215

IX2105IX2106

IX2207

GE0

GigaEthernet0.0 GigaEthernet0.0 GigaEthernet0.0

GE0

GigaEthernet0.[1-32] GigaEthernet0.[1-32] GigaEthernet0.[1-32]

GE1

GigaEthernet1.0

GigaEthernet1.0

(SW-HUB) GigaEthernet1.0

GE1

GigaEthernet1.[1-32]


(SW-HUB) GigaEthernet1.[1-32]

GE2

GigaEthernet2.0

(SW-HUB) -

GigaEthernet2.0

(SW-HUB)

GE2


(SW-HUB) -


(SW-HUB)

GE3

- - -

GE3

- - -

GE4

- - -

GE4

- - -

GE5

- - -

GE5

- - -

BRI BRI0.0 - -

USB USB-Serial0.0 - USB-Serial0.0

USB-Serial1.0

2. (2)

*1IX3015 2 4BRI-ST

*2IX3015 2 T1

*3IX3315 system subinterfaces

IX2215

IX3015

IX3110

IX3315

GE0

GigaEthernet0.0 FastEthernet0/0.0 GigaEthernet0.0 GigaEthernet0.0

GE0

GigaEthernet0.[1-32] FastEthernet0/0.[1-32] GigaEthernet0.[1-32]


*3

GE1

GigaEthernet1.0 FastEthernet0/1.0 GigaEthernet1.0 GigaEthernet1.0

GE1

GigaEthernet1.[1-32] FastEthernet0/1.[1-32] GigaEthernet1.[1-32]


*3

GE2

GigaEthernet2.0

(SW-HUB)

FastEthernet1/0.0

(SW-HUB) GigaEthernet2.0 GigaEthernet2.0

GE2


(SW-HUB)

FastEthernet1/0.[1-32]

(SW-HUB) GigaEthernet2.[1-32]


*3

GE3

- - GigaEthernet3.0 GigaEthernet3.0

GE3

- - GigaEthernet3.[1-32]


*3

GE4

- - -

GigaEthernet4.0

(SW-HUB)

GE4

- - -


(SW-HUB)*3

GE5

- - -

GigaEthernet5.0

(SW-HUB)

GE5

- - -


(SW-HUB)*3

BRI BRI0.0 BRI2/0.0*1

Serial2/0.0*2 - -

USB USB-Serial0.0 - - USB-Serial0.0

i

IPv4 LAN 1-3

1-4

1-5

1-6

ARP 1-8

RIPv2 1-10

RIPv1 1-12

RIPv2 1-14

RIPv2 1-16

RIPv2 1-18

RIP 1-20

1-22

IPv6 LAN 2-2

IPv6 2-3

2-4

RIPng 2-5

RIPng 2-7

RIPng 2-9

RIPng 2-11

IPv6PPPoE 2-13

NAT/NAPT NAT 3-2

NAT 3-4

NAT 3-6

NAT 3-7

NAPT 3-8

NAPT 3-9

3-11

VPN 3-13

DHCP DHCP 4-2

CATV 4-4

DHCP 4-6

IPsec/IKE IPsecIPv4 5-6

IKEIPsecIPv4 5-9

IPsecIPv6 5-13

IKEIPsecIPv6 5-16

IPsecIPv4 5-20

IPsecNAT 5-23

ii

IPsecIPv6 over IPv4 5-27

IPsecIPv4 over IPv6 5-30

IPsec 5-33

HTTP 6-2

Telnet 6-4

ICMP echo 6-6

TCP 6-8

6-10

IPv4 7-3

IPv6 7-5

DMZ 7-7

DMZ 7-9

IP IPv6 over IPv4 8-2

IPv4 over IPv6 8-5

IPv4 over IPv4 8-8

IPv6 over IPv6 8-11

PPPoE PPPoE 9-2

PPPoE 9-4

TCP MSS 9-5

PPPoE 9-7

PPPoE 9-10

PPPoE 9-13

LANIPv4 10-2

LANIPv6 10-4

11-2

11-5

IPv6 11-7

DNS 11-9

QoS PQ 12-8

CBQ 12-13

LLQCoS 12-16

12-20

BRIVoIP QoS 12-23

VoIP QoS 12-26

IEEE802.1QVoIP QoS 12-29

PQCoS 12-35

iii

CoS 12-39

HUBWAN 12-41

QoS/IPsec 12-45

QoS/IPsec 12-51

EtherIPPQ 12-60

SNMP 13-4

SNTP 13-7

SYSLOG 13-8

IPv6 SNMP 13-11

13-14

IDS 13-15

OSPFv2 14-2

14-5

14-7

14-9

14-11

14-13

14-15

NSSA 14-18

14-22

14-24

VLAN VLAN 15-2

15-4

ISDN ISDN 16-3

ISDN 16-6

ISDNMLPPP 16-10

ISDN 16-14

INS1500ISDN 16-21

ISDN 16-28

4BRI-STISDN 16-34

ISDN 16-39

ISDN2PPP 16-43

ISDNRAS() 16-46

ISDN 16-49

VRRP, 17-6

ISDN 17-10

ISDN 17-15

VRRPISDN 17-20

VRRPISDN 17-25

VRRP 17-28

iv

IPv6 over IPv4 17-32

2VPN 17-37

RTT 17-46

17-49

IPv4IPv6VRRPv2/v3 17-55

VRRP 17-61

IPsecVPN 2VPN 18-2

VPN 18-6

IPsec-IP 18-11

LANPPPoEVPN 18-18

IPsec 18-22

IPsec 18-28

VRRPIPsec 18-34

VRRPIPIPsec 18-41

IPsec 18-48

IPsecPPPoE 18-52

IPsecDHCP 18-57

IPsecISDN 18-63

VPNISDN 18-68

VPN/ 18-78

DHCPVPN 18-83

GREIPsec 18-88

L2VPN 18-96

IPsec NAT 18-106

IPv6VPNIPoE 18-111

IPv6VPNIPoE 18-117

IPv6VPNPPPoE 18-124

DNSIPsecIKEv1 18-131

VLAN VLAN 19-5

VLANVLAN 19-8

BGP4 eBGP 20-3

iBGP 20-5

20-8

BGPISDN 20-10

MED 20-14

AS 20-17

20-20

BGPOSPF 20-23

BGP 20-25

BGP 20-28

IP IPv4 21-3

IPv6 21-4

IPv4IPsec 21-5

v

IPv4IPv4 over IPv4 21-7

IPv6IPv6 over IPv4 21-9

21-11

PIM-SM 21-12

21-16

VPNPIM-SM 21-22

GRE 2 GRE 22-2

2 GREISDN 22-4

2 GREISDNLANPPPoE 22-8

T1 1.5MbpsLAN 23-2

LAN 23-4

DCE 23-7

AAA/RADIUS 24-3

RADIUS 24-4

PPPRADIUS 24-7

PPPRADIUS 24-11

25-2

IP 25-4

QoSPQ 25-7

PPPoE 25-12

25-15

6OSPFv3 26-2

26-5

RIPng 26-7

EtherIP EtherIP2 27-2

EtherIPIPsec2 27-6

EtherIPIPsec 27-10

EtherIPIPsec 27-14

EtherIP 27-18

EtherIP 27-24

TCP MSSIP 27-28

EtherIP 27-32

VLAN1EtherIP 27-38

VRRPIPEtherIP 27-42

EtherIP 27-49

IPv6EtherIPPPPoE 27-56

DNSIPsecEtherIP 27-60

Ethernet over GRE2 27-66

vi

VLANEthernet over GRE 27-70

IKEv2EtherIP over IPsec 27-75

L2VPN 27-80

MACdot1x 28-2

dot1x 28-4

MAC 28-9

IEEE802.1X 28-11

9NGN NGN 29-2

NGN 29-7

NGN 29-14

NGN 29-21

NGNPQ 29-26

NGNIKEv2 29-35

RADIUS 29-40

IKEv2 2VPNIKEv2 30-2

VPNIKEv2 30-6

IKEv2IPv4/IPv6 30-12

IPv6IKEv2IPoE 30-16

IPv6IKEv2PPPoE 30-21

IPsecIKEv2 30-22

IKEv2GRE over IPsec 30-27

31-2

WAN VPN 32-2

VPN 32-9

VPNDDNS 32-19

32-26

L2TP/IPsec L2TP/IPsec 33-2

L2TP/IPsecRADIUS 33-7

34-2

USB 34-5

Wake on LAN 34-7

VPN VPNVPN 35-2

VPN() 35-10

vii

VPN() 35-23

35-38

() 35-44

IPv6VPNIPoE 35-56

VRF-Lite VRF-Lite 36-2

VRF-LiteVPN 36-4

VRF-LiteVRRP 36-9

VRF-LiteVPN 36-15

VRF-LiteVPN 36-20

URL URL 37-2

URL Office 365 38-2

Office 365 38-7

NetMeister NetMeister 39-2

NetMeisterDNSIPsecIKEv2 39-5

NetMeisterDNSIPsecVPN

39-10

UTM UTM 40-2

UTMVPN 40-6

IPv4 1-1

IPv4

Ver.2

1.3 IP

IPv4 MTU RIP

RIP RIP RIPv2 RIP

Ver.3

OSPFv2RIP Ver.3.0.12

Ver.4

ARP IP

/

RIP OSPFv2Ver.3

TCP MSS Pass-MTU-Black-Hole 9

Ver.5.1

RIPv1

Cisco RIPv1

Ver.6.2

ip forced-fragment MTU IPv4 DF

1-2 IPv4

Ver.6.3

traceroute source no interface show running-config

IPv4 1-3

LAN

GE0 192.168.1.0/24 GE1 192.168.2.0/24

GE0GE1 IP LAN

IP GE0 GigaEthernet0.0 GE1

GigaEthernet1.0

[]

[] ip address 192.168.1.254/24

IPv4/24

no shutdown

Router# enable-config

Router(config)# interface GigaEthernet0.0

Router(config-GigaEthernet0.0)# ip address 192.168.1.254/24

Router(config-GigaEthernet0.0)# no shutdown

Router(config-GigaEthernet0.0)# interface GigaEthernet1.0



192.168.1.1

192.168.1.2

192.168.2.1

192.168.2.2

GE0

192.168.1.254

GE1

192.168.2.254

192.168.1.0/24 192.168.2.0/24

1-4 IPv4

192.168.4.0/24 B

A

192.168.4.0/24 B

A

GE2 192.168.1.0/24 GE0 192.168.2.0/24

[]

[] ip route 192.168.4.0/24 192.168.2.2

192.168.4.0/24

192.168.2.2 B

ip route default 192.168.2.1


Router(config)# ip route 192.168.4.0/24 192.168.2.2

Router(config)# ip route default 192.168.2.1







GE2

192.168.1.254

192.168.2.0/24

B

192.168.4.0/24

192.168.2.2

192.168.2.1

IPv4

A

GE0

192.168.2.254

192.168.1.1

192.168.1.2

192.168.1.0/24

192.168.4.1

IPv4 1-5

IP

GE2 IP

[]

[] interface GigaEthernet2.0

ip address 192.168.0.1/29 secondary

GE2GigaEthernet2.0




Router(config-GigaEthernet2.0)# ip address 192.168.0.1/29 secondary


172.16.10.0/24

192.168.0.0/29

GE2

172.16.10.254

192.168.0.1

LAN172.16.10.0)

192.168.0.2

1-6 IPv4

/

[(A)]


Router(config)# ip route 10.10.20.0/24 192.168.2.2 metric 10


Router(config)# ip multipath per-flow










GE2

10.10.10.1 GE2

10.10.20.1

GE0

192.168.2.1

GE1

192.168.3.1

GE0

192.168.2.2

GE1

192.168.3.2

(A)

10.10.10.0/24 10.10.20.0/24

(B)

IPv4 1-7

[(B)]

[(A)] ip route 10.10.20.0/24 192.168.2.2 metric 10

ip route 10.10.20.0/24 192.168.3.2 metric 10

2

ip multipath per-flow

ip multipath

per-packet

[(B)]

(A)




Router(config)# ip multipath per-flow










1-8 IPv4

ARP

10.1.1.0/24

10.1.1.240/28ARP

(A) GE2GigaEthernet2.0(B) GE210.1.1.241

10.1.1.242ARP

GE0

192.168.2.1

GE2

10.1.1.241

GE0

192.168.2.2

GE2

10.1.1.1

10.1.1.0/24 10.1.1.240/28

(A) (B)

10.1.1.242

IPv4 1-9

[(A)]

[(B)]

[(A)] ip route 10.1.1.241/32 192.168.2.2

ip route 10.1.1.242/32 192.168.2.2

(B) GE2

ip access-list arp-list permit ip src any dest 10.1.1.241/32

ip access-list arp-list permit ip src any dest 10.1.1.242/32

ARP

interface GigaEthernet2.0

ip proxy-arp arp-list

ARParp-list

(A) ARP

[(B)] ip route default 192.168.2.1












Router(config)# ip access-list arp-list permit ip src any dest 10.1.1.241/32

Router(config)# ip access-list arp-list permit ip src any dest 10.1.1.242/32



Router(config-GigaEthernet2.0)# ip proxy-arp arp-list





1-10 IPv4

RIPv2

RIPv2

RIP

[(A)]

[(B)]


Router(config)# ip router rip

Router(config-ip-rip)# exit



Router(config-GigaEthernet0.0)# ip rip enable













GE0

192.168.1.1

(A)

(B)

(C)

192.168.1.0/24 192.168.2.0/24

GE0

192.168.1.2

GE0

192.168.1.3

GE2

192.168.2.10

GE2

192.168.2.11

IPv4 1-11

[(C)]

[(A)(B)(C)] ip router rip

RIP


ip rip enable


ip rip enable

RIP

RIPv2












1-12 IPv4

RIPv1

RIPv1

RIPv2RIPv1

[(A)]

[(B)]







Router(config-GigaEthernet0.0)# ip rip send version 1

Router(config-GigaEthernet0.0)# ip rip receive version 1

















GE0

192.168.1.1

(A)

(B)

(C)

192.168.1.0/24 192.168.2.0/24

GE0

192.168.1.2

GE0

192.168.1.3

GE2

192.168.2.10

GE2

192.168.2.11

IPv4 1-13

[(C)]

[(A)(B)(C)] ip router rip

RIP

ip rip enable

RIP

RIPv2

ip rip send version 1

RIPv1

ip rip receive version 1

RIPv1
















1-14 IPv4

RIPv2

RIPv2RIPv2

redistribute connected

GE2

192.168.0.100

GE0

192.168.1.1

(A)

192.168.0.0/24 192.168.1.0/24

GE2

192.168.1.2

GE0

192.168.2.10

(B)

192.168.2.0/24

IPv4 1-15

[(A)]

[(B)]

[(A)] ip router rip


(A)RIP

GigaEthernet2.0

[(B)]

1.6














Router(config-ip-rip)# redistribute connected









1-16 IPv4

RIPv2

RIP

RIP

RIP

RIP /

GE2

192.168.0.100

GE0

192.168.1.1

(A)

192.168.0.0/24 192.168.1.0/24

GE2

192.168.1.2

GE0

192.168.2.10

(B)

192.168.2.0/24

IPv4 1-17

[(A)]

[(B)]

1.8

[(A)] interface GigaEthernet2.0

no ip rip send

no ip rip receive

RIP











Router(config-GigaEthernet2.0)# no ip rip send

Router(config-GigaEthernet2.0)# no ip rip receive


1-18 IPv4

RIPv2

(A)

[(A)]


Router(config)# ip route default GigaEthernet0.1

Router(config)# ppp profile sample

Router(config-ppp-sample)# authentication myname [email protected]

Router(config-ppp-sample)# authentication password [email protected] password-1

Router(config-ppp-sample)# exit


Router(config-ip-rip)# originate-default







Router(config-GigaEthernet0.1)# ip address ipcp

Router(config-GigaEthernet0.1)# ppp binding sample

Router(config-GigaEthernet0.1)# ip napt enable


PPPoE

(B)

192.168.1.0/24

192.168.2.0/24

GE2

192.168.1.1 GE0

192.168.2.11

(A)

GE2

192.168.2.10 GE0(PPPoE)

IPCP

IPv4

IPv4 1-19

[(B)]

[(A)] ip route default GigaEthernet0.1

ppp profile sample

authentication myname [email protected]

authentication password [email protected] password-1


ppp binding sample

ip address ipcp

PPPoE /

IPIPCP

ip router rip

RIP

originate-default

RIPng


ip rip enable

RIP

RIPv2


ip napt enable

NAPT

[(B)] redistribute connected

192.168.1.0/24(A)



Router(config-ip-rip)# redistribute connected









1-20 IPv4

RIP

RIP

192.168.0.0/24 RIP

distribute-list prefix

[(A)]


Router(config)# ip prefix-list dist-rip 10 deny 172.16.0.0/24



Router(config)# ip prefix-list dist-rip 40 permit any


Router(config-ip-rip)# distribute-list prefix dist-rip out










192.168.1.0/24

GE0

10.10.10.1

(A)

(B)

10.10.10.0/24

GE0

10.10.10.2

GE2

192.168.1.1 (A)

192.168.0.0/24

172.16.0.0/24

172.16.1.0/24

172.16.2.0/24

192.168.0.0/24

RIP

IPv4 1-21

[(B)]

[(A)] ip prefix-list dist-rip 10 deny 172.16.0.0/24

ip prefix-list dist-rip 20 deny 172.16.1.0/24

ip prefix-list dist-rip 30 deny 172.16.2.0/24

ip prefix-list dist-rip 40 permit any

(A)172.16.0.0/24172.16.2.0/24

ip router rip

distribute-list prefix dist-rip out

[(B)]

1.6












1-22 IPv4

192.168.0.0/24 192.168.1.0/24

192.168.1.255directed

(B) GE2GigaEthernet2.0

[(A)]









GE0

10.10.10.1

GE2

192.168.1.1 GE0

10.10.10.2

GE2

192.168.0.1

192.168.0.0/24 192.168.1.0/24

(A) (B)

192.168.1.255(UDP/138)

&

IPv4 1-23

[(B)]

[(A)]

1.1

[(B)] ip access-list b/c-flt permit udp src 192.168.0.0/24 sport any dest 192.168.1.255/32 dport eq 138

ip access-list b/c-flt deny ip src 192.168.0.0/24 dest 192.168.1.255/32

ip access-list b/c-flt permit ip src 192.168.0.0/24 dest 192.168.1.0/24


ip filter b/c-flt 1 out

192.168.0.0/24 192.168.1.255UDP/138

GE2

192.168.0.0/24 192.168.1.0/24

UDP/138


ip directed-broadcast

GE2



Router(config)# ip access-list b/c-flt permit udp src 192.168.0.0/24 sport any

dest 192.168.1.255/32 dport eq 138

Router(config)# ip access-list b/c-flt deny ip src 192.168.0.0/24 dest 192.168.1.255/32

Router(config)# ip access-list b/c-flt permit ip src 192.168.0.0/24 dest 192.168.1.0/24



Router(config-GigaEthernet2.0)# ip directed-broadcast

Router(config-GigaEthernet2.0)# ip filter b/c-flt 1 out





1-24 IPv4

IPv6 2-1

IPv6

Ver.2

IP

IPv6ipv6 enable

Ver1 no shutdown

IPv6

Ver2 no shutdownipv6 address

ipv6 enable IPv6

Ver1 Ver2 ipv6

enable

IPv6

IPv6 over IPv4 IPv6 over IPv6 IPv6

8.1,8.4

Ver.3

Ver.8.3

Ver.8.3

IPv6 RAipv6 nd ra

- ipv6 nd ra cur-hoplimit

- ipv6 nd ra linkmtu

- ipv6 nd ra retrans-timer

show ipv6 neighbor-discovery, show ipv6 interface RA

MTU

2-2 IPv6

LAN

GE02001:db8:100::/64 GE12001:db8:200::/64

GE0GE1 IPv6LAN

IPv6 GE0 GigaEthernet0.0 GE1

GigaEthernet1.0

[]

[] ipv6 address 2001:db8:100::3/64

IPv6/64

no shutdown



Router(config-GigaEthernet0.0)# ipv6 address 2001:db8:100::3/64





2001:db8:100::1

2001:db8:100::2

2001:db8:200::1

2001:db8:200::2

GE0

2001:db8:100::3

GE1

2001:db8:200::3

2001:db8:100::/64 2001:db8:200::/64

IPv6 2-3

IPv6

IPv6

IPv6

IPv6

GE2

[]


ipv6 nd ra enable

GE2GigaEthernet2.0




Router(config-GigaEthernet2.0)# ipv6 nd ra enable


GE2

2001:db8:100::1

2001:db8:100::/64

Router Solicitation

Router Advertisement

IPv6

2-4 IPv6

2001:db8:300::0/64B

A

2001:db8:300::/64B

A

GE2 2001:db8:100::/64 GE0 2001:db8:200::/64

[]

[] ipv6 route 2001:db8:300::/64 2001:db8:200::2

2001:db8:300::/64

2001:db8:200::2 B

ipv6 route default 2001:db8:200::1

ipv6 nd ra enable

GE2GigaEthernet2.0RA


Router(config)# ipv6 route 2001:db8:300::/64 2001:db8:200::2

Router(config)# ipv6 route default 2001:db8:200::1








2001:db8:100::/64 2001:db8:200::/6

GE2

2001:db8:100::3 GE0

2001:db8:200::3

B

2001:db8:300::/64

2001:db8:200::2

2001:db8:200::1

IPv6

A

IPv6 2-5

RIPng

RIPng

RIPng

[(A)]

[(B)]


Router(config)# ipv6 router rip

Router(config-ipv6-rip)# exit



Router(config-GigaEthernet0.0)# ipv6 rip enable













GE0

2001:db8:100::1

(A)

(B)

(C)

2001:db8:100::0/64 2001:db8:200::0/6

GE0

2001:db8:100::2

GE0

2001:db8:100::3

GE2

2001:db8:200::1

GE2

2001:db8:200::2

2-6 IPv6

[(C)]

[(A)(B)(C)] ipv6 router rip

RIPng


ipv6 rip enable


ipv6 rip enable

RIPng












IPv6 2-7

RIPng

RIPng RIPng


GE0

2001:db8:200::1

(A)

(B)

2001:db8:200::/64

GE2

2001:db8:200::2

GE0

2001:db8:300::1

GE2

2001:db8:100::1

2001:db8:100::/64 2001:db8:300::/64

2-8 IPv6

[(A)]

[(B)]

[(A)] ipv6 router rip


(A)RIPng

GigaEthernet2.0

[(B)]

2.4














Router(config-ipv6-rip)# redistribute connected









IPv6 2-9

RIPng

RIPng

RIP

RIPng

RIPng/

GE0

2001:db8:200::1

(A)

(B)

2001:db8:200::/64 2001:db8:300::/64

GE2

2001:db8:200::2GE0

2001:db8:300::1 GE2

2001:db8:100::1

2001:db8:100::/64

2-10 IPv6

[(A)]

[(B)]

2.5

[(A)] interface GigaEthernet2.0

no ipv6 rip send

no ipv6 rip receive

RIPng











Router(config-GigaEthernet2.0)# no ipv6 rip send

Router(config-GigaEthernet2.0)# no ipv6 rip receive


IPv6 2-11

RIPng

RIPng

(A)

[(A)]


Router(config)# ipv6 route default 2001:db8:300::2


Router(config-ipv6-rip)# originate-default









(B)

2001:db8:200::/64

GE2

2001:db8:100::1 GE0

2001:db8:200::1

(A)

GE2

2001:db8:200::2

GE0

2001:db8:300::1

2001:db8:300::/64

2001:db8:300::2

2001:db8:100::/64

2-12 IPv6

[(B)]

[(A)] ipv6 route default 2001:db8:300::2

ipv6 router rip

RIPng

originate-default

RIPng


ipv6 rip enable

RIPng

[(B)] redistribute connected

2001:db8:100::/64 (A)



Router(config-ipv6-rip)# redistribute connected









IPv6 2-13

IPv6 PPPoE

IPv6 IPv6 PPPoE

IX2000/IX3000 IPv6 ISP IPv6

PPPoEISPNTTNTTNGN

IPv6 IX

ISPIPv6DNSLAN

IPv6 IPv6

GE2

GE0(PPPoE)

(DHCPv6-PD)

NGN

IPv6

IPv6

2-14 IPv6

[]


Router(config)# ipv6 ufs-cache enable

Router(config)# ipv6 route default GigaEthernet0.1

Router(config)# ipv6 dhcp enable

Router(config)# ipv6 access-list block-list deny ip src any dest any

Router(config)# ipv6 access-list dhcpv6-list permit udp src any sport any dest any dport eq 546

Router(config)# ipv6 access-list dhcpv6-list permit udp src any sport eq 546 dest any dport any

Router(config)# ipv6 access-list icmpv6-list permit icmp src any dest any

Router(config)# ipv6 access-list permit-list permit ip src any dest any

Router(config)# ipv6 access-list dynamic dflt-list access permit-list

Router(config)# ppp profile sample-v6

Router(config-ppp-sample-v6)# authentication myname [email protected]

Router(config-ppp-sample-v6)# authentication password [email protected] password-1

Router(config-ppp-sample-v6)# exit

Router(config)# ipv6 dhcp client-profile dhcpv6-cl

Router(config-ipv6-dhc-dhcpv6-cl)# option-request dns-servers

Router(config-ipv6-dhc-dhcpv6-cl)# ia-pd subscriber GigaEthernet2.0

Router(config-ipv6-dhc-dhcpv6-cl)# exit

Router(config)# ipv6 dhcp server-profile dhcpv6-sv

Router(config-ipv6-dhc-dhcpv6-sv)# dns-server dhcp

Router(config-ipv6-dhc-dhcpv6-sv)# exit


Router(config-GigaEthernet2.0)# no ip address

Router(config-GigaEthernet2.0)# ipv6 enable

Router(config-GigaEthernet2.0)# ipv6 dhcp server dhcpv6-sv


Router(config-GigaEthernet2.0)# ipv6 nd ra other-config-flag



Router(config-GigaEthernet0.1)# ppp binding sample-v6

Router(config-GigaEthernet0.1)# ipv6 enable

Router(config-GigaEthernet0.1)# ipv6 dhcp client dhcpv6-cl

Router(config-GigaEthernet0.1)# ipv6 filter dhcpv6-list 1 in

Router(config-GigaEthernet0.1)# ipv6 filter icmpv6-list 2 in

Router(config-GigaEthernet0.1)# ipv6 filter block-list 100 in

Router(config-GigaEthernet0.1)# ipv6 filter dhcpv6-list 1 out

Router(config-GigaEthernet0.1)# ipv6 filter icmpv6-list 2 out

Router(config-GigaEthernet0.1)# ipv6 filter dflt-list 100 out


IPv6 2-15

[] ipv6 ufs-cache enable

UFS

ipv6 route default GigaEthernet0.1

ipv6 dhcp enable

DHCPv6

ipv6 access-list block-list deny ip src any dest any

ipv6 access-list dhcpv6-list permit udp src any sport any dest any dport eq 546

ipv6 access-list dhcpv6-list permit udp src any sport eq 546 dest any dport any

ipv6 access-list icmpv6-list permit icmp src any dest any

ipv6 access-list permit-list permit ip src any dest any

ipv6 access-list dynamic dflt-list access permit-list


ipv6 filter dhcpv6-list 1 in

ipv6 filter icmpv6-list 2 in

ipv6 filter block-list 100 in

ipv6 filter dhcpv6-list 1 out

ipv6 filter icmpv6-list 2 out

ipv6 filter dflt-list 100 out

DHCPv6 ICMPv6

LAN

WANGE0.1

ppp profile sample-v6

authentication myname [email protected]

authentication password [email protected] password-1


ppp binding sample-v6

PPP

ipv6 dhcp client-profile dhcpv6-cl

option-request dns-servers

ia-pd subscriber GigaEthernet2.0


ipv6 dhcp client dhcpv6-cl

DHCPv6 WAN GE0.1

DNSLANGE2

ipv6 dhcp server-profile dhcpv6-sv

dns-server dhcp


ipv6 dhcp server dhcpv6-sv

ipv6 nd ra enable

ipv6 nd ra other-config-flag

DHCPv6 DHCPv6 DNS

LANRA o

DNS

2-16 IPv6

NAT/NAPT 3-1

NAT/NAPT

Ver.2

NAT

NAPT

NAPTip napt static

Ver.4.2

NAT/NAPTUFSUnified Forwarding Service Cache

Ver.6.0

NATip nat static

11

NAPTip napt static

Ver.7.2

SIP-NAT SIP-NAT

SIP-NATVer.8.3

3-2 NAT/NAPT

NAT

NAT

203.0.113.1 203.0.113.23

NAT GE0GigaEthernet0.0

NAT203.0.113.2203.0.113.3

[]



Router(config)# ip nat pool natpool 203.0.113.2 203.0.113.3

Router(config)# ip access-list nat-list permit ip src 192.168.1.0/28 dest any

Router(config)# ip ufs-cache enable






Router(config-GigaEthernet0.0)# ip nat enable

Router(config-GigaEthernet0.0)# ip nat translation timeout 6000

Router(config-GigaEthernet0.0)# ip nat dynamic list nat-list pool natpool


192.168.1.3

192.168.1.2 GE2

192.168.1.1

GE0

203.0.113.1

192.168.1.0/24

IPv4

203.0.113.0/24

203.0.113.254

NAT/NAPT 3-3

[] ip route default 203.0.113.254

ip nat pool natpool 203.0.113.2 203.0.113.3

NAT

ip access-list nat-list permit ip src 192.168.1.0/28 dest any

IPv4192.168.1.0/28

ip ufs-cache enable

UFS


ip nat enable

GE0GigaEthernet0.0NAT


ip nat translation timeout 6000

3600


ip nat dynamic list nat-list pool natpool

NAT

NAT

NAT203.0.113.2 203.0.113.3

3-4 NAT/NAPT

NAT

A

203.0.113.2203.0.113.7

B203.0.113.8203.0.113.13

LAN

[]



Router(config)# ip nat pool pool-a 203.0.113.2 203.0.113.7

Router(config)# ip nat pool pool-b 203.0.113.8 203.0.113.13

Router(config)# ip access-list private-a permit ip src 192.168.1.0/28 dest any

Router(config)# ip access-list private-b permit ip src 192.168.2.0/28 dest any





Router(config-GigaEthernet0.0)# ip nat dynamic list private-a pool pool-a

Router(config-GigaEthernet0.0)# ip nat dynamic list private-b pool pool-b








GE1

192.168.1.1

A

192.168.1.0/28

GE0 203.0.113.1 IPv4

203.0.113.0/24

203.0.113.254 GE2

192.168.2.1 B

192.168.2.0/28

NAT/NAPT 3-5


ip nat pool pool-a 203.0.113.2 203.0.113.7

AIP

ip nat pool pool-b 203.0.113.8 203.0.113.13

BIP

ip access-list private-a permit ip src 192.168.1.0/28 dest any

IPv4192.168.1.0/28

ip access-list private-b permit ip src 192.168.2.0/28 dest any

IPv4192.168.2.0/28

ip ufs-cache enable

UFS


ip nat enable

GE0GigaEthernet0.0NAT


ip nat dynamic list private-a pool pool-a

private-a IPpool-a

IP


ip nat dynamic list private-b pool pool-b

private-b IP pool-b

IP

3-6 NAT/NAPT

NAT

NAT

203.0.113.1 203.0.113.2 A203.0.113.3

B

NAT11

[]


ip nat enable

ip nat static 192.168.1.2 203.0.113.2

ip nat static 192.168.1.3 203.0.113.3

NAT










Router(config-GigaEthernet0.0)# ip nat static 192.168.1.2 203.0.113.2

Router(config-GigaEthernet0.0)# ip nat static 192.168.1.3 203.0.113.3


192.168.1.3

A

B

192.168.1.2 GE2

192.168.1.1

GE0

203.0.113.1

192.168.1.0/24

IPv4

203.0.113.0/24

203.0.113.254

NAT/NAPT 3-7

NAT

NAT192.168.1.0/24

172.16.1.0/24

NAT

[]


ip nat enable

ip nat static network 192.168.1.0/24 172.16.1.0/24

NAT192.168.1.1

172.16.1.1 192.168.1.10

172.16.1.10









Router(config-GigaEthernet0.0)# ip nat static network 192.168.1.0/24 172.16.1.0/24


192.168.1.3

A

B

192.168.1.2

GE2

192.168.1.1

GE0

10.1.1.1

192.168.1.0/24

IPv4

10.1.1.1.0/24

172.16.1.1 172.16.1.254

3-8 NAT/NAPT

NAPT

NAPT

NAPTGE0GigaEthernet0.0

[]



ip address 203.0.113.100/24

ip napt enable

GE0GigaEthernet0.0NAPT

ip napt enable

(203.0.113.100)











192.168.1.3

A

B

192.168.1.2 GE2

192.168.1.1 GE0

203.0.113.100

192.168.1.0/24

IPv4

203.0.113.0/24

203.0.113.254

NAT/NAPT 3-9

NAPT

A

203.0.113.1 B

203.0.113.2

LAN

[]



Router(config)# ip access-list private-a permit ip src 192.168.1.0/24 dest any

Router(config)# ip access-list private-b permit ip src 192.168.2.0/24 dest any





Router(config-GigaEthernet0.0)# ip napt address 203.0.113.1

Router(config-GigaEthernet0.0)# ip napt inside list private-a

Router(config-GigaEthernet0.0)# ip napt inside list private-b outside 203.0.113.2







203.0.113.254

GE1

192.168.1.1

A

192.168.1.0/24

GE0 203.0.113.100

203.0.113.0/24

GE2

192.168.2.1 B

192.168.2.0/24

IPv4

3-10 NAT/NAPT


ip ufs-cache enable

UFS

ip access-list private-a permit ip src 192.168.1.0/24 dest any


ip address 203.0.113.100/32

ip napt enable

ip napt address 203.0.113.1

ip napt inside list private-a

GigaEthernet0.0 IPNAPT

ip napt inside list (outside )

private-a203.0.113.1

ip napt address NAPT

(203.0.113.100)

ip access-list private-b permit ip src 192.168.2.0/24 dest any


ip napt inside list private-b outside 203.0.113.2

GigaEthernet0.0 IPNAPT

ip napt inside list outside

private-b203.0.113.2

outside 2

NAPT

NAT/NAPT 3-11

NAPT

AWWWTelnet

HTTP192.168.1.2 Telnet

192.168.1.1

192.168.1.3

A

192.168.1.2 GE2

192.168.1.1 GE0

203.0.113.100

192.168.1.0/24

IPv4

A

203.0.113.0/24

203.0.113.254

Web

Telnet

3-12 NAT/NAPT

[]


ip ufs-cache enable

UFS

telnet-server ip enable

Telnet


ip napt enable



ip napt service http 192.168.1.2 none tcp 80

ip napt service telnet 192.168.1.1 none tcp 23

HTTP (TCP/80)

192.168.1.2 ATelnet (TCP/23)

(192.168.1.1)




Router(config)# telnet-server ip enable







Router(config-GigaEthernet0.0)# ip napt service http 192.168.1.2 none tcp 80

Router(config-GigaEthernet0.0)# ip napt service telnet 192.168.1.1 none tcp 23


NAT/NAPT 3-13

VPN

VPNNAPT IX VPN

PPTPVPN

NAPT GE0.1 PPTP GRE LAN

PPTP192.168.0.100NAPT

VPNIX1

192.168.0.100

PPTP GE2

192.168.0.254

192.168.0.0/24

PPTP

Internet

GE0(PPPoE)

203.0.113.100

PPTP

3-14 NAT/NAPT

[]


ip napt enable



ip napt static 192.168.0.100 tcp 1723

ip napt static 192.168.0.100 47

VPN WAN GigaEthernet0.1 PPTP

TCP/1723 GRE=47 IX PPTP

192.168.0.100



Router(config)# ip route default GigaEthernet0.1

Router(config)# ppp profile sample

Router(config-ppp-sample)# authentication myname [email protected]

Router(config-ppp-sample)# authentication password [email protected] password-1

Router(config-ppp-sample)# exit





Router(config-GigaEthernet0.1)# ppp binding sample



Router(config-GigaEthernet0.1)# ip napt static 192.168.0.100 tcp 1723

Router(config-GigaEthernet0.1)# ip napt static 192.168.0.100 47


DHCP 4-1

DHCP

Ver.2

Ver1

DHCPDHCP

Ver.4.2

IEEE802.1Q VLANDHCP

DHCP

Ver..2

DHCPv6 Plefix DelegationPD

DHCPv6 PD CPEDHCPv6 PD

PE IPv6DNS IPv6

Ver..3

DHCPIP128

256

Ver.7.0

DHCP DHCP 1 4

Ver.8.0

DHCPDHCP

default distance/metric

DHCP

Warning

Ver.8.3

DHCPDHCP

ID/

ip dhcp-client authentication delayed-auth

4-2 DHCP

DHCP

DHCP

NAPT

DHCPGE2GigaEthernet2.0GE0GigaEthernet0.0NAPT

DNSLAN IP

DNS

[]



Router(config)# ip dhcp profile lan1

Router(config-dhcp-lan1)# dns-server 192.168.1.1

Router(config-dhcp-lan1)# exit

Router(config)# ip dhcp enable

Router(config)# proxy-dns server 198.51.100.10 priority 200

Router(config)# proxy-dns server 198.51.100.11

Router(config)# proxy-dns ip enable



Router(config-GigaEthernet2.0)# ip dhcp binding lan1






GE2

192.168.1.1

GE0

203.0.113.1

192.168.1.0/24

203.0.113.0/24

203.0.113.254

IPv4

DNS

198.51.100.10

198.51.100.11

DHCP 4-3


ip dhcp profile lan1

dns-server 192.168.1.1

DHCP lan1 DNS

DNS IPGE2GigaEthernet2.0 IP

ip dhcp enable

DHCP

proxy-dns server 198.51.100.10 priority 200

proxy-dns server 198.51.100.11

DNS IP

100

proxy-dns ip enable

DNS


ip dhcp binding lan1

DHCPlan1GE2GigaEthernet2.0

IP 192.168.1.2192.168.1.2541

255.255.255.0

192.168.1.1

DNS192.168.1.1


ip napt enable


4-4 DHCP

CATV

IPDHCP

DHCP

GE0GigaEthernet0.0DHCPNAPTDHCP

DNS DHCP

DNS

[]


Router(config)# hostname my-router

my-router(config)# proxy-dns ip enable

my-router(config)# ip dhcp profile catv

my-router(config-dhcp-catv)# dns-server 192.168.1.1

my-router(config-dhcp-catv)# exit

my-router(config)# ip dhcp enable

my-router(config)# interface GigaEthernet2.0

my-router(config-GigaEthernet2.0)# ip address 192.168.1.1/24

my-router(config-GigaEthernet2.0)# ip dhcp binding catv

my-router(config-GigaEthernet2.0)# no shutdown

my-router(config-GigaEthernet2.0)# interface GigaEthernet0.0

my-router(config-GigaEthernet0.0)# ip address dhcp receive-default

my-router(config-GigaEthernet0.0)# ip napt enable

my-router(config-GigaEthernet0.0)# no shutdown

GE2

192.168.1.1

GE0

(DHCP)

192.168.1.0/24

CATV

Internet

DHCP 4-5

[] hostname my-router

proxy-dns ip enable

DNS

ip dhcp profile catv

dns-server 192.168.1.1

DHCP catv DNS

DNS IPGE2GigaEthernet2.0 IP


ip dhcp binding catv

DHCPcatvGE2GigaEthernet2.0

IP 192.168.1.2192.168.1.2541

255.255.255.0

192.168.1.1

DNS192.168.1.1


ip address dhcp receive-default

GE0GigaEthernet0.0 IP DHCP


ip napt enable


4-6 DHCP

DHCP

DHCP

DHCP

DHCP DHCP DHCP

[]

[] ip dhcp-relay enable

DHCP


ip dhcp-relay server 192.168.0.100

DHCP IP

DHCP


Router(config)# ip dhcp-relay enable






Router(config-GigaEthernet2.0)# ip dhcp-relay server 192.168.0.100


GE0

192.168.0.1

(DHCP)

GE2

192.168.1.1

DHCP

192.168.0.100

DHCP

DHCP

IPsec/IKE 5-1

IPsec/IKE

IPsec IX 2

Ver.1.0 IPsec

1 IPsec ToS SA

Ver.4.1

IPsec IPsec

IPsec

IPsec

IPsec 1 IPsec 1

Ver 4.1

IPsec

IPsec

4.2 IPsec

Ver.4.2 UFS IPsec

5-2 IPsec/IKE

IPsec

IPsec

DF

TCP TCP MSS

IPv4= AES/SHA1

- MTU=1454: MSS =1350

- MTU=1500: MSS =1398

TCP

ESP AH IPsec

()DES/3DES 8

AES 16

IPv4 IPsec MTU 1,500byte

IPv4 AES/SHA1

= [ ( 1500 - IPv4 - ESP (ESP + ESP ) /16] x 16 - /

= 90 x 16 - 2 = 1438byte

TCP MSS

= 1438 - 40 = 1398byte

IP ESP IP ESP

ESP

,

20byte

(IPv4)

40byte

(IPv6)

8byte

IP 20byte

(DES/3DES)

28byte

(AES)

07byte

()

2byte

IPsec/IKE 5-3

Ver.4.3

IKE Commit IX

VPN

Commit IKE SA SA

IKE 1 IKE 23 IKE 1 3 2

SA Commit IKE

Commit IKE 3 IKE CONNECTED SA

Commit 2 3 SA

SA Commit

CONNECTED 3

1

3 SA 3

SA

Commit SA

CONNECTED SA

Ver.5.0

IPsec/IKE MIB SNMP IPsec/IKE SA

SA / IPsec/IKE MIB

IX2000/IX3000 MIB SNMP

MIB PICO-IPSEC-FLOW-MONITOR-MIB.mib

IPsec IKE 2

ipsec dynamic-map ike policy

IKE

IPsec IPsec SA IPsec

DELETE 60 10

DELETE ipsec delete-notify

Ver.5.2

IPsec/IKE AES-CBC 128

5-4 IPsec/IKE

Ver.6.2

SA

IPsec VPN IPsec SA IKE

IPsec SA

IPsec SA IPsec SA

ike suppress-dangling IKE-POLICY IKE SA IKE SA IPsec SA

VPN

DH 142048-bit modp

IKE Diffie-Hellman DH DH 142048bit

DH 768/1024/1536bit

IPsec/IKE SA IX3010

IPsec/IKE SA IX3010 512 VPN 10

IPsec SA Tunnel ipsec dynamic-map

VPN ipsec dynamic-map dynamic-map

Tunnel IPsec SA Tunnel

IPsec SA

Invalid-Cookie

CoSine IPSX IPsec IKE SA Invalid-Cookie CoSine IPSX

Ver6.2 CoSine IPSX

Quick modeIKE 2

SafeNet Sentinel VPN IPsec SA

(a) (b)SafeNet Sentinel Quick Mode 0.5 (c)Quick Mode

Ver6.2 (c)

IPsec/IKE 5-5

Ver.6.3

ICMP EchoPING IPsec

ICMP Echo IPsec ICMP Echo SA

IKE

IPsec

Ver.7.5

IPsec NAT

IPsec NAPT IPsec 18

IX2004

5-6 IPsec/IKE

IPsec IPv4

(A)(B) IPsec

IPsec

IPsec

---- ESP-SHA1

---- ESP-AES

IPsec ---- 2

(A)(B)

[(A)]


Router(config)# ip route 192.168.2.0/24 Tunnel0.0



Router(config)# ip access-list sec-list permit ip src any dest any

Router(config)# ipsec manualkey mykey esp-aes aes-key-12345678 esp-sha sha-key-123456789012

Router(config)# ipsec manualkey-map ipsec-policy sec-list peer 20.20.20.20 mykey/600/ mykey/300/

Router(config)# ipsec local-id ipsec-policy 192.168.1.0/24

Router(config)# ipsec remote-id ipsec-policy 192.168.2.0/24

Router(config)# no ipsec anti-replay




--- ---

GE0

20.20.20.20

GE2

192.168.2.254

192.168.2.0/24

(B) 10.10.10.1 20.20.20.1

20.20.20.0/24

GE2

192.168.1.254

GE0

10.10.10.10

192.168.1.0/24

(A)

10.10.10.0/24

192.168.2.1 192.168.1.1

IPsec/IKE 5-7

[(B)]

[(A)] ip route 192.168.2.0/24 Tunnel0.0

ip route 20.20.20.0/24 10.10.10.1

ip ufs-cache enable

UFS

ip access-list sec-list permit ip src any dest any

IPsec







Router(config)# ipsec manualkey-map ipsec-policy sec-list peer 10.10.10.10 mykey/300/ mykey/600










Router(config-GigaEthernet2.0)# interface Tunnel0.0

Router(config-Tunnel0.0)# tunnel mode ipsec

Router(config-Tunnel0.0)# ipsec policy tunnel ipsec-policy out

Router(config-Tunnel0.0)# ip unnumbered GigaEthernet2.0

Router(config-Tunnel0.0)# no shutdown








Router(config-Tunnel0.0)# ip tcp adjust-mss auto


5-8 IPsec/IKE

ipsec manualkey mykey esp-aes aes-key-12345678 esp-sha sha-key-123456789012

ESP AESSHA1

AES 16 aes-key-12345678SHA1

20 sha-key-123456789012

ipsec manualkey-map ipsec-policy sec-list peer 20.20.20.20 mykey/600/ mykey/300/

IPsec IPsec

IPsec SA

manualkey

IPsec SA SPI

ESP ESP SPI

mykey/600/ SPI mykey/300/ SPI SPI

(B)

ipsec local-id ipsec-policy 192.168.1.0/24

ipsec remote-id ipsec-policy 192.168.2.0/24

IKE ID IPsec ID

manualkey-map

ID any 0.0.0.0/0

no ipsec anti-replay

Anti-replay

interface Tunnel0.0

tunnel mode ipsec

IPsec

interface Tunnel0.0

ipsec policy tunnel ipsec-policy out

Tunnel0.0

interface Tunnel0.0

ip unnumbered GigaEthernet2.0

IPv4 IPv4

interface Tunnel0.0

ip tcp adjust-mss auto

TCP MSS Tunnel MTU 40

TCP

(A)

[(B)]

(A)/(A)SPI

/(A)

IPsec/IKE 5-9

IKE IPsec IPv4

IKE(A)(B) IPsec

IKEIPsec

IKE IPsec SA

IKE

---- SHA1

---- AES

------------

IKEv1

DH -------- 768bit

ISAKMP ----- 28,800

IPsec

---- ESP-SHA1

---- ESP-AES

PFS --------------- OFF

IPsec SA ---- 28,800 1000000

(A)(B)

GE0

20.20.20.20

GE2

192.168.2.254

192.168.2.0/24

192.168.2.1

(B)

20.20.20.0/24 GE2

192.168.1.254

GE0

10.10.10.10

192.168.1.0/24

192.168.1.1

(A)

10.10.10.0/24

10.10.10.1 20.20.20.1

5-10 IPsec/IKE

[(A)]

[(B)]






Router(config)# ike proposal ike-prop encryption aes hash sha

Router(config)# ike policy ike-policy peer 10.10.10.10 key himitsu ike-prop

Router(config)# ipsec autokey-proposal ipsec-prop esp-aes esp-sha

Router(config)# ipsec autokey-map ipsec-policy sec-list peer 10.10.10.10 ipsec-prop





































IPsec/IKE 5-11

[(A)] ip route 192.168.2.0/24 Tunnel0.0

ip route 20.20.20.0/24 10.10.10.1

ip ufs-cache enable

UFS

ip access-list sec-list permit ip src any dest any

IPsec

ike proposal ike-prop encryption aes hash sha

ike policy ike-policy peer 20.20.20.20 key himitsu ike-prop

IKE IKE

Pre-shared KeyISAKMP SA

ike-policy

IKE

AES SHA1

ipsec autokey-proposal ipsec-prop esp-aes esp-sha

ipsec autokey-map ipsec-policy sec-list peer 20.20.20.20 ipsec-prop

IPsec

AES/SHA1 IPsec

ipsec local-id ipsec-policy 192.168.1.0/24

ipsec remote-id ipsec-policy 192.168.2.0/24

IKE ID IPsec ID

autokey-map

ID any 0.0.0.0/0

interface Tunnel0.0

tunnel mode ipsec

IPsec

interface Tunnel0.0


Tunnel0.0

interface Tunnel0.0

ip unnumbered GigaEthernet2.0

IPv4 IPv4

5-12 IPsec/IKE

interface Tunnel0.0

ip tcp adjust-mss auto


TCP

(A)

[(B)]

(A)(A)

IPsec/IKE 5-13

IPsec IPv6

(A)(B) IPsec

IPv4

IPsec

IPsec

---- ESP-SHA1

---- ESP-AES

IPsec ---- 2

(A)(B)

[(A)]


Router(config)# ipv6 route 2001:db8:600::/64 Tunnel0.0



Router(config)# ipv6 access-list sec-list permit ip src any dest any


Router(config)# ipsec manualkey-map ipsec-policy sec-list peer 2001:db8:2::1 mykey/600/ mykey/300/

Router(config)# ipsec local-id ipsec-policy 2001:db8:500::/64

Router(config)# ipsec remote-id ipsec-policy 2001:db8:600::/64





--- ---

GE0

2001:db8:2::1

1

GE2

2001:db8:600::1

2001:db8:600::/64

(B)

2001:db8:2::/64 GE2

2001:db8:500::1

GE0

2001:db8:1::1

2001:db8:500::/64

(A)

2001:db8:1::2

2001:db8:2::2

2001:db8:1::/64

2001:db8:500::5 2001:db8:600::5

5-14 IPsec/IKE

[(B)]

[(A)] ipv6 route 2001:db8:600::/64 Tunnel0.0

ipv6 route 2001:db8:2::/64 2001:db8:1::2

ipv6 ufs-cache enable

UFS

ipv6 access-list sec-list permit ip src any dest any

IPsec







Router(config)# ipsec manualkey-map ipsec-policy sec-list peer 2001:db8:1::1 mykey/300/ mykey/600/













Router(config-Tunnel0.0)# ipv6 enable

Router(config-Tunnel0.0)# ipv6 unnumbered GigaEthernet2.0










Router(config-Tunnel0.0)# ipv6 tcp adjust-mss auto


IPsec/IKE 5-15

ipsec manualkey mykey esp-aes aes-key-12345678 esp-sha sha-key-123456789012

ESP AESSHA1

AES 16 aes-key-12345678SHA1

20 sha-key-123456789012

ipsec manualkey-map ipsec-policy sec-list peer 20.20.20.20 mykey/600/ mykey/300/

IPsec IPsec

IPsec SA

manualkey

IPsec SA SPI

ESP ESP SPI

mykey/600/ SPI mykey/300/ SPI SPI

(B)

ipsec local-id ipsec-policy 2001:db8:500::/64

ipsec remote-id ipsec-policy 2001:db8:600::/64

IKE ID IPsec ID

no ipsec anti-replay

Anti-replay

interface Tunnel0.0

tunnel mode ipsec

IPsec

interface Tunnel0.0


Tunnel0.0

interface Tunnel0.0

ipv6 enable

ipv6 unnumbered GigaEthernet2.0

IPv6 IPv6

interface Tunnel0.0

ipv6 tcp adjust-mss auto


TCP

(A)

[(B)]

(A)/(A)SPI

/(A)

5-16 IPsec/IKE

IKE IPsec IPv6

(A)(B) IPsec

IPv4

IKEIPsec

IKE IPsec SA

IKE

---- SHA1

---- AES

------------

IKEv1

DH -------- 768bit

ISAKMP ----- 28,800

IPsec

---- ESP-SHA1

---- ESP-AES

PFS --------------- OFF

IPsec SA ---- 28,800 1000000

(A)(B)

GE0

2001:db8:2::1

GE2

2001:db8:600::1

2001:db8:600::/64

2001:db8:600::5

(B)

2001:db8:2::/64 GE2

2001:db8:500::1

GE0

2001:db8:1::1

2001:db8:500::/64

2001:db8:500::5

(A)

2001:db8:1::/64

2001:db8:1::2 2001:db8:2::2

IPsec/IKE 5-17

[(A)]

[(B)]







Router(config)# ike policy ike-policy peer 2001:db8:1::1 key himitsu ike-prop


Router(config)# ipsec autokey-map ipsec-policy sec-list peer 2001:db8:1::1 ipsec-prop





















Router(config)# ike policy ike-policy peer 2001:db8:2::1 key himitsu ike-prop


Router(config)# ipsec autokey-map ipsec-policy sec-list peer 2001:db8:2::1 ipsec-prop














Router(config-Tunnel0.0)# ipv6 tcp adjust-mss auto


5-18 IPsec/IKE

[(A)] ipv6 route 2001:db8:600::/64 Tunnel0.0

ipv6 route 2001:db8:2::/64 2001:db8:1::2

ipv6 ufs-cache enable

UFS

ipv6 access-list sec-list permit ip src any dest any

IPsec


ike policy ike-policy peer 2001:db8:2::1 key himitsu ike-prop

IKE IKE


ike-policy

IKE

AES SHA1

ipsec autokey-proposal ipsec-prop esp-aes esp-sha

ipsec autokey-map ipsec-policy sec-list peer 2001:db8:2::1 ipsec-prop

IPsec

AES/SHA1 IPsec

ipsec local-id ipsec-policy 2001:db8:500::/64

ipsec remote-id ipsec-policy 2001:db8:600::/64

IKE ID IPsec ID

interface Tunnel0.0

tunnel mode ipsec

IPsec

interface Tunnel0.0


Tunnel0.0

interface Tunnel0.0

ipv6 enable

ipv6 unnumbered GigaEthernet2.0

IPv6 IPv6

interface Tunnel0.0

ipv6 tcp adjust-mss auto


IPsec/IKE 5-19

TCP

(A)

[(B)]

(A)(A)

5-20 IPsec/IKE

IPsec IPv4

(A)(B)

IPsec

IKE

IKE

---- SHA1

---- AES

------------

IKEv1

DH -------- 768bit

ISAKMP ----- 28,800

IPsec

---- ESP-SHA1

---- ESP-AES

PFS --------------- OFF

IPsec SA ---- 28,800 1000000

IPsec

IPsec

GE0

192.168.2.1/24

GE0

192.168.2.2/24

GE2

192.168.1.254

GE2

192.168.3.254

192.168.1.0/24 192.168.3.0/24

192.168.1.1 192.168.3.1

(A) (B)

IPsec/IKE 5-21

[(A)]

[(B)]



Router(config)# ip access-list sec-list permit ip src 192.168.2.2/32 dest 192.168.2.1/32







Router(config-GigaEthernet0.0)# ipsec policy transport ipsec-policy














Router(config-GigaEthernet0.0)# ipsec policy transport ipsec-policy





5-22 IPsec/IKE

[(A)] ip ufs-cache enable

UFS

ip access-list sec-list permit ip src 192.168.2.1/32 dest 192.168.2.2/32

IPsec

192.168.2.1(A) 192.168.2.2

(B)



IKE IKE


ike-policy

IKE

AES SHA1

ipsec autokey-proposal ipsec-prop esp-aes esp-sha ipsec-prop ipsec autokey-map ipsec-policy sec-list peer 192.168.2.2

IPsec

AES/SHA1 IPsec


ipsec policy transport ipsec-policy

GE0GigaEthernet0.0

[(B)]

(A)(A)

IPsec/IKE 5-23

IPsec NAT

NAT IPsec

(A) GE2GigaEthernet2.0NAT IPsec

IKE/IPsec

IKE

---- SHA1

---- AES

------------

IKEv1

DH -------- 768bit

ISAKMP ----- 28,800

IPsec

---- ESP-SHA1

---- ESP-AES

PFS --------------- OFF

IPsec SA ---- 28,800 1000000

(A)(B)

GE0

20.20.20.20

GE2

192.168.1.254

192.168.1.0/24

(B)

20.20.20.0/24

192.168.1.1

NAT

172.16.0.0/24

192.168.0.0/24

GE2

172.16.0.254

GE0

10.10.10.10

172.16.0.0/24

(A)

10.10.10.1

10.10.10.0/24

172.16.0.1

20.20.20.1

5-24 IPsec/IKE

[(A)]






Router(config)# ip access-list nat-list permit ip src 172.16.0.0/24 dest any

Router(config)# ip nat pool pool1 192.168.0.1 192.168.0.254

















Router(config-Tunnel0.0)# ip nat dynamic list nat-list pool pool1

Router(config-Tunnel0.0)# ip nat enable



IPsec/IKE 5-25

[(B)]

[(A)] ip route 192.168.1.0/24 Tunnel0.0

ip route 20.20.20.0/24 10.10.10.1

ip ufs-cache enable

UFS

ip access-list sec-list permit ip src 172.16.0.0/24 dest 192.168.1.0/24

IPsec

172.16.0.0/24 192.168.1.0/24

NAT



IKE IKE


ike-policy

IKE

AES SHA1
















Router(config-GigaEthernet2.0)# ip address 192.168

univerge ixシリーズ 設定事例集 対応 高速アクセスルータ univerge ixシリーズ...

Documents

univerge ixシリーズ設定事例集対応高速アクセスルータ univerge ixシリーズ...