■Test 1: Object tracking using IP SLA

    ⇒Configure an IP SLA icmp-echo probe to 10.0.0.2

    ⇒Check the tracking state

    ⇒Check the Active/Standby state for VLAN101

    ⇒Unplug fa0/1 on DSW3_3560

    ⇒Check the tracking state

    ⇒Confirm the Active/Standby switchover for VLAN101


■Configuration applied to DSW1_3750
conf t
!
ip routing
!
vlan 101
vlan 1
shutdown
!
no spanning-tree vlan 101
!
int fa1/0/1
no switchport
ip address 10.0.0.1 255.255.255.252
!
int fa1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
int vlan1
shutdown
!
ip sla 10
icmp-echo 10.0.0.2
frequency 5
ip sla schedule 10 start-time now life forever
!
track 5 rtr 10 reachability
!
int vlan101
ip address 172.16.101.2 255.255.255.0
standby version 2
standby 1001 ip 172.16.101.1
standby 1001 priority 150
standby 1001 track 5 decrement 60
standby 1001 preempt
standby 1001 timer 1 3
standby 1001 authentication CCNP_1001
no shut
!
router ospf 1
network 10.0.0.0 0.0.0.3 area 0
network 172.16.101.0 0.0.0.255 area 0
passive-interface vlan101
!
end


■Configuration applied to DSW2_3750
conf t
!
ip routing
!
vlan 101
vlan 1
shutdown
!
no spanning-tree vlan 101
!
int fa1/0/1
no switchport
ip address 10.0.0.5 255.255.255.252
!
int fa1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
int vlan1
shutdown
!
int vlan101
ip address 172.16.101.3 255.255.255.0
standby version 2
standby 1001 ip 172.16.101.1
standby 1001 preempt
standby 1001 timer 1 3
standby 1001 authentication CCNP_1001
no shut
!
router ospf 1
network 10.0.0.4 0.0.0.3 area 0
network 172.16.101.0 0.0.0.255 area 0
passive-interface vlan101
!
end


■Configuration applied to DSW3_3560
conf t
!
ip routing
!
vlan 101
vlan 1
shutdown
!
no spanning-tree vlan 101
!
int loopback 0
ip address 1.1.1.1 255.255.255.255
!
int fa0/1
no switchport
ip address 10.0.0.2 255.255.255.252
!
int fa0/2
no switchport
ip address 10.0.0.6 255.255.255.252
!
int vlan1
shutdown
!
router ospf 1
network 1.1.1.1 0.0.0.0 area 0
network 10.0.0.0 0.0.0.3 area 0
network 10.0.0.4 0.0.0.3 area 0
!
end


■Configuration applied to SW1_2950
conf t
!
vlan 101
!
no spanning-tree vlan 101
!
int fa0/1
switchport mode trunk
!
int fa0/2
switchport mode trunk
!
int fa0/3
switchport mode access
switchport access vlan 101
!
end


■Test 1: Object tracking using IP SLA

    ⇒Check the tracking state
DSW1_3750#sh track brief
Track Object Parameter Value
5 ip sla 10 reachability Up


DSW1_3750#sh track
Track 5
IP SLA 10 reachability
Reachability is Up
2 changes, last change 00:06:48
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
HSRP Vlan101 1001


    ⇒Check the Active/Standby state for VLAN101
DSW1_3750#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl101 1001 150 P Active local 172.16.101.3 172.16.101.1


    ⇒Unplug fa0/1 on DSW3_3560
DSW1_3750#
*Mar 1 00:11:58.995: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
*Mar 1 00:11:59.994: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
*Mar 1 00:11:59.994: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet1/0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar 1 00:12:04.977: %TRACKING-5-STATE: 5 ip sla 10 reachability Up->Down
*Mar 1 00:12:05.656: %HSRP-5-STATECHANGE: Vlan101 Grp 1001 state Active -> Speak
*Mar 1 00:12:08.978: %HSRP-5-STATECHANGE: Vlan101 Grp 1001 state Speak -> Standby


    ⇒Check the tracking state
DSW1_3750#sh track brief
Track Object Parameter Value
5 ip sla 10 reachability Down


DSW1_3750#sh track
Track 5
IP SLA 10 reachability
Reachability is Down
3 changes, last change 00:01:06
Latest operation return code: Timeout
Tracked by:
HSRP Vlan101 1001


    ⇒Confirm the Active/Standby switchover for VLAN101
DSW1_3750#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl101 1001 90 P Standby 172.16.101.3 local 172.16.101.1


■Test 1: Unplug fa1/0/1 on DSW1_3750
    ⇒Check link state tracking
    ⇒Confirm that fa1/0/3 and fa1/0/4 are blocked (disabled)
    ⇒Confirm the Active/Standby switchover for each VLAN


■Configuration applied to DSW1_3750
conf t
!
ip routing
!
vlan 101-103
vlan 1
shutdown
!
spanning-tree vlan 101-103
spanning-tree vlan 101,103 priority 4096
spanning-tree vlan 102 priority 8192
!
link state track 1
!
int fa1/0/1
no switchport
ip address 10.0.0.1 255.255.255.252
link state group 1 upstream
!
int fa1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
int fa1/0/3
switchport trunk encapsulation dot1q
switchport mode trunk
link state group 1 downstream
!
int fa1/0/4
switchport trunk encapsulation dot1q
switchport mode trunk
link state group 1 downstream
!
int vlan1
shutdown
!
int vlan101
ip address 172.16.101.2 255.255.255.0
standby 1 ip 172.16.101.1
standby 1 priority 150
standby 1 preempt delay minimum 60
standby 1 track fa1/0/4 55
standby 1 authentication CCNP_101
no shut
!
int vlan102
ip address 172.16.102.2 255.255.255.0
standby 2 ip 172.16.102.1
standby 2 preempt
standby 2 track fa1/0/4
standby 2 authentication CCNP_102
no shut
!
int vlan103
ip address 172.16.103.2 255.255.255.0
standby 3 ip 172.16.103.1
standby 3 priority 150
standby 3 preempt delay minimum 60
standby 3 track fa1/0/4 55
standby 3 authentication CCNP_103
no shut
!
router ospf 1
network 10.0.0.0 0.0.0.3 area 0
network 172.16.101.0 0.0.0.255 area 0
network 172.16.102.0 0.0.0.255 area 0
network 172.16.103.0 0.0.0.255 area 0
!
end


■Configuration applied to DSW2_3750
conf t
!
ip routing
!
vlan 101-103
vlan 1
shutdown
!
spanning-tree vlan 101-103
spanning-tree vlan 102 priority 4096
spanning-tree vlan 101,103 priority 8192
!
link state track 2
!
int fa1/0/1
no switchport
ip address 10.0.0.5 255.255.255.252
link state group 2 upstream
!
int fa1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
int fa1/0/3
switchport trunk encapsulation dot1q
switchport mode trunk
link state group 2 downstream
!
int fa1/0/4
switchport trunk encapsulation dot1q
switchport mode trunk
link state group 2 downstream
!
int vlan1
shutdown
!
int vlan101
ip address 172.16.101.3 255.255.255.0
standby 1 ip 172.16.101.1
standby 1 preempt
standby 1 track fa1/0/4
standby 1 authentication CCNP_101
no shut
!
int vlan102
ip address 172.16.102.3 255.255.255.0
standby 2 ip 172.16.102.1
standby 2 priority 150
standby 2 preempt delay minimum 60
standby 2 track fa1/0/4 60
standby 2 authentication CCNP_102
no shut
!
int vlan103
ip address 172.16.103.3 255.255.255.0
standby 3 ip 172.16.103.1
standby 3 preempt
standby 3 track fa1/0/4
standby 3 authentication CCNP_103
no shut
!
router ospf 1
network 10.0.0.4 0.0.0.3 area 0
network 172.16.101.0 0.0.0.255 area 0
network 172.16.102.0 0.0.0.255 area 0
network 172.16.103.0 0.0.0.255 area 0
!
end


■Configuration applied to DSW3_3560
conf t
!
ip routing
!
vlan 101-103
vlan 1
shutdown
!
no spanning-tree vlan 101-103
!
int loopback 0
ip address 1.1.1.1 255.255.255.255
!
int fa0/1
no switchport
ip address 10.0.0.2 255.255.255.252
!
int fa0/2
no switchport
ip address 10.0.0.6 255.255.255.252
!
int vlan1
shutdown
!
router ospf 1
network 1.1.1.1 0.0.0.0 area 0
network 10.0.0.0 0.0.0.3 area 0
network 10.0.0.4 0.0.0.3 area 0
!
end


■Configuration applied to SW1_2950
conf t
!
vlan 101,102,103
!
int fa0/1
switchport mode trunk
!
int fa0/2
switchport mode trunk
!
int fa0/3
switchport mode access
switchport access vlan 101
!
end


■Configuration applied to SW2_2950
conf t
!
vlan 101,102,103
!
int fa0/1
switchport mode trunk
!
int fa0/2
switchport mode trunk
!
int fa0/3
switchport mode access
switchport access vlan 103
!
end


■Test 1: Unplug fa1/0/1 on DSW1_3750
    ⇒Check link state tracking
DSW1_3750#sh link state group detail

Link State Group: 1 Status: Enabled, Up
Upstream Interfaces : Fa1/0/1(Up)
Downstream Interfaces : Fa1/0/3(Up) Fa1/0/4(Up)

(Up):Interface up (Dwn):Interface Down (Dis):Interface disabled


    ⇒Confirm that fa1/0/3 and fa1/0/4 are blocked (disabled)
DSW1_3750#sh link state group detail

Link State Group: 1 Status: Enabled, Down
Upstream Interfaces : Fa1/0/1(Dwn)
Downstream Interfaces : Fa1/0/3(Dis) Fa1/0/4(Dis)

(Up):Interface up (Dwn):Interface Down (Dis):Interface disabled


    ⇒Confirm the Active/Standby switchover for each VLAN
■Before unplugging
DSW1_3750#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl101 1 150 P Active local 172.16.101.3 172.16.101.1
Vl102 2 100 P Standby 172.16.102.3 local 172.16.102.1
Vl103 3 150 P Active local 172.16.103.3 172.16.103.1


■After unplugging
DSW1_3750#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl101 1 95 P Standby 172.16.101.3 local 172.16.101.1
Vl102 2 90 P Standby 172.16.102.3 local 172.16.102.1
Vl103 3 95 P Standby 172.16.103.3 local 172.16.103.1


■Test 1: Unplug fa1/0/4 on DSW1_3750
    ⇒Confirm the Active/Standby switchover for each VLAN

■Test 2: Unplug fa1/0/4 on DSW2_3750
    ⇒Confirm the Active/Standby switchover for each VLAN

※If no decrement value is configured explicitly for when a tracked interface goes down, the priority is decremented by 10 by default.

※If the decremented priority values on the A side and the B side are equal, no Active⇒Standby switchover occurs.

※VLAN101 switched to Active on DSW2_3750, and in PVST on SW2_2950 the VLAN101 port fa0/1 (upstream: DSW2_3750, Active) is in blocking state, yet a ping to the VLAN101 host behind SW1_2950 succeeded.
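The three notes above describe the HSRP election rules that the fa1/0/4 tests exercise. The following Python model is an added example, not part of the lab notes, that replays the VLAN101 and VLAN102 groups of DSW1_3750 and DSW2_3750 through the two tests. It assumes a default priority of 100, a default decrement of 10, tie-breaking by the higher interface IP address, and that a preempting router takes over only with a strictly higher effective priority.

```python
# Added example (not part of the lab notes): a small model of HSRP active
# election with object/interface tracking, replayed against the priorities
# this page records for VLAN101 and VLAN102 on DSW1_3750 / DSW2_3750.
# Assumptions: default priority 100, default track decrement 10, ties between
# equal effective priorities broken by the higher interface IP address, and a
# preempting router takes over only with a strictly higher effective priority.
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, Optional, Set

DEFAULT_PRIORITY = 100
DEFAULT_DECREMENT = 10   # IOS subtracts 10 when no decrement is configured


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = DEFAULT_PRIORITY
    preempt: bool = True
    # tracked object -> decrement; None means the default decrement of 10
    tracks: Dict[str, Optional[int]] = field(default_factory=dict)

    def effective_priority(self, down: Set[str]) -> int:
        """Priority after subtracting the decrement of every tracked object that is down."""
        total = self.priority
        for obj, dec in self.tracks.items():
            if obj in down:
                total -= DEFAULT_DECREMENT if dec is None else dec
        return max(total, 0)


def elect_active(routers, down_by_router: Dict[str, Set[str]], current_active=None):
    """Return the name of the active router for one HSRP group.

    down_by_router maps a router name to the set of its tracked objects that
    are currently down. A current active router keeps the role unless another
    router has preempt and a strictly higher effective priority; equal
    priorities cause no switchover, as observed in the lab.
    """
    def eff(r):
        return r.effective_priority(down_by_router.get(r.name, set()))

    def rank(r):
        return (eff(r), IPv4Address(r.ip))   # higher priority, then higher IP

    best = max(routers, key=rank)
    if current_active is None:
        return best.name
    active = next(r for r in routers if r.name == current_active)
    if best.name != active.name and best.preempt and eff(best) > eff(active):
        return best.name
    return current_active


def replay_lab() -> Dict[tuple, str]:
    """Replay the page's tests: fa1/0/4 down on DSW1, then on DSW2 as well."""
    vlan101 = [  # standby 1 priority 150 / track fa1/0/4 55 on DSW1
        HsrpRouter("DSW1", "172.16.101.2", priority=150, tracks={"fa1/0/4": 55}),
        HsrpRouter("DSW2", "172.16.101.3", tracks={"fa1/0/4": None}),
    ]
    vlan102 = [  # standby 2 priority 150 / track fa1/0/4 60 on DSW2
        HsrpRouter("DSW1", "172.16.102.2", tracks={"fa1/0/4": None}),
        HsrpRouter("DSW2", "172.16.102.3", priority=150, tracks={"fa1/0/4": 60}),
    ]
    steps = [
        ("all_up", {}),
        ("dsw1_fa1/0/4_down", {"DSW1": {"fa1/0/4"}}),
        ("both_fa1/0/4_down", {"DSW1": {"fa1/0/4"}, "DSW2": {"fa1/0/4"}}),
    ]
    results = {}
    for group_name, group in (("vlan101", vlan101), ("vlan102", vlan102)):
        active = None
        for step, down in steps:
            active = elect_active(group, down, active)
            results[(group_name, step)] = active
    return results


if __name__ == "__main__":
    for key, active in replay_lab().items():
        print(key, "->", active)
```

The VLAN102 result for the final step (both routers at 90, DSW2 stays Active) is the "equal priorities, no switchover" case from the second note.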


■Configuration applied to DSW1_3750
conf t
!
ip routing
!
vlan 101-103
vlan 1
shutdown
!
spanning-tree vlan 101-103
spanning-tree vlan 102 priority 4096
spanning-tree vlan 101,103 priority 8192
!
int fa1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
int fa1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
int fa1/0/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
int fa1/0/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
int vlan1
shutdown
!
int vlan101
ip address 172.16.101.3 255.255.255.0
standby 1 ip 172.16.101.1
standby 1 preempt
standby 1 track fa1/0/4
standby 1 authentication CCNP_101
no shut
!
int vlan102
ip address 172.16.102.3 255.255.255.0
standby 2 ip 172.16.102.1
standby 2 priority 150
standby 2 preempt
standby 2 track fa1/0/4 60
standby 2 authentication CCNP_102
no shut
!
int vlan103
ip address 172.16.103.3 255.255.255.0
standby 3 ip 172.16.103.1
standby 3 preempt
standby 3 track fa1/0/4
standby 3 authentication CCNP_103
no shut
!
end


■Configuration applied to DSW2_3750
conf t
!
ip routing
!
vlan 101-103
vlan 1
shutdown
!
spanning-tree vlan 101-103
spanning-tree vlan 102 priority 4096
spanning-tree vlan 101,103 priority 8192
!
int fa1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
int fa1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
int fa1/0/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
int fa1/0/4
switchport trunk encapsulation dot1q
switchport mode trunk
!
int vlan1
shutdown
!
int vlan101
ip address 172.16.101.3 255.255.255.0
standby 1 ip 172.16.101.1
standby 1 preempt
standby 1 track fa1/0/4
standby 1 authentication CCNP_101
no shut
!
int vlan102
ip address 172.16.102.3 255.255.255.0
standby 2 ip 172.16.102.1
standby 2 priority 150
standby 2 preempt
standby 2 track fa1/0/4 60
standby 2 authentication CCNP_102
no shut
!
int vlan103
ip address 172.16.103.3 255.255.255.0
standby 3 ip 172.16.103.1
standby 3 preempt
standby 3 track fa1/0/4
standby 3 authentication CCNP_103
no shut
!
end


■Configuration applied to DSW3_3560
conf t
!
vlan 101-103
!
int fa0/1
switchport trunk encapsulation dot1q
switchport mode trunk
!
int fa0/2
switchport trunk encapsulation dot1q
switchport mode trunk
!
int vlan101
no shut
!
int vlan102
no shut
!
int vlan103
no shut
!
end


■Configuration applied to SW1
conf t
!
vlan 101,102,103
!
int fa0/1
switchport mode trunk
!
int fa0/2
switchport mode trunk
!
int fa0/3
switchport mode access
switchport access vlan 101
!
end


■Configuration applied to SW2
conf t
!
vlan 101,102,103
!
int fa0/1
switchport mode trunk
!
int fa0/2
switchport mode trunk
!
int fa0/3
switchport mode access
switchport access vlan 103
!
end


■Test 1: Unplug fa1/0/4 on DSW1_3750
■Before unplugging
DSW1_3750#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl101 1 150 P Active local 172.16.101.3 172.16.101.1
Vl102 2 100 P Standby 172.16.102.3 local 172.16.102.1
Vl103 3 150 P Active local 172.16.103.3 172.16.103.1


■After unplugging
⇒VLAN101 Active switches to Standby

DSW1_3750#
*Mar 1 00:59:46.574: %TRACKING-5-STATE: 1 interface Fa1/0/4 line-protocol Up->Down
*Mar 1 00:59:47.287: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to down
*Mar 1 00:59:48.310: %LINK-3-UPDOWN: Interface FastEthernet1/0/4, changed state to down
*Mar 1 00:59:49.258: %HSRP-5-STATECHANGE: Vlan101 Grp 1 state Active -> Speak
*Mar 1 00:59:59.442: %HSRP-5-STATECHANGE: Vlan101 Grp 1 state Speak -> Standby
DSW1_3750#
DSW1_3750#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl101 1 95 P Standby 172.16.101.3 local 172.16.101.1
Vl102 2 90 P Standby 172.16.102.3 local 172.16.102.1
Vl103 3 100 P Active local 172.16.103.3 172.16.103.1


■Test 2: Unplug fa1/0/4 on DSW2_3750
■After unplugging
⇒VLAN101 Standby switches back to Active (failback)

DSW1_3750#
*Mar 1 01:01:23.907: %HSRP-5-STATECHANGE: Vlan101 Grp 1 state Standby -> Active
*Mar 1 01:01:24.813: %HSRP-5-STATECHANGE: Vlan102 Grp 2 state Standby -> Active
*Mar 1 01:01:46.665: %HSRP-5-STATECHANGE: Vlan102 Grp 2 state Active -> Speak
*Mar 1 01:01:58.300: %HSRP-5-STATECHANGE: Vlan102 Grp 2 state Speak -> Standby
DSW1_3750#
DSW1_3750#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl101 1 95 P Active local 172.16.101.3 172.16.101.1
Vl102 2 90 P Standby 172.16.102.3 local 172.16.102.1
Vl103 3 100 P Active local 172.16.103.3 172.16.103.1
DSW1_3750#


SW1_2950#sh spanning-tree

VLAN0101
Spanning tree enabled protocol ieee
Root ID Priority 4197
Address 0013.6030.3a80
Cost 38
Port 2 (FastEthernet0/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32869 (priority 32768 sys-id-ext 101)
Address 000d.2903.e680
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/2 Root FWD 19 128.2 P2p
Fa0/3 Desg FWD 19 128.3 P2p


SW2_2950#sh spanning-tree

VLAN0101
Spanning tree enabled protocol ieee
Root ID Priority 4197
Address 0013.6030.3a80
Cost 19
Port 2 (FastEthernet0/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32869 (priority 32768 sys-id-ext 101)
Address 000a.8a84.6ec0
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/1 Altn BLK 19 128.1 P2p
Fa0/2 Root FWD 19 128.2 P2p
Fa0/3 Desg FWD 19 128.3 Edge P2p

Only unicast traffic can be protected by IPsec.
When packets are encapsulated with GRE (Generic Routing Encapsulation), they become unicast packets.
The IPsec interesting traffic is therefore defined as the GRE traffic itself.
 (access-list 150 permit gre host 192.168.2.1 host 192.168.2.2)
All traffic carried through the GRE tunnel (routing updates as well as ordinary unicast traffic) is encrypted by IPsec.

■R1_3620
conf t
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.2.2
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map IPSecVPN 10 ipsec-isakmp
set peer 192.168.2.2
set transform-set IPSEC
match address 150
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
ip ospf network point-to-point
!
interface tunnel0
ip address 192.168.4.1 255.255.255.0
tunnel source 192.168.2.1
tunnel destination 192.168.2.2
crypto map IPSecVPN
!
interface Serial1/0
ip address 192.168.2.1 255.255.255.0
clockrate 64000
crypto map IPSecVPN
no shut
!
router ospf 1
network 192.168.1.0 0.0.0.255 area 0
network 192.168.4.0 0.0.0.255 area 0
!
access-list 150 permit gre host 192.168.2.1 host 192.168.2.2
!
end


■R2_3620
conf t
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.2.1
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map IPSecVPN 10 ipsec-isakmp
set peer 192.168.2.1
set transform-set IPSEC
match address 150
!
interface Loopback0
ip address 192.168.3.1 255.255.255.0
ip ospf network point-to-point
!
interface tunnel0
ip address 192.168.4.2 255.255.255.0
tunnel source 192.168.2.2
tunnel destination 192.168.2.1
crypto map IPSecVPN
!
interface Serial1/0
ip address 192.168.2.2 255.255.255.0
crypto map IPSecVPN
no shut
!
router ospf 1
network 192.168.3.0 0.0.0.255 area 0
network 192.168.4.0 0.0.0.255 area 0
!
access-list 150 permit gre host 192.168.2.2 host 192.168.2.1
!
end


■Check the state of the tunnel0 interface
R1_3620#sh int tunnel0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.4.1/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 192.168.2.1, destination 192.168.2.2
Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
Checksumming of packets disabled, fast tunneling enabled
Last input 00:00:04, output 00:00:07, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
18 packets input, 1712 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
19 packets output, 1764 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out


■Check a summary of the ISAKMP SA and IPsec SAs.
R1_3620#show crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
1 set HMAC_SHA+3DES_56_C 0 0
2000 Tunnel0 192.168.4.1 set HMAC_SHA+3DES_56_C 0 20
2001 Tunnel0 192.168.4.1 set HMAC_SHA+3DES_56_C 20 0


■Check R1's routing table
 ・The route to 192.168.3.0/24 is advertised by the router at the far end of the tunnel0 interface.
R1_3620#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.4.0/24 is directly connected, Tunnel0
C 192.168.1.0/24 is directly connected, Loopback0
C 192.168.2.0/24 is directly connected, Serial1/0
O 192.168.3.0/24 [110/11112] via 192.168.4.2, 00:01:32, Tunnel0

When IPsec is combined with NAT, the IPsec interesting traffic is defined using the post-NAT (translated) addresses.
 (the trigger is defined by access-list 150 permit ip host 1.1.1.1 10.1.2.0 0.0.0.255)
・Order of operations on a Cisco router
 (1) NAT address translation
 (2) IPsec processing begins on the translated addresses
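The NAT-before-IPsec order above, and the GRE passage earlier (multicast routing updates only match the crypto ACL once they are GRE-encapsulated into unicast), are modelled in this added Python example, which is not part of the lab notes. It implements Cisco wildcard-mask matching and replays the page's access-list 150 entries; the "pre-NAT" ACL is a constructed counter-example showing why the untranslated 10.1.1.0/24 source would leave the traffic unencrypted.

```python
# Added example (not from the lab notes): a model of the outbound order IOS
# applies on a crypto-mapped interface, NAT first and then the crypto ACL,
# with Cisco wildcard-mask matching, replayed on this page's ACLs.
# The ACL entries and addresses come from the page's R1_3620 configurations;
# the "pre_nat_acl" entry is constructed here as the wrong way to write it.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

ALL_BITS = 0xFFFFFFFF


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ALL_BITS ^ w
    return (a & care) == (b & care)


@dataclass
class Ace:
    proto: str      # "ip" matches every protocol, otherwise exact (icmp, gre, ...)
    src: str
    src_wc: str     # "host x" is wildcard 0.0.0.0, "any" is 0.0.0.0 255.255.255.255
    dst: str
    dst_wc: str

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "ip" or self.proto == pkt["proto"])
                and wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc))


def acl_permits(acl: List[Ace], pkt: dict) -> bool:
    """First matching permit entry wins; the implicit deny covers the rest."""
    return any(ace.matches(pkt) for ace in acl)


def gre_encapsulate(inner: dict, tunnel_src: str, tunnel_dst: str) -> dict:
    """A multicast OSPF hello sent over the tunnel becomes a unicast GRE packet."""
    return {"proto": "gre", "src": tunnel_src, "dst": tunnel_dst, "inner": inner}


def outbound_pipeline(pkt: dict, nat_acl: Optional[List[Ace]],
                      nat_outside_ip: Optional[str], crypto_acl: List[Ace]) -> Tuple[str, bool]:
    """Return (source address on the wire, encrypted?) for a packet leaving the
    outside interface: inside->outside NAT is applied before the crypto map
    evaluates its 'match address' ACL."""
    wire = dict(pkt)
    if nat_acl is not None and acl_permits(nat_acl, pkt):
        wire["src"] = nat_outside_ip           # ip nat inside source ... overload
    return wire["src"], acl_permits(crypto_acl, wire)


def lab_results() -> Dict[str, Tuple[str, bool]]:
    nat_acl = [Ace("ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")]  # access-list 1 permit any
    post_nat_acl = [Ace("ip", "1.1.1.1", "0.0.0.0", "10.1.2.0", "0.0.0.255")]    # page's access-list 150
    pre_nat_acl = [Ace("ip", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")]  # constructed: wrong with NAT
    gre_acl = [Ace("gre", "192.168.2.1", "0.0.0.0", "192.168.2.2", "0.0.0.0")]   # GRE-over-IPsec ACL 150
    ping = {"proto": "icmp", "src": "10.1.1.1", "dst": "10.1.2.1"}              # the page's extended ping
    ospf_hello = {"proto": "ospf", "src": "192.168.4.1", "dst": "224.0.0.5"}     # multicast inside the tunnel
    return {
        "nat_then_post_nat_acl": outbound_pipeline(ping, nat_acl, "1.1.1.1", post_nat_acl),
        "nat_then_pre_nat_acl": outbound_pipeline(ping, nat_acl, "1.1.1.1", pre_nat_acl),
        "ospf_hello_without_gre": outbound_pipeline(ospf_hello, None, None, gre_acl),
        "ospf_hello_in_gre": outbound_pipeline(
            gre_encapsulate(ospf_hello, "192.168.2.1", "192.168.2.2"), None, None, gre_acl),
    }


if __name__ == "__main__":
    for case, (src, encrypted) in lab_results().items():
        print(f"{case}: src={src} encrypted={encrypted}")
```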

■R1_3620
conf t
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.2
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map IPSecVPN 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set IPSEC
match address 150
!
interface fastethernet 0/0
ip address 10.1.1.254 255.255.255.0
ip nat inside
no shut
!
interface Serial1/0
ip address 1.1.1.1 255.255.255.0
ip nat outside
clockrate 64000
crypto map IPSecVPN
no shut
!
exit
!
ip nat inside source list 1 interface Serial1/0 overload
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
access-list 1 permit any
access-list 150 permit ip host 1.1.1.1 10.1.2.0 0.0.0.255
!
end


■R2_3620
conf t
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map IPSecVPN 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set IPSEC
match address 150
!
interface Loopback0
ip address 10.1.2.1 255.255.255.0
!
interface Serial1/0
ip address 1.1.1.2 255.255.255.0
crypto map IPSecVPN
no shut
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
access-list 150 permit ip 10.1.2.0 0.0.0.255 host 1.1.1.1
!
end


■Display the NAT translation table
R1_3620#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 1.1.1.1:30476 10.1.1.1:30476 10.1.2.1:30476 10.1.2.1:30476


Check the IPsec SA
R1_3620#sh crypto ipsec sa

interface: Serial1/0
Crypto map tag: IPSecVPN, local addr. 1.1.1.1

local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1933, #pkts encrypt: 1933, #pkts digest 1933
#pkts decaps: 1933, #pkts decrypt: 1933, #pkts verify 1933
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu interface Serial1/0
current outbound spi: 4E9CAA3E

inbound esp sas:
spi: 0xF21A2B7C(4061801340)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: IPSecVPN
sa timing: remaining key lifetime (k/sec): (4607743/1626)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x4E9CAA3E(1318890046)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: IPSecVPN
sa timing: remaining key lifetime (k/sec): (4607743/1625)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:

■R1_3620
conf t
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.2
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map IPSecVPN 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set IPSEC
match address 150
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Serial1/0
ip address 1.1.1.1 255.255.255.0
clockrate 64000
crypto map IPSecVPN
no shut
!
ip route 0.0.0.0 0.0.0.0 1.1.1.2
!
access-list 150 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
end


■R2_3620
conf t
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map IPSecVPN 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set IPSEC
match address 150
!
interface Loopback0
ip address 10.1.2.1 255.255.255.0
!
interface Serial1/0
ip address 1.1.1.2 255.255.255.0
crypto map IPSecVPN
no shut
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
access-list 150 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
end


■Check the ISAKMP policy
R1_3620#show crypto isakmp policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit


Check the IPsec transform set
R1_3620#show crypto ipsec transform-set
Transform set IPSEC: { esp-3des esp-sha-hmac }
will negotiate = { Tunnel, },


■Check the ISAKMP SA
R1_3620#sh crypto isakmp sa
dst src state conn-id slot


Check the IPsec SA
R1_3620#sh crypto ipsec sa

interface: Serial1/0
Crypto map tag: IPSecVPN, local addr. 1.1.1.1

local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu interface Serial1/0
current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:


Start the IPsec traffic
Extended ping to the destination address 10.1.2.1
・Specify 10.1.1.1 as the source address of the extended ping
This matches access-list 150 and triggers the IPsec session
R1_3620#ping
Protocol [ip]:
Target IP address: 10.1.2.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 52/52/52 ms


■Check the ISAKMP SA
R1_3620#sh crypto isakmp sa
dst src state conn-id slot
1.1.1.2 1.1.1.1 QM_IDLE 1 0


Check the IPsec SA
R1_3620#sh crypto ipsec sa

interface: Serial1/0
Crypto map tag: IPSecVPN, local addr. 1.1.1.1

local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu interface Serial1/0
current outbound spi: EBD281CD

inbound esp sas:
spi: 0xAB940552(2878604626)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: IPSecVPN
sa timing: remaining key lifetime (k/sec): (4607999/3558)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xEBD281CD(3956441549)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: IPSecVPN
sa timing: remaining key lifetime (k/sec): (4607999/3558)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:


■Check a summary of the ISAKMP SA and IPsec SAs.
・Line 1 (ID 1) is the ISAKMP SA
・Line 2 (ID 2000) is the IPsec SA (inbound)
・Line 3 (ID 2001) is the IPsec SA (outbound)

R1_3620#sh crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
1 set HMAC_SHA+3DES_56_C 0 0
2000 Serial1/0 1.1.1.1 set HMAC_SHA+3DES_56_C 0 4
2001 Serial1/0 1.1.1.1 set HMAC_SHA+3DES_56_C 4 0


■Check a summary of the ISAKMP SA and IPsec SAs.
・Line 1 (ID 1) is the ISAKMP SA
・Line 2 (ID 2000) is the IPsec SA (inbound)
・Line 3 (ID 2001) is the IPsec SA (outbound)

R2_3620#sh crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Serial1/0 1.1.1.2 set HMAC_SHA+3DES_56_C 0 0
2000 Serial1/0 1.1.1.2 set HMAC_SHA+3DES_56_C 0 4
2001 Serial1/0 1.1.1.2 set HMAC_SHA+3DES_56_C 4 0


■R3_3640A
conf t
!
ipv6 unicast-routing
!
interface Tunnel1
tunnel source fa0/0
tunnel mode ipv6ip auto-tunnel
!
interface Loopback0
ipv6 address 2001:1:1:1::1/64
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
no shut
!
ipv6 route 2001:2:2:2::/64 tunnel1 ::192.168.1.2
!
end


■R4_3640
conf t
!
ipv6 unicast-routing
!
interface Tunnel1
tunnel source fa0/0
tunnel mode ipv6ip auto-tunnel
!
interface Loopback0
ipv6 address 2001:2:2:2::2/64
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
no shut
!
ipv6 route 2001:1:1:1::/64 tunnel1 ::192.168.1.1
!
end


■View the interface state of the auto tunnel
R3_3640A#sh ipv6 int tunnel1
Tunnel1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::C0A8:101
Global unicast address(es):
::192.168.1.1, subnet is ::/96 [NEG]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FFA8:101
MTU is 1480 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is not supported
ND reachable time is 30000 milliseconds
Hosts use stateless autoconfig for addresses.
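The addresses in the output above follow from the IPv4-compatible tunnel endpoint. This added Python example, not part of the lab notes, derives the link-local address, the solicited-node multicast group and the IPv4 tunnel destination that an automatic tunnel takes from an IPv4-compatible next hop such as ::192.168.1.2; it assumes, as the output shows, that both addresses are built from the low 32 bits of the ::/96 address.

```python
# Added example (not from the lab notes): how the IPv6 automatic
# (IPv4-compatible) tunnel on R3_3640A derives its addresses, written to
# reproduce the values shown by "show ipv6 interface tunnel1".
# Assumption: the tunnel's link-local and solicited-node addresses are formed
# from the low 32 bits of the IPv4-compatible address, as the output shows.
from ipaddress import IPv4Address, IPv6Address
from typing import Optional


def ipv4_compatible(ipv4: str) -> IPv6Address:
    """::a.b.c.d, the IPv4-compatible IPv6 address of a tunnel endpoint."""
    return IPv6Address(int(IPv4Address(ipv4)))


def embedded_ipv4(addr: str) -> Optional[str]:
    """The IPv4 tunnel destination an auto-tunnel takes from an IPv4-compatible
    next hop; None when the address is outside ::/96 (or is :: or ::1)."""
    v = int(IPv6Address(addr))
    if v >> 32 != 0 or v in (0, 1):
        return None
    return str(IPv4Address(v & 0xFFFFFFFF))


def auto_tunnel_link_local(ipv4: str) -> str:
    """FE80:: with the IPv4 address in the low 32 bits, e.g. FE80::C0A8:101."""
    return str(IPv6Address((0xFE80 << 112) | int(IPv4Address(ipv4)))).upper()


def solicited_node(addr: str) -> str:
    """FF02::1:FF00:0/104 plus the low 24 bits of the unicast address."""
    low24 = int(IPv6Address(addr)) & 0xFFFFFF
    return str(IPv6Address(int(IPv6Address("ff02::1:ff00:0")) | low24)).upper()


def auto_tunnel_view(local_ipv4: str, route_next_hop: str) -> dict:
    """Reproduce what the tunnel interface output and the static route imply:
    for 'ipv6 route 2001:2:2:2::/64 tunnel1 ::192.168.1.2', the IPv4 packet
    carrying the tunnelled IPv6 datagram goes to the embedded 192.168.1.2."""
    local = ipv4_compatible(local_ipv4)
    return {
        "link_local": auto_tunnel_link_local(local_ipv4),
        "solicited_node": solicited_node(str(local)),
        "tunnel_destination": embedded_ipv4(route_next_hop),
    }


if __name__ == "__main__":
    for name, value in auto_tunnel_view("192.168.1.1", "::192.168.1.2").items():
        print(f"{name}: {value}")
```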


■Check R3's routing table
R3_3640A#sh ipv6 route
IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C ::/96 [0/0]
via ::, Tunnel1
L ::192.168.1.1/128 [0/0]
via ::, Tunnel1
C 2001:1:1:1::/64 [0/0]
via ::, Loopback0
L 2001:1:1:1::1/128 [0/0]
via ::, Loopback0
S 2001:2:2:2::/64 [1/0]
via ::192.168.1.2, Tunnel1
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0


■Ping the IPv6 prefix on the far-end router
R3_3640A#ping 2001:2:2:2::2 source 2001:1:1:1::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:2:2:2::2, timeout is 2 seconds:
Packet sent with a source address of 2001:1:1:1::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/3/4 ms