1. GRE

1.1. Topology

The following setup is used to verify the configuration. R1 is assumed to be Site A and R3 and R4 to be Site B; the goal is to connect Site A to Site B.

         e0/1+--------+e0/0  e0/1+--------+e0/0  eth0+--------+eth1  e0/1+--------+e0/0
           .1| Cisco | .1      .2| Cisco | .2      .3| Vyatta| .3      .4| Cisco | .4
     --------+   R1   +----------+   R2   +----------+   R3   +----------+   R4   +--------
             | Site A|           |       |           | Site B|           | Site B| 
             +--------+          +--------+          +--------+          +--------+
192.168.1.0/24       155.1.12.0/24       155.1.23.0/24       192.168.34.0/24     192.168.4.0/24

             Loopback 0          Loopback 0          Loopback 0          Loopback 0
            10.1.1.1/32         150.1.2.2/32         10.3.3.3/32         10.4.4.4/32

The Dynagen configuration file is as follows.

autostart = False
[localhost:7200]
  
  [[3640]]
    image = \Program Files (x86)\Dynamips\images\C3640-A3.bin
    #image = \Program Files (x86)\Dynamips\images\c3640-ik9o3s-mz.124-25.bin
    ghostios = True
    sparsemem = True
  
  [[ROUTER R1]]
    e0/0 = R2 e0/1
    model = 3640

  [[ROUTER R2]]
    # e0/0 connects to the VMware Network Adapter8 and the Vyatta eth0
    e0/0 = NIO_gen_eth:\Device\NPF_{5560025C-69A7-4B85-A3B5-344E38BEF9F5}
    model = 3640

  [[ROUTER R4]]
    # e0/1 connects to the VMware Network Adapter1 and the Vyatta eth1
    e0/1 = NIO_gen_eth:\Device\NPF_{7076E6CC-AAE0-4743-BC38-3A524C7F6787}
    model = 3640

The initial IP address and routing configuration is as follows.

 [R1]
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface Ethernet0/0
 ip address 155.1.12.1 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 half-duplex
 no keepalive
!
ip route 0.0.0.0 0.0.0.0 155.1.12.2

 [R2]
interface Loopback0
 ip address 150.1.2.2 255.255.255.255
!
interface Ethernet0/0
 ip address 155.1.23.2 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 155.1.12.2 255.255.255.0
 half-duplex

 [R3]
vyatta@R3:~$ show configuration
interfaces {
    ethernet eth0 {
        address 155.1.23.3/24
        duplex auto
        hw-id 00:0c:29:4b:ac:d3
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.34.3/24
        duplex auto
        hw-id 00:0c:29:4b:ac:dd
        smp_affinity auto
        speed auto
    }
    loopback lo {
        address 10.3.3.3/32
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 155.1.23.2 {
            }
        }
    }
}

 [R4]
interface Loopback0
 ip address 10.4.4.4 255.255.255.255
!
interface Ethernet0/0
 ip address 192.168.4.4 255.255.255.0
 half-duplex
 no keepalive
!
interface Ethernet0/1
 ip address 192.168.34.4 255.255.255.0
 half-duplex

1.2. GRE tunnel

Create a GRE tunnel connecting Site A and Site B as shown below.

         e0/1+--------+tun13                    tun13+--------+eth1  e0/1+--------+e0/0
           .1| Cisco | .1                          .3| Vyatta| .3      .4| Cisco | .4
     --------+   R1   +------------------------------+   R3   +----------+   R4   +--------
             | Site A|                               | Site B|           | Site B| 
             +--------+                              +--------+          +--------+
192.168.1.0/24                 192.168.13.0/24               192.168.34.0/24     192.168.4.0/24

             Loopback 0          Loopback 0          Loopback 0          Loopback 0
            10.1.1.1/32         150.1.2.2/32         10.3.3.3/32         10.4.4.4/32

Apply the following configuration on R1 and R3.

 [R1]
interface Tunnel13
 ip address 192.168.13.1 255.255.255.0
 tunnel source 155.1.12.1
 tunnel destination 155.1.23.3
end

 [R3]
interfaces {

    <omitted>

    }
    tunnel tun13 {
        address 192.168.13.3/24
        encapsulation gre
        local-ip 155.1.23.3
        remote-ip 155.1.12.1
    }
}

Confirm that R1 and R3 can reach each other through the tunnel.

R1#ping 192.168.13.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/57/104 ms
R1#
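To make visible what the tunnel configured above actually puts on the wire, here is an added example (not code from the page or from Cisco/Vyatta) that encapsulates an IPv4 packet in GRE (RFC 2784, optional key from RFC 2890) and decapsulates it again. The outer addresses are the tunnel source/destination from the R1 and R3 configurations; the inner hosts 192.168.1.10 and 192.168.4.40, the ICMP payload and the key value 13 are constructed. The point for a filter on the underlay (R1 e0/0, R3 eth0) is that it only ever sees the outer header with IP protocol 47; the inner addresses are invisible to it, and nothing in GRE authenticates the peer or protects the payload.

```python
"""GRE (RFC 2784, key extension RFC 2890) encapsulation in pure Python.

Added example, not part of the lab page. The inner packet, the payload bytes
and the key value are constructed; the outer addresses are the "tunnel
source" / "tunnel destination" (local-ip / remote-ip) from the R1/R3 configs.
"""
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple

IPPROTO_GRE = 47          # IP protocol number that "permit gre" / "protocol gre" match on
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
GRE_C, GRE_K, GRE_S, GRE_VER = 0x8000, 0x2000, 0x1000, 0x0007


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no fragmentation) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Validate version, length and checksum; return the fields a filter sees plus the payload."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 packet")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def gre_encapsulate(inner: bytes, key: Optional[int] = None) -> bytes:
    """Prepend a GRE header. The optional key travels in clear text: it selects a
    tunnel, it does not authenticate the peer or protect the payload."""
    flags, opt = 0, b""
    if key is not None:
        flags |= GRE_K
        opt = struct.pack("!I", key)
    return struct.pack("!HH", flags, ETHERTYPE_IPV4) + opt + inner


def gre_decapsulate(gre: bytes) -> Tuple[int, Optional[int], bytes]:
    """Return (protocol type, key or None, payload), skipping the optional fields."""
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & GRE_VER:
        raise ValueError("unsupported GRE version")
    offset, key = 4, None
    if flags & GRE_C:                      # checksum + reserved1
        offset += 4
    if flags & GRE_K:
        key = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_S:                      # sequence number
        offset += 4
    return proto, key, gre[offset:]


def tunnel_roundtrip(key: Optional[int] = None) -> dict:
    """Encapsulate a Site A -> Site B packet as R1 would, then decapsulate it as R3 would."""
    # Constructed inner packet: ICMP echo request (proto 1) from a Site A host to a Site B host.
    icmp_echo = b"\x08\x00\xf7\xff\x00\x00\x00\x00"
    inner = build_ipv4("192.168.1.10", "192.168.4.40", 1, icmp_echo)
    # Outer header: tunnel source / destination from the lab. A filter on the
    # underlay (R1 e0/0, R3 eth0) only ever sees this header and protocol 47.
    outer = build_ipv4("155.1.12.1", "155.1.23.3", IPPROTO_GRE, gre_encapsulate(inner, key))
    o = parse_ipv4(outer)
    proto, seen_key, decapped = gre_decapsulate(o["payload"])
    i = parse_ipv4(decapped)
    return {"outer_proto": o["proto"], "gre_proto": proto, "key": seen_key,
            "inner_src": i["src"], "inner_dst": i["dst"],
            "overhead": len(outer) - len(inner), "roundtrip_ok": decapped == inner}


if __name__ == "__main__":
    print(tunnel_roundtrip())
    print(tunnel_roundtrip(key=13))
```

The 24-byte overhead (20-byte outer IPv4 header plus the 4-byte GRE header, 28 with a key) is what reduces the usable MTU on Tunnel13 compared to the Ethernet underlay, and the decapsulation step shows why the firewall section below has to admit protocol 47 to the router itself rather than to any inner address.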

1.3. OSPF over the GRE tunnel

Configure OSPF across the tunnel. Apply the following configuration on each router.

 [R1]
router ospf 1
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel13
 network 10.1.1.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0
 network 192.168.13.1 0.0.0.0 area 0

 [R3]
protocols {
    ospf {
        area 0 {
            network 192.168.13.0/24
            network 10.3.3.3/32
            network 192.168.34.0/24
        }
    }
}

 [R4]
router ospf 1
 log-adjacency-changes
 passive-interface default
 no passive-interface Ethernet0/1
 network 10.4.4.4 0.0.0.0 area 0
 network 192.168.4.4 0.0.0.0 area 0
 network 192.168.34.4 0.0.0.0 area 0

Confirm that routes have actually been exchanged via OSPF.

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 155.1.12.2 to network 0.0.0.0

C    192.168.13.0/24 is directly connected, Tunnel13
     155.1.0.0/24 is subnetted, 1 subnets
C       155.1.12.0 is directly connected, Ethernet0/0
O    192.168.4.0/24 [110/11131] via 192.168.13.3, 00:00:00, Tunnel13
     10.0.0.0/32 is subnetted, 3 subnets
O       10.3.3.3 [110/11121] via 192.168.13.3, 00:00:00, Tunnel13
C       10.1.1.1 is directly connected, Loopback0
O       10.4.4.4 [110/11122] via 192.168.13.3, 00:00:00, Tunnel13
O    192.168.34.0/24 [110/11121] via 192.168.13.3, 00:00:00, Tunnel13
C    192.168.1.0/24 is directly connected, Ethernet0/1
S*   0.0.0.0/0 [1/0] via 155.1.12.2
R1#

1.4. firewall ACL

When connecting sites this way, access from the Internet is usually denied to improve security. Let us verify whether Vyatta can also define ACLs. Apply the following configuration. Note that, unlike Cisco IOS ACLs, Vyatta has three directions: in, out and local.

 [R1]
ip access-list extended UNTRUST
 10 permit gre any any
!
interface Ethernet 0/0
 ip access-group UNTRUST in

 [R3]
vyatta@R3:~$ configure
[edit]
vyatta@R3# show firewall
 name UNTRUST {
     default-action drop
     rule 10 {
         action accept
         protocol gre
     }
 }
[edit]
vyatta@R3#
vyatta@R3# show interfaces
 ethernet eth0 {
     address 155.1.23.3/24
     duplex auto
     firewall {
         in {
             name UNTRUST
         }
         local {
             name UNTRUST
         }
     }
     hw-id 00:0c:29:4b:ac:d3
     smp_affinity auto
     speed auto
 }
 ethernet eth1 {
     address 192.168.34.3/24
     duplex auto
     hw-id 00:0c:29:4b:ac:dd
     smp_affinity auto
     speed auto
 }
 loopback lo {
[edit]
vyatta@R3#

Confirm that reachability over the Internet path is blocked while reachability through the tunnel still works.

 [R1]
R1#ping 155.1.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 155.1.23.3, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
R1#
R1#ping 192.168.13.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/66/108 ms
R1#
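The in/out/local distinction mentioned above decides which chain evaluates each packet, and the two pings only make sense once that is clear. The following added example (not Vyatta or IOS code) models the UNTRUST ruleset from the page as a small policy engine: a Vyatta-style router picks the "local" chain for traffic addressed to the router itself and the "in" chain for forwarded traffic, while an IOS-style router applies its single inbound ACL to both. Interface names, addresses and the ruleset are taken from the page; the packets are constructed to reproduce the two pings plus two extra cases (an Internet host aiming at a Site B address, and the same ping test against R1's IOS ACL).

```python
"""Model of the UNTRUST policy from this lab, evaluated in the three Vyatta
directions (in, local, out) and in IOS style, where one inbound ACL covers
both transit and router-bound traffic.

Added example, not Vyatta or IOS code. Interface names, addresses and the
ruleset come from the page; the packets are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "gre", "icmp", "tcp", ...


@dataclass
class Rule:
    action: str                          # "accept" or "drop"
    protocol: Optional[str] = None       # None matches any value
    source: Optional[str] = None
    destination: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in
                   ((self.protocol, p.proto), (self.source, p.src), (self.destination, p.dst)))


@dataclass
class RuleSet:
    name: str
    rules: List[Rule]
    default_action: str = "drop"         # Vyatta default-action / IOS implicit deny

    def evaluate(self, p: Packet) -> str:
        for r in self.rules:             # first match wins on both platforms
            if r.matches(p):
                return r.action
        return self.default_action


@dataclass
class Interface:
    addresses: Set[str]
    firewall: Dict[str, RuleSet] = field(default_factory=dict)   # keys: in / local / out


@dataclass
class Router:
    name: str
    interfaces: Dict[str, Interface]
    ios_style: bool = False   # IOS: "ip access-group ... in" also filters traffic for the router itself

    def receive(self, ingress: str, p: Packet, egress: Optional[str] = None) -> str:
        """Return 'accept', or 'drop (<interface> <chain>)' naming the chain that dropped it."""
        to_self = any(p.dst in i.addresses for i in self.interfaces.values())
        chain = "local" if (to_self and not self.ios_style) else "in"
        rs = self.interfaces[ingress].firewall.get(chain)
        if rs and rs.evaluate(p) == "drop":
            return f"drop ({ingress} {chain})"
        if not to_self and egress:
            out = self.interfaces[egress].firewall.get("out")
            if out and out.evaluate(p) == "drop":
                return f"drop ({egress} out)"
        return "accept"


# name UNTRUST { default-action drop; rule 10 { action accept; protocol gre } }
UNTRUST = RuleSet("UNTRUST", [Rule("accept", protocol="gre")], default_action="drop")

R3 = Router("R3", {
    "eth0": Interface({"155.1.23.3"}, {"in": UNTRUST, "local": UNTRUST}),
    "eth1": Interface({"192.168.34.3"}),
    "tun13": Interface({"192.168.13.3"}),       # no firewall bound to the tunnel interface
    "lo": Interface({"10.3.3.3"}),
})

R1 = Router("R1", {
    "Ethernet0/0": Interface({"155.1.12.1"}, {"in": UNTRUST}),   # ip access-group UNTRUST in
    "Ethernet0/1": Interface({"192.168.1.1"}),
    "Tunnel13": Interface({"192.168.13.1"}),
}, ios_style=True)


def lab_checks() -> Dict[str, str]:
    """Constructed packets: the two pings from the page, plus transit and IOS cases."""
    return {
        # R1#ping 155.1.23.3 arrives on eth0 addressed to R3 itself -> "local" chain
        "ping_underlay": R3.receive("eth0", Packet("155.1.12.1", "155.1.23.3", "icmp")),
        # the GRE carrier of R1#ping 192.168.13.3 -> "local" chain, matched by rule 10
        "gre_outer": R3.receive("eth0", Packet("155.1.12.1", "155.1.23.3", "gre")),
        # after decapsulation the echo arrives on tun13, which has no firewall
        "ping_tunnel": R3.receive("tun13", Packet("192.168.13.1", "192.168.13.3", "icmp")),
        # an Internet host aiming at a Site B address is forwarded -> "in" chain
        "transit_to_site_b": R3.receive("eth0", Packet("155.1.12.1", "192.168.34.4", "icmp"), egress="eth1"),
        # same test on R1: IOS has no separate local chain, the inbound ACL decides
        "ios_ping_r1": R1.receive("Ethernet0/0", Packet("155.1.23.3", "155.1.12.1", "icmp")),
        "ios_gre_r1": R1.receive("Ethernet0/0", Packet("155.1.23.3", "155.1.12.1", "gre")),
    }


if __name__ == "__main__":
    for case, verdict in lab_checks().items():
        print(f"{case:20s} {verdict}")
```

Running the model reproduces the page's result: the ping to 155.1.23.3 is dropped by the local chain and the ping to 192.168.13.3 is accepted because only its GRE carrier is ever seen on eth0. The model also shows two properties of the ruleset as written: it is stateless, and rule 10 accepts GRE from any source, so GRE from an address other than the tunnel peer is accepted as well. The Rule class carries source and destination fields so that a peer-restricted variant can be evaluated the same way.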