3Com Router User Manual
Have a look at the manual 3Com Router User Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 19 3Com manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
![Page 636
632CHAPTER 43: CONFIGURING L2TP
[Router2-ipsec-proposal-l2tptrans] transform esp-new
[Router2-ipsec-proposal-l2tptrans] esp-new encryption-algorithm des
[Router2-ipsec-proposal-l2tptrans] esp-new authentication-algorithm
sha1-hmac-96
[Router2-ipsec-proposal-l2tptrans] encapsulation-mode transport
fCreate the IPSec policy, use IKE negotiation mode and configure the IKE
pre-shared-key.
[Router2] ipsec policy l2tpmap 10 isakmp
[Router2-ipsec-policy-l2tpmap-10] ike pre-shared-key l2tp_ipsec
remote...](http://img.usermanuals.tech/thumb/92/102800/w64_index.html@nav=null&now=get&message=Downloading&file=3012-635.png "Page 636
632CHAPTER 43: CONFIGURING L2TP
[Router2-ipsec-proposal-l2tptrans] transform esp-new
[Router2-ipsec-proposal-l2tptrans] esp-new encryption-algorithm des
[Router2-ipsec-proposal-l2tptrans] esp-new authentication-algorithm
sha1-hmac-96
[Router2-ipsec-proposal-l2tptrans] encapsulation-mode transport
fCreate the IPSec policy, use IKE negotiation mode and configure the IKE
pre-shared-key.
[Router2] ipsec policy l2tpmap 10 isakmp
[Router2-ipsec-policy-l2tpmap-10] ike pre-shared-key l2tp_ipsec
remote...")
![Page 646
642CHAPTER 44: CONFIGURING GRE
bConfigure the IP address of Ethernet0 interface.
[RouterA-Serial0] exit
[RouterA] interface ethernet 0
[RouterA-Ethernet0] ip address 10.110.24.1 255.255.255.0
cCreate a virtual Tunnel interface and configure the IP address, source address
and destination address.
[RouterA-Ethernet0] exit
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ip address 1.1.1.1 255.255.255.0
[RouterA-Tunnel0] source 10.1.1.1
[RouterA-Tunnel0] destination 20.1.1.2
dConfigure the routes to...](http://img.usermanuals.tech/thumb/92/102800/w64_index.html@nav=null&now=get&message=Downloading&file=3012-645.png "Page 646
642CHAPTER 44: CONFIGURING GRE
bConfigure the IP address of Ethernet0 interface.
[RouterA-Serial0] exit
[RouterA] interface ethernet 0
[RouterA-Ethernet0] ip address 10.110.24.1 255.255.255.0
cCreate a virtual Tunnel interface and configure the IP address, source address
and destination address.
[RouterA-Ethernet0] exit
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ip address 1.1.1.1 255.255.255.0
[RouterA-Tunnel0] source 10.1.1.1
[RouterA-Tunnel0] destination 20.1.1.2
dConfigure the routes to...")
GRE Protocol Overview637 GRE ServicesGRE can fulfill the following services: 1Implement the LAN protocol communication in WAN by encapsulating all kinds of LAN protocols into a WAN protocol. Figure 201 Multi-protocol local network transmitting via single-protocol backbone network In Figure 201, Group1 and Group2 are the local networks running the Novell IPX protocol. Term1 and Term2 is the local network running the IP protocol. The tunnel encapsulated by the GRE protocol is created between Router A and Router B. Thus Group1 and Group2 can communicate without affecting each other, as can Term1 and Term2. 2Enlarge the operating range of the hop-limited network, such as IPX. Figure 202 Enlarge network operating range When using RIP, if the hop count between two terminals in Figure 202 is more than 15, the two terminals cannot communicate with each other. If tunneling is used in the network, hop counts will not be incremented inside the tunnel, that is, hops can be hidden, which enlarges the operating range of the network. 3Connect some discontinuous sub-networks to establish a VPN. Figure 203 Tunnel connecting discontinuous sub-networks Internet Novell IPX Group1 IP Term 1 Novell IPX Group2 IP Term 2Tunnel Router B Router A Router r rTunnel Router RouterRouter IP networkIP network PCPCIP network Tunnel group2novel l Router Router group 1 novell IP network VLAN
638CHAPTER 44: CONFIGURING GRE The two sub-networks group1 and group2 that are running the Novell IPX protocol are in different cities. With the tunnel available, the trans-WAN VPN can be established. In addition, GRE also allows users to select and record an identification key word for the tunnel interface, a check of the encapsulated message, and the use of synchronous sequence numbers to ensure channel safety and correctness of transmission data. Encapsulation and de-encapsulation on the GRE receiving side and transmitting side increases overhead cost and the increase in data volume caused by encapsulation also increases bandwidth cost. for these reasons, GRE decreases the forwarding rate of router data to some extent. Configuring GREGRE configuration includes: ■Creating a Virtual Tunnel Interface ■Setting the Source Address of a Tunnel Interface ■Setting the Destination Address of a Tunnel Interface ■Setting the Network Address of the Tunnel Interface ■Setting the Identification Key Word of the Tunnel Interface ■Setting the Tunnel Interface to Check with Checksum ■Settng the Tunnel Interface to Synchronize the Datagram Sequence Number Creating a Virtual Tunnel InterfacePerform the following tasks in the system view. Ta b l e 687 Create Virtual Tunnel Interface By default, no virtual tunnel interface is created. Setting the Source Address of a Tunnel InterfaceAfter a tunnel interface is created, the source address of tunnel channel must be configured. The source address is the address of the physical interface where the GRE packets are transmitted. The source address and destination address of the tunnel interface uniquely identifies a channel. These configurations must be implemented at both tunnel ends, and furthermore, the source address of one end must be the destination address of another end. Perform the following settings in the tunnel interface view. Ta b l e 688 Set the Source Address of Tunnel Interface By default, no source address of the tunnel interface is configured. OperationCommand Create virtual tunnel interface and enter tunnel view.interface tunnel tunnel-number Cancel virtual tunnel interface.undo interface tunnel OperationCommand Set the source address of tunnel interface.source ip-address Delete the configured source address of tunnel the interface.undo source
Configuring GRE639
Setting the Destination
Address of a Tunnel
InterfaceAfter a tunnel interface is created, the destination address of the tunnel channel
must be configured
The destination address is the address of the physical interface where the GRE
packets are received. The source address and destination address of a tunnel
interface uniquely identifies a channel. These configurations must be done at both
tunnel ends. The source address of one end must be the destination address of the
other end.
Perform the following settings in the tunnel interface view.
Ta b l e 689 Designate the Destination Address of Tunnel Interface
By default, no destination address of the tunnel interface is configured.
Setting the Network
Address of the Tunne
l
Interface
Two private networks are interconnected by a GRE tunnel. This kind of connection
is like a virtual “direct” connection between two private networks. To establish a
direct route between these two networks, you must configure the network
address of the tunnel interface and make sure that the network addresses at both
ends of the channel are in the same network segment. Thus, the system can
produce a direct tunnel route automatically.
Perform the following settings in the tunnel interface view.
Ta b l e 690 Set the Network Address of Tunnel Interface
By default, no network address for the tunnel interface is configured.
Setting the
Identification Key Word
of the Tunnel InterfaceIt is stipulated in RFC 1701 that if the key field of the GRE header is set, the
receiving side and transmitting side check the identification key word of the
channel. Only when the set identification key words at both ends of the tunnel are
totally identical can the check pass, or the message will be discarded.
Perform the configurations in the tunnel interface view.
Ta b l e 691 Set the Identification Key Word of Tunnel Interface
OperationCommand
Designate the destination address of
tunnel interface.destination ip-address
Cancel the destination address of tunnel
interface.undo destination
OperationCommand
Set the IP address of tunnel interface.ip address { ip-address mask |
unnumbered interface-type
interface-number }
Delete the IP address of tunnel interface.undo ip address { ip-address mask |
unnumbered interface-type
interface-number }
Set the IPX address of tunnel interface.ipx network network-number
Delete the IPX address of tunnel interface.undo ipx network
OperationCommand
640CHAPTER 44: CONFIGURING GRE By default, no identification key word of the tunnel interface is configured. Setting the Tunnel Interface to Check with ChecksumIt is stipulated in RFC 1701 that if the checksum field of the GRE header is set, the checksum is valid. The transmitting side calculates the checksums of GRE header and payload. The receiving side calculates the checksum of the received message and compares it with the checksum field in the message. If the two checksums are identical, the message will be processed, otherwise it will be discarded. If only one end of the tunnel is configured to check with the checksum, the message will not be checked with checksum. Only when both ends of the tunnel are configured to check the checksum, the message will be checked with the checksum. Perform the following tasks in the tunnel interface view. Ta b l e 692 Set Tunnel Interface to Check with Checksum By default, the tunnel interface to check with the field of checksum is disabled. Settng the Tunnel Interface to Synchronize the Datagram Sequence NumberIt is stipulated in RFC 1701 that if the sequence-datagram in the GRE header is set, both the receiving side and the transmitting side will synchronize the sequence numbers. The synchronized message should be further processed, or it is discarded. With the sequence numbers, the message is unreliable but in order. The receiving end establishes sequence numbers for the message, which is received by the local end and successfully de-encapsulated. The sequence numbers are integers between 0 and 2 32–1 and the sequence number of the first packet is 0. After the channel is established, the sequence numbers is accumulated and cyclically counted. If the receiving end receives a message whose sequence number is less than or equal to that of the message received the last time, the packet will be considered illegal. If the receiving end receives an out-of-order message, the packet will be discarded automatically. Only when the synchronization mechanism to enable or disable sequence numbers is established at both ends of the tunnel, the channel can be established. Perform the following tasks in the tunnel interface view. Ta b l e 693 Set the Tunnel to Synchronize Datagram Sequence Numbers Set the identification key word of tunnel interface.gre key key-number Cancel the identification key word of tunnel interface.undo gre key OperationCommand Set tunnel interface to check with check sum.gre checksum Disable tunnel interface to check with check sum.undo gre checksum OperationCommand Set tunnel interface to synchronize sequence numbers.gre sequence-datagrams
Displaying and Debugging GRE 641 By default, the tunnel interface to synchronize datagram sequence numbers is disabled. Displaying and Debugging GRE To view the working status of the tunnel interface, use the display command in all views. Ta b l e 694 Display and Debug GRE GRE Configuration Example Application of IP-over-IP GRE VPN should be built across the WAN for the operation of Novell IPXs two subnets group1 and group2. It can be implemented by using GRE. PC A communicates with PC B in GRE tunneling mode in the Internet. Router A and Router B are two ends of the GRE tunnel, while Router C is located in the GRE tunnel. Figure 204 Networking diagram of GRE application 1Configure PC A and PC B: aConfigure the IP address of PC_A to 10.110.24.100, add a default gateway in the network attribute (i.e., default route), or use the following command in DOS mode. C:\WINDOWS> route add 0.0.0.0 mask 0.0.0.0 10.110.24.1 bConfigure the IP address of PC_B to 30.110.1.200, add a default gateway in the network attribute (i.e., default route), or use the following command in DOS mode. C:\WINDOWS> route add 0.0.0.0 mask 0.0.0.0 30.110.1.1 2Configure Router A: aConfigure the IP address of Serial0 interface. [RouterA] interface serial 0 [RouterA-Serial0] ip address 10.1.1.1 255.255.255.0 Disable tunnel interface to synchronize sequence numbers.undo gre sequence-datagrams OperationCommand Display the working status of tunnel interface.display interfaces tunnel [ tunnel-number ] Router B Router C PC APC B Router A 10.110.24.10030.110.1.200tunnel E0S0 S0 S1 S0 E0 Internet 10.110.24.1 10.1.1.220.1.1.120.1.1.210.1.1.1 30.110.1.1
642CHAPTER 44: CONFIGURING GRE bConfigure the IP address of Ethernet0 interface. [RouterA-Serial0] exit [RouterA] interface ethernet 0 [RouterA-Ethernet0] ip address 10.110.24.1 255.255.255.0 cCreate a virtual Tunnel interface and configure the IP address, source address and destination address. [RouterA-Ethernet0] exit [RouterA] interface tunnel 0 [RouterA-Tunnel0] ip address 1.1.1.1 255.255.255.0 [RouterA-Tunnel0] source 10.1.1.1 [RouterA-Tunnel0] destination 20.1.1.2 dConfigure the routes to 20.1.1.0 network and 30.110.1.0 network. [RouterA] ip route-static 20.1.1.0 255.255.255.0 serial 0 [RouterA] ip route-static 30.110.1.0 255.255.255.0 tunnel 0 3Configure Router B: aConfigure the IP address of Serial0. [RouterB] interface serial 0 [RouterB-Serial0] ip address 20.1.1.2 255.255.255.0 bConfigure the IP address of Ethernet0 interface. [RouterB-Serial0] exit [RouterB] interface ethernet 0 [RouterB-Ethernet0] ip address 30.110.1.1 255.255.255.0 cCreate a virtual Tunnel interface, and configure the IP address, source address and destination address. [RouterB-Ethernet0] exit [RouterB] interface tunnel 0 [RouterB-Tunnel0] ip address 1.1.1.2 255.255.255.0 [RouterB-Tunnel0] source 20.1.1.2 [RouterB-Tunnel0] destination 10.1.1.1 dConfigure the routes to 20.1.1.0 network and 30.110.1.0 network. [RouterB] ip route-static 10.1.1.0 255.255.255.0 Serial 0 [RouterB] ip route-static 10.110.24.0 255.255.255.0 tunnel 0 4Configure Router C: aConfigure the IP address of Serial0 interface. [RouterC] interface serial 0 [RouterC-Serial0] ip address 10.1.1.2 255.255.255.0 [RouterC-Serial0] interface serial 1 [RouterC-if-Serial1] ip address 20.1.1.1 255.255.255.0 Application of IPX-over-IP GREThe two subnets group1 and group2 that running Novell IPX protocol need to set up a virtual private network across a LAN using GRE technology.
GRE Configuration Example643 Figure 205 Networking of GRE 1Configure Router A: aActivate IPX. [RouterA] ipx enable node a.a.a bConfigure the IP address and IPX address of Ethernet0. [RouterA] interface ethernet 0 [RouterA-Ethernet0] ip address 10.1.1.1 255.255.255.0 [RouterA-Ethernet0] ipx network 1e cConfigure the IP address of Serial0 interface. [RouterA] interface serial 0 [RouterA-Serial0] ip address 192.10.1.1 255.255.255.0 dCreate a virtual tunnel interface, and configure the IP address, source address and destination address. [RouterA] interface tunnel 0 [RouterA-Tunnel0] ip address 10.1.2.1 255.255.255.0 [RouterA-Tunnel0] ipx network 1f [RouterA-Tunnel0] source 192.10.1.1 [RouterA-Tunnel0] destination 202.18.3.2 eConfigure the static route to Novell Group2. [RouterA] ipx route 31 1f.b.b.b tick 2000 hop 15 2Configure Router B: aActivate IPX. [RouterB] ipx enable node b.b.b bConfigure the IP address and IPX address of Ethernet0 interface. [RouterB] interface ethernet 0 [RouterB-Ethernet0] ip address 10.1.3.1 255.255.255.0 [RouterB-Ethernet0] ipx network 31 cConfigure the IP address of Serial0 interface. [RouterB] interface serial 0 [RouterB-Serial0] ip address 202.18.3.2 255.255.255.0 dCreate a virtual Tunnel interface, and configure the IP address, source address and destination address. [RouterB] interface tunnel 0 [RouterB-Tunnel0] ip address 10.1.2.2 255.255.255.0 [RouterB-Tunnel0] ipx network 1f [RouterB-Tunnel0] source 202.18.3.2 [RouterB-Tunnel0] destination 192.10.1.1 eConfigure the static route to Novell Group. 202.18.3.2192.10.1.1 IPX Pr ot oc ol Group1IPX Pr ot oc ol Group2 InternetRouter A Router B tunnel 1e1f 1f31
644CHAPTER 44: CONFIGURING GRE [RouterB] ipx route 1e 1f.a.a.a tick 30000 hop 15 Troubleshooting GREThe two interfaces at both ends of the tunnel are correctly configured and the ping operation is successful, but the ping operation between PC A and PC B fails. Check whether there is a route passing through the Tunnel interface, that is, on Router A, the route to 10.2.0.0/16 passes through Tunnel0 interface; on Router B, the route to 10.1.0.0/16 passes through Tunnel0 interface (it is implemented by adding a static route). Figure 206 Networking of troubleshooting GRE Router B Router C PC APC B Router A 10.1.1.110.2.1.1tunnel
X RELIABILITY Chapter 45Configuring a Standby Center Chapter 46Configuring VRRP