Learning material on Vyatta bridging 6 5r1 v01

Vyatta
Suite 200
1301 Shoreway Road
Belmont, CA 94002
vyatta.com
650 413 7200
1 888 VYATTA 1 (US and Canada)
VYATTA, INC. | Vyatta System
Bridging
REFERENCE GUIDE
COPYRIGHT
Copyright © 2005–2012 Vyatta, Inc. All rights reserved.
Vyatta reserves the right to make changes to software, hardware, and documentation without notice. For the most recent version of
documentation, visit the Vyatta website at vyatta.com.
PROPRIETARY NOTICES
Vyatta is a registered trademark of Vyatta, Inc.
Hyper-V is a registered trademark of Microsoft Corporation.
VMware, VMware ESX, and VMware server are trademarks of VMware, Inc.
XenServer, and XenCenter are trademarks of Citrix Systems, Inc.
All other trademarks are the property of their respective owners.
RELEASE DATE: October 2012
DOCUMENT REVISION. 6.5R1 v01
RELEASED WITH: 6.5.0R1
PART NO. A0-0247-10-0003
Bridging 6.5R1 v01 Vyatta
Contents
Quick List of Commands ..... v
List of Examples ..... vi
Preface ..... vii
  Intended Audience ..... viii
  Organization of This Guide ..... viii
  Document Conventions ..... ix
  Vyatta Publications ..... ix
Chapter 1 Bridging Overview ..... 1
  Layer 2 Bridging ..... 2
  RFC 1483 Bridged Ethernet ..... 2
  MTU for Bridge Groups ..... 2
Chapter 2 Bridging Configuration Examples ..... 3
  Basic Bridging Configuration ..... 4
  Bridging Across a WAN Using a GRE Tunnel ..... 5
    Configure WEST ..... 5
    Configure EAST ..... 7
  Bridging across a WAN Using a GRE Tunnel over IPsec VPN ..... 8
    Configure WEST ..... 9
      Define the Bridge, Ethernet, and Loopback Interfaces on “WEST” ..... 9
      Define the GRE Tunnel on “WEST” ..... 10
      Define the IPsec Tunnel on “WEST” ..... 11
    Configure EAST ..... 13
  Bridging Across a WAN Using Site-to-Site OpenVPN ..... 15
    Configure WEST ..... 16
      Define the Bridge and Ethernet Interfaces on “WEST” ..... 16
      Define the OpenVPN Tunnel on “WEST” ..... 17
    Configure EAST ..... 18
  Bridging Across a WAN Using Client-Server OpenVPN ..... 18
    Configure V1 ..... 19
      Define the Bridge Interface on “V1” ..... 19
      Define the Ethernet Interfaces on “V1” ..... 20
      Define the OpenVPN Server on “V1” ..... 20
      Define the DHCP Server on “V1” ..... 21
      Commit and Display the Configuration on “V1” ..... 22
    Configure V2 ..... 23
      Define the Bridge Interface on “V2” ..... 23
      Define the Ethernet Interface on “V2” ..... 23
      Define the OpenVPN Client on “V2” ..... 24
      Commit and Display the Configuration on “V2” ..... 25
Chapter 3 Bridge Group Commands ..... 26
  interfaces bridge <brx> ..... 29
  interfaces bridge <brx> address <address> ..... 30
  interfaces bridge <brx> aging <age> ..... 32
  interfaces bridge <brx> description <desc> ..... 34
  interfaces bridge <brx> dhcpv6-options ..... 35
  interfaces bridge <brx> disable ..... 37
  interfaces bridge <brx> disable-link-detect ..... 38
  interfaces bridge <brx> forwarding-delay <delay> ..... 39
  interfaces bridge <brx> hello-time <interval> ..... 41
  interfaces bridge <brx> ipv6 address ..... 43
  interfaces bridge <brx> ipv6 disable-forwarding ..... 45
  interfaces bridge <brx> ipv6 dup-addr-detect-transmits <num> ..... 46
  interfaces bridge <brx> ipv6 router-advert ..... 48
  interfaces bridge <brx> mac <mac-addr> ..... 53
  interfaces bridge <brx> max-age <interval> ..... 55
  interfaces bridge <brx> priority <priority> ..... 57
  interfaces bridge <brx> stp <state> ..... 59
  show bridge ..... 61
Chapter 4 Bridge Interface Commands ..... 62
  clear interfaces bridge counters ..... 64
  interfaces adsl <adslx> pvc <pvc-id> bridged-ethernet bridge-group ..... 65
  interfaces bonding <bondx> bridge-group ..... 67
  interfaces bonding <bondx> vif <vlan-id> bridge-group ..... 69
  interfaces ethernet <ethx> bridge-group ..... 71
  interfaces ethernet <ethx> vif <vlan-id> bridge-group ..... 73
  interfaces openvpn <vtunx> bridge-group ..... 75
  interfaces tunnel <tunx> parameters ip bridge-group ..... 77
  interfaces wireless <wlanx> bridge-group ..... 79
Glossary of Acronyms ..... 82
Quick List of Commands
Use this list to help you quickly locate commands.
clear interfaces bridge counters ..... 64
interfaces adsl <adslx> pvc <pvc-id> bridged-ethernet bridge-group ..... 65
interfaces bonding <bondx> bridge-group ..... 67
interfaces bonding <bondx> vif <vlan-id> bridge-group ..... 69
interfaces bridge <brx> address <address> ..... 30
interfaces bridge <brx> aging <age> ..... 32
interfaces bridge <brx> description <desc> ..... 34
interfaces bridge <brx> dhcpv6-options ..... 35
interfaces bridge <brx> disable ..... 37
interfaces bridge <brx> disable-link-detect ..... 38
interfaces bridge <brx> forwarding-delay <delay> ..... 39
interfaces bridge <brx> hello-time <interval> ..... 41
interfaces bridge <brx> ipv6 address ..... 43
interfaces bridge <brx> ipv6 disable-forwarding ..... 45
interfaces bridge <brx> ipv6 dup-addr-detect-transmits <num> ..... 46
interfaces bridge <brx> ipv6 router-advert ..... 48
interfaces bridge <brx> mac <mac-addr> ..... 53
interfaces bridge <brx> max-age <interval> ..... 55
interfaces bridge <brx> priority <priority> ..... 57
interfaces bridge <brx> stp <state> ..... 59
interfaces bridge <brx> ..... 29
interfaces ethernet <ethx> bridge-group ..... 71
interfaces ethernet <ethx> vif <vlan-id> bridge-group ..... 73
interfaces openvpn <vtunx> bridge-group ..... 75
interfaces tunnel <tunx> parameters ip bridge-group ..... 77
interfaces wireless <wlanx> bridge-group ..... 79
show bridge ..... 61
show interfaces bridge ..... 81
List of Examples
Use this list to help you locate examples you’d like to look at or try.
Preface
This document describes the various deployment, installation, and upgrade options
for Vyatta software.
This preface provides information about using this guide. The following topics are
presented:
• Intended Audience
• Organization of This Guide
• Document Conventions
• Vyatta Publications
 IntendedAudience
viii
Bridging 6.5R1v01 Vyatta
IntendedAudience
This guide is intended for experienced system and network administrators.
Depending on the functionality to be used, readers should have specific knowledge
in the following areas:
• Networking and data communications
• TCP/IP protocols
• General router configuration
• Routing protocols
• Network administration

• Network security
• IP services
OrganizationofThisGuide
This guide has the following aid to help you find the information you are looking for:
• Quick List of Commands
Use this list to help you quickly locate commands.
• List of Examples
Use this list to help you locate examples you’d like to try or look at.
This guide has the following chapters:
Chapter 1: Bridging Overview (page 1). This chapter provides a brief introduction to the Vyatta system’s support for Layer 2 bridging.
Chapter 2: Bridging Configuration Examples (page 3). This chapter provides configuration examples for bridging.
Chapter 3: Bridge Group Commands (page 26). This chapter lists the commands used to create the bridge group (the bridge interface) and define its characteristics.
Chapter 4: Bridge Interface Commands (page 62). This chapter describes commands for adding interfaces to a bridge group.
Glossary of Acronyms (page 82).
 DocumentConventions
ix
Bridging 6.5R1v01 Vyatta
DocumentConventions

This guide uses the following advisory paragraphs.
NOTE  Notes provide information you might need to avoid problems or configuration errors.
WARNING  Warnings alert you to situations that may pose a threat to personal safety.
CAUTION  Cautions alert you to situations that might cause harm to your system or damage to equipment, or that may affect service.
This document uses the following typographic conventions.
Monospace: Examples, command-line output, and representations of configuration nodes.
bold Monospace: Your input: something you type at a command line.
bold: Commands, keywords, and file names, when mentioned inline. Objects in the user interface, such as tabs, buttons, screens, and panes.
italics: An argument or variable where you supply a value.
<key>: A key on your keyboard, such as <Enter>. Combinations of keys are joined by plus signs (“+”), as in <Ctrl>+c.
[ key1 | key2 ]: Enumerated options for completing a syntax. An example is [enable | disable].
num1–numN: An inclusive range of numbers. An example is 1–65535, which means 1 through 65535, inclusive.
arg1 argN: A range of enumerated values. An example is eth0 eth3, which means eth0, eth1, eth2, or eth3.
arg [ arg ] / arg [, arg ]: A value that can optionally represent a list of elements (a space-separated list and a comma-separated list, respectively).
 VyattaPublications

x
Bridging 6.5R1v01 Vyatta
Full product documentation is provided in the Vyatta technical library. To see what
documentation is available for your release, see the Guide to Vyatta Documentation.
This guide is posted with every release of Vyatta software and provides a great
starting point for finding the information you need.
Additional information is available on www.vyatta.com and www.vyatta.org.
Chapter 1: Bridging Overview
This chapter provides a brief introduction to the Vyatta system’s support for Layer 2
bridging.
This chapter presents the following topics:
• Layer 2 Bridging
• RFC 1483 Bridged Ethernet
• MTU for Bridge Groups
Chapter1:BridgingOverview Layer2Bridging
2
Bridging 6.5R1v01 Vyatta
Layer2Bridging
Bridging allows you to connect multiple network segments (typically LAN segments)
at the Layer 2 level.
Since bridging occurs at Layer 2 (the data link layer) and IP addresses are relevant
only on Layer 3 (the network layer), IP addresses are not allowed on the interfaces
being bridged.
To create a bridge, use the following workflow:
1 Create the bridge group. You create a bridge group by defining a bridge interface
and setting its characteristics.
2 Add the interfaces to the bridge group. You do this within the configuration
node for the interface itself.

The following interface types can be added directly to bridge groups:
• Physical Ethernet interfaces
• Ethernet bonded links
• VLAN interfaces configured under physical Ethernet interfaces or Ethernet
bonded links
• OpenVPN interfaces
• Tunnel interfaces
• Wireless interfaces in access mode (not in station mode)
RFC1483BridgedEthernet
ADSL interfaces cannot be added to bridge groups, but the Vyatta system supports
the mechanisms described in RFC 1483 bridging ADSL traffic over an ATM
network. You can bridge ADSL traffic over Ethernet using the interfaces adsl <adslx>
pvc <pvc-id> bridged-ethernet bridge-group command.
MTUforBridgeGroups
The effective MTU (maximum transmission unit) size for a bridge group is the
minimum MTU of all the interfaces that belong to the bridge group. So, the
maximum frame size of frames transmitted by the bridged interfaces will be this
effective MTU size.
Chapter 2: Bridging Configuration Examples
This chapter provides configuration examples for bridging.
This chapter presents the following topics:
• Basic Bridging Configuration
• Bridging Across a WAN Using a GRE Tunnel
• Bridging across a WAN Using a GRE Tunnel over IPsec VPN
• Bridging Across a WAN Using Site-to-Site OpenVPN
• Bridging Across a WAN Using Client-Server OpenVPN
Chapter2:BridgingConfigurationExamples BasicBridgingConfiguration

4
Bridging 6.5R1v01 Vyatta
BasicBridgingConfiguration
This section presents a sample configuration for a basic bridge between two Ethernet
segments on a Vyatta system.
When you have finished, the system will be configured as shown in Figure 2-1.
Figure 2-1 Basic bridging (diagram: router R1 with interfaces eth0 and eth1)
In this example, you create a bridge interface and assign the Ethernet interfaces to
the bridge group.
Example 2-1 creates the bridge interface and adds the Ethernet interfaces to the
bridge group. To do this, perform the following steps on R1 in configuration mode.
Example 2-1 Configuring a bridge between two Ethernet interfaces
Step  Command
Create the bridge interface.
    vyatta@R1# set interfaces bridge br0
Add eth0 to the bridge group.
    vyatta@R1# set interfaces ethernet eth0 bridge-group bridge br0
Add eth1 to the bridge group.
    vyatta@R1# set interfaces ethernet eth1 bridge-group bridge br0
Commit the configuration.
    vyatta@R1# commit
View the configuration.
    vyatta@R1# show interfaces
    bridge br0 {
    }
    ethernet eth0 {
        bridge-group {
            bridge br0
        }
    }
    ethernet eth1 {
        bridge-group {
            bridge br0
        }
    }
Bridging Across a WAN Using a GRE Tunnel
This section presents a sample configuration for bridging remote network segments
using a GRE-bridge encapsulated tunnel between Vyatta systems WEST and EAST.
First WEST is configured, and then EAST.
This basic tunnel is not protected by a key: this means it is not secure.
When you have finished, these systems will be configured as shown in Figure 2-2
with bridged network segments connected to eth0 on each of the two systems.
Figure 2-2 Bridging across a WAN using a GRE-bridge encapsulated tunnel (diagram: WEST and EAST, each with eth0 and eth1, on networks 192.0.2.0/27 and 192.0.2.32/27, joined by the GRE-bridge tunnel)
Configure WEST
GRE tunnels are explained in detail in the Vyatta Tunnels Reference Guide. Please
see that guide for further details.
Chapter2:BridgingConfigurationExamples BridgingAcrossaWANUsingaGRETunnel
6
Bridging 6.5R1v01 Vyatta
The GRE-bridge tunnel in the example configuration extends from eth1 on WEST
through the wide-area network to eth1 on EAST. In this example, you create the
bridge interface, add eth0 to the bridge group, and then create a tunnel interface and
add it to the bridge group.
• The source IP address of the tunnel endpoint (the local-ip) is the same as the
address associated with eth1 in this example.
• The destination IP address of the tunnel endpoint (the remote-ip) is 192.0.2.33
on EAST.
• The tunnel encapsulation is gre-bridge.
• The tunnel is added to the bridge group.
Example 2-2 creates the bridge and tunnel interfaces and adds eth0 and the tunnel
interface to the bridge group. To do this, perform the following steps on WEST in
configuration mode.
Example2‐2CreatingabasicGRE‐bridgetunnelendpointandbridgeonWEST
Step Command
Createthebridgeinterface.
vyatta@WEST#setinterfacesbridgebr0
Addeth0tothe bridgegroup.
vyatta@WEST#setinterfacesetherneteth0bridge‐groupbridge
br0
Configureanaddressoneth1.
vyatta@WEST#setinterfacesetherneteth1address

192.0.2.1/27
Createthetunnelinterfaceand
specifythesourceIPaddressfor
thetunnel.
vyatta@WEST#setinterfacestunneltun0local‐ip192.0.2.1
SpecifytheIPaddressofthe
otherendofthetunnel.
vyatta@WEST#setinterfacestunneltun0remote‐ip192.0.2.33
SpecifytheGRE‐bridge
encapsulationmodeforthe
tunnel.
vyatta@WEST#setinterfacestunneltun0encapsulation
gre‐bridge
Addtun0tothebridgegroup.
vyatta@WEST#setinterfacestunneltun0bridge‐groupbridge
br0
Committheconfiguration.
vyatta@WEST#commit
Chapter2:BridgingConfigurationExamples BridgingAcrossaWANUsingaGRETunnel
7
Bridging 6.5R1v01 Vyatta
ConfigureEAST
EAST is configured similarly to WEST. The differences are as follows:
• The address assigned to eth1 is 192.0.2.33/2.
• The local IP address (local-ip) is 192.0.2.33.
• The remote IP address (remote-ip) is 192.0.2.1.
Viewtheconfiguration.
vyatta@WEST#showinterfaces
bridgebr0{
}

etherneteth0{
bridge‐group{
bridgebr0
}
}
etherneteth1{
address192.0.2.1/27
}
tunneltun0{
bridge‐group{
bridgebr0
}
encapsulationgre‐bridge
local‐ip192.0.2.1
remote‐ip192.0.2.33
}
Example2‐2CreatingabasicGRE‐bridgetunnelendpointandbridgeonWEST
Chapter2:BridgingConfigurationExamples BridgingacrossaWANUsingaGRETunn eloverIPsecVPN
8
Bridging 6.5R1v01 Vyatta
Example 2-3 shows the completed configuration.
BridgingacrossaWANUsingaGRETunnel
overIPsecVPN
This example configures a GRE-bridge tunnel between WEST and EAST and
protects it within an IPsec tunnel between the same endpoints.
When you have finished, WEST and EAST will be configured as shown in Figure 2-3.
Example2‐3ConfigurationforabasicGRE‐bridgetunnelendpointandbridgeonEAST
Step Command
Viewtheconfiguration.
vyatta@EAST#showinterfaces

bridgebr0{
}
etherneteth0{
bridge‐group{
bridgebr0
}
}
etherneteth1{
address192.0.2.33/27
}
tunneltun0{
bridge‐group{
bridgebr0
}
encapsulationgre‐bridge
local‐ip192.0.2.33
remote‐ip192.0.2.1
}
Chapter2:BridgingConfigurationExamples BridgingacrossaWANUsingaGRETunn eloverIPsecVPN
9
Bridging 6.5R1v01 Vyatta
Figure2‐3GRE‐bridgetunnelprotectedbyanIPsectunnel
ConfigureWEST
This section presents the following examples:
• Example 2-4 Defining the bridge, Ethernet, and loopback interfaces on WEST
• Example 2-5 Defining the GRE-bridge tunnel from WEST to EAST
• Example 2-6 Defining the IPsec tunnel from WEST to EAST
DefinetheBridge,Ethernet,andLoopback
Interfaceson“WEST”
Example 2-4 defines the bridge, Ethernet, and loopback interfaces on WEST. In this

example:
• The bridge interface br0 is created.
• Ethernet interface eth0 is added to the bridge group
• Ethernet interface eth1 is configured with IP address 192.0.2.1/27.
• Loopback interface lo is configured with IP address 172.16.0.1/32.
To create the bridge, Ethernet, and loopback interfaces on WEST, perform the
following steps in configuration mode.
eth0 eth1
eth0
eth1
.1
.30 .62 .33
192.0.2.0/27 192.0.2.32/27
IPsec Tunnel
EAST
WEST
GRE-bridge
Tunnello
172.16.0.1/32
lo
172.16.0.2/32
tun0
tun0
Example2‐4Definingthebridge,Ethernet,andloopbackinterfacesonWEST
Step Command
Createthebridgeinterface.
vyatta@WEST#setinterfacesbridgebr0
Chapter2:BridgingConfigurationExamples BridgingacrossaWANUsingaGRETunn eloverIPsecVPN
10
Bridging 6.5R1v01 Vyatta

DefinetheGRETunnelon“WEST”
NOTEThisexampledealswithGREtunnelsinthecontextofabridge.GREtunnelsthemselvesare
explainedindetailintheVyattaTunnelsReferenceGuide.
Example 2-5 defines WEST’s end of the GRE-bridge tunnel. In this example:
• The IP address on the local side of the GRE tunnel (local-ip) is assigned the local
loopback address 172.16.0.1.
• The IP address of the other end of the GRE tunnel (remote-ip) is assigned the
loopback address of the remote system 172.16.0.2.
• The tunnel encapsulation is gre-bridge.
• The tunnel is added to the bridge group.
To create the tunnel interface and the tunnel endpoint on WEST, perform the
following steps in configuration mode.
Addeth0tothe bridgegroup.
vyatta@WEST#setinterfacesetherneteth0bridge‐groupbridge
br0
Configureanaddressoneth1.
vyatta@WEST#setinterfacesetherneteth1address
192.0.2.1/27
Configureanaddressonlo.
vyatta@WEST#setinterfacesloopbackloaddress172.16.0.1/32
Committheconfiguration.
Verifytheconfiguration.
Example2‐4Definingthebridge,Ethernet,andloopbackinterfacesonWEST
Example2‐5DefiningtheGRE‐bridgetunnelfromWESTtoEAST
Step Command
SpecifythelocalIPaddressfor
theGREtunnel.
vyatta@WEST#setinterfacestunneltun0local‐ip172.16.0.1
SpecifytheremoteIPaddress
fortheGREtunnel.

vyatta@WEST#setinterfacestunneltun0remote‐ip172.16.0.2
Specifytheencapsulationmode
forthetunnel.
vyatta@WEST#setinterfacestunneltun0encapsulation
gre‐bridge
Addtun0tothebridgegroup.
vyatta@WEST#setinterfacestunneltun0bridge‐groupbridge
br0
Committheconfiguration.
vyatta@WEST#commit
Chapter2:BridgingConfigurationExamples BridgingacrossaWANUsingaGRETunn eloverIPsecVPN
11
Bridging 6.5R1v01 Vyatta
DefinetheIPsecTunnelon“WEST”
Example 2-6 creates the IPsec tunnel from WEST to EAST.
• WEST uses IP address 192.0.2.1 on eth1.
• EAST uses IP address 192.0.2.33 on eth1.
• The IKE group is IKE-1W
• The preshared secret is “test_key_1”.
• The IPsec tunnel is between subnet 172.16.0.1/32 on WEST and 172.16.0.2/32
on EAST, using ESP group ESP-1W.
This examples assumes that you have already configured the following:
• IKE group IKE-1W
• ESP group ESP-1W
NOTEIfyouneedmoreinformationaboutIKEandESPgroups,theyareexplainedindetailinthe
VyattaVPNReferenceGuide.
Viewthemodified
configuration.
vyatta@WEST#showinterfaces
bridgebr0{

}
etherneteth0{
bridge‐group{
bridgebr0
}
}
etherneteth1{
address192.0.2.1/27
}
loopbacklo{
address172.16.0.1/32
}
tunneltun0{
bridge‐group{
bridgebr0
}
encapsulationgre‐bridge
local‐ip172.16.0.1
remote‐ip172.16.0.2
}
Example2‐5DefiningtheGRE‐bridgetunnelfromWESTtoEAST
Chapter2:BridgingConfigurationExamples BridgingacrossaWANUsingaGRETunn eloverIPsecVPN
12
Bridging 6.5R1v01 Vyatta
To create the IPsec tunnel from WEST to EAST, perform the following steps on WEST in configuration mode.

Example 2-6 Defining the IPsec tunnel from WEST to EAST
Step                                   Command
Enable VPN on eth1.
    vyatta@WEST# set vpn ipsec ipsec-interfaces interface eth1
Define the site-to-site connection to EAST. Set the authentication mode.
    vyatta@WEST# set vpn ipsec site-to-site peer 192.0.2.33 authentication mode pre-shared-secret
Navigate to the node for the peer for easier editing.
    vyatta@WEST# edit vpn ipsec site-to-site peer 192.0.2.33
    [edit vpn ipsec site-to-site peer 192.0.2.33]
Provide the string that will be used to authenticate the peers.
    vyatta@WEST# set authentication pre-shared-secret test_key_1
    [edit vpn ipsec site-to-site peer 192.0.2.33]
Specify the IKE group.
    vyatta@WEST# set ike-group IKE-1W
    [edit vpn ipsec site-to-site peer 192.0.2.33]
Identify the IP address on this system to be used for this connection.
    vyatta@WEST# set local-ip 192.0.2.1
    [edit vpn ipsec site-to-site peer 192.0.2.33]
Create a tunnel configuration, and provide the local subnet for this tunnel.
    vyatta@WEST# set tunnel 1 local subnet 172.16.0.1/32
    [edit vpn ipsec site-to-site peer 192.0.2.33]
Specify the remote subnet for the tunnel.
    vyatta@WEST# set tunnel 1 remote subnet 172.16.0.2/32
    [edit vpn ipsec site-to-site peer 192.0.2.33]
Specify the ESP group for this tunnel.
    vyatta@WEST# set tunnel 1 esp-group ESP-1W
    [edit vpn ipsec site-to-site peer 192.0.2.33]
Return to the top of the configuration hierarchy.
    vyatta@WEST# top
Commit the configuration.
    vyatta@WEST# commit
Chapter2:BridgingConfigurationExamples BridgingacrossaWANUsingaGRETunn eloverIPsecVPN
13
Bridging 6.5R1v01 Vyatta
ConfigureEAST
EAST is configured similarly to WEST. The differences in the interface configuration
are as follows:
• The address assigned to eth1 is 192.0.2.33/27.
• The address assigned to the loopback interface is 172.16.0.2/32.
• The IP address on the local side is 172.16.0.2.
• The on the remote side is 172.16.0.1.
Example 2-7 shows the completed interfaces configuration.
Viewthemodified
configuration.
vyatta@WEST#showvpnipsecipsec‐interfaces
interfaceeth1
vyatta@WEST#showvpnipsecsite‐to‐sitepeer192.0.2.33
authentication
modepre‐shared‐secret
pre‐shared‐secrettest_key_1
}
ike‐groupIKE‐1W

local‐ip192.0.2.1
tunnel1{
esp‐groupESP‐1W
local{
subnet172.16.0.1/32
}
remote{
subnet172.16.0.2/32
}
}
Example2‐6DefiningtheIPsectunnelfromWESTtoEAST
Chapter2:BridgingConfigurationExamples BridgingacrossaWANUsingaGRETunn eloverIPsecVPN
14
Bridging 6.5R1v01 Vyatta
Example 2-7 Configuration for interfaces on EAST
Step                                   Command
View the modified configuration.
    vyatta@EAST# show interfaces
    bridge br0 {
    }
    ethernet eth0 {
        bridge-group {
            bridge br0
        }
    }
    ethernet eth1 {
        address 192.0.2.33/27
    }
    loopback lo {
        address 172.16.0.2/32
    }
    tunnel tun0 {
        bridge-group {
            bridge br0
        }
        encapsulation gre-bridge
        local-ip 172.16.0.2
        remote-ip 172.16.0.1
    }

The differences in the IPsec VPN configuration are as follows:
• The peer address is 192.0.2.1.
• The IKE group is IKE-1E.
• The IP address on the local side is 192.0.2.33.
• The ESP group is ESP-1E.
• The local subnet is 172.16.0.2/32.
• The remote subnet is 172.16.0.1/32.
Chapter2:BridgingConfigurationExamples BridgingAcrossaWANUsingSite ‐to ‐SiteOpenVPN
15
Bridging 6.5R1v01 Vyatta
Example 2-8 shows the completed IPsec VPN configuration.
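The four `show` listings in Examples 2-5 through 2-8 only work as a pair when they mirror each other exactly: each router's tun0 local-ip is its own loopback address, its remote-ip is the other router's loopback address, and the IPsec tunnel's local and remote /32 subnets are precisely those two loopback addresses, so that every GRE packet carrying bridged frames is selected into ESP. The Python script below is an added example, not part of this guide or of Vyatta; it re-creates the WEST and EAST listings from the values on this page (constructed input rendered from a template), parses the brace-delimited `show` output with a small parser written for this example, and reports any mismatch. The names `parse`, `check_site`, `mirrored`, `check_pair` and `audit`, and the `WEST`/`EAST` value dictionaries, are this example's own.

```python
# Added example (not from the Vyatta guide): cross-check the WEST/EAST settings of Examples 2-5 to 2-8.
import ipaddress
INTERFACES = """
ethernet eth0 {
    bridge-group {
        bridge br0
    }
}
ethernet eth1 {
    address %(eth1)s/27
}
loopback lo {
    address %(lo)s/32
}
tunnel tun0 {
    bridge-group {
        bridge br0
    }
    encapsulation gre-bridge
    local-ip %(lo)s
    remote-ip %(peer_lo)s
}
"""  # constructed: shape of `show interfaces` in Examples 2-5 and 2-7

IPSEC_PEER = """
authentication {
    mode pre-shared-secret
    pre-shared-secret test_key_1
}
ike-group %(ike)s
local-ip %(eth1)s
tunnel 1 {
    esp-group %(esp)s
    local {
        subnet %(lo)s/32
    }
    remote {
        subnet %(peer_lo)s/32
    }
}
"""  # constructed: shape of `show vpn ipsec site-to-site peer <addr>` in Examples 2-6 and 2-8

WEST = dict(eth1="192.0.2.1", lo="172.16.0.1", peer_lo="172.16.0.2", ike="IKE-1W", esp="ESP-1W", peer="192.0.2.33")
EAST = dict(eth1="192.0.2.33", lo="172.16.0.2", peer_lo="172.16.0.1", ike="IKE-1E", esp="ESP-1E", peer="192.0.2.1")

def parse(text):
    """Flatten brace-delimited `show` output into {"node name/.../key": value}."""
    flat, path = {}, []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line == "}":
            path.pop()
        elif line.endswith("{"):
            path.append(line[:-1].strip())  # node name, e.g. "tunnel tun0"
        else:
            key, _, value = line.partition(" ")
            flat["/".join(path + [key])] = value
    if path:
        raise ValueError("unbalanced braces in listing")
    return flat

def check_site(ifs, ipsec, name):
    """Problems inside one router: bridge membership, GRE endpoints, IPsec selectors."""
    problems = []
    if ifs.get("tunnel tun0/encapsulation") != "gre-bridge":
        problems.append(f"{name}: tun0 is not gre-bridge, so it cannot carry Ethernet frames")
    if ifs.get("tunnel tun0/bridge-group/bridge") != ifs.get("ethernet eth0/bridge-group/bridge", "?"):
        problems.append(f"{name}: eth0 and tun0 are not in the same bridge group")
    lo = ifs.get("loopback lo/address", "").split("/")[0]
    if ifs.get("tunnel tun0/local-ip") != lo:
        problems.append(f"{name}: tun0 local-ip is not the loopback address {lo}")
    # Both GRE endpoints must lie inside the IPsec selectors, or the bridged frames cross the WAN as plain GRE.
    for side in ("local", "remote"):
        ip, net = ifs.get(f"tunnel tun0/{side}-ip"), ipsec.get(f"tunnel 1/{side}/subnet")
        if not ip or not net or ipaddress.ip_address(ip) not in ipaddress.ip_network(net):
            problems.append(f"{name}: GRE {side} endpoint {ip} is outside IPsec {side} subnet {net}")
    return problems

def mirrored(a, b, near, far):
    return a.get(near) == b.get(far) and b.get(near) == a.get(far)

def check_pair(wi, wv, ei, ev):
    """Problems between the ends: GRE endpoints, peers, secret and selectors must mirror."""
    problems = []
    if not mirrored(wi, ei, "tunnel tun0/local-ip", "tunnel tun0/remote-ip"):
        problems.append("GRE endpoints on WEST and EAST do not mirror each other")
    if not mirrored(wv, ev, "local-ip", "peer"):
        problems.append("IPsec peer address does not match the far side's local-ip")
    if wv.get("authentication/pre-shared-secret") != ev.get("authentication/pre-shared-secret"):
        problems.append("pre-shared secrets differ")
    if not mirrored(wv, ev, "tunnel 1/local/subnet", "tunnel 1/remote/subnet"):
        problems.append("IPsec local/remote subnets are not mirrored")
    return problems

def audit(west=WEST, east=EAST):
    """All problems for a WEST/EAST pair; an empty list means both ends agree."""
    wi, wv = parse(INTERFACES % west), parse(IPSEC_PEER % west)
    ei, ev = parse(INTERFACES % east), parse(IPSEC_PEER % east)
    wv["peer"], ev["peer"] = west["peer"], east["peer"]  # the <addr> in `show ... peer <addr>`
    return check_site(wi, wv, "WEST") + check_site(ei, ev, "EAST") + check_pair(wi, wv, ei, ev)
```

With the page's values `audit()` returns an empty list. The mismatch worth watching for is a GRE endpoint that falls outside the IPsec selectors: the bridge still forwards frames, but across the WAN they travel as unencrypted GRE, which is why `check_site` tests the endpoints against the subnets rather than only comparing strings between the two routers.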
BridgingAcrossaWANUsingSite‐to‐Site
OpenVPN
This example configures a bridge across a site-to-site OpenVPN tunnel between
WEST and EAST.
NOTEIfyouneedmoreinformationaboutOpenVPNtunnels,theyareexplainedindetailinthe
VyattaVPNReferenceGuide.
When you have finished, WEST and EAST will be configured as shown in Figure 2-4
and the LANs connected to WEST and EAST will be bridged.
Example2‐8ConfigurationforIPsecVPNonEAST

Step Command
Viewthemodified
configuration.
vyatta@EAST#showvpnipsecipsec‐interfaces
interfaceeth1
vyatta@EAST#showvpnipsecsite‐to‐sitepeer192.0.2.1
authentication
modepre‐shared‐secret
pre‐shared‐secrettest_key_1
}
ike‐groupIKE‐1E
local‐ip192.0.2.33
tunnel1{
esp‐groupESP‐1E
local{
subnet172.16.0.2/32
}
remote{
subnet172.16.0.1/32
}
}

×