CloudBridge Connector Functional Test
CloudBridge Connector overview
Basic CloudBridge Connector usage example:
Initial configuration of device ans-ha1 (ANSIP: 192.168.11.11):
> show hostName
Hostname: ans-ha1
Done
> show ip
Ipaddress TD Type Mode Arp Icmp Vserver State
--------- -- ---- ---- --- ---- ------- ------
1) 192.168.11.11 0 HGANS IP Active Enabled Enabled NA Enabled
2) 192.168.11.1 0 SNIP|ADNS Active Enabled Enabled NA Enabled
3) 192.168.10.41 0 SNIP Active Enabled Enabled NA Enabled
Done
> show route
Network Netmask Gateway/OwnedIP State TD Type
------- ------- --------------- ----- -- ----
1) 0.0.0.0 0.0.0.0 192.168.10.1 UP 0 STATIC
2) 127.0.0.0 255.0.0.0 127.0.0.1 UP 0 PERMANENT
3) 192.168.10.0 255.255.255.0 192.168.10.41 UP 0 DIRECT
4) 192.168.11.0 255.255.255.0 192.168.11.11 UP 0 DIRECT
Done
> show acl
Done
> show pbr
Done
>
Initial configuration of device ans-one (ANSIP: 192.168.21.11):
> show hostName
Hostname: ans-one
Done
> show ip
Ipaddress TD Type Mode Arp Icmp Vserver State
--------- -- ---- ---- --- ---- ------- ------
1) 192.168.21.11 0 HGANS IP Active Enabled Enabled NA Enabled
2) 192.168.20.41 0 SNIP Active Enabled Enabled NA Enabled
3) 192.168.21.1 0 SNIP|ADNS Active Enabled Enabled NA Enabled
Done
> show route
Network Netmask Gateway/OwnedIP State TD Type
------- ------- --------------- ----- -- ----
1) 0.0.0.0 0.0.0.0 192.168.20.1 UP 0 STATIC
2) 127.0.0.0 255.0.0.0 127.0.0.1 UP 0 PERMANENT
3) 192.168.20.0 255.255.255.0 192.168.20.41 UP 0 DIRECT
4) 192.168.21.0 255.255.255.0 192.168.21.11 UP 0 DIRECT
Done
> show acl
Done
> show pbr
Done
>
Verify whether ms-websvr1 (192.168.11.51) can reach rs-websvr1 (192.168.21.51) over the network.
Expected test result: no connectivity, 100% packet loss.
Apply the following configuration on device ans-ha1 (ANSIP: 192.168.11.11):
> add ans ip 192.168.10.101 255.255.255.0 -type VIP
Done
> enable ans mode L3
Done
> add ipsec profile RemoteSite -encAlgo AES -psk "123456"
Done
> add ipTunnel RemoteSite 192.168.20.101 255.255.255.255 192.168.10.101 -protocol IPSEC -ipsecProfileName RemoteSite
Done
> add ans pbr RemoteSite ALLOW -td 0 -srcIP = 192.168.11.51 -destIP = 192.168.21.51 -ipTunnel RemoteSite
Done
> apply pbrs
Done
> show ipTunnel
1) Domain.......: 0
Name.........: RemoteSite
Remote.......: 192.168.20.101 Mask......: 255.255.255.255
Local........: 192.168.10.101 Encap.....: 192.168.10.101
Protocol.....: IPSEC Type......: C
IPSec Profile Name.......: RemoteSite
IPSec Tunnel Status......: DOWN
IPSec Tunnel PBR name....: RemoteSite
Done
> show pbr RemoteSite
1) Name: RemoteSite
Action: ALLOW Hits: 0
srcIP = 192.168.11.51
destIP = 192.168.21.51
srcMac: Protocol:
Vlan: Interface:
Active Status: ENABLED Applied Status: APPLIED
Priority: 10
IpTunnel: RemoteSite
Done
Apply the following configuration on device ans-one (ANSIP: 192.168.21.11):
> add ans ip 192.168.20.101 255.255.255.0 -type VIP
Done
> enable ans mode L3
Done
> add ipsec profile RemoteSite -encAlgo AES -psk "123456"
Done
> add ipTunnel RemoteSite 192.168.10.101 255.255.255.255 192.168.20.101 -protocol IPSEC -ipsecProfileName RemoteSite
Done
> add ans pbr RemoteSite ALLOW -td 0 -srcIP = 192.168.21.51 -destIP = 192.168.11.51 -ipTunnel RemoteSite
Done
> apply pbrs
Done
> show ipTunnel
1) Domain.......: 0
Name.........: RemoteSite
Remote.......: 192.168.10.101 Mask......: 255.255.255.255
Local........: 192.168.20.101 Encap.....: 192.168.20.101
Protocol.....: IPSEC Type......: C
IPSec Profile Name.......: RemoteSite
IPSec Tunnel Status......: DOWN
IPSec Tunnel PBR name....: RemoteSite
Done
> show pbr RemoteSite
1) Name: RemoteSite
Action: ALLOW Hits: 0
srcIP = 192.168.21.51
destIP = 192.168.11.51
srcMac: Protocol:
Vlan: Interface:
Active Status: ENABLED Applied Status: APPLIED
Priority: 10
IpTunnel: RemoteSite
Done
Verify whether ms-websvr1 (192.168.11.51) can reach rs-websvr1 (192.168.21.51) over the network.
Expected test result: connectivity established, 0% packet loss.
View the statistics on device ans-ha1 (ANSIP: 192.168.11.11):
> show pbr RemoteSite
1) Name: RemoteSite
Action: ALLOW Hits: 121
srcIP = 192.168.11.51
destIP = 192.168.21.51
srcMac: Protocol:
Vlan: Interface:
Active Status: ENABLED Applied Status: APPLIED
Priority: 10
IpTunnel: RemoteSite
Done
> stat pbr
PBR Statistics
Rate (/s) Total
Allow PBR hits 0 200
Deny PBR hits 0 0
PBR hits 0 200
PBR misses 1 1818
Done
> stat ipsec counters
Secure tunnel(s) summary
Rate (/s) Total
Bytes Received 0 4704
Bytes Sent 0 7992
Packets Received 0 49
Packets Sent 0 74
Done
View the statistics on device ans-one (ANSIP: 192.168.21.11):
> show pbr RemoteSite
1) Name: RemoteSite
Action: ALLOW Hits: 94
srcIP = 192.168.21.51
destIP = 192.168.11.51
srcMac: Protocol:
Vlan: Interface:
Active Status: ENABLED Applied Status: APPLIED
Priority: 10
IpTunnel: RemoteSite
Done
> stat pbr
PBR Statistics
Rate (/s) Total
Allow PBR hits 0 110
Deny PBR hits 0 0
PBR hits 0 110
PBR misses 1 1108
Done
> stat ipsec counters
Secure tunnel(s) summary
Rate (/s) Total
Bytes Received 0 7104
Bytes Sent 0 5292
Packets Received 0 74
Packets Sent 0 49
Done
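As an added consistency check, not part of the original test report: a Python script that parses the show ipTunnel and stat ipsec counters output captured from both devices and verifies that the two endpoints mirror each other, that both tunnels report UP, and that each side's sent-packet total equals the other side's received total. The sample text is constructed from the report's own output, with the tunnel status assumed to be UP after traffic has flowed.

```python
import re

# Constructed sample output in the shape of this report's "show ipTunnel" and
# "stat ipsec counters" sessions; tunnel status assumed UP (the report shows DOWN before traffic).
TUNNEL_HA1 = """\
1) Domain.......: 0
Name.........: RemoteSite
Remote.......: 192.168.20.101 Mask......: 255.255.255.255
Local........: 192.168.10.101 Encap.....: 192.168.10.101
Protocol.....: IPSEC Type......: C
IPSec Profile Name.......: RemoteSite
IPSec Tunnel Status......: UP
IPSec Tunnel PBR name....: RemoteSite
"""
# ans-one's entry is the mirror image: Remote and Local/Encap swapped.
TUNNEL_ONE = (TUNNEL_HA1.replace("192.168.20.101", "@")
              .replace("192.168.10.101", "192.168.20.101").replace("@", "192.168.10.101"))
COUNTERS_HA1 = "Bytes Received 0 4704\nBytes Sent 0 7992\nPackets Received 0 49\nPackets Sent 0 74\n"
COUNTERS_ONE = "Bytes Received 0 7104\nBytes Sent 0 5292\nPackets Received 0 74\nPackets Sent 0 49\n"

FIELD = re.compile(r"([A-Za-z ]+?)\.{2,}:\s*(\S+)")
COUNTER = re.compile(r"^((?:Bytes|Packets) (?:Received|Sent))\s+\d+\s+(\d+)\s*$", re.M)


def parse_iptunnel(text):
    """Map every dotted 'Field...: value' pair of one show ipTunnel entry."""
    return {k.strip(): v for k, v in FIELD.findall(text)}


def parse_ipsec_totals(text):
    """Map each 'stat ipsec counters' row to its Total column."""
    return {name: int(total) for name, total in COUNTER.findall(text)}


def check_tunnel_pair(tun_a, tun_b, ctr_a, ctr_b):
    """Cross-check the two endpoints; an empty list means the pair is consistent."""
    findings = []
    for side, t in (("A", tun_a), ("B", tun_b)):
        if t.get("Protocol") != "IPSEC":
            findings.append(f"{side}: protocol {t.get('Protocol')} is not IPSEC")
        if t.get("IPSec Tunnel Status") != "UP":
            findings.append(f"{side}: tunnel status {t.get('IPSec Tunnel Status')}")
    # Each side's Remote must be the other side's Local, or the tunnel cannot be established.
    if tun_a["Remote"] != tun_b["Local"] or tun_b["Remote"] != tun_a["Local"]:
        findings.append("endpoint addresses are not mirrored between the two devices")
    # Packets one side sent must equal packets the other received (bytes are
    # not compared: in the report they differ by 12 bytes per packet).
    if (ctr_a["Packets Sent"] != ctr_b["Packets Received"]
            or ctr_b["Packets Sent"] != ctr_a["Packets Received"]):
        findings.append("IPsec packet counters are not symmetric")
    return findings
```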
The device's ipTunnel feature supports three protocols: IPIP, GRE and IPSEC.
IPIP (IP over IP): a layer 3 tunnelling protocol, at the network layer of the OSI model.
It is used to connect two IPv4 networks that would normally be unable to communicate directly.
GRE (Generic Routing Encapsulation): a layer 3 tunnelling protocol, at the network layer of the OSI model.
Generic Routing Encapsulation (GRE) is defined in RFC1701/RFC1702; it specifies how one network-layer protocol is used to encapsulate another network-layer protocol. A GRE tunnel is defined by the source and destination IP addresses of its two endpoints. It lets users encapsulate IP, IPX and AppleTalk in IP and supports all routing protocols, such as RIP, OSPF, IGRP and EIGRP. With GRE, users can connect IPX and AppleTalk networks over a public IP network, interconnect networks that use reserved addresses, or hide the enterprise network's IP addresses from the public network.
The GRE header contains a protocol type (identifying the passenger protocol); a checksum covering the GRE header and the complete passenger protocol and data; a key (used by the receiver to validate received data); a sequence number (used by the receiver for packet ordering and error control); and routing information (used to route the packet).
GRE only encapsulates packets; it has no encryption to protect against network sniffing and attacks. In practice it is therefore often combined with IPsec, with IPsec encrypting the user data to provide better security.
IPSEC (Internet Protocol Security): a layer 3 tunnelling protocol, at the network layer of the OSI model.
IP Security (IPSec) is in fact a suite of protocols rather than a single protocol, which is important to understand when learning about IPSec. Since research on IPSec began in 1995, the IETF IPSec working group has published dozens of Internet drafts and 12 RFCs on its home page. Among the more important are RFC2409 IKE (Internet Key Exchange), RFC2401 (the IPSec protocol), RFC2402 (the AH authentication header) and RFC2406 (ESP encrypted data).
The IPSec security architecture comprises three basic protocols: the AH protocol provides data-origin authentication and integrity for IP packets; the ESP protocol provides encryption; and the key-management protocol (ISAKMP) provides the shared security information exchanged between the two parties. Both ESP and AH have a series of supporting documents that specify the encryption and authentication algorithms. Finally, the Domain of Interpretation (DOI) ties all the IPSec documents together through a set of commands, algorithms, attributes and parameters.
Issues found during testing:
1: For GRE IP tunnels, the grepayload attribute cannot be set to ETHERNETwithDOT1Q.
Consequently, GRE on this device currently does not support encapsulating dot1Q VLAN IDs.
Because GRE cannot encapsulate dot1Q VLAN IDs, PBR rules can only be configured point-to-point (a single destination IP and a single source IP; ranges cannot be used).