AT-AR2050V/AT-AR3050S/AT-AR4050S コマンドリファレンス 5.4.7

| CUG接続用ユーザー名 | userA@cug | userC@cug | ||
| CUG接続用パスワード | cugpasswdA | cugpasswdC | ||
| WAN側IPアドレス | 10.0.0.1/32 | 10.0.0.2/32 | ||
| ISP接続用ユーザー名 | user@ispA | user@ispC | ||
| ISP接続用パスワード | isppasswdA | isppasswdC | ||
| WAN側IPアドレス | 10.1.1.1/32 | 10.1.1.2/32 | ||
| WAN側物理インターフェース(1) | eth1 | eth1 | ||
| WAN側物理インターフェース(2) | eth2 | eth2 | ||
| WAN側(ppp1)IPアドレス(1) | 10.0.0.1/32 | 10.0.0.2/32 | ||
| WAN側(ppp2)IPアドレス(2) | 10.1.1.1/32 | 10.1.1.2/32 | ||
| LAN側(vlan1)IPアドレス(1) | 192.168.100.100/24 | 192.168.10.1/24 | 192.168.200.100/24 | 192.168.200.1/24 | 
| LAN側(vlan11)IPアドレス(2) | 192.168.11.1/24 | |||
| LAN側(eth1)IPアドレス(3) | 192.168.100.1/24 | 192.168.200.1/24 | ||
| GREトンネル(tunnel1)IPアドレス(1) | 172.16.0.1/30 | 172.16.0.2/30 | ||
| GRE over IPsecトンネル(tunnel2)IPアドレス(2) | 172.17.0.1/30 | 172.17.0.2/30 | ||
! RouterA: dual-WAN edge in front of RouterB. eth1 carries the CUG PPPoE session
! (ppp1, 10.0.0.1/32) and eth2 the ISP PPPoE session (ppp2, 10.1.1.1/32).
! RouterB (192.168.100.1, on vlan1) sits behind this router and terminates the tunnels;
! RouterA only forwards the tunnel protocols to it.
no spanning-tree rstp enable
interface eth1 encapsulation ppp 1
interface eth2 encapsulation ppp 2
! Example PPP credentials for the CUG (ppp1) and ISP (ppp2) sessions. keepalive keeps the
! session monitored; adjust-mss pmtu clamps TCP MSS to the discovered path MTU.
interface ppp1 keepalive ppp username userA@cug ppp password cugpasswdA ip address 10.0.0.1/32 ip tcp adjust-mss pmtu
interface ppp2 keepalive ppp username user@ispA ppp password isppasswdA ip address 10.1.1.1/32 ip tcp adjust-mss pmtu
interface vlan1 ip address 192.168.100.100/24
! Zone "private": the center LAN subnets behind RouterB plus the two tunnel /30s, with
! RouterB as a named host entity (the port-forward target below).
zone private network lan ip subnet 192.168.10.0/24 ip subnet 192.168.11.0/24 ip subnet 192.168.100.0/24 host RouterB ip address 192.168.100.1 network tunnel ip subnet 172.16.0.0/30 ip subnet 172.17.0.0/30
! Zone "public": each WAN as 0.0.0.0/0 (any address) bound to its ppp interface, with the
! local ppp address as a host entity (public.eth1.ppp1 / public.eth2.ppp2).
zone public network eth1 ip subnet 0.0.0.0/0 interface ppp1 host ppp1 ip address 10.0.0.1 network eth2 ip subnet 0.0.0.0/0 interface ppp2 host ppp2 ip address 10.1.1.1
! Tunnel protocols: GRE (IP 47), ESP (IP 50), ISAKMP (UDP 500) and NAT-T (UDP 4500).
application gre protocol 47
application esp protocol 50
application isakmp protocol udp sport 500 dport 500
application nat-t protocol udp sport 4500 dport 4500
! Firewall: rule 10 permits LAN-to-LAN traffic without state enforcement (presumably
! because the tunnel/LAN return path can be asymmetric - confirm); rule 20 permits anything
! outbound. Rules 30-80 admit GRE on both WANs; rules 90-170 admit ISAKMP/ESP/NAT-T on the
! ISP WAN (eth2) only - to the ppp address and on to RouterB. "protect" turns the firewall on.
! NOTE(review): the inbound source entity is public.eth1 / public.eth2, i.e. 0.0.0.0/0, so any
! address reachable over that WAN may send GRE (and on eth2 ISAKMP/ESP/NAT-T) towards RouterB.
! The peer's addresses are fixed (10.0.0.2 and 10.1.1.2, see the host routes below), so a
! narrower host entity is possible; confirm that relying on the CUG and on IPsec authentication
! for this is intended.
firewall rule 10 permit any from private to private no-state-enforcement rule 20 permit any from private to public rule 30 permit gre from public.eth1.ppp1 to public.eth1 rule 40 permit gre from public.eth1 to public.eth1.ppp1 rule 50 permit gre from public.eth1 to private.lan.RouterB rule 60 permit gre from public.eth2.ppp2 to public.eth2 rule 70 permit gre from public.eth2 to public.eth2.ppp2 rule 80 permit gre from public.eth2 to private.lan.RouterB rule 90 permit isakmp from public.eth2.ppp2 to public.eth2 rule 100 permit isakmp from public.eth2 to public.eth2.ppp2 rule 110 permit isakmp from public.eth2 to private.lan.RouterB rule 120 permit esp from public.eth2.ppp2 to public.eth2 rule 130 permit esp from public.eth2 to public.eth2.ppp2 rule 140 permit esp from public.eth2 to private.lan.RouterB rule 150 permit nat-t from public.eth2.ppp2 to public.eth2 rule 160 permit nat-t from public.eth2 to public.eth2.ppp2 rule 170 permit nat-t from public.eth2 to private.lan.RouterB protect
! NAT: GRE arriving at ppp1 or ppp2, and ISAKMP/NAT-T arriving at ppp2, are port-forwarded
! to RouterB (ESP is admitted by the firewall but has no portfwd rule here); everything
! else from private to public is masqueraded. "enable" activates NAT.
nat rule 10 portfwd gre from public.eth1 to public.eth1.ppp1 with dst private.lan.RouterB rule 20 portfwd gre from public.eth2 to public.eth2.ppp2 with dst private.lan.RouterB rule 30 portfwd isakmp from public.eth2 to public.eth2.ppp2 with dst private.lan.RouterB rule 40 portfwd nat-t from public.eth2 to public.eth2.ppp2 with dst private.lan.RouterB rule 50 masq any from private to public enable
! Routes: default via the ISP (ppp2). The peer's CUG address (10.0.0.2) is pinned to ppp1 and
! its ISP address (10.1.1.2) to ppp2, each backed by a Null route at distance 254 - presumably
! a floating blackhole so peer traffic is not sent out the default route while that PPP link
! is down (confirm). The center LANs behind RouterB are reached via 192.168.100.1.
ip route 0.0.0.0/0 ppp2 ip route 10.0.0.2/32 ppp1 ip route 10.0.0.2/32 Null 254 ip route 10.1.1.2/32 ppp2 ip route 10.1.1.2/32 Null 254 ip route 192.168.10.0/24 192.168.100.1 ip route 192.168.11.0/24 192.168.100.1
end
! RouterB: center-side tunnel endpoint behind RouterA. eth1 (192.168.100.1) faces RouterA;
! vlan1 (192.168.10.0/24) and vlan11 (192.168.11.0/24) are the center LANs.
no spanning-tree rstp enable
interface eth1 ip address 192.168.100.1/24
! VLAN 11 on access port port1.0.2.
vlan database vlan 11 state enable interface port1.0.2 switchport switchport mode access switchport access vlan 11
interface vlan1 ip address 192.168.10.1/24
interface vlan11 ip address 192.168.11.1/24
! IKE pre-shared key for peer "RouterD", keyed by hostname rather than by IP address -
! presumably because both endpoints sit behind NAT and their source addresses are private;
! the names match tunnel2's local/remote names below. "secret" is the example key value.
crypto isakmp key secret hostname RouterD
! tunnel1: plain GRE to RouterD's CUG address (10.0.0.2). It has no "tunnel protection
! ipsec", so traffic on this path is carried unencrypted across the CUG.
! tunnel2: GRE to RouterD's ISP address (10.1.1.2) protected by IPsec. Both are sourced
! from eth1's private address; RouterA port-forwards the tunnel protocols to it.
! mtu 1300 / adjust-mss 1260 presumably leave room for the GRE (+IPsec) overhead - confirm
! against the real path MTU.
interface tunnel1 mtu 1300 tunnel source 192.168.100.1 tunnel destination 10.0.0.2 tunnel mode gre ip address 172.16.0.1/30 ip tcp adjust-mss 1260
interface tunnel2 mtu 1300 tunnel source 192.168.100.1 tunnel destination 10.1.1.2 tunnel local name RouterB tunnel remote name RouterD tunnel protection ipsec tunnel mode gre ip address 172.17.0.1/30 ip tcp adjust-mss 1260
! Zones used as match entities for policy-based routing: branch = RouterD's LANs,
! center = the local LANs.
zone branch network lan ip subnet 192.168.20.0/24 ip subnet 192.168.200.0/24
zone center network lan ip subnet 192.168.10.0/24 ip subnet 192.168.100.0/24
! Link monitoring: ping probes to the far end of each tunnel. Profile "tunnelquality" marks
! a link bad above latency 100 / jitter 30 / pktloss 1.0 and prefers the member with the
! lower loss; GROUP1 ties the two probes to the two tunnel peers.
linkmon probe enable
linkmon probe name TUNNEL1 type ping destination 172.16.0.2 linkmon probe name TUNNEL2 type ping destination 172.17.0.2
linkmon profile tunnelquality latency bad-above 100 jitter bad-above 30 pktloss bad-above 1.0 preference pktloss
linkmon group GROUP1 member 10 destination 172.16.0.2 probe TUNNEL1 member 20 destination 172.17.0.2 probe TUNNEL2
! PBR: center-to-branch traffic is steered by GROUP1 according to the profile, so it can
! fall back to the unencrypted tunnel1 when tunnel2 is judged bad.
policy-based-routing policy-based-routing enable ip policy-route 10 from center to branch linkmon-group GROUP1 linkmon-profile tunnelquality
! ping-poll 1 watches RouterD's tunnel2 address; trigger 1 runs tunnel2_down.scp when it goes
! down and trigger 2 runs tunnel2_up.scp when it recovers (the scripts move the static route
! for 192.168.20.0/24 between tunnel2 and tunnel1).
ping-poll 1 ip 172.17.0.2 up-count 3 fail-count 3 sample-size 3 active
trigger 1 type ping-poll 1 down script 1 tunnel2_down.scp trigger 2 type ping-poll 1 up script 1 tunnel2_up.scp
! Default route to RouterA (vlan1 address); the branch LAN via tunnel2 - this is the route
! the trigger scripts rewrite.
ip route 0.0.0.0/0 192.168.100.100 ip route 192.168.20.0/24 tunnel2
end
! RouterC: branch-side dual-WAN edge in front of RouterD, a mirror of the RouterA
! configuration. eth1 carries the CUG PPPoE session (ppp1, 10.0.0.2/32), eth2 the ISP
! session (ppp2, 10.1.1.2/32); RouterD (192.168.200.1, on vlan1) terminates the tunnels.
no spanning-tree rstp enable
interface eth1 encapsulation ppp 1
interface eth2 encapsulation ppp 2
! Example PPP credentials; keepalive monitors the session, adjust-mss pmtu clamps TCP MSS.
interface ppp1 keepalive ppp username userC@cug ppp password cugpasswdC ip address 10.0.0.2/32 ip tcp adjust-mss pmtu
interface ppp2 keepalive ppp username user@ispC ppp password isppasswdC ip address 10.1.1.2/32 ip tcp adjust-mss pmtu
interface vlan1 ip address 192.168.200.100/24
! Zone "private": the branch LAN subnets plus the tunnel /30s, with RouterD as a named host.
zone private network lan ip subnet 192.168.20.0/24 ip subnet 192.168.200.0/24 host RouterD ip address 192.168.200.1 network tunnel ip subnet 172.16.0.0/30 ip subnet 172.17.0.0/30
! Zone "public": each WAN as 0.0.0.0/0 with the local ppp address as a host entity.
zone public network eth1 ip subnet 0.0.0.0/0 interface ppp1 host ppp1 ip address 10.0.0.2 network eth2 ip subnet 0.0.0.0/0 interface ppp2 host ppp2 ip address 10.1.1.2
application gre protocol 47
application esp protocol 50
application isakmp protocol udp sport 500 dport 500
application nat-t protocol udp sport 4500 dport 4500
! Same rule set as RouterA with RouterD as the inbound target: GRE on both WANs,
! ISAKMP/ESP/NAT-T on the ISP WAN only; "protect" enables the firewall.
! NOTE(review): as on RouterA the inbound source entity is the whole WAN (0.0.0.0/0) although
! the peer addresses 10.0.0.1 / 10.1.1.1 are fixed in the routes below - confirm this is intended.
firewall rule 10 permit any from private to private no-state-enforcement rule 20 permit any from private to public rule 30 permit gre from public.eth1.ppp1 to public.eth1 rule 40 permit gre from public.eth1 to public.eth1.ppp1 rule 50 permit gre from public.eth1 to private.lan.RouterD rule 60 permit gre from public.eth2.ppp2 to public.eth2 rule 70 permit gre from public.eth2 to public.eth2.ppp2 rule 80 permit gre from public.eth2 to private.lan.RouterD rule 90 permit isakmp from public.eth2.ppp2 to public.eth2 rule 100 permit isakmp from public.eth2 to public.eth2.ppp2 rule 110 permit isakmp from public.eth2 to private.lan.RouterD rule 120 permit esp from public.eth2.ppp2 to public.eth2 rule 130 permit esp from public.eth2 to public.eth2.ppp2 rule 140 permit esp from public.eth2 to private.lan.RouterD rule 150 permit nat-t from public.eth2.ppp2 to public.eth2 rule 160 permit nat-t from public.eth2 to public.eth2.ppp2 rule 170 permit nat-t from public.eth2 to private.lan.RouterD protect
! Port-forward GRE (ppp1, ppp2) and ISAKMP/NAT-T (ppp2) to RouterD; masquerade the rest.
nat rule 10 portfwd gre from public.eth1 to public.eth1.ppp1 with dst private.lan.RouterD rule 20 portfwd gre from public.eth2 to public.eth2.ppp2 with dst private.lan.RouterD rule 30 portfwd isakmp from public.eth2 to public.eth2.ppp2 with dst private.lan.RouterD rule 40 portfwd nat-t from public.eth2 to public.eth2.ppp2 with dst private.lan.RouterD rule 50 masq any from private to public enable
! Default via the ISP; the peer's CUG/ISP addresses pinned to ppp1/ppp2 with Null routes at
! distance 254 as presumed blackhole fallbacks; the branch LAN via RouterD.
ip route 0.0.0.0/0 ppp2 ip route 10.0.0.1/32 ppp1 ip route 10.0.0.1/32 Null 254 ip route 10.1.1.1/32 ppp2 ip route 10.1.1.1/32 Null 254 ip route 192.168.20.0/24 192.168.200.1
end
! RouterD: branch-side tunnel endpoint behind RouterC, a mirror of the RouterB
! configuration. eth1 (192.168.200.1) faces RouterC; vlan1 is the branch LAN.
! NOTE: the summary table at the top of this page lists RouterD's vlan1 address as
! 192.168.200.1/24, but that is eth1's address here; vlan1 is 192.168.20.1/24, which is
! what the zone and route definitions (192.168.20.0/24) on this page use.
no spanning-tree rstp enable
interface eth1 ip address 192.168.200.1/24
interface vlan1 ip address 192.168.20.1/24
! IKE pre-shared key for peer "RouterB", keyed by hostname; "secret" is the example value
! and must match the key configured on RouterB.
crypto isakmp key secret hostname RouterB
! tunnel1: plain GRE (no IPsec, unencrypted) to RouterB's CUG address 10.0.0.1.
! tunnel2: GRE over IPsec to RouterB's ISP address 10.1.1.1. Both sourced from eth1.
interface tunnel1 mtu 1300 tunnel source 192.168.200.1 tunnel destination 10.0.0.1 tunnel mode gre ip address 172.16.0.2/30 ip tcp adjust-mss 1260
interface tunnel2 mtu 1300 tunnel source 192.168.200.1 tunnel destination 10.1.1.1 tunnel local name RouterD tunnel remote name RouterB tunnel protection ipsec tunnel mode gre ip address 172.17.0.2/30 ip tcp adjust-mss 1260
! PBR match zones: branch = local LANs, center = RouterB's LANs.
zone branch network lan ip subnet 192.168.20.0/24 ip subnet 192.168.200.0/24
zone center network lan ip subnet 192.168.10.0/24 ip subnet 192.168.100.0/24
! Link monitoring of both tunnel peers (RouterB's tunnel addresses) with the same
! "tunnelquality" thresholds as RouterB.
linkmon probe enable
linkmon probe name TUNNEL1 type ping destination 172.16.0.1 linkmon probe name TUNNEL2 type ping destination 172.17.0.1
linkmon profile tunnelquality latency bad-above 100 jitter bad-above 30 pktloss bad-above 1.0 preference pktloss
linkmon group GROUP1 member 10 destination 172.16.0.1 probe TUNNEL1 member 20 destination 172.17.0.1 probe TUNNEL2
! PBR: branch-to-center traffic steered by GROUP1.
policy-based-routing policy-based-routing enable ip policy-route 10 from branch to center linkmon-group GROUP1 linkmon-profile tunnelquality
! ping-poll 1 watches RouterB's tunnel2 address; the triggers run tunnel2_down.scp /
! tunnel2_up.scp, which move the 192.168.11.0/24 route between tunnel2 and tunnel1.
ping-poll 1 ip 172.17.0.1 up-count 3 fail-count 3 sample-size 3 active
trigger 1 type ping-poll 1 down script 1 tunnel2_down.scp trigger 2 type ping-poll 1 up script 1 tunnel2_up.scp
! Default route to RouterC; only 192.168.11.0/24 has a static route via tunnel2 here.
! NOTE(review): there is no static route for 192.168.10.0/24 - traffic to it depends on the
! PBR rule and otherwise follows the default route to RouterC; presumably intentional for
! this example, confirm.
ip route 0.0.0.0/0 192.168.200.100 ip route 192.168.11.0/24 tunnel2
end
「copy running-config startup-config」の書式で実行します。awplus# copy running-config startup-config ↓ Building configuration... [OK]
awplus# write memory ↓ Building configuration... [OK]
awplus(config)# log buffered level informational facility kern msgtext Firewall ↓
awplus# show log | include Firewall ↓
! RouterA running configuration (show running-config form of the RouterA settings entered above).
! no spanning-tree rstp enable ! interface eth1 encapsulation ppp 1 ! interface eth2 encapsulation ppp 2 ! interface ppp1 keepalive ppp username userA@cug ppp password cugpasswdA ip address 10.0.0.1/32 ip tcp adjust-mss pmtu ! interface ppp2 keepalive ppp username user@ispA ppp password isppasswdA ip address 10.1.1.1/32 ip tcp adjust-mss pmtu ! interface vlan1 ip address 192.168.100.100/24 ! zone private network lan ip subnet 192.168.10.0/24 ip subnet 192.168.11.0/24 ip subnet 192.168.100.0/24 host RouterB ip address 192.168.100.1 network tunnel ip subnet 172.16.0.0/30 ip subnet 172.17.0.0/30 ! zone public network eth1 ip subnet 0.0.0.0/0 interface ppp1 host ppp1 ip address 10.0.0.1 network eth2 ip subnet 0.0.0.0/0 interface ppp2 host ppp2 ip address 10.1.1.1 ! application gre protocol 47 ! application esp protocol 50 ! application isakmp protocol udp sport 500 dport 500 ! application nat-t protocol udp sport 4500 dport 4500 ! firewall rule 10 permit any from private to private no-state-enforcement rule 20 permit any from private to public rule 30 permit gre from public.eth1.ppp1 to public.eth1 rule 40 permit gre from public.eth1 to public.eth1.ppp1 rule 50 permit gre from public.eth1 to private.lan.RouterB rule 60 permit gre from public.eth2.ppp2 to public.eth2 rule 70 permit gre from public.eth2 to public.eth2.ppp2 rule 80 permit gre from public.eth2 to private.lan.RouterB rule 90 permit isakmp from public.eth2.ppp2 to public.eth2 rule 100 permit isakmp from public.eth2 to public.eth2.ppp2 rule 110 permit isakmp from public.eth2 to private.lan.RouterB rule 120 permit esp from public.eth2.ppp2 to public.eth2 rule 130 permit esp from public.eth2 to public.eth2.ppp2 rule 140 permit esp from public.eth2 to private.lan.RouterB rule 150 permit nat-t from public.eth2.ppp2 to public.eth2 rule 160 permit nat-t from public.eth2 to public.eth2.ppp2 rule 170 permit nat-t from public.eth2 to private.lan.RouterB protect ! 
nat rule 10 portfwd gre from public.eth1 to public.eth1.ppp1 with dst private.lan.RouterB rule 20 portfwd gre from public.eth2 to public.eth2.ppp2 with dst private.lan.RouterB rule 30 portfwd isakmp from public.eth2 to public.eth2.ppp2 with dst private.lan.RouterB rule 40 portfwd nat-t from public.eth2 to public.eth2.ppp2 with dst private.lan.RouterB rule 50 masq any from private to public enable ! ip route 0.0.0.0/0 ppp2 ip route 10.0.0.2/32 ppp1 ip route 10.0.0.2/32 Null 254 ip route 10.1.1.2/32 ppp2 ip route 10.1.1.2/32 Null 254 ip route 192.168.10.0/24 192.168.100.1 ip route 192.168.11.0/24 192.168.100.1 ! end
! RouterB running configuration (tunnel endpoint: PSK "secret" for peer RouterD, plain-GRE tunnel1, GRE-over-IPsec tunnel2, linkmon/PBR, ping-poll triggers).
! no spanning-tree rstp enable ! interface eth1 ip address 192.168.100.1/24 ! vlan database vlan 11 state enable interface port1.0.2 switchport switchport mode access switchport access vlan 11 ! interface vlan1 ip address 192.168.10.1/24 ! interface vlan11 ip address 192.168.11.1/24 ! crypto isakmp key secret hostname RouterD ! interface tunnel1 mtu 1300 tunnel source 192.168.100.1 tunnel destination 10.0.0.2 tunnel mode gre ip address 172.16.0.1/30 ip tcp adjust-mss 1260 ! interface tunnel2 mtu 1300 tunnel source 192.168.100.1 tunnel destination 10.1.1.2 tunnel local name RouterB tunnel remote name RouterD tunnel protection ipsec tunnel mode gre ip address 172.17.0.1/30 ip tcp adjust-mss 1260 ! zone branch network lan ip subnet 192.168.20.0/24 ip subnet 192.168.200.0/24 ! zone center network lan ip subnet 192.168.10.0/24 ip subnet 192.168.100.0/24 ! linkmon probe enable ! linkmon probe name TUNNEL1 type ping destination 172.16.0.2 linkmon probe name TUNNEL2 type ping destination 172.17.0.2 ! linkmon profile tunnelquality latency bad-above 100 jitter bad-above 30 pktloss bad-above 1.0 preference pktloss ! linkmon group GROUP1 member 10 destination 172.16.0.2 probe TUNNEL1 member 20 destination 172.17.0.2 probe TUNNEL2 ! policy-based-routing policy-based-routing enable ip policy-route 10 from center to branch linkmon-group GROUP1 linkmon-profile tunnelquality ! ping-poll 1 ip 172.17.0.2 up-count 3 fail-count 3 sample-size 3 active ! trigger 1 type ping-poll 1 down script 1 tunnel2_down.scp trigger 2 type ping-poll 1 up script 1 tunnel2_up.scp ! ip route 0.0.0.0/0 192.168.100.100 ip route 192.168.20.0/24 tunnel2 ! end
! RouterC running configuration (mirror of RouterA with RouterD as the port-forward target).
! no spanning-tree rstp enable ! interface eth1 encapsulation ppp 1 ! interface eth2 encapsulation ppp 2 ! interface ppp1 keepalive ppp username userC@cug ppp password cugpasswdC ip address 10.0.0.2/32 ip tcp adjust-mss pmtu ! interface ppp2 keepalive ppp username user@ispC ppp password isppasswdC ip address 10.1.1.2/32 ip tcp adjust-mss pmtu ! interface vlan1 ip address 192.168.200.100/24 ! zone private network lan ip subnet 192.168.20.0/24 ip subnet 192.168.200.0/24 host RouterD ip address 192.168.200.1 network tunnel ip subnet 172.16.0.0/30 ip subnet 172.17.0.0/30 ! zone public network eth1 ip subnet 0.0.0.0/0 interface ppp1 host ppp1 ip address 10.0.0.2 network eth2 ip subnet 0.0.0.0/0 interface ppp2 host ppp2 ip address 10.1.1.2 ! application gre protocol 47 ! application esp protocol 50 ! application isakmp protocol udp sport 500 dport 500 ! application nat-t protocol udp sport 4500 dport 4500 ! firewall rule 10 permit any from private to private no-state-enforcement rule 20 permit any from private to public rule 30 permit gre from public.eth1.ppp1 to public.eth1 rule 40 permit gre from public.eth1 to public.eth1.ppp1 rule 50 permit gre from public.eth1 to private.lan.RouterD rule 60 permit gre from public.eth2.ppp2 to public.eth2 rule 70 permit gre from public.eth2 to public.eth2.ppp2 rule 80 permit gre from public.eth2 to private.lan.RouterD rule 90 permit isakmp from public.eth2.ppp2 to public.eth2 rule 100 permit isakmp from public.eth2 to public.eth2.ppp2 rule 110 permit isakmp from public.eth2 to private.lan.RouterD rule 120 permit esp from public.eth2.ppp2 to public.eth2 rule 130 permit esp from public.eth2 to public.eth2.ppp2 rule 140 permit esp from public.eth2 to private.lan.RouterD rule 150 permit nat-t from public.eth2.ppp2 to public.eth2 rule 160 permit nat-t from public.eth2 to public.eth2.ppp2 rule 170 permit nat-t from public.eth2 to private.lan.RouterD protect ! 
nat rule 10 portfwd gre from public.eth1 to public.eth1.ppp1 with dst private.lan.RouterD rule 20 portfwd gre from public.eth2 to public.eth2.ppp2 with dst private.lan.RouterD rule 30 portfwd isakmp from public.eth2 to public.eth2.ppp2 with dst private.lan.RouterD rule 40 portfwd nat-t from public.eth2 to public.eth2.ppp2 with dst private.lan.RouterD rule 50 masq any from private to public enable ! ip route 0.0.0.0/0 ppp2 ip route 10.0.0.1/32 ppp1 ip route 10.0.0.1/32 Null 254 ip route 10.1.1.1/32 ppp2 ip route 10.1.1.1/32 Null 254 ip route 192.168.20.0/24 192.168.200.1 ! end
! RouterD running configuration (mirror of RouterB; vlan1 is 192.168.20.1/24, eth1 is 192.168.200.1/24).
! no spanning-tree rstp enable ! interface eth1 ip address 192.168.200.1/24 ! interface vlan1 ip address 192.168.20.1/24 ! crypto isakmp key secret hostname RouterB ! interface tunnel1 mtu 1300 tunnel source 192.168.200.1 tunnel destination 10.0.0.1 tunnel mode gre ip address 172.16.0.2/30 ip tcp adjust-mss 1260 ! interface tunnel2 mtu 1300 tunnel source 192.168.200.1 tunnel destination 10.1.1.1 tunnel local name RouterD tunnel remote name RouterB tunnel protection ipsec tunnel mode gre ip address 172.17.0.2/30 ip tcp adjust-mss 1260 ! zone branch network lan ip subnet 192.168.20.0/24 ip subnet 192.168.200.0/24 ! zone center network lan ip subnet 192.168.10.0/24 ip subnet 192.168.100.0/24 ! linkmon probe enable ! linkmon probe name TUNNEL1 type ping destination 172.16.0.1 linkmon probe name TUNNEL2 type ping destination 172.17.0.1 ! linkmon profile tunnelquality latency bad-above 100 jitter bad-above 30 pktloss bad-above 1.0 preference pktloss ! linkmon group GROUP1 member 10 destination 172.16.0.1 probe TUNNEL1 member 20 destination 172.17.0.1 probe TUNNEL2 ! policy-based-routing policy-based-routing enable ip policy-route 10 from branch to center linkmon-group GROUP1 linkmon-profile tunnelquality ! ping-poll 1 ip 172.17.0.1 up-count 3 fail-count 3 sample-size 3 active ! trigger 1 type ping-poll 1 down script 1 tunnel2_down.scp trigger 2 type ping-poll 1 up script 1 tunnel2_up.scp ! ip route 0.0.0.0/0 192.168.200.100 ip route 192.168.11.0/24 tunnel2 ! end
! tunnel2_down.scp for RouterB (presumably, from its contents: the 192.168.20.0/24 route is
! RouterB's). Run by trigger 1 when ping-poll 1 (172.17.0.2) reports tunnel2 down: moves the
! branch LAN route from tunnel2 (GRE over IPsec) to tunnel1 (plain GRE) - while the script
! is in effect, center-to-branch traffic crosses the CUG unencrypted.
enable
con t
no ip route 192.168.20.0/24 tunnel2
ip route 192.168.20.0/24 tunnel1
end
! tunnel2_up.scp for RouterB (presumably, from its contents). Run by trigger 2 when ping-poll 1
! reports tunnel2 up again: returns the branch LAN route from tunnel1 to the IPsec-protected
! tunnel2, undoing tunnel2_down.scp.
enable
con t
no ip route 192.168.20.0/24 tunnel1
ip route 192.168.20.0/24 tunnel2
end
! tunnel2_down.scp for RouterD (presumably, from its contents: the 192.168.11.0/24 route is
! RouterD's). Run by trigger 1 when ping-poll 1 (172.17.0.1) reports tunnel2 down: moves the
! route for center vlan11 from tunnel2 (GRE over IPsec) to tunnel1 (plain GRE, unencrypted).
enable
con t
no ip route 192.168.11.0/24 tunnel2
ip route 192.168.11.0/24 tunnel1
end
! tunnel2_up.scp for RouterD (presumably, from its contents). Run by trigger 2 when ping-poll 1
! reports tunnel2 up again: returns the vlan11 route from tunnel1 to the IPsec-protected
! tunnel2, undoing tunnel2_down.scp.
enable
con t
no ip route 192.168.11.0/24 tunnel1
ip route 192.168.11.0/24 tunnel2
end
(C) 2015 - 2018 アライドテレシスホールディングス株式会社
PN: 613-002107 Rev.S