EdgeMAX - Layer 2 bridge over a GRE tunnel

Overview


Readers will learn how to configure a Layer 2 GRE (Generic Routing Encapsulation) tunnel between two separate routers.

 

Diagram: LANs bridged over a GRE tunnel between two EdgeRouters.

 

The diagram above shows the GRE tunnel crossing the Internet, but GRE provides no encryption, so if the tunnel crosses a public network you will probably want to protect it with an IPsec tunnel. For illustration purposes we will assume the following:

 

R1's WAN interface is eth1 with address 15.0.0.1/24, and its LAN interface is eth0; the subnet being bridged is 100.0.0.0/24.
R2's WAN interface is eth1 with address 15.0.0.2/24, and its LAN interface is eth0.

First we create the GRE tunnel:

 

ubnt@R1:~$ configure 
[edit]
ubnt@R1# set interfaces tunnel tun0 encapsulation gre-bridge 
[edit]
ubnt@R1# set interfaces tunnel tun0 local-ip 15.0.0.1        
[edit]
ubnt@R1# set interfaces tunnel tun0 remote-ip 15.0.0.2
[edit]
ubnt@R1# commit
[edit]

Note: the tunnel encapsulation is gre-bridge, not gre.

Next we create a bridge interface and add eth0 and tun0 to the bridge group.

 

ubnt@R1:~$ configure 
[edit]
ubnt@R1# set interfaces bridge br0 
[edit]
ubnt@R1# set interfaces ethernet eth0 bridge-group bridge br0
[edit]
ubnt@R1# set interfaces tunnel tun0 bridge-group bridge br0
[edit]
ubnt@R1# commit
[ interfaces ethernet eth0 bridge-group ]  
Adding interface eth0 to bridge br0
[edit]
ubnt@R1# exit; save 
Warning: configuration changes have not been saved.
exit

Now, if we ping from a workstation on R1's LAN (100.0.0.100) to a workstation on R2's LAN (100.0.0.100), let's see what the packet looks like as it leaves R2:

At a high level the packet has the following layers - eth:ip:gre:eth:ip:icmp:data.

Ethernet II, Src: dc:9f:db:17:12:35 (dc:9f:db:17:12:35), Dst: dc:9f:db:29:05:f6 (dc:9f:db:29:05:f6)
   Destination: dc:9f:db:29:05:f6 (dc:9f:db:29:05:f6)
       Address: dc:9f:db:29:05:f6 (dc:9f:db:29:05:f6)
   Source: dc:9f:db:17:12:35 (dc:9f:db:17:12:35)
   Type: IP (0x0800)
Internet Protocol, Src: 15.0.0.2 (15.0.0.2), Dst: 15.0.0.1 (15.0.0.1)
   Version: 4
   Header length: 20 bytes
   Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
   Total Length: 1500
   Identification: 0x0000 (0)
   Flags: 0x02 (Don't Fragment)
   Fragment offset: 0
   Time to live: 64
   Protocol: GRE (0x2f)
   Header checksum: 0x16f1 [correct]
   Source: 15.0.0.2 (15.0.0.2)
   Destination: 15.0.0.1 (15.0.0.1)
Generic Routing Encapsulation (Transparent Ethernet bridging)
   Flags and version: 0000
   Protocol Type: Transparent Ethernet bridging (0x6558)
Ethernet II, Src: Ubiquiti_07:07:21 (00:15:6d:07:07:21), Dst: dc:9f:db:17:13:8e (dc:9f:db:17:13:8e)
   Destination: dc:9f:db:17:13:8e (dc:9f:db:17:13:8e)
       Address: dc:9f:db:17:13:8e (dc:9f:db:17:13:8e)
   Source: Ubiquiti_07:07:21 (00:15:6d:07:07:21)
       Address: Ubiquiti_07:07:21 (00:15:6d:07:07:21)
   Type: IP (0x0800)
Internet Protocol, Src: 100.0.0.101 (100.0.0.101), Dst: 100.0.0.100 (100.0.0.100)
   Version: 4
   Header length: 20 bytes
   Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
   Total Length: 1462
   Identification: 0x0000 (0)
   Flags: 0x02 (Don't Fragment)
   Fragment offset: 0
   Time to live: 64
   Protocol: ICMP (0x01)
   Header checksum: 0x6c7e [correct]
   Source: 100.0.0.101 (100.0.0.101)
   Destination: 100.0.0.100 (100.0.0.100)
Internet Control Message Protocol
   Type: 8 (Echo (ping) request)
   Code: 0 ()
   Checksum: 0xe7da [correct]
   Identifier: 0x0e90
   Sequence number: 1 (0x0001)
   Data (1434 bytes)

The gre-bridge interface knows it will add 38 bytes of headers (gre 4, eth 14, ip 20), so the tunnel interface has automatically reduced its MTU from 1500 to 1462:

ubnt@R1:~$ show interfaces tunnel tun0   
tun0@NONE: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1462 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 12:5b:3a:c1:4a:f1 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::105b:3aff:fec1:4af1/64 scope link 
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
          3186         34          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
          3166         34          0          0          0          0
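
The layering and the 38-byte overhead described above, as an added example that is not part of the original article: a Python decoder run over a constructed packet that reuses the capture's addresses, showing that the bridged inner frame is readable in cleartext when GRE is not wrapped in IPsec. The function names, the zeroed checksums and the shortened ICMP payload are assumptions of this example.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47   # IP protocol number for GRE (0x2f in the capture)
TEB = 0x6558     # GRE protocol type: Transparent Ethernet bridging

def ipv4_header(src, dst, proto, payload_len):
    # Constructed header: DF set, TTL 64, checksum left at 0 (not verified below).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def build_sample():
    """Constructed packet shaped like the capture above (ICMP data shortened)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x0E90, 1) + b"A" * 16
    inner_ip = ipv4_header("100.0.0.101", "100.0.0.100", 1, len(icmp)) + icmp
    inner_eth = bytes.fromhex("dc9fdb17138e00156d0707210800") + inner_ip
    gre = struct.pack("!HH", 0x0000, TEB)
    return ipv4_header("15.0.0.2", "15.0.0.1", GRE_PROTO, len(gre + inner_eth)) + gre + inner_eth

def parse_gre_bridge(pkt, link_mtu=1500):
    """Decode an outer IPv4 packet; return inner IPv4 fields, or None if not gre-bridge."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != GRE_PROTO:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 4:
        return None
    flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if ptype != TEB:
        return None
    # Optional checksum (C), key (K) and sequence (S) fields add 4 bytes each.
    gre_len = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    eth = pkt[ihl + gre_len:]
    if len(eth) < 14 + 20 or eth[12:14] != b"\x08\x00":
        return None
    overhead = ihl + gre_len + 14
    return {
        "outer": (str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))),
        "inner_src_mac": eth[6:12].hex(":"),
        "inner": (str(IPv4Address(eth[26:30])), str(IPv4Address(eth[30:34]))),
        "inner_proto": eth[23],
        "overhead": overhead,               # ip 20 + gre 4 + eth 14
        "tunnel_mtu": link_mtu - overhead,  # MTU left for the bridged frame's payload
    }

if __name__ == "__main__":
    print(parse_gre_bridge(build_sample()))
```

Anyone on the path between the two WAN addresses can perform the same decode, which is why the article recommends IPsec around the tunnel on public networks.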

L2 Bridge over OpenVPN

The same concept can be used to bridge over an OpenVPN site-to-site tunnel.

ubnt@R1:~$ configure 
[edit]
ubnt@R1# delete interfaces tunnel 
[edit]
ubnt@R1# commit
[edit]
ubnt@R1# set interfaces openvpn vtun0 mode site-to-site 
[edit]
ubnt@R1# set interfaces openvpn vtun0 remote-host 15.0.0.2
[edit]
ubnt@R1# set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
[edit]
ubnt@R1# set interfaces openvpn vtun0 bridge-group bridge br0  
[edit]
ubnt@R1# commit
[edit]
ubnt@R1# save  
Saving configuration to '/config/config.boot'...
Done
[edit]
ubnt@R1# exit
exit

With OpenVPN, the MTU reduction depends on whether OpenVPN is used with UDP (8 bytes) or TCP (20 bytes), plus eth 14 or ip 20.