9. What is a tunnel?
A tunnel is a logical interface on a Cisco router that provides a way to encapsulate passenger packets inside a transport protocol. It is an architecture designed to provide the services needed to implement a point-to-point encapsulation scheme. Tunneling has the following three primary components:
- Passenger protocol: AppleTalk, Banyan VINES, CLNS, DECnet, IP, or IPX.
- Carrier protocol: one of the following encapsulation protocols:
  - GRE, Cisco's multiprotocol carrier protocol. See RFC 2784 and RFC 1701 for more information.
  - IP in IP tunnels. See RFC 2003 for more information.
- Transport protocol: the protocol used to carry the encapsulated protocol.
The packets below illustrate the IP tunneling concepts where GRE is the encapsulation protocol and IP is the transport protocol. The passenger protocol is also IP. In this case, IP is both the transport and the passenger protocol.
Normal packet:  IP | TCP | Telnet
Tunnel packet:  IP | GRE | IP | TCP | Telnet
- IP is the transport protocol.
- GRE is the encapsulation protocol.
- IP is the passenger protocol.
The next example shows the encapsulation of IP and DECnet as passenger protocols with GRE as the carrier. This illustrates the fact that the carrier protocol can encapsulate multiple passenger protocols.
A network administrator might consider tunneling in a situation where there are two discontiguous non-IP networks separated by an IP backbone. If the discontiguous networks are running DECnet, the administrator may not want to connect them together by configuring DECnet in the backbone. The administrator may not want to permit DECnet routing to consume backbone bandwidth because this could interfere with the performance of the IP network.
A viable alternative is to tunnel DECnet over the IP backbone. Tunneling encapsulates the DECnet packets inside IP and sends them across the backbone to the tunnel endpoint, where the encapsulation is removed and the DECnet packets can be routed to their destination via DECnet.
Encapsulating traffic inside another protocol provides the following advantages:
- The endpoints use private addresses (RFC 1918) and the backbone does not support routing these addresses.
- Allow virtual private networks (VPNs) across WANs or the Internet.
- Join together discontiguous multiprotocol networks over a single-protocol backbone.
- Encrypt traffic over the backbone or Internet.
For the rest of the document we will use IP as the passenger protocol and IP as the transport protocol.
10. Considerations for tunnel interfaces
The following are considerations when tunneling.
- Fast switching of GRE tunnels was introduced in Cisco IOS Release 11.1 and CEF switching was introduced in version 12.0. CEF switching for multipoint GRE tunnels was introduced in version 12.2(8)T. Encapsulation and de-capsulation at tunnel endpoints were slow operations in earlier versions of IOS when only process switching was supported.
- There are security and topology issues when tunneling packets. Tunnels can bypass access control lists (ACLs) and firewalls. If you tunnel through a firewall, you basically bypass the firewall for whatever passenger protocol you are tunneling. Therefore it is recommended to include firewall functionality at the tunnel endpoints to enforce any policy on the passenger protocols.
- Tunneling might create problems with transport protocols that have limited timers (for example, DECnet) because of increased latency.
- Tunneling across environments with different speed links, like fast FDDI rings and through slow 9600-bps phone lines, may introduce packet reordering problems. Some passenger protocols function poorly in mixed media networks.
- Point-to-point tunnels can use up the bandwidth on a physical link. If you are running routing protocols over multiple point-to-point tunnels, keep in mind that each tunnel interface has a bandwidth and that the physical interface over which the tunnel runs has a bandwidth. For example, you would want to set the tunnel bandwidth to 100 Kb if there were 100 tunnels running over a 10 Mb link. The default bandwidth for a tunnel is 9 Kb.
- Routing protocols may prefer a tunnel over a physical link because the tunnel might deceptively appear to be a one-hop link with the lowest cost path, although it actually involves more hops and is really more costly than another path. This can be mitigated with proper configuration of the routing protocol. You might want to consider running a different routing protocol over the tunnel interface than the routing protocol running on the physical interface.
- Problems with recursive routing can be avoided by configuring appropriate static routes to the tunnel destination. A recursive route is when the best path to the tunnel destination is through the tunnel itself. This situation will cause the tunnel interface to bounce up and down. You will see the following error when there is a recursive routing problem:
%TUN-RECURDOWN Interface Tunnel 0 temporarily disabled due to recursive routing
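As an added example (not part of the Cisco document), the following Python builds the tunnel packet from the diagram in section 9 (transport IP | GRE | passenger IP | TCP | Telnet), decapsulates it according to the RFC 2784 base GRE header, and shows the point of the firewall consideration above: an ACL matching only the outer header sees IP protocol 47, while a firewall function at the tunnel endpoint sees the Telnet passenger and can deny it. The addresses, ports and the deny-Telnet policy are constructed for the example.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number of the carrier (GRE)
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 passenger
TCP_PROTO, TELNET_PORT = 6, 23

def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))   # one's-complement sum
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF
def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte IPv4 header: IHL=5, TTL=64, no options, checksum filled in.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
def gre_encapsulate(transport_src: str, transport_dst: str, passenger: bytes) -> bytes:
    # RFC 2784 base GRE header (C=0, version=0) followed by the passenger protocol type.
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    outer = ipv4_header(transport_src, transport_dst, GRE_PROTO, len(gre) + len(passenger))
    return outer + gre + passenger          # transport IP | GRE | passenger packet
def gre_decapsulate(packet: bytes) -> bytes:
    # Strip the transport IP header and the GRE header; return the passenger packet.
    ihl = (packet[0] & 0x0F) * 4
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if packet[9] != GRE_PROTO or flags & 0x0007 or ptype != ETHERTYPE_IPV4:
        raise ValueError("not a version-0 GRE packet carrying IPv4")
    off = ihl + 4 + (4 if flags & 0x8000 else 0)   # C bit set: skip checksum + reserved1
    return packet[off:]

def backbone_acl_view(packet: bytes) -> dict:
    # All an ACL on the backbone can match: the outer (transport) header, protocol 47.
    return {"proto": packet[9], "src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20])}

def endpoint_policy(packet: bytes) -> str:
    # Firewall function at the tunnel endpoint: decapsulate, then apply a deny-Telnet policy.
    inner = gre_decapsulate(packet)
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] == TCP_PROTO:
        _, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        if dport == TELNET_PORT:
            return "deny"
    return "permit"

def sample_telnet_in_gre() -> bytes:
    # Constructed sample: a Telnet SYN (TCP/23) from 10.1.1.10 to 10.2.2.20, tunnelled in GRE.
    tcp = struct.pack("!HHIIBBHHH", 40000, TELNET_PORT, 1, 0, 0x50, 0x02, 8192, 0, 0)
    passenger = ipv4_header("10.1.1.10", "10.2.2.20", TCP_PROTO, len(tcp)) + tcp
    return gre_encapsulate("192.0.2.1", "198.51.100.1", passenger)
```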