More than 5 years have passed since last update.

NEC UNIVERGE IX2105 で EtherIP のオーバーヘッドをみてみた

Last updated at 2019-09-07Posted at 2019-09-07

背景

NEC のイケてる VPN ルータで IPSec で暗号化せずに素の EtherIP だけでどのくらいオーバーヘッドがあるのか知りたくなった。

構成

(Internet) <-> IX2015 <- IPv6/EtherIP -> IX2015 <--> (PC)

2台の IX2105 は同じL2スイッチに接続。
IPv6 で EtherIP トンネルを構成。

config

ip ufs-cache enable
ipv6 ufs-cache enable

bridge irb enable

ike proposal ike_proposal encryption aes hash sha group 1024-bit
ike policy ike_policy peer <対向のIPv6アドレス> key <共有パスフレーズ> ike_proposal
ike keepalive ike_policy 10 3
ipsec autokey-proposal ipsec_proposal esp-aes esp-sha
ipv6 access-list ipsec_acl permit ip src any dest any
ipsec autokey-map ipsec_map ipsec_acl peer <対向のIPv6アドレス> ipsec_proposal

ipv6 dhcp client-profile dhcpv6_client
  information-request
  option-request dns-servers
exit

device GigaEthernet1
  vlan-group 1 port 1
  vlan-group 2 port 2
exit

interface GigaEthernet0.0
  no ip address
  ipv6 enable
  ipv6 address autoconfig receive-default
  ipv6 dhcp client dhcpv6_client
  no shutdown
exit

interface GigaEthernet1.0
  no ip address
  no shutdown
exit

interface GigaEthernet1:1.0
  no ip address
  bridge-group 1
  no shutdown
exit

interface GigaEthernet1:2.0
  no ip address
  bridge-group 2
  no shutdown
exit

interface Tunnel0.0
  tunnel mode ether-ip ipv6
  tunnel destination <対向のIPv6アドレス>
  tunnel source GigaEthernet0.0
  no ip address
  bridge-group 1
  bridge ip tcp adjust-mss 1404
  no shutdown
exit

interface Tunnel1.0
  tunnel mode ether-ip ipsec
  no ip address
  ipsec policy tunnel ipsec_map df-bit ignore out
  bridge-group 2
  bridge ip tcp adjust-mss 1312
  no shutdown
exit