Tunnels Settings Tab
Orchestrator > Orchestrator Server > Tools > Tunnels Settings
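Use this tab to manage the properties of tunnels created by Orchestrator. It provides General, IKE, and IPSec tunnel settings for the MPLS, Internet, and LTE WAN interface labels.
General Tab
Access the following fields on the General tab.
General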
| Field | Description |
|---|---|
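| Mode | Indicates whether the tunnel protocol is IPSec, IPSec UDP, UDP, or GRE. If you select IPSec, you can specify the IKE version on the IKE tab. |
| Auto max BW enabled | Allows the appliance to auto-negotiate the maximum tunnel bandwidth. |
| Auto discover MTU enabled | Allows the appliance to auto-negotiate the maximum tunnel bandwidth. |
| MTU | Maximum Transmission Unit (MTU) is the largest data unit that can be sent on a given physical medium. For example, the MTU of Ethernet is 1500 bytes. MTUs of up to 9000 bytes are supported. Auto allows the tunnel MTU to be discovered automatically, and it overrides the MTU setting. |
| UDP destination port | Used in UDP mode. Accept the default value unless the port is blocked by a firewall. |
| UDP flows | Used in UDP mode. Indicates the number of flows over which to distribute tunnel data. Accept the default. |
Packet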
| Field | Description |
|---|---|
| Reorder wait | Maximum time the appliance holds an out-of-order packet when attempting to reorder. The packets can come from the same or a different path, or from the FEC correction engine. 100 ms is the default value and should be adequate for most situations. If the reorder wait time exceeds 100 ms (or the set value), the packet is delivered out of order. |
| FEC | Forward Error Correction (FEC) can be set to enable, disable, or auto. |
| FEC ratio | When FEC is set to auto, this specifies the maximum ratio. The options are 1:2, 1:5, 1:10, or 1:20. |
Tunnel Health
| Field | Description |
|---|---|
| Retry count | Number of failed keep-alive messages allowed before the appliance brings the tunnel down. |
| DSCP | Determines the DSCP marking that the keep-alive messages should use. |
FastFail Thresholds
| Field | Description |
|---|---|
| Fastfail enabled | Fastfail thresholds determine how quickly to disqualify a tunnel from carrying data when multiple tunnels carry data between two appliances. The Fastfail connectivity detection algorithm for the wait time from receipt of the last packet before declaring a brownout is: Twait = Base + N * RTTavg, where Base is a value in milliseconds and N is the multiplier of the average round-trip time over the past minute. For example, if Base = 200 ms, N = 2, and RTTavg = 50 ms, then the appliance declares the tunnel to be in brownout if it does not see a reply packet from the remote end within 300 ms of receiving the most recent packet. In the tunnel Advanced options, Base is expressed as Fastfail wait-time base offset (ms), and N is expressed as Fastfail RTT multiplication factor. Fastfail enabled - This option is triggered when a tunnel's keep-alive signal does not receive a reply. The options are disable, enable, and continuous. If the disqualified tunnel subsequently receives a keep-alive reply, its recovery is instantaneous. If set to disable, keep-alives are sent every second, and 30 seconds elapse before failover. In that time, all transmitted data is lost. If set to enable, keep-alives are sent every second, and a missed reply increases the rate at which keep-alives are sent from one per second to ten per second. Failover occurs after one second. If set to continuous, keep-alives are continuously sent at ten per second. Therefore, failover occurs after one-tenth of a second. |
| Latency | Amount of latency, measured in ms. Thresholds for Latency, Loss, or Jitter are checked once every second. Receiving three successive measurements in a row that exceed the threshold puts the tunnel into a brownout situation, and flows will attempt to fail over to another tunnel within the next 100 ms. Receiving three successive measurements in a row that drop below the threshold will drop the tunnel out of brownout. |
| Loss | Amount of data lost, measured as a percentage. |
| Jitter | Amount of jitter, measured in ms. |
| Fastfail wait-time base offset | Base time used when calculating the fastfail timeout. |
| Fastfail RTT multiplication factor | Multiplier in the formula used to calculate the fastfail timeout. |
IKE Tab
Access the following fields by clicking the IKE tab. This tab is displayed only if the Mode field on the General tab is set to IPSec.
IKE
| Field | Description |
|---|---|
| Authentication algorithm | Sets tunnel authentication. Select SHA-1, SHA2-256, SHA2-384, or SHA2-512. |
| Encryption algorithm | Specifies the encryption algorithm used for the Phase 1 negotiation. Select AES-256, AES-128, or auto. |
| Diffie-Hellman group | Diffie-Hellman group used for IKE SA negotiation. |
| Rekey interval/lifetime | Rekey interval/lifetime of IKE SA. |
| Dead peer detection | Delay time: Amount of time, in seconds, to wait for traffic from the destination IKE peer. Retry count: Number of times to retry the connection before determining that the connection is dead. NOTE: Dead Peer Detection is supported only on EdgeConnect appliances running VXOA software version 8.2.1 and higher. |
| Phase 1 mode | Defines the exchange mode for Phase 1. The options are Main or Aggressive. If IKEv2 is selected, the default mode is aggressive. |
| IKE version | IKE major version. Select IKEv1 or IKEv2. |
IPSec Tab
Click the IPSec tab to access the following fields. This tab is displayed only if the Mode field on the General tab is set to IPSec or IPSec UDP.
IPSec
| Field | Description |
|---|---|
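| Authentication algorithm | Authentication algorithm used by IPSec SA. Select SHA-1, SHA2-256, SHA2-384, or SHA2-512. |
| Encryption algorithm | Specifies the encryption algorithm used for the Phase 1 negotiation. Select AES-256, AES-128, or auto. |
| IPSec anti-replay window | Select a size from the drop-down list, or select Disable to disable the IPSec anti-replay window. If a size is selected, protection against an attacker duplicating encrypted packets is provided by assigning a unique sequence number to each encrypted packet. |
| Rekey interval/lifetime | Rekey interval/lifetime of IPSec SA. |
| Perfect forward secrecy group | Specifies the Diffie-Hellman group exponentiation used for IPSec SA negotiation. |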
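
The IPSec anti-replay window setting above can be pictured with the following added example, which is not Orchestrator or appliance code: a generic sliding-window receiver check in the style of RFC 4303, run over a constructed arrival order. The class and function names, the window sizes 4 and 64, and the sample sequence numbers are assumptions made for illustration.

```python
# Added illustration: generic RFC 4303-style sliding-window anti-replay check.
# Not the appliance's code; class/function names and sample data are hypothetical.

class AntiReplayWindow:
    def __init__(self, size):
        self.size = size    # window size in packets; None models the "Disable" choice
        self.highest = 0    # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (highest - i) already seen

    def check_and_update(self, seq):
        """Classify one packet that has already passed integrity verification."""
        if self.size is None:
            return "accept"             # no replay protection at all
        if seq < 1:
            return "invalid"            # ESP sequence numbers start at 1
        if seq > self.highest:          # new right edge: slide the window forward
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"            # left of the window: cannot be checked, dropped
        if self.bitmap & (1 << offset):
            return "replay"             # sequence number already seen
        self.bitmap |= 1 << offset      # late but new: remember it
        return "accept"


def classify(size, arrivals):
    """Run a constructed arrival order through a fresh window of the given size."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(seq) for seq in arrivals]


# Constructed arrival order: 3 arrives late, 2 is duplicated, the stream jumps
# to 12, then a delayed 6 and a duplicate of 12 arrive.
ARRIVALS = [1, 2, 4, 5, 3, 2, 12, 6, 12]

if __name__ == "__main__":
    for size in (None, 4, 64):
        print(size, classify(size, ARRIVALS))
```

With the window disabled, both duplicates are accepted. With a window of 4 the delayed packet 6 is dropped as too old, while a window of 64 accepts it and still rejects both duplicates, which is the trade-off to weigh when tunnels see reordering.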