
considered a security issue because, in such cases, the Internet traffic is not filtered or protected according to a company policy.

To disable split tunneling, use the configuration shown in the following example.

Configuration options related to split tunneling

interfaces {
    openvpn if_name {
        replace-default-route {
            local
        }
    }
}

• replace-default-route: This argument tells OpenVPN that the default route should be replaced by a route through the VPN tunnel, that is, split tunneling should be disabled. Note that, when set, this option has different effects depending on the OpenVPN mode in which the endpoint operates.
  ‐ If the endpoint is in site-to-site mode or client mode, using replace-default-route replaces the default route on this endpoint with a route through the VPN tunnel. In other words, it disables split tunneling on this endpoint.
  ‐ If the endpoint is in server mode, using replace-default-route causes the clients connecting to this server to replace their default route. In other words, it disables split tunneling on the clients.
• local: This keyword under replace-default-route must be set if and only if the two tunnel endpoints are directly connected, that is, on the same subnet.

Because the OpenVPN tunnel interface is routable, static routes can be added, with or without split tunneling, to override the default behavior.

Broadcast network (site-to-site, client, server)

By default, an OpenVPN interface is configured as a "tun" device. A tun device is a virtual network interface that operates on Layer 3 (network layer) traffic, such as IP packets. There are cases in which the virtual interface needs to operate on Layer 2 (link layer) traffic. One example of this need is when hosts on each end of a tunnel must reside on the same subnet. In this case, the two segments must be bridged across the tunnel, and bridging occurs on Layer 2. Another example is when a DHCP Relay resides on one side of a tunnel and the DHCP Server or DHCP clients reside on the other side. Clients must broadcast DHCP discovery messages and require a broadcast network to carry these messages. Because of this necessity, DHCP Relay requires that all interfaces to which it binds are broadcast interfaces.

A "tap" device is a virtual network interface that operates on Layer 2 (link layer) traffic and provides a broadcast network. A tap device is automatically configured by the system if the OpenVPN tunnel is to be used to bridge two subnets: if an OpenVPN tunnel is added to a bridge group, a tap device is implied and does not need to be configured explicitly. For cases that do not involve bridging, a tap device must be configured explicitly by using the interfaces openvpn vtunx device-type tap command.

Client and server configuration

To configure an OpenVPN client or server as a tap device, use the configuration shown in the following example.

Configuration options related to tap devices for client and server interfaces

interfaces {
    openvpn if_name {
        device-type tap
    }
}
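The two rules above (split tunneling is disabled on the endpoint or on its clients depending on mode, and a tap device is either explicit or implied by a bridge group) are easy to misread in a large configuration, so a small audit helps. The following is an added example written for this page; it is not code from the Brocade 5600 vRouter or its reference guide. It parses the brace layout the guide uses in its examples and reports, per OpenVPN interface, where split tunneling is still in effect and which device type is in use. SAMPLE_CONFIG is constructed for illustration; the interface names, addresses and the assumption that a bare keyword such as `local` is a value-less flag are the example's own.

```python
"""Audit OpenVPN stanzas in a Brocade/Vyatta-style brace configuration.

Added example for this page, not code from the Brocade 5600 vRouter.
SAMPLE_CONFIG is constructed: interface names, modes and addresses are
hypothetical. Assumes the brace layout used in the guide's examples and
that a bare keyword such as `local` is a flag with no value.
"""

SAMPLE_CONFIG = """\
interfaces {
    bridge br0 {
    }
    openvpn vtun0 {
        mode client
        remote-host 203.0.113.10
        replace-default-route {
        }
    }
    openvpn vtun1 {
        mode server
        device-type tap
        server {
            subnet 10.8.0.0/24
        }
    }
    openvpn vtun2 {
        mode site-to-site
        local-address 10.1.0.1
        remote-address 10.1.0.2
        replace-default-route {
            local
        }
    }
    openvpn vtun3 {
        mode site-to-site
        bridge-group {
            bridge br0
        }
    }
}
"""


def parse_config(text):
    """Parse brace-formatted config into nested dicts.

    `name {` opens a node, `name value {` opens config[name][value],
    `name value` is a leaf, and a bare `name` is a flag stored as True.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):
            parts = line[:-1].split()
            node = {}
            if len(parts) == 1:
                stack[-1][parts[0]] = node
            else:
                stack[-1].setdefault(parts[0], {})[" ".join(parts[1:])] = node
            stack.append(node)
            continue
        parts = line.split(None, 1)
        stack[-1][parts[0]] = parts[1] if len(parts) == 2 else True
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def audit_openvpn(config):
    """Per-interface findings following the guide's rules.

    split_tunneling_on: "endpoint" for a client/site-to-site interface with
    no replace-default-route, "clients" for a server that does not push one,
    None when replace-default-route is present.
    device_type: explicit device-type, else "tap" when the tunnel is in a
    bridge group (tap is implied there), else the default "tun".
    """
    findings = {}
    for name, ovpn in config.get("interfaces", {}).get("openvpn", {}).items():
        mode = ovpn.get("mode", "unspecified")
        rdr = ovpn.get("replace-default-route")
        bridged = "bridge-group" in ovpn
        entry = {
            "mode": mode,
            "split_tunneling_on": None,
            "local": isinstance(rdr, dict) and rdr.get("local") is True,
            "device_type": ovpn.get("device-type", "tap" if bridged else "tun"),
            "notes": [],
        }
        if rdr is None:
            entry["split_tunneling_on"] = "clients" if mode == "server" else "endpoint"
            entry["notes"].append("Internet traffic bypasses the tunnel; "
                                  "add replace-default-route to disable split tunneling")
        if entry["local"]:
            entry["notes"].append("local is set: valid only when both endpoints share a subnet")
        findings[name] = entry
    return findings


def split_tunnel_interfaces(findings):
    """Names of interfaces on which split tunneling is still in effect."""
    return sorted(n for n, f in findings.items() if f["split_tunneling_on"])


if __name__ == "__main__":
    result = audit_openvpn(parse_config(SAMPLE_CONFIG))
    for name, entry in result.items():
        print(name, entry["mode"], entry["device_type"],
              "split-tunnel:", entry["split_tunneling_on"] or "disabled")
        for note in entry["notes"]:
            print("   -", note)
```

Run against the sample, vtun1 (server, nothing pushed) and vtun3 (site-to-site, no replace-default-route) are reported as still split-tunneled, vtun3 is recognized as tap because of its bridge group, and vtun2 is flagged for the local keyword so that an operator can confirm the two endpoints really share a subnet.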
Brocade 5600 vRouter OpenVPN Reference Guide, 53-1003719-03