[AKIBA.AWS] VPN接続とルーティングの基礎
•
13 gostaram•14,212 visualizações
AKIBA.AWS 第6回 基礎編 基礎編 - VPNとDirectConnect -にて発表の資料です。 AWSのハードウェアVPN接続について、BPGの基礎からVPC、VGWのルーティング仕様まで網羅的に解説します。
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a [AKIBA.AWS] VPN接続とルーティングの基礎
Semelhante a [AKIBA.AWS] VPN接続とルーティングの基礎 (20)
Mais de Shuji Kikuchi
Mais de Shuji Kikuchi (20)
Último
Último (20)
[AKIBA.AWS] VPN接続とルーティングの基礎
- 1. # #
- 3. 3 4 2 3 A # 4GB . 1
- 4. 4 # .
- 5. 5AWS VPN • N • N 2 V 2 N • P • • # ##
- 9. 9AWS VPN • 2 # # 2 VPN VPN
- 10. 10AWS VPN • = # • # = # • # #
- 11. 11 . #
- 12. 12VPN # Virtual Private Gateway Customer Gateway
- 13. 13VPN a a • # # • V W k IS N • 2 # # • Pa c I V • eBib I • • # # C • B a eB • # G C a
- 15. 15VGW #
- 17. 17VPN # VGW CGW
- 18. 18 #
- 19. 19K G E BT • / BV • / / • # IE BV S IE BP • BN c B W A Wa B b
- 20. 20C G C 2 2 • # • C C VGW 10.10.10.0/24 2 AC VPCC C 10.10.10.0/24 2VGW
- 21. 21S S P C • • i S P W • S P # Ga AS P V • S P RS • SP W • 2 2 2 eg bBC S P V
- 22. 22 # .
- 23. 23BGP • # • ca S B • 1 1 r Cbmi ko G • Cn A Cbm T P • S S e l G Cbm d
- 26. 26 # VPC CIDR 172.16.0.0/24 CGW CIDR 10.10.10.0/24 [Route Propagation] VGW VPC 10.10.10.0/24172.16.0.0/24 BGP
- 27. 27BGP # #show ip bgp BGP table version is 5, local router ID is 192.168.1.253 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> 10.10.10.0/24 0.0.0.0 0 32768 i *> 172.16.0.0/24 169.254.24.77 100 0 10124 i * 169.254.27.117 200 0 10124 i
- 28. 28BGP # #show ip bgp BGP table version is 5, local router ID is 192.168.1.253 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path *> 10.10.10.0/24 0.0.0.0 0 32768 i *> 172.16.0.0/24 169.254.24.77 100 0 10124 i * 169.254.27.117 200 0 10124 i Metric C
- 29. • D H SOW_ Ww G BC ALi s SW S N AL • # # • 0 • W_ FE • 1 O PT MLw RbWa D F • isHRbWa F # 1 O PTALw N AL 29BGPHisk
- 30. 30 #
- 31. 31 • W N • G • G G A • # T • CG
- 33. 33iCGW CL DCCWS • 0JG L P OT G R TY 3CTGWCY ev y ron • 0 S P 0 S P - ev y ron • 0 S P 49 0 S P 49 ) ev y ron • 1GMM PO 66 PO 9 . hcfbm ev y ron • 2PRT OGT 2PRT ICTG ) t u 2PRT 9 ) ev y ron • 5 O GR 5# GR GS 5 O9 . ev y ron • 5 O GR 5 O9 hcfbm ev y ron • RGGO9 + f + hcfbm n al 5 O GR 3 • RGGO9 + f + hcfbm n al 5 O GR 4 3 • 9 hcfbm ev y ron al 8GTICTG GOSG • CMP MTP 8GTWPRLS 89 ) hcfbm v y ro • ACNCJC GZ Z Z Z ( Z kg w • 7 RPSP T OFPWS GRVGR - ev y ro • 7 RPSP T OFPWS GRVGR ev y ro • d xp s ml 8 e YXGM YWCMM t u ) hcfbm v y roZhcf d xp s ml 8 e ) ( hcfbm v y ro https://docs.aws.amazon.com/ja_jp/AmazonVPC/latest/NetworkAdminGuide/Introduction.html
- 34. 34BGP router bgp 65000 neighbor 169.254.27.xxx remote-as 10124 neighbor 169.254.27.xxx activate neighbor 169.254.27.xxx timers 10 30 30 address-family ipv4 unicast neighbor 169.254.27.xxx remote-as 10124 neighbor 169.254.27.xxx timers 10 30 30 neighbor 169.254.27.xxx default-originate neighbor 169.254.27.xxx activate neighbor 169.254.27.xxx soft-reconfiguration inbound ! To advertise additional prefixes to Amazon VPC, copy the 'network' statement ! and identify the prefix you wish to advertise. Make sure the prefix is present ! in the routing table of the device with a valid next-hop. network 0.0.0.0 #
- 35. # 35 router bgp 65000 neighbor 169.254.27.xxx remote-as 10124 neighbor 169.254.27.xxx activate neighbor 169.254.27.xxx timers 10 30 30 address-family ipv4 unicast neighbor 169.254.27.xxx remote-as 10124 neighbor 169.254.27.xxx timers 10 30 30 neighbor 169.254.27.xxx default-originate neighbor 169.254.27.xxx activate neighbor 169.254.27.xxx soft-reconfiguration inbound ! To advertise additional prefixes to Amazon VPC, copy the 'network' statement ! and identify the prefix you wish to advertise. Make sure the prefix is present ! in the routing table of the device with a valid next-hop. network 192.168.1.0 mask 255.255.255.0 network 172.16.0.0 mask 255.255.255.0 O C I BGP C
- 36. 36CGW NATN G F C P # VGW CGW VPN FW
- 37. 37CGWFNATw KA i 4 b N l F K PCK S k • • • 5 0 c e e TW S cUa KsG DF • E M 0 Sr I
- 38. # 38 crypto keyring keyring-vpn-xxxxxxxx-0 local-address xxx.xxx.xxx.xxx pre-shared-key address yyy.yyy.yyy.yyy key xxxxxxxxxxxxxxxxxxxxxxxxxxx ~~~~~~~~ ~~~~~~~~ crypto isakmp profile isakmp-vpn-xxxxxxxx-0 local-address xxx.xxx.xxx.xxx match identity address yyy.yyy.yyy.yyy keyring keyring-vpn-xxxxxxxx ~~~~~~~~ ~~~~~~~~ interface Tunnel1 ip address 169.254.27.xxx 255.255.255.252 ip virtual-reassembly tunnel source xxx.xxx.xxx.xxx tunnel destination yyy.yyy.yyy.yyy tunnel mode ipsec ipv4 tunnel protection ipsec profile ipsec-vpn-xxxxxxxx-0 ! This option causes the router to reduce the Maximum Segment Size of ! TCP packets to prevent packet fragmentation. ip tcp adjust-mss 1379 no shutdo CGW NAT
- 39. 39V / N e Fi GCIA C • SW FALB • # SW FALB a • V c FALB • b FALB • • P W
- 40. 40WT 5 4 N CE • D D ebCE A • / / 0 caCE A • 4 ISWU P K G A • 4 4
- 41. 41P GR A B • GSV • # P B • N B • A W
- 42. 42 #
- 43. 43C • I BPN c • # C B G W • A B b • a V S A # A
- 44. #
- 45. #
- 46. 46- W A 4 - K • P CA D 9 • P - 140/5 220/5 9 • 5 IB S # • P N 9 . /..32
- 47. . 4783 / 73 AKA 19:30 - 19:35 - 19:35 - 20:05 AWS Route 53 20:05 - 20:35 VGW 20:35 - 21:05 AWS VPN - - W 7/ 83 :2 : / :8 3 3 # B ST B I /6 //