
[AKIBA.AWS] Basics of VPN Connections and Routing (VPN接続とルーティングの基礎)


Slides presented at AKIBA.AWS #6, Basics Edition: VPN and Direct Connect.
A comprehensive walkthrough of AWS hardware VPN connections, from the basics of BGP through the routing behaviour of the VPC and the VGW.

Published in: Technology

  1. (slide text not recoverable from the extraction)
  2-4. (slide text not recoverable)
  5-10. AWS VPN (bullet text not recoverable)
  11. (slide text not recoverable)
  12. VPN: Virtual Private Gateway / Customer Gateway
  13-14. VPN (bullet text not recoverable)
  15. VGW
  16. CGW: CGW IP or AS
  17. VPN: VGW, CGW
  18-19. (slide text not recoverable)
  20. VGW / VPC, 10.10.10.0/24 (remaining text not recoverable)
  21-22. (slide text not recoverable)
  23. BGP (bullet text not recoverable)
  24. BGP: 10.10.10.0/24, 172.16.0.0/24
  25. VGW, BGP: 10.10.10.0/24, 172.16.0.0/24; VPC CIDR 172.16.0.0/24; CGW CIDR 10.10.10.0/24
  26. [Route Propagation] VGW, VPC, BGP: 10.10.10.0/24, 172.16.0.0/24; VPC CIDR 172.16.0.0/24; CGW CIDR 10.10.10.0/24
  27. BGP: show ip bgp output on the customer gateway

      #show ip bgp
      BGP table version is 5, local router ID is 192.168.1.253
      Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                    r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                    x best-external, a additional-path, c RIB-compressed,
      Origin codes: i - IGP, e - EGP, ? - incomplete
      RPKI validation codes: V valid, I invalid, N Not found

           Network          Next Hop            Metric LocPrf Weight Path
       *>  10.10.10.0/24    0.0.0.0                  0         32768 i
       *>  172.16.0.0/24    169.254.24.77          100             0 10124 i
       *                    169.254.27.117         200             0 10124 i

  28. BGP: the same show ip bgp output as slide 27, annotated at the Metric column (annotation text not recoverable)
  29-31. (slide text not recoverable)
  32. CGW (bullet text not recoverable)
  33. CGW (text not recoverable); reference: https://docs.aws.amazon.com/ja_jp/AmazonVPC/latest/NetworkAdminGuide/Introduction.html
  34. BGP: customer gateway configuration

      router bgp 65000
       neighbor 169.254.27.xxx remote-as 10124
       neighbor 169.254.27.xxx activate
       neighbor 169.254.27.xxx timers 10 30 30
       address-family ipv4 unicast
        neighbor 169.254.27.xxx remote-as 10124
        neighbor 169.254.27.xxx timers 10 30 30
        neighbor 169.254.27.xxx default-originate
        neighbor 169.254.27.xxx activate
        neighbor 169.254.27.xxx soft-reconfiguration inbound
      ! To advertise additional prefixes to Amazon VPC, copy the 'network' statement
      ! and identify the prefix you wish to advertise. Make sure the prefix is present
      ! in the routing table of the device with a valid next-hop.
        network 0.0.0.0

  35. BGP: the same configuration as slide 34, with the following network statements in place of network 0.0.0.0 (remaining annotation text not recoverable)

        network 192.168.1.0 mask 255.255.255.0
        network 172.16.0.0 mask 255.255.255.0

  36. CGW / NAT (keywords only: VGW, CGW, VPN, FW; remaining text not recoverable)
  37. CGW / NAT (text not recoverable)
  38. CGW / NAT: IPsec tunnel configuration

      crypto keyring keyring-vpn-xxxxxxxx-0
        local-address xxx.xxx.xxx.xxx
        pre-shared-key address yyy.yyy.yyy.yyy key xxxxxxxxxxxxxxxxxxxxxxxxxxx
      ~~~~~~~~
      ~~~~~~~~
      crypto isakmp profile isakmp-vpn-xxxxxxxx-0
        local-address xxx.xxx.xxx.xxx
        match identity address yyy.yyy.yyy.yyy
        keyring keyring-vpn-xxxxxxxx-0
      ~~~~~~~~
      ~~~~~~~~
      interface Tunnel1
        ip address 169.254.27.xxx 255.255.255.252
        ip virtual-reassembly
        tunnel source xxx.xxx.xxx.xxx
        tunnel destination yyy.yyy.yyy.yyy
        tunnel mode ipsec ipv4
        tunnel protection ipsec profile ipsec-vpn-xxxxxxxx-0
        ! This option causes the router to reduce the Maximum Segment Size of
        ! TCP packets to prevent packet fragmentation.
        ip tcp adjust-mss 1379
        no shutdown

  39-46. (slide text not recoverable)
  47. Timetable: 19:30 - 19:35; 19:35 - 20:05 AWS Route 53; 20:05 - 20:35 VGW; 20:35 - 21:05 AWS VPN (remaining text not recoverable)
