オンプレ側ルーター(Cisco 1812J, Juniper SRX210, YAMAHA RTX 1210)から Direct Connect へ BGP 設定

オンプレ側ルーター(Cisco 1812J, Juniper SRX210, YAMAHA RTX 1210)から Direct Connect へ BGP 設定

Direct Connect 側の設定

Direct Connect 設定内容

以下の内容で Direct Connect 側の共有型の接続設定

• 接続

  • DXtest

ポートスピード 1Gbps
接続 ID: dxcon-fh2ttlhf
場所: Equinix TY2, TY6 - TY8, Tokyo, JPN
AWS デバイス: EqTY2-nnpntj8jigol

• 仮想インターフェイス

  • test-vif

** 要約
ID: dxvif-fhaap5yn
AWS アカウント: 745403317212
タイプ: private
状態: available
接続: dxcon-fh2ttlhf
場所: EqTY2
仮想ゲートウェイ: vgw-9ac0729b
割り当て済み VLAN: 972
Amazon 側の ASN: 10124

** Peerings
ID: dxpeer-fgsniovz
アドレスファミリー: ipv4
BGP: 65000
ルーターのピア IP: 169.254.252.86/30
Amazon ルーターのピア IP: 169.254.252.85/30

• test-vif2

** 要約
ID: dxvif-fhbbt12v
AWS アカウント: 745403317212
タイプ: private
状態: available
接続: dxcon-fh2ttlhf
場所: EqTY2
仮想ゲートウェイ: vgw-9ac0729b
割り当て済み VLAN: 974
Amazon 側の ASN: 10124

** Peerings
ID: dxpeer-fgg802mv
アドレスファミリー: ipv4
BGP ASN: 65000
ルーターのピア IP: 169.254.252.90/30
Amazon ルーターのピア IP: 169.254.252.89/30

• test-vif3

** 要約
ID: dxvif-fgi1cm24
AWS アカウント: 745403317212
タイプ: private
状態: available
接続: dxcon-fh2ttlhf
場所: EqTY2
仮想ゲートウェイ: vgw-9ac0729b
割り当て済み VLAN: 976
Amazon 側の ASN: 10124

** Peerings
ID: dxpeer-fh3vfyls
アドレスファミリー: ipv4
BGP ASN: 65000
ルーターのピア IP: 169.254.252.102/30
Amazon ルーターのピア IP: 169.254.252.101/30

ルーター設定

Cisco 1812J

• VLAN 設定

VLAN 972をトランクモードで設定

1812J-1#conf t
1812J-1(config)#vlan 972
1812J-1(config-vlan)#exit
1812J-1(config)#interface range fastEthernet 2
1812J-1(config-if-range)#switchport mode trunk
1812J-1(config-if-range)#switchport trunk allowed vlan add 1,864,913,972,991,1002-1005
1812J-1(config-vlan)#exit

1812J-1(config)#interface vlan 972
1812J-1(config-if)#ip address 169.254.252.86 255.255.255.252

Amazon ルーターのピア IP に ping が通ることを確認

1812J-1#ping 169.254.252.85

Type escape sequence to abort.
Sending 5, 
100-byte ICMP Echos to 169.254.252.85, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

• BGP の設定

AS 番号は、Amazon 側が10124、自分のルータ側が65000 設定ファイルをダウンロードして参考にする。

1812J-1#conf t
1812J-1(config)# no router bgp 65523
1812J-1(config)# router bgp 65000
1812J-1(config-router)# neighbor 169.254.252.85 remote-as 10124
1812J-1(config-router)# neighbor 169.254.252.85 password <マネジメントコンソールから確認できる BGP 認証キー>
1812J-1(config-router)# network 169.254.0.0/16
1812J-1(config-router)# exit
1812J-1(config)# exit

設定内容確認

• show running-config

!         
interface FastEthernet2
 switchport trunk allowed vlan 1,864,913,972,991,1002-1005
 switchport mode trunk
!
:
:
!         
interface Vlan972
 ip address 169.254.252.86 255.255.255.252
!
:
:
!         
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 169.254.0.0/16
 neighbor 169.254.252.85 remote-as 10124
 neighbor 169.254.252.85 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 no auto-summary
!  

• show ip bgp neighbors

BGP neighbor is 169.254.252.85,  remote AS 10124, external link
  BGP version 4, remote router ID 103.246.151.0
  BGP state = Established, up for 00:01:11
  Last read 00:00:14, last write 00:00:09, hold time is 90, keepalive interval is 30 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    New ASN Capability: advertised and received
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0

                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:                1          0
    Keepalives:             4          4
    Route Refresh:          0          0
    Total:                  6          5
  Default minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast

オンプレ側のルーターから、AWS の VPC 内の EC2 インスタンスへアクセス ### オンプレ側のルーターから、VPC 内の EC2 インスタンスへの疎通性開通

VGW を VPC にアタッチして、以下のルーティングを追加。また、ルート伝搬を有効にする。 ルート伝搬で追加されるルートは、Cisco 側で network で追加した CIDR 情報(169.254.0.0/16)。 169.254.0.0/16 vgw-9ac0729b アクティブ いいえ ping が通るように

1812J-1#ping 172.16.0.169                          

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.169, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

EC2 インスタンスからルーターへも ping が通る

[ec2-user@ip-172-16-0-169 ~]$ ping 169.254.252.86
PING 169.254.252.86 (169.254.252.86) 56(84) bytes of data.
64 bytes from 169.254.252.86: icmp_seq=1 ttl=246 time=4.72 ms
64 bytes from 169.254.252.86: icmp_seq=2 ttl=246 time=4.81 ms
^C
--- 169.254.252.86 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 4.722/4.767/4.813/0.082 ms

Juniper SRX210

• VLAN 設定 SRX では、セキュリティグループを開放しないといけないことに注意。

root> configure exclusive 
warning: uncommitted changes will be discarded on exit
Entering configuration mode

[edit]
root# delete interfaces ge-0/0/2  

[edit]
root# set interfaces ge-0/0/0 unit 974 vlan-id 974 

[edit]
root# set interfaces ge-0/0/0 unit 974 family inet mtu 1500        

[edit]
root# set interfaces ge-0/0/0 unit 974 family inet address 169.254.252.90/30                      

[edit]
root# set security zones security-zone trust interfaces ge-0/0/0.974 host-inbound-traffic system-services ping        

[edit]
root# commit check 
configuration check succeeds

[edit]
root# commit and-quit 
commit complete
Exiting configuration mode

インターフェイスの設定内容確認

root> show interfaces terse 
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up  
ge-0/0/0.911            up    up   inet     169.254.252.6/30
ge-0/0/0.32767          up    up  
gr-0/0/0                up    up  
ip-0/0/0                up    up  
lsq-0/0/0               up    up  
lt-0/0/0                up    up  
mt-0/0/0                up    up  
sp-0/0/0                up    up  
sp-0/0/0.0              up    up   inet    
                                   inet6   
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    up  
ge-0/0/1.914            up    up   inet     169.254.252.66/30
ge-0/0/1.32767          up    up  
ge-0/0/2                up    down
ge-0/0/2.974            up    down inet     169.254.252.90/30
ge-0/0/2.32767          up    down
ge-0/0/3                up    down
ge-0/0/3.0              up    down eth-switch
ge-0/0/4                up    up        
ge-0/0/4.0              up    up   eth-switch
ge-0/0/5                up    down    

root# show interfaces 
ge-0/0/0 {
    flexible-vlan-tagging;
    mtu 1522;
    unit 911 {
        vlan-id 911;
        family inet {
            mtu 1500;
            address 169.254.252.6/30;
        }
    }
    unit 974 {
        vlan-id 974;
        family inet {
            mtu 1500;
            address 169.254.252.90/30;
        }
    }
}

Amazon ルーターのピア IP に ping が通ることを確認

root> ping 169.254.252.89    
PING 169.254.252.89 (169.254.252.89): 56 data bytes
64 bytes from 169.254.252.89: icmp_seq=0 ttl=64 time=2.386 ms
64 bytes from 169.254.252.89: icmp_seq=1 ttl=64 time=2.169 ms
64 bytes from 169.254.252.89: icmp_seq=2 ttl=64 time=37.421 ms
^C
--- 169.254.252.89 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.169/13.992/37.421/16.567 ms

• BGP の設定

root> configure exclusive

root# set policy-options policy-statement EXPORT-INTERNAL term INTERNAL from route-filter 169.254.0.0/16 exact

[edit]
root# set policy-options policy-statement EXPORT-INTERNAL term INTERNAL then accept

[edit]
root# set policy-options policy-statement EXPORT-INTERNAL term REJECT then reject

[edit]
root# set routing-options autonomous-system 65000

[edit]
root# set protocols bgp group EBGP type external

[edit]
root# set protocols bgp group EBGP peer-as 10124

[edit]
root# set protocols bgp group EBGP local-address 169.254.252.90

[edit]
root# set protocols bgp group EBGP neighbor 169.254.252.89

[edit]
root# set protocols bgp group EBGP export EXPORT-INTERNAL

[edit]
root# set protocols bgp group EBGP authentication-key "0xAjOvZxy3ldLFXcIvTvpCWf"

[edit]
root# commit check
configuration check succeeds

[edit]
root# commit and-quit
commit complete
Exiting configuration mode

root> 

show bgp neighbor

Peer: 169.254.252.89+179 AS 10124 Local: 169.254.252.90+62648 AS 65000
  Type: External    State: Established    Flags: <ImportEval Sync>
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None                      
  Export: [ EXPORT-INTERNAL ]           
  Options: <Preference LocalAddress AuthKey PeerAS Refresh>
  Authentication key is configured      
  Local Address: 169.254.252.90 Holdtime: 90 Preference: 170
  Number of flaps: 0                    
  Peer ID: 103.246.151.0   Local ID: 192.168.2.1       Active Holdtime: 90
  Keepalive Interval: 30         Peer index: 0   
  BFD: disabled, down                   
  Local Interface: ge-0/0/0.974                     
  NLRI for restart configured on peer: inet-unicast
  NLRI advertised by peer: inet-unicast 
  NLRI for this session: inet-unicast   
  Peer supports Refresh capability (2)  
  Stale routes from peer are kept for: 300
  Peer does not support Restarter functionality
  NLRI that restart is negotiated for: inet-unicast
  NLRI of received end-of-rib markers: inet-unicast
  NLRI of all end-of-rib markers sent: inet-unicast
  Peer supports 4 byte AS extension (peer-as 10124)
  Peer does not support Addpath         
  Table inet.0 Bit: 10000               
    RIB State: BGP restart is complete  
    Send state: in sync                 
    Active prefixes:              1     
    Received prefixes:            1     
    Accepted prefixes:            1     
    Suppressed due to damping:    0     
    Advertised prefixes:          0     
  Last traffic (seconds): Received 8    Sent 3    Checked 4   
  Input messages:  Total 14     Updates 2       Refreshes 0     Octets 297
  Output messages: Total 16     Updates 0       Refreshes 0     Octets 367
  Output Queue[0]: 0  

YAMAHA RTX 1210

lan1/1はマネジメントポート、lan2/1はDirect Connectにつなぐ用のポート

rtx1210-1> administrator 
Password: 
rtx1210-1# ip lan1/1 address 192.168.1.2/24 
rtx1210-1# vlan lan1/1 802.1q vid=100 
rtx1210-1# ip lan2/1 address 169.254.252.102/30
rtx1210-1# vlan lan2/1 802.1q vid=976 
rtx1210-1# bgp use on
rtx1210-1# bgp autonomous-system 65000
rtx1210-1# bgp neighbor 1 10124 169.254.252.101 hold-time=30 rtx1210-1# local-address=169.254.252.102
rtx1210-1# bgp neighbor pre-shared-key 1 text <マネジメントコンソールから確認できる BGP 認証キー>
rtx1210-1# bgp import filter 1 include 0.0.0.0/0
rtx1210-1# bgp import 10124 static filter 1
rtx1210-1# save 

再起動

rtx1210-1# restart 
Restarting ...


RTX1210 BootROM Ver. 1.03
  Copyright (c) 2014 Yamaha Corporation

Press 'Enter' or 'Return' to select a firmware and a configuration.
Default settings :  exec0 and config0

Starting with default settings. 
Starting with exec0 and config0 ...
Loading configuration file... Done.

RTX1210 Rev.14.01.26 (Tue Mar 27 15:08:37 2018)
Copyright (c) 1994-2018 Yamaha Corporation. All Rights Reserved.
To display the software copyright statement, use 'show copyright' command.
00:a0:de:c9:66:ef, 00:a0:de:c9:66:f0, 00:a0:de:c9:66:f1
Memory 256Mbytes, 3LAN, 1BRI
:
:
----- -----------------------------------
* 0   Rev.14.01.26
  1   Rev.14.01.14
----- -----------------------------------
Select the firmware [0 or 1] : 0
No.   Date       Time     Size    Sects   Comment
----- ---------- -------- ------- ------- ------------------------------------
* 0   2018/07/10 22:41:38    1428 208/208 
  0.1 2018/07/10 22:39:15    1454 209/209 
  0.2 2018/07/10 22:14:19    1336 210/210 
----- ---------- -------- ------- ------- ------------------------------------
Select the configuration
 [Number in upper list, or '-'(hyphen) to go back] : 0

Starting with exec0 and config0 ...
Loading configuration file... Done.

RTX1210 Rev.14.01.26 (Tue Mar 27 15:08:37 2018)
Copyright (c) 1994-2018 Yamaha Corporation. All Rights Reserved.
To display the software copyright statement, use 'show copyright' command.
00:a0:de:c9:66:ef, 00:a0:de:c9:66:f0, 00:a0:de:c9:66:f1
Memory 256Mbytes, 3LAN, 1BRI

Password: 

RTX1210 Rev.14.01.26 (Tue Mar 27 15:08:37 2018)
Copyright (c) 1994-2018 Yamaha Corporation. All Rights Reserved.
To display the software copyright statement, use 'show copyright' command.
00:a0:de:c9:66:ef, 00:a0:de:c9:66:f0, 00:a0:de:c9:66:f1
Memory 256Mbytes, 3LAN, 1BRI

pingが通るように

rtx1210-1> ping 169.254.252.101 
received from 169.254.252.101: icmp_seq=0 ttl=63 time=1.023ms
received from 169.254.252.101: icmp_seq=1 ttl=63 time=0.894ms
received from 169.254.252.101: icmp_seq=2 ttl=63 time=1.186ms

3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max = 0.894/1.034/1.186 ms

設定内容 L1

rtx1210-1# show status vlan 
LAN1
Link status:  Up
Virtual LAN lan1/1
    VLAN ID:  100
 IP address:  192.168.1.2/24
LAN2
Link status:  Up
Virtual LAN lan2/1
    VLAN ID:  976
 IP address:  169.254.252.102/30

L2

rtx1210-1# show arp 
Count: 3
Interface      IP address        MAC address       TTL(second)
LAN2/1         169.254.252.101   2c:21:72:bb:b2:ed  984
LAN3           203.152.196.113   00:1e:68:8e:31:e7 1199
LAN3           203.152.196.117   00:1b:d4:56:68:b0  259

L3

rtx1210-1# show ip route 
Destination         Gateway          Interface       Kind  Additional Info.
default             203.152.196.113        LAN3    static  
169.254.25.104/30   -                 TUNNEL[1]  implicit  
169.254.27.92/30    -                 TUNNEL[2]  implicit  
169.254.252.100/30  169.254.252.102      LAN2/1  implicit  
172.16.0.0/16       169.254.252.101      LAN2/1       BGP  path=10124
172.20.1.0/24       -                 TUNNEL[1]    static  k(1)
172.20.1.0/24       -                 TUNNEL[2]    static  w(0)
172.20.255.0/24     192.168.1.15         LAN1/1    static  
192.168.1.0/24      192.168.1.2          LAN1/1  implicit  
203.152.196.112/28  203.152.196.115        LAN3  implicit  

BGP

rtx1210-1# show status bgp neighbor 
BGP neighbor is 169.254.252.101, remote AS 10124, local AS 65000, external link
  BGP version 0, remote router ID 0.0.0.0
  BGP state = Active
  Last read 00:00:00, hold time is 0, keepalive interval is 0 seconds
  Received 0 messages, 0 notifications, 0 in queue
  Sent 0 messages, 0 notifications, 0 in queue
  Connection established 0; dropped 0
  Last reset never
Local host: unspecified
Foreign host: 169.254.252.101, Foreign port: 0

Config

rtx1210-1# show config 
# RTX1210 Rev.14.01.26 (Tue Mar 27 15:08:37 2018)
# MAC Address : 00:a0:de:c9:66:ef, 00:a0:de:c9:66:f0, 00:a0:de:c9:66:f1
# Memory 256Mbytes, 3LAN, 1BRI
# main:  RTX1210 ver=00 serial=S4H021978 MAC-Address=00:a0:de:c9:66:ef MAC-Addr
ess=00:a0:de:c9:66:f0 MAC-Address=00:a0:de:c9:66:f1
# Reporting Date: Jul 11 17:05:49 2018
login password *
administrator password *
login user administrator *
timezone +09:00
console character en.ascii
console prompt jp-lab-rtx1210-1.lab.hjk.jp
login timer 3600
ip routing on
ip route default gateway 203.152.196.113
ip route 172.20.1.0/24 gateway tunnel 1 keepalive 1 gateway tunnel 2 weight 0
ip route 172.20.255.0/24 gateway 192.168.1.15
description lan1 lan
vlan lan1/1 802.1q vid=100
ip lan1/1 address 192.168.1.2/24
lan type lan2 1000-fdx
vlan lan2/1 802.1q vid=976
ip lan2/1 address 169.254.252.102/30
:

Command References

• Cisco IOS Master Command List, All Releases

  • https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mcl/allreleasemcl/all-book.html

• CLI User Guild - Technical Documentation - Support - Juniper Networks

  • https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/junos-cli/junos-cli.html

• Yamaha ルーターシリーズ - コマンドリファレンス

  • http://www.rtpro.yamaha.co.jp/RT/manual/rt-common/index.html

References

• Amazon VPCとAWS Direct Connectで接続するルーターの設定 : コマンド設定

  • https://network.yamaha.com/setting/router_firewall/cloud/amazon_vpc/setup_direct_connect

• Network Study3 - Juniper JUNOS

  • http://www.infraeye.com/study/studyz2.html

• [図解]AWS Direct ConnectのShared Virtual Interfacesとは

  • https://dev.classmethod.jp/cloud/illustrate-direct-connect-shared-virtual-interfaces/

• BGP - Neighbor

  • http://www.infraexpert.com/study/bgpz02.html