BGP configuration from on-premises routers (Cisco 1812J, Juniper SRX210, YAMAHA RTX 1210) to Direct Connect
Direct Connect side settings
Direct Connect configuration details
The shared (hosted) connection on the Direct Connect side was configured as follows.
- Connection
  - DXtest
    Port speed: 1Gbps
    Connection ID: dxcon-fh2ttlhf
    Location: Equinix TY2, TY6 - TY8, Tokyo, JPN
    AWS device: EqTY2-nnpntj8jigol
- Virtual interfaces
  - test-vif
    ** Summary
    ID: dxvif-fhaap5yn
    AWS account: 745403317212
    Type: private
    State: available
    Connection: dxcon-fh2ttlhf
    Location: EqTY2
    Virtual gateway: vgw-9ac0729b
    Assigned VLAN: 972
    Amazon side ASN: 10124
    ** Peerings
    ID: dxpeer-fgsniovz
    Address family: ipv4
    BGP ASN: 65000
    Router peer IP: 169.254.252.86/30
    Amazon router peer IP: 169.254.252.85/30
  - test-vif2
    ** Summary
    ID: dxvif-fhbbt12v
    AWS account: 745403317212
    Type: private
    State: available
    Connection: dxcon-fh2ttlhf
    Location: EqTY2
    Virtual gateway: vgw-9ac0729b
    Assigned VLAN: 974
    Amazon side ASN: 10124
    ** Peerings
    ID: dxpeer-fgg802mv
    Address family: ipv4
    BGP ASN: 65000
    Router peer IP: 169.254.252.90/30
    Amazon router peer IP: 169.254.252.89/30
  - test-vif3
    ** Summary
    ID: dxvif-fgi1cm24
    AWS account: 745403317212
    Type: private
    State: available
    Connection: dxcon-fh2ttlhf
    Location: EqTY2
    Virtual gateway: vgw-9ac0729b
    Assigned VLAN: 976
    Amazon side ASN: 10124
    ** Peerings
    ID: dxpeer-fh3vfyls
    Address family: ipv4
    BGP ASN: 65000
    Router peer IP: 169.254.252.102/30
    Amazon router peer IP: 169.254.252.101/30
Router configuration
Cisco 1812J
- VLAN settings
Configure VLAN 972 in trunk mode.
1812J-1#conf t
1812J-1(config)#vlan 972
1812J-1(config-vlan)#exit
1812J-1(config)#interface range fastEthernet 2
1812J-1(config-if-range)#switchport mode trunk
1812J-1(config-if-range)#switchport trunk allowed vlan add 1,864,913,972,991,1002-1005
1812J-1(config-if-range)#exit
1812J-1(config)#interface vlan 972
1812J-1(config-if)#ip address 169.254.252.86 255.255.255.252
Confirm that the Amazon router peer IP responds to ping.
1812J-1#ping 169.254.252.85
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.252.85, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
- BGP settings
The AS numbers are 10124 on the Amazon side and 65000 on our router. Download the router configuration file and use it as a reference.
1812J-1#conf t
1812J-1(config)# no router bgp 65523
1812J-1(config)# router bgp 65000
1812J-1(config-router)# neighbor 169.254.252.85 remote-as 10124
1812J-1(config-router)# neighbor 169.254.252.85 password <BGP authentication key shown in the management console>
1812J-1(config-router)# network 169.254.0.0/16
1812J-1(config-router)# exit
1812J-1(config)# exit
Check the configuration
- show running-config
!
interface FastEthernet2
switchport trunk allowed vlan 1,864,913,972,991,1002-1005
switchport mode trunk
!
:
:
!
interface Vlan972
ip address 169.254.252.86 255.255.255.252
!
:
:
!
router bgp 65000
no synchronization
bgp log-neighbor-changes
network 169.254.0.0/16
neighbor 169.254.252.85 remote-as 10124
neighbor 169.254.252.85 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
no auto-summary
!
- show ip bgp neighbors
BGP neighbor is 169.254.252.85, remote AS 10124, external link
BGP version 4, remote router ID 103.246.151.0
BGP state = Established, up for 00:01:11
Last read 00:00:14, last write 00:00:09, hold time is 90, keepalive interval is 30 seconds
Neighbor capabilities:
Route refresh: advertised and received(new)
New ASN Capability: advertised and received
Address family IPv4 Unicast: advertised and received
Message statistics:
InQ depth is 0
OutQ depth is 0
                    Sent  Rcvd
    Opens:             1     1
    Notifications:     0     0
    Updates:           1     0
    Keepalives:        4     4
    Route Refresh:     0     0
    Total:             6     5
Default minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Access from the on-premises router to an EC2 instance in the AWS VPC
### Establishing connectivity from the on-premises router to an EC2 instance in the VPC
Attach the VGW to the VPC and add the following route, and also enable route propagation. The route added by propagation is the CIDR that was added with network on the Cisco side (169.254.0.0/16).
Destination: 169.254.0.0/16, Target: vgw-9ac0729b, Status: Active, Propagated: No
Ping should now go through:
1812J-1#ping 172.16.0.169
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.169, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Ping from the EC2 instance back to the router also works.
[ec2-user@ip-172-16-0-169 ~]$ ping 169.254.252.86
PING 169.254.252.86 (169.254.252.86) 56(84) bytes of data.
64 bytes from 169.254.252.86: icmp_seq=1 ttl=246 time=4.72 ms
64 bytes from 169.254.252.86: icmp_seq=2 ttl=246 time=4.81 ms
^C
--- 169.254.252.86 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 4.722/4.767/4.813/0.082 ms
Juniper SRX210
- VLAN settings. Note that on the SRX you also have to open the security zone for the interface (the host-inbound-traffic setting below).
root> configure exclusive
warning: uncommitted changes will be discarded on exit
Entering configuration mode
[edit]
root# delete interfaces ge-0/0/2
[edit]
root# set interfaces ge-0/0/0 unit 974 vlan-id 974
[edit]
root# set interfaces ge-0/0/0 unit 974 family inet mtu 1500
[edit]
root# set interfaces ge-0/0/0 unit 974 family inet address 169.254.252.90/30
[edit]
root# set security zones security-zone trust interfaces ge-0/0/0.974 host-inbound-traffic system-services ping
[edit]
root# commit check
configuration check succeeds
[edit]
root# commit and-quit
commit complete
Exiting configuration mode
Check the interface configuration
root> show interfaces terse
Interface               Admin Link Proto      Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.911            up    up   inet       169.254.252.6/30
ge-0/0/0.32767          up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet       10.0.0.1              --> 10.0.0.16
                                              10.0.0.6              --> 0/0
                                              128.0.0.1             --> 128.0.1.16
                                              128.0.0.6             --> 0/0
ge-0/0/1                up    up
ge-0/0/1.914            up    up   inet       169.254.252.66/30
ge-0/0/1.32767          up    up
ge-0/0/2                up    down
ge-0/0/2.974            up    down inet       169.254.252.90/30
ge-0/0/2.32767          up    down
ge-0/0/3                up    down
ge-0/0/3.0              up    down eth-switch
ge-0/0/4                up    up
ge-0/0/4.0              up    up   eth-switch
ge-0/0/5                up    down
root# show interfaces
ge-0/0/0 {
    flexible-vlan-tagging;
    mtu 1522;
    unit 911 {
        vlan-id 911;
        family inet {
            mtu 1500;
            address 169.254.252.6/30;
        }
    }
    unit 974 {
        vlan-id 974;
        family inet {
            mtu 1500;
            address 169.254.252.90/30;
        }
    }
}
Confirm that the Amazon router peer IP responds to ping.
root> ping 169.254.252.89
PING 169.254.252.89 (169.254.252.89): 56 data bytes
64 bytes from 169.254.252.89: icmp_seq=0 ttl=64 time=2.386 ms
64 bytes from 169.254.252.89: icmp_seq=1 ttl=64 time=2.169 ms
64 bytes from 169.254.252.89: icmp_seq=2 ttl=64 time=37.421 ms
^C
--- 169.254.252.89 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.169/13.992/37.421/16.567 ms
- BGP settings
root> configure exclusive
root# set policy-options policy-statement EXPORT-INTERNAL term INTERNAL from route-filter 169.254.0.0/16 exact
[edit]
root# set policy-options policy-statement EXPORT-INTERNAL term INTERNAL then accept
[edit]
root# set policy-options policy-statement EXPORT-INTERNAL term REJECT then reject
[edit]
root# set routing-options autonomous-system 65000
[edit]
root# set protocols bgp group EBGP type external
[edit]
root# set protocols bgp group EBGP peer-as 10124
[edit]
root# set protocols bgp group EBGP local-address 169.254.252.90
[edit]
root# set protocols bgp group EBGP neighbor 169.254.252.89
[edit]
root# set protocols bgp group EBGP export EXPORT-INTERNAL
[edit]
root# set protocols bgp group EBGP authentication-key "0xAjOvZxy3ldLFXcIvTvpCWf"
[edit]
root# commit check
configuration check succeeds
[edit]
root# commit and-quit
commit complete
Exiting configuration mode
root> show bgp neighbor
Peer: 169.254.252.89+179 AS 10124 Local: 169.254.252.90+62648 AS 65000
Type: External State: Established Flags: <ImportEval Sync>
Last State: OpenConfirm Last Event: RecvKeepAlive
Last Error: None
Export: [ EXPORT-INTERNAL ]
Options: <Preference LocalAddress AuthKey PeerAS Refresh>
Authentication key is configured
Local Address: 169.254.252.90 Holdtime: 90 Preference: 170
Number of flaps: 0
Peer ID: 103.246.151.0 Local ID: 192.168.2.1 Active Holdtime: 90
Keepalive Interval: 30 Peer index: 0
BFD: disabled, down
Local Interface: ge-0/0/0.974
NLRI for restart configured on peer: inet-unicast
NLRI advertised by peer: inet-unicast
NLRI for this session: inet-unicast
Peer supports Refresh capability (2)
Stale routes from peer are kept for: 300
Peer does not support Restarter functionality
NLRI that restart is negotiated for: inet-unicast
NLRI of received end-of-rib markers: inet-unicast
NLRI of all end-of-rib markers sent: inet-unicast
Peer supports 4 byte AS extension (peer-as 10124)
Peer does not support Addpath
Table inet.0 Bit: 10000
RIB State: BGP restart is complete
Send state: in sync
Active prefixes: 1
Received prefixes: 1
Accepted prefixes: 1
Suppressed due to damping: 0
Advertised prefixes: 0
Last traffic (seconds): Received 8 Sent 3 Checked 4
Input messages: Total 14 Updates 2 Refreshes 0 Octets 297
Output messages: Total 16 Updates 0 Refreshes 0 Octets 367
Output Queue[0]: 0
YAMAHA RTX 1210
lan1/1 is the management port; lan2/1 is the port connected to Direct Connect.
rtx1210-1> administrator
Password:
rtx1210-1# ip lan1/1 address 192.168.1.2/24
rtx1210-1# vlan lan1/1 802.1q vid=100
rtx1210-1# ip lan2/1 address 169.254.252.102/30
rtx1210-1# vlan lan2/1 802.1q vid=976
rtx1210-1# bgp use on
rtx1210-1# bgp autonomous-system 65000
rtx1210-1# bgp neighbor 1 10124 169.254.252.101 hold-time=30 local-address=169.254.252.102
rtx1210-1# bgp neighbor pre-shared-key 1 text <BGP authentication key shown in the management console>
rtx1210-1# bgp import filter 1 include 0.0.0.0/0
rtx1210-1# bgp import 10124 static filter 1
rtx1210-1# save
Restart
rtx1210-1# restart
Restarting ...
RTX1210 BootROM Ver. 1.03
Copyright (c) 2014 Yamaha Corporation
Press 'Enter' or 'Return' to select a firmware and a configuration.
Default settings : exec0 and config0
Starting with default settings.
Starting with exec0 and config0 ...
Loading configuration file... Done.
RTX1210 Rev.14.01.26 (Tue Mar 27 15:08:37 2018)
Copyright (c) 1994-2018 Yamaha Corporation. All Rights Reserved.
To display the software copyright statement, use 'show copyright' command.
00:a0:de:c9:66:ef, 00:a0:de:c9:66:f0, 00:a0:de:c9:66:f1
Memory 256Mbytes, 3LAN, 1BRI
:
:
----- -----------------------------------
* 0 Rev.14.01.26
1 Rev.14.01.14
----- -----------------------------------
Select the firmware [0 or 1] : 0
No. Date Time Size Sects Comment
----- ---------- -------- ------- ------- ------------------------------------
* 0 2018/07/10 22:41:38 1428 208/208
0.1 2018/07/10 22:39:15 1454 209/209
0.2 2018/07/10 22:14:19 1336 210/210
----- ---------- -------- ------- ------- ------------------------------------
Select the configuration
[Number in upper list, or '-'(hyphen) to go back] : 0
Starting with exec0 and config0 ...
Loading configuration file... Done.
RTX1210 Rev.14.01.26 (Tue Mar 27 15:08:37 2018)
Copyright (c) 1994-2018 Yamaha Corporation. All Rights Reserved.
To display the software copyright statement, use 'show copyright' command.
00:a0:de:c9:66:ef, 00:a0:de:c9:66:f0, 00:a0:de:c9:66:f1
Memory 256Mbytes, 3LAN, 1BRI
Password:
RTX1210 Rev.14.01.26 (Tue Mar 27 15:08:37 2018)
Copyright (c) 1994-2018 Yamaha Corporation. All Rights Reserved.
To display the software copyright statement, use 'show copyright' command.
00:a0:de:c9:66:ef, 00:a0:de:c9:66:f0, 00:a0:de:c9:66:f1
Memory 256Mbytes, 3LAN, 1BRI
Ping goes through:
rtx1210-1> ping 169.254.252.101
received from 169.254.252.101: icmp_seq=0 ttl=63 time=1.023ms
received from 169.254.252.101: icmp_seq=1 ttl=63 time=0.894ms
received from 169.254.252.101: icmp_seq=2 ttl=63 time=1.186ms
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max = 0.894/1.034/1.186 ms
Configuration details
L1
rtx1210-1# show status vlan
LAN1
Link status: Up
Virtual LAN lan1/1
VLAN ID: 100
IP address: 192.168.1.2/24
LAN2
Link status: Up
Virtual LAN lan2/1
VLAN ID: 976
IP address: 169.254.252.102/30
L2
rtx1210-1# show arp
Count: 3
Interface  IP address        MAC address        TTL(second)
LAN2/1     169.254.252.101   2c:21:72:bb:b2:ed  984
LAN3       203.152.196.113   00:1e:68:8e:31:e7  1199
LAN3       203.152.196.117   00:1b:d4:56:68:b0  259
L3
rtx1210-1# show ip route
Destination          Gateway            Interface   Kind      Additional Info.
default              203.152.196.113    LAN3        static
169.254.25.104/30    -                  TUNNEL[1]   implicit
169.254.27.92/30     -                  TUNNEL[2]   implicit
169.254.252.100/30   169.254.252.102    LAN2/1      implicit
172.16.0.0/16        169.254.252.101    LAN2/1      BGP       path=10124
172.20.1.0/24        -                  TUNNEL[1]   static    k(1)
172.20.1.0/24        -                  TUNNEL[2]   static    w(0)
172.20.255.0/24      192.168.1.15       LAN1/1      static
192.168.1.0/24       192.168.1.2        LAN1/1      implicit
203.152.196.112/28   203.152.196.115    LAN3        implicit
BGP
rtx1210-1# show status bgp neighbor
BGP neighbor is 169.254.252.101, remote AS 10124, local AS 65000, external link
BGP version 0, remote router ID 0.0.0.0
BGP state = Active
Last read 00:00:00, hold time is 0, keepalive interval is 0 seconds
Received 0 messages, 0 notifications, 0 in queue
Sent 0 messages, 0 notifications, 0 in queue
Connection established 0; dropped 0
Last reset never
Local host: unspecified
Foreign host: 169.254.252.101, Foreign port: 0
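As an added example (not part of the original notes), a small Python checker that parses the three kinds of neighbor output shown on this page (Cisco show ip bgp neighbors plus the neighbor ... password line from its running-config, Junos show bgp neighbor, Yamaha show status bgp neighbor) and reports whether the session is Established with the expected peer and remote AS, and whether MD5 authentication is visible. The samples are constructed from the captures above; on the Yamaha capture it flags the session still sitting in Active state with no authentication evidence.

```python
import re

# Constructed samples, condensed from the router outputs on this page. The Cisco sample also
# carries the 'show running-config' line, since 'show ip bgp neighbors' does not show the password.
CISCO_SAMPLE = """BGP neighbor is 169.254.252.85, remote AS 10124, external link
  BGP state = Established, up for 00:01:11
  Last read 00:00:14, last write 00:00:09, hold time is 90, keepalive interval is 30 seconds
neighbor 169.254.252.85 password 7 XXXXXXXXXXXXXXXX
"""
JUNOS_SAMPLE = """Peer: 169.254.252.89+179 AS 10124 Local: 169.254.252.90+62648 AS 65000
  Type: External    State: Established    Flags: <ImportEval Sync>
  Options: <Preference LocalAddress AuthKey PeerAS Refresh>
  Authentication key is configured
  Local Address: 169.254.252.90 Holdtime: 90 Preference: 170
"""
YAMAHA_SAMPLE = """BGP neighbor is 169.254.252.101, remote AS 10124, local AS 65000, external link
BGP state = Active
Last read 00:00:00, hold time is 0, keepalive interval is 0 seconds
"""

PEER_RE = re.compile(r"(?:BGP neighbor is|Peer:)\s+(\d+(?:\.\d+){3})")   # IOS/Yamaha or Junos
AS_RE = re.compile(r"(?:remote AS|Peer:\s+\S+\s+AS)\s+(\d+)")
STATE_RE = re.compile(r"(?:BGP state =|State:)\s+(\w+)")
HOLD_RE = re.compile(r"[Hh]old ?time(?: is)?:?\s+(\d+)")                # "hold time is 90" / "Holdtime: 90"
AUTH_RE = re.compile(r"Authentication key is configured|AuthKey|neighbor \S+ password")


def check_bgp_neighbor(output, expected_peer, expected_as):
    """Parse one neighbor block and return findings a monitoring job can act on."""
    peer = PEER_RE.search(output)
    asn = AS_RE.search(output)
    state = STATE_RE.search(output)
    hold = HOLD_RE.search(output)
    result = {
        "peer": peer.group(1) if peer else None,
        "remote_as": int(asn.group(1)) if asn else None,
        "state": state.group(1) if state else None,
        "hold_time": int(hold.group(1)) if hold else None,
        "auth_seen": AUTH_RE.search(output) is not None,
        "problems": [],
    }
    if result["peer"] != expected_peer:
        result["problems"].append("unexpected peer address")
    if result["remote_as"] != expected_as:
        result["problems"].append("unexpected remote AS")
    if result["state"] != "Established":
        result["problems"].append("session not Established (state %s)" % result["state"])
    if not result["auth_seen"]:
        result["problems"].append("no evidence of MD5 authentication")
    return result
```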
Config
rtx1210-1# show config
# RTX1210 Rev.14.01.26 (Tue Mar 27 15:08:37 2018)
# MAC Address : 00:a0:de:c9:66:ef, 00:a0:de:c9:66:f0, 00:a0:de:c9:66:f1
# Memory 256Mbytes, 3LAN, 1BRI
# main: RTX1210 ver=00 serial=S4H021978 MAC-Address=00:a0:de:c9:66:ef MAC-Address=00:a0:de:c9:66:f0 MAC-Address=00:a0:de:c9:66:f1
# Reporting Date: Jul 11 17:05:49 2018
login password *
administrator password *
login user administrator *
timezone +09:00
console character en.ascii
console prompt jp-lab-rtx1210-1.lab.hjk.jp
login timer 3600
ip routing on
ip route default gateway 203.152.196.113
ip route 172.20.1.0/24 gateway tunnel 1 keepalive 1 gateway tunnel 2 weight 0
ip route 172.20.255.0/24 gateway 192.168.1.15
description lan1 lan
vlan lan1/1 802.1q vid=100
ip lan1/1 address 192.168.1.2/24
lan type lan2 1000-fdx
vlan lan2/1 802.1q vid=976
ip lan2/1 address 169.254.252.102/30
:
Command References
- Cisco IOS Master Command List, All Releases
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mcl/allreleasemcl/all-book.html
- CLI User Guide - Technical Documentation - Support - Juniper Networks
- https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/junos-cli/junos-cli.html
- Yamaha router series - Command reference
- http://www.rtpro.yamaha.co.jp/RT/manual/rt-common/index.html
References
- Router configuration for connecting Amazon VPC with AWS Direct Connect: command settings
- https://network.yamaha.com/setting/router_firewall/cloud/amazon_vpc/setup_direct_connect
- Network Study3 - Juniper JUNOS
- http://www.infraeye.com/study/studyz2.html
- [Illustrated] What are AWS Direct Connect Shared Virtual Interfaces?
- https://dev.classmethod.jp/cloud/illustrate-direct-connect-shared-virtual-interfaces/
- BGP - Neighbor
- http://www.infraexpert.com/study/bgpz02.html