VPN HUB and SPOKE - Dynamic VPN with BGP - Parte 2 - Securizando tus redes OT
- Iñaki Urrutxi

- 13 jun 2020
- 11 Min. de lectura
Actualizado: 3 nov 2020
Vamos a darle una vuelta más al caso anterior. En el blog anterior ya vimos cómo conectar las máquinas o entornos OT conectados a la infraestructura del cliente, de los cuales damos telemantenimiento predictivo o reactivo, y además cómo securizarlas.
Ahora vamos a jugar un poco con el BGP y vamos a ver cómo podemos tener HA de la conectividad contra estos entornos. El FW tendrá dos conexiones a Internet, una principal y otra de respaldo; para ello jugaremos con uno de los atributos del BGP llamado MED (MULTI EXIT DISCRIMINATOR).
Como ya comentamos en el blog anterior, lo interesante de este sistema es que podemos trasladar el FW de una sede a otra y, conectándolo a un router con salida a Internet, sin hacer un solo cambio tendremos conectividad con nuestra sede central. Los valores de psksecret y las contraseñas de usuario que aparecen en los listados son de ejemplo; en un despliegue real deben sustituirse por secretos propios.


HUB
- Configuración de los interfaces
config system interfaces
edit "wan1"
set vdom "root"
set ip 212.181.209.10 255.255.255.248
set allowaccess ping https ssh
set vlanforward enable
set type physical
set alias "Internet"
set role wan
next
edit "lan1"
set vdom "root"
set ip 10.1.1.1 255.255.255.0
set allowaccess ping https ssh
set vlanforward enable
set type physical
set alias "lan"
set role lan
next
edit "VPN-Spokes1"
set vdom "root"
set ip 10.30.30.1 255.255.255.255
set allowaccess ping https ssh
set type tunnel
set remote-ip 10.30.30.254 255.255.255.0
set interface "wan1"
next
edit "VPN-Spokes2"
set vdom "root"
set ip 10.60.60.1 255.255.255.255
set allowaccess ping https ssh
set type tunnel
set remote-ip 10.60.60.254 255.255.255.0
set interface "wan1"
next
end
- Configuración de la VPN
config vpn ipsec phase1-interface
edit "VPN-Spokes1"
set type dynamic
set interface "wan1"
set local-gw 212.181.209.10
set mode aggressive
set peertype one
set nattraversal enable
set net-device disable
set exchange-interface-ip enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route disable
set dpd on-idle
set xauthtype auto
set authusrgrp "Grupo-Spokes1"
set peerid "SPOKES1.com"
set tunnel-search nexthop
set psksecret vpnpresharedkey
set dpd-retryinterval 60
next
edit "VPN-Spokes2"
set type dynamic
set interface "wan1"
set local-gw 212.181.209.10
set mode aggressive
set peertype one
set nattraversal enable
set net-device disable
set exchange-interface-ip enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set add-route disable
set dpd on-idle
set xauthtype auto
set authusrgrp "Grupo-Spokes2"
set peerid "SPOKES2.com"
set tunnel-search nexthop
set psksecret vpnpresharedkey
set dpd-retryinterval 60
next
end
config vpn ipsec phase2-interface
edit "VPN-Spokes1"
set phase1name "VPN-Spokes1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set keepalive enable
next
edit "VPN-Spokes2"
set phase1name "VPN-Spokes2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set keepalive enable
next
end
- Configurar el BFD en el FW
config system settings
set bfd enable
end
- Configuración de BGP
config router bgp
set as 61066
set router-id 10.30.1.1
set keepalive-timer 10
set holdtime-timer 30
config neighbor-group
edit "BGP-SPOKES1"
set next-hop-self enable
set soft-reconfiguration enable
set bfd enable
set route-map-in "SPOKE1-OT-in"
set route-map-out "SPOKE1-OT-out"
set remote-as 61066
next
edit "BGP-SPOKES2"
set next-hop-self enable
set soft-reconfiguration enable
set bfd enable
set route-map-in "SPOKE2-OT-in"
set route-map-out "SPOKE2-OT-out"
set remote-as 61066
next
end
config neighbor-range
edit 1
set prefix 10.30.30.0 255.255.255.0
set neighbor-group "BGP-SPOKES1"
next
edit 2
set prefix 10.60.60.0 255.255.255.0
set neighbor-group "BGP-SPOKES2"
next
end
config redistribute "connected"
set status enable
end
config redistribute "static"
set status enable
end
- Configuración de los prefijos a intercambiar entre el HUB y el Spoke
Aquí tenemos los prefijos que intercambiamos: en entrada solo permitimos la red donde vamos a tener todos los spokes (10.11.0.0/16) y nosotros exportaremos la ruta por defecto a los spokes para que el tráfico de toda la plataforma salga por los FWs de la central, que es la opción más segura. Aunque, por diferentes razones como retardos, ancho de banda, etc., podemos hacer que solo la red de central se mande por el túnel y el resto de servicios salga por la wan1 del FW, por lo que habrá que generar unas reglas para permitir la conectividad con estos.
config router prefix-list
edit "prefix-Spokes-OT-BGP-in"
config rule
edit 4
set prefix 10.11.0.0 255.255.0.0
set ge 17
set le 32
next
edit 10
set action deny
set prefix 0.0.0.0 0.0.0.0
set ge 1
set le 32
next
end
next
edit "prefix-Spokes-OT-BGP-default-out"
config rule
edit 1
set prefix 0.0.0.0 0.0.0.0
unset ge
unset le
next
end
next
end
- Configuración del route-map para añadir a esos prefijos el MED correspondiente.
config router route-map
edit "SPOKE2-OT-out"
config rule
edit 1
set match-ip-address "prefix-Spokes-OT-BGP-default-out"
set set-metric 300
next
edit 2
set action deny
next
end
next
edit "SPOKE2-OT-in"
config rule
edit 1
set match-ip-address "prefix-Spokes-OT-BGP-in"
set set-metric 300
next
edit 2
set action deny
next
end
next
edit "SPOKE1-OT-out"
config rule
edit 1
set match-ip-address "prefix-Spokes-OT-BGP-default-out"
set set-metric 100
next
edit 2
set action deny
next
end
next
edit "SPOKE1-OT-in"
config rule
edit 1
set match-ip-address "prefix-Spokes-OT-BGP-in"
set set-metric 100
next
edit 2
set action deny
next
end
next
end
- Configuración de las rutas estáticas
config router static
edit 1
set gateway 212.181.209.9
set device "wan1"
next
end
- Configuración de los usuarios de los spokes permitidos
config user local
edit "spoke1"
set type password
set passwd spoke1pass
next
edit "spoke2"
set type password
set passwd spoke12pass
next
edit "spoke2-1"
set type password
set passwd spoke1pass
next
edit "spoke2-2"
set type password
set passwd spoke12pass
next
end
config user group
edit "Grupo-Spokes1"
set member "spoke1" "spoke2"
next
edit "Grupo-Spokes2"
set member "spoke2-1" "spoke2-2"
next
end
- Configuración de la zona para definir las políticas
config system zone
edit "Zone-SPOKEs"
set intrazone deny
set interface "VPN-spoke1" "VPN-spoke1"
next
end
- Configuración de las políticas
config firewall policy
edit 1
set srcintf "Lan1"
set dstintf "Zone-SPOKEs"
set srcaddr "lan-support"
set dstaddr "lan-spokes"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set application-list "ot-scada-spokes-write"
set ips-sensor "high_security"
set logtraffic all
next
edit 2
set srcintf "Zone-SPOKEs"
set dstintf "Lan1"
set srcaddr "lan-spokes"
set dstaddr "lan-date"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set application-list "ot-scada-spokes-read"
set ips-sensor "high_security"
set logtraffic all
next
end
SPOKE
- Configuración de los interfaces
El rango que se asigne por DHCP en los interfaces wan1 y wan2 tiene que ser diferente. Este es uno de los requisitos.
config system interface
edit "wan1"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set role wan
set defaultgw disable
next
edit "wan2"
set vdom "root"
set mode dhcp
set allowaccess ping
set type physical
set role wan
set defaultgw disable
next
edit "lan1"
set vdom "root"
set ip 10.11.1.1 255.255.255.0
set allowaccess ping https ssh http
set role lan
next
edit "VPN-Hub"
set vdom "root"
set ip 10.30.30.2 255.255.255.255
set allowaccess ping https telnet
set type tunnel
set remote-ip 10.30.30.1 255.255.255.0
set interface "wan1"
next
edit "VPN-Hub2"
set vdom "root"
set ip 10.60.60.2 255.255.255.255
set allowaccess ping https telnet
set type tunnel
set remote-ip 10.60.60.1 255.255.255.0
set interface "wan2"
next
end
- Configuración de la VPN
config vpn ipsec phase1-interface
edit "VPN-Hub"
set interface "wan1"
set mode aggressive
set peertype any
set net-device enable
set nattraversal enable
set exchange-interface-ip enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid "SPOKES1.com"
set xauthtype client
set dpd on-idle
set authusr "spoke1"
set authpasswd spoke1pass
set remote-gw 212.181.209.10
set psksecret ENC vpnpresharedkey
set dpd-retryinterval 60
next
edit "VPN-Hub2"
set interface "wan2"
set mode aggressive
set peertype any
set net-device enable
set nattraversal enable
set exchange-interface-ip enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid "SPOKES2.com"
set xauthtype client
set dpd on-idle
set authusr "spoke2-1"
set authpasswd spoke1pass
set remote-gw 212.181.209.10
set psksecret ENC vpnpresharedkey
set dpd-retryinterval 60
next
end
config vpn ipsec phase2-interface
edit "VPN-Hub"
set phase1name "VPN-Hub"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
set auto-negotiate enable
next
edit "VPN-Hub2"
set phase1name "VPN-Hub2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
set auto-negotiate enable
next
end
- Configuración de las rutas estáticas
config router static
edit 1
set dst 212.181.209.10 255.255.255.255
set device "wan1"
set dynamic-gateway enable
next
edit 2
set dst 212.181.209.10 255.255.255.255
set device "wan2"
set dynamic-gateway enable
next
end
- Configuración del BGP
config router bgp
set as 61066
set router-id 10.30.30.2
config neighbor
edit "10.30.30.1"
set next-hop-self enable
set bfd enable
set soft-reconfiguration enable
set remote-as 61066
next
edit "10.60.60.1"
set next-hop-self enable
set bfd enable
set soft-reconfiguration enable
set remote-as 61066
next
end
config redistribute "connected"
set status enable
end
config redistribute "static"
set status enable
end
- Configuración de la zona
config system zone
edit "Zone-HUB"
set intrazone deny
set interface "VPN-Hub1" "VPN-Hub2"
next
end
- Configuración de las políticas
config firewall policy
edit 1
set srcintf "lan1"
set dstintf "Zone-HUB"
set srcaddr "Lan-Spoke"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 2
set srcintf "Zone-HUB"
set dstintf "lan1"
set srcaddr "lan-support"
set dstaddr "Lan-spoke"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
TROUBLESHOOTING
Veamos cómo comprobar si el esquema propuesto está funcionando correctamente. Ten en cuenta que la salida de diagnose vpn tunnel list incluye los SPI y las claves de sesión de las SA (líneas dec: y enc:), así que conviene no compartirla tal cual fuera del equipo.
HUB
FW-HUB #diagnose vpn tunnel list
name=VPN-Spoke_0 ver=1 serial=324 212.181.209.10:4500->1.1.1.10:4500 dst_mtu=0
bound_if=6 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/680 options[02a8]=npu search-nexthop rgwy-chg frag-rfc run_state=1 accept_traffic=1
parent=VPN-Spoke index=0
proxyid_num=1 child_num=0 refcnt=5 ilast=25 olast=25 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=silent draft=0 interval=0 remote_port=4500
proxyid=VPN-Spoke proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=3 options=227 type=00 soft=0 mtu=1280 expire=43168/0B replaywin=1024
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=43191/43200
dec: spi=7577fb0a esp=aes key=16 e099e2b555480cec3b88479af7fe1a18
ah=sha1 key=20 684e599b359a3738498f181b5756e4ef5ab75078
enc: spi=5be5252b esp=aes key=16 22606995715497ef5381d836edd26ef1
ah=sha1 key=20 2fa3e05942921e556ddf72d9b2178119aca2415d
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=1.1.1.10 npu_lgwy=212.81.209.10 npu_selid=17 dec_npuid=0 enc_npuid=0
------------------------------------------------------
name=VPN-Spoke2_0 ver=1 serial=321 212.181.209.10:4500->1.1.1.11:4500 dst_mtu=1500
bound_if=6 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/680 options[02a8]=npu search-nexthop rgwy-chg frag-rfc run_state=1 accept_traffic=1
parent=VPN-Spoke2 index=0
proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0 ad=/0
stat: rxp=137858 txp=243243 rxb=18759778 txb=14381028
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=silent draft=0 interval=0 remote_port=4500
proxyid=VPN-Spoke2 proto=0 sa=1 ref=5 serial=1
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=6 options=227 type=00 soft=0 mtu=1438 expire=16699/0B replaywin=1024
seqno=1de2d esn=0 replaywin_lastseq=00021a80 itn=0 qat=0
life: type=01 bytes=0/0 timeout=43190/43200
dec: spi=7577f795 esp=aes key=16 59b633befc3e5aae9808297b0b99c5cf
ah=sha1 key=20 dc3c0a25abb229a116088e64ba03547fe8127ee8
enc: spi=5be52528 esp=aes key=16 058dc2b07c6149b18598c639ac5e86b8
ah=sha1 key=20 ba096479166e2774094e4ad27d07669c301e3635
dec:pkts/bytes=137858/18759650, enc:pkts/bytes=243218/22623219
npu_flag=03 npu_rgwy=1.1.1.11 npu_lgwy=212.81.209.10 npu_selid=14 dec_npuid=1 enc_npuid=1
FW-HUB# get router info bgp summary
BGP router identifier 10.30.30.2, local AS number 61066
BGP table version is 4
2 BGP AS-PATH entries
0 BGP community entries
Next peer check timer due in 51 seconds
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.30.30.2 4 61066 99 97 3 0 00:08:53 1
10.60.60.2 4 61066 99 97 3 0 00:04:38 1
Total number of neighbors 2
FW-HUB # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 212.181.209.9, wan1
B 10.11.4.0/24 [200/100] via 10.200.1.2, VPN-Spoke1, 00:02:03
C 10.30.30.0/24 is directly connected, VPN-Spoke1
C 10.30.30.1/32 is directly connected, VPN-Spoke1
C 10.60.60.0/24 is directly connected, VPN-Spoke2
C 10.60.60.1/32 is directly connected, VPN-Spoke2
C 192.168.1.0/24 is directly connected, Lan1
C 212.181.209.8/29 is directly connected, wan1
FW-HUB # get router info bfd neighbor
OurAddress NeighAddress State Interface LDesc/RDesc
10.30.30.1 10.30.30.2 UP VPN-Spoke1 17/5
10.60.60.1 10.60.60.2 UP VPN-Spoke2 13/1
SPOKE
FW-SPOKE # fnsysctl ifconfig wan1
wan1 Link encap:Ethernet HWaddr 04:D5:90:6F:2A:4C
inet addr:10.1.1.2 Bcast:10.1.1.1
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4081 errors:0 dropped:0 overruns:0 frame:0
TX packets:5660 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:642883 (627.8 KB) TX bytes:945538 (923.4 KB)
Interrupt:195
FW-SPOKE # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-HUB ver=1 serial=1 10.1.1.2:4500->212.81.209.10:4500 dst_mtu=1500
bound_if=14 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=18 ilast=0 olast=0 ad=/0
stat: rxp=4433 txp=5976 rxb=533800 txb=336154
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=4
natt: mode=keepalive draft=0 interval=10 remote_port=4500
proxyid=VPN-HUB proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=18203 type=00 soft=0 mtu=1422 expire=41858/0B replaywin=1024
seqno=175a esn=0 replaywin_lastseq=00001552 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42898/43200
dec: spi=5be5252b esp=aes key=16 22606995715497ef5381d836edd26ef1
ah=sha1 key=20 2fa3e05942921e556ddf72d9b2178119aca2415d
enc: spi=7577fb0a esp=aes key=16 e099e2b555480cec3b88479af7fe1a18
ah=sha1 key=20 684e599b359a3738498f181b5756e4ef5ab75078
dec:pkts/bytes=4433/232700, enc:pkts/bytes=5977/742920
run_tally=1
------------------------------------------------------
name=VPN-HUB2 ver=1 serial=2 10.20.20.2:4500->212.81.209.10:4500 dst_mtu=1500
bound_if=21 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=/0
stat: rxp=126119 txp=143486 rxb=15184296 txb=7771793
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=0 interval=0 remote_port=4500
proxyid=VPN-HUB2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=18203 type=00 soft=0 mtu=1438 expire=15389/0B replaywin=1024
seqno=2307f esn=0 replaywin_lastseq=0001f0a8 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42898/43200
dec: spi=5be52528 esp=aes key=16 058dc2b07c6149b18598c639ac5e86b8
ah=sha1 key=20 ba096479166e2774094e4ad27d07669c301e3635
enc: spi=7577f795 esp=aes key=16 59b633befc3e5aae9808297b0b99c5cf
ah=sha1 key=20 dc3c0a25abb229a116088e64ba03547fe8127ee8
dec:pkts/bytes=126119/6617581, enc:pkts/bytes=143484/17522752
run_tally=1
FW-SPOKE # get router info bgp summary
BGP router identifier 10.30.30.2, local AS number 61066
BGP table version is 3
1 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.30.30.1 4 61066 38 38 3 0 0 00:00:08 1
10.60.60.1 4 61066 38 38 3 0 0 00:00:04 1
Total number of neighbors 2
FW-SPOKE # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
B* 0.0.0.0/0 [200/100] via 10.30.30.1, VPN-HUB, 00:00:04
C 10.1.1.0/30 is directly connected, wan2
C 10.11.4.0/24 is directly connected, lan
C 10.20.20.0/30 is directly connected, wan1
C 10.30.30.0/24 is directly connected, VPN-HUB
C 10.30.30.2/32 is directly connected, VPN-HUB
C 10.60.60.0/24 is directly connected, VPN-HUB2
C 10.60.60.2/32 is directly connected, VPN-HUB2
S 212.81.209.10/32 [10/0] via 10.1.1.1, wan2
[10/0] via 10.20.20.1, wan1
FW-SPOKE # get router info bfd neighbor
OurAddress NeighAddress State Interface LDesc/RDesc
10.30.30.2 10.30.30.1 UP VPN-HUB1 5/17
10.60.60.2 10.60.60.1 UP VPN-HUB2 1/13
- VPN Principal DOWN
Si cae la VPN principal con MED 100, vemos que el tráfico salta automáticamente a la VPN de respaldo, pero con MED 300.
HUB
FW-HUB# get router info bgp summary
BGP router identifier 10.30.30.2, local AS number 61066
BGP table version is 4
2 BGP AS-PATH entries
0 BGP community entries
Next peer check timer due in 51 seconds
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.60.60.2 4 61066 99 97 3 0 00:04:38 1
Total number of neighbors 1
FW-HUB # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 212.181.209.9, wan1
B 10.11.4.0/24 [200/300] via 10.200.1.2, VPN-Spoke1, 00:02:03
C 10.60.60.0/24 is directly connected, VPN-Spoke2
C 10.60.60.1/32 is directly connected, VPN-Spoke2
C 192.168.1.0/24 is directly connected, Lan1
C 212.181.209.8/29 is directly connected, wan1
FW-HUB # get router info bfd neighbor
OurAddress NeighAddress State Interface LDesc/RDesc
10.60.60.1 10.60.60.2 UP VPN-Spoke2 13/1
SPOKE
FW-SPOKE # get router info bgp summary
BGP router identifier 10.30.30.2, local AS number 61066
BGP table version is 3
1 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.30.30.1 4 61066 338 338 3 0 0 never Active
10.60.60.1 4 61066 318 358 3 0 0 00:00:04 1
Total number of neighbors 2
FW-SPOKE # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
B* 0.0.0.0/0 [200/300] via 10.30.30.1, VPN-HUB, 00:00:04
C 10.1.1.0/30 is directly connected, wan2
C 10.11.4.0/24 is directly connected, lan
C 10.20.20.0/30 is directly connected, wan1
C 10.60.60.0/24 is directly connected, VPN-HUB2
C 10.60.60.2/32 is directly connected, VPN-HUB2
S 212.81.209.10/32 [10/0] via 10.1.1.1, wan2
[10/0] via 10.20.20.1, wan1
FW-SPOKE # diagnose vpn tunnel list VPN-HUB
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-HUB ver=1 serial=1 212.81.206.197:0->212.81.209.10:0 dst_mtu=1500
bound_if=14 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=0
proxyid_num=1 child_num=0 refcnt=8 ilast=224 olast=224 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=4
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-HUB proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
run_tally=1
FW-SPOKE # get router info bfd neighbor
OurAddress NeighAddress State Interface LDesc/RDesc
10.60.60.2 10.60.60.1 UP VPN-HUB2 1/13
En futuros blogs veremos cómo utilizar SD-WAN para poder tener tráfico por ambos interfaces, pudiendo hacer soporte por uno de ellos y, por ejemplo, envío de la sensórica para hacer mantenimiento predictivo por el otro.



