為通過安全防火牆的站點到站點VPN配置SD-WAN

下載選項

  • PDF     (4.0 MB)
    在多種裝置上使用 Adobe Reader 檢視
已更新: 2025 年 10 月 1 日
文件 ID:225109

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的,無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言,或引用第三方產品的語言,因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件,讓全世界的使用者能夠以自己的語言理解支援內容。請注意,即使是最佳機器翻譯,也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責,並建議一律查看原始英文文件(提供連結)。

    簡介

    本檔案介紹使用安全防火牆上的SD-WAN功能的BGP重疊路由的基於路由的VPN部署方案。

    必要條件

    所有集線器和輻條均運行FTD 7.6或更高版本軟體,並通過同樣運行7.6或更高版本軟體的同一FMC進行管理。

    需求

    思科建議您瞭解以下主題:

    • IKEv2
    • 路由型VPN
    • 虛擬通道介面(VTI)
    • IPsec
    • BGP

    採用元件

    本檔案中的資訊是根據: 

    • 思科安全防火牆威脅防禦7.7.10
    • 思科安全防火牆管理中心7.7.10

    本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。

    功能資訊

    通過使用新的SD-WAN嚮導,管理中心簡化了VPN隧道的配置以及中央總部(集線器)和遠端分支站點(分支)之間的路由。

    · 在集線器上利用DVTI(動態虛擬通道介面)在分支上利用SVTI(靜態虛擬通道介面),通過BGP啟用重疊路由,從而自動執行VPN配置。

    · 自動為分支分配SVTI IP地址並推送完整的VTI配置,包括加密引數。

    · 在同一嚮導內提供簡單的一步路由配置,以便為重疊路由啟用BGP。

    · 利用BGP的路由反射器屬性,實現可擴展的最佳路由。

    ·允許同時新增多個輪輻,只需最少的使用者干預。

    涵蓋的拓撲

    在本文中,涵蓋多個拓撲,以確保使用者瞭解各種部署方案。

    中心輻射型(單ISP)

    網路圖表

    Hub and Spoke Network Diagram

    組態

    • 導航到Devices > VPN > Site to Site > Add > SD-WAN Topology > > Create

    Hub and Spoke Configurations

    ·新增中心並在中心建立DVTI。作為DVTI配置的一部分,請確保根據拓撲選擇正確的隧道源介面。

    Add Hub

    • 建立分支通道IP地址池,然後點選Save,然後Add。ip地址池用於將VTI隧道IP地址分配給分支。

    Add IPv4 Pool

    Hub Spoke VPN Single ISP Added

    • 按一下下一步繼續並新增輻條。如果您有通用介面/區域名稱,則可以利用批次新增選項,也可以單獨新增分支。

    Add Spokes

    • 選擇裝置並指定WAN/外部介面的命名模式。如果裝置共用相同的介面名稱,使用首字母就足夠了。按一下Next,如果驗證成功,則按一下Add。對於批次新增,您也可以以相同的方式使用區域名稱。

    Add Bulk Spokes

    Add Devices

    • 驗證輻條和重疊介面詳細資訊以確保選擇了正確的介面,然後按一下下一步

    Verify Spokes and Overlay Details

    • 您可以保留IPsec配置的預設引數,也可以根據需要指定自定義密碼。按一下下一步繼續。在本檔案中,您使用的是預設引數。

    Retain Default Parameters or Specify Custom Ciphers

    • 最後,您可以通過指定適當的BGP引數(如用於字首過濾的AS編號、內部介面通告和社群標籤),在此拓撲的同一嚮導內配置重疊路由。安全區域可以通過訪問控制策略幫助流量過濾,同時還可以為介面建立一個對象,並在所連線的介面重分配中使用它們(如果名稱不同於拓撲中的內部名稱或跨裝置不對稱)。

    Configure Overlay Routing for the Same Wizard

    • 按一下「Next」,然後「Finish」,最後按一下「Deploy」完成整個程式。

    驗證

    • 您可以通過導航到Devices > VPN > Site to Site來驗證隧道狀態。

    Verify Tunnel Status

    • 可通過導航到概述>控制面板>站點到站點VPN來驗證其他詳細資訊。

    For Additional Details See Overview

    • 如需進一步的深入分析,請選擇通道,然後點選檢視完整資訊

    For Further Insights Select the Tunnel and Select View Full Information

    Overview Details

    Maximize View of Details

    • 輸出直接從FTD CLI顯示,並可以刷新以顯示更新的計數器和重要資訊,例如安全引數索引(SPI)詳細資訊。

    Tunnel Details

    • FTD CLI也可用於檢查路由資訊和BGP對等狀態。

    在HUB端

    HUB1# show bgp summary 
BGP router identifier 198.51.100.3, local AS number 65500
BGP table version is 7, main routing table version 7
2 network entries using 400 bytes of memory
2 path entries using 160 bytes of memory
1/1 BGP path/bestpath attribute entries using 208 bytes of memory
1 BGP community entries using 24 bytes of memory
1 BGP route-map cache entries using 64 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 856 total bytes of memory
BGP activity 2/0 prefixes, 4/2 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
198.51.100.10   4        65500 4       6              7    0    0 00:00:45  0 <<<<< spoke 1 bgp peering   
198.51.100.11   4        65500 5       5              7    0    0 00:00:44  1 <<<<< spoke 2 bgp peering     
198.51.100.12   4        65500 5       5              7    0    0 00:00:52  1 <<<<< spoke 3 bgp peering
    HUB1# show route bgp 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
       SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is not set

B        192.0.2.0 255.255.255.248 [200/1] via 198.51.100.10, 00:00:18 <<<<<<<< spoke 1 inside network
B        192.0.2.8 255.255.255.248 [200/1] via 198.51.100.11, 00:08:08 <<<<<<<< spoke 2 inside network
B        192.0.2.16 255.255.255.248 [200/1] via 198.51.100.12, 00:08:16 <<<<<<<< spoke 3 inside network
    HUB1#show bgp ipv4 unicast neighbors 198.51.100.10 routes <<<<< to check only prefix receieved from specific peer

BGP table version is 14, local router ID is 198.51.100.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*>i192.0.2.0/29     198.51.100.10        1    100      0  ? <<<<<<<<<< routes received from spoke 1

Total number of prefixes 1
    HUB1#show bgp ipv4 unicast neighbors 198.51.100.11 routes <<<<< to check only prefix receieved from specific peer

    BGP table version is 14, local router ID is 198.51.100.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*>i192.0.2.8/29     198.51.100.11        1    100      0  ? <<<<<<<<<< routes received from spoke 2

Total number of prefixes 1 
    HUB1#show bgp ipv4 unicast neighbors 198.51.100.12 routes <<<<< to check only prefix receieved from specific peer

    BGP table version is 14, local router ID is 198.51.100.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*>i192.0.2.16/29    198.51.100.12        1    100      0  ? <<<<<<<<<< routes received from spoke 3

Total number of prefixes 1

    在輻條側 

    也可以在輻條裝置上執行相同的驗證。下面是一個輻條上的示例。

    Spoke1# show bgp summary 
BGP router identifier 198.51.100.4, local AS number 65500
BGP table version is 12, main routing table version 12
3 network entries using 600 bytes of memory
3 path entries using 240 bytes of memory
2/2 BGP path/bestpath attribute entries using 416 bytes of memory
2 BGP rrinfo entries using 80 bytes of memory
1 BGP community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1360 total bytes of memory
BGP activity 5/2 prefixes, 7/4 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
198.51.100.1    4        65500 12      11            12    0    0 00:07:11  2    <<<<<<<<< BGP peering with HUB 
    Spoke1# show bgp ipv4 unicast neighbors 198.51.100.1 routes 

BGP table version is 12, local router ID is 198.51.100.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*>i192.0.2.8/29     198.51.100.1         1    100      0  ? <<<<<<< route received from HUB for spoke 2
*>i192.0.2.16/29    198.51.100.1         1    100      0  ? <<<<<<< route received from HUB for spoke 3

Total number of prefixes 2 
    Spoke1# show bgp ipv4 unicast neighbors 198.51.100.1 advertised-routes 

BGP table version is 12, local router ID is 198.51.100.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*> 192.0.2.0/29     0.0.0.0              0         32768  ? <<<<<<<< route advertised by this spoke into BGP

Total number of prefixes 1 
    Spoke1# show route bgp 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
       SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is not set

B        192.0.2.8 255.255.255.248 [200/1] via 198.51.100.1, 00:13:42 <<<<<< spoke 2 inside network
B        192.0.2.16 255.255.255.248 [200/1] via 198.51.100.1, 00:13:42 <<<<<< spoke 3 inside network

    雙中心輻射型(通過輔助中心輻射和輻射之間的EBGP為冗餘中心提供單一ISP)

    網路圖表

    Dual Hub and Spoke Network Diagram Single ISP

    組態

    需要相同的嚮導,並在HUB新增視窗中進行細微修改。您只需關注必要的更改,即可快速推進該過程。

    ·新增第一個HUB後,使用以前用於HUB1的相同步驟繼續新增第二個HUB。

    Dual Hub and Spoke Single ISP Configurations

    • 繼續建立動態虛擬通道介面(DVTI)

    Create Dynamic Virtual Tunnel Interface

    • 分支端的HUB 2 VTI隧道需要新的IP地址池。建立和配置新池,然後儲存更改

    New IP Address Pool is Required

    List of Threat Defense Devices

    • 要在第二個HUB和輻條之間配置eBGP對等,請在最後一步中修改SD-WAN設定。啟用選項Secondary HUB is in a different Autonomous System,並指定輔助HUB的Autonomous System(AS)編號。如果通過取消選中Secondary HUB is in a different Autonomous System選項,不會對您的環境中使用不同的AS編號有任何限制,則也可使用IBGP。這也會推送輔助HUB的相同社群標籤和AS編號。本文重點介紹當前設定的eBGP。

    Configure eBGP Peering in Secondary Hub

    確保自治系統(AS)編號和社群標籤在此配置中是唯一的。

    驗證

    此圖說明重疊拓撲。

    Verification of Overlay Topology

    • 在FMC中,導覽至Devices > VPN > Site to Site

    Navigate to Devices, VPN, and Site to Site

    • 所有其他步驟保持不變。

    雙中心輻射型(雙ISP用於冗餘中心,ISP通過輔助中心輻射和輻射之間的EBGP)

    網路圖表

    Dual Hub and Spoke Network Diagram Dual ISP

    組態

    此場景中的唯一區別是配置了兩個獨立的SD-WAN拓撲,每個拓撲都使用各自的ISP介面作為基礎。

    ·使用第一個ISP跳過此拓撲的部署。因為此步驟在以前的拓撲中已經涉及。

    Dual Hub and Spoke Dual ISP Configurations

    • 接下來,繼續新增第二個拓撲,為每個集線器建立兩個額外的DVTI介面,每個介面都利用ISP 2的底層介面(VPN-OUT-2)。

    Add Second Topology

    • 專門為分支虛擬通道介面(VTI)地址調配了額外的VPN IP地址池。

    Additional VPN IP Address is Provisioned

    Threat Defense Device

    • 要新增輔助集線器,請使用輔助ISP介面(VPN-OUT-2)建立DVTI 2重複該過程,並為分支端VTI地址配置一個附加IP池。

    To Add a Secondary Hub, Repeat the Process

    Create Spoke Tunnel Address Pool

    • 新增輻條時,請確保為VTI隧道指定了正確的底層/WAN介面。此拓撲使用輔助ISP介面VPN-OUT-2

    When Adding a Spoke ensure the Correct Underlay

    VPN Interfaces

    • 配置路由時,請確保此拓撲中兩個HUB的團體標籤和AS編號與之前ISP1拓撲中使用的標籤和AS編號一致。拓撲使用不同的安全區域,但其他配置(如主和輔助HUB的AS編號以及社群標籤)是相同的。UI必須執行此操作才能完成拓撲驗證。

    Ensure Community Tags and AS Numbers for both Hubs in this Topology are Consistent with Those in Previous ISP 1 Topology

    • 所有其他設定保持不變。完成嚮導並繼續部署。

    驗證

    • 拓撲如圖所示。

    Verification of Topology

    • 導航到Devices > VPN > Site to Site以檢視拓撲。

    View Topologies

    此配置導致每台裝置有四個BGP對等點,並且每個分支都有到達其他分支的相應路由。例如,可以檢索其中一個分支的輸出。

    對於輻條1

    Spoke1#show bgp summary 
BGP router identifier 203.0.113.35, local AS number 65500
BGP table version is 4, main routing table version 4
2 network entries using 400 bytes of memory
7 path entries using 560 bytes of memory
1 multipath network entries and 2 multipath paths
3/2 BGP path/bestpath attribute entries using 624 bytes of memory
1 BGP rrinfo entries using 40 bytes of memory
1 BGP AS-PATH entries using 40 bytes of memory
2 BGP community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1712 total bytes of memory
BGP activity 2/0 prefixes, 7/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
198.51.100.1    4        65500 229     226            4    0    0 04:07:22  1 <<<<<<<<<< HUB 1 ISP 1 VTI  
198.51.100.2    4        65510 226     230            4    0    0 04:06:36  2 <<<<<<<<<< HUB 2 ISP 1 VTI      
198.51.100.3    4        65500 182     183            4    0    0 03:16:45  1 <<<<<<<<<< HUB 1 ISP 2 VTI
198.51.100.4    4        65510 183     183            4    0    0 03:16:30  2 <<<<<<<<<< HUB 2 ISP 2 VTI
    Spoke1#show bgp ipv4 unicast neighbors 198.51.100.1 routes <<<< check for specific prefixes received via HUB1 ISP1

BGP table version is 4, local router ID is 203.0.113.35
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*>i192.0.2.16/29    198.51.100.1         1    100      0  ? <<<<<<<< spoke 2 network received via HUB 1 ISP 1 tunnel

Total number of prefixes 1 
    Spoke1#show bgp ipv4 unicast neighbors 198.51.100.3 routes <<<< check for specific prefixes received via HUB1 ISP2

BGP table version is 4, local router ID is 203.0.113.35
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*mi192.0.2.16/29    198.51.100.3         1    100      0  ? <<<<<<<< spoke 2 network received via HUB 1 ISP 2 tunnel

Total number of prefixes 1 
    Spoke1# show bgp ipv4 unicast neighbors 198.51.100.2 routes <<<< check for specific prefixes received via HUB2 ISP1

    BGP table version is 4, local router ID is 203.0.113.35
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*  192.0.2.8/29     198.51.100.2       100             0  65510 65510 ? <<<<<<< inside network receieved cause we advertised it to HUB 1 from ISP 2 topology
*  192.0.2.16/29    198.51.100.2       100             0  65510 65510 ? <<<<<<<< spoke 2 network received via HUB 2 ISP 1 tunnel but not preferred

Total number of prefixes 2 
    Spoke1# show bgp ipv4 unicast neighbors 198.51.100.4 routes <<<< check for specific prefixes received via HUB2 ISP1
    BGP table version is 4, local router ID is 203.0.113.35
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*  192.0.2.8/29     198.51.100.4       100             0  65510 65510 ? <<<<<<< inside network receieved cause we advertised it to HUB 2 from ISP 1 topology
*  192.0.2.16/29    198.51.100.4       100             0  65510 65510 ? <<<<<<<< spoke 2 network received via HUB 2 ISP 2 tunnel but not preferred

Total number of prefixes 2

    路由表如圖所示,它確認分支端兩個鏈路之間的流量負載均衡。

    Spoke1#show route bgp 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
       SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is not set

B        192.0.2.16 255.255.255.248 [200/1] via 198.51.100.3, 03:23:53 <<<<< multipath for spoke 2 inside network
                                    [200/1] via 198.51.100.1, 03:23:53 <<<<< multipath for spoke 2 inside network
    Spoke1#show bgp 192.0.2.16
BGP routing table entry for 192.0.2.16/29, version 4
Paths: (4 available, best #4, table default)
Multipath: eBGP iBGP
  Advertised to update-groups:
              2          4
  65510 65510 
    198.51.100.4 from 198.51.100.4 (198.51.100.4) <<<< HUB2 ISP2 next-hop
      Origin incomplete, metric 100, localpref 100, valid, external
      Community: 10101
  Local
    198.51.100.3 from 198.51.100.3 (198.51.100.3) <<<< HUB1 ISP2 next-hop
      Origin incomplete, metric 1, localpref 100, valid, internal, multipath
      Community: 10101
      Originator: 203.0.113.36, Cluster list: 198.51.100.3
  65510 65510 
    198.51.100.2 from 198.51.100.2 (198.51.100.4) <<<< HUB2 ISP1 next-hop
      Origin incomplete, metric 100, localpref 100, valid, external
      Community: 10101
  Local
    198.51.100.1 from 198.51.100.1 (198.51.100.3) <<<< HUB1 ISP1 next-hop
      Origin incomplete, metric 1, localpref 100, valid, internal, multipath, best
      Community: 10101
      Originator: 203.0.113.36, Cluster list: 198.51.100.3

    結論

    本文的目的是解釋可以使用單個設定嚮導輕鬆實現的各種部署方案。

    相關資訊

    修訂記錄

    修訂 發佈日期 意見
    1.0
    01-Oct-2025
    初始版本
    TAC Authored

    由思科工程師貢獻

    • 達尼亞爾·阿赫塔爾
      技術諮詢工程師

    這份文件是否有所幫助?

    Feedback意見

    讓思科協助您

    本文件適用於這些產品