Judging by the number of questions about SD-WAN that have started reaching us, the technology has begun to take root in Russia in earnest. Vendors, naturally, are not asleep: they offer their concepts, and some bold pioneers are already implementing them in their own networks.

We work with almost every vendor, and over several years our lab has managed to dig into the architecture of every major developer of software-defined solutions. Fortinet's SD-WAN stands somewhat apart here: the company simply built the ability to balance traffic between communication channels into its firewall software. The solution is rather democratic, so it is usually considered by companies that are not yet ready for global change but want to use their communication channels more effectively.

In this article I want to show how to configure and operate Fortinet's SD-WAN, whom this solution suits, and what pitfalls you may run into.
The best-known players in the SD-WAN market can be classified into one of two types:

1. Startups that built an SD-WAN solution from scratch. The most successful of them received a strong development boost after being acquired by large companies; this is the story of Cisco/Viptela, VMware/VeloCloud and Nuage/Nokia.
2. Large network vendors that developed an SD-WAN solution by building programmability and manageability onto their traditional routers; this is the story of Juniper and Huawei.
Fortinet found its own path. Its firewall software already had built-in functionality that made it possible to combine interfaces into virtual channels and balance load between them using algorithms more sophisticated than conventional routing. This functionality was called SD-WAN. Can what Fortinet did be called SD-WAN? The market is gradually coming to understand that software-defined means separating the data plane from the control plane, with dedicated controllers and orchestrators. Fortinet has nothing of the sort: centralised management is optional and is provided through the traditional FortiManager tool. But in my opinion there is no point wasting time searching for abstract truth or arguing about terminology. In the real world each approach has its strengths and weaknesses, and the best solution is to understand them and be able to pick the solution that matches the task.

I will show what Fortinet's SD-WAN looks like and what it can do, using screenshots.
How it all works
Suppose two branches are connected by two data links. These data links are combined into a group, just as ordinary Ethernet interfaces are combined into an LACP port channel; old-timers will remember PPP Multilink, which is also an apt analogy. Physical ports, VLAN SVIs, VPN tunnels or GRE tunnels can serve as the channels.

VPN or GRE is usually used when connecting branch local networks over the internet. Physical ports are used when there is an L2 connection between the sites, or when they are connected over a dedicated MPLS/VPN and you are content with a connection without overlay and encryption. Another scenario for physical ports in an SD-WAN group is balancing users' local access to the internet.

Our test stand has two firewalls and two VPN tunnels running over two "carriers". The diagram looks like this:
The VPN tunnels are configured in interface mode, so that they resemble a point-to-point connection between devices with IP addresses on P2P interfaces, and you can send a ping to verify that communication through a specific tunnel works. For traffic to be encrypted and sent to the far side, it is enough to route it into the tunnel. The alternative, selecting the traffic to encrypt with a list of subnets, makes the configuration considerably more complex and badly confuses administrators. In large networks the VPN can be built with ADVPN technology, which is similar to Cisco's DMVPN or Huawei's DVPN and is easy to set up.
Site-to-site VPN configuration of the two devices, with BGP routing on both sides:
«Data centre» (DC)
config system interface
    edit "WAN1"
        set vdom "Internet"
        set ip 1.1.1.1 255.255.255.252
        set allowaccess ping
        set role wan
        set interface "DC-BRD"
        set vlanid 111
    next
    edit "WAN2"
        set vdom "Internet"
        set ip 3.3.3.1 255.255.255.252
        set allowaccess ping
        set role lan
        set interface "DC-BRD"
        set vlanid 112
    next
    edit "BRN-Ph1-1"
        set vdom "Internet"
        set ip 192.168.254.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.254.2 255.255.255.255
        set interface "WAN1"
    next
    edit "BRN-Ph1-2"
        set vdom "Internet"
        set ip 192.168.254.3 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.254.4 255.255.255.255
        set interface "WAN2"
    next
end
config vpn ipsec phase1-interface
    edit "BRN-Ph1-1"
        set interface "WAN1"
        set local-gw 1.1.1.1
        set peertype any
        set net-device disable
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 2.2.2.1
        set psksecret ***
    next
    edit "BRN-Ph1-2"
        set interface "WAN2"
        set local-gw 3.3.3.1
        set peertype any
        set net-device disable
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 4.4.4.1
        set psksecret ***
    next
end
config vpn ipsec phase2-interface
    edit "BRN-Ph2-1"
        set phase1name "BRN-Ph1-1"
        set proposal aes256-sha256
        set dhgrp 2
    next
    edit "BRN-Ph2-2"
        set phase1name "BRN-Ph1-2"
        set proposal aes256-sha256
        set dhgrp 2
    next
end
config router static
    edit 1
        set gateway 1.1.1.2
        set device "WAN1"
    next
    edit 3
        set gateway 3.3.3.2
        set device "WAN2"
    next
end
config router bgp
    set as 65002
    set router-id 10.1.7.1
    set ebgp-multipath enable
    config neighbor
        edit "192.168.254.2"
            set remote-as 65003
        next
        edit "192.168.254.4"
            set remote-as 65003
        next
    end
    config network
        edit 1
            set prefix 10.1.0.0 255.255.0.0
        next
    end
end
«Branch» (BRN)
config system interface
    edit "WAN1"
        set vdom "Internet"
        set ip 2.2.2.1 255.255.255.252
        set allowaccess ping
        set role wan
        set interface "BRN-BRD"
        set vlanid 111
    next
    edit "WAN2"
        set vdom "Internet"
        set ip 4.4.4.1 255.255.255.252
        set allowaccess ping
        set role wan
        set interface "BRN-BRD"
        set vlanid 114
    next
    edit "DC-Ph1-1"
        set vdom "Internet"
        set ip 192.168.254.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.254.1 255.255.255.255
        set interface "WAN1"
    next
    edit "DC-Ph1-2"
        set vdom "Internet"
        set ip 192.168.254.4 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.254.3 255.255.255.255
        set interface "WAN2"
    next
end
config vpn ipsec phase1-interface
    edit "DC-Ph1-1"
        set interface "WAN1"
        set local-gw 2.2.2.1
        set peertype any
        set net-device disable
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 1.1.1.1
        set psksecret ***
    next
    edit "DC-Ph1-2"
        set interface "WAN2"
        set local-gw 4.4.4.1
        set peertype any
        set net-device disable
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 3.3.3.1
        set psksecret ***
    next
end
config vpn ipsec phase2-interface
    edit "DC-Ph2-1"
        set phase1name "DC-Ph1-1"
        set proposal aes128-sha1
        set dhgrp 2
    next
    edit "DC2-Ph2-2"
        set phase1name "DC-Ph1-2"
        set proposal aes128-sha1
        set dhgrp 2
    next
end
config router static
    edit 1
        set gateway 2.2.2.2
        set device "WAN1"
    next
    edit 3
        set gateway 4.4.4.2
        set device "WAN2"
    next
end
config router bgp
    set as 65003
    set router-id 10.200.7.1
    set ebgp-multipath enable
    config neighbor
        edit "192.168.254.1"
            set remote-as 65002
        next
        edit "192.168.254.3"
            set remote-as 65002
        next
    end
    config network
        edit 1
            set prefix 10.200.0.0 255.255.0.0
        next
    end
end
In my opinion configuring the VPN this way is more convenient, which is why I give the configuration in text form. Almost all the settings are the same on both sides, so in text form they can be produced by copy and paste. Doing the same in the web interface makes it easy to slip up: forget a checkbox somewhere, enter a wrong value, and so on.
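A consistency check over the two configurations above, as an added example (tooling of my own, not the article's or Fortinet's): it parses the FortiOS CLI grammar into a tree and verifies that each phase1 entry on one side has a peer on the other whose remote-gw is its local-gw and vice versa, that the phase2 proposals bound to the pair match, and that the DH group is not one of the small MODP groups. The two excerpts are trimmed from the DC and BRN configs above to the keys the check needs. Run as written it reports that both phase1 entries use DH group 2 and that the phase2 proposals differ between the sides (aes256-sha256 on DC, aes128-sha1 on BRN), exactly the kind of asymmetry that entering the two halves separately tends to produce.

```python
"""Mirror-check the DC and BRN halves of the article's FortiOS IPsec config.
Added example, not from the article or from FortiOS: a parser for the CLI
grammar (config / edit / set / next / end) and a checker over the parsed tree."""

DC_CFG = """config vpn ipsec phase1-interface
edit "BRN-Ph1-1"
set local-gw 1.1.1.1
set remote-gw 2.2.2.1
set dhgrp 2
next
edit "BRN-Ph1-2"
set local-gw 3.3.3.1
set remote-gw 4.4.4.1
set dhgrp 2
next
end
config vpn ipsec phase2-interface
edit "BRN-Ph2-1"
set phase1name "BRN-Ph1-1"
set proposal aes256-sha256
next
edit "BRN-Ph2-2"
set phase1name "BRN-Ph1-2"
set proposal aes256-sha256
next
end
"""

BRN_CFG = """config vpn ipsec phase1-interface
edit "DC-Ph1-1"
set local-gw 2.2.2.1
set remote-gw 1.1.1.1
set dhgrp 2
next
edit "DC-Ph1-2"
set local-gw 4.4.4.1
set remote-gw 3.3.3.1
set dhgrp 2
next
end
config vpn ipsec phase2-interface
edit "DC-Ph2-1"
set phase1name "DC-Ph1-1"
set proposal aes128-sha1
next
edit "DC2-Ph2-2"
set phase1name "DC-Ph1-2"
set proposal aes128-sha1
next
end
"""

WEAK_DH_GROUPS = {"1", "2", "5"}  # 768/1024/1536-bit MODP: too small for new deployments


def parse(text):
    """Return {section: {entry: {key: [values]}}}; 'next'/'end' need no handling
    because each 'config'/'edit' simply rebinds the current section/entry."""
    tree, section, entry = {}, None, None
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[0] == "config":
            section = tree.setdefault(" ".join(words[1:]), {})
        elif words[0] == "edit":
            entry = section.setdefault(words[1].strip('"'), {})
        elif words[0] == "set":
            entry[words[1]] = [w.strip('"') for w in words[2:]]
    return tree


def phase2_proposals(tree):
    """Map each phase1 name to the proposal of the phase2 entry bound to it."""
    return {p["phase1name"][0]: p["proposal"][0]
            for p in tree["vpn ipsec phase2-interface"].values()}


def check_pair(local, remote):
    """Return (kind, message) findings for every phase1 tunnel of `local`."""
    findings = []
    remote_p1 = remote["vpn ipsec phase1-interface"]
    by_target = {p["remote-gw"][0]: name for name, p in remote_p1.items()}
    lp2, rp2 = phase2_proposals(local), phase2_proposals(remote)
    for name, p1 in local["vpn ipsec phase1-interface"].items():
        peer = by_target.get(p1["local-gw"][0])  # far-side entry that targets us
        if peer is None:
            findings.append(("no-peer", f"{name}: no far-side phase1 targets {p1['local-gw'][0]}"))
            continue
        if remote_p1[peer]["local-gw"][0] != p1["remote-gw"][0]:
            findings.append(("gw-mismatch", f"{name}: remote-gw is not {peer}'s local-gw"))
        if p1["dhgrp"][0] in WEAK_DH_GROUPS:
            findings.append(("weak-dh", f"{name}: phase1 uses DH group {p1['dhgrp'][0]}"))
        if lp2.get(name) != rp2.get(peer):
            findings.append(("p2-mismatch", f"{name}: {lp2.get(name)} vs {peer}: {rp2.get(peer)}"))
    return findings


if __name__ == "__main__":
    for kind, message in check_pair(parse(DC_CFG), parse(BRN_CFG)):
        print(f"[{kind}] {message}")
```

The check is deliberately one-directional (DC against BRN); running it the other way round, `check_pair(parse(BRN_CFG), parse(DC_CFG))`, catches phase1 entries that exist only on the branch.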
Once interfaces have been added to the tunnel, all routes and security policies can refer to the tunnel, but not to the interfaces it contains. At a minimum, traffic from the internal network into the SD-WAN must be allowed. When you create that rule you can apply protection measures such as IPS, antivirus and HTTPS inspection.
SD-WAN rules are configured for the tunnel. These are rules that define the balancing algorithm for specific traffic. They resemble the routing policies of policy-based routing, except that when traffic matches a policy the result is not a next hop or an ordinary egress interface but the set of interfaces added to the SD-WAN tunnel, plus the algorithm for balancing traffic among those interfaces.
Traffic can be separated from the general flow by L3 and L4 information, by recognised applications, by internet services (URL and IP), and by the recognised user of a workstation or laptop. After that, one of the following balancing algorithms can be assigned to the selected traffic:
The Interface preference list selects, among the interfaces already added to the tunnel, those that will handle this type of traffic. Not all interfaces have to be added: if you do not want to load an expensive channel with a high SLA with, say, email, you can restrict exactly which channels are used. In FortiOS 6.4.1 it became possible to group the interfaces added to the SD-WAN tunnel into zones, for example one zone for communication with remote sites and another for local internet access with NAT. Yes, yes, traffic sent to the ordinary internet can be balanced too.
About the balancing algorithms
Regarding how FortiGate (Fortinet's firewall) splits traffic between channels, there are two interesting options that are not very common on the market:

Lowest Cost (SLA): among all interfaces that currently meet the SLA, the one with the lowest weight (cost) set manually by the administrator is selected. This mode suits "bulk" traffic such as backups and file transfers.

Best Quality (SLA): in addition to the usual packet latency, jitter and loss, this algorithm can use the current channel load to evaluate channel quality. This mode suits sensitive traffic such as VoIP and video conferencing.

These algorithms require configuring a performance meter for the communication channel (Performance SLA). The meter periodically (at the check interval) monitors SLA compliance (packet loss, latency and jitter of the channel) and can "reject" channels that currently fail the quality thresholds (too much packet loss or too high a latency). In addition, the meter monitors the channel's status and can temporarily remove a channel from the tunnel if responses are lost repeatedly (the number of failures before it is declared inactive). After several consecutive responses (the number after which the link is considered restored), the meter automatically returns the channel to the tunnel, and data starts flowing over it again.
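To make that behaviour concrete, here is an added example: a small model of my own, not Fortinet's implementation, of one Performance SLA probe applied to two members, the Lowest Cost (SLA) and Best Quality (SLA) choices made from its results, and the removal of a member after repeated lost probes and its return after several consecutive replies. The threshold names, the `failtime`/`recoverytime` counters and the quality score are this model's own choices, and the probe history is constructed. The per-round results show a member dropping out of the SLA (still alive, but no longer eligible for Lowest Cost), then out of the group entirely, then coming back.

```python
"""Model of SD-WAN member selection: a Performance SLA probe per link, the
Lowest Cost (SLA) and Best Quality (SLA) algorithms, and removal/restoration of
a link after repeated lost probes. Added example, not Fortinet code; threshold
and counter names are this model's own."""
from dataclasses import dataclass
from typing import Optional, Tuple

Probe = Optional[Tuple[float, float, float]]  # (latency ms, jitter ms, loss %); None = no reply


@dataclass
class Thresholds:
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass
class Member:
    name: str
    cost: int                 # administrator-assigned weight for Lowest Cost (SLA)
    alive: bool = True        # False once the probe has failed `failtime` times in a row
    in_sla: bool = True       # last reply met every threshold
    last: Probe = None        # most recent reply, used by Best Quality (SLA)
    fails: int = 0
    recoveries: int = 0


class PerformanceSLA:
    """One health check applied to every member; the counters mirror the article's
    'responses lost repeatedly' and 'several consecutive responses' behaviour."""

    def __init__(self, thresholds: Thresholds, failtime: int = 3, recoverytime: int = 3):
        self.t, self.failtime, self.recoverytime = thresholds, failtime, recoverytime

    def observe(self, m: Member, probe: Probe) -> None:
        if probe is None:                        # probe timed out
            m.fails, m.recoveries, m.last, m.in_sla = m.fails + 1, 0, None, False
            if m.alive and m.fails >= self.failtime:
                m.alive = False                  # pulled out of the SD-WAN group
            return
        m.fails, m.last = 0, probe
        if not m.alive:
            m.recoveries += 1
            if m.recoveries >= self.recoverytime:
                m.alive, m.recoveries = True, 0  # link restored to the group
        lat, jit, loss = probe
        m.in_sla = (m.alive and lat <= self.t.latency_ms
                    and jit <= self.t.jitter_ms and loss <= self.t.loss_pct)


def lowest_cost_sla(members):
    """Cheapest member meeting the SLA; falls back to the cheapest live member."""
    ok = [m for m in members if m.alive and m.in_sla] or [m for m in members if m.alive]
    return min(ok, key=lambda m: m.cost) if ok else None


def best_quality_sla(members, loss_weight: float = 10.0):
    """Live member with the lowest latency + jitter + weighted-loss score."""
    ok = [m for m in members if m.alive and m.last is not None]
    return min(ok, key=lambda m: m.last[0] + m.last[1] + loss_weight * m.last[2]) if ok else None


def simulate():
    """Replay a constructed probe history for WAN1/WAN2 and return, per round,
    (Lowest Cost choice, Best Quality choice, WAN1 alive)."""
    sla = PerformanceSLA(Thresholds(latency_ms=100, jitter_ms=20, loss_pct=2))
    wan1, wan2 = Member("WAN1", cost=10), Member("WAN2", cost=20)
    history = [  # constructed (WAN1 probe, WAN2 probe) pairs, one per check interval
        ((20, 2, 0), (40, 5, 0)),    # both fine: the cheap WAN1 wins either way
        ((150, 2, 0), (40, 5, 0)),   # WAN1 latency over threshold: out of SLA, WAN2 takes over
        (None, (40, 5, 0)),          # WAN1 lost probe 1
        (None, (40, 5, 0)),          # lost probe 2
        (None, (40, 5, 0)),          # lost probe 3: WAN1 removed from the group
        ((20, 2, 0), (40, 5, 0)),    # WAN1 answers again, 1 of 3 needed
        ((20, 2, 0), (40, 5, 0)),    # 2 of 3
        ((20, 2, 0), (40, 5, 0)),    # 3 of 3: WAN1 restored and preferred again
    ]
    rounds = []
    for p1, p2 in history:
        sla.observe(wan1, p1)
        sla.observe(wan2, p2)
        rounds.append((lowest_cost_sla([wan1, wan2]).name,
                       best_quality_sla([wan1, wan2]).name, wan1.alive))
    return rounds


if __name__ == "__main__":
    for i, r in enumerate(simulate(), 1):
        print(f"round {i}: lowest-cost={r[0]} best-quality={r[1]} WAN1 alive={r[2]}")
```

Note the two distinct states: after round 2 WAN1 is still alive but outside the SLA, so Lowest Cost skips it while it would still be used if every member were out of SLA; after round 5 it is out of the group altogether and no algorithm considers it until three replies in a row have been seen.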
The "meter" settings look like this:

In the web interface the available test protocols are ICMP echo request, HTTP GET and DNS request. The command line offers a few more options: TCP echo and UDP echo are available, as well as the specialised quality-measurement protocol TWAMP.

The measurement results can also be seen in the web interface:

And on the command line:
Troubleshooting
If you have created a rule but things do not work as expected, check the Hit Count value in the SD-WAN rule list. It shows whether traffic matches this rule at all:

On the settings page of the meter itself you can see how the channel parameters change over time. The dotted line marks the parameter's threshold:

In the web interface you can see how traffic is distributed, by the amount of data sent and received and by the number of sessions:

On top of all this, there is an excellent opportunity to trace the passage of packets in maximum detail. When a device operates in a real network, its configuration accumulates many routing policies, firewall rules and traffic distribution across SD-WAN ports. All of this interacts in complex ways, and although the vendor provides detailed block diagrams of the packet-processing algorithm, it is extremely important to be able to see where traffic actually goes rather than building and testing theories.
For example, the following set of commands:
diagnose debug flow filter saddr 10.200.64.15
diagnose debug flow filter daddr 10.1.7.2
diagnose debug flow show function-name
diagnose debug enable
diagnose debug trace 2
lets you trace two packets with source address 10.200.64.15 and destination address 10.1.7.2.

We ping twice from 10.7.1.2 to 10.200.64.15 and look at the output on the console.
First packet:

Second packet:

Here is the first packet the firewall received:
id=20085 trace_id=475 func=print_pkt_detail line=5605 msg="vd-Internet:0 received a packet(proto=1, 10.200.64.15:42->10.1.7.2:2048) from DMZ-Office. type=8, code=0, id=42, seq=0."
VDOM: Internet; Proto=1 (ICMP); DMZ-Office is the name of the L3 interface; Type=8 is Echo.
A new session was created for it:
msg="allocate a new session-0006a627"
A match was found in the policy-routing settings:
msg="Match policy routing id=2136539137: to 10.1.7.2 via ifindex-110"
ãã±ãã㯠VPN ãã³ãã«ã® XNUMX ã€ã«éä¿¡ããå¿
èŠãããããšãããããŸãã
"find a route: flag=04000000 gw-192.168.254.1 via DC-Ph1-1"
The following permit rule was found in the firewall policy:
msg="Allowed by Policy-3:"
The packet is encrypted and sent into the VPN tunnel:
func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-DC-Ph1-1"
func=_ipsecdev_hard_start_xmit line=666 msg="IPsec tunnel-DC-Ph1-1"
func=esp_output4 line=905 msg="IPsec encrypt/auth"
The encrypted packet is sent to the gateway address of this WAN interface:
msg="send to 2.2.2.2 via intf-WAN1"
With the second packet everything happens the same way, but it is sent into the other VPN tunnel and leaves through a different firewall port:
func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-DC-Ph1-2"
func=_ipsecdev_hard_start_xmit line=666 msg="IPsec tunnel-DC-Ph1-2"
func=esp_output4 line=905 msg="IPsec encrypt/auth"
func=ipsec_output_finish line=622 msg="send to 4.4.4.2 via intf-WAN2"
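An added example of my own (not from the article or from Fortinet) that turns such a trace into one record per packet, which is handy once a real device emits thousands of lines per minute. The sample input reuses the messages quoted above for the first packet (trace_id 475); the second packet's trace_id, the session ids other than 0006a627, and the two extra packets (a TCP/22 packet denied by policy, and an ICMP packet forwarded out WAN1 without entering a tunnel) are constructed, as is the `Denied by forward policy check` wording, which is modelled on FortiOS output rather than copied from the article. The last case is the one a defender wants to spot: traffic that an SD-WAN rule was meant to push into an IPsec tunnel but that left a WAN port in clear text shows up as an allowed packet with an egress interface and no encrypt step.

```python
"""Reduce FortiOS 'diagnose debug flow' output to one path record per packet.
Added example, not part of the article: the sample is constructed from the
messages the article quotes for its first packet (trace_id 475) and the second,
plus two invented packets (477: denied flow; 478: clear-text egress).
trace_id 476 and every session id except 0006a627 are made up."""
import re

SAMPLE = """\
id=20085 trace_id=475 func=print_pkt_detail line=5605 msg="vd-Internet:0 received a packet(proto=1, 10.200.64.15:42->10.1.7.2:2048) from DMZ-Office. type=8, code=0, id=42, seq=0."
id=20085 trace_id=475 msg="allocate a new session-0006a627"
id=20085 trace_id=475 msg="Match policy routing id=2136539137: to 10.1.7.2 via ifindex-110"
id=20085 trace_id=475 msg="find a route: flag=04000000 gw-192.168.254.1 via DC-Ph1-1"
id=20085 trace_id=475 msg="Allowed by Policy-3:"
id=20085 trace_id=475 func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-DC-Ph1-1"
id=20085 trace_id=475 func=_ipsecdev_hard_start_xmit line=666 msg="IPsec tunnel-DC-Ph1-1"
id=20085 trace_id=475 func=esp_output4 line=905 msg="IPsec encrypt/auth"
id=20085 trace_id=475 func=ipsec_output_finish line=622 msg="send to 2.2.2.2 via intf-WAN1"
id=20085 trace_id=476 func=print_pkt_detail line=5605 msg="vd-Internet:0 received a packet(proto=1, 10.200.64.15:42->10.1.7.2:2048) from DMZ-Office. type=8, code=0, id=42, seq=1."
id=20085 trace_id=476 msg="allocate a new session-0006a628"
id=20085 trace_id=476 msg="find a route: flag=04000000 gw-192.168.254.3 via DC-Ph1-2"
id=20085 trace_id=476 msg="Allowed by Policy-3:"
id=20085 trace_id=476 func=_ipsecdev_hard_start_xmit line=666 msg="IPsec tunnel-DC-Ph1-2"
id=20085 trace_id=476 func=esp_output4 line=905 msg="IPsec encrypt/auth"
id=20085 trace_id=476 func=ipsec_output_finish line=622 msg="send to 4.4.4.2 via intf-WAN2"
id=20085 trace_id=477 func=print_pkt_detail line=5605 msg="vd-Internet:0 received a packet(proto=6, 10.200.64.15:51000->10.1.7.2:22) from DMZ-Office. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=477 msg="allocate a new session-0006a629"
id=20085 trace_id=477 msg="find a route: flag=04000000 gw-192.168.254.1 via DC-Ph1-1"
id=20085 trace_id=477 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=478 func=print_pkt_detail line=5605 msg="vd-Internet:0 received a packet(proto=1, 10.200.64.15:43->10.1.7.2:2048) from DMZ-Office. type=8, code=0, id=43, seq=0."
id=20085 trace_id=478 msg="allocate a new session-0006a62a"
id=20085 trace_id=478 msg="find a route: flag=00000000 gw-2.2.2.2 via WAN1"
id=20085 trace_id=478 msg="Allowed by Policy-3:"
id=20085 trace_id=478 msg="send to 2.2.2.2 via intf-WAN1"
"""

KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"
PATTERNS = {
    "received": re.compile(r"received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\S+?)\."),
    "session": re.compile(r"allocate a new session-(\w+)"),
    "route": re.compile(r"find a route: flag=\S+ gw-([\d.]+) via (\S+)"),
    "allowed": re.compile(r"Allowed by Policy-(\d+)"),
    "denied": re.compile(r"Denied by forward policy check \(policy (\d+)\)"),
    "tunnel": re.compile(r"IPsec tunnel-(\S+)"),
    "send": re.compile(r"send to ([\d.]+) via intf-(\S+)"),
}


def parse_trace(text):
    """Group lines by trace_id and reduce each group to one path record."""
    packets = {}
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        if "trace_id" not in fields:
            continue
        rec = packets.setdefault(fields["trace_id"],
                                 {"verdict": None, "tunnel": None, "encrypted": False})
        msg = fields.get("msg", "")
        if m := PATTERNS["received"].search(msg):
            rec.update(proto=int(m[1]), src=m[2], dst=m[3], ingress=m[4])
        elif m := PATTERNS["session"].search(msg):
            rec["session"] = m[1]
        elif m := PATTERNS["route"].search(msg):
            rec.update(gw=m[1], route_intf=m[2])
        elif m := PATTERNS["allowed"].search(msg):
            rec.update(verdict="allowed", policy=int(m[1]))
        elif m := PATTERNS["denied"].search(msg):
            rec.update(verdict="denied", policy=int(m[1]))
        elif m := PATTERNS["tunnel"].search(msg):
            rec["tunnel"] = m[1]
        elif "IPsec encrypt/auth" in msg:
            rec["encrypted"] = True
        elif m := PATTERNS["send"].search(msg):
            rec.update(next_hop=m[1], egress=m[2])
    return packets


def cleartext_egress(packets):
    """trace_ids of packets that were allowed and left a WAN port without IPsec."""
    return [tid for tid, p in packets.items()
            if p["verdict"] == "allowed" and "egress" in p and not p["encrypted"]]


def describe(tid, p):
    """One-line summary of a packet's path through the firewall."""
    return (f"trace {tid}: {p.get('src')}->{p.get('dst')} in {p.get('ingress')} | "
            f"{p['verdict']} policy {p.get('policy')} | tunnel {p['tunnel']} | "
            f"out {p.get('egress')} gw {p.get('next_hop')} | ipsec={p['encrypted']}")


if __name__ == "__main__":
    traced = parse_trace(SAMPLE)
    for tid, rec in traced.items():
        print(describe(tid, rec))
    print("clear-text egress:", cleartext_egress(traced))
```

Feed it the console output of the filter commands above (`diagnose debug flow filter` plus `trace`) and it answers the question the text poses directly: which tunnel and which WAN port each packet actually took, and whether anything matching the filter bypassed encryption.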
Advantages of the solution

Reliable functionality and a user-friendly interface. The feature set that FortiOS had before SD-WAN appeared is fully preserved. That is, this is not newly developed software but a mature system from a proven firewall vendor. It comes with the traditional set of network functions and a convenient, easy-to-learn web interface. How many SD-WAN vendors, for example, offer remote-access VPN on the end device?

Level-80 security. FortiGate is one of the top-class firewall solutions. The internet is full of material on configuring and administering the firewall, and the labour market has plenty of security specialists who have already mastered the vendor's solutions.

Zero cost for the SD-WAN feature. No additional licence is needed to implement SD-WAN, so building an SD-WAN network on FortiGate costs the same as building an ordinary WAN network.

Low entry threshold. FortiGate has suitable devices for different performance levels. The newest and cheapest models fit very well for, say, extending an office or point of sale of 3 to 5 employees. Many vendors have no such low-performance, affordable models at all.

High performance. By reducing SD-WAN functionality to traffic balancing, the company was able to release a dedicated SD-WAN ASIC, thanks to which SD-WAN operation does not degrade the firewall's overall performance.

The ability to build the whole office on Fortinet equipment: a bundle of firewall, switch and Wi-Fi access point. Such an office is simple and convenient to manage: the switch and the access point register with the firewall and are managed from it. For example, this is what a switch port looks like from the interface of the firewall that controls the switch:

No controller as a single point of failure. The vendor itself emphasises this, but it can only be called a partial advantage: for vendors with a controller, ensuring fault tolerance is cheap and in most cases costs a small amount of computing resources in a virtualised environment.
What to watch out for

No separation between the control plane and the data plane. This means the network has to be configured either manually or with the traditional management tool that is already available, FortiManager. With vendors that implement such separation the network assembles itself; the administrator only needs to adjust the topology and forbid something here and there, and nothing more. FortiManager's trump card, however, is that it manages not only firewalls but also switches and Wi-Fi access points, that is, almost the whole network.

Only a conditional improvement in manageability. Because network configuration is automated with traditional tools, deploying SD-WAN improves the manageability of the network only slightly. On the other hand, new features become available sooner: the vendor first releases them only for the firewall operating system, where they are immediately usable, and only afterwards are the necessary interfaces added to the management system.

Some features may be available from the command line but not from the web interface. Going into the command line to configure something is sometimes not so frightening; what is frightening is that the web interface does not show that someone has already configured something from the command line. This, however, usually applies to the newest features, and the web interface improves gradually with FortiOS updates.
Who it suits

Those with few branches. Implementing an SD-WAN solution with complex central components on a network of 8 to 10 branches may simply not pay off: you have to spend money on licences for the SD-WAN devices and on virtualisation resources to host the central components, and small companies usually have limited free computing resources. With Fortinet, buying the firewalls is enough.

Those with many small branches. For many vendors the minimum price of the solution per branch is quite high and may not be interesting from the end customer's business point of view. Fortinet offers small devices at very attractive prices.

Those not yet ready to take the step. Implementing SD-WAN with a controller, proprietary routing and a new approach to network planning and management may be too big a step for some customers. Yes, such an implementation ultimately helps optimise the use of communication channels and the administrators' work, but a lot has to be learned first. For those who are not yet ready for a paradigm shift but want to get more out of their communication channels, Fortinet's solution is just right.

Source: habr.com