Route traffic across networks in the SDN infrastructure

Important

This version of Virtual Machine Manager (VMM) has reached the end of support; we recommend that you upgrade to VMM 2019.

This article describes how to route traffic across networks in a software-defined network (SDN) infrastructure set up in the System Center Virtual Machine Manager (VMM) fabric.

An SDN RAS gateway enables you to route network traffic between physical and virtual networks, regardless of where the resources are located. The SDN RAS gateway is multitenant, Border Gateway Protocol (BGP) capable, and supports connectivity through site-to-site virtual private network (VPN) connections using IPsec or Generic Routing Encapsulation (GRE), or through Layer 3 forwarding. Learn more.

Note

  • From VMM 2019 UR1, the One Connected network type is renamed Connected Network.
  • VMM 2019 UR2 and later support IPv6.

Before you start

Ensure the following:

Configure site-to-site VPN connections using VMM

A site-to-site VPN connection lets you securely connect two networks at different physical locations over the Internet.

For Cloud Service Providers (CSPs) that host many tenants in their datacenter, the SDN RAS gateway provides a multitenant gateway solution that lets your tenants access and manage their resources over site-to-site VPN connections from remote sites. This in turn allows network traffic between the virtual resources in your datacenter and the tenants' physical networks.

To enable IPv6 for a site-to-site VPN connection, the routing subnet must carry both an IPv4 and an IPv6 prefix. For the gateway to work over IPv6, provide the IPv4 and IPv6 addresses separated by a semicolon (;) and use an IPv6 address for the remote endpoint. For example: 192.0.2.1/23;2001:0db8:85a3:0000:0000:8a2e:0370::/64.
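The dual-stack routing subnet format above is easy to get subtly wrong (a missing prefix length, two entries of the same family, or an IPv6 entry left out). The following PowerShell function is an added example, not code from the article or from VMM; it validates a candidate string before you paste it into the VPN connection wizard. The function name and the sample values are this example's own.

```powershell
# Added example (not from the original article or from VMM): validate a routing
# subnet string of the form "<IPv4>/<prefix>;<IPv6>/<prefix>" for an IPv6-enabled
# site-to-site connection. Returns $true only when exactly one IPv4 and one IPv6
# prefix are present and each prefix length is in range for its family.
function Test-DualStackRoutingSubnet {
    param([Parameter(Mandatory = $true)][string] $RoutingSubnet)

    $seen = @{}   # address family name -> entry already seen
    foreach ($entry in $RoutingSubnet -split ';') {
        $entry = $entry.Trim()
        $parts = $entry -split '/'
        if ($parts.Count -ne 2) { return $false }      # every entry needs a prefix length

        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref] $ip)) { return $false }
        $prefix = 0
        if (-not [int]::TryParse($parts[1], [ref] $prefix)) { return $false }

        $family = $ip.AddressFamily.ToString()
        switch ($family) {
            'InterNetwork'   { if ($prefix -lt 0 -or $prefix -gt 32)  { return $false } }
            'InterNetworkV6' { if ($prefix -lt 0 -or $prefix -gt 128) { return $false } }
            default          { return $false }
        }
        if ($seen.ContainsKey($family)) { return $false }   # only one entry per family
        $seen[$family] = $entry
    }
    # Both families must be present for the gateway to work over IPv6
    return ($seen.ContainsKey('InterNetwork') -and $seen.ContainsKey('InterNetworkV6'))
}

# Constructed sample inputs: the article's example value, then an IPv4-only value
Test-DualStackRoutingSubnet -RoutingSubnet '192.0.2.1/23;2001:0db8:85a3:0000:0000:8a2e:0370::/64'
Test-DualStackRoutingSubnet -RoutingSubnet '192.0.2.1/23'
```

The first call passes and the second fails because the IPv6 half is missing; run the check on the value you intend to enter before creating the connection.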


Configure an IPsec connection

Use the following procedure:

  1. Select the VM network for which you want to configure a site-to-site IPsec connection, and click Connectivity.
  2. Select Connect to another network through a VPN tunnel. Optionally, to enable BGP peering in your datacenter, select Enable Border Gateway Protocol (BGP).
  3. Select the network controller service for the gateway device.
  4. Select VPN Connections > Add > Add IPSec Tunnel.
  5. Type a subnet, as shown in the following diagram. This subnet is used to route packets out of the VM network. You do not need to preconfigure this subnet in your datacenter.
  6. Type a name for the connection and the IP address of the remote endpoint. Optionally, configure the bandwidth.
  7. In Authentication, select the type of authentication you want to use. If you choose to authenticate with a Run As account, create a user account with a user name and the IPsec key as the account's password.
  8. In Routes, type all the remote subnets that you want to connect to. If you selected Enable Border Gateway Protocol (BGP) on the Connectivity page, routes are not required.
  9. On the Advanced tab, accept the default settings.
  10. If you selected Enable Border Gateway Protocol (BGP) on the Connectivity page, fill in your ASN, the peer BGP IP, and its ASN on the Border Gateway Protocol wizard page, as shown below.
  11. To validate the connection, try to ping the remote endpoint IP address from one of the virtual machines on your VM network.

Configure GRE tunneling

GRE tunnels enable connectivity between tenant virtual networks and external networks. Because the GRE protocol is lightweight and supported on most network devices, it is an ideal choice for tunneling where encryption of the data is not required. GRE support in site-to-site (S2S) tunnels facilitates traffic forwarding between tenant virtual networks and tenant external networks.

Use the following procedure:

  1. Select the VM network where you want to configure an S2S GRE connection, and click Connectivity.
  2. Select Connect to another network through a VPN tunnel. Optionally, to enable BGP peering in your datacenter, select Enable Border Gateway Protocol (BGP).
  3. Select the Network Controller service for the gateway device.
  4. Select VPN Connections > Add > Add GRE Tunnel.
  5. Type a subnet, as shown in the following diagram. This subnet is used to route packets out of the VM network. It does not need to be preconfigured in your datacenter.
  6. Type a connection name and specify the IP address of the remote endpoint.
  7. Type the GRE key.
  8. Optionally, complete the other fields on this screen; these values are not needed to set up a connection.
  9. In Routes, add all the remote subnets that you want to connect to. If you selected Enable Border Gateway Protocol (BGP) in Connectivity, you can leave this screen blank and instead complete the ASN, peer BGP IP, and peer ASN fields on the Border Gateway Protocol tab.
  10. You can use the defaults for the remaining settings.
  11. To validate the connection, try to ping the remote endpoint IP address from one of the virtual machines on the VM network.

Configure IPsec and GRE connections on the remote site

On the remote peer device, use the VM network endpoint IP address shown in the VMM UI as the destination address when setting up the IPsec or GRE connection.


Configure L3 forwarding

L3 forwarding enables connectivity between the physical infrastructure in the datacenter and the virtualized infrastructure in the Hyper-V network virtualization cloud.

Using L3 forwarding, tenant network virtual machines can connect to a physical network through the Windows Server 2016 SDN gateway that is already configured in the SDN environment. In this case, the SDN gateway acts as a router between the virtualized network and the physical network.

To learn more, see these articles: Windows Server gateway as a forwarding gateway, and RAS gateway high availability.

Ensure the following before you attempt to configure L3:

  • Ensure that you are logged on as an administrator on the VMM server.
  • You must configure a unique next-hop logical network, with a unique VLAN ID, for each tenant VM network for which L3 forwarding needs to be set up. There must be a 1:1 mapping between a tenant network and the corresponding physical network (with a unique VLAN ID).

Use the following steps to create the next-hop logical network in SCVMM:

  1. In the VMM console, select Logical Networks, right-click, and select Create Logical Network.

  2. On the Settings page, choose One connected network, and select the check boxes Create a VM network with the same name to allow virtual machines to access this logical network directly and Managed by Microsoft Network Controller.

  3. Create an IP pool for this new logical network.

    An IP address from this pool is required in the script for setting up L3 forwarding.

The following table provides example values for dynamic and static L3 connections.

| Parameter | Details/example values |
|---|---|
| L3VPNConnectionName | User-defined name for the L3 forwarding network connection. Example: Contoso_L3_GW |
| VmNetworkName | Name of the tenant virtual network that is reachable over the L3 network connection. This network must exist when you run the script. Example: ContosoVMNetwork |
| NextHopVMNetworkName | User-defined name for the next-hop VM network, which was created as a prerequisite. This represents the physical network that needs to communicate with the tenant VM network. This network must exist when you run the script. Example: Contoso_L3_Network |
| LocalIPAddresses | IP addresses to be configured on the SDN gateway L3 network interface. These must belong to the next-hop logical network you created. You must also provide the subnet mask. Example: 10.127.134.55/25 |
| PeerIPAddresses | IP address of the physical network gateway, reachable over the L3 logical network. This IP address must belong to the next-hop logical network you created in the prerequisites. It serves as the next hop once traffic destined for the physical network from the tenant VM network reaches the SDN gateway. Example: 10.127.134.65 |
| GatewaySubnet | Subnet used for routing between the HNV gateway and the tenant virtual network. You can use any subnet, but ensure that it does not overlap with the next-hop logical network. Example: 192.168.2.0/24 |
| RoutingSubnets | Static routes that need to be present on the L3 interface of the HNV gateway. These routes are for the physical network subnets that should be reachable from the tenant VM network over the L3 connection. |
| EnableBGP | Option to enable BGP. Default: false. |
| TenantASN | ASN of the tenant gateway; used only when BGP is enabled. |

Run the following script to set up L3 forwarding. Refer to the table above for the meaning of each script parameter.

```powershell
param (
    [Parameter(Mandatory=$true)]
    # Name of the L3 VPN connection
    $L3VPNConnectionName,
    [Parameter(Mandatory=$true)]
    # Name of the VM network to create gateway
    $VmNetworkName,
    [Parameter(Mandatory=$true)]
    # Name of the Next Hop one connected VM network
    # used for forwarding
    $NextHopVmNetworkName,
    [Parameter(Mandatory=$true)]
    # IPAddresses on the local side that will be used
    # for forwarding
    # Format should be @("10.10.10.100/24")
    $LocalIPAddresses,
    [Parameter(Mandatory=$true)]
    # IPAddresses on the remote side that will be used
    # for forwarding
    # Format should be @("10.10.10.200")
    $PeerIPAddresses,
    [Parameter(Mandatory=$false)]
    # Subnet for the L3 gateway
    # default value 10.254.254.0/29
    $GatewaySubnet = "10.254.254.0/29",
    [Parameter(Mandatory=$false)]
    # List of subnets for remote tenants to add routes for static routing
    # Format should be @("14.1.20.0/24","14.1.20.0/24");
    $RoutingSubnets = @(),
    [Parameter(Mandatory=$false)]
    # Enable BGP in the tenant space
    $EnableBGP = $false,
    [Parameter(Mandatory=$false)]
    # ASN number for the tenant gateway
    # Only applicable when EnableBGP is true
    $TenantASN = "0"
)

# Import SC-VMM PowerShell module
Import-Module virtualmachinemanager

# Retrieve Tenant VNET info and exit if VM Network not available
$vmNetwork = Get-SCVMNetwork -Name $VmNetworkName;
if ($vmNetwork -eq $null)
{
    Write-Verbose "VM Network $VmNetworkName not found, quitting"
    return
}

# Retrieve L3 Network info and exit if VM Network not available
$nextHopVmNetwork = Get-SCVMNetwork -Name $NextHopVmNetworkName;
if ($nextHopVmNetwork -eq $null)
{
    Write-Verbose "Next Hop L3 VM Network $NextHopVmNetworkName not found, quitting"
    return
}

# Retrieve gateway Service and exit if not available
$gatewayDevice = Get-SCNetworkGateway | Where {$_.Model -Match "Microsoft Network Controller"};
if ($gatewayDevice -eq $null)
{
    Write-Verbose "Gateway Service not found, quitting"
    return
}

# Retrieve Tenant Virtual Gateway info
$vmNetworkGatewayName = $VmNetwork.Name + "_Gateway";
$VmNetworkGateway = Get-SCVMNetworkGateway -Name $vmNetworkGatewayName -VMNetwork $vmNetwork

# Create a new Tenant Virtual Gateway if not configured
if($VmNetworkGateway -eq $null)
{
    if($EnableBGP -eq $false)
    {
        # Create a new Virtual Gateway for tenant
        $VmNetworkGateway = Add-SCVMNetworkGateway -Name $vmNetworkGatewayName -EnableBGP $false -NetworkGateway $gatewayDevice -VMNetwork $vmNetwork -RoutingIPSubnet $GatewaySubnet;
    }
    else
    {
        if($TenantASN -eq "0")
        {
            Write-Verbose "Please specify valid ASN when using BGP"
            return
        }

        # Create a new Virtual Gateway for tenant
        $VmNetworkGateway = Add-SCVMNetworkGateway -Name $vmNetworkGatewayName -EnableBGP $true -NetworkGateway $gatewayDevice -VMNetwork $vmNetwork -RoutingIPSubnet $GatewaySubnet -AutonomousSystemNumber $TenantASN;
    }

}

if ($VmNetworkGateway -eq $null)
{
    Write-Verbose "Could not Find / Create Virtual Gateway for $($VmNetwork.Name), quitting"
    return
}

# Check if the network connection already exists
$vpnConnection = Get-SCVPNConnection -VMNetworkGateway $VmNetworkGateway -Name $L3VPNConnectionName
if ($vpnConnection -ne $null)
{
    Write-Verbose "L3 Network Connection for $($VmNetwork.Name) already configured, skipping"
}
else
{
    # Create a new L3 Network connection for tenant
    $vpnConnection = Add-SCVPNConnection  -NextHopNetwork $nexthopvmNetwork  -Name $L3VPNConnectionName -IPAddresses $LocalIPAddresses -PeerIPAddresses $PeerIPAddresses -VMNetworkGateway $VmNetworkGateway -protocol L3;

    if ($vpnConnection -eq $null)
    {
        Write-Verbose "Could not add network connection for $($VmNetwork.Name), quitting"
        return
    }
    Write-Output "Created VPN Connection " $vpnConnection;
}

# Add all the required static routes to the newly created network connection interface
foreach($route in $RoutingSubnets)
{
    Add-SCNetworkRoute -IPSubnet $route -RunAsynchronously -VPNConnection $vpnConnection -VMNetworkGateway $VmNetworkGateway
}
```
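The script above trusts its parameters; the constraints in the parameter table (local and peer IPs inside the next-hop logical network, a gateway subnet that does not overlap it, CIDR notation on the local addresses) are only enforced once the Network Controller rejects or silently misroutes the connection. The following PowerShell is an added example, not part of the article or of VMM, that checks those constraints first and then invokes the script with the table's example values. It assumes the script is saved as .\Set-L3Forwarding.ps1 (a name chosen here), that the next-hop logical network subnet is 10.127.134.0/25 (derived from the table's example addresses), and a constructed RoutingSubnets value; the helper function names are also this example's own.

```powershell
# Added example (not from the original article or from VMM): validate the L3
# parameters against the article's constraints, then run the forwarding script.

# Convert a dotted IPv4 string to an integer for prefix arithmetic
function ConvertTo-IPv4Int {
    param([Parameter(Mandatory = $true)][string] $Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

# $true when $Address lies inside the CIDR prefix $Cidr (for example 10.127.134.65 in 10.127.134.0/25)
function Test-IPv4InPrefix {
    param([Parameter(Mandatory = $true)][string] $Address,
          [Parameter(Mandatory = $true)][string] $Cidr)
    $net, $len = $Cidr -split '/'
    $all  = [long][uint32]::MaxValue
    $mask = ($all -shl (32 - [int]$len)) -band $all
    return ((ConvertTo-IPv4Int $Address) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)
}

# Returns the list of problems found (empty when the values satisfy the article's constraints)
function Test-L3Parameters {
    param(
        [string[]] $LocalIPAddresses,
        [string[]] $PeerIPAddresses,
        [string]   $GatewaySubnet,
        [string]   $NextHopSubnet     # subnet of the next-hop logical network (assumed known from its IP pool)
    )
    $problems = @()
    foreach ($local in $LocalIPAddresses) {
        if ($local -notmatch '/') {
            $problems += "LocalIPAddresses entry '$local' must include the subnet mask in CIDR form"
            continue
        }
        $localIp = ($local -split '/')[0]
        if (-not (Test-IPv4InPrefix -Address $localIp -Cidr $NextHopSubnet)) {
            $problems += "Local IP $local is not in the next-hop logical network $NextHopSubnet"
        }
    }
    foreach ($peer in $PeerIPAddresses) {
        if (-not (Test-IPv4InPrefix -Address $peer -Cidr $NextHopSubnet)) {
            $problems += "Peer IP $peer is not in the next-hop logical network $NextHopSubnet"
        }
    }
    # Two prefixes overlap exactly when one network address lies inside the other prefix
    $gwNet = ($GatewaySubnet -split '/')[0]
    $nhNet = ($NextHopSubnet -split '/')[0]
    if ((Test-IPv4InPrefix -Address $gwNet -Cidr $NextHopSubnet) -or
        (Test-IPv4InPrefix -Address $nhNet -Cidr $GatewaySubnet)) {
        $problems += "GatewaySubnet $GatewaySubnet overlaps the next-hop logical network $NextHopSubnet"
    }
    return $problems
}

# Example values from the parameter table; the next-hop subnet and RoutingSubnets are constructed
$nextHopSubnet = "10.127.134.0/25"
$l3 = @{
    L3VPNConnectionName  = "Contoso_L3_GW"
    VmNetworkName        = "ContosoVMNetwork"
    NextHopVmNetworkName = "Contoso_L3_Network"
    LocalIPAddresses     = @("10.127.134.55/25")
    PeerIPAddresses      = @("10.127.134.65")
    GatewaySubnet        = "192.168.2.0/24"
    RoutingSubnets       = @("10.200.0.0/24")
}

$problems = @(Test-L3Parameters -LocalIPAddresses $l3.LocalIPAddresses -PeerIPAddresses $l3.PeerIPAddresses `
                                -GatewaySubnet $l3.GatewaySubnet -NextHopSubnet $nextHopSubnet)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
}
else {
    # Splat the validated values into the script; -Verbose surfaces its Write-Verbose messages
    .\Set-L3Forwarding.ps1 @l3 -Verbose
}
```

Because the script reports most failures only through Write-Verbose before returning, running it with -Verbose is what makes a "not found, quitting" exit visible; the pre-check catches the addressing mistakes the script itself never inspects.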

Configure L3 forwarding

L3 forwarding enables connectivity between the physical infrastructure in the datacenter and the virtualized infrastructure in the Hyper-V network virtualization cloud.

Using an L3 forwarding connection, tenant network virtual machines can connect to a physical network through the Windows Server 2016/2019 SDN gateway that is already configured in the SDN environment. In this case, the SDN gateway acts as a router between the virtualized network and the physical network.

To learn more, see these articles: Windows Server gateway as a forwarding gateway, and RAS gateway high availability.

Ensure the following before you attempt to configure an L3 connection:

  • Ensure that you are logged on as an administrator on the VMM server.
  • You must configure a unique next-hop logical network, with a unique VLAN ID, for each tenant VM network for which L3 forwarding needs to be set up. There must be a 1:1 mapping between a tenant network and the corresponding physical network (with a unique VLAN ID).

Use the following steps to create the next-hop logical network in VMM:

  1. In the VMM console, select Logical Networks, right-click, and select Create Logical Network.

  2. On the Settings page, choose One connected network, and select Create a VM network with the same name to allow virtual machines to access this logical network directly and Managed by Microsoft Network Controller.

    Note

    From VMM 2019 UR1, the One Connected network type is renamed Connected Network.

  3. Create an IP pool for this new logical network. An IP address from this pool is required for setting up L3 forwarding.

Use the following steps to configure L3 forwarding:

Note

You cannot limit bandwidth on an L3 VPN connection.

  1. In the VMM console, select the tenant virtual network that you want to connect to the physical network through the L3 gateway.

  2. Right-click the selected tenant virtual network, and select Properties > Connectivity.

  3. Select Connect to another network through a VPN tunnel. Optionally, to enable BGP peering in your datacenter, select Enable Border Gateway Protocol (BGP).

  4. Select the network controller service for the gateway device.

  5. On the VPN Connections page, click Add > Add Layer 3 tunnel.

  6. Provide a subnet in CIDR notation for Routing Subnet. This subnet is used to route packets out of the VM network. You do not need to preconfigure this subnet in your datacenter.

  7. Use the following information to configure the L3 connection:

| Parameter | Details |
|---|---|
| Name | User-defined name for the L3 forwarding network connection. |
| VMNetwork (NextHop) | User-defined name for the next-hop VM network, which was created as a prerequisite. This represents the physical network that needs to communicate with the tenant VM network. When you click Browse, only the One Connected VM networks managed by the network service are available for selection. |
| Peer IP Address | IP address of the physical network gateway, reachable over the L3 logical network. This IP address must belong to the next-hop logical network that you created as a prerequisite. It serves as the next hop once traffic destined for the physical network from the tenant VM network reaches the SDN gateway. This must be an IPv4 address. There can be multiple peer IP addresses; separate them with commas. |
| Local IP Addresses | IP addresses to be configured on the SDN gateway L3 network interface. These IP addresses must belong to the next-hop logical network that you created as a prerequisite. You must also provide the subnet mask. Example: 10.127.134.55/25. These must be IPv4 addresses in CIDR notation. The peer IP address and local IP addresses should come from the same pool, and should belong to the subnet defined in the logical network definition of the VM network. |
  • If you are using static routes, type all the remote subnets that you want to connect to in Routes.

    Note

    You must configure routes in your physical network for the tenant virtual network subnets, with the next hop set to the IP address of the L3 interface on the SDN gateway (the local IP address used when creating the L3 connection). This ensures that return traffic to the tenant virtual network is routed correctly through the SDN gateway.

  • If you are using BGP, ensure that BGP peering is established between the SDN gateway internal interface IP address (which lives in a different compartment on the gateway VM, not the default compartment) and the peer device on the physical network.

    For BGP to work, you must do the following steps:

    1. Add a BGP peer for the L3 connection. Enter your ASN, the peer BGP IP, and its ASN on the Border Gateway Protocol page.

    2. Determine the SDN gateway internal address, as described in the following section.

    3. Create the BGP peer on the remote end (the physical network gateway). When creating the BGP peer, use the SDN gateway internal address (determined in the previous step) as the peer IP address.

    4. Configure a route on the physical network with the destination set to the SDN gateway internal address and the next hop set to the L3 interface IP address (the local IP address value used when creating the L3 connection).

Note

After configuring the L3 connection, you must configure routes in your physical network for the tenant virtual network subnets, with the next hop set to the IP address of the L3 interface on the SDN gateway (the LocalIPAddresses parameter in the script). This ensures that return traffic to the tenant virtual network is routed correctly through the SDN gateway.

You can configure either static routes or dynamic routes (over BGP) with the L3 connection. If you are using static routes, you can add them with Add-SCNetworkRoute, as shown in the script above.

If you use BGP with the L3 tunnel connection, BGP peering must be established between the SDN gateway internal interface IP address, which lives in a different compartment on the gateway VM (not the default compartment), and the peer device on the physical network.

For BGP to work, you must do the following steps:

  1. Add a BGP peer for the L3 connection using the Add-SCBGPPeer cmdlet.

    Example:

    ```powershell
    Add-SCBGPPeer -Name "peer1" -PeerIPAddress "12.13.14.15" -PeerASN 15 -VMNetworkGateway $VmNetworkGateway
    ```

  2. Determine the SDN gateway internal address, as described in the following section.

  3. Create the BGP peer on the remote end (the physical network gateway). When creating the BGP peer, use the SDN gateway internal address (determined in step 2 above) as the peer IP address.

  4. Configure a route on the physical network with the destination set to the SDN gateway internal address and the next hop set to the L3 interface IP address (the LocalIPAddresses parameter in the script).

Determine the SDN gateway internal address

Use the following procedure:

Run the following PowerShell cmdlets on a computer where the Network Controller is installed, or on a computer that has been configured as a Network Controller client:

```powershell
$gateway = Get-NetworkControllerVirtualGateway -ConnectionUri <REST uri of your deployment>
$gateway.Properties.NetworkConnections.Properties.IPAddresses
```

The result can list multiple virtual gateways, depending on how many tenants have configured gateway connections. Each virtual gateway can have multiple connections (IPsec, GRE, L3).

Because you already know the L3 interface IP address (LocalIPAddresses) of the connection, you can identify the correct connection by that IP address. Once you have the correct network connection, run the following command (on the corresponding virtual gateway) to get the BGP router IP address of the virtual gateway:

```powershell
$gateway.Properties.BgpRouters.Properties.RouterIp
```

The result is the IP address that you must configure on the remote router as the peer IP address.
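The four BGP steps for the scripted L3 connection and the lookup procedure just described are usually run together, and the manual part (eyeballing a list of virtual gateways for the one whose connection carries your local IP) is where the wrong router IP gets handed to the physical network team. The following PowerShell is an added example, not code from the article, from VMM or from the Network Controller; it adds the BGP peer in VMM, then walks the Network Controller objects using the property paths the article shows to return the internal (BGP router) address for the connection that matches a given local IP. It assumes a VMM session in which $VmNetworkGateway is already populated (for example by the L3 script above), that the Network Controller REST URI is substituted for the placeholder, and a particular shape for the IPAddresses entries (noted in the code); the helper name, peer name, ASN and addresses are constructed.

```powershell
# Added example (not from the original article, VMM or the Network Controller):
# add the BGP peer in VMM and look up the SDN gateway internal address to hand to
# the physical network side. Assumes $VmNetworkGateway exists in the session.

# Returns the BGP router IP(s) of the virtual gateway whose network connection carries $LocalIPAddress
function Get-SdnGatewayInternalAddress {
    param(
        [Parameter(Mandatory = $true)][string] $ConnectionUri,   # Network Controller REST URI
        [Parameter(Mandatory = $true)][string] $LocalIPAddress   # L3 interface IP without the prefix, e.g. "10.127.134.55"
    )
    $gateways = @(Get-NetworkControllerVirtualGateway -ConnectionUri $ConnectionUri)
    foreach ($gw in $gateways) {
        foreach ($conn in @($gw.Properties.NetworkConnections)) {
            # Assumption: each IPAddresses entry either exposes an IPAddress property or
            # stringifies to "<ip>" or "<ip>/<prefix>"; adjust if your deployment differs
            $addrs = @($conn.Properties.IPAddresses | ForEach-Object {
                if ($_.PSObject.Properties['IPAddress']) { $_.IPAddress } else { "$_" }
            })
            $pattern = '^' + [regex]::Escape($LocalIPAddress) + '(/|$)'
            if ($addrs -match $pattern) {
                return @($gw.Properties.BgpRouters.Properties.RouterIp)
            }
        }
    }
    return $null
}

# Step 1: add the BGP peer (the physical network gateway) to the tenant virtual gateway.
# Peer name, IP and ASN are constructed example values.
$peer = Add-SCBGPPeer -Name "peer1" -PeerIPAddress "10.127.134.65" -PeerASN 65010 -VMNetworkGateway $VmNetworkGateway

# Step 2: determine the SDN gateway internal address for this L3 connection.
$internalIp = Get-SdnGatewayInternalAddress -ConnectionUri "https://<NC REST uri>" -LocalIPAddress "10.127.134.55"
if (-not $internalIp) {
    Write-Warning "No virtual gateway connection carries 10.127.134.55; check LocalIPAddresses"
    return
}

# Steps 3 and 4 happen on the physical network gateway; emit exactly what it needs:
# a BGP neighbour at the internal address, reached via a route whose next hop is the L3 interface IP.
[pscustomobject]@{
    BgpPeerIpForPhysicalGateway = $internalIp
    RouteDestination            = ($internalIp | ForEach-Object { "$_/32" })
    RouteNextHop                = "10.127.134.55"
}
```

Matching on the exact local IP (anchored regex, with or without a prefix length) rather than a substring avoids pairing 10.127.134.5 with a connection that carries 10.127.134.55; the returned object is the hand-off to whoever configures the physical router.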

Set up the traffic selector from VMM PowerShell

Use the following procedure:

Note

The values used are examples only.

  1. Create the traffic selector using the following parameters.

    ```powershell
    $t = New-Object Microsoft.VirtualManager.Remoting.TrafficSelector

    $t.Type = 7              # IPv4 = 7, IPv6 = 8
    $t.ProtocolId = 6        # TCP = 6; reference: https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
    $t.PortStart = 5080
    $t.PortEnd = 5090
    $t.IpAddressStart = "10.100.101.10"
    $t.IpAddressEnd = "10.100.101.100"
    ```

  2. Configure the traffic selector above using the -LocalTrafficSelectors parameter of Add-SCVPNConnection or Set-SCVPNConnection.
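A traffic selector is the narrowing control on an IPsec site-to-site tunnel: it limits which address range, protocol and ports are carried, so a mistyped port range or mismatched address family silently widens or breaks the policy. The following PowerShell is an added example, not code from the article or from VMM; it wraps the object construction above in a function that validates the inputs and picks the Type value from the address family, then applies the selector to an existing connection with Set-SCVPNConnection -LocalTrafficSelectors (the parameter the article names). The helper name, the connection name and the address and port values are constructed; $VmNetworkGateway is assumed to exist in your VMM session.

```powershell
# Added example (not from the original article or from VMM): build a validated
# TrafficSelector and apply it to an existing VPN connection.
function New-VmmTrafficSelector {
    param(
        [Parameter(Mandatory = $true)][string] $IpAddressStart,
        [Parameter(Mandatory = $true)][string] $IpAddressEnd,
        [int] $ProtocolId = 6,        # TCP by default; see the IANA protocol number list
        [int] $PortStart  = 0,
        [int] $PortEnd    = 65535
    )
    $start = [System.Net.IPAddress]::Parse($IpAddressStart)
    $end   = [System.Net.IPAddress]::Parse($IpAddressEnd)
    if ($start.AddressFamily -ne $end.AddressFamily) {
        throw "IpAddressStart and IpAddressEnd must be in the same address family"
    }
    if ($PortStart -lt 0 -or $PortEnd -gt 65535 -or $PortStart -gt $PortEnd) {
        throw "Invalid port range $PortStart-$PortEnd"
    }

    $t = New-Object Microsoft.VirtualManager.Remoting.TrafficSelector
    # Type values from the article: 7 = IPv4, 8 = IPv6
    $t.Type = if ($start.AddressFamily.ToString() -eq 'InterNetworkV6') { 8 } else { 7 }
    $t.ProtocolId     = $ProtocolId
    $t.PortStart      = $PortStart
    $t.PortEnd        = $PortEnd
    $t.IpAddressStart = $IpAddressStart
    $t.IpAddressEnd   = $IpAddressEnd
    return $t
}

# Restrict the tunnel to one application's TCP port range on one address range (constructed values)
$selector = New-VmmTrafficSelector -IpAddressStart "10.100.101.10" -IpAddressEnd "10.100.101.100" `
                                   -ProtocolId 6 -PortStart 5080 -PortEnd 5090

# Apply it to an existing IPsec site-to-site connection (connection name is constructed)
$conn = Get-SCVPNConnection -VMNetworkGateway $VmNetworkGateway -Name "Contoso_S2S"
Set-SCVPNConnection -VPNConnection $conn -LocalTrafficSelectors @($selector)
```

Pass the selector as an array even when there is only one, since the parameter accepts a list; to carry several port ranges, build one selector per range and pass them together.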