All posts by admin

Refreshing my memory on cisco ACI

Almost been a year that i was trained on ACI, hence, would like to refresh my memory before its completely ¬†wiped off ūüôā

My first impression, i felt the product was quite interesting because simplification of networking configuration/application ¬†driven policy/Micro segmentation/Multi-tenancy/automation…

My view,  takes little time to understand for core networking folks but the person who is from Core Network + virtualization  cloud able to understand the concepts well and able to integrate ACI with different hypervisors with ease(VMvamre vSwitch/Hyper-v,Xen,Openstack(Neutron Component as well)

What is ACI??? 

Application Centric Infrastructure (ACI) in the data center is a holistic architecture with centralized automation and policy-driven application profiles. ACI delivers software flexibility with the scalability of hardware performance.

Key characteristics of ACI include:

  • Simplified automation by an application-driven policy model
  • Centralized visibility with real-time, application health monitoring
  • Scalable performance and multi-tenancy in hardware

Works on eVxlan, it extension of Vxlan

In simple, what is Vxlan:

VXLAN enables you to create a logical network for your virtual machines across different networks. You can create a layer 2 network on top of your layer 3 networks. This is why VXLAN is called an overlay technology. Normally if you want a virtual machine to ‚Äútalk‚ÄĚ to a virtual machine in a different subnet you need to use a layer 3 router to bridge the gap between networks.

  1. Each VXLAN(Virtual extension lan) is LAN extension over L3 and  segment has unique  24-bit Virtual Network Identifier(VNI) enables up to 16 Million  unique virtual LAN segments.
  2. VXLAN uses MAC over IP/UDP.
  3. VXLAN is first host based overlays means,VXLAN  encap and decap starts from physical server and virtual switch sitting on physical server.
  4. Enables VM mobility at layer 2 across layer 3 boundaries

For more information on Layer2 over Layer 3 protocols, please go through Massive data center design book which covers(TRILL,Fabric path, VXLAN,NVGRE)

Overview:

VXLAN

ACI infrastructure essentially has 3 components:

  • Spine Switches (SPINE -> 9500 series, Baby Spine -> 9336PQ)
  • Leaf Switches (LEAF -> 9396 (2U) & 93128 (3U))
  • Application Policy Infrastructure Controller – APIC Cluster (min 3 devices in a cluster)
  • As of now 6 Spines and 18 leaves are supported in an ACI fabric. The ratio of Spine to Leaf is 1:3
  • Support upto 1000 tenants and 128K End point
  • North bound ports on the Spine are always 40 Gig while South bound ports on the Leaf for Access layer are 1/10 Gig
  • ACI also comes with a different line card which is other than the conventional Nexus line cards
  • Leaf and Spine switches communicate with each other through IS-IS protocol
  • Please refer below link for more information
  • NFE -> Switching (Broadcom T2), ALE -> Routing (Cisco)

Hardware information:

ACI-Hardware

Partner Ecosystem(stale data): uses oplex protocol(Cisco ) for integration, as per my knowledge, ACI does not support openflow protocol.

L4-L7 Compatibility List:

Vendor Products Software First Certified APIC Release Link to the Device Package
Cisco ASA 5585 and ASAv ASA 5585 – 8.4 and later

ASAv – 9.2.1 and later

1.0(1x) ASA Device Packages
A10 Thunder Appliances – Hardware, Hybrid Virtual, Virtual 1.0 and later 1.0(1x) A10 Networks Device Package
AVI Networks 15.1 and later 1.0(2x) AVI Device Package
Citrix NetScaler MPX, SDX, VPX 10.1 and later 1.0(1x) Citrix Device Package
F5 BIG-IP LTM Physical and Virtual 11.4.1 and later 1.0(1x) F5 Device Packages
Radware Alteon VX 30.0.4.0 and later 1.0(2x) Radware Device Package
As we all are aware of that ACI works on Declarative  model but what is the difference between imperative and Declarative model
Imperative-Model
Declarative:
Declerative-Model
ACI terminology(Depicted in different format for better understanding):
Tenant
Teneant – Can be customer/BU/Environment(prod/Dev/Test)
Context/Private Network – Nothing but VRF in networking terminology
Bridge domain – SVI, a container for subnets
EPG(End point group) –¬†EPG`s are used to group end points (such as physical hosts or VMs together with similar policy requirements.
Contract – Policies between EPG`s,we can call it as ACL also.
¬† ¬† ¬† ¬† -Consumer –> Outgoing
¬† ¬† ¬† ¬†– Provided ¬†–> Incoming
¬†Contd……

AWS limitations

Good to know the limitations of AWS, will be handy when you architect  solution on AWS and also very useful for AWS solution architect preparation.

  1. Two hundred subnets per Amazon VPC
  2. One Internet Gateway per VPC
  3. Five Virtual Private Gateways per AWS account per Region
  4. Fifty Customer Gateways per AWS account per Region
  5. Ten IPsec VPN Connections per Virtual Private Gateway
  6. EC2 Instance ‚Äď Default Limit: 20 per region
  7. EBS Volume ‚Äď Default Limit: 5000 volumes or an aggregate size of 20 TiB
  8. Elastic IP ‚Äď Default Limit: 5 per region
  9. Elastic Load Balancer ‚Äď Default Limit: 10
  10. High I/O Instance ‚Äď Default Limit: 2
  11. Virtual Private Cloud ‚Äď Default Limit: 5
  12. EC2 Security Groups (EC2 Classic)- Max: 500 in each region for each account, and each Security Group can have a maximum of 100 rules/permissions.
  13. EC2 Security Groups (EC2-VPC) ‚Äď Up to 100 security groups per VPC

Source :¬†http://www.logicworks.net/blog/2014/09/understanding-limits-aws/ ¬†—> Added Missed stuff.

 

 

 

AWS vs AZURE Networking – Mapped to Networking terminology

When I was going thorough AWS and AZURE Networking, collected the network terminology used in public cloud and tried to map to physical/logical networking terminology, will be handy when you are  configuring networking stuff on public clouds.

S.No AWS AZURE Explanation in Networking terminology Remarks
1 VPC (Virtual Private cloud) VNET your own data center  
2 NACL(Network ACL) РStateless NACL Perimeter security  
3 S/w Router   works as a router  
4 Route table(static routes to be added) Through power shell need to add static routes Static routes  
5 Private/Public subnet Private/Public subnet Private/Public subnet  
¬† Elastic IP Reserved IP N/A Public IP gets changed once you reboot the instance, but elastic/reserved IP doesn’t change after stop/start the instance.
6 NAT instance NA Static/Dynamic NAT   
7 ELB(Elastic Load balancing) РPublic Availability Set Load balancer for public facing  
8 ILB(Internal Load balancing) РPrivate Availability Set Load balancer for private facing  
9 Internet gateway Gateway For internet access (default routed to be added towards internet GW)  
10 VPN gateway VPN gateway To build VPN tunnel(AWS to ON-PREM)  
11 Secuirty group(Staefull) End points More secure to instance/server  
12 Route 53 Traffic Manager Nothing but Global site load balancer  

Below is the sample  diagram of Network connectivity flow in AWS.

AWS Networking

 

How to deploy barracuda Web Application firewall on Azure

  1 WAF virtual Appliance functionality

¬†¬†¬†¬†¬†¬† 1.1 Barracuda Web Application Firewall ‚Äď Overview

          The Barracuda Web Application Firewall blocks an ever-expanding list of sophisticated web-based intrusions and attacks that target applications hosted on web servers and in the cloud. The Barracuda Web Application Firewall scans all inbound web traffic to block attacks, and inspects the HTTP responses from the configured back-end servers for Data Loss Prevention (DLP). The integrated access control engine enables administrators to create granular access control policies for Authentication, Authorization & Accounting (AAA) without requiring application changes. The onboard L4/L7 Load Balancing capabilities enable organizations to add back-end servers quickly to scale deployments as they grow. Its application acceleration capabilities like SSL Offloading, caching, compression, and connection pooling ensure faster application delivery of the web application content

       1.2 Key Future

  • Protection from common, high-visibility attacks¬†‚Äď SQL injection, Cross Site Scripting, Command injection, CSRF,XML¬†attacks,¬†Antivirus Protection,¬†Adaptive Profiling
  • Protection from attacks based on session state¬†‚Äď Session Hijacking,¬†Cookie Tampering,¬†Clickjacking Brute Force Attack Prevention
  • Application denial of service (DoS) protection¬†‚ÄstSlow Client Attack,¬†DDoS Prevention¬†using CAPTCHA,¬†IP Reputation Filter
  • Data Theft Protection¬†‚Äď Deep inspects all server responses to prevent leakage of sensitive information using provided default patterns (credit card data, social security numbers, etc.) or¬†User Defined Patterns¬†(Custom Patterns).
  • Website Cloaking¬†‚Äď Strips identifying banners and version numbers from web server software and provides customizable HTTP error handling to defeat server fingerprinting attacks (suppressing error codes and filtering headers).
  • Access Control¬†‚Äď Form and Basic Authentication and Single Sign On with integrations into LDAP, RADIUS, CA SiteMinder, RSA SecurID, Kerberos, SMS Passcode
  • Application Delivery¬†‚ÄstLoad Balancing,¬†Caching and Compression, SSL Offloading,¬†Rate Control
  • Logging, Reporting and Monitoring¬†‚Äď Inbuilt reporting module, Web Firewall Logs, Access Logs, Audit Logs, Configuring Syslog

       1.3 Azure Limitations to Barracuda Web Application Firewall

  • Only one VIP address can be use.
  • Only one WAN Port can be used for all incoming and outgoing traffic.
  • VIP Port can be unique like http/https/8080.
  • Barracuda web application firewall can be used as active and active mode in Azure Cloud.

       1.4 Installing the Barracuda Web Application Firewall.

The Barracuda Web Application Firewall is available on Microsoft Azure with   the Bring    Your Own License (BYOL) and Hourly / Metered options. For BYOL, Barracuda offers four models. The table below lists each model, the    corresponding Instance Type to be used in Microsoft Azure, the default CPU and Memory for the instance.

    Barracuda WAF  Instance Type in Azure Default vCPU Default Memory
Level 1 A1 1 1.7 GB
Level 5 A2 2 3.5 GB
Level 10 A3 4 7 GB
Level 15 A4 8 14 GB

If you want to increase the performance of a license that you have already purchased, you can buy additional cores from Barracuda and reconfigure for a larger instance type and Hourly /Metered model and instance Type( on supported instance types, Default vCPU, Default Memory and Hourly pricing)

  1. Log into the Microsoft Azure Management Portal
  2. Click Marketplaceat the bottom of the screen

mkt ppla-1

In the Marketplace window, select Virtual Machines and enter Barracuda Web Application Firewall in the text field.mkt place-2

  1. Mouse over the search result and select Barracuda Web Application Firewall
  2. (BYOLor Hourly/Metered as per your requirement). Read the product overview and click Create.

mkt place-3

On the Create VMpagepic-1

  1. Enter the host name in the wafprd02 field.
  2. Enter a username in the¬†‚Äúmind‚ÄĚ field. This entry is not used by the Barracuda Web Application Firewall.
  3. Under Authentication Type, choose SSH Public Key or Password (mind@123) based on your selection. Note that this entry will not be used by the Barracuda Web Application Firewall.
  4. Select the PRICING TIER based on your requirement.
  5. In the OPTIONAL CONFIGURATION section, do the following:
    1. AVAILABILITY SET РWAFAVSET.
    2. NETWORK¬†‚Äď Customer01

Note:  It is recommended to assign a Static IP address to the Barracuda Web Application Firewall.

    1. STORAGE ACCOUNT РSelect an existing storage account or create a storage account
    2. ENDPOINTS РBy default, port 8000 (TCP) and port 443 (TCP) will be opened as endpoints to access the web interface of the Barracuda Web Application Firewall.  Configure additional endpoints which you want to use for creating services on the Barracuda Web Application Firewall.
    3. EXTENSIONS РDo not add any extension, as the Barracuda Web Application Firewall does not support extensions.
  1. Select a group in RESOURCE GROUP.
  2. Choose the subscription for the instance and click Create.mkt place-4mkt place-5

Note: it will take 15-20 mints for installed the WAF in Azure Virtual network and deploy the secondary wafprd03 same as wafprd02.

        1.5 Set up a High Availability Environment with the Barracuda Web Application Firewall

  1. Install each system and ensure that each Barracuda Web Application Firewall is running the same firmware version. Each Barracuda Web Application Firewall in a cluster must have the same model number and firmware version.
  2. Make a backup of each Barracuda Web Application Firewall configuration.
  3. No processes should be running on any virtual machine when you link them together. To be sure, go to the ADVANCED > Task Manager page of each Barracuda Web Application Firewall and verify that no processes are running.
  4. From the¬†ADVANCED > High Availability¬†page of wafprd02, enter a¬†Cluster Shared Secret¬†password (‚Äúadmin‚ÄĚ), and click¬†Save.
  5. From the ADVANCED > High Availability page of wafprd03, do the following:
    1. Enter the same¬†Cluster Shared Secret¬†password (‚Äúadmin‚ÄĚ), and click¬†Save. Both units in a cluster must have the same Cluster Shared Secret to communicate with each other.
    2. In the Clustered Systems section, enter the WAN IP address of wafprdo02 (10.135.0.8), and click Join Cluster. Make sure that the join cluster task is not cancelled when the join is in progress.
  6. On each Barracuda Web Application Firewall, refresh the ADVANCED > High Availability page, and verify the following:
    1. Each system’s Hostname, serial number and WAN IP address appears in the¬†Clustered Systems¬†list.
    2. The identity of the system (Self or Peer) displays in the Type field.
    3. The Status is green for all virtual machines in the cluster.

Wafprd02

pic-3

Wafprd03

pic-4

Cluster Status in both WAFsCLUSTER STATUS

       1.6 Set up Load Balancing on the First Barracuda Web Application Firewall Instance

  1. Log into the Microsoft Azure Portal.
  2. On the Microsoft Azure Home page, click Browse and select Virtual Machines.
  3. In the Essentials section, click All Settings, and select Load balanced sets.
  4. On the Load balanced sets page, click Join and specify values for the following fields in theJoin a load balanced set page:
  5. Set the Load balanced set type to Public
  6. Endpoint Name: HTTP
  7. Private Port: Enter the internal port that should listen to traffic on the endpoint. Example: 80.
  8. Click LOAD-BALANCED-SET Configure required settings, and select create a load balanced set.
  9. On the Create a load balanced setpage, specify values for the following fields:
  10. Name: Enter a name for the load-balanced set. Example: HTTP
  11. Protocol: Select TCP from the list.
  12. Public Port: Enter the port number of the service you are load balancing. Example: Port 80 for HTTP traffic.
  13. Set Floating IP to Disabled.
  14. Select the Protocol to be used for probing, enter values for Port, Interval (seconds) and Number of retries as required, and click OK.END POINT

       1.7 Add Other Barracuda Web Application Firewall Instances to the Load-Balanced Set

After you create the load-balanced set for wafprd02, add other Barracuda Web Application Firewall virtual machines to the set. Example: wafprd03

  1. Log into the Microsoft Azure Portal.
  2. On the Microsoft Azure Home page, click Browse and select Virtual Machines.
  3. On the Virtual Machines page, select wafprd03.
  4. In the Essentials section, click All Settings, and select Load balanced sets.
  5. On the Load balanced sets page, click Add and specify values for the following fields in the Join a load balanced set page:
    1. Set the Load balanced set type to Public.
    2. Click LOAD-BALANCED-SET Configure required settings.
  6. On the Choose a load balanced set page, select the load balanced set you created in step 6under Step 3. Set Up Load Balancing on the First Barracuda Web Application Firewall Instance.
  1. Under Join a load balanced set, you will see the load balanced set associated with the wafprd03
  2. Click OKto add the wafprd03 instance to the load balanced set.
  3. Repeat the process to add more Barracuda Web Application Firewall virtual machines to the load-balanced set and different ports like Https.END POINT

       1.8 Creating Services

   Creating an HTTP Service: An HTTP service is a controlled entry point for an HTTP web application on the server. To create an HTTP service, select HTTP as the type of service.Rules added to the Service allow content-aware processing decisions for Web traffic coming into that Service. Rules can use HTTP request headers to make load balancing and caching policy decisions. To add a content rule to a Service:Services

pic-4

  1.  From the BASIC > Services page in the Services section find the Service to which you want to add a content rule.
  2. Click Rule next to the Service. The Add Content Rule window appears.
  3. Specify values for the following fields:
    1. Rule Group Name¬†‚Äď Name to identify this rule group ‚ÄúPROD-SC-DUR01″
    2. Status¬†–¬†Set to¬†On¬†to make this rule group part of the rule match.
    3. Host Match¬†‚Äst‚Äú/*‚ÄĚ
    4. Extended Match¬†‚Äď Not required
    5. Extended Match Sequence¬†‚ÄstNot Required
  4. Click Add.pic-5

      1.9 How to Add a Real Server

  1.  From the BASIC > Services page in the Services section, identify the Service to which you want to add a real server.
  2. Click the Server option next to the Service to add the server. The Add Real Server window appears.
  3. Specify values for the following:
    1. Server Name¬†‚Äď Enter a name to identify this server.‚ÄĚSC-PRDCD01‚ÄĚ & ‚ÄĚSC-PRDCD02‚ÄĚ
    2. IP Version¬†‚Äď Select the Internet Protocol Version from the drop-down list.‚ÄĚ IP4/IPV6‚ÄĚ
    3. IP Address¬†‚Äď Enter the IP address of the server.‚ÄĚ 10.135.2.4 ‚Äú ‚Äú10.135.2.5‚ÄĚ
    4. Port¬†‚Äď Enter the port number of the server. *80‚ÄĚ
    5. Backup Server¬†‚Äď Set to¬†Yes¬†if you want this server to be used when all other servers fail, or are out of service.
    6. Weight¬†‚Äď Set the load balancing weight for the server.
  4. Click Add.pic-6pic-7

      1.10 Backing up and restoring your System Configuration

 The ADVANCED > Backup page lets you backup and restore the configuration of your Barracuda Webpic-8

Application Firewall. You should backup your system on a regular basis in case you need to restore this information on a replacement Barracuda Web Application Firewall or in the event your current system data becomes corrupt.

If you are restoring a backup file on a new Barracuda Web Application Firewall that is not configured, you need to assign your new system an IP address and DNS information.

      1.11 Updating the Firmware of your Barracuda Web Application Firewall 

The ADVANCED > Firmware Update page allows you to manually update the firmware version of the system or revert to a previous version. The only time you should revert back to an old firmware version is if you recently downloaded a new version that is causing unexpected problems. In this case,call Barracuda Networks Technical Support before reverting back to a previous firmware version.

If you have the latest firmware version already installed, the Download Now button will be disabled.

 1.12 Updating the Attack, Virus and Security Definitions 

The ADVANCED > Energize Updates page allows you to manually update the attack, virus and Security definition, as well as change the interval at which the Barracuda Web Application Firewall Checks for updates. Energize Updates provide the Barracuda Web Application Firewall with the latest Definitions.

Recommend that the Automatically Update setting be set to Hourly so you’re Barracuda Web Application Firewall receives the latest definitions as soon as new threats are identified by Barracuda Central.

The following table describes the common fields for Attack, Virus and Security Definition Updates.

Click Save Changes after making any changes

Field Description
Current Installed Version Starts the Barracuda Web Application Firewall in the normal (default) mode. This option is automatically selected if no other option is specified within the first three (3) seconds of the splash screen appearing
Latest General Release Displays the latest version that is available. If the current version running on the Barracuda Web Application Firewall is not the latest, click Update to download the latest version.The Update button is disabled if the system already has the latest version.
Previously Installed Version Displays the previously installed version that was running on the system. To go back to this version of the definitions, click Revert
Automatically Update Determines the frequency at which the Barracuda Web Application Firewall checks for updates. To disable automatic updates, select Off.Hourly updates occur at the beginning of each hour. Daily updates occur at 12:20am (twenty after midnight) based on the system time
zone. The recommended setting is Hourly.
  1. Click download Option

Initial IOS is 7.9.0.021 and upgrade to 7.9.10.010

pic-9

  1. Click Apply Now buttonPIC-14
  2. Rebootingpic-11PIC-15
  3. After 15-20 mints, login into WAF device and check device in cluster or not.pic-12
  1. Check current IOS is upgrade or notpic-13
  2. Check traffic is load balancing or not and active and active.
  3. Same procedure for the other WAF and followed same steps also.

How to address dynamic routing issue in Azure with ASA

When we are trying to build the tunnel from Azure to cisco  ASA with dynamic routing (IKEV1 & IKEV2) , tunnel is not coming up later found that ASA does n`t support azure dynamic routing(IKEV2 doesn`t support ASA 8.0)  and looked at couple of options viz express route and installing virtual firewall etc..

Here are supported links..

http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/118743-configure-asa-00.html –> 8.4 and above supports IKE v2

Finally we have come up with different approach to fix this…

Created to two VNET`s,  one VNET used for creating dynamic routing gateway and build the VPN tunnel`s on supported vendors(checkpoint and juniper ) .

Second VNET used to create static gateway and build the tunnel between Azure and enabled communication between VNET`s over public IP~s with restrictions.

One more thing that  Vnet to Vnet  Latency is less than 10ms ( Azure Public IP address traffic will not traverse through internet ) and it looks like LAN

Step-by-step configuration:

http://blog.kloud.com.au/2014/06/10/microsoft-azure-multi-site-vpn/

For troubleshoot we require PowerShell scripting s/w which can be downloaded from below link

http://www.microsoft.com/en-in/download/details.aspx?id=2560

Here is the troubleshooting commands through PowerShell but before that we have to connect to Azure account with couple of commands.

Add-Azureaccount –> pop`s up the user credentials window there you have to¬† type the azure account details.

Pre share creation
Set-AzureVNetGatewayKey -VNetName -LocalNetworkSiteName “xxxx” -SharedKey Cisco123

Initiating the traffic from VPN tunnel
Set-AzureVNetGateway -Connect ‚ÄďLocalNetworkSiteName ‚Äútest‚ÄĚ ‚ÄďVNetName ‚Äúcustomer01‚ÄĚ

PS C:\> Get-AzureVnetConnection -VNetName “test”

ConnectivityState : NotConnected
EgressBytesTransferred : 0
IngressBytesTransferred : 0
LastConnectionEstablished : 1/1/1601 5:30:00 AM
LastEventID : 21601
LastEventMessage : Unable to establish the cross-premise tunnel for site ‘MT-NOC-BLR’. Previous state:
Initializing. Current state: Not Connected.
LastEventTimeStamp : 8/23/2015 12:54:53 PM
LocalNetworkSiteName : test
OperationDescription :
OperationId :
OperationStatus :

http://blogs.technet.com/b/keithmayer/archive/2014/12/18/diagnose-azure-virtual-network-vpn-connectivity-issues-with-powershell.aspx

Duracell - sateesh-jpeg

Even we can configure VPN wit Azure PowerShell script:

<VirtualNetworkConfiguration>
<Dns />
<LocalNetworkSites>
<LocalNetworkSite name=”Site-01″>
<AddressSpace>
<AddressPrefix>10.20.3.0/24</AddressPrefix> —> In azure,localnetworks called as remote networks in networking language.
</AddressSpace>
<VPNGatewayAddress>1.1.1.1</VPNGatewayAddress> —> Site01- VPN Peer IP(Public IP add)
</LocalNetworkSite>
<LocalNetworkSite name=”Site-02>
<AddressSpace>
<AddressPrefix>172.20.3.0/24</AddressPrefix> –> Remote Network
</AddressSpace>
<VPNGatewayAddress>2.2.2.2</VPNGatewayAddress> —> Site02- VPN Peer gateway address (Public Address)
</LocalNetworkSite>
</LocalNetworkSites>
<VirtualNetworkSites>
<VirtualNetworkSite name=”VNET-01″ Location=”South Central US”>
<AddressSpace>
<AddressPrefix>10.10.0.0/21</AddressPrefix> —-> Local Supernet for Site01(Azure end)
</AddressSpace>
<Subnets>
<Subnet name=”mgmtsubnet”> —-> Local Subnet(Azure end)
<AddressPrefix>10.10.1.0/24</AddressPrefix>
</Subnet>
<Subnet name=”proddbsubnet”> —-> Local Subnet (Azure End)
<AddressPrefix>10.10.2.0/24</AddressPrefix>
</Subnet>
<Subnet name=”GatewaySubnet”> —-> VNET-01 VPN Gateway
<AddressPrefix>10.10.4.0/29</AddressPrefix>
</Subnet>
</Subnets>
<Gateway>
</VirtualNetworkSite>
<VirtualNetworkSite name=”VENT-02″ Location=”South Central US”>
<AddressSpace>
<AddressPrefix>172.16.0.0/23</AddressPrefix> —> Local Subpernet for site02(Azure End)
</AddressSpace>
<Subnets>
<Subnet name=”Mgmt-VNET02″>
<AddressPrefix>172.16.0.0/26</AddressPrefix>
</Subnet>
<Subnet name=”GatewaySubnet”>
<AddressPrefix>172.16.0.64/29</AddressPrefix>
</Subnet>
</Subnets>
<Gateway>
<ConnectionsToLocalNetwork> —-> Global Configuration
<LocalNetworkSiteRef name=”Site-01″>
<Connection type=”IPsec” />
</LocalNetworkSiteRef>
<LocalNetworkSiteRef name=”Site-02″>
<Connection type=”IPsec” />
</LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>
</Gateway>
</VirtualNetworkSite>
</VirtualNetworkSites>
</VirtualNetworkConfiguration>
</NetworkConfiguration>