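I. Networking requirements:
A customer network uses an SR6602 router as its egress gateway, connected to the public network over three carrier links. In this example, MSR30-20 routers simulate the carrier gateway devices.
The customer wants to meet the following requirements:
1. Divide the intranet users into 3 network segments. This example uses 3 PCs (PC1: 40.1.1.2; PC2: 40.1.1.3; PC3: 40.1.1.4) to simulate them.
2. All 3 segments can access the public network. This example uses IP address 1.1.1.1 to simulate a public server.
3. For the traffic of the 3 segments, implement load sharing and link backup as follows:
(1) Segment 1 uses Link1 to access the public network. When Link1 fails, it uses Link2; when Link1 and Link2 fail at the same time, it uses Link3.
(2) Segment 2 uses Link2 to access the public network. When Link2 fails, it uses Link3; when Link2 and Link3 fail at the same time, it uses Link1.
(3) Segment 3 uses Link3 to access the public network. When Link3 fails, it uses Link1; when Link3 and Link1 fail at the same time, it uses Link2.
(4) When the carrier's transmission equipment (simulated by SW) or a transmission link fails, traffic must still switch over as described above, even though the SR6602 port facing the carrier remains UP.
Analysis shows that this requirement can be met by configuring policy-based routing (PBR) linked with BFD.
Devices and versions: 1 SR6602 router (version R3103P08), 3 MSR30-20 routers, 4 SW.
II. Network diagram:
III. Configuration steps: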
SR6602 configuration:
#
acl number 3001
 rule 0 permit ip source 40.1.1.2 0 destination 1.1.1.1 0
acl number 3002
 rule 0 permit ip source 40.1.1.3 0 destination 1.1.1.1 0
acl number 3003
 rule 0 permit ip source 40.1.1.4 0 destination 1.1.1.1 0
# //Define three ACLs that match the flows from PC1, PC2 and PC3 to 1.1.1.1
#
policy-based-route h3c permit node 10 //Create PBR policy h3c, policy node 10
 if-match acl 3001 //If ACL 3001 matches
 apply ip-address next-hop 10.1.1.2 track 1 //Set the next hop to 10.1.1.2 and associate track 1
 apply fail-action continue //If this node fails, continue with the next node
policy-based-route h3c permit node 20 //Policy node 20
 if-match acl 3002 //If ACL 3002 matches
 apply ip-address next-hop 20.1.1.2 track 2 //Set the next hop to 20.1.1.2 and associate track 2
 apply fail-action continue
policy-based-route h3c permit node 30 //Policy node 30
 if-match acl 3003 //If ACL 3003 matches
 apply ip-address next-hop 30.1.1.2 track 3 //Set the next hop to 30.1.1.2 and associate track 3
 apply fail-action continue
policy-based-route h3c permit node 40 //Policy node 40
 if-match acl 3001 //If ACL 3001 matches
 apply ip-address next-hop 20.1.1.2 track 2 //Set the next hop to 20.1.1.2 and associate track 2
 apply fail-action continue
policy-based-route h3c permit node 50 //Policy node 50
 if-match acl 3002 //If ACL 3002 matches
 apply ip-address next-hop 30.1.1.2 track 3 //Set the next hop to 30.1.1.2 and associate track 3
 apply fail-action continue
policy-based-route h3c permit node 60 //Policy node 60
 if-match acl 3003 //If ACL 3003 matches
 apply ip-address next-hop 10.1.1.2 track 1 //Set the next hop to 10.1.1.2 and associate track 1
 apply fail-action continue
policy-based-route h3c permit node 70 //Policy node 70
 if-match acl 3001 //If ACL 3001 matches
 apply ip-address next-hop 30.1.1.2 track 3 //Set the next hop to 30.1.1.2 and associate track 3
 apply fail-action continue
policy-based-route h3c permit node 80 //Policy node 80
 if-match acl 3002 //If ACL 3002 matches
 apply ip-address next-hop 10.1.1.2 track 1 //Set the next hop to 10.1.1.2 and associate track 1
 apply fail-action continue
policy-based-route h3c permit node 90 //Policy node 90
 if-match acl 3003 //If ACL 3003 matches
 apply ip-address next-hop 20.1.1.2 track 2 //Set the next hop to 20.1.1.2 and associate track 2
 apply fail-action continue
#
interface GigabitEthernet0/0 //Configure the interface addresses
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/1
 ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet0/2
 ip address 30.1.1.1 255.255.255.0
#
interface GigabitEthernet0/3
 ip address 40.1.1.1 255.255.255.0
 ip policy-based-route h3c //Apply forwarding policy h3c on G0/3
#
track 1 bfd echo interface GigabitEthernet0/0 remote ip 10.1.1.2 local ip 10.1.1.1 //Create BFD track 1, probing on G0/0; the remote address is MSR 1, the local address is the G0/0 interface address
track 2 bfd echo interface GigabitEthernet0/1 remote ip 20.1.1.2 local ip 20.1.1.1 //Create BFD track 2, probing on G0/1; the remote address is MSR 2, the local address is the G0/1 interface address
track 3 bfd echo interface GigabitEthernet0/2 remote ip 30.1.1.2 local ip 30.1.1.1 //Create BFD track 3, probing on G0/2; the remote address is MSR 3, the local address is the G0/2 interface address
#
MSR1 configuration:
#
interface LoopBack0 //Create loopback 1.1.1.1 to simulate the public server
 ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 10.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1 //Configure the return default route
#
MSR2 configuration:
#
interface LoopBack0 //Create loopback 1.1.1.1 to simulate the public server
 ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 20.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 20.1.1.1 //Configure the return default route
#
MSR3 configuration:
#
interface LoopBack0 //Create loopback 1.1.1.1 to simulate the public server
 ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet0/1
 port link-mode route
 ip address 30.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 30.1.1.1 //Configure the return default route
#
IV. Functional test:
1. After the configuration is complete, view the PBR match information on the SR6602 router:
dis ip policy-based-route statistics interface g0/3
Interface GigabitEthernet0/3 policy based routing statistics information:
policy-based-route: h3c
permit node 10:
if-match acl 3001
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 0
permit node 20:
if-match acl 3002
apply ip-address next-hop 11.1.1.2
apply fail-action continue
matched: 0
permit node 30:
if-match acl 3003
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 0
permit node 40:
if-match acl 3001
apply ip-address next-hop 20.1.1.2
apply fail-action continue
matched: 0
permit node 50:
if-match acl 3002
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 0
permit node 60:
if-match acl 3003
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 0
permit node 70:
if-match acl 3001
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 0
permit node 80:
if-match acl 3002
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 0
permit node 90:
if-match acl 3003
apply ip-address next-hop 20.1.1.2
apply fail-action continue
matched: 0
Total matched: 0
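When no packets have been forwarded by PBR, the match count of every policy node is 0. If it is not 0, use reset policy-based-route statistics to clear the statistics so that the following tests start from a clean count.
2. After the statistics are cleared, ping 1.1.1.1 from PC1 (4 packets by default), then view the statistics: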
dis ip policy-based-route statistics interface g0/3
Interface GigabitEthernet0/3 policy based routing statistics information:
policy-based-route: h3c
permit node 10:
if-match acl 3001
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 4
permit node 20:
if-match acl 3002
apply ip-address next-hop 11.1.1.2
apply fail-action continue
matched: 0
permit node 30:
if-match acl 3003
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 0
permit node 40:
if-match acl 3001
apply ip-address next-hop 20.1.1.2
apply fail-action continue
matched: 0
permit node 50:
if-match acl 3002
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 0
permit node 60:
if-match acl 3003
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 0
permit node 70:
if-match acl 3001
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 0
permit node 80:
if-match acl 3002
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 0
permit node 90:
if-match acl 3003
apply ip-address next-hop 20.1.1.2
apply fail-action continue
matched: 0
Total matched: 4
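The statistics show that policy node 10 matched 4 times: the next hop for packets from PC1 to 1.1.1.1 was set to 10.1.1.2, so they reached 1.1.1.1 over LINK1.
3. Now unplug the cable from MSR1 G0/1. The PBR-BFD linkage detects that MSR1 is unreachable and notifies the SR6602 router. Packets then match the next PBR node.
Ping 1.1.1.1 from PC1 again (4 packets by default), then view the statistics: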
dis ip policy-based-route statistics interface g0/3
Interface GigabitEthernet0/3 policy based routing statistics information:
policy-based-route: h3c
permit node 10:
if-match acl 3001
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 5
permit node 20:
if-match acl 3002
apply ip-address next-hop 11.1.1.2
apply fail-action continue
matched: 0
permit node 30:
if-match acl 3003
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 0
permit node 40:
if-match acl 3001
apply ip-address next-hop 20.1.1.2
apply fail-action continue
matched: 4
permit node 50:
if-match acl 3002
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 0
permit node 60:
if-match acl 3003
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 0
permit node 70:
if-match acl 3001
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 0
permit node 80:
if-match acl 3002
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 0
permit node 90:
if-match acl 3003
apply ip-address next-hop 20.1.1.2
apply fail-action continue
matched: 0
Total matched: 9
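From the output above, node 10 matched 5 times (4 from the previous ping and 1 from this ping). Once PBR finds that the next hop 10.1.1.2 in node 10 is unreachable, it executes apply fail-action continue; the packets match node 40 and reach 1.1.1.1 over LINK2.
4. Unplug the cable from MSR2 G0/1, ping 1.1.1.1 again (4 packets by default), and view the statistics: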
dis ip policy-based-route statistics interface g0/3
Interface GigabitEthernet0/3 policy based routing statistics information:
policy-based-route: h3c
permit node 10:
if-match acl 3001
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 6
permit node 20:
if-match acl 3002
apply ip-address next-hop 11.1.1.2
apply fail-action continue
matched: 0
permit node 30:
if-match acl 3003
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 0
permit node 40:
if-match acl 3001
apply ip-address next-hop 20.1.1.2
apply fail-action continue
matched: 5
permit node 50:
if-match acl 3002
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 0
permit node 60:
if-match acl 3003
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 0
permit node 70:
if-match acl 3001
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 4
permit node 80:
if-match acl 3002
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 0
permit node 90:
if-match acl 3003
apply ip-address next-hop 20.1.1.2
apply fail-action continue
matched: 0
Total matched: 15
The output above shows that the packets reach 1.1.1.1 over LINK3.
5. Now plug the cable back into MSR1 G0/1, ping 1.1.1.1 again (4 packets by default), and view the statistics:
dis ip policy-based-route statistics interface g0/3
Interface GigabitEthernet0/3 policy based routing statistics information:
policy-based-route: h3c
permit node 10:
if-match acl 3001
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 10
permit node 20:
if-match acl 3002
apply ip-address next-hop 11.1.1.2
apply fail-action continue
matched: 0
permit node 30:
if-match acl 3003
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 0
permit node 40:
if-match acl 3001
apply ip-address next-hop 20.1.1.2
apply fail-action continue
matched: 5
permit node 50:
if-match acl 3002
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 0
permit node 60:
if-match acl 3003
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 0
permit node 70:
if-match acl 3001
apply ip-address next-hop 30.1.1.2
apply fail-action continue
matched: 4
permit node 80:
if-match acl 3002
apply ip-address next-hop 10.1.1.2
apply fail-action continue
matched: 0
permit node 90:
if-match acl 3003
apply ip-address next-hop 20.1.1.2
apply fail-action continue
matched: 0
Total matched: 19
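The statistics now show that the packets reach 1.1.1.1 over LINK1.
The packet matching behaviour for PC2 and PC3 is similar to that of PC1 and is not repeated here.
V. Summary:
1. When configuring PBR forwarding rules, if the egress is an Ethernet link, the apply rule cannot specify an outgoing interface and must specify a next-hop address; on a serial link the outgoing interface may be specified. The principle is similar to static routes: Ethernet is a broadcast link type, so a next-hop address is required, whereas a serial link can use an outgoing interface.
2. PBR must be linked with BFD on the SR6602 router, because the SR6602 is not necessarily directly connected to the carrier device. If a link fails or an address changes, the SR6602-side interface stays UP and the router still considers the destination segment reachable, which causes packet loss.
3. The apply fail-action continue command must be configured on every policy node, so that when the current node fails, the next matching node continues processing. This is the core of the link backup function.
4. After PBR is configured, it should be applied on G0/3, the inbound interface of the data flow, where it directs how all packets received on that interface are forwarded.
5. On each MSR router, a return default or static route should be configured.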
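The node ordering in the SR6602 configuration and the cable-pull sequence from the functional test can be checked offline with a small model. This is an added example, not part of the original case or H3C code; it assumes a node fails when its track entry is down and that a packet with no usable node falls back to the normal routing table.

```python
# Added example: models the nine PBR nodes from the SR6602 configuration above.
# Assumption: a node whose track entry is down "fails", and with
# "apply fail-action continue" the packet is handed to the next node.

# (node, ACL, next hop, track) in node order, as configured in policy h3c
NODES = [
    (10, 3001, "10.1.1.2", 1), (20, 3002, "20.1.1.2", 2), (30, 3003, "30.1.1.2", 3),
    (40, 3001, "20.1.1.2", 2), (50, 3002, "30.1.1.2", 3), (60, 3003, "10.1.1.2", 1),
    (70, 3001, "30.1.1.2", 3), (80, 3002, "10.1.1.2", 1), (90, 3003, "20.1.1.2", 2),
]
# ACL -> source host it permits (the destination is 1.1.1.1 in every rule)
ACL_SRC = {3001: "40.1.1.2", 3002: "40.1.1.3", 3003: "40.1.1.4"}
LINK_OF = {"10.1.1.2": "Link1", "20.1.1.2": "Link2", "30.1.1.2": "Link3"}


def forward(src, dst, tracks_up):
    """Return (node, link) chosen for a packet, or (None, None) when every
    matching node failed and the packet is left to the routing table."""
    for node, acl, next_hop, track in NODES:
        if dst != "1.1.1.1" or ACL_SRC[acl] != src:
            continue                        # if-match acl: no match, next node
        if track in tracks_up:
            return node, LINK_OF[next_hop]  # track is up: this next hop is used
        # track is down: apply fails, fail-action continue moves on
    return None, None


def failover_order(src):
    """Order in which links are tried for one source, derived from NODES."""
    return [LINK_OF[nh] for _, acl, nh, _ in NODES if ACL_SRC[acl] == src]


if __name__ == "__main__":
    for pc in ("40.1.1.2", "40.1.1.3", "40.1.1.4"):
        print(pc, failover_order(pc))
    # Walk PC1 through the cable-pull sequence used in the functional test:
    # all up, MSR1 down, MSR1+MSR2 down, MSR1 restored, all down
    for up in ({1, 2, 3}, {2, 3}, {3}, {1, 3}, set()):
        print(sorted(up), forward("40.1.1.2", "1.1.1.1", up))
```

The last case (all three tracks down) is not exercised on the page; in the model the packet leaves PBR without a next hop, so whether it is forwarded at all depends on the SR6602 routing table.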