This document describes how to configure ECMP together with IP SLA on an FTD managed by FDM.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
This document describes how to configure Equal-Cost Multi-Path (ECMP) together with Internet Protocol Service Level Agreement (IP SLA) on a Cisco FTD managed by Cisco FDM. ECMP allows you to group interfaces together on the FTD and load-balance traffic across multiple interfaces. IP SLA is a mechanism that monitors end-to-end connectivity by exchanging packets at regular intervals. IP SLA can be implemented together with ECMP to ensure that the next hop is reachable. In this example, ECMP is used to distribute packets equally over two Internet Service Provider (ISP) circuits, while IP SLA tracks connectivity so that traffic transitions seamlessly to whichever circuit is still available when one fails.
The specific requirements for this document include:
In this example, the Cisco FTD has two outside interfaces: outside1 and outside2. Each connects to an ISP gateway, and outside1 and outside2 belong to the same ECMP zone, named outside.
Traffic from the internal network is routed through the FTD and load-balanced to the Internet over the two ISPs.
At the same time, the FTD uses IP SLA to monitor connectivity to each ISP gateway. If either ISP circuit fails, the FTD fails over to the other ISP gateway to maintain business continuity.
Log in to the FDM web GUI, click Device, then click the link in the Interfaces summary. The Interfaces list shows the available interfaces, their names, addresses and status.
Click the edit icon for the physical interface you want to edit; in this example, GigabitEthernet0/1.
In the Edit Physical Interface window:
Note: Only routed interfaces can be associated with an ECMP zone.
Repeat similar steps to configure the interface for the secondary ISP connection; in this example the physical interface is GigabitEthernet0/2. In the Edit Physical Interface window:
Repeat similar steps to configure the interface for the inside connection; in this example the physical interface is GigabitEthernet0/3. In the Edit Physical Interface window:
Navigate to Objects > Object Types > Networks and click the add icon to add a new object.
In the Add Network Object window, configure the first ISP gateway:
Repeat similar steps to configure another network object for the second ISP gateway:
Note: You must configure an access control policy on the FTD to allow the traffic; that part is not covered in this document.
Navigate to Device, then click the link in the Routing summary.
If virtual routers are enabled, click the view icon for the router in which you want to configure the static route. In this case, virtual routers are not enabled.
Click the ECMP Traffic Zones tab, then click the add icon to add a new zone.
In the Add ECMP Traffic Zone window:
Both interfaces, outside1 and outside2, have been added successfully to the ECMP zone outside.
Note: An ECMP routing traffic zone is unrelated to a security zone. Creating a security zone that contains the outside1 and outside2 interfaces does not implement a traffic zone for ECMP routing.
To define the SLA objects that monitor connectivity to each gateway, navigate to Objects > Object Types > SLA Monitors and click the add icon to add a new SLA monitor for the first ISP connection.
In the Add SLA Monitor Object window:
Repeat similar steps in the Add SLA Monitor Object window to configure another SLA monitor object for the second ISP connection:
Navigate to Device, then click the link in the Routing summary.
If virtual routers are enabled, click the view icon for the router in which you want to configure the static route. In this case, virtual routers are not enabled.
On the Static Routing page, click the add icon to add a new static route for the first ISP link.
In the Add Static Route window:
Repeat similar steps in the Add Static Route window to configure another static route for the second ISP connection:
You now have two routes, via the outside1 and outside2 interfaces.
Deploy the changes to the FTD.
Log in to the FTD CLI and run the command show zone to check the information about the ECMP traffic zones, including the interfaces that are members of each zone.
> show zone
Zone: Outside ecmp
Security-level: 0
Zone member(s): 2
outside2 GigabitEthernet0/2
outside1 GigabitEthernet0/1
Run the command show running-config route to check the running configuration for routing. In this case there are two static routes, each with route tracking.
> show running-config route
route outside1 0.0.0.0 0.0.0.0 10.1.1.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 10.1.2.2 1 track 2
Run the command show route to check the routing table. With two default routes of equal cost via interfaces outside1 and outside2, traffic can be distributed between the two ISP circuits.
> show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 10.1.2.2 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.2.2, outside2
[1/0] via 10.1.1.2, outside1
C 10.1.1.0 255.255.255.0 is directly connected, outside1
L 10.1.1.1 255.255.255.255 is directly connected, outside1
C 10.1.2.0 255.255.255.0 is directly connected, outside2
L 10.1.2.1 255.255.255.255 is directly connected, outside2
C 10.1.3.0 255.255.255.0 is directly connected, inside
L 10.1.3.1 255.255.255.255 is directly connected, inside
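The three checks above (zone membership, tracked static routes, equal-cost default routes) as one script, added here as an example and not part of the Cisco document: it parses the show zone and show running-config route outputs shown on this page (embedded as constructed sample input, with the indentation the page lost) and flags the conditions under which the two default routes would not actually form an ECMP set. The function names and report fields are the example's own.

```python
import re

# Constructed sample input: the two outputs shown on this page.
SHOW_ZONE = """\
Zone: Outside ecmp
  Security-level: 0
  Zone member(s): 2
    outside2 GigabitEthernet0/2
    outside1 GigabitEthernet0/1
"""

SHOW_RUN_ROUTE = """\
route outside1 0.0.0.0 0.0.0.0 10.1.1.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 10.1.2.2 1 track 2
"""

# route <nameif> <network> <mask> <gateway> <distance> [track <id>]
ROUTE_RE = re.compile(
    r"^route\s+(?P<iface>\S+)\s+(?P<net>\S+)\s+(?P<mask>\S+)\s+(?P<gw>\S+)"
    r"\s+(?P<distance>\d+)(?:\s+track\s+(?P<track>\d+))?\s*$"
)


def parse_zone_members(text):
    """Map each zone name (without its 'ecmp' type tag) to its member nameifs."""
    zones, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Zone:"):
            current = line.split()[1]          # 'Outside' from 'Zone: Outside ecmp'
            zones[current] = []
        elif current and not line.startswith(("Security-level", "Zone member")):
            parts = line.split()
            if len(parts) == 2:                # '<nameif> <physical interface>'
                zones[current].append(parts[0])
    return zones


def parse_static_routes(text):
    routes = []
    for raw in text.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["distance"] = int(d["distance"])
            d["track"] = int(d["track"]) if d["track"] else None
            routes.append(d)
    return routes


def check_ecmp_ready(zone_text, route_text, zone_name):
    """Report whether the tracked default routes can actually form an ECMP set."""
    zones = {name.lower(): members for name, members in parse_zone_members(zone_text).items()}
    members = sorted(zones.get(zone_name.lower(), []))
    defaults = [r for r in parse_static_routes(route_text)
                if r["net"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    problems = []
    if len(defaults) < 2:
        problems.append("fewer than two default routes; nothing to balance")
    for r in defaults:
        if r["iface"] not in members:
            problems.append(f"{r['iface']}: not a member of ECMP zone {zone_name}")
        if r["track"] is None:
            problems.append(f"{r['iface']}: default route has no SLA track, so it stays "
                            "installed even when the gateway stops answering")
    if len({r["distance"] for r in defaults}) > 1:
        problems.append("default routes have different administrative distances; "
                        "only the lowest one is installed, so there is no ECMP")
    return {
        "ok": not problems,
        "zone_members": members,
        "default_routes": [
            {"interface": r["iface"], "gateway": r["gw"],
             "distance": r["distance"], "track": r["track"]}
            for r in sorted(defaults, key=lambda r: r["iface"])
        ],
        "problems": problems,
    }


if __name__ == "__main__":
    report = check_ecmp_ready(SHOW_ZONE, SHOW_RUN_ROUTE, "outside")
    print("ECMP ready:", report["ok"])
    for r in report["default_routes"]:
        print(f"  default via {r['gateway']} on {r['interface']} (track {r['track']})")
    for p in report["problems"]:
        print("  problem:", p)
```

The distance check matters because the value after the gateway in a route line is the administrative distance: two default routes with different distances are a primary and a floating backup, not an ECMP pair, and show route would then list only one next hop.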
Run the command show sla monitor configuration to check the configuration of the SLA monitors.
> show sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1037119999
Owner:
Tag:
Type of operation to perform: echo
Target address: 10.1.1.2
Interface: outside1
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
Entry number: 1631063762
Owner:
Tag:
Type of operation to perform: echo
Target address: 10.1.2.2
Interface: outside2
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
Run the command show sla monitor operational-state to confirm the state of the SLA monitors. In this case you find Timeout occurred: FALSE in the command output, which means the ICMP echo to the gateway is being answered, so the default route via the target interface is active and installed in the routing table.
> show sla monitor operational-state
Entry number: 1037119999
Modification time: 04:14:32.771 UTC Tue Jan 30 2024
Number of Octets Used by this Entry: 2056
Number of operations attempted: 79
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 05:32:32.791 UTC Tue Jan 30 2024
Latest operation return code: OK
RTT Values:
RTTAvg: 1 RTTMin: 1 RTTMax: 1
NumOfRTT: 1 RTTSum: 1 RTTSum2: 1
Entry number: 1631063762
Modification time: 04:14:32.771 UTC Tue Jan 30 2024
Number of Octets Used by this Entry: 2056
Number of operations attempted: 79
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 05:32:32.791 UTC Tue Jan 30 2024
Latest operation return code: OK
RTT Values:
RTTAvg: 1 RTTMin: 1 RTTMax: 1
NumOfRTT: 1 RTTSum: 1 RTTSum2: 1
Initiate traffic through the FTD to verify that ECMP balances traffic between the gateways in the ECMP zone. In this case, SSH connections are initiated from Test-PC-1 (10.1.3.2) and Test-PC-2 (10.1.3.4) to the Internet host (10.1.5.2). Run the command show conn to confirm that the traffic is load-balanced between the two ISP links: Test-PC-1 (10.1.3.2) goes out via interface outside1 and Test-PC-2 (10.1.3.4) via interface outside2.
> show conn
4 in use, 14 most used
Inspect Snort:
preserve-connection: 2 enabled, 0 in effect, 12 most enabled, 0 most in effect
TCP inside 10.1.3.4:41652 outside2 10.1.5.2:22, idle 0:02:10, bytes 5276, flags UIO N1
TCP inside 10.1.3.2:57484 outside1 10.1.5.2:22, idle 0:00:04, bytes 5276, flags UIO N1
Note: Traffic is load-balanced among the specified gateways by an algorithm that hashes the source and destination IP addresses, the incoming interface, the protocol, and the source and destination ports. When you run the test, the hash can send the traffic you simulate to the same gateway; this is expected. Change any value in the 6-tuple (source IP, destination IP, incoming interface, protocol, source port, destination port) to change the hash result.
To simulate a failure of the link to the first ISP gateway, in this example the first gateway router is shut down. If the FTD does not receive an echo reply from the first ISP gateway within the threshold timer specified in the SLA monitor object, the host is considered unreachable and is marked down. The tracked route to the first gateway is then removed from the routing table.
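A model of the per-flow hash selection described in the note, added here as an example that is not part of the Cisco document. The FTD's actual hash function is not documented on this page; the model uses SHA-256 over the six tuple fields purely to preserve the property the note states (deterministic per flow, so identical tuples always take the same gateway) and adds the helper a tester needs when every test flow lands on the same gateway: given a flow, find a source port that moves it to the other one. The Flow class, the GATEWAYS list and all function names are the example's own.

```python
import hashlib
from dataclasses import dataclass, replace

# The two gateways of the ECMP zone in this document.
GATEWAYS = ["outside1", "outside2"]


@dataclass(frozen=True)
class Flow:
    """The 6-tuple the note says is hashed."""
    src_ip: str
    dst_ip: str
    in_iface: str
    protocol: str
    src_port: int
    dst_port: int


def flow_hash(flow: Flow) -> int:
    # ILLUSTRATIVE ONLY: the FTD's real hash is not documented on this page.
    # Any stable hash over the full 6-tuple reproduces the behaviour described.
    key = "|".join(str(v) for v in (flow.src_ip, flow.dst_ip, flow.in_iface,
                                     flow.protocol, flow.src_port, flow.dst_port))
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


def select_gateway(flow: Flow, gateways=GATEWAYS) -> str:
    """Pick one of the currently installed gateways for this flow."""
    if not gateways:
        raise ValueError("no installed default route; the flow cannot be forwarded")
    return gateways[flow_hash(flow) % len(gateways)]


def distribution(flows, gateways=GATEWAYS) -> dict:
    """How many of the given flows each gateway would receive."""
    counts = {gw: 0 for gw in gateways}
    for f in flows:
        counts[select_gateway(f, gateways)] += 1
    return counts


def find_port_for_other_gateway(flow: Flow, gateways=GATEWAYS):
    """Return a copy of flow, differing only in source port, that hashes to a
    different gateway; None if no such port exists (e.g. only one gateway left)."""
    current = select_gateway(flow, gateways)
    for port in range(1024, 65536):
        if port == flow.src_port:
            continue
        candidate = replace(flow, src_port=port)
        if select_gateway(candidate, gateways) != current:
            return candidate
    return None


if __name__ == "__main__":
    # The two SSH sessions from the show conn output above.
    pc1 = Flow("10.1.3.2", "10.1.5.2", "inside", "tcp", 57484, 22)
    pc2 = Flow("10.1.3.4", "10.1.5.2", "inside", "tcp", 41652, 22)
    for f in (pc1, pc2):
        print(f"{f.src_ip}:{f.src_port} -> {select_gateway(f)}")
    alt = find_port_for_other_gateway(pc1)
    print(f"same PC, source port {alt.src_port} -> {select_gateway(alt)}")
    print("200 flows from Test-PC-1:",
          distribution([replace(pc1, src_port=p) for p in range(40000, 40200)]))
    # Once the outside1 route is withdrawn, only outside2 is a candidate.
    print("outside1 down:", distribution([pc1, pc2], ["outside2"]))
```

Because the hash is deterministic, two test hosts can legitimately end up on the same ISP; varying the source port (as the helper does) is the cheapest way to exercise both paths without touching the FTD configuration.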
Run the command show sla monitor operational-state to confirm the current state of the SLA monitors. In this case you find Timeout occurred: TRUE in the command output, which indicates that the ICMP echo to the first ISP gateway is no longer being answered.
> show sla monitor operational-state
Entry number: 1037119999
Modification time: 04:14:32.771 UTC Tue Jan 30 2024
Number of Octets Used by this Entry: 2056
Number of operations attempted: 121
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 06:14:32.801 UTC Tue Jan 30 2024
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0
Entry number: 1631063762
Modification time: 04:14:32.771 UTC Tue Jan 30 2024
Number of Octets Used by this Entry: 2056
Number of operations attempted: 121
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 06:14:32.802 UTC Tue Jan 30 2024
Latest operation return code: OK
RTT Values:
RTTAvg: 1 RTTMin: 1 RTTMax: 1
NumOfRTT: 1 RTTSum: 1 RTTSum2: 1
Run the command show route to check the current routing table. The route via interface outside1 to the first ISP gateway has been removed, and only one active default route remains, via interface outside2 to the second ISP gateway.
> show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 10.1.2.2 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.2.2, outside2
C 10.1.1.0 255.255.255.0 is directly connected, outside1
L 10.1.1.1 255.255.255.255 is directly connected, outside1
C 10.1.2.0 255.255.255.0 is directly connected, outside2
L 10.1.2.1 255.255.255.255 is directly connected, outside2
C 10.1.3.0 255.255.255.0 is directly connected, inside
L 10.1.3.1 255.255.255.255 is directly connected, inside
Run the command show conn; you find that both connections are still up. The SSH sessions on Test-PC-1 (10.1.3.2) and Test-PC-2 (10.1.3.4) are also still active, without any interruption.
> show conn
4 in use, 14 most used
Inspect Snort:
preserve-connection: 2 enabled, 0 in effect, 12 most enabled, 0 most in effect
TCP inside 10.1.3.4:41652 outside2 10.1.5.2:22, idle 0:19:29, bytes 5276, flags UIO N1
TCP inside 10.1.3.2:57484 outside1 10.1.5.2:22, idle 0:17:22, bytes 5276, flags UIO N1
Note: In the show conn output you can notice that the SSH session from Test-PC-1 (10.1.3.2) still shows interface outside1, even though the default route via interface outside1 has been removed from the routing table. This is expected and by design; the actual traffic now flows through interface outside2. If you initiate a new connection from Test-PC-1 (10.1.3.2) to the Internet host (10.1.5.2), you find that all traffic goes through interface outside2.
To verify the routing table changes, run the command debug ip routing.
In this example, when the link to the first ISP gateway goes down, the route via interface outside1 is removed from the routing table.
> debug ip routing
IP routing debugging is on
RT: ip_route_delete 0.0.0.0 0.0.0.0 via 10.1.1.2, outside1
ha_cluster_synced 0 routetype 0
RT: del 0.0.0.0 via 10.1.1.2, static metric [1/0]NP-route: Delete-Output 0.0.0.0/0 hop_count:1 , via 0.0.0.0, outside1
RT(mgmt-only):
NP-route: Update-Output 0.0.0.0/0 hop_count:1 , via 10.1.2.2, outside2
NP-route: Update-Input 0.0.0.0/0 hop_count:1 Distance:1 Flags:0X0 , via 10.1.2.2, outside2
Run the command show route to confirm the current routing table.
> show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 10.1.2.2 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.2.2, outside2
C 10.1.1.0 255.255.255.0 is directly connected, outside1
L 10.1.1.1 255.255.255.255 is directly connected, outside1
C 10.1.2.0 255.255.255.0 is directly connected, outside2
L 10.1.2.1 255.255.255.255 is directly connected, outside2
C 10.1.3.0 255.255.255.0 is directly connected, inside
L 10.1.3.1 255.255.255.255 is directly connected, inside
When the link to the first ISP gateway comes back up, the route via interface outside1 is added back to the routing table.
> debug ip routing
IP routing debugging is on
RT(mgmt-only):
NP-route: Update-Output 0.0.0.0/0 hop_count:1 , via 10.1.2.2, outside2
NP-route: Update-Output 0.0.0.0/0 hop_count:1 , via 10.1.1.2, outside2
NP-route: Update-Input 0.0.0.0/0 hop_count:2 Distance:1 Flags:0X0 , via 10.1.2.2, outside2
via 10.1.1.2, outside1
Run the command show route to confirm the current routing table.
> show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 10.1.2.2 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.2.2, outside2
[1/0] via 10.1.1.2, outside1
C 10.1.1.0 255.255.255.0 is directly connected, outside1
L 10.1.1.1 255.255.255.255 is directly connected, outside1
C 10.1.2.0 255.255.255.0 is directly connected, outside2
L 10.1.2.1 255.255.255.255 is directly connected, outside2
C 10.1.3.0 255.255.255.0 is directly connected, inside
L 10.1.3.1 255.255.255.255 is directly connected, inside
Revision | Publish Date | Comments |
---|---|---|
1.0 | 02-Feb-2024 | Initial Release |