Cisco translates this document with a combination of human and machine translation so that users worldwide can access support content in their own language. Note that even the best machine translation is not as accurate as a professional translator. Cisco Systems, Inc. accepts no responsibility for the accuracy of translations and recommends that you always refer to the original English document (link provided).
This document describes how to configure ECMP and IP SLA on an FTD managed by FDM.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
This document describes how to configure Equal-Cost Multi-Path (ECMP) and Internet Protocol Service Level Agreement (IP SLA) on a Cisco FTD managed by Cisco FDM. ECMP allows you to group interfaces together on the FTD and load balance traffic across multiple interfaces. IP SLA is a mechanism that monitors end-to-end connectivity by exchanging packets at regular intervals. Together with ECMP, IP SLA can be implemented to ensure the availability of the next hop. In this example, ECMP is used to distribute packets evenly over two Internet Service Provider (ISP) circuits, while IP SLA tracks connectivity to ensure a seamless transition to whichever circuit is available in the event of a failure.
The specific requirements for this document include:
In this example, the Cisco FTD has two outside interfaces, outside1 and outside2. Each connects to an ISP gateway, and outside1 and outside2 belong to the same ECMP zone, named outside.
Traffic from the inside network is routed through the FTD and load balanced across the two ISPs to the Internet.
At the same time, the FTD uses IP SLA to monitor connectivity to each ISP gateway. If either ISP circuit fails, the FTD fails over to the other ISP gateway to maintain business continuity.
Log in to the FDM web GUI, click Device, then click the link in the Interfaces summary. The Interfaces list shows the available interfaces with their names, addresses, and status.
Click the edit icon for the physical interface you want to edit; in this example, GigabitEthernet0/1.
In the Edit Physical Interface window:
Note: Only routed interfaces can be associated with an ECMP zone.
Repeat similar steps to configure the interface for the secondary ISP connection; in this example, physical interface GigabitEthernet0/2. In the Edit Physical Interface window:
Repeat similar steps to configure the interface for the inside connection; in this example, physical interface GigabitEthernet0/3. In the Edit Physical Interface window:
Navigate to Objects > Object Types > Networks and click the add icon to add a new object.
In the Add Network Object window, configure the first ISP gateway:
Repeat similar steps to configure another network object for the second ISP gateway:
Note: You must configure an access control policy on the FTD to allow the traffic; that part is not covered in this document.
Navigate to Device, then click the link in the Routing summary.
If virtual routers are enabled, click the view icon to configure static routes. In this case, virtual routers are not enabled.
Click the ECMP Traffic Zones tab, then click the add icon to add a new zone.
In the Add ECMP Traffic Zone window:
Interfaces outside1 and outside2 have been successfully added to the ECMP zone outside.
Note: ECMP routing traffic zones are not related to security zones. Creating a security zone that contains the outside1 and outside2 interfaces does not implement a traffic zone for ECMP routing.
To define the SLA objects used to monitor connectivity to each gateway, navigate to Objects > Object Types > SLA Monitors and click the add icon to add a new SLA monitor for the first ISP connection.
In the Add SLA Monitor Object window:
In the Add SLA Monitor Object window, repeat similar steps to configure another SLA Monitor object for the second ISP connection:
Navigate to Device, then click the link in the Routing summary.
If virtual routers are enabled, click the view icon to configure static routes. In this case, virtual routers are not enabled.
On the Static Routing page, click the add icon to add a new static route for the first ISP link.
In the Add Static Route window:
Repeat similar steps in the Add Static Route window to configure another static route for the second ISP connection:
You now have two routes, through interfaces outside1 and outside2, each with route tracking.
Deploy the changes to the FTD.
Log in to the FTD CLI and run the command show zone to check information about the ECMP traffic zones, including the interfaces that belong to each zone.
> show zone
Zone: Outside ecmp
Security-level: 0
Zone member(s): 2
outside2 GigabitEthernet0/2
outside1 GigabitEthernet0/1
Run the command show running-config route to check the running configuration of the routes. In this case, there are two static routes with route tracking.
> show running-config route
route outside1 0.0.0.0 0.0.0.0 10.1.1.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 10.1.2.2 1 track 2
Run the command show route to check the routing table. In this case, there are two default routes with equal cost, through interfaces outside1 and outside2, so traffic can be distributed across both ISP circuits.
> show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 10.1.2.2 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.2.2, outside2
[1/0] via 10.1.1.2, outside1
C 10.1.1.0 255.255.255.0 is directly connected, outside1
L 10.1.1.1 255.255.255.255 is directly connected, outside1
C 10.1.2.0 255.255.255.0 is directly connected, outside2
L 10.1.2.1 255.255.255.255 is directly connected, outside2
C 10.1.3.0 255.255.255.0 is directly connected, inside
L 10.1.3.1 255.255.255.255 is directly connected, inside
Run the command show sla monitor configuration to check the configuration of the SLA monitors.
> show sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1037119999
Owner:
Tag:
Type of operation to perform: echo
Target address: 10.1.1.2
Interface: outside1
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
Entry number: 1631063762
Owner:
Tag:
Type of operation to perform: echo
Target address: 10.1.2.2
Interface: outside2
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
Run the command show sla monitor operational-state to confirm the state of the SLA monitors. In this case, you can find "Timeout occurred: FALSE" in the command output, which indicates that the ICMP echo to the gateway is being answered, so the default route through the target interface is active and installed in the routing table.
> show sla monitor operational-state
Entry number: 1037119999
Modification time: 04:14:32.771 UTC Tue Jan 30 2024
Number of Octets Used by this Entry: 2056
Number of operations attempted: 79
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 05:32:32.791 UTC Tue Jan 30 2024
Latest operation return code: OK
RTT Values:
RTTAvg: 1 RTTMin: 1 RTTMax: 1
NumOfRTT: 1 RTTSum: 1 RTTSum2: 1
Entry number: 1631063762
Modification time: 04:14:32.771 UTC Tue Jan 30 2024
Number of Octets Used by this Entry: 2056
Number of operations attempted: 79
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 05:32:32.791 UTC Tue Jan 30 2024
Latest operation return code: OK
RTT Values:
RTTAvg: 1 RTTMin: 1 RTTMax: 1
NumOfRTT: 1 RTTSum: 1 RTTSum2: 1
Pass initial traffic through the FTD to verify that ECMP load balances traffic across the gateways in the ECMP zone. In this example, SSH connections are initiated from Test-PC-1 (10.1.3.2) and Test-PC-2 (10.1.3.4) to an Internet host (10.1.5.2). Run the command show conn to confirm that the traffic is load balanced between the two ISP links: Test-PC-1 (10.1.3.2) goes through interface outside1 and Test-PC-2 (10.1.3.4) goes through interface outside2.
> show conn
4 in use, 14 most used
Inspect Snort:
preserve-connection: 2 enabled, 0 in effect, 12 most enabled, 0 most in effect
TCP inside 10.1.3.4:41652 outside2 10.1.5.2:22, idle 0:02:10, bytes 5276, flags UIO N1
TCP inside 10.1.3.2:57484 outside1 10.1.5.2:22, idle 0:00:04, bytes 5276, flags UIO N1
Note: Traffic is load balanced between the specified gateways by an algorithm that hashes the source and destination IP addresses, the incoming interface, the protocol, and the source and destination ports. When you run the test, the simulated traffic can be routed to the same gateway because of the hash algorithm; this is expected. Changing any value in the 6-tuple (source IP, destination IP, incoming interface, protocol, source port, destination port) changes the hash result.
If the link to the first ISP gateway goes down (in this example, shut down the first gateway router to simulate it), and the FTD does not receive an echo reply from the first ISP gateway within the threshold timer specified in the SLA monitor object, the host is considered unreachable and marked as down. The tracked route to the first gateway is also removed from the routing table.
Run the command show sla monitor operational-state to confirm the current state of the SLA monitors. In this case, you can find "Timeout occurred: TRUE" in the command output, which indicates that the ICMP echo to the first ISP gateway is not being answered.
> show sla monitor operational-state
Entry number: 1037119999
Modification time: 04:14:32.771 UTC Tue Jan 30 2024
Number of Octets Used by this Entry: 2056
Number of operations attempted: 121
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 06:14:32.801 UTC Tue Jan 30 2024
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0
Entry number: 1631063762
Modification time: 04:14:32.771 UTC Tue Jan 30 2024
Number of Octets Used by this Entry: 2056
Number of operations attempted: 121
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 06:14:32.802 UTC Tue Jan 30 2024
Latest operation return code: OK
RTT Values:
RTTAvg: 1 RTTMin: 1 RTTMax: 1
NumOfRTT: 1 RTTSum: 1 RTTSum2: 1
Run the command show route to check the current routing table. The route through interface outside1 to the first ISP gateway has been removed, and only one active default route remains, through interface outside2 to the second ISP gateway.
> show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 10.1.2.2 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.2.2, outside2
C 10.1.1.0 255.255.255.0 is directly connected, outside1
L 10.1.1.1 255.255.255.255 is directly connected, outside1
C 10.1.2.0 255.255.255.0 is directly connected, outside2
L 10.1.2.1 255.255.255.255 is directly connected, outside2
C 10.1.3.0 255.255.255.0 is directly connected, inside
L 10.1.3.1 255.255.255.255 is directly connected, inside
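As an added cross-check (example code written for this page, not from the Cisco document or the FTD itself), this Python parses excerpts of the three outputs used above, show sla monitor configuration, show sla monitor operational-state and show route, and reports for each tracked gateway whether the SLA probe timed out and whether its default route is installed, flagging any mismatch between the two. The embedded sample outputs are constructed to mirror the failover state shown above.

```python
import re
# Constructed excerpts modelled on the outputs shown on this page (not captured from a device).
SLA_CONFIG = """\
Entry number: 1037119999
Target address: 10.1.1.2
Interface: outside1
Entry number: 1631063762
Target address: 10.1.2.2
Interface: outside2
"""
SLA_STATE = """\
Entry number: 1037119999
Timeout occurred: TRUE
Entry number: 1631063762
Timeout occurred: FALSE
"""
SHOW_ROUTE = """\
S*   0.0.0.0 0.0.0.0 [1/0] via 10.1.2.2, outside2
C    10.1.1.0 255.255.255.0 is directly connected, outside1
"""

def parse_entries(text, fields):
    """Split 'show sla monitor ...' output into {entry number: {field: value}} for the given fields."""
    entries, current = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Entry number":
            current = entries.setdefault(value, {})
        elif current is not None and key in fields:
            current[key] = value
    return entries

def default_route_gateways(route_text):
    """Next-hop IPs of the 0.0.0.0/0 route, including indented ECMP continuation lines."""
    gws, in_default = set(), False
    for line in route_text.splitlines():
        in_default = line.startswith("S*") or (in_default and line.lstrip().startswith("["))
        if in_default:
            gws.update(re.findall(r"via (\d+\.\d+\.\d+\.\d+)", line))
    return gws

def check_tracked_routes(config_text, state_text, route_text):
    """Per monitored interface: gateway, probe timed out?, route installed?, and whether the two agree."""
    cfg, state = parse_entries(config_text, {"Target address", "Interface"}), parse_entries(state_text, {"Timeout occurred"})
    report = {}
    for entry, c in cfg.items():
        timed_out = state.get(entry, {}).get("Timeout occurred", "").upper() == "TRUE"
        installed = c["Target address"] in default_route_gateways(route_text)
        # consistent: a reachable gateway has its route installed, a timed-out gateway does not
        report[c["Interface"]] = {"gateway": c["Target address"], "timed_out": timed_out, "route_installed": installed, "consistent": timed_out != installed}
    return report
```

A "consistent": False entry means the routing table and the SLA state disagree, for example a route still present for a gateway whose probe timed out, which is worth investigating before trusting the failover.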
Run the command show conn; you can see that both connections are still up. The SSH sessions on Test-PC-1 (10.1.3.2) and Test-PC-2 (10.1.3.4) are also still active without any interruption.
> show conn
4 in use, 14 most used
Inspect Snort:
preserve-connection: 2 enabled, 0 in effect, 12 most enabled, 0 most in effect
TCP inside 10.1.3.4:41652 outside2 10.1.5.2:22, idle 0:19:29, bytes 5276, flags UIO N1
TCP inside 10.1.3.2:57484 outside1 10.1.5.2:22, idle 0:17:22, bytes 5276, flags UIO N1
Note: In the output of show conn, you can notice that the SSH session from Test-PC-1 (10.1.3.2) still shows interface outside1, even though the default route through interface outside1 has been removed from the routing table. This is expected and by design; the actual traffic flows through interface outside2. If you initiate a new connection from Test-PC-1 (10.1.3.2) to the Internet host (10.1.5.2), you can see that all of its traffic goes through interface outside2.
To verify the routing table changes, run the command debug ip routing.
In this example, when the link to the first ISP gateway goes down, the route through interface outside1 is removed from the routing table.
> debug ip routing
IP routing debugging is on
RT: ip_route_delete 0.0.0.0 0.0.0.0 via 10.1.1.2, outside1
ha_cluster_synced 0 routetype 0
RT: del 0.0.0.0 via 10.1.1.2, static metric [1/0]NP-route: Delete-Output 0.0.0.0/0 hop_count:1 , via 0.0.0.0, outside1
RT(mgmt-only):
NP-route: Update-Output 0.0.0.0/0 hop_count:1 , via 10.1.2.2, outside2
NP-route: Update-Input 0.0.0.0/0 hop_count:1 Distance:1 Flags:0X0 , via 10.1.2.2, outside2
Run the command show route to confirm the current routing table.
> show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 10.1.2.2 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.2.2, outside2
C 10.1.1.0 255.255.255.0 is directly connected, outside1
L 10.1.1.1 255.255.255.255 is directly connected, outside1
C 10.1.2.0 255.255.255.0 is directly connected, outside2
L 10.1.2.1 255.255.255.255 is directly connected, outside2
C 10.1.3.0 255.255.255.0 is directly connected, inside
L 10.1.3.1 255.255.255.255 is directly connected, inside
When the link to the first ISP gateway comes back up, the route through interface outside1 is added back to the routing table.
> debug ip routing
IP routing debugging is on
RT(mgmt-only):
NP-route: Update-Output 0.0.0.0/0 hop_count:1 , via 10.1.2.2, outside2
NP-route: Update-Output 0.0.0.0/0 hop_count:1 , via 10.1.1.2, outside2
NP-route: Update-Input 0.0.0.0/0 hop_count:2 Distance:1 Flags:0X0 , via 10.1.2.2, outside2
via 10.1.1.2, outside1
Run the command show route to confirm the current routing table.
> show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 10.1.2.2 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.2.2, outside2
[1/0] via 10.1.1.2, outside1
C 10.1.1.0 255.255.255.0 is directly connected, outside1
L 10.1.1.1 255.255.255.255 is directly connected, outside1
C 10.1.2.0 255.255.255.0 is directly connected, outside2
L 10.1.2.1 255.255.255.255 is directly connected, outside2
C 10.1.3.0 255.255.255.0 is directly connected, inside
L 10.1.3.1 255.255.255.255 is directly connected, inside
Version | Release Date | Comments
---|---|---
1.0 | 02-Feb-2024 | Initial release