This document describes how to configure ECMP together with IP SLA on an FTD managed by FMC.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
Cisco FTD version 7.4.1
Cisco FMC version 7.4.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
This document describes how to configure Equal-Cost Multi-Path (ECMP) together with Internet Protocol Service Level Agreement (IP SLA) on a Cisco FTD managed by Cisco FMC. ECMP allows you to group interfaces together on the FTD and load-balance traffic across multiple interfaces. IP SLA is a mechanism that monitors end-to-end connectivity by exchanging packets at regular intervals. IP SLA can be implemented together with ECMP to ensure the availability of the next hop. In this example, ECMP is used to distribute packets equally over two Internet Service Provider (ISP) circuits. At the same time, IP SLA tracks connectivity and ensures a seamless transition to whichever circuit is still available if one fails.
The specific requirements for this document include:
In this example, the Cisco FTD has two outside interfaces: outside1 and outside2. Each connects to an ISP gateway, and outside1 and outside2 belong to the same ECMP zone, named outside.
Traffic from the internal network is routed through the FTD and load-balanced to the Internet over the two ISPs.
At the same time, the FTD uses IP SLA to monitor connectivity to each ISP gateway. If either ISP circuit fails, the FTD fails over to the other ISP gateway to maintain business continuity.
Log in to the FMC web GUI, choose Devices > Device Management, and click the Edit button for the threat defense device. The Interfaces page is selected by default. Click the Edit button for the interface you want to edit (in this example, GigabitEthernet0/0).
In the Edit Physical Interface window, under the General tab:
Under the IPv4 tab:
Repeat similar steps in the Edit Physical Interface window, under the General tab, to configure interface GigabitEthernet0/1:
Under the IPv4 tab:
Repeat similar steps in the Edit Physical Interface window, under the General tab, to configure interface GigabitEthernet0/2:
Under the IPv4 tab:
Click Save and Deploy the configuration.
Navigate to Objects > Object Management, choose Network from the list of object types, and choose Add Object from the Add Network drop-down menu to create an object for the first ISP gateway.
In the New Network Object window:
Repeat similar steps to create another object for the second ISP gateway. In the New Network Object window:
Navigate to Devices > Device Management, edit the threat defense device, and click Routing. From the virtual router drop-down menu, choose the virtual router in which you want to create the ECMP zone. You can create ECMP zones in the global virtual router and in user-defined virtual routers. In this example, choose Global.
Click ECMP, then click Add.
In the Add ECMP window:
Click Save and Deploy the configuration.
Navigate to Objects > Object Management, choose SLA Monitor from the list of object types, and click Add SLA Monitor to add a new SLA monitor for the first ISP gateway.
In the New SLA Monitor Object window:
Repeat similar steps to create another SLA monitor for the second ISP gateway.
In the New SLA Monitor Object window:
Navigate to Devices > Device Management, edit the threat defense device, click Routing, and from the virtual routers drop-down menu choose the virtual router for which you are configuring the static routes. In this example, Global.
Choose Static Route and click Add Route to add a default route to the first ISP gateway.
In the Add Static Route Configuration window:
Repeat similar steps to add a default route to the second ISP gateway. In the Add Static Route Configuration window:
Click Save and Deploy the configuration.
Log in to the FTD CLI and run the command show zone to check the information of the ECMP traffic zones, including the interfaces that are members of each zone.
> show zone
Zone: Outside ecmp
Security-level: 0
Zone member(s): 2
Outside2 GigabitEthernet0/1
Outside1 GigabitEthernet0/0
Run the command show running-config route to check the running configuration of the routes. In this case, there are two static routes with route tracking.
> show running-config route
route Outside1 0.0.0.0 0.0.0.0 10.1.1.2 1 track 1
route Outside2 0.0.0.0 0.0.0.0 10.1.2.2 1 track 2
Run the command show route to check the routing table. In this case, there are two default routes, through interfaces outside1 and outside2, with equal cost, so traffic can be distributed between the two ISP circuits.
> show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 10.1.2.2 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.2.2, Outside2
[1/0] via 10.1.1.2, Outside1
C 10.1.1.0 255.255.255.0 is directly connected, Outside1
L 10.1.1.1 255.255.255.255 is directly connected, Outside1
C 10.1.2.0 255.255.255.0 is directly connected, Outside2
L 10.1.2.1 255.255.255.255 is directly connected, Outside2
C 10.1.3.0 255.255.255.0 is directly connected, Inside
L 10.1.3.1 255.255.255.255 is directly connected, Inside
Run the command show sla monitor configuration to check the configuration of the SLA monitors.
> show sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 10.1.1.2
Interface: Outside1
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
Entry number: 2
Owner:
Tag:
Type of operation to perform: echo
Target address: 10.1.2.2
Interface: Outside2
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 60
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
Run the command show sla monitor operational-state to confirm the state of the SLA monitors. In this case, you can find "Timeout occurred: FALSE" in the command output, which indicates that the ICMP echo to the gateway is being answered, so the default route through the target interface is active and installed in the routing table.
> show sla monitor operational-state
Entry number: 1
Modification time: 09:31:28.785 UTC Thu Feb 15 2024
Number of Octets Used by this Entry: 2056
Number of operations attempted: 82
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 10:52:28.785 UTC Thu Feb 15 2024
Latest operation return code: OK
RTT Values:
RTTAvg: 1 RTTMin: 1 RTTMax: 1
NumOfRTT: 1 RTTSum: 1 RTTSum2: 1
Entry number: 2
Modification time: 09:31:28.785 UTC Thu Feb 15 2024
Number of Octets Used by this Entry: 2056
Number of operations attempted: 82
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 10:52:28.785 UTC Thu Feb 15 2024
Latest operation return code: OK
RTT Values:
RTTAvg: 1 RTTMin: 1 RTTMax: 1
NumOfRTT: 1 RTTSum: 1 RTTSum2: 1
Pass initial traffic through the FTD to verify that ECMP balances traffic between the gateways in the ECMP zone. In this case, initiate telnet connections from Inside-Host1 (10.1.3.2) and Inside-Host2 (10.1.3.4) to Internet-Host (10.1.5.2), then run the command show conn to confirm that the traffic is load-balanced between the two ISP links: Inside-Host1 (10.1.3.2) goes through interface outside1 and Inside-Host2 (10.1.3.4) goes through interface outside2.
> show conn
2 in use, 3 most used
Inspect Snort:
preserve-connection: 2 enabled, 0 in effect, 2 most enabled, 0 most in effect
TCP Inside 10.1.3.2:46069 Outside1 10.1.5.2:23, idle 0:00:24, bytes 1329, flags UIO N1
TCP Inside 10.1.3.4:61915 Outside2 10.1.5.2:23, idle 0:00:04, bytes 1329, flags UIO N1
Note: Traffic is load-balanced between the specified gateways according to an algorithm that hashes the source and destination IP addresses, incoming interface, protocol, and source and destination ports. When you run the test, the traffic you simulate can be routed to the same gateway because of the hash algorithm; this is expected. Change any value in the 6-tuple (source IP, destination IP, incoming interface, protocol, source port, destination port) to change the hash result.
Suppose the link to the first ISP gateway goes down (in this example, shut down the first gateway router to simulate this). If the FTD does not receive an echo reply from the first ISP gateway within the threshold timer specified in the SLA Monitor object, the host is considered unreachable and is marked as down. The tracked route to the first gateway is also removed from the routing table.
Run the command show sla monitor operational-state to confirm the current state of the SLA monitors. In this case, you can find "Timeout occurred: TRUE" in the command output, which indicates that the ICMP echo to the first ISP gateway is not being answered.
> show sla monitor operational-state
Entry number: 1
Modification time: 09:31:28.783 UTC Thu Feb 15 2024
Number of Octets Used by this Entry: 2056
Number of operations attempted: 104
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 11:14:28.813 UTC Thu Feb 15 2024
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0
Entry number: 2
Modification time: 09:31:28.783 UTC Thu Feb 15 2024
Number of Octets Used by this Entry: 2056
Number of operations attempted: 104
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 1
Latest operation start time: 11:14:28.813 UTC Thu Feb 15 2024
Latest operation return code: OK
RTT Values:
RTTAvg: 1 RTTMin: 1 RTTMax: 1
NumOfRTT: 1 RTTSum: 1 RTTSum2: 1
Run the command show route to check the current routing table. The route to the first ISP gateway through interface outside1 has been removed, and there is only one active default route, to the second ISP gateway through interface outside2.
> show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 10.1.2.2 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.2.2, Outside2
C 10.1.1.0 255.255.255.0 is directly connected, Outside1
L 10.1.1.1 255.255.255.255 is directly connected, Outside1
C 10.1.2.0 255.255.255.0 is directly connected, Outside2
L 10.1.2.1 255.255.255.255 is directly connected, Outside2
C 10.1.3.0 255.255.255.0 is directly connected, Inside
L 10.1.3.1 255.255.255.255 is directly connected, Inside
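As an added example (not part of Cisco's document), the Python script below parses constructed, abridged samples of the show sla monitor operational-state and show route outputs shown above and flags any tracked gateway whose SLA state disagrees with the default routes installed in the routing table, so the manual check described for both commands can be scripted. The TRACKS mapping (track id to gateway and interface, taken from the two static routes configured earlier) and the function names are assumptions made for this example.

```python
import re
# Constructed, abridged samples of the two FTD CLI outputs the page checks.
SLA_STATE = """\
Entry number: 1
Timeout occurred: TRUE
Entry number: 2
Timeout occurred: FALSE
"""
SHOW_ROUTE = """\
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.2.2, Outside2
C 10.1.1.0 255.255.255.0 is directly connected, Outside1
"""
# Track id -> (gateway, interface), taken from the page's two static routes.
TRACKS = {1: ("10.1.1.2", "Outside1"), 2: ("10.1.2.2", "Outside2")}

def parse_sla_state(text):
    """Return {entry_number: True if that entry shows 'Timeout occurred: TRUE'}."""
    state, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Entry number:\s*(\d+)", line)
        if m:
            current = int(m.group(1))
        m = re.match(r"Timeout occurred:\s*(TRUE|FALSE)", line, re.I)
        if m and current is not None:
            state[current] = m.group(1).upper() == "TRUE"
    return state

def parse_default_next_hops(text):
    """Return the set of (gateway, interface) next hops installed for 0.0.0.0/0."""
    hops, in_default = set(), False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("S*") and "0.0.0.0 0.0.0.0" in line:
            in_default = True   # first next hop is on the S* line itself
        elif not line.startswith("["):
            in_default = False  # extra ECMP next hops continue as "[1/0] via ..."
        m = re.search(r"via (\S+), (\S+)", line) if in_default else None
        if m:
            hops.add((m.group(1), m.group(2)))
    return hops

def check_consistency(sla_text, route_text):
    """List tracks whose SLA state disagrees with the installed default routes."""
    sla, hops = parse_sla_state(sla_text), parse_default_next_hops(route_text)
    problems = []
    for track, hop in TRACKS.items():
        down = sla.get(track, True)  # a missing SLA entry is treated as down
        if down and hop in hops:
            problems.append(f"track {track} down but route via {hop[0]} installed")
        elif not down and hop not in hops:
            problems.append(f"track {track} up but route via {hop[0]} missing")
    return problems
```

With the samples above (track 1 timed out, only the outside2 default route installed) check_consistency returns an empty list; feeding it the pre-failure routing table with both next hops reports that the route via 10.1.1.2 is still installed while track 1 is down.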
Run the command show conn; you can find that both connections are still up. The telnet sessions on Inside-Host1 (10.1.3.2) and Inside-Host2 (10.1.3.4) are also still active without any interruption.
> show conn
2 in use, 3 most used
Inspect Snort:
preserve-connection: 2 enabled, 0 in effect, 2 most enabled, 0 most in effect
TCP Inside 10.1.3.2:46069 Outside1 10.1.5.2:23, idle 0:00:22, bytes 1329, flags UIO N1
TCP Inside 10.1.3.4:61915 Outside2 10.1.5.2:23, idle 0:00:02, bytes 1329, flags UIO N1
Note: In the output of show conn, you can notice that although the default route through interface outside1 has been removed from the routing table, the telnet session from Inside-Host1 (10.1.3.2) is still shown through interface outside1. This is expected and by design; the actual traffic flows through interface outside2. If you initiate a new connection from Inside-Host1 (10.1.3.2) to Internet-Host (10.1.5.2), you can find that all traffic goes through interface outside2.
To verify the routing table changes, run the command debug ip routing.
In this example, when the link to the first ISP gateway goes down, the route through interface outside1 is removed from the routing table.
> debug ip routing
IP routing debugging is on
RT: ip_route_delete 0.0.0.0 0.0.0.0 via 10.1.1.2, Outside1
ha_cluster_synced 0 routetype 0
RT: del 0.0.0.0 via 10.1.1.2, static metric [1/0]NP-route: Delete-Output 0.0.0.0/0 hop_count:1 , via 0.0.0.0, Outside1
RT(mgmt-only): NP-route: Update-Output 0.0.0.0/0 hop_count:1 , via 10.1.2.2, Outside2
NP-route: Update-Input 0.0.0.0/0 hop_count:1 Distance:1 Flags:0X0 , via 10.1.2.2, Outside2
Run the command show route to confirm the current routing table.
> show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 10.1.2.2 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.2.2, Outside2
C 10.1.1.0 255.255.255.0 is directly connected, Outside1
L 10.1.1.1 255.255.255.255 is directly connected, Outside1
C 10.1.2.0 255.255.255.0 is directly connected, Outside2
L 10.1.2.1 255.255.255.255 is directly connected, Outside2
C 10.1.3.0 255.255.255.0 is directly connected, Inside
L 10.1.3.1 255.255.255.255 is directly connected, Inside
When the link to the first ISP gateway comes back up, the route through interface outside1 is added back to the routing table.
> debug ip routing
IP routing debugging is on
NP-route: Update-Output 0.0.0.0/0 hop_count:1 , via 10.1.2.2, Outside2
NP-route: Update-Output 0.0.0.0/0 hop_count:1 , via 10.1.1.2, Outside2
NP-route: Update-Input 0.0.0.0/0 hop_count:2 Distance:1 Flags:0X0 , via 10.1.2.2, Outside2
via 10.1.1.2, Outside1
Run the command show route to confirm the current routing table.
> show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is 10.1.2.2 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 10.1.2.2, Outside2
[1/0] via 10.1.1.2, Outside1
C 10.1.1.0 255.255.255.0 is directly connected, Outside1
L 10.1.1.1 255.255.255.255 is directly connected, Outside1
C 10.1.2.0 255.255.255.0 is directly connected, Outside2
L 10.1.2.1 255.255.255.255 is directly connected, Outside2
C 10.1.3.0 255.255.255.0 is directly connected, Inside
L 10.1.3.1 255.255.255.255 is directly connected, Inside
Revision | Publish Date | Comments
---|---|---
1.0 | 16-Feb-2024 | Initial Release