HCL_Router Dual-Egress Policy Configuration Lab

Router egress policy configuration notes

NQA

# Configure the NQA entry that probes the China Telecom DNS server
nqa entry admin isp_telecom_test
 type icmp-echo
  destination ip 202.103.224.68 // remote DNS address being probed
  frequency 2000 // probe every 2 seconds
  history-record enable // enable saving of NQA history records
  history-record number 5 // keep at most 5 history records
  next-hop ip 101.1.1.2 // next hop the probe packets are sent through
  probe count 5 // 5 probes per test
  probe timeout 1000 // probe timeout of 1 second
  reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only // 5 consecutive probe failures trigger collaboration with other modules
  source ip 101.1.1.1 // source address of the probe packets

# Configure the NQA entry that probes the China Unicom DNS server
nqa entry admin isp_unicom_test
 type icmp-echo
  destination ip 211.138.240.100
  frequency 2000
  history-record enable
  history-record number 5
  next-hop ip 202.1.1.2
  probe count 5
  probe timeout 1000
  reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
  source ip 202.1.1.1

# Start NQA monitoring now and keep it running permanently
 nqa schedule admin isp_telecom_test start-time now lifetime forever
 nqa schedule admin isp_unicom_test start-time now lifetime forever

Associating track objects with NQA

#
track 100 nqa entry admin isp_telecom_test reaction 1
#
track 200 nqa entry admin isp_unicom_test reaction 1

Policy-based routing configuration and collaboration with track

#
acl advanced 3002
 rule 0 permit ip source 192.168.20.0 0.0.0.255

# The next hop is bound to track 200; when the NQA probe reports failure, the policy route becomes invalid and the matching traffic is forwarded according to the routing table
policy-based-route to_isp_policy permit node 10
 if-match acl 3002
 apply next-hop 202.1.1.2 track 200
#
# The default route is bound to track 100; when the NQA probe reports failure, this default route becomes invalid, the default route with preference 80 is installed in the routing table, and traffic is forwarded according to the routing table
 ip route-static 0.0.0.0 0 101.1.1.2 track 100
 ip route-static 0.0.0.0 0 202.1.1.2 preference 80

# Apply the policy route on the inbound interface of the internal traffic
interface GigabitEthernet0/0
 ip policy-based-route to_isp_policy

Test notes:

With both external networks working normally, check the NQA monitoring results: the number of probe packets sent equals the number of reply packets received.

Using debug to view the NAT translation information: traffic from vlan10 to the Internet DNS address goes via next hop 101.1.1.2, and traffic from vlan20 to the Internet DNS address goes via next hop 202.1.1.2.

When the China Telecom network is unavailable

When the China Telecom network is unavailable, the router log reports prob-fail, and the number of icmp-reply packets received by the NQA probe is 0.

In the routing table, the next hop of the default route is now 202.1.1.2.

Check the NAT session table: there are traffic sessions from both vlan10 and vlan20.

Using debug to view the NAT translation information: all traffic leaves through the China Unicom egress.

When the China Unicom network is unavailable

When the China Unicom network is unavailable, the router log reports prob-fail, and the number of icmp-reply packets received by the NQA probe is 0.

Check the NAT session table: there are traffic sessions from both vlan10 and vlan20.

Using debug to view the NAT translation information: all traffic leaves through the China Telecom egress.
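As an added illustration that is not part of the original lab, the following Python model reproduces the failover decisions described in the test notes above (normal operation, Telecom down, Unicom down) from the configured NQA reaction (5 consecutive probe failures), the two track objects, PBR node 10 and the two default routes. It assumes the Comware default static-route preference of 60 for the tracked route, and the host addresses and probe results are constructed.

```python
"""Model of the NQA -> track -> PBR / static-route failover chain in the lab config."""
from dataclasses import dataclass

TELECOM_HOP, UNICOM_HOP = "101.1.1.2", "202.1.1.2"


@dataclass
class Track:
    """One 'reaction 1 ... probe-fail threshold-type consecutive 5' bound to a track object."""
    threshold: int = 5
    consecutive_fails: int = 0
    positive: bool = True  # track state: True while the NQA reaction has not triggered

    def observe(self, reply_received: bool) -> bool:
        # A received icmp-reply clears the streak; the streak must reach the threshold to trigger.
        self.consecutive_fails = 0 if reply_received else self.consecutive_fails + 1
        self.positive = self.consecutive_fails < self.threshold
        return self.positive


def default_route_next_hop(track100: Track) -> str:
    """'ip route-static 0.0.0.0 0 101.1.1.2 track 100' (assumed default preference 60)
    competes with 'ip route-static 0.0.0.0 0 202.1.1.2 preference 80'; lowest preference wins."""
    candidates = [(80, UNICOM_HOP)]          # untracked backup route is always present
    if track100.positive:                    # tracked route is withdrawn when track 100 is negative
        candidates.append((60, TELECOM_HOP))
    return min(candidates)[1]


def egress_next_hop(src: str, track100: Track, track200: Track) -> str:
    """PBR node 10: acl 3002 matches 192.168.20.0/24 -> 'apply next-hop 202.1.1.2 track 200'.
    Non-matching sources, or a negative track 200, fall back to the routing table."""
    if src.startswith("192.168.20.") and track200.positive:
        return UNICOM_HOP
    return default_route_next_hop(track100)


def simulate(telecom_replies: list, unicom_replies: list) -> dict:
    """Feed constructed probe results into both tracks and report the egress per VLAN."""
    t100, t200 = Track(), Track()
    for reply in telecom_replies:
        t100.observe(reply)
    for reply in unicom_replies:
        t200.observe(reply)
    return {"vlan10": egress_next_hop("192.168.10.5", t100, t200),   # constructed host
            "vlan20": egress_next_hop("192.168.20.5", t100, t200)}   # constructed host


if __name__ == "__main__":
    print("normal      :", simulate([True] * 5, [True] * 5))
    print("telecom down:", simulate([False] * 5, [True] * 5))
    print("unicom down :", simulate([True] * 5, [False] * 5))
```

The model also makes visible a case the test notes do not cover: with both tracks negative the untracked preference-80 route still carries all traffic toward 202.1.1.2, so a dual-ISP outage is indistinguishable from a Unicom-only path in the routing table and should be caught by monitoring the NQA results rather than the routes alone.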

Full router configuration:

#
 sysname Router
#
track 100 nqa entry admin isp_telecom_test reaction 1
#
track 200 nqa entry admin isp_unicom_test reaction 1
#
 system-working-mode standard
 xbar load-single
 password-recovery enable
 lpu-type f-series
#
vlan 1
#
policy-based-route to_isp_policy permit node 10
 if-match acl 3002
 apply next-hop 202.1.1.2 track 200
#
nqa entry admin isp_telecom_test
 type icmp-echo
  destination ip 202.103.224.68
  frequency 2000
  history-record enable
  history-record number 5
  next-hop ip 101.1.1.2
  probe count 5
  probe timeout 1000
  reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
  source ip 101.1.1.1
#
nqa entry admin isp_unicom_test
 type icmp-echo
  destination ip 211.138.240.100
  frequency 2000
  history-record enable
  history-record number 5
  next-hop ip 202.1.1.2
  probe count 5
  probe timeout 1000
  reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
  source ip 202.1.1.1
#
 nqa schedule admin isp_telecom_test start-time now lifetime forever
 nqa schedule admin isp_unicom_test start-time now lifetime forever
#
interface Serial1/0
#
interface Serial2/0
#
interface Serial3/0
#
interface Serial4/0
#
interface NULL0
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 1.1.1.1 255.255.255.252
 ip policy-based-route to_isp_policy
#
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 101.1.1.1 255.255.255.252
 nat outbound 3001
#
interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 ip address 202.1.1.1 255.255.255.252
 nat outbound 3001
#
interface GigabitEthernet5/0
 port link-mode route
 combo enable copper
#
interface GigabitEthernet5/1
 port link-mode route
 combo enable copper
#
interface GigabitEthernet6/0
 port link-mode route
 combo enable copper
#
interface GigabitEthernet6/1
 port link-mode route
 combo enable copper
#
 scheduler logfile size 16
#
line class aux 
 user-role network-operator
#
line class console
 user-role network-admin
#
line class tty
 user-role network-operator
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 63
 user-role network-operator
#
 ip route-static 0.0.0.0 0 101.1.1.2 track 100
 ip route-static 0.0.0.0 0 202.1.1.2 preference 80
 ip route-static 192.168.10.0 24 1.1.1.2
 ip route-static 192.168.20.0 24 1.1.1.2
#
acl advanced 3001
 rule 0 permit ip
#
acl advanced 3002
 rule 0 permit ip source 192.168.20.0 0.0.0.255
#
domain name system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
return