Router egress policy configuration notes
NQA
# Configure the NQA entry that probes the China Telecom DNS server
nqa entry admin isp_telecom_test
type icmp-echo
destination ip 202.103.224.68 //remote DNS address to probe
frequency 2000 //probe every 2 seconds
history-record enable //enable saving of NQA history records
history-record number 5 //keep at most 5 history records
next-hop ip 101.1.1.2 //next hop the probe packets are sent through
probe count 5 //5 probes per test
probe timeout 1000 //probe timeout of 1 second
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only //after 5 consecutive probe failures, trigger linkage with other modules (track)
source ip 101.1.1.1 //source address of the probe packets
# Configure the NQA entry that probes the China Unicom DNS server
nqa entry admin isp_unicom_test
type icmp-echo
destination ip 211.138.240.100
frequency 2000
history-record enable
history-record number 5
next-hop ip 202.1.1.2
probe count 5
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
source ip 202.1.1.1
# Enable NQA monitoring permanently, starting now
nqa schedule admin isp_telecom_test start-time now lifetime forever
nqa schedule admin isp_unicom_test start-time now lifetime forever
Associating track entries with NQA
#
track 100 nqa entry admin isp_telecom_test reaction 1
#
track 200 nqa entry admin isp_unicom_test reaction 1
Policy-based routing configuration and track linkage
#
acl advanced 3002
rule 0 permit ip source 192.168.20.0 0.0.0.255
# The next hop is linked to track 200; when the NQA probe reports failure, the policy-based route becomes invalid and traffic is forwarded according to the routing table
policy-based-route to_isp_policy permit node 10
if-match acl 3002
apply next-hop 202.1.1.2 track 200
#
# The default route is linked to track 100; when the NQA probe reports failure, this default route becomes invalid, the default route with preference 80 is installed in the routing table, and traffic is forwarded according to the routing table
ip route-static 0.0.0.0 0 101.1.1.2 track 100
ip route-static 0.0.0.0 0 202.1.1.2 preference 80
# Apply the policy-based route on the interface where internal traffic enters
interface GigabitEthernet0/0
ip policy-based-route to_isp_policy
Test notes:
With both ISP links healthy, check the NQA results: the number of probe packets sent equals the number of replies received.
Checking NAT translation information with debug: traffic from vlan10 to the internet DNS address uses next hop 101.1.1.2, and traffic from vlan20 to the internet DNS address uses next hop 202.1.1.2.
When the China Telecom network is unavailable
When the China Telecom network is unavailable, the router log reports prob-fail and the NQA probe receives 0 icmp-reply packets.
In the routing table, the next hop of the default route is 202.1.1.2.
The NAT session table shows sessions for both vlan10 and vlan20 traffic.
Checking NAT translation information with debug: all traffic leaves through the China Unicom link.
When the China Unicom network is unavailable
When the China Unicom network is unavailable, the router log reports prob-fail and the NQA probe receives 0 icmp-reply packets.
The NAT session table shows sessions for both vlan10 and vlan20 traffic.
Checking NAT translation information with debug: all traffic leaves through the China Telecom link.
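To make the failover chain explicit (NQA probe-fail reaction, track state, PBR node, tracked default route, preference-80 backup) and to reproduce the three test outcomes above, here is an added Python model; it is not device code and not part of the original notes. The probe histories are constructed, the next hops, ACL prefix, track numbers and threshold are the page's, and the model assumes Comware's default static-route preference of 60 and only the Positive/Negative track states.

```python
"""Model of the failover logic on this page: NQA probe-fail reaction -> track state ->
PBR next hop / static default route. Added example, not device code; probe histories
passed in are constructed. Assumes Comware's default static-route preference of 60."""
from ipaddress import ip_address, ip_network

CONSECUTIVE_FAIL = 5  # reaction 1 ... probe-fail threshold-type consecutive 5


def track_state(probe_results, threshold=CONSECUTIVE_FAIL):
    """Track goes Negative once the reaction fires: `threshold` consecutive lost probes.
    probe_results: list of bools, True = icmp-reply received, oldest first."""
    streak = 0
    for ok in probe_results:
        streak = 0 if ok else streak + 1
        if streak >= threshold:
            return "Negative"
    return "Positive"


# policy-based-route to_isp_policy permit node 10 (applied on GigabitEthernet0/0)
PBR_NODES = [
    {"match": ip_network("192.168.20.0/24"),   # acl 3002
     "next_hop": "202.1.1.2", "track": 200},
]
# ip route-static 0.0.0.0 0 ... entries; the lowest preference wins
STATIC_DEFAULTS = [
    {"next_hop": "101.1.1.2", "preference": 60, "track": 100},
    {"next_hop": "202.1.1.2", "preference": 80, "track": None},
]


def next_hop_for(src, tracks):
    """Egress next hop for internet-bound traffic from `src`, given {track id: state}."""
    src = ip_address(src)
    # PBR is consulted first; a node whose track is not Positive is skipped
    for node in PBR_NODES:
        if src in node["match"] and tracks.get(node["track"]) == "Positive":
            return node["next_hop"]
    # Otherwise the routing table decides: a tracked route is only present while its
    # track is Positive; among the remaining routes the lowest preference wins
    active = [r for r in STATIC_DEFAULTS
              if r["track"] is None or tracks.get(r["track"]) == "Positive"]
    return min(active, key=lambda r: r["preference"])["next_hop"] if active else None


def scenario(telecom_probes, unicom_probes):
    """Return (vlan10 next hop, vlan20 next hop) for the given probe histories."""
    tracks = {100: track_state(telecom_probes), 200: track_state(unicom_probes)}
    return next_hop_for("192.168.10.5", tracks), next_hop_for("192.168.20.5", tracks)
```

Because the preference-80 default route on the page carries no track, the model still returns 202.1.1.2 for all sources when both probes fail; that is the configured behaviour, not a bug in the model.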
Router configuration:
#
sysname Router
#
track 100 nqa entry admin isp_telecom_test reaction 1
#
track 200 nqa entry admin isp_unicom_test reaction 1
#
system-working-mode standard
xbar load-single
password-recovery enable
lpu-type f-series
#
vlan 1
#
policy-based-route to_isp_policy permit node 10
if-match acl 3002
apply next-hop 202.1.1.2 track 200
#
nqa entry admin isp_telecom_test
type icmp-echo
destination ip 202.103.224.68
frequency 2000
history-record enable
history-record number 5
next-hop ip 101.1.1.2
probe count 5
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
source ip 101.1.1.1
#
nqa entry admin isp_unicom_test
type icmp-echo
destination ip 211.138.240.100
frequency 2000
history-record enable
history-record number 5
next-hop ip 202.1.1.2
probe count 5
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
source ip 202.1.1.1
#
nqa schedule admin isp_telecom_test start-time now lifetime forever
nqa schedule admin isp_unicom_test start-time now lifetime forever
#
interface Serial1/0
#
interface Serial2/0
#
interface Serial3/0
#
interface Serial4/0
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 1.1.1.1 255.255.255.252
ip policy-based-route to_isp_policy
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 101.1.1.1 255.255.255.252
nat outbound 3001
#
interface GigabitEthernet0/2
port link-mode route
combo enable copper
ip address 202.1.1.1 255.255.255.252
nat outbound 3001
#
interface GigabitEthernet5/0
port link-mode route
combo enable copper
#
interface GigabitEthernet5/1
port link-mode route
combo enable copper
#
interface GigabitEthernet6/0
port link-mode route
combo enable copper
#
interface GigabitEthernet6/1
port link-mode route
combo enable copper
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
user-role network-operator
#
ip route-static 0.0.0.0 0 101.1.1.2 track 100
ip route-static 0.0.0.0 0 202.1.1.2 preference 80
ip route-static 192.168.10.0 24 1.1.1.2
ip route-static 192.168.20.0 24 1.1.1.2
#
acl advanced 3001
rule 0 permit ip
#
acl advanced 3002
rule 0 permit ip source 192.168.20.0 0.0.0.255
#
domain name system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
return
<Router>