c5915 DMVPN Spoke ISP Failover - Single Hub

Network Engineering eigrp failover
2022-03-04 23:26:45

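I have a mobile application that uses cellular and satellite communication services to establish a VPN connection with our hub. In the current configuration, failover works based on ip hello-interval eigrp 1 15 and ip hold-time eigrp 1 60 within the tunnels. The problem is that when we move into an area with poor or no cellular coverage, it takes 60-100 seconds for data to flow over our secondary ISP. The same delay is observed when we transition into cellular coverage. I expect this is because of our EIGRP timers. We frequently bounce between services multiple times during the day.

Is there a better way to achieve failover with limited disruption of service? I have seen the use of IP SLA and applets, but I have had trouble applying them to this configuration.

The individual who created this configuration has left the company, and I am looking for any help you can provide. I am open to almost any configuration change needed to make this work, as well as any suggestions you may have for improving the configuration.

Config snippet below (IP addresses, passwords and crypto changed for security).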

hostname Spoke 1
!
vlan 2
 name VLAN
!
boot-start-marker
boot-end-marker
ntp server 172.1.1.2
!
!
vrf definition CELL
 rd 100:1
 !
 address-family ipv4
 exit-address-family
!
vrf definition SAT
 rd 100:2
 !
 address-family ipv4
 exit-address-family

Crypto section

crypto keyring KEY-CELL vrf CELL
 pre-shared-key address 192.168.2.1 key cisco
crypto keyring KEY-SAT vrf SAT
 pre-shared-key address 192.168.2.1 key cisco
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp keepalive 30
crypto isakmp nat keepalive 30
!
crypto isakmp key cisco address 0.0.0.0
crypto isakmp profile PROF-SAT
 vrf SAT
 keyring KEY-SAT
 match identity address 192.168.2.1 255.255.255.255
crypto isakmp profile PROF-CELL
 vrf CELL
 keyring KEY-CELL
 match identity address 192.168.2.1 255.255.255.255
!
crypto ipsec transform-set ESP-AES256-TRANSPORT-SET esp-aes 256 esp-sha-hmac 
 mode transport
!
crypto ipsec profile IPSEC-PROFILE
 set security-association lifetime seconds 86400
 set transform-set ESP-AES256-TRANSPORT-SET
 set pfs group5
 set isakmp-profile PROF-CELL
!
crypto ipsec profile IPSEC-SATCOM-PROFILE
 set security-association lifetime seconds 86400
 set transform-set ESP-AES256-TRANSPORT-SET 
 set pfs group5
 set isakmp-profile PROF-SAT
!

Interfaces

interface Loopback1
 ip address 172.1.1.255 255.255.255.255
 ip pim sparse-mode
!
interface Tunnel1
 description DMVPN Profile 1
 ip address 10.202.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hello-interval eigrp 1 15
 no ip split-horizon eigrp 1
 ip hold-time eigrp 1 60
 ip pim dr-priority 0
 ip pim nbma-mode
 ip pim sparse-mode
 ip nat outside
 ip nhrp authentication 123456
 ip nhrp map multicast 192.168.2.1
 ip nhrp map 10.202.1.254 192.168.2.1
 ip nhrp network-id 123456
 ip nhrp holdtime 300
 ip nhrp nhs 10.202.1.254
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 qos pre-classify
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 123456
 tunnel vrf CELL
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface Tunnel2
 description DMVPN Profile 2
 bandwidth 56
 ip address 10.202.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hello-interval eigrp 1 15
 ip hold-time eigrp 1 60
 no ip split-horizon eigrp 1
 ip pim dr-priority 2
 ip pim nbma-mode
 ip pim sparse-mode
 ip nat outside
 ip nhrp authentication 789123
 ip nhrp map multicast 192.168.2.1
 ip nhrp map 10.202.2.254 192.168.2.1
 ip nhrp network-id 789123
 ip nhrp holdtime 300
 ip nhrp nhs 10.202.2.254
 ip virtual-reassembly in
 ip tcp adjust-mss 1350
 load-interval 30
 delay 20100
 qos pre-classify
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 789123
 tunnel vrf SAT
 tunnel protection ipsec profile IPSEC-SATCOM-PROFILE
!
interface FastEthernet0/0
 description CradlePoint
 vrf forwarding CELL
 ip address dhcp
 ip virtual-reassembly in
 duplex full
 speed 100
 no shutdown
!
interface FastEthernet0/1
 description SATCOM BACKUP
 vrf forwarding SAT
 ip address dhcp
 ip virtual-reassembly in
 duplex full
 speed 100
 no shutdown
!
interface range fa0/2 - 4
 switchport mode access
 switchport access vlan 2
 no shut
!
!
interface Vlan2
 description Vlan2
 ip address 172.2.63.254 255.255.192.0 secondary
 ip address 172.1.1.1 255.255.255.252
 ip pim state-refresh origination-interval 60
 ip pim sparse-mode
 ip nat inside
 ip virtual-reassembly in
 ip igmp query-max-response-time 1
 ip igmp version 3
 ip igmp query-interval 2
!

Routing

ip forward-protocol nd
no ip http server
no ip http secure-server
!
router eigrp 1
 network 10.0.0.0
 redistribute connected route-map redist-connected
 redistribute static route-map redist-static
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
!
ip pim rp-address 10.50.254.254
ip pim spt-threshold infinity
ip pim register-source tunnel1
ip nat pool MCAST-NAT-POOL 172.1.1.5 172.1.1.250 netmask 255.255.255.0
ip nat inside source route-map INTERNET-PNAT-MAP interface FastEthernet0/0 overload
ip nat inside source route-map MCAST-NAT-MAP pool MCAST-NAT-POOL
ip route 172.1.1.0 255.255.255.0 Null0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp
!
ip access-list standard redist-connected
 permit 172.2.0.0 0.0.63.255
 permit 192.168.0.0 0.0.255.255
!
ip access-list standard redist-static
 permit 172.1.1.0 0.0.0.255
!
ip access-list extended INTERNET-PNAT-LIST
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.0.0.0 0.31.255.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 224.0.0.0 15.255.255.255
 permit ip 172.2.0.0 0.0.255.255 any
!
ip access-list extended MCAST-NAT-LIST
 permit ip 172.2.0.0 0.0.63.255 224.0.0.0 15.255.255.255
!
route-map redist-static permit 10
 match ip address redist-static
!
route-map MCAST-NAT-MAP permit 10
 match ip address MCAST-NAT-LIST
!
route-map INTERNET-PNAT-MAP permit 10
 match ip address INTERNET-PNAT-LIST
!
route-map redist-connected permit 10
 match ip address redist-connected
!
1 Answer

Tuning will take some trial and error, since every situation is unique. I suggest the following as starting points:

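  1. Check your feasible successors. One of the great strengths of EIGRP is its use of feasible successor routes, which are basically backup routes that EIGRP knows are loop-free and can start using immediately if the primary route is lost. Since you are using the default metrics, you will need to adjust the bandwidth and delay settings on the interfaces to make sure a feasible successor is available. You can check them with show ip eigrp topology

Cisco EIGRP

  2. Look into enabling BFD. BFD is a separate protocol that EIGRP can subscribe to for failure detection. It can provide sub-second failure detection in a LAN environment, but you would not want that over a lossy WAN connection such as the Internet. You will turn the timers up for the WAN, but the advantage of BFD is that you can configure BFD dampening. When you are at the edge of the cell/satellite connection, you may flap back and forth a lot with low timers; if you configure dampening, it will detect the flapping and hold off convergence for a while to let the connection stabilize.

BFD Overview

BFD for EIGRP

BFD Dampening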

Before configuring all of your production devices, you will want to get some spare equipment and test and tune on it.
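
Added example, not part of the original answer: a Python sketch of the feasible-successor check from point 1, using the classic EIGRP composite metric with default K values. Tunnel2's bandwidth 56 and delay 20100 come from the posted config; Tunnel1's values (bandwidth 100, delay 5000) are assumed IOS tunnel defaults, and the hub-side advertised values and the "slow-neighbor" path are constructed for illustration.

```python
from dataclasses import dataclass

def classic_metric(min_bw_kbps, delay_tens_usec):
    # Classic EIGRP composite metric with default K values (K1 = K3 = 1).
    return 256 * (10**7 // min_bw_kbps + delay_tens_usec)

@dataclass
class Path:
    name: str
    adv_bw: int      # lowest bandwidth (kbit/s) the neighbor advertises
    adv_delay: int   # cumulative delay (tens of usec) the neighbor advertises
    if_bw: int       # "bandwidth" of the spoke's outgoing interface
    if_delay: int    # "delay" of the spoke's outgoing interface

    def reported_distance(self):
        return classic_metric(self.adv_bw, self.adv_delay)

    def distance(self):
        return classic_metric(min(self.adv_bw, self.if_bw),
                              self.adv_delay + self.if_delay)

def evaluate(paths):
    """Return (successor, feasible successors, rejected) for one prefix."""
    successor = min(paths, key=Path.distance)
    fd = successor.distance()
    feasible, rejected = [], []
    for p in paths:
        if p is successor:
            continue
        # Feasibility condition: neighbor's reported distance < our FD.
        (feasible if p.reported_distance() < fd else rejected).append(p)
    return successor, feasible, rejected

# Constructed sample: the hub advertises a LAN prefix (100 Mbit/s, 100 usec).
# Tunnel1 uses assumed IOS tunnel defaults; Tunnel2 uses the posted values.
PATHS = [
    Path("Tunnel1", 100000, 10, if_bw=100, if_delay=5000),
    Path("Tunnel2", 100000, 10, if_bw=56, if_delay=20100),
    # Hypothetical neighbor that itself sits behind a slow link.
    Path("slow-neighbor", 56, 20100, if_bw=100000, if_delay=10),
]

if __name__ == "__main__":
    succ, fs, rej = evaluate(PATHS)
    print("successor:", succ.name, succ.distance())
    for p in fs:
        print("feasible successor:", p.name, p.reported_distance())
    for p in rej:
        print("not feasible:", p.name, p.reported_distance())
```

A feasible successor removes the DUAL query phase, but the switch to it still waits until the neighbor on the failed tunnel is declared down.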