Cisco PBR verify-availability using interface instead of next-hop

Network Engineering cisco routing router cisco-ios-15 pppoe
2021-07-19 01:54:24

We have a number of Cisco 891 routers configured with dual WAN links. All of them run Cisco IOS 15.x. In some cases we use policy-based routing to force specific traffic over one link.

I use PBR quite often in dual-WAN setups, because customers usually want certain traffic to go over a particular link. For example, I often need real-time traffic (such as VoIP) to go over one link and general Internet traffic over the other, and will typically use PBR to route traffic based on source/destination IP, VLAN, or whatever fits.

Obviously, if the dedicated voice link goes offline, it is preferable to still provide a degraded service. I tend to use set next-hop verify-availability together with an IP SLA tracking object so that traffic can still fail over to the other WAN when needed.

My question is: when using PBR with set interface instead of set next-hop, is it possible to do the same configuration (using a tracking object to verify availability)?

There are a couple of reasons for this:

  • We auto-negotiate the IP and routing settings on all of our PPPoE Dialer interfaces. One of our third-party ISPs went and changed the default route on all DSL connections. This meant that, because I had hard-coded the next-hop into the PBR configuration, it stopped working. Fortunately PBR failed over to the other WAN, but either way I always try to avoid depending on hard-coded IPs wherever possible, similar to how I do the default route: ip route 0.0.0.0 0.0.0.0 Dialer0 10 track 1

  • Today I was asked to configure dual WAN on some new CPE, intending to use PBR to force our VoIP traffic over a dedicated line, failing back to the Internet link if needed. The problem is that this customer uses two DSL lines from the same ISP, so the next-hop would be the same in both cases. So obviously the next thing I would do is set interface, but that means I lose verify-availability.

Hopefully someone knows what PBR configuration I can use to achieve this when using set interface.

For reference, this is how I currently do it, including next-hop.

Edit: included a more detailed example.

track 1 ip sla 1
 delay down 20 up 10
!
track 2 ip sla 2
 delay down 20 up 10
!

interface FastEthernet8
 description PPPoE ADSL2+ VOIP
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1

interface GigabitEthernet0
 description PPPoE ADSL2+ All Internet Traffic
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 2

interface Vlan1
 description $ETH_LAN$
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ip policy route-map PBR-LAN

interface Dialer0
 description VOIP ADSL2+ Dialer Interface
 bandwidth 1024
 bandwidth receive 20480
 ip address negotiated
 no ip redirects
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxx@cust.example.com
 ppp chap password 0 yyyy
 ppp pap sent-username xxxx@cust.example.com password 0 yyyy
 no cdp enable

interface Dialer1
 description Internet ADSL2+ Dialer Interface
 bandwidth 1024
 bandwidth receive 20480
 ip address negotiated
 no ip redirects
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 2
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname zzz@cust2.example.com
 ppp chap password 0 aaa
 ppp pap sent-username zzz@cust2.example.com password 0 aaa
 no cdp enable

ip local policy route-map PBR-LOCAL
ip nat inside source route-map DSL2-DATA-NAT interface Dialer1 overload
ip nat inside source route-map DSL2-VOIP-NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 10 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 track 2


ip access-list extended NAT-POOL
 remark Be sure to exclude remote LANs in this ACL
 deny   ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended PBR-DSL-DATA
 remark Match local traffic with DSL DATA src IP
 permit ip host 89.123.45.67 any
ip access-list extended PBR-DSL-VOIP
 remark Match local traffic with DSL VOIP src IP
 permit ip host 89.123.45.70 any
ip access-list extended VOIP-PBX
 remark Match traffic to/from our VOIP PBX so it can use dedicated link.
 permit ip host 89.123.45.10 any
 permit ip any host 89.123.45.10

! For the IP SLAs I simply ping the gateway of the circuit
! In this case, we have two DSL links from the same ISP
! So I simply ping the same gateway for both, with different source interfaces.
ip sla 1
 icmp-echo 89.123.45.1 source-interface Dialer0
 threshold 4000
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 89.123.45.1 source-interface Dialer1
 threshold 4000
 frequency 5
ip sla schedule 2 life forever start-time now

! These PBR-LOCAL route-maps are used for traffic coming from
! The router itself. (eg. ICMP, IPSec) Allows it to correctly
! Respond on both links, no matter which is the primary/active link.
route-map PBR-LOCAL permit 10
 description Route traffic with src IP VOIP DSL
 match ip address PBR-DSL-VOIP
 set interface Dialer0
!
route-map PBR-LOCAL permit 20
 description Route traffic with src IP DATA DSL
 match ip address PBR-DSL-DATA
 set interface Dialer1
!

route-map PBR-LAN permit 1
 description This route map is to match all VOIP traffic and force it over the correct ADSL line
 match ip address VOIP-PBX
 ! Using next-hop is how I would typically do this sort of thing.
 ! However - in this case since both links are from the same ISP, the next-hop is the same in both cases.
 ! So, although I haven't tried it, I am sure the router would have no way to know exactly which link I mean.
 !
 ! In this example, I've used 89.123.45.1 as the gateway IP for both DSL links.
 !
 !
 ! Try using VOIP Link
 ! set ip next-hop verify-availability 89.123.45.1 1 track 1
 ! If that fails, try the DATA link
 ! set ip next-hop verify-availability 89.123.45.1 2 track 2
 !
 !
 ! Because of this, my work-around has been to simply specify the Dialer interface
 ! of the link I want to use. But this also means no failover to the data link.
 ! Hope this makes sense.
 !
 !
 set interface Dialer0


route-map DSL2-VOIP-NAT permit 10
 description This route match is to match NAT traffic for the VOIP ADSL2+ Connection
 match ip address NAT-POOL
 match interface Dialer0
!
route-map DSL2-DATA-NAT permit 10
 description This route match is to match NAT traffic for the DATA ADSL2+ Connection
 match ip address NAT-POOL
 match interface Dialer1
!
1 Answer

As discussed in chat, in your case the PBX / SIP traffic is unique to an IP host route. So you can drop the policy routing and solve it with tracked objects on overlapping static routes out the different dialer interfaces.

! PBX host routes: prefer the VoIP dialer (track 1), fall back to the data dialer (track 2)
ip route 89.123.45.10 255.255.255.255 Dialer0 1 name PBX_Pri track 1
ip route 89.123.45.10 255.255.255.255 Dialer1 10 name PBX_Bak track 2
! Default routes: prefer the data dialer (track 2), fall back to the VoIP dialer (track 1)
ip route 0.0.0.0 0.0.0.0 Dialer1 1 name Data_Pri track 2
ip route 0.0.0.0 0.0.0.0 Dialer0 10 name Data_Bak track 1
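To see how the four tracked static routes behave as each DSL link goes up and down, here is an added example (not from the original post or the answer) that models IOS route selection as longest-prefix match, then lowest administrative distance, counting only routes whose tracking object is up. It assumes the interface names are written out as Dialer0/Dialer1 and uses 203.0.113.5 as a constructed generic Internet destination.

```python
# Added example: a small model of IOS static-route selection applied to the
# four tracked routes proposed in the answer (assumptions: longest prefix
# match first, then lowest distance, and a route whose track is down is withdrawn).
import ipaddress

# Constructed from the answer: (prefix, exit interface, distance, track, name)
STATIC_ROUTES = [
    ("89.123.45.10/32", "Dialer0", 1, 1, "PBX_Pri"),
    ("89.123.45.10/32", "Dialer1", 10, 2, "PBX_Bak"),
    ("0.0.0.0/0", "Dialer1", 1, 2, "Data_Pri"),
    ("0.0.0.0/0", "Dialer0", 10, 1, "Data_Bak"),
]

def rib(routes, track_state):
    """Routes actually installed: per prefix, the lowest-distance candidate
    whose track is up (a route whose track is down is withdrawn)."""
    installed = {}
    for prefix, iface, distance, track, name in routes:
        if not track_state.get(track, False):
            continue
        net = ipaddress.ip_network(prefix)
        if net not in installed or distance < installed[net][1]:
            installed[net] = (iface, distance, name)
    return installed

def lookup(dst, routes, track_state):
    """Longest-prefix match over the installed routes -> (iface, name) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, (iface, _dist, name) in rib(routes, track_state).items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, name)
    return None if best is None else (best[1], best[2])

def failover_matrix(routes=STATIC_ROUTES):
    """Exit interface chosen for the PBX (89.123.45.10) and for a generic
    Internet host (203.0.113.5, constructed) under every track 1/track 2 state."""
    matrix = {}
    for t1 in (True, False):
        for t2 in (True, False):
            state = {1: t1, 2: t2}  # track 1 = VoIP DSL, track 2 = data DSL
            matrix[(t1, t2)] = (lookup("89.123.45.10", routes, state),
                                lookup("203.0.113.5", routes, state))
    return matrix

if __name__ == "__main__":
    for (t1, t2), (pbx, inet) in failover_matrix().items():
        print(f"track1={t1!s:5} track2={t2!s:5}  PBX->{pbx}  Internet->{inet}")
```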