这是当前设置,一切正常!!!在这里,现在我想要 AWS 的备份链接,所以我请求再创建一个辅助链接并Cisco ASA在Port-channel1.8接口上终止。
asa/pri/act# sh run int po1.8
!
interface Port-channel1.8
description ### AWS-DX-2 ###
vlan 8
nameif aws_dx_2
security-level 0
ip address 169.254.8.1 255.255.255.248 standby 169.254.8.3
asa/pri/act# sh run int po1.9
!
interface Port-channel1.9
description ### AWS-DX-1 ###
vlan 9
nameif aws_dx
security-level 0
ip address 169.254.9.1 255.255.255.248 standby 169.254.9.3
这是我的 BGP 配置
router bgp 65501
bgp log-neighbor-changes
timers bgp 10 30 0
address-family ipv4 unicast
neighbor 169.254.8.2 remote-as 7224
neighbor 169.254.8.2 password *****
neighbor 169.254.8.2 activate
neighbor 169.254.8.2 route-map BGP-LOCAL-PREF in
neighbor 169.254.8.2 route-map BGP-AS-PREPEND out
neighbor 169.254.9.2 remote-as 7224
neighbor 169.254.9.2 password *****
neighbor 169.254.9.2 activate
network 10.10.0.0 mask 255.255.0.0
network 10.20.0.0 mask 255.255.0.0
network 10.30.0.0 mask 255.255.0.0
distribute-list ACL-BGP-IN in
no auto-summary
no synchronization
exit-address-family
!
我的路线图
asa/pri/act# sh run route-map
!
route-map BGP-LOCAL-PREF permit 10
set local-preference 90
!
route-map BGP-AS-PREPEND permit 10
set as-path prepend 65501 65501 65501
!
到目前为止一切顺利,直到这里在 BGP 总结
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
169.254.8.2 4 7224 76 61 15 0 0 00:10:49 4
169.254.9.2 4 7224 286 225 15 0 0 00:41:45 4
现在问题从这里开始,从我的局域网我无法 ping AWS 任何实例。
如果我继续关闭其中一个链接,那么我的 LAN 主机可以 ping AWS 实例,我正在尝试在此处创建 redendency,但不知何故它不起作用,我在这里错过了什么吗?
只要我按照它的工作..
neighbor 169.254.8.2 shutdown
我听说我们不应该169.254/16在本地链接中使用,您认为这可能是这里的问题吗?
更新-1
Gateway of last resort is 74.XX.XX.107 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 74.XX.XX.107, outside
S 10.0.10.0 255.255.255.0 [1/0] via 10.5.0.1, site1
C 10.5.0.0 255.255.248.0 is directly connected, site1
L 10.5.3.1 255.255.255.255 is directly connected, site1
S 10.5.8.0 255.255.248.0 [1/0] via 10.5.0.1, site1
S 10.5.16.0 255.255.248.0 [1/0] via 10.5.0.1, site1
S 10.5.255.0 255.255.255.0 [1/0] via 10.5.0.1, site1
C 10.10.0.0 255.255.0.0 is directly connected, dmz_ext
L 10.10.0.1 255.255.255.255 is directly connected, dmz_ext
C 10.20.0.0 255.255.0.0 is directly connected, dmz_int
L 10.20.0.1 255.255.255.255 is directly connected, dmz_int
C 10.30.0.0 255.255.0.0 is directly connected, inside
L 10.30.0.1 255.255.255.255 is directly connected, inside
C 10.40.0.0 255.255.0.0 is directly connected, pxe
L 10.40.0.1 255.255.255.255 is directly connected, pxe
B 10.100.4.0 255.255.252.0 [20/0] via 169.254.9.2, 00:50:35
C 74.XX.XX.0 255.255.254.0 is directly connected, public
L 74.XX.XX.10 255.255.255.255 is directly connected, public
C 74.XX.XX.104 255.255.255.248 is directly connected, outside
L 74.XX.XX.110 255.255.255.255 is directly connected, outside
C 169.254.8.0 255.255.255.248 is directly connected, aws_dx_2
L 169.254.8.1 255.255.255.255 is directly connected, aws_dx_2
C 169.254.9.0 255.255.255.248 is directly connected, aws_dx
L 169.254.9.1 255.255.255.255 is directly connected, aws_dx
C 172.29.0.0 255.255.0.0 is directly connected, ilo
L 172.29.0.1 255.255.255.255 is directly connected, ilo
C 192.168.100.0 255.255.255.0 is directly connected, FailoverLink
L 192.168.100.1 255.255.255.255 is directly connected, FailoverLink
如果您注意到我的表中只有一个 BGP 路由。
B 10.100.4.0 255.255.252.0 [20/0] via 169.254.9.2, 00:58:40
更新-2
我确实清除了 asp drop,现在看到了这个。
Frame drop:
No valid adjacency (no-adjacency) 12
Flow is denied by configured rule (acl-drop) 133
First TCP packet not SYN (tcp-not-syn) 54
TCP RST/FIN out of order (tcp-rstfin-ooo) 4
Slowpath security checks failed (sp-security-failed) 1
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 31
FP L2 rule drop (l2_acl) 270