H3C Dual Internet Access Load Sharing and Backup [Solution and Configuration Examples]
#
version , Alpha 1011
#
sysname H3C
#
bfd echo-source-ip
acl number 3000
rule 0 permit ip source number 3001
rule 0 permit ip source Ethernet0/1/0
port link-mode route
ip address ip policy-based-route internet
#
interface Ethernet0/1/1
port link-mode route
ip address Ethernet0/1/2
port link-mode route
ip address internet permit node 1
if-match acl 3000
apply ip-address next-hop track 1
policy-based-route internet permit node 2
if-match acl 3001
apply ip-address next-hop track 2
#
ip route-static track 1
ip route-static track 2
ip route-static track 1 bfd echo interface Ethernet0/1/1 remote ip local ip track 2 bfd echo interface Ethernet0/1/2 remote ip local ip
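Configuration examples
Dual-WAN access routing configuration
More and more enterprises and Internet cafes now use dual-WAN uplink access. This topology provides both link load sharing and dynamic link backup, and is widely popular with users. The following describes how to optimize the routing configuration for the different dual-WAN access methods.
Dual-WAN access from the same carrier
1. Dual Ethernet link access
1) MSR configuration method
For MSR gateways, policy-based routing and auto-detect can be used to implement load sharing and link backup.
Again taking as an example one WAN connection with address , gateway , and another WAN connection with address , gateway , with an MSR2010 as the gateway device, the configuration is as follows:
1. Configure the auto-detect groups to probe the state of the WAN connections: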
[H3C]nqa agent enable
[H3C]nqa entry wan1 1
[H3C-nqa-wan1-1]type icmp-echo
[H3C-nqa-wan1-1-icmp-echo]destination ip
[H3C-nqa-wan1-1-icmp-echo]next-hop
[H3C-nqa-wan1-1-icmp-echo]probe count 3
[H3C-nqa-wan1-1-icmp-echo]probe timeout 1000
[H3C-nqa-wan1-1-icmp-echo]frequency 10000
[H3C-nqa-wan1-1-icmp-echo]reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
[H3C]nqa entry wan2 1
[H3C-nqa-wan2-1]type icmp-echo
[H3C-nqa-wan2-1-icmp-echo]destination ip
[H3C-nqa-wan2-1-icmp-echo]next-hop
[H3C-nqa-wan2-1-icmp-echo]frequency 10000
[H3C-nqa-wan2-1-icmp-echo]probe count 3
[H3C-nqa-wan2-1-icmp-echo]probe timeout 1000
[H3C-nqa-wan2-1-icmp-echo]reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
[H3C-nqa-wan2-1-icmp-echo]quit
[H3C]nqa schedule wan1 1 start-time now lifetime forever
[H3C]nqa schedule wan2 1 start-time now lifetime forever
[H3C]track 1 nqa entry wan1 1 reaction 1
[H3C]track 2 nqa entry wan2 1 reaction 1
2. Configure ACLs to classify service traffic, taking a split by odd and even intranet host numbers as an example:
[H3C]acl number 3200
[H3C-acl-adv-3200] rule 0 permit ip source
[H3C-acl-adv-3200]rule 1000 deny ip
[H3C-acl-adv-3200]quit
[H3C]acl number 3201
[H3C-acl-adv-3201]rule 0 permit ip source
[H3C-acl-adv-3201]rule 1000 deny ip
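3. Configure policy-based routing to define the forwarding rules, taking even-numbered hosts via WAN1 and odd-numbered hosts via WAN2 as an example: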
[H3C]policy-based-route wan permit node 1
[H3C-pbr-wan-1]if-match acl 3200
[H3C-pbr-wan-1]apply ip-address next-hop track 1
[H3C-pbr-wan-1]quit
[H3C]policy-based-route wan permit node 2
[H3C-pbr-wan-2]if-match acl 3201
[H3C-pbr-wan-2]apply ip-address next-hop track 2
4. Enable policy-based routing on the LAN interface:
[H3C]interface Vlan-interface 1
[H3C-Vlan-interface1]ip policy-based-route wan
5. Configure default routes so that when either WAN link fails, traffic can be forwarded over the other link:
[H3C]ip route-static track 1 preference 60
[H3C]ip route-static track 2 preference 100
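The forwarding behaviour that steps 1 to 5 set up, modelled in Python as an added example (not part of the original page or of H3C's software). The LAN subnet 192.168.1.0/24, the wildcard 0.0.0.254 used for the odd/even split and the names WAN1/WAN2 are assumptions, because the page's own addresses are not shown; the model also assumes that a matched node whose tracked next hop is down hands the packet to the routing table.

```python
import ipaddress

def acl_match(src, base, wildcard):
    """Comware-style wildcard match: bits set to 1 in the wildcard are ignored."""
    s, b, w = (int(ipaddress.IPv4Address(x)) for x in (src, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (s & care) == (b & care)

# Constructed values (assumptions, not from the page): LAN 192.168.1.0/24,
# ACL 3200 = even hosts, ACL 3201 = odd hosts, via the wildcard 0.0.0.254.
ACLS = {3200: ("192.168.1.0", "0.0.0.254"), 3201: ("192.168.1.1", "0.0.0.254")}
# policy-based-route wan: (node, acl, egress link, track entry)
PBR_NODES = [(1, 3200, "WAN1", 1), (2, 3201, "WAN2", 2)]
# Default routes from step 5: (egress link, track entry, preference)
DEFAULT_ROUTES = [("WAN1", 1, 60), ("WAN2", 2, 100)]

def egress(src, track_up):
    """Return (egress link, reason) for a LAN source, given track states {id: bool}."""
    for node, acl, wan, track in PBR_NODES:
        if acl_match(src, *ACLS[acl]):
            if track_up[track]:
                return wan, f"pbr node {node}"
            break  # tracked next hop is down: fall back to the routing table
    # Routing table: only default routes whose track entry is up are usable;
    # the lowest preference value wins.
    usable = [(pref, wan) for wan, track, pref in DEFAULT_ROUTES if track_up[track]]
    if not usable:
        return None, "no usable default route"
    pref, wan = min(usable)
    return wan, f"default route preference {pref}"

if __name__ == "__main__":
    for state in ({1: True, 2: True}, {1: False, 2: True}, {1: True, 2: False}):
        for host in ("192.168.1.10", "192.168.1.11"):
            print(state, host, egress(host, state))
```

Running it shows that a host only changes link while the track entry for its own link is down, and that a source matching neither ACL follows the preference 60 default route.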
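2) User-based load sharing configuration method
The MSR5006 supports user-based load sharing, which dynamically shares traffic according to interface bandwidth. Combined with auto-detect it also provides link backup: when one link fails, traffic is automatically forwarded over the other link. Taking as an example one WAN connection with address , gateway , and another WAN connection with address , gateway , the configuration is as follows:
1. For the auto-detect configuration, refer to the description above.
2. Configure static default routes to the two WAN interfaces and associate them with the auto-detect groups:
3. Enable user-based load sharing: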
ip user-based-sharing enable
ip user-based-sharing route
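4. Configure the load-sharing bandwidth of the WAN interfaces (the load-sharing bandwidths of the two WAN interfaces only need to be in a suitable ratio; they do not have to match the physical bandwidth actually subscribed):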
#
interface Ethernet0/0
port link-mode route
nat outbound
ip address
load-bandwidth 1000
#
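2. Ethernet link + PPPoE link access
1) MSR configuration method
The configuration is similar to the Ethernet link access case; only a few places need adjusting. Again taking as an example one WAN connection with address , gateway , and the other WAN connection being a PPPoE link, with an MSR2010 as the gateway device, the configuration is as follows:
1. Configure the auto-detect group to probe the state of the WAN connection: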
[H3C]nqa agent enable
[H3C]nqa entry wan1 1
[H3C-nqa-wan1-1]type icmp-echo
[H3C-nqa-wan1-1-icmp-echo]destination ip
[H3C-nqa-wan1-1-icmp-echo]next-hop
[H3C-nqa-wan1-1-icmp-echo]probe count 5
[H3C-nqa-wan1-1-icmp-echo]probe timeout 1000
[H3C-nqa-wan1-1-icmp-echo]frequency 10000
[H3C-nqa-wan1-1-icmp-echo]reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
[H3C]nqa schedule wan1 1 start-time now lifetime forever
[H3C]track 1 nqa entry wan1 1 reaction 1
2. Configure ACLs to classify service traffic, taking a split by odd and even intranet host numbers as an example:
[H3C]acl number 3200
[H3C-acl-adv-3200] rule 0 permit ip source
[H3C-acl-adv-3200]rule 1000 deny ip
[H3C-acl-adv-3200]quit
[H3C]acl number 3201
[H3C-acl-adv-3201]rule 0 permit ip source
[H3C-acl-adv-3201]rule 1000 deny ip
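3. Configure policy-based routing to define the forwarding rules, taking even-numbered hosts via WAN1 and odd-numbered hosts via WAN2 as an example: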
[H3C]policy-based-route wan permit node 1
[H3C-pbr-wan-1]if-match acl 3200
[H3C-pbr-wan-1]apply ip-address next-hop track 1
[H3C-pbr-wan-1]quit
[H3C]policy-based-route wan permit node 2
[H3C-pbr-wan-2]if-match acl 3201
[H3C-pbr-wan-2]apply output-interface dialer0
4. Enable policy-based routing on the LAN interface:
[H3C]interface Vlan-interface 1
[H3C-Vlan-interface1]ip policy-based-route wan
5. Configure default routes so that when either WAN link fails, traffic can be forwarded over the other link:
[H3C]ip route-static track 1 preference 60
[H3C]ip route-static dialer0 preference 100
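Note: Early MSR-series gateway versions have a problem when policy-based routing, fast forwarding and PPPoE dialing are combined (this problem is fixed in versions after R1618P11 and E1711). When the WAN connection is a PPPoE connection, using policy-based routing requires disabling fast forwarding on the VLAN interface, as follows: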
[H3C]interface Vlan-interface 1
[H3C-Vlan-interface1] undo ip fast-forwarding
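China Telecom and China Netcom dual-WAN access
This is currently the most popular topology for newly built networks. The user requests one access link each from China Telecom and China Netcom, and routing is configured so that clients reach China Telecom servers over the Telecom link and China Netcom servers over the Netcom link. This can greatly improve the access speed of many network applications, and because the two links back each other up, network reliability also improves. The configuration is as follows:
1) MSR configuration method
Taking as an example a China Telecom WAN connection with address , gateway , and a China Netcom WAN connection with address , gateway , the configuration is as follows:
1. Configure the auto-detect groups to probe the state of the WAN connections: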
[H3C]nqa agent enable
[H3C]nqa entry wan1 1
[H3C-nqa-wan1-1]type icmp-echo
[H3C-nqa-wan1-1-icmp-echo]destination ip
[H3C-nqa-wan1-1-icmp-echo]next-hop
[H3C-nqa-wan1-1-icmp-echo]probe count 5
[H3C-nqa-wan1-1-icmp-echo]probe timeout 1000
[H3C-nqa-wan1-1-icmp-echo]frequency 10000
[H3C-nqa-wan1-1-icmp-echo]reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
[H3C]nqa entry wan2 1
[H3C-nqa-wan2-1]type icmp-echo
[H3C-nqa-wan2-1-icmp-echo]destination ip
[H3C-nqa-wan2-1-icmp-echo]next-hop
[H3C-nqa-wan2-1-icmp-echo]frequency 10000
[H3C-nqa-wan2-1-icmp-echo]probe count 3
[H3C-nqa-wan2-1-icmp-echo]probe timeout 1000
[H3C-nqa-wan2-1-icmp-echo]reaction 1 checked-element probe-fail threshold-type consecutive 6 action-type trigger-only
[H3C-nqa-wan2-1-icmp-echo]quit
[H3C]nqa schedule wan1 1 start-time now lifetime forever
[H3C]nqa schedule wan2 1 start-time now lifetime forever
[H3C]track 1 nqa entry wan1 1 reaction 1
[H3C]track 2 nqa entry wan2 1 reaction 1
2. Configure default routes so that when either WAN link fails, traffic can be forwarded over the other link:
[H3C]ip route-static track 1 preference 60
[H3C]ip route-static track 2 preference 100
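3. Configure the China Netcom routing table (because the China Netcom routing table has about 500 entries, it is provided as an attachment):
Note: If the China Telecom or China Netcom link is a PPPoE link, simply change the next hop of the corresponding routes to Dialer0; in that case the routes do not need to be associated with auto-detect.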