Configuration requirement
Active/standby VPN between headquarters and a branch, with BGP route learning over the tunnels and fast active/standby failover.

Topology information
Details:
Both HQ and the branch have fixed public IP addresses.
HQ (HUB) information:
A NAT device sits on the internet side and performs a DNAT mapping: public IP 111.100.1.10, UDP 500 and UDP 4500 <-> 192.168.1.10, UDP 500 and UDP 4500 (the IP address of the FGT's port1 interface). The HUB FGT uses this mapping for IPsec VPN; it is the address the Edge dials and the one the NAT router's static entries below map.
HUB internal network on port3: 10.1.1.0/24

Branch (Edge) information:
Edge has two internet uplinks:
Port1 (WAN1): 202.100.1.10, will carry the primary tunnel VPN_Master
Port2 (WAN2): 101.100.1.10, will carry the backup tunnel VPN_Slave

Edge internal network on port3: 172.16.1.0/24

HUB # get system status
Version: FortiGate-VM64-KVM v5.6.8,build1672,190130 (GA)

Edge # get system status
Version: FortiGate-VM64-KVM v6.0.9,build0335,200121 (GA)

Requirement:
The branch and HQ must build IPsec VPNs, learn each other's routes over BGP, and run the VPNs in active/standby mode: when the primary VPN fails, both the BGP routes and the business traffic must switch cleanly to the backup VPN.

Configuration outline:
1. Build two static IPsec tunnels between Edge and HUB, VPN_Master and VPN_Slave, create the firewall policies, and tune DPD: set dpd on-idle / set dpd-retryinterval 3

2. Assign IP addresses to the VPN_Master and VPN_Slave tunnel interfaces and use them to form the BGP neighbors:
Edge_VPN_Master tunnel IP 10.255.254.1, HUB_VPN_Master tunnel IP 10.255.254.2
Edge_VPN_Slave tunnel IP 10.255.255.1, HUB_VPN_Slave tunnel IP 10.255.255.2
BGP AS 64512; two iBGP neighbor pairs are all that is needed.
BGP timer tuning: set keepalive-timer 3 / set holdtime-timer 9

3. Configure BGP route-maps (modifying AS_PATH and local preference) so that the BGP routes themselves are active/standby
config router route-map
    edit "To_Slave"
        config rule
            edit 1
                set set-aspath "64511"
            next
        end
    next
    edit "To_Master"
        config rule
            edit 1
                set set-local-preference 200
            next
        end
    next
end
...
4. Configure BFD for BGP to get fast BGP failover
config system settings
    set bfd enable
end
config system interface
    edit "Edge_VPN_Master"
        set bfd enable
    next
    edit "Edge_VPN_Slave"
        set bfd enable
    next
end
...

Detailed configuration steps:
First, the HUB_NAT_Router:
HUB_NAT_Router#show  running-config 

interface Ethernet0/0
ip address 111.100.1.11 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!

ip nat inside source list 101 interface Ethernet0/0 overload


ip nat inside source static udp 192.168.1.10 500 111.100.1.10 500 extendable
ip nat inside source static udp 192.168.1.10 4500 111.100.1.10 4500 extendable

ip route 0.0.0.0 0.0.0.0 111.100.1.1
ip route 10.1.1.0 255.255.255.0 192.168.1.10
!
!
access-list 101 permit ip any any
HUB_NAT_Router#
HUB-side firewall configuration:

HUB # config system interface 
HUB (interface) # edit port1
HUB (port1) # show
config system interface
edit "port1"
set vdom "root"
set ip 192.168.1.10 255.255.255.0
set allowaccess ping https ssh http
set type physical
set alias "WAN1"
set role wan
set snmp-index 1
next
end
HUB (port1) # next
HUB (interface) # edit port3
HUB (port3) # show
config system interface
edit "port3"
set vdom "root"
set ip 10.1.1.10 255.255.255.0
set allowaccess ping https ssh http
set type physical
set alias "LAN"
set role lan
set snmp-index 3
next
end
HUB (port3) # end
HUB # config router static
HUB (static) # show
config router static
edit 1
set gateway 192.168.1.1
set device "port1"
next
end
HUB (static) # end
HUB #
One thing to note about the interfaces above: the lab leaves ping, https, ssh and http administrative access enabled on port1, the WAN side. In a production deployment, restrict management on internet-facing interfaces (trusted hosts, no plaintext http) before the VPN goes live.
Configure the VPN manually (do not use the wizard templates; choose the custom VPN configuration):




VPN CLI script:
HUB # config vpn ipsec phase1-interface 

HUB (phase1-interface) #
HUB (phase1-interface) # show
config vpn ipsec phase1-interface
edit "HUB_VPN_Master"
set interface "port1"
set peertype any
set passive-mode enable
set dpd on-idle
set remote-gw 202.100.1.10
set psksecret ENC nr9XuE11b2foiSjyj34rrMsmNSUekNqMdpeOIKlWszOSNapjQdkTUPg9Z50WSn3auJ+UXaVFd0vHZmajV0yXhtu8fGes2+gWqBsDKk2iSty6tB57pNzPNbf4sXZ/jhUGnfuHfGsXKdxP4QWirKMGo18uNzA+GPK+aA7fDfvyD1GYNIw/qD99tD5+H4BRzpZhLlqjRQ==
set dpd-retryinterval 3
next
edit "HUB_VPN_Slave"
set interface "port1"
set peertype any
set passive-mode enable
set dpd on-idle
set remote-gw 101.100.1.10
set psksecret ENC Noe9BuTg+ar4aRMmxbG2E6/gqAYu0zsaqWtb3I02EmdtsKuF2PWN7dTGNUaBMPBX+J16MVA5cQHQXVlWOeOITZaUv/2jI6HbAFJ2K5e/dtHGjLwP/NakuOaEQXiP04pcw/hTUIrQto8BAqPgRZdisVP64eEmWb46Cu+j8p8d8sjD3gzmMy4zRSmkuYlcqmiHpac43Q==
set dpd-retryinterval 3
next
end

HUB (phase1-interface) # end

HUB # config vpn ipsec phase2-interface

HUB (phase2-interface) #
HUB (phase2-interface) # show
config vpn ipsec phase2-interface
edit "HUB_VPN_Master"
set phase1name "HUB_VPN_Master"
set replay disable
next
edit "HUB_VPN_Slave"
set phase1name "HUB_VPN_Slave"
set replay disable
next
end

HUB (phase2-interface) # end

HUB #
Note the following small but important CLI adjustments (the items shown in red in the original):
config vpn ipsec phase1-interface
    edit "HUB_VPN_X"
        set passive-mode enable  // accept VPN requests passively: Edge initiates, the HUB never does. The HUB sits behind a NAT device, and an outbound session from the HUB could collide on that device with the inbound DNAT session, so passive mode avoids the NAT session conflict.
        set dpd on-idle  // enable periodic DPD so a dead tunnel does not linger in a half-open state
        set dpd-retryinterval 3 // shorten the DPD retry interval so a peer failure is detected quickly
    next
end

The parameters above must be adjusted and tuned.

One caveat on the phase2 settings shown above: set replay disable switches off IPsec anti-replay protection for the SA, so the receiver will accept replayed ESP packets. Keep it only if you have a concrete reason (for example, packet reordering on the path causing legitimate traffic to be dropped); otherwise leave the FortiOS default (replay enabled) on both ends.

Configure the VPN zones and policies, and the internet access policy:


Once the policies are configured the VPN can come up. Check the VPN status now (assuming the branch side is also fully configured):

Then configure IP addresses on the HUB_VPN_Master and HUB_VPN_Slave tunnel interfaces for BGP:



If Edge is also configured, 10.255.255.1 and 10.255.255.2, and 10.255.254.1 and 10.255.254.2, should be able to ping each other.

Configure BGP:

In the CLI, tune the BGP timers as follows:
config router bgp
set keepalive-timer 3
set holdtime-timer 9

end
Configure BFD on the HUB side:
config system settings
set bfd enable
end

config system interface
edit "HUB_VPN_Master"
set bfd enable
next
edit "HUB_VPN_Slave"
set bfd enable
next
end
config router bgp
config neighbor
edit "10.255.255.1"
set bfd enable
next
edit "10.255.254.1"
set bfd enable
next
end
end
Roughly what the HUB CLI shows:
HUB # config system settings 

HUB (settings) #
HUB (settings) # show
config system settings
set inspection-mode flow
set bfd enable
end

HUB (settings) # end

HUB # config system interface

HUB (interface) # edit HUB_VPN_Master

HUB (HUB_VPN_Master) # show
config system interface
edit "HUB_VPN_Master"
set vdom "root"
set ip 10.255.254.2 255.255.255.255
set allowaccess ping
set bfd enable
set type tunnel
set remote-ip 10.255.254.1 255.255.255.0
set snmp-index 6
set interface "port1"
next
end

HUB (HUB_VPN_Master) # next

HUB (interface) # edit HUB_VPN_Slave

HUB (HUB_VPN_Slave) # show
config system interface
edit "HUB_VPN_Slave"
set vdom "root"
set ip 10.255.255.2 255.255.255.255
set allowaccess ping
set bfd enable
set type tunnel
set remote-ip 10.255.255.1 255.255.255.0
set snmp-index 7
set interface "port1"
next
end

HUB (HUB_VPN_Slave) # end

HUB # config router bgp

HUB (bgp) #
HUB (bgp) # show
config router bgp
set as 64512
set router-id 10.255.255.2
set keepalive-timer 3
set holdtime-timer 9
config neighbor
edit "10.255.255.1"
set bfd enable
set remote-as 64512
next
edit "10.255.254.1"
set bfd enable
set remote-as 64512
next
end
config network
edit 1
set prefix 10.1.1.0 255.255.255.0
next
end
config redistribute "connected"
end
config redistribute "rip"
end
config redistribute "ospf"
end
config redistribute "static"
end
config redistribute "isis"
end
config redistribute6 "connected"
end
config redistribute6 "rip"
end
config redistribute6 "ospf"
end
config redistribute6 "static"
end
config redistribute6 "isis"
end
end

HUB (bgp) # end

HUB #
HUB-side configuration is complete!

Next, the most important part: the Edge FGT:


Edge # config system interface 

Edge (interface) # edit port1

Edge (port1) # show
config system interface
edit "port1"
set vdom "root"
set ip 202.100.1.10 255.255.255.0
set allowaccess ping https ssh http
set type physical
set alias "WAN1"
set role wan
set snmp-index 1
next
end

Edge (port1) # next

Edge (interface) # edit port2

Edge (port2) # show
config system interface
edit "port2"
set vdom "root"
set ip 101.100.1.10 255.255.255.0
set allowaccess ping https ssh http
set type physical
set alias "WAN2"
set role wan
set snmp-index 2
next
end

Edge (port2) # next

Edge (interface) # edit port3

Edge (port3) # show
config system interface
edit "port3"
set vdom "root"
set ip 172.16.1.10 255.255.255.0
set allowaccess ping https ssh http
set type physical
set alias "LAN"
set device-identification enable
set role lan
set snmp-index 3
next
end

Edge (port3) # end

Edge # config router static

Edge (static) # show
config router static
edit 1
set gateway 202.100.1.1
set device "port1"
next
edit 2
set gateway 101.100.1.1
set device "port2"
next
end

Edge (static) # end

Edge #
Configure the VPN manually (do not use the wizard templates; choose the custom VPN configuration):


VPN CLI script:
Edge # config vpn ipsec phase1-interface 

Edge (phase1-interface) # show
config vpn ipsec phase1-interface
edit "Edge_VPN_Master"
set interface "port1"
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set remote-gw 111.100.1.10
set psksecret ENC 50ekYDtol+xMZkp39uCAeJvevP1DZkwjXV5IY0+Gj4ni5QyEesS1QuEIjaL0bdKbVg4caHKFJBiw+KwYG3iNaT4rFwea/L6k1qeC9oKpSR4RR3O4xEMo2tId/Tqz0kLQn6ATqikZLzMpcJicOfJS370D+qL0xfzG2cBWyg8L9TvLZ1OM+gLtq38HgjIHXkr4bvbJ8Q==
set dpd-retryinterval 3
next
edit "Edge_VPN_Slave"
set interface "port2"
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set remote-gw 111.100.1.10
set psksecret ENC lnOCX1W+T4D8yjLvP2tGn10Z34ko34cKkpgXPHStv42pQqvAakf0vWj2GASQx0AK8tgn2iWOKohVdILpturghHLZ6E17J3LkKzDMcBE8oyfKAK24DQsx9E3xFGXxblCFo9x5nLxeVONSAtfEOz+Wmv9jfk66eztKwueHy6qxV9boay/foavZonWwHJRUhwk6xjxNrg==
set dpd-retryinterval 3
next
end

Edge (phase1-interface) # end

Edge # config vpn ipsec phase2-interface

Edge (phase2-interface) # show
config vpn ipsec phase2-interface
edit "Edge_VPN_Master"
set phase1name "Edge_VPN_Master"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set replay disable
set auto-negotiate enable

next
edit "Edge_VPN_Slave"
set phase1name "Edge_VPN_Slave"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set replay disable
set auto-negotiate enable

next
end

Edge (phase2-interface) # end

Edge #
Note the following small but important CLI adjustments (the items shown in red in the original):
config vpn ipsec phase1-interface
    edit "Edge_VPN_X"
        set dpd on-idle  // enable periodic DPD so a dead tunnel does not linger in a half-open state
        set dpd-retryinterval 3 // shorten the DPD retry interval so a peer failure is detected quickly
    next
end
config vpn ipsec phase2-interface
    edit "Edge_VPN_X"
        set auto-negotiate enable  // because the HUB side runs in passive-mode, the Edge must auto-negotiate so that it actively brings the tunnel up towards the HUB (and re-establishes it after a failure)
    next
end
The parameters above must be adjusted and tuned.

Configure the VPN zones and policies, and the internet access policy:


Once the policies are configured the VPN can come up. Check the VPN status now:

Then configure IP addresses on the Edge_VPN_Master and Edge_VPN_Slave tunnel interfaces for BGP:


10.255.255.1 and 10.255.255.2, and 10.255.254.1 and 10.255.254.2, can ping each other:
Edge # diagnose ip address list 
IP=202.100.1.10->202.100.1.10/255.255.255.0 index=3 devname=port1
IP=101.100.1.10->101.100.1.10/255.255.255.0 index=4 devname=port2
IP=172.16.1.10->172.16.1.10/255.255.255.0 index=5 devname=port3
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=7 devname=root
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=9 devname=vsys_ha
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=11 devname=vsys_fgfm
IP=10.255.254.1->10.255.254.2/255.255.255.0 index=12 devname=Edge_VPN_Master
IP=10.255.255.1->10.255.255.2/255.255.255.0 index=13 devname=Edge_VPN_Slave


Edge # execute ping 10.255.255.2
PING 10.255.255.2 (10.255.255.2): 56 data bytes
64 bytes from 10.255.255.2: icmp_seq=0 ttl=255 time=1.2 ms

64 bytes from 10.255.255.2: icmp_seq=1 ttl=255 time=1.1 ms
64 bytes from 10.255.255.2: icmp_seq=2 ttl=255 time=0.9 ms
64 bytes from 10.255.255.2: icmp_seq=3 ttl=255 time=0.9 ms
64 bytes from 10.255.255.2: icmp_seq=4 ttl=255 time=0.8 ms

--- 10.255.255.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.8/0.9/1.2 ms

Edge # execute ping 10.255.254.2
PING 10.255.254.2 (10.255.254.2): 56 data bytes
64 bytes from 10.255.254.2: icmp_seq=0 ttl=255 time=1.0 ms

64 bytes from 10.255.254.2: icmp_seq=1 ttl=255 time=0.9 ms
64 bytes from 10.255.254.2: icmp_seq=2 ttl=255 time=1.0 ms
64 bytes from 10.255.254.2: icmp_seq=3 ttl=255 time=0.8 ms
64 bytes from 10.255.254.2: icmp_seq=4 ttl=255 time=0.7 ms

--- 10.255.254.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.7/0.8/1.0 ms

Edge #
Configure BGP:

In the CLI, tune the BGP timers as follows:
config router bgp
set keepalive-timer 3
set holdtime-timer 9

end
Edge needs a routing policy to make the active/standby BGP path selection; nothing needs to be configured on the HUB side, the routing policy is only required on the Edge device. (There are several ways to do this; this example chooses to modify BGP attributes on the Edge and thereby influence path selection on both sides.)
config router route-map
edit "To_Slave"
config rule
edit 1
set set-aspath "64511"
next
end
next
edit "To_Master"
config rule
edit 1
set set-local-preference 200
next
end
next
end

config router bgp
config neighbor
edit "10.255.254.2"
set route-map-in "To_Master" // inbound: tag routes from this neighbor with LP 200, higher than the default 100, so routes from this neighbor are preferred
next
edit "10.255.255.2"
set route-map-out "To_Slave" // outbound: prepend an extra AS to the AS_PATH, so that on the HUB side the routes learned over the backup VPN neighbor have a longer AS_PATH and are not preferred
next
end
end
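Added example, not part of the original page: a small Python model of the BGP best-path steps this design leans on (weight, then local preference, then AS_PATH length), fed with the two paths each router receives in the configuration above. The Path class and the function names are my own; the addresses, tunnel names, the LP value 200 and the prepended AS 64511 come from the page. It makes the asymmetry of the two route-maps visible: local preference is never sent to a peer, so it has to be set inbound on the Edge, while the prepended AS_PATH travels to the HUB and steers the HUB's choice without any HUB-side policy.

```python
from dataclasses import dataclass, field
from typing import List

# Values (addresses, tunnel names, LP 200, prepended AS 64511) are the page's;
# the class and function names are mine.


@dataclass
class Path:
    neighbor: str                  # iBGP neighbor (tunnel peer) the route came from
    via: str                       # tunnel interface the route points to
    local_pref: int = 100          # FortiGate default local preference
    as_path: List[int] = field(default_factory=list)
    weight: int = 0                # 0 for learned routes, 32768 for locally originated


def best_path(paths: List[Path]) -> Path:
    """The BGP decision steps this design relies on, in order: highest weight,
    highest local preference, shortest AS_PATH. Later tie-breakers (origin,
    MED, eBGP over iBGP, IGP metric, router-id) are never reached here
    because one of these three always decides."""
    if not paths:
        raise ValueError("no paths: the prefix would be withdrawn from the RIB")
    return max(paths, key=lambda p: (p.weight, p.local_pref, -len(p.as_path)))


def route_map_to_master(p: Path) -> Path:
    """'To_Master' applied as route-map-in on the Edge's Master neighbor:
    set-local-preference 200. LP is local to the AS and is never sent to the
    peer, which is why the Edge must set it inbound on its own side."""
    return Path(p.neighbor, p.via, 200, list(p.as_path), p.weight)


def route_map_to_slave(p: Path) -> Path:
    """'To_Slave' applied as route-map-out towards the Slave neighbor:
    set-aspath 64511 prepends one AS; the longer path is what the HUB sees,
    so this steers the HUB without configuring anything on the HUB."""
    return Path(p.neighbor, p.via, p.local_pref, [64511] + list(p.as_path), p.weight)


def edge_choice(master_up: bool = True) -> Path:
    """10.1.1.0/24 as seen on Edge: the same prefix from both HUB tunnel peers."""
    candidates = [Path("10.255.255.2", "Edge_VPN_Slave")]
    if master_up:
        candidates.append(route_map_to_master(Path("10.255.254.2", "Edge_VPN_Master")))
    return best_path(candidates)


def hub_choice(master_up: bool = True) -> Path:
    """172.16.1.0/24 as seen on HUB: the copy over the Slave session arrives
    carrying the AS the Edge prepended on the way out."""
    candidates = [route_map_to_slave(Path("10.255.255.1", "HUB_VPN_Slave"))]
    if master_up:
        candidates.append(Path("10.255.254.1", "HUB_VPN_Master"))
    return best_path(candidates)


if __name__ == "__main__":
    for up in (True, False):
        print(f"master_up={up}: Edge -> {edge_choice(up).via}, HUB -> {hub_choice(up).via}")
```

With the Master session up, both routers pick the Master tunnel; with it withdrawn (what BFD and DPD do on a failure), only the Slave candidate remains and both sides converge on it without any further configuration change.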
After configuring this, reset the BGP process (a soft reset is enough):
Edge # execute router clear  bgp  all soft
Edge #
Then look at the resulting BGP path selection:
Edge # get router info bgp network
BGP table version is 6, local router ID is 10.255.255.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop       Metric LocPrf Weight RouteTag Path
*>i10.1.1.0/24   10.255.254.2        0    200      0        0 i   // the copy from this neighbor carries LP 200 and is preferred
* i              10.255.255.2        0    100      0        0 i   // default LP 100, not preferred
*> 172.16.1.0/24 0.0.0.0                  100  32768        0 i

Total number of prefixes 2


Edge # get router info routing-table bgp

Routing table for VRF=0
B 10.1.1.0/24 [200/0] via 10.255.254.2, Edge_VPN_Master, 01:03:13


Edge # get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S* 0.0.0.0/0
[10/0] via 101.100.1.1, port2
[10/0] via 202.100.1.1, port1
B 10.1.1.0/24 [200/0] via 10.255.254.2, Edge_VPN_Master, 01:03:15
C 10.255.254.0/24 is directly connected, Edge_VPN_Master
C 10.255.254.1/32 is directly connected, Edge_VPN_Master
C 10.255.255.0/24 is directly connected, Edge_VPN_Slave
C 10.255.255.1/32 is directly connected, Edge_VPN_Slave
C 101.100.1.0/24 is directly connected, port2
C 172.16.1.0/24 is directly connected, port3
C 202.100.1.0/24 is directly connected, port1


Edge #

HUB # get router info bgp network
BGP table version is 6, local router ID is 10.255.255.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop       Metric LocPrf Weight Path
*> 10.1.1.0/24   0.0.0.0                  100  32768 i
*>i172.16.1.0/24 10.255.254.1        0    100      0 i        // shorter AS_PATH, so the route from the Master is preferred
* i              10.255.255.1        0    100      0 64511 i  // the copy over the Slave carries one extra AS in AS_PATH, so it is not preferred

Total number of prefixes 2


HUB # get router info routing-table bgp
B 172.16.1.0/24 [200/0] via 10.255.254.1, HUB_VPN_Master, 01:03:33


HUB # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S* 0.0.0.0/0
[10/0] via 192.168.1.1, port1
C 10.1.1.0/24 is directly connected, port3
C 10.255.254.0/24 is directly connected, HUB_VPN_Master
C 10.255.254.2/32 is directly connected, HUB_VPN_Master
C 10.255.255.0/24 is directly connected, HUB_VPN_Slave
C 10.255.255.2/32 is directly connected, HUB_VPN_Slave
B 172.16.1.0/24 [200/0] via 10.255.254.1, HUB_VPN_Master, 01:03:38
C 192.168.1.0/24 is directly connected, port1


HUB #
This gives the active/standby relationship between the BGP routes.
The last step is to configure BFD on the Edge so that BGP can fail over quickly (about 1 second):
config system settings
set bfd enable
end

config system interface
edit "Edge_VPN_Master"
set bfd enable
next
edit "Edge_VPN_Slave"
set bfd enable
next
end
config router bgp
config neighbor
edit "10.255.254.2"
set bfd enable
next
edit "10.255.255.2"
set bfd enable
next
end
end
BGP/BFD negotiation results:
Edge # get router info bgp summary
BGP router identifier 10.255.255.1, local AS number 64512
BGP table version is 6
2 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.255.254.2 4 64512 242 270 5 0 0 01:11:29 1
10.255.255.2 4 64512 853 868 1 0 0 01:22:01 1


Total number of neighbors 2


Edge # get router info bfd neighbor

OurAddress NeighAddress State Interface LDesc/RDesc
10.255.254.1 10.255.254.2 UP Edge_VPN_Master 9/9
10.255.255.1 10.255.255.2 UP Edge_VPN_Slave 5/5


Edge #
HUB # get router info bgp summary
BGP router identifier 10.255.255.2, local AS number 64512
BGP table version is 6
2 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.255.254.1 4 64512 273 297 5 0 0 01:11:35 1
10.255.255.1 4 64512 900 898 1 0 0 01:22:05 1


Total number of neighbors 2


HUB #
HUB # get router info bfd neighbor
OurAddress NeighAddress State Interface LDesc/RDesc
10.255.255.2 10.255.255.1 UP HUB_VPN_Slave 5/5
10.255.254.2 10.255.254.1 UP HUB_VPN_Master 9/9

HUB #
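Added example, not from the original page: a Python health check that parses the three FortiGate outputs used above (get router info bgp summary, get router info bfd neighbor, get router info routing-table bgp) and reports whether the site is in its intended state: both BGP sessions Established and receiving a prefix, both BFD sessions UP, and the remote LAN reached via the Master tunnel. The healthy samples are the Edge outputs printed above; the failure samples are constructed by me to represent the Master tunnel being down and are not output captured on this page. Function and constant names are mine; fetching the text from the firewall (over SSH, for instance) is left to the caller.

```python
import re
from typing import Dict, List, NamedTuple

# Parsed rows; the field names are mine.
BgpPeer = NamedTuple("BgpPeer", [("neighbor", str), ("remote_as", int),
                                 ("established", bool), ("prefixes", int)])
BfdPeer = NamedTuple("BfdPeer", [("local", str), ("remote", str),
                                 ("up", bool), ("interface", str)])
BgpRoute = NamedTuple("BgpRoute", [("prefix", str), ("next_hop", str),
                                   ("interface", str)])

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_ROUTE = re.compile(r"^B\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+([^,\s]+)")


def parse_bgp_summary(text: str) -> Dict[str, BgpPeer]:
    """Rows: '10.255.254.2 4 64512 242 270 5 0 0 01:11:29 1'. The last column
    (State/PfxRcd) is numeric only when Established; otherwise it is the FSM
    state such as Idle, Connect or Active."""
    peers: Dict[str, BgpPeer] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not _IPV4.match(f[0]) or f[1] != "4":
            continue  # header, blank or footer line
        est = f[-1].isdigit()
        peers[f[0]] = BgpPeer(f[0], int(f[2]), est, int(f[-1]) if est else 0)
    return peers


def parse_bfd_neighbors(text: str) -> Dict[str, BfdPeer]:
    """Rows: '10.255.254.1 10.255.254.2 UP Edge_VPN_Master 9/9', keyed by peer."""
    peers: Dict[str, BfdPeer] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and _IPV4.match(f[0]) and _IPV4.match(f[1]):
            peers[f[1]] = BfdPeer(f[0], f[1], f[2].upper() == "UP", f[3])
    return peers


def parse_bgp_rib(text: str) -> Dict[str, BgpRoute]:
    """Rows: 'B 10.1.1.0/24 [200/0] via 10.255.254.2, Edge_VPN_Master, 01:03:13'."""
    routes: Dict[str, BgpRoute] = {}
    for line in text.splitlines():
        m = _ROUTE.match(line.strip())
        if m:
            routes[m.group(1)] = BgpRoute(m.group(1), m.group(2), m.group(3))
    return routes


def check_site(bgp_summary: str, bfd_text: str, rib_text: str,
               remote_lan: str, master_iface: str) -> List[str]:
    """Return the problems found; [] means both tunnels are healthy and traffic
    to remote_lan is on the Master. A route that exists but leaves via another
    interface is reported as the failover state."""
    bgp, bfd, rib = (parse_bgp_summary(bgp_summary),
                     parse_bfd_neighbors(bfd_text), parse_bgp_rib(rib_text))
    problems: List[str] = []
    for nbr, p in bgp.items():
        if not p.established:
            problems.append(f"BGP neighbor {nbr} not Established")
        elif p.prefixes == 0:
            problems.append(f"BGP neighbor {nbr} Established but sent no prefixes")
        b = bfd.get(nbr)
        if b is None:
            problems.append(f"no BFD session towards BGP neighbor {nbr}")
        elif not b.up:
            problems.append(f"BFD to {nbr} on {b.interface} is DOWN")
    r = rib.get(remote_lan)
    if r is None:
        problems.append(f"no BGP route for {remote_lan}")
    elif r.interface != master_iface:
        problems.append(f"{remote_lan} is via {r.interface}, not {master_iface} (failover state)")
    return problems


# Healthy samples: the Edge outputs shown on this page.
EDGE_BGP_OK = """Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.255.254.2 4 64512 242 270 5 0 0 01:11:29 1
10.255.255.2 4 64512 853 868 1 0 0 01:22:01 1
"""
EDGE_BFD_OK = """OurAddress NeighAddress State Interface LDesc/RDesc
10.255.254.1 10.255.254.2 UP Edge_VPN_Master 9/9
10.255.255.1 10.255.255.2 UP Edge_VPN_Slave 5/5
"""
EDGE_RIB_OK = "B 10.1.1.0/24 [200/0] via 10.255.254.2, Edge_VPN_Master, 01:03:13\n"

# Constructed failure samples (not captured on the page): Master tunnel down,
# its BGP session torn down by BFD, route now via the Slave tunnel.
EDGE_BGP_FAIL = """Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.255.254.2 4 64512 242 270 0 0 0 00:00:04 Active
10.255.255.2 4 64512 853 868 6 0 0 01:22:01 1
"""
EDGE_BFD_FAIL = """OurAddress NeighAddress State Interface LDesc/RDesc
10.255.254.1 10.255.254.2 DOWN Edge_VPN_Master 9/9
10.255.255.1 10.255.255.2 UP Edge_VPN_Slave 5/5
"""
EDGE_RIB_FAIL = "B 10.1.1.0/24 [200/0] via 10.255.255.2, Edge_VPN_Slave, 00:00:03\n"

if __name__ == "__main__":
    for label, args in (("normal", (EDGE_BGP_OK, EDGE_BFD_OK, EDGE_RIB_OK)),
                        ("master down", (EDGE_BGP_FAIL, EDGE_BFD_FAIL, EDGE_RIB_FAIL))):
        print(label, check_site(*args, "10.1.1.0/24", "Edge_VPN_Master") or ["OK"])
```

The check is deliberately keyed on the BGP neighbor address so that a BFD session missing for a configured neighbor is reported as a problem in its own right: a session that is up only by its BGP hold timer has lost the sub-second detection this design depends on.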
Roughly what the Edge CLI shows:
Edge # config system settings 

Edge (settings) # show
config system settings
set inspection-mode flow
set bfd enable
end

Edge (settings) # end

Edge # config system interface

Edge (interface) # edit Edge_VPN_Master

Edge (Edge_VPN_Master) # show
config system interface
edit "Edge_VPN_Master"
set vdom "root"
set ip 10.255.254.1 255.255.255.255
set allowaccess ping
set bfd enable
set type tunnel
set remote-ip 10.255.254.2 255.255.255.0
set snmp-index 6
set interface "port1"
next
end

Edge (Edge_VPN_Master) # next

Edge (interface) # edit Edge_VPN_Slave

Edge (Edge_VPN_Slave) # show
config system interface
edit "Edge_VPN_Slave"
set vdom "root"
set ip 10.255.255.1 255.255.255.255
set allowaccess ping
set bfd enable
set type tunnel
set remote-ip 10.255.255.2 255.255.255.0
set snmp-index 7
set interface "port2"
next
end

Edge (Edge_VPN_Slave) # end

Edge # config router bgp

Edge (bgp) # show
config router bgp
set as 64512
set router-id 10.255.255.1
set keepalive-timer 3
set holdtime-timer 9
config neighbor
edit "10.255.254.2"
set bfd enable
set remote-as 64512
set route-map-in "To_Master"
next
edit "10.255.255.2"
set bfd enable
set remote-as 64512
set route-map-out "To_Slave"
next
end
config network
edit 1
set prefix 172.16.1.0 255.255.255.0
next
end
config redistribute "connected"
end
config redistribute "rip"
end
config redistribute "ospf"
end
config redistribute "static"
end
config redistribute "isis"
end
config redistribute6 "connected"
end
config redistribute6 "rip"
end
config redistribute6 "ospf"
end
config redistribute6 "static"
end
config redistribute6 "isis"
end
end

Edge (bgp) # end

Edge #
Edge # config router route-map

Edge (route-map) # show
config router route-map
edit "To_Slave"
config rule
edit 1
set set-aspath "64511"
next
end
next
edit "To_Master"
config rule
edit 1
set set-local-preference 200
next
end
next
end

Edge (route-map) # end

Edge #
The Edge-side configuration is also complete.

Verification:


  

Above is the normal state: traffic flows over VPN_Master.

Below is how the business traffic switches over when the primary link fails. With BFD enabled, a few consecutive missed BFD packets are enough to tear the session down (the configuration above leaves the FortiOS BFD defaults of a 250 ms transmit/receive interval and a detect multiplier of 3), so failover no longer waits for the 9-second BGP hold timer or for DPD:

At this point:


The BGP neighbor over the primary VPN goes DOWN and all traffic moves to the backup VPN; because BFD is enabled, the switchover completes in about one second.

When the primary VPN is restored, the primary BGP neighbor and the routes over the primary VPN come back in roughly 10 to 20 seconds, with no packet loss during the recovery.



Testing complete; the active/standby requirement is met.