SLA
Service-level agreement (SLA)
An SLA is an agreement between a service provider and its customer that guarantees measurable network performance at a defined level of service quality. SD-WAN path selection is judged against this SLA standard: the SD-WAN rule keeps traffic on a link that satisfies the SLA, so that the SLA required by the business or the customer is met.

SLA-Target
SD-WAN lets you define SLA targets (SLA-Targets) that set the minimum acceptable latency, jitter and packet loss. As soon as a link exceeds the limits set by the SLA target, traffic is switched to another link immediately, so that service keeps being delivered at the SLA-Target quality level.

An SLA target has three kinds of thresholds:
"Latency (ms)"
"Jitter (ms)"
"Packet Loss (%)"



FGT100E_Master # config system virtual-wan-link
FGT100E_Master (virtual-wan-link) # config health-check
FGT100E_Master (health-check) # edit 114_Check
FGT100E_Master (114_Check) # show
config health-check
    edit "114_Check"
        set server "114.114.114.114" "114.114.119.119"
        set sla-fail-log-period 300
        set sla-pass-log-period 120
        set members 3 1 2 4
        config sla
            edit 1                                  // SLA target 1
                set latency-threshold 200
                set packetloss-threshold 2
            next
            edit 2                                  // SLA target 2
                set latency-threshold 250
                set jitter-threshold 10
                set packetloss-threshold 5
            next
            edit 3                                  // SLA target 3
                set latency-threshold 300
                set jitter-threshold 15
                set packetloss-threshold 8
            next
        end
    next
end
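To make the relationship between the thresholds above and the sla_map value printed by "diagnose sys virtual-wan-link health-check" concrete, here is an added example (not part of the original page and not FortiGate code): it parses constructed health-check output lines, re-evaluates each member against the three SLA entries of 114_Check, and compares the result with the sla_map the device reported. The bit layout (bit id-1 set when SLA id is met) and the inclusive comparison against thresholds are assumptions chosen to match the outputs shown on this page.

```python
import re

# Constructed sample, modelled on the output format of
# "diagnose sys virtual-wan-link health-check"; the numbers are made up.
SAMPLE_OUTPUT = """\
Health Check(114_Check):
Seq(3): state(alive), packet-loss(0.000%) latency(96.602), jitter(0.654) sla_map=0x7
Seq(1): state(alive), packet-loss(3.000%) latency(187.502), jitter(12.000) sla_map=0x4
Seq(2): state(dead), packet-loss(100.000%) latency(0.000), jitter(0.000) sla_map=0x0
"""

# The three SLA entries of health check 114_Check as configured on the page
# (config sla / edit 1..3). A missing key means that metric is not checked.
SLA_TARGETS = {
    1: {"latency": 200, "packetloss": 2},
    2: {"latency": 250, "jitter": 10, "packetloss": 5},
    3: {"latency": 300, "jitter": 15, "packetloss": 8},
}

LINE_RE = re.compile(
    r"Seq\((?P<seq>\d+)\): state\((?P<state>\w+)\), "
    r"packet-loss\((?P<packetloss>[\d.]+)%\) "
    r"latency\((?P<latency>[\d.]+)\), jitter\((?P<jitter>[\d.]+)\) "
    r"sla_map=0x(?P<sla_map>[0-9a-fA-F]+)"
)


def parse_health_check(text):
    """Return one dict per member line: seq, state, metrics and the reported sla_map."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # header line or unrelated text
        rows.append({
            "seq": int(m["seq"]),
            "state": m["state"],
            "latency": float(m["latency"]),
            "jitter": float(m["jitter"]),
            "packetloss": float(m["packetloss"]),
            "sla_map": int(m["sla_map"], 16),
        })
    return rows


def meets_target(row, target):
    """A target is met when the member is alive and every configured metric is
    at or below its threshold (assumption: thresholds are inclusive)."""
    if row["state"] != "alive":
        return False
    return all(row[metric] <= limit for metric, limit in target.items())


def compute_sla_map(row, targets=SLA_TARGETS):
    """Bitmask of satisfied SLA ids: bit (id-1) is set when target id is met
    (assumed layout, consistent with sla_map=0x1 meaning SLA 1 is met)."""
    mask = 0
    for sla_id, target in targets.items():
        if meets_target(row, target):
            mask |= 1 << (sla_id - 1)
    return mask


def verify_output(text, targets=SLA_TARGETS):
    """Map seq -> (reported sla_map, recomputed sla_map) so that a mismatch between
    the thresholds you think are configured and what the device reports stands out."""
    return {r["seq"]: (r["sla_map"], compute_sla_map(r, targets))
            for r in parse_health_check(text)}


if __name__ == "__main__":
    for seq, (reported, computed) in sorted(verify_output(SAMPLE_OUTPUT).items()):
        flag = "ok" if reported == computed else "MISMATCH"
        print(f"Seq({seq}): reported=0x{reported:x} computed=0x{computed:x} {flag}")
```

In the constructed sample, member 1 fails SLA 1 on packet loss and SLA 2 on jitter but still meets the looser SLA 3, so only bit 2 is set (0x4); the dead member meets nothing regardless of its numbers.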

Both Lowest Cost (SLA) and Maximize Bandwidth (SLA) reference an SLA target, and path selection is judged against that target:

Lowest Cost (SLA) 

Lowest Cost (SLA) selection principles:

* Only egress interfaces that meet the SLA target are candidates; an interface that falls below the SLA target is removed from the candidate list.
* If several interfaces meet the SLA target, the one that appears earliest in the interface order configured in the SD-WAN rule forwards the SD-WAN traffic.
* Only one egress interface is preferred at a time for forwarding SD-WAN traffic.

Lowest Cost (SLA) works entirely on SLA targets. First define the SLA target criteria in the SD-WAN health check, then reference that SLA target in the SD-WAN rule. Only egress interfaces that meet the referenced SLA target are considered by the rule for forwarding; among them, the interface that appears earliest in the configured order is chosen, and that single interface forwards the data.


Maximize Bandwidth (SLA)

Maximize Bandwidth (SLA) selection principles:

* Only egress interfaces that meet the SLA target are candidates; an interface that falls below the SLA target is removed from the candidate list.
* If several interfaces meet the SLA target, SD-WAN traffic is load-balanced across them per session, so as to make maximum use of the available bandwidth.
* SD-WAN data traffic is load-balanced per session.

Maximize Bandwidth (SLA) also works entirely on SLA targets. First define the SLA target criteria in the SD-WAN health check, then reference that SLA target in the SD-WAN rule. Only egress interfaces that meet the referenced SLA target are considered by the rule for forwarding; every interface that meets the target is used, and traffic is load-balanced across those interfaces per session.

Example configuration of an SD-WAN Lowest Cost (SLA) rule (GUI screenshots of the following steps are not reproduced here; the CLI equivalent follows):
SD-WAN member interfaces:
SD-WAN route:
Health check:
SD-WAN rule:
Policy:
CLI:
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 202.100.1.192
            set cost 0
        next
        edit 2
            set interface "wan2"
            set gateway 101.100.1.192
            set cost 0
        next
        edit 3
            set interface "port13"
            set gateway 111.100.1.192
            set cost 0
        next
        edit 4
            set interface "PPPOE1_DR_PENG"
            set cost 0
        next
    end
    config health-check
        edit "Aliyun"
            set server "cn.aliyun.com"
            set members 3 1 2
            config sla
                edit 1
                    set link-cost-factor latency packet-loss
                    set latency-threshold 120
                    set packetloss-threshold 2
                next
            end
        next
    end
    config service
        edit 5
            set name "TO_Aliyun"
            set mode sla
            set src "LAN_Network_192.168.10.0"
            set internet-service enable
            set internet-service-id 6881402 6881283 6881288 6881286 6881281  
            config sla
                edit "Aliyun"
                    set id 1
                next
            end
            set priority-members 1 2 3    // every member has the default cost 0, so the interfaces are chosen in order: wan1, wan2, port13
        next
    end
end
config router static
    edit 1
        set distance 1
        set virtual-wan-link enable
    next
end

config firewall policy
    edit 1
        set name "TO_Internet"
        set srcintf "port1"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set logtraffic all
        set fsso disable
        set tcp-mss-sender 1000
        set tcp-mss-receiver 1000
        set nat enable
    next
end     

Checking with diagnostics:
FGT100E_Master # diagnose sys virtual-wan-link member
Member(1): interface: wan1, gateway: 202.100.1.192, priority: 0, weight: 0
Member(2): interface: wan2, gateway: 101.100.1.192, priority: 0, weight: 0
Member(3): interface: port13, gateway: 111.100.1.192, priority: 0, weight: 0
Member(4): interface: PPPOE1_DR_PENG, gateway: 114.100.1.196, priority: 0, weight: 0

FGT100E_Master # diagnose sys virtual-wan-link health-check
Health Check(Aliyun):
Seq(3): state(alive), packet-loss(0.000%) latency(96.602), jitter(0.654) sla_map=0x1
Seq(1): state(alive), packet-loss(0.000%) latency(86.479), jitter(0.659) sla_map=0x1
Seq(2): state(alive), packet-loss(0.000%) latency(91.458), jitter(0.647) sla_map=0x1

FGT100E_Master # diagnose sys virtual-wan-link service
Service(5): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
  Service role: standalone
  Member sub interface:
  Members:
    1: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(0), selected
    2: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(0), selected
    3: Seq_num(3), alive, sla(0x1), cfg_order(2), cost(0), selected
  Internet Service: Alibaba-Alibaba.Cloud(6881402) Alibaba-DNS(6881283) Alibaba-NTP(6881288) Alibaba-SSH(6881286) Alibaba-Web(6881281)
  Src address:
        192.168.10.0-192.168.10.255

FGT100E_Master # diag firewall proute list
list route policy info(vf=root):

id=2136080389 vwl_service=5(TO_Aliyun) vwl_mbr_seq=1 2 3 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=7 oif=8 oif=23
source(1): 192.168.10.0-192.168.10.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(5): Alibaba-Alibaba.Cloud(6881402) Alibaba-DNS(6881283) Alibaba-NTP(6881288) Alibaba-SSH(6881286) Alibaba-Web(6881281)

FGT100E_Master # diagnose ip address list     
IP=10.10.10.1->10.10.10.1/255.255.255.0 index=5 devname=dmz
IP=192.168.91.13->192.168.91.13/255.255.255.0 index=6 devname=mgmt
IP=202.100.1.10->202.100.1.10/255.255.255.0 index=7 devname=wan1
IP=101.100.1.10->101.100.1.10/255.255.255.0 index=8 devname=wan2
IP=192.168.10.1->192.168.10.1/255.255.255.0 index=11 devname=port1
IP=111.100.1.10->111.100.1.10/255.255.255.0 index=23 devname=port13
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=30 devname=root
IP=169.254.1.1->169.254.1.1/255.255.255.0 index=33 devname=fortilink
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=34 devname=vsys_ha
IP=169.254.0.1->169.254.0.1/255.255.255.192 index=35 devname=port_ha
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=36 devname=vsys_fgfm
IP=169.254.0.65->169.254.0.65/255.255.255.192 index=37 devname=havdlink0
IP=169.254.0.66->169.254.0.66/255.255.255.192 index=38 devname=havdlink1
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=39 devname=vsys_hamgmt
IP=114.100.1.203->114.100.1.196/255.255.255.255 index=47 devname=PPPOE1_DR_PENG

FGT100E_Master # get router info routing-table  all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [1/0] via 101.100.1.192, wan2
                  [1/0] via 111.100.1.192, port13
                  [1/0] via 114.100.1.196, PPPOE1_DR_PENG
                  [1/0] via 202.100.1.192, wan1
C       101.100.1.0/24 is directly connected, wan2
C       111.100.1.0/24 is directly connected, port13
C       114.100.1.196/32 is directly connected, PPPOE1_DR_PENG
C       114.100.1.203/32 is directly connected, PPPOE1_DR_PENG
C       192.168.10.0/24 is directly connected, port1
C       202.100.1.0/24 is directly connected, wan1

Test result:

Push the latency on WAN1 above the SLA target:


FGT100E_Master # diagnose sys virtual-wan-link health-check Aliyun
Health Check(Aliyun):
Seq(3): state(alive), packet-loss(0.000%) latency(97.599), jitter(0.681) sla_map=0x1
Seq(1): state(alive), packet-loss(0.000%) latency(187.502), jitter(0.570) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(92.450), jitter(0.680) sla_map=0x1

FGT100E_Master # diagnose sys virtual-wan-link service 5

Service(5): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
  Service role: standalone
  Member sub interface:
  Members:
    1: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(0), selected    // wan2: now preferred for forwarding
    2: Seq_num(3), alive, sla(0x1), cfg_order(2), cost(0), selected   // port13
    3: Seq_num(1), alive, sla(0x0), cfg_order(0), cost(0), selected // wan1 (fails the SLA, so it has been moved to the end of the order)
  Internet Service: Alibaba-Alibaba.Cloud(6881402) Alibaba-DNS(6881283) Alibaba-NTP(6881288) Alibaba-SSH(6881286) Alibaba-Web(6881281)
  Src address:
        192.168.10.0-192.168.10.255

FGT100E_Master # diagnose firewall proute list
list route policy info(vf=root):

id=2136080389 vwl_service=5(TO_Aliyun) vwl_mbr_seq=2 3 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=8 oif=23 oif=7   // WAN1 no longer meets the SLA target, so WAN2, which meets it and comes earliest in the order, is chosen for forwarding
source(1): 192.168.10.0-192.168.10.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(5): Alibaba-Alibaba.Cloud(6881402) Alibaba-DNS(6881283) Alibaba-NTP(6881288) Alibaba-SSH(6881286) Alibaba-Web(6881281) 

Traffic has switched to wan2.

If the SD-WAN rule must take effect immediately after the switch, the existing sessions and the route cache have to be cleared so that the old sessions are re-evaluated; newly created sessions do not need this. The commands:

FGT100E_Master # diagnose sys session filter  src 192.168.10.100
FGT100E_Master # diagnose sys session clear   // clear the test host's sessions so they re-match the new SD-WAN rule (there was also a Skype IP database update)
FGT100E_Master # diagnose ip rtcache flush  // flush the route cache

Cost of SD-WAN member interfaces:
The cost assigned to an SD-WAN member interface affects the selection order of Lowest Cost (SLA): the lower the cost, the higher the priority. This overrides the configured interface order and gives you a user-defined SD-WAN interface priority.

For example, define:
WAN1 Cost 222
WAN2 Cost 111
Port13 Cost 333

Now Lowest Cost (SLA) prefers WAN2, which has the lowest cost, and ignores the configured interface order; the cost values are compared first.

FGT100E_Master # diagnose sys virtual-wan-link  health-check Aliyun
Health Check(Aliyun):
Seq(3): state(alive), packet-loss(0.000%) latency(89.289), jitter(0.840) sla_map=0x1
Seq(1): state(alive), packet-loss(0.000%) latency(89.331), jitter(0.786) sla_map=0x1
Seq(2): state(alive), packet-loss(0.000%) latency(89.309), jitter(0.783) sla_map=0x1

FGT100E_Master # diagnose sys virtual-wan-link service  5
Service(5): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
  Service role: standalone
  Member sub interface:
  Members:
    1: Seq_num(2), alive, sla(0x1), cfg_order(1), cost(111), selected   // WAN2, with the lowest cost, is preferred
    2: Seq_num(1), alive, sla(0x1), cfg_order(0), cost(222), selected
    3: Seq_num(3), alive, sla(0x1), cfg_order(2), cost(333), selected
  Internet Service: Alibaba-Alibaba.Cloud(6881402) Alibaba-DNS(6881283) Alibaba-NTP(6881288) Alibaba-SSH(6881286) Alibaba-Web(6881281)
  Src address:
        192.168.10.0-192.168.10.255

FGT100E_Master # diagnose firewall proute list
list route policy info(vf=root):

id=2136473605 vwl_service=5(TO_Aliyun) vwl_mbr_seq=2 1 3 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=8 oif=7 oif=23 // WAN2 with the lowest cost is preferred
source(1): 192.168.10.0-192.168.10.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(5): Alibaba-Alibaba.Cloud(6881402) Alibaba-DNS(6881283) Alibaba-NTP(6881288) Alibaba-SSH(6881286) Alibaba-Web(6881281) 

One last question: if WAN1, WAN2 and Port13 all fail to meet the SLA target, how does the SD-WAN rule choose an egress interface?

The answer: if none of the three meets the SLA target, the egress interface is chosen according to the interface order configured in the SD-WAN rule, that is WAN1, WAN2, Port13, so WAN1 forwards the data. In this case the configured order takes priority.
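The Lowest Cost (SLA) behaviour described so far (SLA filter first, then member cost, then configured order, with configured order alone deciding when every member fails) can be reproduced in a few lines. The following is an added example, not code from the page or from FortiGate; the Member fields mirror the columns of "diagnose sys virtual-wan-link service", and the relative order of several failing members when some others still pass is an assumption (the page only shows one failing member, placed last).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    seq: int         # SD-WAN member sequence number ("config members / edit N")
    interface: str
    cfg_order: int   # position in "set priority-members", 0-based as in the diagnose output
    cost: int        # "set cost" of the member
    sla_ok: bool     # whether the SLA target referenced by the rule is met


def lowest_cost_sla_order(members):
    """Order in which a Lowest Cost (SLA) rule prefers its members.

    Members meeting the SLA come first, lower cost before higher cost, then
    configured order; members failing the SLA follow in configured order
    (assumption for the case of several failing members). If no member meets
    the SLA, the configured order alone decides, as in the page's last test.
    """
    passing = sorted((m for m in members if m.sla_ok), key=lambda m: (m.cost, m.cfg_order))
    failing = sorted((m for m in members if not m.sla_ok), key=lambda m: m.cfg_order)
    return passing + failing


def selected_egress(members):
    """Only one interface forwards traffic under Lowest Cost (SLA): the first in order."""
    return lowest_cost_sla_order(members)[0].interface


def vwl_mbr_seq(members):
    """The member order as printed in 'vwl_mbr_seq=' of diagnose firewall proute list."""
    return [m.seq for m in lowest_cost_sla_order(members)]


def scenario(sla_ok, cost=(0, 0, 0)):
    """Build the page's three members wan1/wan2/port13 (priority-members 1 2 3)
    with the given per-member SLA results and costs (constructed input)."""
    names = ("wan1", "wan2", "port13")
    return [Member(seq=i + 1, interface=names[i], cfg_order=i, cost=cost[i], sla_ok=sla_ok[i])
            for i in range(3)]


if __name__ == "__main__":
    cases = {
        "all pass, cost 0": scenario((True, True, True)),
        "wan1 fails": scenario((False, True, True)),
        "cost 222/111/333": scenario((True, True, True), cost=(222, 111, 333)),
        "all fail, cost 0": scenario((False, False, False)),
    }
    for label, members in cases.items():
        print(f"{label:20s} vwl_mbr_seq={vwl_mbr_seq(members)} -> {selected_egress(members)}")
```

The four cases reproduce the four vwl_mbr_seq orders shown in the diagnose output on this page: 1 2 3 when everything passes, 2 3 1 when WAN1 fails, 2 1 3 with costs 222/111/333, and back to 1 2 3 when all three fail.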


FGT100E_Master # diagnose sys virtual-wan-link health-check Aliyun
Health Check(Aliyun):
Seq(3): state(alive), packet-loss(0.000%) latency(156.008), jitter(0.756) sla_map=0x0
Seq(1): state(alive), packet-loss(0.000%) latency(186.951), jitter(0.780) sla_map=0x0
Seq(2): state(alive), packet-loss(0.000%) latency(176.968), jitter(0.721) sla_map=0x0

FGT100E_Master # diagnose sys virtual-wan-link  service 5
Service(5): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla)
  Service role: standalone
  Member sub interface:
  Members:
    1: Seq_num(1), alive, sla(0x0), cfg_order(0), cost(0), selected    // when no member meets the SLA, the egress interface is chosen by configured interface order
    2: Seq_num(2), alive, sla(0x0), cfg_order(1), cost(0), selected
    3: Seq_num(3), alive, sla(0x0), cfg_order(2), cost(0), selected
  Internet Service: Alibaba-Alibaba.Cloud(6881402) Alibaba-DNS(6881283) Alibaba-NTP(6881288) Alibaba-SSH(6881286) Alibaba-Web(6881281)
  Src address:
        192.168.10.0-192.168.10.255

FGT100E_Master # diagnose firewall proute list
list route policy info(vf=root):
id=2136080389 vwl_service=5(TO_Aliyun) vwl_mbr_seq=1 2 3 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=7 oif=8 oif=23  // when no member meets the SLA, the egress interface is chosen by configured interface order
source(1): 192.168.10.0-192.168.10.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(5): Alibaba-Alibaba.Cloud(6881402) Alibaba-DNS(6881283) Alibaba-NTP(6881288) Alibaba-SSH(6881286) Alibaba-Web(6881281) 

A supplementary setting for the case above: when every member fails, it is as if there were no SLA target at all, which is clearly not ideal and leaves room for optimisation. This is where another parameter comes in: set sla-compare-method number. An SD-WAN rule can reference several SLA targets, and this setting changes how they are compared.
FGT100E_Master # config system virtual-wan-link
FGT100E_Master (virtual-wan-link) # config service
FGT100E_Master (service) # edit 5
FGT100E_Master (5) # show full-configuration
config service
    edit 5
        set name "TO_Aliyun"
        set addr-mode ipv4
        set input-device-negate disable
        set mode sla
        set role standalone
        set standalone-action disable
        set tos 0x00
        set tos-mask 0x00
        set src "LAN_Network_192.168.10.0"
        set src-negate disable
        set internet-service enable
        set internet-service-id 6881402 6881283 6881288 6881286 6881281
        set hold-down-time 0
        set dscp-forward disable
        set dscp-reverse disable
        config sla
            edit "Aliyun"
                set id 1
            next
            edit "114_Check"
                set id 1
            next
            edit "Default_AWS"
                set id 1
            next
            edit "Default_Office_365"
                set id 1
            next
        end
        set priority-members 1 2 3
        set status enable
        set gateway disable
        set default disable
        set sla-compare-method order    // default; with this setting several SLA targets are combined with AND logic: if any one of them is not met the interface is dropped from the rule's selection, and if all SLA targets fail the egress interface is chosen by configured interface order
    next
end
FGT100E_Master (5) # set sla-compare-method 
order     Compare SLA value based on the order of health-check.
number    Compare SLA value based on the number of satisfied health-check.  Limits health-checks to only configured member interfaces.
FGT100E_Master (5) # set sla-compare-method  number  // this value supplements the all-failed case: when every member fails, the interface with the fewest failed SLA targets forwards the SD-WAN traffic; for example, if WAN1 fails 2, WAN2 fails 3 and Port13 fails 1, Port13 is chosen
FGT100E_Master (5) # end


We configure SLA targets against several servers and reference all of them in the SD-WAN rule. Then, even when every member fails, the interface that satisfies the most SLA targets can be chosen as the rule's egress interface: the best choice among the failures.
Of course, the health checks must use different destination IPs with separate SLA entries, and the SD-WAN rule must reference the SLA targets of different servers, for this finer comparison to be possible.
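The difference between the two sla-compare-method values, as an added example (not code from the page or from FortiGate): the rule references the four health checks shown in the full configuration above, and the constructed pass/fail table is built so that WAN1 fails 2 of them, WAN2 fails 3 and Port13 fails 1, the case described in the CLI comment. Tie-breaking by configured order under the number method is an assumption.

```python
# Constructed SLA results: for each health check referenced by the SD-WAN rule
# ("config sla" in service 5), whether each member meets that check's SLA target.
# Built so that wan1 fails 2 checks, wan2 fails 3 and port13 fails 1.
SLA_RESULTS = {
    "Aliyun":             {"wan1": False, "wan2": False, "port13": True},
    "114_Check":          {"wan1": True,  "wan2": False, "port13": True},
    "Default_AWS":        {"wan1": False, "wan2": False, "port13": False},
    "Default_Office_365": {"wan1": True,  "wan2": True,  "port13": True},
}

PRIORITY_MEMBERS = ["wan1", "wan2", "port13"]   # set priority-members 1 2 3


def pass_count(results, member):
    """Number of referenced SLA targets the member satisfies."""
    return sum(1 for check in results.values() if check[member])


def order_method(results, priority):
    """sla-compare-method order: a member is eligible only if it meets every
    referenced SLA target (AND logic); eligible members keep configured order,
    and if none is eligible the configured order alone decides."""
    eligible = [m for m in priority if all(check[m] for check in results.values())]
    return eligible or list(priority)


def number_method(results, priority):
    """sla-compare-method number: rank members by how many referenced SLA
    targets they meet, most first; ties keep configured order (assumed)."""
    return sorted(priority, key=lambda m: (-pass_count(results, m), priority.index(m)))


if __name__ == "__main__":
    for m in PRIORITY_MEMBERS:
        print(f"{m:7s} passes {pass_count(SLA_RESULTS, m)} of {len(SLA_RESULTS)} SLA targets")
    print("order  ->", order_method(SLA_RESULTS, PRIORITY_MEMBERS))
    print("number ->", number_method(SLA_RESULTS, PRIORITY_MEMBERS))
```

With the order method no member survives the AND logic, so the rule falls back to wan1, wan2, port13; with the number method port13 (3 passes) comes first, then wan1 (2) and wan2 (1).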

Example configuration of an SD-WAN Maximize Bandwidth (SLA) rule (GUI screenshots of the following steps are not reproduced here; the CLI equivalent follows):
SD-WAN member interfaces:
SD-WAN route:
Health check:
SD-WAN rule:
Policy:
CLI:
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 202.100.1.192
        next
        edit 2
            set interface "wan2"
            set gateway 101.100.1.192
        next
        edit 3
            set interface "port13"
            set gateway 111.100.1.192
        next
        edit 4
            set interface "PPPOE1_DR_PENG"
        next
    end
    config health-check
        edit "Aliyun"
            set server "cn.aliyun.com"
            set members 3 1 2
            config sla
                edit 1
                    set link-cost-factor latency packet-loss
                    set latency-threshold 120
                    set packetloss-threshold 2
                next
            end
        next
    end
    config service
        edit 5
            set name "TO_Aliyun"
            set mode load-balance
            set src "LAN_Network_192.168.10.0"
            set internet-service enable
            set internet-service-id 6881402 6881283 6881288 6881286 6881281 
            config sla
                edit "Aliyun"
                    set id 1
                next
            end
            set priority-members 1 2 3    // interfaces used for load balancing: wan1, wan2, port13
        next
    end
end
config router static
    edit 1
        set distance 1
        set virtual-wan-link enable
    next
end

config firewall policy
    edit 1
        set name "TO_Internet"
        set srcintf "port1"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set logtraffic all
        set fsso disable
        set tcp-mss-sender 1000
        set tcp-mss-receiver 1000
        set nat enable
    next
end    

Checking with diagnostics:
FGT100E_Master # diagnose sys virtual-wan-link member
Member(1): interface: wan1, gateway: 202.100.1.192, priority: 0, weight: 0
Member(2): interface: wan2, gateway: 101.100.1.192, priority: 0, weight: 0
Member(3): interface: port13, gateway: 111.100.1.192, priority: 0, weight: 0
Member(4): interface: PPPOE1_DR_PENG, gateway: 114.100.1.196, priority: 0, weight: 0

FGT100E_Master # diagnose sys virtual-wan-link health-check
Health Check(Aliyun):
Seq(3): state(alive), packet-loss(0.000%) latency(87.120), jitter(0.893) sla_map=0x1
Seq(1): state(alive), packet-loss(0.000%) latency(87.046), jitter(0.926) sla_map=0x1
Seq(2): state(alive), packet-loss(1.000%) latency(87.072), jitter(0.996) sla_map=0x1

FGT100E_Master # diagnose sys virtual-wan-link service 5
Service(5): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(load-balance)
  Service role: standalone
  Member sub interface:
  Members:
    1: Seq_num(1), alive, sla(0x1), num of pass(1), selected
    2: Seq_num(2), alive, sla(0x1), num of pass(1), selected
    3: Seq_num(3), alive, sla(0x1), num of pass(1), selected
  Internet Service: Alibaba-Alibaba.Cloud(6881402) Alibaba-DNS(6881283) Alibaba-NTP(6881288) Alibaba-SSH(6881286) Alibaba-Web(6881281)
  Src address:
        192.168.10.0-192.168.10.255

FGT100E_Master # diagnose firewall proute list
list route policy info(vf=root):

id=2136276997 vwl_service=5(TO_Aliyun) vwl_mbr_seq=1 2 3 dscp_tag=0xff 0xff flags=0x10 load-balance tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=7 num_pass=1 oif=8 num_pass=1 oif=23 num_pass=1 // every interface that meets the SLA target takes part in session-based load balancing
source(1): 192.168.10.0-192.168.10.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(5): Alibaba-Alibaba.Cloud(6881402) Alibaba-DNS(6881283) Alibaba-NTP(6881288) Alibaba-SSH(6881286) Alibaba-Web(6881281) 

FGT100E_Master # diagnose ip address list    
IP=10.10.10.1->10.10.10.1/255.255.255.0 index=5 devname=dmz
IP=192.168.91.13->192.168.91.13/255.255.255.0 index=6 devname=mgmt
IP=202.100.1.10->202.100.1.10/255.255.255.0 index=7 devname=wan1
IP=101.100.1.10->101.100.1.10/255.255.255.0 index=8 devname=wan2
IP=192.168.10.1->192.168.10.1/255.255.255.0 index=11 devname=port1
IP=111.100.1.10->111.100.1.10/255.255.255.0 index=23 devname=port13
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=30 devname=root
IP=169.254.1.1->169.254.1.1/255.255.255.0 index=33 devname=fortilink
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=34 devname=vsys_ha
IP=169.254.0.1->169.254.0.1/255.255.255.192 index=35 devname=port_ha
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=36 devname=vsys_fgfm
IP=169.254.0.65->169.254.0.65/255.255.255.192 index=37 devname=havdlink0
IP=169.254.0.66->169.254.0.66/255.255.255.192 index=38 devname=havdlink1
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=39 devname=vsys_hamgmt
IP=114.100.1.203->114.100.1.196/255.255.255.255 index=47 devname=PPPOE1_DR_PENG

FGT100E_Master # get router info routing-table  all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [1/0] via 101.100.1.192, wan2
                  [1/0] via 111.100.1.192, port13
                  [1/0] via 114.100.1.196, PPPOE1_DR_PENG
                  [1/0] via 202.100.1.192, wan1
C       101.100.1.0/24 is directly connected, wan2
C       111.100.1.0/24 is directly connected, port13
C       114.100.1.196/32 is directly connected, PPPOE1_DR_PENG
C       114.100.1.203/32 is directly connected, PPPOE1_DR_PENG
C       192.168.10.0/24 is directly connected, port1
C       202.100.1.0/24 is directly connected, wan1

Test result:

Traffic is load-balanced per session.

Push the latency on WAN1 above the SLA target:

FGT100E_Master # diagnose sys virtual-wan-link health-check Aliyun
Health Check(Aliyun):
Seq(3): state(alive), packet-loss(0.000%) latency(86.504), jitter(0.628) sla_map=0x1
Seq(1): state(alive), packet-loss(0.000%) latency(187.104), jitter(0.804) sla_map=0x0  // exceeds the SLA target
Seq(2): state(alive), packet-loss(0.000%) latency(84.932), jitter(0.783) sla_map=0x1

FGT100E_Master # diagnose sys virtual-wan-link service 5
Service(5): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(load-balance)
  Service role: standalone
  Member sub interface:
  Members:
    1: Seq_num(2), alive, sla(0x1), num of pass(1), selected
    2: Seq_num(3), alive, sla(0x1), num of pass(1), selected
    3: Seq_num(1), alive, sla(0x0), num of pass(0), selected   // does not meet the SLA target: removed from the interface list, sla bit cleared to 0x0
  Internet Service: Alibaba-Alibaba.Cloud(6881402) Alibaba-DNS(6881283) Alibaba-NTP(6881288) Alibaba-SSH(6881286) Alibaba-Web(6881281)
  Src address:
        192.168.10.0-192.168.10.255


FGT100E_Master # diagnose firewall proute list
list route policy info(vf=root):

id=2136276997 vwl_service=5(TO_Aliyun) vwl_mbr_seq=2 3 1 dscp_tag=0xff 0xff flags=0x10 load-balance tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=8 num_pass=1 oif=23 num_pass=1 oif=7 num_pass=0 // WAN1 is not used for forwarding
source(1): 192.168.10.0-192.168.10.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(5): Alibaba-Alibaba.Cloud(6881402) Alibaba-DNS(6881283) Alibaba-NTP(6881288) Alibaba-SSH(6881286) Alibaba-Web(6881281) 

Traffic is load-balanced across WAN2 and Port13:

If the SD-WAN rule must take effect immediately after the switch, the existing sessions and the route cache have to be cleared so that the old sessions are re-evaluated; newly created sessions do not need this. The commands:

FGT100E_Master # diagnose sys session filter  src 192.168.10.100
FGT100E_Master # diagnose sys session clear   // clear the test host's sessions so they re-match the new SD-WAN rule (there was also a Skype IP database update)
FGT100E_Master # diagnose ip rtcache flush  // flush the route cache

One last question: if WAN1, WAN2 and Port13 all fail to meet the SLA target, how does the SD-WAN rule choose an egress interface?

The answer: if none of the three meets the SLA target, traffic is still load-balanced per session across WAN1, WAN2 and Port13.
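The Maximize Bandwidth (SLA) behaviour of the two tests above, as an added example (not code from the page or from FortiGate): members meeting the SLA target form the load-balancing set, a failing member drops out of it, and when every member fails all of them stay in use. The page only says that traffic is distributed per session; the hash of the session 5-tuple used here to pin each session to one member is an assumption made for this example, not the FortiGate's own algorithm, and the sessions are constructed.

```python
import hashlib
from collections import Counter, namedtuple

# seq: member sequence number; sla_ok: whether the rule's SLA target is met
LbMember = namedtuple("LbMember", "seq interface sla_ok")


def load_balance_members(members):
    """Members that take part in session-based load balancing: those meeting the
    SLA target (num of pass = 1 in the diagnose output). If none meets it,
    every member stays in use, as the page's all-failed test shows."""
    eligible = [m for m in members if m.sla_ok]
    return eligible or list(members)


def pick_egress(members, session):
    """Pin one session (5-tuple) to one eligible member.

    Hash-based choice is an assumption for this example; the page states only
    that the distribution is per session, not how the FortiGate picks.
    """
    eligible = load_balance_members(members)
    key = "|".join(map(str, session)).encode()
    bucket = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    return eligible[bucket % len(eligible)].interface


def distribute(members, sessions):
    """Count how many of the given sessions land on each interface."""
    return Counter(pick_egress(members, s) for s in sessions)


def sample_sessions(n=200):
    """Constructed sessions from the page's LAN 192.168.10.0/24 to a made-up
    documentation-range server, differing only in source port."""
    return [("192.168.10.100", 40000 + i, "203.0.113.10", 443, "tcp") for i in range(n)]


if __name__ == "__main__":
    wan1_fail = [LbMember(1, "wan1", False), LbMember(2, "wan2", True), LbMember(3, "port13", True)]
    all_fail = [LbMember(1, "wan1", False), LbMember(2, "wan2", False), LbMember(3, "port13", False)]
    print("wan1 fails SLA:", dict(distribute(wan1_fail, sample_sessions())))
    print("all fail SLA:  ", dict(distribute(all_fail, sample_sessions())))
```

Because the choice is keyed on the whole 5-tuple, an existing session stays on its member until it is cleared, which is why the page clears sessions and flushes the route cache to see the new distribution immediately.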

FGT100E_Master # diagnose sys virtual-wan-link service 5

Service(5): Address Mode(IPV4) flags=0x0
  TOS(0x0/0x0), Protocol(0: 1->65535), Mode(load-balance)
  Service role: standalone
  Member sub interface:
  Members:
    1: Seq_num(3), alive, sla(0x0), num of pass(0), selected
    2: Seq_num(2), alive, sla(0x0), num of pass(0), selected
    3: Seq_num(1), alive, sla(0x0), num of pass(0), selected
  Internet Service: Alibaba-Alibaba.Cloud(6881402) Alibaba-DNS(6881283) Alibaba-NTP(6881288) Alibaba-SSH(6881286) Alibaba-Web(6881281)
  Src address:
        192.168.10.0-192.168.10.255

FGT100E_Master # diagnose firewall  proute list
list route policy info(vf=root):

id=2136276997 vwl_service=5(TO_Aliyun) vwl_mbr_seq=3 2 1 dscp_tag=0xff 0xff flags=0x10 load-balance tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=23 num_pass=0 oif=8 num_pass=0 oif=7 num_pass=0
source(1): 192.168.10.0-192.168.10.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(5): Alibaba-Alibaba.Cloud(6881402) Alibaba-DNS(6881283) Alibaba-NTP(6881288) Alibaba-SSH(6881286) Alibaba-Web(6881281)

Still session-based load balancing: