Huawei AR router: policy-based routing that splits traffic by source address, with an ACL

1 Background

  1. The company has two broadband links, one on port 5 and one on port 9;
  2. The internal network has three /24 segments, 103, 106 and 107, that need Internet access;
  3. Packets with source address 192.168.103.0/24 or 192.168.106.0/24 should all leave through port 9; packets with source address 192.168.107.0/24 may leave through either port 5 or port 9, preferring port 5.

2 Configuration plan

Reference for policy-based routing traffic splitting: https://forum.huawei.com/enterprise/zh/thread/580912190884560896
Reference for the NQA example configuration: https://support.huawei.com/hedex/hdx.do?docid=EDOC1100021764&id=destination-address
Reference for binding NQA to policy-based routing: https://support.huawei.com/hedex/hdx.do?docid=EDOC1100021764&id=redirect_ip-nexthop

2.1 Query the existing configuration

2.1.1 Query the existing default routes

In the current environment both broadband links can reach the Internet normally.

<luyou>display ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 14       Routes : 14       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   221.219.208.241 GigabitEthernet0/0/5
     10.10.11.0/24  Direct  0    0           D   10.10.11.1      GigabitEthernet0/0/6   //note the route pointing back to port 6
     10.10.11.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/6
   10.10.11.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/6
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.99.0/24  Direct  0    0           D   192.168.99.2    GigabitEthernet0/0/9
   192.168.99.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/9
 192.168.99.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/9
221.219.208.240/30  Direct  0    0           D   221.219.208.242 GigabitEthernet0/0/5
221.219.208.242/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/5
221.219.208.243/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/5
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

<luyou>
<luyou>
<luyou>display current-configuration 
...
ip route-static 0.0.0.0 0.0.0.0 221.219.208.241    #On Huawei AR devices the default preference is 60; a smaller number means a higher priority
ip route-static 0.0.0.0 0.0.0.0 192.168.99.1 preference 101  
...

##Notes:
#1. 221.219.208.242 is the IP address of GigabitEthernet0/0/5.
#2. 192.168.99.2 is the IP address of GigabitEthernet0/0/9; the far end of port 9 is the optical modem (ONT).

2.2 Configuration changes

2.2.1 Create the ACL that defines the match rules

<luyou>	
<luyou>system-view 
Enter system view, return user view with Ctrl+Z.
[luyou]acl number 3999
[luyou-acl-adv-3999]rule 5 permit ip source 192.168.103.0 0.0.0.255
[luyou-acl-adv-3999]rule 10 permit ip source 192.168.106.0 0.0.0.255
[luyou-acl-adv-3999]quit
[luyou]
[luyou]display acl all
 Total quantity of nonempty ACL number is 1 

Advanced ACL 3999, 2 rules
Acl's step is 5
 rule 5 permit ip source 192.168.103.0 0.0.0.255 
 rule 10 permit ip source 192.168.106.0 0.0.0.255 

[luyou] 

2.2.2 Configure the traffic classifier

[luyou]
[luyou]traffic classifier fenliu1
[luyou-classifier-fenliu1]if-match acl 3999
[luyou-classifier-fenliu1]quit
[luyou]
[luyou]
[luyou]display traffic classifier user-defined
  User Defined Classifier Information:
   Classifier: fenliu1
    Operator: OR
    Rule(s) : 
     if-match acl 3999
[luyou]
[luyou]

2.2.3 Configure NQA

[luyou]
[luyou]nqa test-instance fenliu fenliu1
[luyou-nqa-fenliu-fenliu1]test-type icmp
[luyou-nqa-fenliu-fenliu1]destination-address ipv4 192.168.99.1
[luyou-nqa-fenliu-fenliu1]frequency 15
[luyou-nqa-fenliu-fenliu1]
[luyou-nqa-fenliu-fenliu1]display this
[V200R009C00SPC500]
#
nqa test-instance fenliu fenliu1
 test-type icmp
 destination-address ipv4 192.168.99.1
 frequency 15
#
return	
[luyou-nqa-fenliu-fenliu1]start now    
[luyou-nqa-fenliu-fenliu1]	
[luyou-nqa-fenliu-fenliu1]quit 
[luyou]

##Note:
# frequency 15: the interval, in seconds (an integer), between two consecutive runs of the test instance. By default no automatic test interval is configured, i.e. the test runs only once.
# start now: starts the test; if no end time is configured, the test does not stop by itself and must be stopped manually (stop). The test period of a running test instance cannot be changed.

2.2.4 Configure the traffic behavior

[luyou]	
[luyou]traffic behavior fenliu1	
[luyou-behavior-fenliu1]redirect ip-nexthop 192.168.99.1 track nqa fenliu fenliu1
[luyou-behavior-fenliu1]quit   
[luyou] 
[luyou]display traffic behavior user-defined
  User Defined Behavior Information:
    Behavior: fenliu1 
      Redirect: 
        Redirect ip-nexthop 192.168.99.1 track nqa fenliu fenliu1
[luyou]
[luyou]

2.2.5 Configure the traffic policy

[luyou]
[luyou]traffic policy fenliu
[luyou-trafficpolicy-fenliu]
[luyou-trafficpolicy-fenliu]classifier fenliu1 behavior fenliu1 
[luyou-trafficpolicy-fenliu]quit
[luyou]
[luyou]display traffic policy user-defined
  User Defined Traffic Policy Information:
  Policy: fenliu
   Classifier: fenliu1
    Operator: OR
     Behavior: fenliu1
      Redirect: 
        Redirect ip-nexthop 192.168.99.1 track nqa fenliu fenliu1
     Precedence: 5
[luyou]

2.2.6 Apply the traffic policy

[luyou]
[luyou]interface GigabitEthernet 0/0/6	
[luyou-GigabitEthernet0/0/6]display this 
[V200R009C00SPC500]
#
interface GigabitEthernet0/0/6
 ip address 10.10.11.1 255.255.255.0
#
return
	
[luyou-GigabitEthernet0/0/6]traffic-policy fenliu inbound 	
[luyou-GigabitEthernet0/0/6]display this 
[V200R009C00SPC500]
#
interface GigabitEthernet0/0/6
 ip address 10.10.11.1 255.255.255.0
 traffic-policy fenliu inbound
#
return
[luyou-GigabitEthernet0/0/6]

2.2.7 Save the configuration

save

2.2.8 Troubleshooting: enable packet statistics on the traffic behavior

[luyou]traffic behavior fenliu1
[luyou-behavior-fenliu1]disp	
[luyou-behavior-fenliu1]display this
[V200R009C00SPC500]
#
traffic behavior fenliu1
 redirect ip-nexthop 192.168.99.1 track nqa fenliu fenliu1
 statistic enable      //configuration used for the statistics
#
return
[luyou-behavior-fenliu1]
[luyou-behavior-fenliu1]quit   
[luyou] 
[luyou]display traffic policy statistics interface GigabitEthernet0/0/6    inbound verbose rule-base

Interface: GigabitEthernet0/0/6
Traffic policy inbound: fenliu
 Rule number: 2
 Current status: OK!
 Classifier: fenliu1 operator or
 Behavior: fenliu1
 rule 5 permit ip source 192.168.103.0 0.0.0.255 
  Passed Packet                     1,201,Passed Bytes                   139,027
  Dropped Packet                        0,Dropped Bytes                        0
 rule 10 permit ip source 192.168.106.0 0.0.0.255 
  Passed Packet                     4,289,Passed Bytes                   691,169
  Dropped Packet                        0,Dropped Bytes                        0
[luyou]

2.2.9 View the NQA (Network Quality Analyzer) test results

[luyou]display nqa results test-instance fenliu fenliu1
 
 NQA entry(fenliu, fenliu1) :testflag is active ,testtype is icmp 
  1 . Test 5864 result   The test is finished
   Send operation times: 3              Receive response times: 3          
   Completion:success                   RTD OverThresholds number: 0       
   Attempts number:1                    Drop operation number:0            
   Disconnect operation number:0        Operation timeout number:0         
   System busy operation number:0       Connection fail number:0           
   Operation sequence errors number:0   RTT Status errors number:0         
   Destination ip address:192.168.99.1                                   
   Min/Max/Average Completion Time: 1/1/1                                
   Sum/Square-Sum  Completion Time: 3/3                                  
   Last Good Probe Time: 2024-03-05 11:20:24.4                           
   Lost packet ratio: 0 %                                                
  2 . Test 5865 result   The test is finished
   Send operation times: 3              Receive response times: 3          
   Completion:success                   RTD OverThresholds number: 0       
   Attempts number:1                    Drop operation number:0            
   Disconnect operation number:0        Operation timeout number:0         
   System busy operation number:0       Connection fail number:0           
   Operation sequence errors number:0   RTT Status errors number:0         
   Destination ip address:192.168.99.1                                   
   Min/Max/Average Completion Time: 1/1/1                                
   Sum/Square-Sum  Completion Time: 3/3                                  
   Last Good Probe Time: 2024-03-05 11:20:39.4                           
   Lost packet ratio: 0 %                                                
  3 . Test 5866 result   The test is finished
   Send operation times: 3              Receive response times: 3          
   Completion:success                   RTD OverThresholds number: 0       
   Attempts number:1                    Drop operation number:0            
   Disconnect operation number:0        Operation timeout number:0         
   System busy operation number:0       Connection fail number:0           
   Operation sequence errors number:0   RTT Status errors number:0         
   Destination ip address:192.168.99.1                                   
   Min/Max/Average Completion Time: 1/1/1                                
   Sum/Square-Sum  Completion Time: 3/3                                  
   Last Good Probe Time: 2024-03-05 11:20:54.4                           
   Lost packet ratio: 0 %                                                
  4 . Test 5867 result   The test is finished
   Send operation times: 3              Receive response times: 3          
   Completion:success                   RTD OverThresholds number: 0       
   Attempts number:1                    Drop operation number:0            
   Disconnect operation number:0        Operation timeout number:0         
   System busy operation number:0       Connection fail number:0           
   Operation sequence errors number:0   RTT Status errors number:0         
   Destination ip address:192.168.99.1                                   
   Min/Max/Average Completion Time: 1/1/1                                
   Sum/Square-Sum  Completion Time: 3/3                                  
   Last Good Probe Time: 2024-03-05 11:21:09.4                           
   Lost packet ratio: 0 %                                                
  5 . Test 5868 result   The test is finished
   Send operation times: 3              Receive response times: 3          
   Completion:success                   RTD OverThresholds number: 0       
   Attempts number:1                    Drop operation number:0            
   Disconnect operation number:0        Operation timeout number:0         
   System busy operation number:0       Connection fail number:0           
   Operation sequence errors number:0   RTT Status errors number:0         
   Destination ip address:192.168.99.1                                   
   Min/Max/Average Completion Time: 1/1/1                                
   Sum/Square-Sum  Completion Time: 3/3                                  
   Last Good Probe Time: 2024-03-05 11:21:24.4                           
   Lost packet ratio: 0 %                                                
[luyou]

## Here there are three test instances (Test 5864, Test 5865, Test 5866); each ran three operations (Send operation times: 3) and every operation received a response (Receive response times: 3). The results show that all operations completed successfully (Completion:success), with no packet loss (Lost packet ratio: 0 %) and no timeouts, connection failures or other errors.
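Reading this output by eye works for one instance, but the same verdict can be computed. The following Python script is an added example, not part of the original post and not a Huawei tool: it parses the layout of `display nqa results test-instance` shown above into per-test records and declares the track healthy only when every listed test reports `Completion:success` with zero packet loss. The input is a constructed sample in the same layout, with a third test that loses packets so the unhealthy path is exercised; the `failed` completion value in that sample is an assumption, as is the threshold parameter.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of `display nqa results test-instance` (not copied from a device):
# two healthy probes and a third one that lost packets, so the unhealthy path is exercised.
SAMPLE = """\
 NQA entry(fenliu, fenliu1) :testflag is active ,testtype is icmp
  1 . Test 5864 result   The test is finished
   Send operation times: 3              Receive response times: 3
   Completion:success                   RTD OverThresholds number: 0
   Destination ip address:192.168.99.1
   Last Good Probe Time: 2024-03-05 11:20:24.4
   Lost packet ratio: 0 %
  2 . Test 5865 result   The test is finished
   Send operation times: 3              Receive response times: 3
   Completion:success                   RTD OverThresholds number: 0
   Lost packet ratio: 0 %
  3 . Test 5866 result   The test is finished
   Send operation times: 3              Receive response times: 1
   Completion:failed                    RTD OverThresholds number: 0
   Operation timeout number:2
   Lost packet ratio: 66 %
"""


@dataclass
class ProbeResult:
    test_id: int
    sent: int
    received: int
    completion: str
    loss_pct: int


TEST_HDR = re.compile(r"^\s*\d+\s*\.\s*Test\s+(\d+)\s+result")
SENT_RECV = re.compile(r"Send operation times:\s*(\d+)\s+Receive response times:\s*(\d+)")
COMPLETION = re.compile(r"Completion:\s*(\w+)")
LOSS = re.compile(r"Lost packet ratio:\s*(\d+)\s*%")


def parse_nqa_results(text: str) -> List[ProbeResult]:
    """Split the display output into one ProbeResult per 'N . Test XXXX result' block."""
    results: List[ProbeResult] = []
    cur = None
    for line in text.splitlines():
        m = TEST_HDR.match(line)
        if m:
            if cur:
                results.append(ProbeResult(**cur))
            # defaults are pessimistic: a block missing its fields counts as lost
            cur = {"test_id": int(m.group(1)), "sent": 0, "received": 0,
                   "completion": "unknown", "loss_pct": 100}
            continue
        if cur is None:
            continue  # header line before the first test block
        if (m := SENT_RECV.search(line)):
            cur["sent"], cur["received"] = int(m.group(1)), int(m.group(2))
        elif (m := COMPLETION.search(line)):
            cur["completion"] = m.group(1)
        elif (m := LOSS.search(line)):
            cur["loss_pct"] = int(m.group(1))
    if cur:
        results.append(ProbeResult(**cur))
    return results


def _ok(r: ProbeResult, max_loss_pct: int) -> bool:
    return r.completion == "success" and r.loss_pct <= max_loss_pct


def unhealthy_tests(results: List[ProbeResult], max_loss_pct: int = 0) -> List[int]:
    """Ids of tests that failed or exceeded the tolerated loss (max_loss_pct is an assumed knob)."""
    return [r.test_id for r in results if not _ok(r, max_loss_pct)]


def track_is_healthy(results: List[ProbeResult], max_loss_pct: int = 0) -> bool:
    """The redirect can be trusted only if every listed test succeeded with tolerable loss."""
    return bool(results) and not unhealthy_tests(results, max_loss_pct)


if __name__ == "__main__":
    parsed = parse_nqa_results(SAMPLE)
    for r in parsed:
        print(f"Test {r.test_id}: sent={r.sent} received={r.received} "
              f"completion={r.completion} loss={r.loss_pct}%")
    print("track healthy:", track_is_healthy(parsed), "unhealthy:", unhealthy_tests(parsed))
```

Paste the real `display nqa results` output into `SAMPLE` (or read it from a file) to get the same verdict for the live device; a non-empty `unhealthy_tests` list is the condition under which the `track nqa` binding will stop applying the redirect.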

2.3 Results

  1. The configuration succeeds and this method works;
  2. But when testing we find that traffic still goes out through port 5;
  3. Because, looking at the routing table, the only route pointing back to port 6 is 10.10.11.0/24;
  4. So we infer that Internet-bound packets have their source address translated before entering port 6, which is why our ACL source-address match does not match them;
  5. So before choosing this method, check the routes and see whether anything in the topology performs source address translation;
  6. Then why does the ACL match show matched packets?
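To make the decision logic of sections 2.2.1 to 2.2.6 concrete, and to show why the source-NAT inference in item 4 would defeat the match, here is an added Python model; it is example code, not Huawei's implementation and not from the original post. It models the wildcard matching of ACL 3999, the redirect behavior that is honoured only while the NQA track is up, the policy bound inbound on GigabitEthernet0/0/6, and the routing table from section 2.1.1, where preference 60 beats 101. Two points are assumptions: `hypothetical_snat` stands in for the upstream translation the post infers (no such device appears on the page), and the per-rule counters are modelled as counting every classifier match whether or not the redirect is taken.

```python
import ipaddress
from typing import Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


# acl number 3999 from the page: (rule id, action, source, wildcard); the ACL step is 5.
ACL_3999 = [
    (5, "permit", "192.168.103.0", "0.0.0.255"),
    (10, "permit", "192.168.106.0", "0.0.0.255"),
]


def acl_lookup(acl, src: str) -> Optional[int]:
    """Id of the first rule matching src (ascending rule order); None if nothing permits it."""
    for rid, action, base, wc in sorted(acl):
        if wildcard_match(src, base, wc):
            return rid if action == "permit" else None
    return None


# The routing table shown in 2.1.1: (prefix, protocol, preference, next hop, interface).
ROUTES = [
    ("0.0.0.0/0", "Static", 60, "221.219.208.241", "GigabitEthernet0/0/5"),
    ("0.0.0.0/0", "Static", 101, "192.168.99.1", "GigabitEthernet0/0/9"),
    ("10.10.11.0/24", "Direct", 0, "10.10.11.1", "GigabitEthernet0/0/6"),
    ("192.168.99.0/24", "Direct", 0, "192.168.99.2", "GigabitEthernet0/0/9"),
    ("221.219.208.240/30", "Direct", 0, "221.219.208.242", "GigabitEthernet0/0/5"),
]


def route_lookup(dst: str, routes=ROUTES) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; among equal prefixes the lowest preference wins (lower number = preferred)."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, _proto, pref, nh, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if d in net:
            key = (net.prefixlen, -pref)
            if best is None or key > best[0]:
                best = (key, nh, iface)
    return (best[1], best[2]) if best else None


class PolicyRouter:
    """traffic policy 'fenliu': classifier (if-match acl 3999) + behavior (redirect ip-nexthop ... track nqa),
    applied inbound on GigabitEthernet0/0/6. nqa_up models the state of NQA test fenliu/fenliu1."""

    def __init__(self, acl=ACL_3999, redirect_nh="192.168.99.1", nqa_up=True, routes=ROUTES):
        self.acl, self.redirect_nh, self.nqa_up, self.routes = acl, redirect_nh, nqa_up, routes
        # 'statistic enable' counters per rule; assumed to count every classifier match
        self.stats = {rid: 0 for rid, *_ in acl}

    def forward(self, src: str, dst: str, ingress: str = "GigabitEthernet0/0/6") -> Tuple[str, str]:
        if ingress == "GigabitEthernet0/0/6":        # the policy is bound inbound on GE0/0/6 only
            rid = acl_lookup(self.acl, src)
            if rid is not None:
                self.stats[rid] += 1
                if self.nqa_up:                      # redirect honoured only while the tracked test succeeds
                    _nh, iface = route_lookup(self.redirect_nh, self.routes)
                    return self.redirect_nh, iface
        return route_lookup(dst, self.routes)        # otherwise: ordinary routing-table lookup


def hypothetical_snat(src: str) -> str:
    """Assumption standing in for the post's inference: an upstream device rewrites LAN sources into
    10.10.11.0/24 before packets reach GE0/0/6, so the ACL never sees 192.168.103.x / 192.168.106.x."""
    return "10.10.11." + src.split(".")[-1]


if __name__ == "__main__":
    r = PolicyRouter()
    print(r.forward("192.168.103.10", "8.8.8.8"))                      # ('192.168.99.1', 'GigabitEthernet0/0/9')
    print(r.forward("192.168.107.10", "8.8.8.8"))                      # ('221.219.208.241', 'GigabitEthernet0/0/5')
    print(r.forward(hypothetical_snat("192.168.103.10"), "8.8.8.8"))   # ('221.219.208.241', 'GigabitEthernet0/0/5')
    print(r.stats)                                                     # {5: 1, 10: 0}
    print(PolicyRouter(nqa_up=False).forward("192.168.103.10", "8.8.8.8"))  # falls back to port 5
```

Running it shows the intended split (103/106 sources to port 9, 107 sources to port 5), that a translated 10.10.11.x source falls through to the default route on port 5 without touching the counters, and that with the track down the 103/106 sources also fall back to the port-5 default, which is the fail-over that `track nqa` is there to provide. It does not resolve item 6: in this model a counter can only increase when the ACL sees the untranslated source, so matched counters and port-5 egress together point at checking where the policy is applied relative to any translation, not at the ACL itself.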
posted @ 2024-02-29 16:19 by du-z