Summary:

In a cloud-migration scenario, the customer needs the connection between its on-premises data center and the cloud VPC to fail over automatically when a network fault occurs, so that business is not interrupted.

 

I. Customer requirements

1. The customer has a head plant and a branch plant. The head plant connects to the cloud over a leased line and a VPN; the branch plant connects to the head plant over a leased line and also has its own VPN to the cloud.

2. Whether the head plant's leased line or the branch plant's leased line fails, the network must automatically switch to the VPN link so that service recovers quickly.

 

II. Network topology

[Figure: network topology diagram]

 

 

Notes: 1. On the head-plant and branch-plant routers, loopback interfaces (60.0.0.0/24 on AR2, 70.0.0.0/24 on AR3) simulate the plant networks.

       2. AR5 acts as the VPN gateway; only its static routes are configured here, the IPsec VPN configuration is omitted.

 

III. Design and key configuration points

1. When the leased line is up, prefer the leased line.

    Requirement on CE1: the head-plant and branch-plant prefixes (60.0.0.0/24 and 70.0.0.0/24) are learned both from AR5 (the VPN gateway, which redistributes its static routes into BGP) and from AR2 (the head-plant router). To prefer the routes from AR2, the BGP neighbor AR2 is given a higher preferred-value (PrefVal), which VRP compares before Local_Pref and AS_Path length. This is not optional: 70.0.0.0/24 arrives via AR2 with AS_Path 65002 65003 and via AR5 with AS_Path 65004, so without the preferred-value the shorter AS_Path over the VPN would win for the branch prefix even while the leased line is up.



#
bgp 65001
 timer keepalive 20 hold 60
 peer 10.0.0.2 as-number 65002
 peer 20.0.0.2 as-number 65004
 #
 ipv4-family unicast
  network 10.0.0.0 255.255.255.0
  network 20.0.0.0 255.255.255.0
  network 169.254.195.0 255.255.255.0
  network 192.168.0.0 255.255.255.0
  peer 10.0.0.2 enable
  peer 10.0.0.2 preferred-value 10
  peer 20.0.0.2 enable
#
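To make the preferred-value point concrete, here is an added Python model (not part of the original lab) of the first steps of VRP's BGP best-path selection, applied to the candidates CE1 receives. The candidate attributes are constructed from the configurations on this page: AR2 originates 60.0.0.0/24 with `network` (origin IGP) and relays 70.0.0.0/24 from AR3, while AR5 injects both prefixes with `import-route static` (origin Incomplete). The selection order modelled (PrefVal, Local_Pref, AS_Path length, Origin, MED) is VRP's; the route list and the helper names are this example's own.

```python
"""Model of the first BGP best-path steps on CE1 (added example).

Selection order modelled (Huawei VRP): higher PrefVal, higher Local_Pref,
shorter AS_Path, better Origin (IGP < EGP < Incomplete), lower MED.
The "locally originated" step between Local_Pref and AS_Path is skipped
because every candidate here was learned from a peer.
Candidate routes are constructed from the lab topology on this page.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    peer: str                  # neighbor address the route was learned from
    as_path: Tuple[int, ...]   # AS_Path as received, leftmost = nearest AS
    origin: str = "igp"
    pref_val: int = 0          # Huawei preferred-value, default 0
    local_pref: int = 100
    med: int = 0


def selection_key(route: BgpRoute):
    """Smaller tuple wins; each element is one comparison step, in order."""
    return (
        -route.pref_val,             # 1. higher PrefVal wins
        -route.local_pref,           # 2. higher Local_Pref wins
        len(route.as_path),          # 3. shorter AS_Path wins
        ORIGIN_RANK[route.origin],   # 4. IGP < EGP < Incomplete
        route.med,                   # 5. lower MED wins
    )


def best_paths(routes: List[BgpRoute]) -> Dict[str, BgpRoute]:
    """Pick the best route for each prefix from the candidate list."""
    by_prefix: Dict[str, List[BgpRoute]] = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    return {p: min(cands, key=selection_key) for p, cands in by_prefix.items()}


def peer_preferred_value(routes: List[BgpRoute], peer: str, value: int) -> List[BgpRoute]:
    """Equivalent of 'peer <addr> preferred-value <value>' applied on CE1."""
    return [replace(r, pref_val=value) if r.peer == peer else r for r in routes]


def ce1_candidates() -> List[BgpRoute]:
    """Constructed: what CE1 (AS 65001) receives while both links are up."""
    return [
        # From AR2 (10.0.0.2, AS 65002): 60/24 via 'network' (origin IGP);
        # 70/24 is relayed from AR3, so its AS_Path is one AS longer.
        BgpRoute("60.0.0.0/24", "10.0.0.2", (65002,), "igp"),
        BgpRoute("70.0.0.0/24", "10.0.0.2", (65002, 65003), "igp"),
        # From AR5 (20.0.0.2, AS 65004): 'import-route static' -> origin Incomplete.
        BgpRoute("60.0.0.0/24", "20.0.0.2", (65004,), "incomplete"),
        BgpRoute("70.0.0.0/24", "20.0.0.2", (65004,), "incomplete"),
    ]


def next_hops(routes: List[BgpRoute]) -> Dict[str, str]:
    """Best next-hop peer per prefix, sorted by prefix for stable output."""
    return {p: r.peer for p, r in sorted(best_paths(routes).items())}


if __name__ == "__main__":
    plain = ce1_candidates()
    print("no preferred-value :", next_hops(plain))
    tuned = peer_preferred_value(plain, "10.0.0.2", 10)
    print("preferred-value 10 :", next_hops(tuned))
    # Leased line down: AR2's routes are withdrawn, only AR5's remain.
    failed = [r for r in tuned if r.peer != "10.0.0.2"]
    print("AR2 session down   :", next_hops(failed))
```

Running it shows that without the preferred-value 60.0.0.0/24 already prefers AR2 (tie on AS_Path length, then IGP beats Incomplete), but 70.0.0.0/24 goes to AR5 because of the shorter AS_Path; with `preferred-value 10` on peer 10.0.0.2 both prefixes use the leased line, and when AR2's routes are withdrawn both fall back to AR5.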



 

    The head-plant router AR2 likewise has two paths to the VPC prefix 192.168.0.0/24: one learned over BGP from CE1, and a local static route whose next hop is the VPN gateway AR5. For the leased line to be preferred, BGP routes must get a better (numerically lower) route preference than static routes. VRP's defaults are 255 for BGP and 60 for static, and the lowest value wins, so with the defaults the static route via the VPN would be installed even while the leased line is up; `preference 50 50 50` puts BGP below static. There are two ways to achieve this effect; see the separate blog post.

    Key configuration on the head-plant router:



#
bgp 65002
 timer keepalive 20 hold 60
 peer 10.0.0.1 as-number 65001 
 peer 40.0.0.2 as-number 65003 
 #
 ipv4-family unicast
  undo synchronization
  preference 50 50 50 
  network 10.0.0.0 255.255.255.0 
  network 40.0.0.0 255.255.255.0 
  network 60.0.0.0 255.255.255.0 
  peer 10.0.0.1 enable
  peer 40.0.0.2 enable
#



 

    The branch-plant router has the same requirement for the VPC prefix: leased line over VPN. The branch router therefore carries the same configuration raising the BGP route preference.

 Branch router configuration:



#
bgp 65003
 timer keepalive 20 hold 60
 peer 40.0.0.1 as-number 65002 
 #
 ipv4-family unicast
  undo synchronization
  preference 50 50 50 
  network 40.0.0.0 255.255.255.0 
  network 70.0.0.0 255.255.255.0 
  peer 40.0.0.1 enable
#
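The route-preference comparison that AR2 and AR3 perform between their static VPN route and the BGP route from the leased line is shown in the added Python model below (this is example code, not part of the original lab). The default preferences (Direct 0, Static 60, EBGP/IBGP 255, lowest wins) are VRP's; the per-prefix candidate list is constructed from the AR2 configuration on this page, including 40.0.0.0/24, which AR2 both has as a directly connected route and receives from AR3 over BGP, to show that lowering BGP to 50 still leaves direct routes on top.

```python
"""Model of VRP route-preference selection on AR2 (added example).

For each prefix VRP installs the candidate with the lowest route
preference. Defaults used here: Direct 0, Static 60, EBGP/IBGP 255.
Candidates are constructed from the AR2 configuration on this page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFAULT_PREFERENCE = {"direct": 0, "ospf": 10, "static": 60, "ebgp": 255, "ibgp": 255}


@dataclass(frozen=True)
class Candidate:
    protocol: str
    next_hop: str      # next-hop address, or the outgoing interface for direct routes
    preference: int


def install(candidates: List[Candidate]) -> Optional[Candidate]:
    """Return the candidate that enters the IP routing table (lowest value wins)."""
    return min(candidates, key=lambda c: c.preference, default=None)


def ar2_candidates(bgp_preference: int, ce1_session_up: bool = True) -> Dict[str, List[Candidate]]:
    """Constructed: AR2's route sources per prefix.

    bgp_preference is the value set by 'preference <ext> <int> <local>'
    under ipv4-family unicast (255 if left at the default).
    """
    cands = {
        # VPC prefix: 'ip route-static 192.168.0.0 255.255.255.0 30.0.0.2' (via AR5, VPN)
        "192.168.0.0/24": [Candidate("static", "30.0.0.2", DEFAULT_PREFERENCE["static"])],
        # GE0/0/2 subnet: directly connected, and also advertised back by AR3 over EBGP
        "40.0.0.0/24": [
            Candidate("direct", "GigabitEthernet0/0/2", DEFAULT_PREFERENCE["direct"]),
            Candidate("ebgp", "40.0.0.2", bgp_preference),
        ],
        # Branch loopback: learned from AR3 only
        "70.0.0.0/24": [Candidate("ebgp", "40.0.0.2", bgp_preference)],
    }
    if ce1_session_up:
        # EBGP route for the VPC prefix from CE1 over the leased line
        cands["192.168.0.0/24"].append(Candidate("ebgp", "10.0.0.1", bgp_preference))
    return cands


def routing_table(bgp_preference: int, ce1_session_up: bool = True) -> Dict[str, Tuple[str, str]]:
    """Installed (protocol, next_hop) per prefix, as 'display ip routing-table' would list it."""
    table = {}
    for prefix, cands in ar2_candidates(bgp_preference, ce1_session_up).items():
        chosen = install(cands)
        if chosen is not None:
            table[prefix] = (chosen.protocol, chosen.next_hop)
    return table


if __name__ == "__main__":
    print("default BGP preference 255  :", routing_table(255)["192.168.0.0/24"])
    print("preference 50 50 50         :", routing_table(50)["192.168.0.0/24"])
    print("pref 50, leased line down   :", routing_table(50, ce1_session_up=False)["192.168.0.0/24"])
    print("direct still wins for 40/24 :", routing_table(50)["40.0.0.0/24"])
```

With the default preference the static route toward AR5 is installed even while the leased line is up, which is exactly the behaviour the page's `preference 50 50 50` is there to prevent; once the CE1 session is gone the BGP candidate disappears and the static route takes over without any further action, which is the failover shown in section IV.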



 

2. Shorten the BGP keepalive interval so that faults are detected sooner. All sessions are set to keepalive 20 s / hold 60 s, so a BGP neighbor detects a failure within one minute. The hold time is the worst case, which applies when the local interface stays up while the far end has failed, and it is why the tests below wait one minute after the shutdown. Sub-second detection would require BFD for BGP, which is not part of this test.

See the `timer` line in the BGP configurations above.

 

IV. Test results

1. With the leased line up, traffic prefers the leased line.

Cloud VPC ---> head plant:

    AR4 (default route) ---> AR1 (default route) ---> CE1 (BGP route) ---> AR2

    


 

Cloud VPC ---> head plant (return path):

    AR2 (BGP route) ---> CE1 (static route) ---> AR1 (directly connected route) ---> AR4

    


 

Cloud VPC ---> branch plant:

    AR4 (default route) ---> AR1 (default route) ---> CE1 (BGP route) ---> AR2 (BGP route) ---> AR3

    


 

Cloud VPC ---> branch plant (return path):

    AR3 (BGP route) ---> AR2 (BGP route) ---> CE1 (static route) ---> AR1 (directly connected route) ---> AR4

    


 

 

2. Head-plant leased line failure (shut down GE0/0/0 on head-plant AR2, wait 1 minute)

Cloud VPC ---> head plant:

    AR4 (default route) ---> AR1 (default route) ---> CE1 (BGP route) ---> AR5 (static route) ---> AR2


 

Cloud VPC ---> head plant (return path):

    AR2 (static route) ---> AR5 (BGP route) ---> CE1 (static route) ---> AR1 (directly connected route) ---> AR4

 


 

Cloud VPC ---> branch plant:

    AR4 (default route) ---> AR1 (default route) ---> CE1 (BGP route) ---> AR5 (static route) ---> AR3


 

 

Cloud VPC ---> branch plant (return path):

    AR3 (static route) ---> AR5 (BGP route) ---> CE1 (static route) ---> AR1 (directly connected route) ---> AR4


 

After the head-plant leased line recovers, traffic switches back to the head-plant leased line as expected.

The result is the same as in "1. With the leased line up, traffic prefers the leased line."

 

 

3. Branch-plant leased line failure (shut down GE0/0/0 on branch-plant AR3, wait 1 minute)

Cloud VPC ---> head plant:

    AR4 (default route) ---> AR1 (default route) ---> CE1 (BGP route) ---> AR2


 

Cloud VPC ---> head plant (return path):

    AR2 (BGP route) ---> CE1 (static route) ---> AR1 (directly connected route) ---> AR4

 


 

Cloud VPC ---> branch plant:

    AR4 (default route) ---> AR1 (default route) ---> CE1 (BGP route) ---> AR5 (static route) ---> AR3


 

 

Cloud VPC ---> branch plant (return path):

    AR3 (static route) ---> AR5 (BGP route) ---> CE1 (static route) ---> AR1 (directly connected route) ---> AR4

 


 

After the branch-plant leased line recovers, traffic switches back to the branch-plant leased line as expected.

The result is the same as in "1. With the leased line up, traffic prefers the leased line."

 

V. Full configuration of all devices

Cloud VPC

AR4 configuration


[V200R003C00]
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.0.2
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

 

 

AR1 configuration

[V200R003C00]
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 192.168.0.2 255.255.255.0 
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
 ip address 169.254.195.201 255.255.255.0 
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 169.254.195.1
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

 

 

Leased-line gateway switch CE1

!CfgFileCrc:1b29a473
!Software Version V800R013C00SPC560B560
!Last configuration was updated at 2018-05-06 11:32:22 UTC
!Last configuration was saved at 2018-05-06 11:41:11 UTC
!MKHash 0000000000000000
#
sysname HUAWEI
#
device board 1 board-type CE-MPUB
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
 domain default_admin
#
interface MEth0/0/0
 undo shutdown
#
interface GE1/0/0
 undo portswitch
 undo shutdown
 ip address 20.0.0.1 255.255.255.0
#
interface GE1/0/1
 shutdown
#
interface GE1/0/2
 undo portswitch
 undo shutdown
 ip address 169.254.195.1 255.255.255.0
#
interface GE1/0/3
 undo portswitch
 undo shutdown
 ip address 10.0.0.1 255.255.255.0
#
interface GE1/0/4
 shutdown
#
interface GE1/0/5
 shutdown
#
interface GE1/0/6
 shutdown
#
interface GE1/0/7
 shutdown
#
interface GE1/0/8
 shutdown
#
interface GE1/0/9
 shutdown
#
interface GE1/0/10
 shutdown
#
interface GE1/0/11
 shutdown
#
interface GE1/0/12
 shutdown
#
interface GE1/0/13
 shutdown
#
interface GE1/0/14
 shutdown
#
interface GE1/0/15
 shutdown
#
interface GE1/0/16
 shutdown
#
interface GE1/0/17
 shutdown
#
interface GE1/0/18
 shutdown
#
interface GE1/0/19
 shutdown
#
interface GE1/0/20
 shutdown
#
interface GE1/0/21
 shutdown
#
interface GE1/0/22
 shutdown
#
interface GE1/0/23
 shutdown
#
interface GE1/0/24
 shutdown
#
interface GE1/0/25
 shutdown
#
interface GE1/0/26
 shutdown
#
interface GE1/0/27
 shutdown
#
interface GE1/0/28
 shutdown
#
interface GE1/0/29
 shutdown
#
interface GE1/0/30
 shutdown
#
interface GE1/0/31
 shutdown
#
interface GE1/0/32
 shutdown
#
interface GE1/0/33
 shutdown
#
interface GE1/0/34
 shutdown
#
interface GE1/0/35
 shutdown
#
interface GE1/0/36
 shutdown
#
interface GE1/0/37
 shutdown
#
interface GE1/0/38
 shutdown
#
interface GE1/0/39
 shutdown
#
interface GE1/0/40
 shutdown
#
interface GE1/0/41
 shutdown
#
interface GE1/0/42
 shutdown
#
interface GE1/0/43
 shutdown
#
interface GE1/0/44
 shutdown
#
interface GE1/0/45
 shutdown
#
interface GE1/0/46
 shutdown
#
interface GE1/0/47
 shutdown
#
interface NULL0
#
bgp 65001
 timer keepalive 20 hold 60
 peer 10.0.0.2 as-number 65002
 peer 20.0.0.2 as-number 65004
 #
 ipv4-family unicast
  network 10.0.0.0 255.255.255.0
  network 20.0.0.0 255.255.255.0
  network 169.254.195.0 255.255.255.0
  network 192.168.0.0 255.255.255.0
  peer 10.0.0.2 enable
  peer 10.0.0.2 preferred-value 10
  peer 20.0.0.2 enable
#
ip route-static 192.168.0.0 255.255.255.0 169.254.195.201
#
ssh authorization-type default aaa
#
user-interface con 0
#
vm-manager
#
return


 

 

VPN gateway AR5

[V200R003C00]
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 20.0.0.2 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 30.0.0.2 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 50.0.0.2 255.255.255.0 
#
interface NULL0
#
bgp 65004
 peer 20.0.0.1 as-number 65001 
 #
 ipv4-family unicast
  undo synchronization
  network 20.0.0.0 255.255.255.0 
  import-route static
  peer 20.0.0.1 enable
#
ip route-static 60.0.0.0 255.255.255.0 30.0.0.1
ip route-static 70.0.0.0 255.255.255.0 50.0.0.1
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

 

 

Head-plant AR2 configuration


[V200R003C00]
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 10.0.0.2 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 30.0.0.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
 ip address 40.0.0.1 255.255.255.0 
#
interface NULL0
#
interface LoopBack1
 ip address 60.0.0.1 255.255.255.0 
#
bgp 65002
 timer keepalive 20 hold 60
 peer 10.0.0.1 as-number 65001 
 peer 40.0.0.2 as-number 65003 
 #
 ipv4-family unicast
  undo synchronization
  preference 50 50 50 
  network 10.0.0.0 255.255.255.0 
  network 40.0.0.0 255.255.255.0 
  network 60.0.0.0 255.255.255.0 
  peer 10.0.0.1 enable
  peer 40.0.0.2 enable
#
ip route-static 192.168.0.0 255.255.255.0 30.0.0.2
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

 

 

Branch-plant AR3 configuration

 

[V200R003C00]
#
 sysname branch
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 40.0.0.2 255.255.255.0 
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
 ip address 50.0.0.1 255.255.255.0 
#
interface NULL0
#
interface LoopBack0
 ip address 70.0.0.1 255.255.255.0 
#
bgp 65003
 timer keepalive 20 hold 60
 peer 40.0.0.1 as-number 65002 
 #
 ipv4-family unicast
  undo synchronization
  preference 50 50 50 
  network 40.0.0.0 255.255.255.0 
  network 70.0.0.0 255.255.255.0 
  peer 40.0.0.1 enable
#
ip route-static 192.168.0.0 255.255.255.0 50.0.0.2
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return