Configuring IP Monitoring with Route Failover
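By combining IP monitoring with route failover, you can use real-time performance monitoring (RPM) probes to track an IP address or a group of IP addresses. If the RPM probe fails, you can inject a route into the routing table. After the RPM probe successfully reaches its target again, the route is withdrawn from the routing table and the forwarding table.
Figure 1 shows the topology used in the configuration example and how IP monitoring works.
In the normal operating state, the next-hop router on the SRX Series gateway for reaching IP address 5.1.1.1 is 1.1.1.2. However, when the RPM probe to IP address 5.1.1.2 fails, IP address 2.1.1.2 should be used as the next hop.
To achieve this result, define an RPM probe that monitors IP address 5.1.1.2. Enter the following configuration: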
set services rpm probe Probe-Payment-Server test paysvr target address 5.1.1.2
set services rpm probe Probe-Payment-Server test paysvr probe-count 5
set services rpm probe Probe-Payment-Server test paysvr probe-interval 5
set services rpm probe Probe-Payment-Server test paysvr test-interval 3
set services rpm probe Probe-Payment-Server test paysvr thresholds successive-loss 5
set services rpm probe Probe-Payment-Server test paysvr destination-interface fe-0/0/1.0
set services rpm probe Probe-Payment-Server test paysvr hardware-timestamp
set services rpm probe Probe-Payment-Server test paysvr next-hop 1.1.1.2
In addition, configure an IP monitoring policy that adds a preferred route when the RPM probe fails. Enter the following configuration:
set services ip-monitoring policy payment match rpm-probe Probe-Payment-Server
set services ip-monitoring policy payment then preferred-route route 5.1.1.0/24 next-hop 2.1.1.2
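In the steady state, you can reach IP address 5.1.1.1 through the device with IP address 1.1.1.2, and the RPM probe succeeds. To verify steady-state operation, use the following commands: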
root# run traceroute 5.1.1.1 source 10.1.1.1
traceroute to 5.1.1.1 (5.1.1.1) from 10.1.1.1, 30 hops max, 40 byte packets
 1  1.1.1.2 (1.1.1.2)  14.697 ms  2.953 ms  9.043 ms
 2  5.1.1.1 (5.1.1.1)  9.916 ms  3.612 ms  4.085 ms
In the following show command output, the result PASS in the Status field indicates that the probe succeeded:
root# run show services ip-monitoring status
Policy - payment
  RPM Probes:
    Probe name             Address          Status
    ---------------------- ---------------- ---------
    Probe-Payment-Server   5.1.1.2          PASS
  Route-Action:
    route-instance    route             next-hop         State
    ----------------- ----------------- ---------------- -------------
    inet.0            5.1.1.0           2.1.1.2          NOT-APPLIED
In the following show command output, the Probes sent count and the Probes received count are equal, and the Loss percentage is 0. This indicates that the probe succeeded.
root# run show services rpm probe-results
    Owner: Probe-Payment-Server, Test: paysvr
    Target address: 5.1.1.2, Probe type: icmp-ping
    Destination interface name: fe-0/0/1.0
    Test size: 5 probes
    Probe results:
      Response received, Tue Sep 20 06:18:00 2011, No hardware timestamps
      Rtt: 1776 usec
    Results over current test:
      Probes sent: 5, Probes received: 5, Loss percentage: 0
      Measurement: Round trip time
        Samples: 5, Minimum: 1490 usec, Maximum: 7399 usec, Average: 2952 usec, Peak to peak: 5909 usec, Stddev: 2235 usec, Sum: 14758 usec
    Results over last test:
      Probes sent: 5, Probes received: 5, Loss percentage: 0
      Test completed on Tue Sep 20 06:18:00 2011
      Measurement: Round trip time
        Samples: 5, Minimum: 1490 usec, Maximum: 7399 usec, Average: 2952 usec, Peak to peak: 5909 usec, Stddev: 2235 usec, Sum: 14758 usec
    Results over all tests:
      Probes sent: 45, Probes received: 45, Loss percentage: 0
      Measurement: Round trip time
        Samples: 45, Minimum: 1490 usec, Maximum: 93350 usec, Average: 4766 usec, Peak to peak: 91860 usec, Stddev: 13517 usec, Sum: 214456 usec
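When IP address 5.1.1.2 cannot be reached, the RPM probe fails and the route specified in the IP monitoring configuration is pushed to the routing table. The pushed route has a priority of one (1), which is higher than that of any static route or any route learned through a routing protocol. The server at IP address 5.1.1.1 is now reachable through the device with IP address 2.1.1.2. To verify operation in the failed state, use the following commands: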
root# run show services ip-monitoring status
Policy - test-remote-server
  RPM Probes:
    Probe name             Address          Status
    ---------------------- ---------------- ---------
    Probe-Payment-Server   5.1.1.2          FAIL
  Route-Action:
    route-instance    route             next-hop         State
    ----------------- ----------------- ---------------- -------------
    inet.0            5.1.1.0           2.1.1.2          APPLIED
In the following show command output, to 2.1.1.2 via fe-0/0/2.0 indicates that the route has changed:
root# run show route 5.1.1.1
inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
5.1.1.0/24         *[Static/1] 00:00:18, metric2 0
                    > to 2.1.1.2 via fe-0/0/2.0
                    [Static/5] 00:01:38
                    > to 1.1.1.2 via fe-0/0/1.0
In the following command output, (2.1.1.2) indicates that the route has changed from what the steady-state traceroute showed (1.1.1.2):
root# run traceroute 5.1.1.1 source 10.1.1.1
traceroute to 5.1.1.1 (5.1.1.1) from 10.1.1.1, 30 hops max, 40 byte packets
 1  2.1.1.2 (2.1.1.2)  9.436 ms  9.457 ms  9.011 ms
 2  5.1.1.1 (5.1.1.1)  3.671 ms  3.553 ms  4.036 ms
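When IP address 5.1.1.2 becomes reachable again, the RPM probe successfully reaches its target and the route that was added to the routing table is withdrawn.
To verify operation in the restored steady state, use the following commands and confirm that the results are similar to the steady-state results described earlier: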
root# run show services rpm probe-results
    Owner: Probe-Payment-Server, Test: paysvr
    Target address: 5.1.1.2, Probe type: icmp-ping
    Destination interface name: fe-0/0/1.0
    Test size: 5 probes
    Probe results:
      Response received, Tue Sep 20 08:00:02 2011, No hardware timestamps
      Rtt: 1410 usec
    Results over current test:
      Probes sent: 3, Probes received: 3, Loss percentage: 0
      Measurement: Round trip time
        Samples: 3, Minimum: 1410 usec, Maximum: 1769 usec, Average: 1596 usec, Peak to peak: 359 usec, Stddev: 147 usec, Sum: 4788 usec
    Results over last test:
      Probes sent: 5, Probes received: 5, Loss percentage: 0
      Test completed on Tue Sep 20 07:59:49 2011
      Measurement: Round trip time
        Samples: 5, Minimum: 1509 usec, Maximum: 3057 usec, Average: 1922 usec, Peak to peak: 1548 usec, Stddev: 579 usec, Sum: 9612 usec
    Results over all tests:
      Probes sent: 143, Probes received: 25, Loss percentage: 82
      Measurement: Round trip time
        Samples: 25, Minimum: 1410 usec, Maximum: 8086 usec, Average: 2973 usec, Peak to peak: 6676 usec, Stddev: 2337 usec, Sum: 74333 usec

root# run show route 5.1.1.1
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
5.1.1.0/24         *[Static/5] 00:13:18
                    > to 1.1.1.2 via fe-0/0/1.0

root# run show services ip-monitoring status
Policy - test-remote-server
  RPM Probes:
    Probe name             Address          Status
    ---------------------- ---------------- ---------
    Probe-Payment-Server   5.1.1.2          PASS
  Route-Action:
    route-instance    route             next-hop         State
    ----------------- ----------------- ---------------- -------------
    inet.0            5.1.1.0           2.1.1.2          NOT-APPLIED

root# run traceroute 5.1.1.1 source 10.1.1.1
traceroute to 5.1.1.1 (5.1.1.1) from 10.1.1.1, 30 hops max, 40 byte packets
 1  1.1.1.2 (1.1.1.2)  9.590 ms  9.968 ms  15.589 ms
 2  5.1.1.1 (5.1.1.1)  9.175 ms  3.914 ms  3.750 ms
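The status checks in the verification steps above can be scripted once the command output has been collected from the device. The following Python example is added here and is not part of the Juniper documentation; the function names are hypothetical, the sample output is constructed in the layout shown on this page, and one probe per policy is assumed.

```python
# Constructed sample, laid out like the failed-state output shown on this page.
SAMPLE = """\
Policy - payment
  RPM Probes:
    Probe name             Address          Status
    ---------------------- ---------------- ---------
    Probe-Payment-Server   5.1.1.2          FAIL
  Route-Action:
    route-instance    route             next-hop         State
    ----------------- ----------------- ---------------- -------------
    inet.0            5.1.1.0           2.1.1.2          APPLIED
"""


def parse_ip_monitoring(text):
    """Return {policy: {"probes": [(name, address, status)],
    "routes": [(instance, route, next_hop, state)]}}."""
    policies, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-", " "}:
            continue  # blank line or the dashed rule under a table header
        if line.startswith("Policy - "):
            name = line[len("Policy - "):]
            current = policies.setdefault(name, {"probes": [], "routes": []})
        elif line in ("RPM Probes:", "Route-Action:"):
            section = "probes" if line.startswith("RPM") else "routes"
        elif current is not None and section and not line.startswith(
                ("Probe name", "route-instance")):
            fields = line.split()
            if len(fields) == (3 if section == "probes" else 4):
                current[section].append(tuple(fields))
    return policies


def failover_alerts(policies):
    """Flag policies whose preferred route is applied, or whose probe
    status and route state disagree (assumes one probe per policy)."""
    alerts = []
    for name, p in policies.items():
        failed = any(status == "FAIL" for _, _, status in p["probes"])
        applied = any(state == "APPLIED" for *_, state in p["routes"])
        if failed != applied:
            alerts.append((name, "probe status and route state disagree"))
        elif applied:
            alerts.append((name, "failover active"))
    return alerts
```

Running failover_alerts(parse_ip_monitoring(SAMPLE)) reports the payment policy as being in failover; the steady-state output produces no alerts.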
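It is important to note that you can specify a next-hop value in the RPM configuration. This guarantees that all probes, even after failover, take the same path to the tracked IP address.
Without a next-hop value, once the new route has been injected (when the RPM probe fails), there might be a new route to the tracked IP address. If the system selects this new route, the upstream router might not have a route to the tracked IP address, the probes might always fail, and the system might never fail back. Therefore, the best practice is to always include the next-hop statement in the configuration.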
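The failback problem described above can be reproduced in a small model. The following Python sketch is an added example, not Juniper code: it simplifies RPM to one probe per tick, uses the addresses and preferences from this page, and assumes the worst case the text describes, in which the backup router 2.1.1.2 has no route to the tracked address.

```python
import ipaddress

TRACKED = ipaddress.ip_address("5.1.1.2")
# (prefix, next hop, preference) as seen in the show route output on this page.
STATIC = (ipaddress.ip_network("5.1.1.0/24"), "1.1.1.2", 5)    # Static/5
INJECTED = (ipaddress.ip_network("5.1.1.0/24"), "2.1.1.2", 1)  # Static/1
SUCCESSIVE_LOSS = 5  # thresholds successive-loss 5


def best_next_hop(routes, dst):
    """Pick the matching route with the lowest preference value."""
    matches = [r for r in routes if dst in r[0]]
    return min(matches, key=lambda r: r[2])[1]


def simulate(primary_up_by_tick, pinned_next_hop=None,
             reachable_via_backup=False):
    """Return the preferred-route state after each probe tick.

    pinned_next_hop models the RPM next-hop statement; when it is None the
    probe follows whatever the routing table currently prefers.
    reachable_via_backup is an assumption about the upstream router.
    """
    routes, losses, states = [STATIC], 0, []
    for primary_up in primary_up_by_tick:
        hop = pinned_next_hop or best_next_hop(routes, TRACKED)
        ok = primary_up if hop == "1.1.1.2" else reachable_via_backup
        losses = 0 if ok else losses + 1
        if losses >= SUCCESSIVE_LOSS and INJECTED not in routes:
            routes.append(INJECTED)   # probe failed: push preferred route
        elif ok and INJECTED in routes:
            routes.remove(INJECTED)   # probe succeeded: withdraw it
        states.append("APPLIED" if INJECTED in routes else "NOT-APPLIED")
    return states


if __name__ == "__main__":
    # Constructed timeline: primary path up, down for six probes, up again.
    timeline = [True] * 2 + [False] * 6 + [True] * 4
    print("pinned  :", simulate(timeline, pinned_next_hop="1.1.1.2")[-1])
    print("unpinned:", simulate(timeline)[-1])
```

With the next hop pinned, the route returns to NOT-APPLIED as soon as the primary path recovers; without it, the probe follows the injected route and the state stays APPLIED.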