Cisco ASA static route reachability tracking configuration example
When a network has uplinks to two ISPs, you can make sure a destination stays reachable by configuring a Service Level Agreement (SLA) monitor process that probes an arbitrary target address. The process is bound to a static route so that the route tracks whether the target is reachable: while the probe succeeds the route stays installed, and when it fails the route is withdrawn and the backup route takes over.
Simple topology:
Configuration example:
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 200.1.1.1 255.255.255.0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface ethernet 0/2
ciscoasa(config-if)# ip address 201.1.1.1 255.255.255.0
ciscoasa(config-if)# nameif outside_2
ciscoasa(config-if)# no shutdown
ciscoasa(config)# sla monitor 1    ! define the SLA monitor process
ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho 200.1.1.254 interface outside    ! define the reachability test
ciscoasa(config-sla-monitor-echo)# frequency 30    ! probe once every 30 seconds
ciscoasa(config-sla-monitor-echo)# threshold 2000    ! threshold of 2 seconds
ciscoasa(config-sla-monitor-echo)# timeout 5000    ! timeout of 5 seconds
ciscoasa(config-sla-monitor-echo)# exit
ciscoasa(config)# sla monitor schedule 1 life forever start-time now    ! start the SLA probe immediately
ciscoasa(config)# track 1 rtr 1 reachability    ! enable reachability tracking
ciscoasa(config)# sla monitor 2
ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho 201.1.1.254 interface outside_2
ciscoasa(config-sla-monitor-echo)# frequency 30
ciscoasa(config-sla-monitor-echo)# threshold 2000
ciscoasa(config-sla-monitor-echo)# timeout 5000
ciscoasa(config-sla-monitor-echo)# exit
ciscoasa(config)# sla monitor schedule 2 life forever start-time now
ciscoasa(config)# track 2 rtr 2 reachability
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 200.1.1.254 track 1    ! default route tied to track 1
ciscoasa(config)# route outside_2 0.0.0.0 0.0.0.0 201.1.1.254 2 track 2    ! backup default route, administrative distance 2, tied to track 2
Verifying the static route reachability tracking process:
ciscoasa(config)# show track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Down
  1 change, last change 00:04:10
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0
Track 2
  Response Time Reporter 2 reachability
  Reachability is Down
  1 change, last change 00:01:34
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0
ciscoasa(config)# debug sla monitor trace
IP SLA Monitor TRACE debugging for all operations is on
ciscoasa(config)# IP SLA Monitor(1) echo operation: Timeout
IP SLA Monitor(1) Scheduler: Updating result
IP SLA Monitor(2) Scheduler: Starting an operation
IP SLA Monitor(2) echo operation: Sending an echo operation
IP SLA Monitor(2) echo operation: Timeout
IP SLA Monitor(2) Scheduler: Updating result
Checking the SLA configuration:
ciscoasa(config)# show sla monitor configuration
SA Agent, Infrastructure Engine-II
Entry number: 1
Owner:
Tag:
Type of operation to perform: echo
Target address: 200.1.1.254
Interface: outside
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 30
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
Entry number: 2
Owner:
Tag:
Type of operation to perform: echo
Target address: 201.1.1.254
Interface: outside_2
Number of packets: 1
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 30
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:
ciscoasa(config)# show sla monitor operational-state
Entry number: 1
Modification time: 16:17:04.626 UTC Tue Oct 30 2012
Number of Octets Used by this Entry: 1480
Number of operations attempted: 18
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 16:25:34.659 UTC Tue Oct 30 2012
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0   RTTMin: 0   RTTMax: 0
NumOfRTT: 0 RTTSum: 0   RTTSum2: 0
Entry number: 2
Modification time: 16:19:41.114 UTC Tue Oct 30 2012
Number of Octets Used by this Entry: 1480
Number of operations attempted: 13
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 16:25:41.150 UTC Tue Oct 30 2012
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0   RTTMin: 0   RTTMax: 0
NumOfRTT: 0 RTTSum: 0   RTTSum2: 0
Checking the routing table:
ciscoasa(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    201.1.1.0 255.255.255.0 is directly connected, outside_2
C    200.1.1.0 255.255.255.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside