The ESR router uses the MultiWAN feature in failover mode to provide redundancy for outbound traffic when connected to two providers (ISP1, ISP2).
Part of the configuration:
esr# show running-config
vlan 2
  name "ISP1"
exit
vlan 3
  name "ISP2"
exit
wan load-balance target-list Test
  target 1
    ip address <ipaddr>
    enable
  exit
exit
bridge 1
  vlan 2
  ip firewall disable
  ip address 192.0.2.2/30
  wan load-balance nexthop 192.0.2.1
  wan load-balance target-list Test
  wan load-balance enable
  no spanning-tree enable
exit
bridge 2
  vlan 3
  ip firewall disable
  ip address 198.51.100.2/30
  wan load-balance nexthop 198.51.100.1
  wan load-balance target-list Test
  wan load-balance enable
  no spanning-tree enable
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport forbidden default-vlan
  switchport mode trunk
  switchport trunk allowed vlan add 2-3
exit
ip route 0.0.0.0/0 wan load-balance rule 1
wan load-balance rule 1
  failover
  outbound interface bridge 1 3
  outbound interface bridge 2
  enable
exit
With this configuration bridge 1 has a higher weight (3) than bridge 2, so in failover mode the default route (ip route 0.0.0.0/0 wan load-balance rule 1) resolves to bridge 1 while it is up. As a result, replies to traffic that arrived on bridge 2 (destined to 198.51.100.2) are sent to nexthop 192.0.2.1 via bridge 1 according to the routing table, i.e. the flow is routed asymmetrically: the reply carries source address 198.51.100.2 but leaves through the ISP1 link.
# for the example, ICMP packets are sent from src ip 203.0.113.1
esr# monitor bridge 2 address 203.0.113.1
13:12:11.085887 a8:f9:4b:ab:a9:b0 > a8:f9:4b:aa:b3:52, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 4988, offset 0, flags [DF], proto ICMP (1), length 84) 203.0.113.1 > 198.51.100.2: ICMP echo request, id 72, seq 20, length 64
13:12:12.086966 a8:f9:4b:ab:a9:b0 > a8:f9:4b:aa:b3:52, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 5083, offset 0, flags [DF], proto ICMP (1), length 84) 203.0.113.1 > 198.51.100.2: ICMP echo request, id 72, seq 21, length 64

# the replies (src ip 198.51.100.2) are sent to nexthop 192.0.2.1 from bridge 1
esr# monitor bridge 1 address 203.0.113.1
13:12:19.093404 a8:f9:4b:aa:b3:52 > a8:f9:4b:ac:9f:34, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 55599, offset 0, flags [none], proto ICMP (1), length 84) 198.51.100.2 > 203.0.113.1: ICMP echo reply, id 72, seq 28, length 64
13:12:20.094435 a8:f9:4b:aa:b3:52 > a8:f9:4b:ac:9f:34, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 55630, offset 0, flags [none], proto ICMP (1), length 84) 198.51.100.2 > 203.0.113.1: ICMP echo reply, id 72, seq 29, length 64
To make the reply packets go to the required nexthop, the Local PBR feature (policy-based routing applied to packets originated by the router itself) can be used:
Configuration:
# ip access-list extended entries matching the src ip of the reply packets
ip access-list extended from_bridge_1
  rule 1
    action permit
    match source-address 192.0.2.2 255.255.255.255
    enable
  exit
exit
ip access-list extended from_bridge_2
  rule 1
    action permit
    match source-address 198.51.100.2 255.255.255.255
    enable
  exit
exit

# route-map setting the nexthop for packets with src ip 198.51.100.2 (and likewise for src ip 192.0.2.2, in case bridge 2 is configured with the higher weight)
route-map PBR
  rule 1
    match ip access-group from_bridge_2
    action set ip next-hop verify-availability 198.51.100.1 10
  exit
  rule 2
    match ip access-group from_bridge_1
    action set ip next-hop verify-availability 192.0.2.1 10
  exit
exit

# apply the ACL-based routing policy; this policy applies to packets generated by the router itself
ip local policy route-map PBR

# configuration relevant to this example
esr# show running-config
vlan 2
  name "ISP1"
exit
vlan 3
  name "ISP2"
exit
ip access-list extended from_bridge_1
  rule 1
    action permit
    match source-address 192.0.2.2 255.255.255.255
    enable
  exit
exit
ip access-list extended from_bridge_2
  rule 1
    action permit
    match source-address 198.51.100.2 255.255.255.255
    enable
  exit
exit
route-map PBR
  rule 1
    match ip access-group from_bridge_2
    action set ip next-hop verify-availability 198.51.100.1 10
  exit
  rule 2
    match ip access-group from_bridge_1
    action set ip next-hop verify-availability 192.0.2.1 10
  exit
exit
ip local policy route-map PBR
wan load-balance target-list Test
  target 1
    ip address <ipaddr>
    enable
  exit
exit
bridge 1
  vlan 2
  ip firewall disable
  ip address 192.0.2.2/30
  wan load-balance nexthop 192.0.2.1
  wan load-balance target-list Test
  wan load-balance enable
  no spanning-tree enable
exit
bridge 2
  vlan 3
  ip firewall disable
  ip address 198.51.100.2/30
  wan load-balance nexthop 198.51.100.1
  wan load-balance target-list Test
  wan load-balance enable
  no spanning-tree enable
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport forbidden default-vlan
  switchport mode trunk
  switchport trunk allowed vlan add 2-3
exit
ip route 0.0.0.0/0 wan load-balance rule 1
wan load-balance rule 1
  failover
  outbound interface bridge 1 3
  outbound interface bridge 2
  enable
exit
With this configuration the replies are sent according to the PBR route-map, i.e. back out through bridge 2 to nexthop 198.51.100.1:
esr# monitor bridge 2 address 198.51.100.2
13:12:43.291585 a8:f9:4b:ab:a9:b0 > a8:f9:4b:aa:b3:52, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 6496, offset 0, flags [DF], proto ICMP (1), length 84) 203.0.113.1 > 198.51.100.2: ICMP echo request, id 73, seq 7, length 64
13:12:43.291669 a8:f9:4b:aa:b3:52 > a8:f9:4b:ab:a9:b0, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58594, offset 0, flags [none], proto ICMP (1), length 84) 198.51.100.2 > 203.0.113.1: ICMP echo reply, id 73, seq 7, length 64
13:12:44.293118 a8:f9:4b:ab:a9:b0 > a8:f9:4b:aa:b3:52, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 6565, offset 0, flags [DF], proto ICMP (1), length 84) 203.0.113.1 > 198.51.100.2: ICMP echo request, id 73, seq 8, length 64
13:12:44.293193 a8:f9:4b:aa:b3:52 > a8:f9:4b:ab:a9:b0, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58606, offset 0, flags [none], proto ICMP (1), length 84) 198.51.100.2 > 203.0.113.1: ICMP echo reply, id 73, seq 8, length 64
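The two monitor outputs above are the evidence that the problem exists and that the route-map fixes it, but reading them by eye does not scale past a couple of pings. As an added example (not part of the original article and not ESR code), the Python script below parses the tcpdump-style lines printed by monitor, pairs each ICMP echo request with its reply by addresses and ICMP id (not by seq, since the two captures were taken at different moments), and reports every flow whose reply left on a different bridge than the request arrived on. The sample lines are copied from the captures on this page; the dict keys that tag each capture with its bridge are an assumption of the script, because the CLI output itself does not name the interface. Such asymmetric replies are worth catching because an upstream that filters by source address can silently drop packets sourced from 198.51.100.2 that arrive over the ISP1 link.

```python
import re
from collections import defaultdict

# ICMP echo line as printed by `monitor bridge N` on the ESR (tcpdump -v style)
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(text):
    """Yield (kind, src, dst, icmp_id) for every ICMP echo line in one capture."""
    for line in text.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            yield m["kind"], m["src"], m["dst"], int(m["id"])


def find_asymmetric(captures):
    """captures maps an interface name to the text of `monitor <interface>`.

    Returns (client, router_ip, icmp_id, in_iface, out_iface) for every echo
    flow whose reply was seen leaving on a different interface than the one
    its request arrived on. Replies with no matching request are ignored.
    """
    requests_in = {}                 # (client, router_ip, id) -> ingress interface
    replies_out = defaultdict(set)   # same key -> interfaces the reply was seen on
    for iface, text in captures.items():
        for kind, src, dst, icmp_id in parse_icmp(text):
            if kind == "request":
                requests_in[(src, dst, icmp_id)] = iface
            else:  # reply: swap src/dst so the key matches the request
                replies_out[(dst, src, icmp_id)].add(iface)
    asymmetric = []
    for key, in_iface in requests_in.items():
        for out_iface in sorted(replies_out.get(key, ())):
            if out_iface != in_iface:
                asymmetric.append(key + (in_iface, out_iface))
    return sorted(asymmetric)


# Sample input copied from the monitor output on this page. The bridge each
# capture was taken on is recorded as the dict key (assumed; the CLI does not print it).
BEFORE_PBR = {
    "bridge 2": """\
13:12:11.085887 a8:f9:4b:ab:a9:b0 > a8:f9:4b:aa:b3:52, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 4988, offset 0, flags [DF], proto ICMP (1), length 84) 203.0.113.1 > 198.51.100.2: ICMP echo request, id 72, seq 20, length 64
13:12:12.086966 a8:f9:4b:ab:a9:b0 > a8:f9:4b:aa:b3:52, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 5083, offset 0, flags [DF], proto ICMP (1), length 84) 203.0.113.1 > 198.51.100.2: ICMP echo request, id 72, seq 21, length 64
""",
    "bridge 1": """\
13:12:19.093404 a8:f9:4b:aa:b3:52 > a8:f9:4b:ac:9f:34, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 55599, offset 0, flags [none], proto ICMP (1), length 84) 198.51.100.2 > 203.0.113.1: ICMP echo reply, id 72, seq 28, length 64
13:12:20.094435 a8:f9:4b:aa:b3:52 > a8:f9:4b:ac:9f:34, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 55630, offset 0, flags [none], proto ICMP (1), length 84) 198.51.100.2 > 203.0.113.1: ICMP echo reply, id 72, seq 29, length 64
""",
}

AFTER_PBR = {
    "bridge 2": """\
13:12:43.291585 a8:f9:4b:ab:a9:b0 > a8:f9:4b:aa:b3:52, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 6496, offset 0, flags [DF], proto ICMP (1), length 84) 203.0.113.1 > 198.51.100.2: ICMP echo request, id 73, seq 7, length 64
13:12:43.291669 a8:f9:4b:aa:b3:52 > a8:f9:4b:ab:a9:b0, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58594, offset 0, flags [none], proto ICMP (1), length 84) 198.51.100.2 > 203.0.113.1: ICMP echo reply, id 73, seq 7, length 64
""",
    "bridge 1": "",   # nothing for this flow was seen on bridge 1 after the fix
}

if __name__ == "__main__":
    for label, capture in (("before PBR", BEFORE_PBR), ("after PBR", AFTER_PBR)):
        print(label, find_asymmetric(capture) or "no asymmetric flows")
```

Run it against fresh monitor output from both bridges after any change to the wan load-balance weights or the route-map; an empty result for a flow that was answered is what confirms the replies are leaving on the interface the requests came in on.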