На маршрутизаторе ESR используется функционал MultiWAN в режиме failover для организации резервирования исходящего трафика при подключения к двум провайдерам(ISP1; ISP2).
Часть конфигурации:
esr# show running-config
vlan 2
name "ISP1"
exit
vlan 3
name "ISP2"
exit
wan load-balance target-list Test
target 1
ip address <ipaddr>
enable
exit
exit
bridge 1
vlan 2
ip firewall disable
ip address 192.0.2.2/30
wan load-balance nexthop 192.0.2.1
wan load-balance target-list Test
wan load-balance enable
no spanning-tree
enable
exit
bridge 2
vlan 3
ip firewall disable
ip address 198.51.100.2/30
wan load-balance nexthop 198.51.100.1
wan load-balance target-list Test
wan load-balance enable
no spanning-tree
enable
exit
interface gigabitethernet 1/0/2
mode switchport
switchport forbidden default-vlan
switchport mode trunk
switchport trunk allowed vlan add 2-3
exit
ip route 0.0.0.0/0 wan load-balance rule 1
wan load-balance rule 1
failover
outbound interface bridge 1 3
outbound interface bridge 2
enable
exit
При данной настройке bridge 1 имеет больший вес чем у bridge 2, соответственно при входящем трафике на bridge 2 (предназначен ip 198.51.100.2), ответы будут отправлены на nexthop 192.0.2.1(bridge 1) согласно таблицы маршрутизации.
# для примера отправляются icmp пакеты с src ip 203.0.113.1
esr# monitor bridge 2 address 203.0.113.1
13:12:11.085887 a8:f9:4b:ab:a9:b0 > a8:f9:4b:aa:b3:52, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 4988, offset 0, flags [DF], proto ICMP (1), length 84)
203.0.113.1 > 198.51.100.2: ICMP echo request, id 72, seq 20, length 64
13:12:12.086966 a8:f9:4b:ab:a9:b0 > a8:f9:4b:aa:b3:52, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 5083, offset 0, flags [DF], proto ICMP (1), length 84)
203.0.113.1 > 198.51.100.2: ICMP echo request, id 72, seq 21, length 64
# ответы(src ip 198.51.100.2) отправляются на nexthop 192.0.2.1 с bridge 1
esr# monitor bridge 1 address 203.0.113.1
13:12:19.093404 a8:f9:4b:aa:b3:52 > a8:f9:4b:ac:9f:34, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 55599, offset 0, flags [none], proto ICMP (1), length 84)
198.51.100.2 > 203.0.113.1: ICMP echo reply, id 72, seq 28, length 64
13:12:20.094435 a8:f9:4b:aa:b3:52 > a8:f9:4b:ac:9f:34, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 55630, offset 0, flags [none], proto ICMP (1), length 84)
198.51.100.2 > 203.0.113.1: ICMP echo reply, id 72, seq 29, length 64
Для решения вопроса с отправкой ответных ip пакетов на необходимый nexthop, возможно воспользоваться функционалом Local PBR(прероутинг):
Конфигурация:
# Настройка ip access-list extended для матчинга src ip ответных пакетов
ip access-list extended from_bridge_1
rule 1
action permit
match source-address 192.0.2.2 255.255.255.255
enable
exit
exit
ip access-list extended from_bridge_2
rule 1
action permit
match source-address 198.51.100.2 255.255.255.255
enable
exit
# Настройка route-map для указания nexthop для ip пакетов, имеющих src ip 198.51.100.2(также для src ip 192.0.2.2 в случае настройки большего веса на bridge 2)
route-map PBR
rule 1
match ip access-group from_bridge_2
action set ip next-hop verify-availability 198.51.100.1 10
exit
rule 2
match ip access-group from_bridge_1
action set ip next-hop verify-availability 192.0.2.1 10
exit
exit
# Назначается политика маршрутизации на основе списков доступа (ACL). Данная политика маршрутизации работает для пакетов, которые генерирует сам маршрутизатор.
ip local policy route-map PBR
# конфигурация, относящаяся к данному примеру
esr# show running-config
vlan 2
name "ISP1"
exit
vlan 3
name "ISP2"
exit
ip access-list extended from_bridge_1
rule 1
action permit
match source-address 192.0.2.2 255.255.255.255
enable
exit
exit
ip access-list extended from_bridge_2
rule 1
action permit
match source-address 198.51.100.2 255.255.255.255
enable
exit
route-map PBR
rule 1
match ip access-group from_bridge_2
action set ip next-hop verify-availability 198.51.100.1 10
exit
rule 2
match ip access-group from_bridge_1
action set ip next-hop verify-availability 192.0.2.1 10
exit
exit
ip local policy route-map PBR
wan load-balance target-list Test
target 1
ip address <ipaddr>
enable
exit
exit
bridge 1
vlan 2
ip firewall disable
ip address 192.0.2.2/30
wan load-balance nexthop 192.0.2.1
wan load-balance target-list Test
wan load-balance enable
no spanning-tree
enable
exit
bridge 2
vlan 3
ip firewall disable
ip address 198.51.100.2/30
wan load-balance nexthop 198.51.100.1
wan load-balance target-list Test
wan load-balance enable
no spanning-tree
enable
exit interface gigabitethernet 1/0/2
mode switchport
switchport forbidden default-vlan
switchport mode trunk
switchport trunk allowed vlan add 2-3
exit
ip route 0.0.0.0/0 wan load-balance rule 1
wan load-balance rule 1
failover
outbound interface bridge 1 3
outbound interface bridge 2
enable
exit
При данной конфигурации ответы будут отправлены согласно route-map PBR:
esr# monitor bridge 2 address 198.51.100.2
13:12:43.291585 a8:f9:4b:ab:a9:b0 > a8:f9:4b:aa:b3:52, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 6496, offset 0, flags [DF], proto ICMP (1), length 84)
203.0.113.1 > 198.51.100.2: ICMP echo request, id 73, seq 7, length 64
13:12:43.291669 a8:f9:4b:aa:b3:52 > a8:f9:4b:ab:a9:b0, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58594, offset 0, flags [none], proto ICMP (1), length 84)
198.51.100.2 > 203.0.113.1: ICMP echo reply, id 73, seq 7, length 64
13:12:44.293118 a8:f9:4b:ab:a9:b0 > a8:f9:4b:aa:b3:52, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 6565, offset 0, flags [DF], proto ICMP (1), length 84)
203.0.113.1 > 198.51.100.2: ICMP echo request, id 73, seq 8, length 64
13:12:44.293193 a8:f9:4b:aa:b3:52 > a8:f9:4b:ab:a9:b0, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58606, offset 0, flags [none], proto ICMP (1), length 84)
198.51.100.2 > 203.0.113.1: ICMP echo reply, id 73, seq 8, length 64