我们如何缩短DX和VPN之间的故障转移时间?
0
【以下的问题经过翻译处理】 AWS VPN 配置如下
config vpn ipsec phase1-interface
edit "transit-KR.P***"
set interface "Loopbk"
set local-gw 182.###.###.###
set keylife 28800
set proposal aes128-sha1
set dhgrp 2
set remote-gw 15.###.###.###
set psksecret .
set dpd-retryinterval 1
set dpd enable
set comments "aws-transit-****"
next
edit "transit-KR.****"
set interface "Loopbk"
set local-gw 182.###.###.###
set keylife 28800
set proposal aes128-sha1
set dhgrp 2
set remote-gw 52.###.###.###
set psksecret x
set dpd-retryinterval 1
set dpd enable
set comments "aws-transit-***"
next
end
config vpn ipsec phase2-interface
edit "transit-KR.####"
set phase1name "transit-KR.####"
set proposal aes128-sha1
set dhgrp 2
set keylifeseconds 3600
next
edit "transit-KR.****"
set phase1name "transit-KR.****"
set proposal aes128-sha1
set dhgrp 2
set keylifeseconds 3600
next
end
config system interface
edit "transit-KR.####"
set ip 169.###.###.### 255.255.255.255
set allowaccess ping
set tcp-mss 1387
set remote-ip 169.###.###.###
set description "aws-transit-****"
next
edit "transit-KR****"
set ip 169.###.###.### 255.255.255.255
set allowaccess ping
set tcp-mss 1387
set remote-ip 169.###.###.###
set description "aws-transit-****"
next
end
config router bgp
config neighbor
edit "169.###.###.###"
set remote-as 64514
set route-map-in aws-transitgw
set route-map-out non-transit
next
edit "169.###.###.###"
set remote-as 64514
set route-map-in aws-transitgw
set route-map-out non-transit
next
end
end
*****-FW-1 $ get router info bgp nei 169.###.###.### routes
BGP table version is 6042, local router ID is 182.###.###.###
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 10.80.64.0/18 169.###.###.### 100 0 64514 e
*> 10.80.120.0/24 169.###.###.### 100 0 64514 e
Total number of prefixes 2
DX bgp 配置如下
interface g3/7.30
description AWS_DX_vpc_test
logging event subif-link-status
no ip redirects
encapsulation dot1Q 30
ip address 172.16.1.57 255.255.255.252
bfd interval 100 min_rx 100 multiplier 3
ip as-path access-list 92 permit ^64513$
ip prefix-list ***-OUT-IPLIST seq 10 permit 10.56.0.0/13 le 32
ip prefix-list ***-OUT-IPLIST seq 20 permit 10.64.0.0/13 le 32
ip prefix-list ***-OUT-IPLIST seq 30 permit 10.28.0.0/14 le 32
ip prefix-list ***-OUT-IPLIST seq 40 permit 172.16.128.0/23 le 32
ip prefix-list ***-IN-IPLIST seq 10 permit 10.80.0.0/12 le 32
route-map AWS-KR-IN permit 10
match ip address prefix-list ***-IN-IPLIST
match as-path 92
set local-preference 100
set community 9710:1493
route-map ***-OUT permit 10
match ip address prefix-list ***-OUT-IPLIST
match as-path 1
set community none
router bgp 64710
neighbor 172.16.1.58 remote-as 64513
neighbor 172.16.1.58 password **********
neighbor 172.16.1.58 description AWS dx-transitgw test
neighbor 172.16.1.58 soft-reconfiguration inbound
neighbor 172.16.1.58 route-map ***-IN in
neighbor 172.16.1.58 route-map ***-OUT out
neighbor 172.16.1.58 fall-over bfd
VPN 配置是从 AWS VPN Config 下载的。
1 回答
- 最新
- 投票最多
- 评论最多
0
【以下的回答经过翻译处理】 您看到的故障转移时间都在可接受范围之内。BFD不能在VPN和DX连接之间提供亚毫秒级的故障转移。但BFD可以在DX连接之间提供快速的故障转移。AWS VPN不实现BFDs。最佳实践是使用基于BGP的VPN连接。在内部,路由需要几秒钟的时间才能收敛,然后从DX向VPN进行故障转移,反之亦然。
相关内容
AWS 官方已更新 1 年前- AWS 官方已更新 1 年前
- AWS 官方已更新 2 年前