After months of issues, they have finally restored my access to my blog! After such a hiatus, it is my pleasure to bring this particular post. I'm certain many will find it at the very least cool in an "I'm a network geek" kind of a way, or even better: you will find it very educational and even leverage it in your own world.
This is a solution I have been wanting to write about for a long time now, and let's be clear—it is not mine. This entire post is owed to a long-time personal friend of mine who is also one of the most talented and gifted technologists roaming the earth today. His name is Epaminondas Peter Karelis, CCIE #8068 (Pete).
皮特专为小ISE部署中有两个数据中心这个特殊的高可用性解决方案,如通过粗略我在下面的图所示。2020欧洲杯预赛
Aaron T. Woland
2. DC架构和IP SLA
I have often used Anycast in my Identity Service Engine (ISE) deployments. It's a terrific tool in the security toolbox to help ensure traffic goes to one place—the correct place, the closest place—and has a backup if that closer place is not available. However, this particular use of Anycast was something I never considered before.
对于那些你谁可能没有网络负责人,任播是一种联网技术,其中将完全相同的IP地址在网络内的多个地方存在。在这种情况下,相同的IP地址(2.2.2.2)被分配给Gig1接口上的所有RADIUS服务器(ISE PSN网络在我们的情况)的。在每个数据中心的路由器配置的静态路由22020欧洲杯预赛.2.2.2/32与PSN作为下一跳的Gig0 IP地址。这些静态路由被重新分配到路由协议;在这种情况下,使用EIGRP。选播依赖于路由协议,保证发往任播地址(2.2.2.2)的流量发送到该IP地址的最接近的实例。
Now that Anycast is setup to route 2.2.2.2 to the ISE PSN, Pete used EIGRP metrics to ensure that the preferred route pointed at the primary data center, while the route to the secondary data center is listed as the feasible successor (FS). With EIGRP, there is a sub-second delay when a route (known as the successor) is replaced with the backup route (known as the feasible successor).
How do we make the successor route drop from the routing table when the ISE node goes down? Pete configured an IP service-level agreement (IP SLA) on the router that checked the status of the HTTP service on the ISE PSN in the data center every five seconds. If the HTTP service stops responding on the active PSN, then the route is removed and the feasible successor takes over, causing all the traffic for 2.2.2.2 to be sent to the PSN in the secondary data center. The below figure illustrates the IP SLA function. And when it occurs, the only route left in the routing table is to the router at the secondary data center.
Aaron T. Woland
该IP SLA导致路由表中的变化
所有网络设备被配置为使用任播地址(2.2.2.2),如它们的配置的唯一RADIUS服务器。该RADIUS请求都将被发送到任何一个ISE节点活跃。
Example 1 below shows the interface configuration on the ISE PSN. The Gig0 interface is the actual routable IP address of the PSN, while Gig1 is in a VLAN to nowhere using the Anycast IP address.
实施例1 - ISE接口配置
Interface gig 0
!Actual IP of Nodeip address 1.1.1.1 255.255.255.0接口演出1!Anycast VIP assigned to all PSN nodes on G1ip address 2.2.2.2 255.255.255.255ip default-gateway[Real Gateway for Gig0]!note no static routes needed.
Example 2 shows the IP SLA configuration on the router, to test port 80 on the PSN every five seconds but to timeout after 1000 msec. When that timeout occurs, the router will be removed.
实施例2 - IP SLA配置
ip sla 1
!测试TCP端口80到节点的实际IP。!“控制禁用”是必要的,因为你是连接!to a host instead of an SLA respondertcp-connect 1.1.1.1 80 control disable!Consider the SLA as down if response gt 1000msec门槛1000!后1000毫秒超时。timeout 1000!Test every 5 Seconds:frequency 5ip sla schedule 1 life forever start-time now
track 1 ip sla 1
IP路由2.2.2.2 255.255.255.255 1.1.1.1轨道1
Example 3 shows the route redistribution configuration where the EIGRP metrics are applied. Pete was able to use the metrics that he chose specifically because he was very familiar his network. His warning to others attempting the same thing is to be familiar with your network or to test thoroughly when identifying the metrics that would work for you.
Example 3 — Route Redistribution
EIGRP的路由器[自治系统编号]引入静态路由映射,静态-TO-EIGRProute-map STATIC-TO-EIGRP permit 20match ip address prefix-list ISE_VIP!Set metrics correctlyset metric 1000000 1 255 1 1500ip prefix-list ISE_VIP seq 5 permit 2.2.2.2/32
嗯,这是它!我希望你喜欢这个,就像我没有看到它投入生产。与往常一样,我期待着阅读下面的评论。