Lowest Cost (SLA)
Concepts
SLA
A Service-Level Agreement (SLA) is an agreement between a service provider and its customer that guarantees measurable network performance meets a defined level of service quality. SD-WAN path selection is judged against this SLA quality standard: the SD-WAN rule keeps traffic on a link that meets the SLA, so that the SLA quality required by the business or customer is met.
SLA-Target
SD-WAN lets you define an SLA-Target that sets the latency, jitter and packet-loss targets to guarantee. As soon as a link exceeds the values configured in the SLA-Target, traffic is switched to another link, so that service at the SLA-Target quality level continues to be delivered.
An SLA Target has three types of threshold:
Latency (ms)
Jitter (ms)
Packet Loss (%)

config system sdwan
    config health-check
        edit "114_Check"
            set server "114.114.114.114"
            set members 0
            config sla
                edit 1
                    set latency-threshold 200
                    set packetloss-threshold 2
                next
                edit 2
                    set latency-threshold 250
                    set jitter-threshold 10
                    set packetloss-threshold 5
                next
                edit 3
                    set latency-threshold 300
                    set jitter-threshold 15
                    set packetloss-threshold 8
                next
            end
        next
    end
end

Both Lowest Cost (SLA) and Maximize Bandwidth (SLA) reference SLA Targets and base their evaluation and path selection on them.
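As an added illustration (not code from the original page or from FortiOS), the following Python models how a link's measured latency, jitter and loss are checked against each SLA entry of a health check and combined into the sla_map bitmask that diagnose sys sdwan health-check reports. It assumes that a metric is only checked when the entry sets a threshold for it, and that a value equal to the threshold still counts as within SLA.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SlaEntry:
    """One 'edit <id>' under 'config sla' of a health check."""
    sla_id: int
    latency_ms: Optional[float] = None   # set latency-threshold
    jitter_ms: Optional[float] = None    # set jitter-threshold
    loss_pct: Optional[float] = None     # set packetloss-threshold


def entry_met(entry: SlaEntry, latency: float, jitter: float, loss: float) -> bool:
    """True when the link stays within every threshold the entry defines.
    Assumption: a metric without a threshold is not checked, and a value
    equal to the threshold still counts as within SLA."""
    checks = ((entry.latency_ms, latency), (entry.jitter_ms, jitter), (entry.loss_pct, loss))
    return all(measured <= limit for limit, measured in checks if limit is not None)


def sla_map(entries: List[SlaEntry], latency: float, jitter: float, loss: float) -> int:
    """Bitmask with bit (sla_id - 1) set for each SLA entry the link meets, the
    same encoding as the sla_map=0x.. field of 'diagnose sys sdwan health-check'."""
    mask = 0
    for entry in entries:
        if entry_met(entry, latency, jitter, loss):
            mask |= 1 << (entry.sla_id - 1)
    return mask


# The three SLA entries of health-check "114_Check" configured above.
CHECK_114 = [
    SlaEntry(1, latency_ms=200, loss_pct=2),
    SlaEntry(2, latency_ms=250, jitter_ms=10, loss_pct=5),
    SlaEntry(3, latency_ms=300, jitter_ms=15, loss_pct=8),
]

if __name__ == "__main__":
    # Constructed measurements: a healthy link, a degraded link and a broken link.
    for latency, jitter, loss in ((19.9, 0.5, 0.0), (220.0, 8.0, 3.0), (320.0, 20.0, 9.0)):
        mask = sla_map(CHECK_114, latency, jitter, loss)
        print(f"latency={latency} jitter={jitter} loss={loss}% -> sla_map=0x{mask:x}")
```

A degraded link (220 ms, 8 ms jitter, 3% loss) fails the strict entry 1 but still meets entries 2 and 3, so its sla_map is 0x6 rather than 0x0.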
Path selection principles
- Only egress interfaces that meet the SLA-Targets are eligible for selection; an interface that falls below the SLA-Targets is removed from the candidate list.
- If several interfaces meet the SLA-Targets, the interface that appears earliest in the interface order configured in the SD-WAN rule is chosen to forward the SD-WAN traffic.
- Only one egress interface is preferred at a time for forwarding the SD-WAN traffic.
- Lowest Cost (SLA) works entirely on SLA-Targets. First define the SLA-Target criteria in the SD-WAN health check, then reference the relevant SLA-Targets in the SD-WAN rule. Only egress interfaces that meet the referenced SLA-Targets are considered by the rule for forwarding; among them, the interface earliest in the configured order is used, and only one interface forwards the data.
Configuration example
Network topology

Configuration steps
Define the SD-WAN member interfaces.

config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port2"
            set gateway 202.100.1.192
        next
        edit 2
            set interface "port3"
            set gateway 101.100.1.192
        next
        edit 3
            set interface "port4"
            set gateway 111.100.1.192
        next
        edit 4
            set interface "PPPOE1_DR_PENG"
        next
    end
end

Configure the default route bound to the SD-WAN zone.

config router static
    edit 1
        set distance 1
        set sdwan-zone "virtual-wan-link"
    next
end

Configure the health check; its SLA target monitors latency and packet loss toward Alibaba Cloud.

config system sdwan
    config health-check
        edit "Aliyun"
            set server "cn.aliyun.com"
            set members 1 2 3
            config sla
                edit 1
                    set link-cost-factor latency packet-loss
                    set latency-threshold 120
                    set packetloss-threshold 2
                next
            end
        next
    end
end

Configure the SD-WAN rule with the Alibaba Cloud Internet Services as its destination, referencing the SLA Target configured in the previous step.

config system sdwan
    config service
        edit 1
            set name "To_Aliyun"
            set mode sla
            set src "LAN_192.168.10.0"
            set internet-service enable
            set internet-service-name "Alibaba-Alibaba.Cloud" "Alibaba-DNS" "Alibaba-ICMP" "Alibaba-NTP" "Alibaba-SSH" "Alibaba-Web"
            config sla
                edit "Aliyun"
                    set id 1
                next
            end
            set priority-members 1 2 3
        next
    end
end

Configure a firewall policy that allows the SD-WAN traffic.
Important
If SNAT is done with an ippool, in an SD-WAN environment the ippool must be bound to an interface (associated-interface); otherwise the ippool may be applied on the wrong SD-WAN member and traffic is translated to the wrong source address.

config firewall ippool
    edit xxxx
        set associated-interface port2
    next
end

config firewall policy
    edit 1
        set name "To_Internet"
        set srcintf "port8"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "LAN_192.168.10.0"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end
Verification
Check the health-check status: all three links are alive.

SDWAN # diagnose sys sdwan health-check
Health Check(Aliyun):
Seq(1 port2): state(alive), packet-loss(0.000%) latency(19.893), jitter(0.531), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1
Seq(2 port3): state(alive), packet-loss(0.000%) latency(19.704), jitter(0.408), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1
Seq(3 port4): state(alive), packet-loss(0.000%) latency(19.719), jitter(0.556), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1

Check the SD-WAN rule status: the egress interface order is port2, port3, port4.

SDWAN # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(11), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
  Members(3):
    1: Seq_num(1 port2), alive, sla(0x0), gid(0), cfg_order(0), cost(0), selected
    2: Seq_num(2 port3), alive, sla(0x0), gid(0), cfg_order(1), cost(0), selected
    3: Seq_num(3 port4), alive, sla(0x0), gid(0), cfg_order(2), cost(0), selected
  Internet Service(6): Alibaba-Alibaba.Cloud(6881402,0,0,0) Alibaba-DNS(6881283,0,0,0) Alibaba-ICMP(6881282,0,0,0) Alibaba-NTP(6881288,0,0,0) Alibaba-SSH(6881286,0,0,0) Alibaba-Web(6881281,0,0,0)
  Src address(1):
        192.168.10.0-192.168.10.255

Check the SD-WAN rule in the policy-route list: the egress interface order is port2, port3, port4.

SDWAN # diagnose firewall proute list
list route policy info(vf=root):

id=2132213761(0x7f170001) vwl_service=1(To_Aliyun) vwl_mbr_seq=1 2 3 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(3) oif=4(port2) oif=5(port3) oif=6(port4)
source(1): 192.168.10.0-192.168.10.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(6): Alibaba-Alibaba.Cloud(6881402,0,0,0) Alibaba-DNS(6881283,0,0,0) Alibaba-ICMP(6881282,0,0,0) Alibaba-NTP(6881288,0,0,0) Alibaba-SSH(6881286,0,0,0) Alibaba-Web(6881281,0,0,0)
hit_count=0 last_used=2023-01-03 22:16:17

Check the routing table.

SDWAN # get router info routing-table all
...
S*      0.0.0.0/0 [1/0] via 101.100.1.192, port3, [1/0]
                  [1/0] via 111.100.1.192, port4, [1/0]
                  [1/0] via 114.100.1.196, PPPOE1_DR_PENG, [1/0]
                  [1/0] via 202.100.1.192, port2, [1/0]
...
Link failover test
Make the latency of port2 exceed the SLA-Target.

SDWAN # diagnose sys sdwan health-check
Health Check(Aliyun):
Seq(1 port2): state(alive), packet-loss(1.000%) latency(187.502), jitter(8.489), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x0
Seq(2 port3): state(alive), packet-loss(1.000%) latency(48.102), jitter(9.499), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1
Seq(3 port4): state(alive), packet-loss(1.000%) latency(48.508), jitter(8.618), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1

Check the SD-WAN rule status: because the latency of port2 no longer meets the SLA Target, the egress interface order changes to port3, port4, port2.

SDWAN # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(6), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
  Members(3):
    1: Seq_num(2 port3), alive, sla(0x1), gid(0), cfg_order(1), cost(0), selected    // port3 (WAN2) is now preferred for forwarding
    2: Seq_num(3 port4), alive, sla(0x1), gid(0), cfg_order(2), cost(0), selected
    3: Seq_num(1 port2), alive, sla(0x0), gid(0), cfg_order(0), cost(0), selected    // port2 does not meet the SLA and has been moved to the end of the order
  Internet Service(6): Alibaba-Alibaba.Cloud(6881402,0,0,0) Alibaba-DNS(6881283,0,0,0) Alibaba-ICMP(6881282,0,0,0) Alibaba-NTP(6881288,0,0,0) Alibaba-SSH(6881286,0,0,0) Alibaba-Web(6881281,0,0,0)
  Src address(1):
        192.168.10.0-192.168.10.255

Check the SD-WAN rule in the policy-route list: because the latency of port2 no longer meets the SLA Target, the egress interface order changes to port3, port4, port2.

SDWAN # diagnose firewall proute list
list route policy info(vf=root):

id=2132344833(0x7f190001) vwl_service=1(To_Aliyun) vwl_mbr_seq=2 3 1 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(3) oif=5(port3) oif=6(port4) oif=4(port2)
source(1): 192.168.10.0-192.168.10.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(6): Alibaba-Alibaba.Cloud(6881402,0,0,0) Alibaba-DNS(6881283,0,0,0) Alibaba-ICMP(6881282,0,0,0) Alibaba-NTP(6881288,0,0,0) Alibaba-SSH(6881286,0,0,0) Alibaba-Web(6881281,0,0,0)
hit_count=0 last_used=2023-01-03 22:16:17

Access Alibaba Cloud resources from a PC on the internal network and check the traffic log: the traffic has switched to port3.

Effect of the member interface Cost value on path selection
The Cost value of an SD-WAN member interface affects the interface selection order of Lowest Cost (SLA): if all SD-WAN member interfaces meet the SLA Target, the interface with the lowest Cost is preferred. This overrides the configured interface order with a user-defined SD-WAN interface priority.
For example, set port2 Cost 222, port3 Cost 111 and port4 Cost 333. Lowest Cost (SLA) then prefers WAN2 (port3), which has the lowest Cost, and ignores the configured interface order: the Cost values are compared first.

Check the health-check status: all three member interfaces meet the SLA Target.

SDWAN # diagnose sys sdwan health-check
Health Check(Aliyun):
Seq(1 port2): state(alive), packet-loss(0.000%) latency(20.301), jitter(0.578), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1
Seq(2 port3): state(alive), packet-loss(0.000%) latency(20.225), jitter(0.610), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1
Seq(3 port4): state(alive), packet-loss(0.000%) latency(20.143), jitter(0.571), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x1

Check the SD-WAN rule status: port3, with the lowest Cost, is preferred.

SDWAN # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
  Members(3):
    1: Seq_num(2 port3), alive, sla(0x1), gid(0), cfg_order(0), cost(111), selected    // port3, with the lowest Cost, is preferred
    2: Seq_num(1 port2), alive, sla(0x1), gid(0), cfg_order(2), cost(222), selected
    3: Seq_num(3 port4), alive, sla(0x1), gid(0), cfg_order(1), cost(333), selected
  Internet Service(6): Alibaba-Alibaba.Cloud(6881402,0,0,0) Alibaba-DNS(6881283,0,0,0) Alibaba-ICMP(6881282,0,0,0) Alibaba-NTP(6881288,0,0,0) Alibaba-SSH(6881286,0,0,0) Alibaba-Web(6881281,0,0,0)
  Src address(1):
        192.168.10.0-192.168.10.255

Check the SD-WAN rule in the policy-route list: port3, with the lowest Cost, is preferred.

SDWAN # diagnose firewall proute list
list route policy info(vf=root):

id=2132869121(0x7f210001) vwl_service=1(To_Aliyun) vwl_mbr_seq=2 1 3 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(3) oif=5(port3) oif=4(port2) oif=6(port4)    // port3, with the lowest Cost, is preferred
source(1): 192.168.10.0-192.168.10.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(6): Alibaba-Alibaba.Cloud(6881402,0,0,0) Alibaba-DNS(6881283,0,0,0) Alibaba-ICMP(6881282,0,0,0) Alibaba-NTP(6881288,0,0,0) Alibaba-SSH(6881286,0,0,0) Alibaba-Web(6881281,0,0,0)
hit_count=25 last_used=2023-01-03 22:49:28
Effect of member interface order on path selection
Set the cost of all SD-WAN member interfaces back to 0. If none of port2, port3 and port4 can meet the SLA target, how does the SD-WAN rule choose the egress interface?
Answer: if none of the three meets the SLA target values, the egress interface is chosen by the interface order configured in the SD-WAN rule, i.e. in the order port2, port3, port4, so port2 forwards the data first. In this case the configured order takes precedence.
Raise the latency of port2, port3 and port4 above the SLA Target.

SDWAN # diagnose sys sdwan health-check
Health Check(Aliyun):
Seq(1 port2): state(alive), packet-loss(0.000%) latency(156.008), jitter(2.069), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x0
Seq(2 port3): state(alive), packet-loss(0.000%) latency(186.951), jitter(2.078), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x0
Seq(3 port4): state(alive), packet-loss(0.000%) latency(176.968), jitter(2.055), bandwidth-up(9999999), bandwidth-dw(9999999), bandwidth-bi(19999998) sla_map=0x0

Check the SD-WAN rule status: when no member meets the SLA Target, the egress interface is chosen by the configured interface order.

SDWAN # diagnose sys sdwan service
Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
  Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
  Members(3):
    1: Seq_num(1 port2), alive, sla(0x0), gid(0), cfg_order(0), cost(0), selected    // when no member meets the SLA, the egress interface follows the configured interface order
    2: Seq_num(2 port3), alive, sla(0x0), gid(0), cfg_order(1), cost(0), selected
    3: Seq_num(3 port4), alive, sla(0x0), gid(0), cfg_order(2), cost(0), selected
  Internet Service(6): Alibaba-Alibaba.Cloud(6881402,0,0,0) Alibaba-DNS(6881283,0,0,0) Alibaba-ICMP(6881282,0,0,0) Alibaba-NTP(6881288,0,0,0) Alibaba-SSH(6881286,0,0,0) Alibaba-Web(6881281,0,0,0)
  Src address(1):
        192.168.10.0-192.168.10.255

Check the policy-route list: when no member meets the SLA Target, the egress interface is chosen by the configured interface order.

SDWAN # diagnose firewall proute list
list route policy info(vf=root):

id=2133131265(0x7f250001) vwl_service=1(To_Aliyun) vwl_mbr_seq=1 2 3 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0-65535 iif=0(any) dport=1-65535 path(3) oif=4(port2) oif=5(port3) oif=6(port4)    // when no member meets the SLA, the egress interface follows the configured interface order
source(1): 192.168.10.0-192.168.10.255
destination wildcard(1): 0.0.0.0/0.0.0.0
internet service(6): Alibaba-Alibaba.Cloud(6881402,0,0,0) Alibaba-DNS(6881283,0,0,0) Alibaba-ICMP(6881282,0,0,0) Alibaba-NTP(6881288,0,0,0) Alibaba-SSH(6881286,0,0,0) Alibaba-Web(6881281,0,0,0)
hit_count=25 last_used=2023-01-03 22:49:28
Effect of sla-compare-method number on path selection
A supplementary setting for the case above: if every member fails, the rule behaves as though there were no SLA Target at all, which is clearly not ideal and leaves room for optimisation. This is where another parameter comes in: set sla-compare-method number.
An SD-WAN rule can reference several SLA Targets and then refine how they are evaluated.

config system sdwan
    config service
        edit 1
            ...
            config sla
                edit "Aliyun"
                    set id 1
                next
                edit "114_Check"
                    set id 1
                next
                edit "Default_DNS"
                    set id 1
                next
                edit "Default_Office_365"
                    set id 1
                next
            end
            ...
            set sla-compare-method order    // default; with this setting the SLA targets are ANDed: any one unmet target removes the interface from the rule's selection, and if all targets fail the configured interface order is used
            ...
        next
    end
end

By default the CLI setting is set sla-compare-method order. With this setting the multiple SLA targets are combined with a logical AND: if any one SLA target is not met, the interface is removed from the SD-WAN rule's selection, and if all SLA targets fail, the egress interface is chosen by the configured interface order.

SDWAN (1) # set sla-compare-method
order     Compare SLA value based on the order of health-check.
number    Compare SLA value based on the number of satisfied health-check. Limits health-checks to only configured member interfaces.

set sla-compare-method number supplements the case where all SLA targets fail: if every member fails, the interface with the fewest failed SLA targets is chosen to forward the SD-WAN traffic. For example, if port2 fails 2 targets, port3 fails 3 and port4 fails 1, port4 is chosen to forward the data.
We configure SLA Targets against several servers and reference all of them in the SD-WAN rule. Even when every member fails, the interface that satisfies the most SLA Targets can still be chosen as the rule's egress interface, picking the best of a bad bunch. For this finer comparison, the health checks must use different destination IPs, each with its own SLA entry, and the SD-WAN rule must reference the SLA targets of those different servers.
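The ranking rules from the path selection principles, the Cost section and the sla-compare-method section, as an added Python model (not the page's or FortiOS's own code). It assumes that lower cost and then configured order break ties in both compare methods, which the page only shows for members that meet every target.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Member:
    name: str
    cfg_order: int        # position in 'set priority-members' (0 = first)
    cost: int             # 'set cost' on the SD-WAN member, 0 by default
    sla_met: List[bool]   # one flag per SLA target the rule references


def failed_targets(m: Member) -> int:
    return sum(1 for ok in m.sla_met if not ok)


def rank_members(members: List[Member], compare_method: str = "order") -> List[str]:
    """Return member names in selection order for a rule with 'set mode sla'.

    order  (default): the targets are ANDed. Members meeting every target rank
           first; any failed target moves the member behind all in-SLA members.
    number: members are ranked by the number of targets they fail, fewest
           first, so the least-bad member still wins when all of them fail.
    Within a rank, lower cost wins, then the configured order (assumption for
    members that fail targets; the page shows it for in-SLA members only).
    """
    if compare_method == "order":
        def rank(m: Member) -> int:
            return 1 if failed_targets(m) else 0
    elif compare_method == "number":
        rank = failed_targets
    else:
        raise ValueError("compare_method must be 'order' or 'number'")
    ordered = sorted(members, key=lambda m: (rank(m), m.cost, m.cfg_order))
    return [m.name for m in ordered]


def page_scenarios() -> Dict[str, List[str]]:
    """The cases walked through on the page, with constructed inputs."""
    def trio(costs=(0, 0, 0), met=((True,), (True,), (True,))) -> List[Member]:
        return [Member("port2", 0, costs[0], list(met[0])),
                Member("port3", 1, costs[1], list(met[1])),
                Member("port4", 2, costs[2], list(met[2]))]
    # Four targets: port2 fails 2, port3 fails 3, port4 fails 1 (the page's example).
    four = ((False, False, True, True), (False, False, False, True), (False, True, True, True))
    return {
        "all_in_sla": rank_members(trio()),
        "port2_out_of_sla": rank_members(trio(met=((False,), (True,), (True,)))),
        "cost_222_111_333": rank_members(trio(costs=(222, 111, 333))),
        "all_fail_order": rank_members(trio(met=four), "order"),
        "all_fail_number": rank_members(trio(met=four), "number"),
    }
```

With compare method order the all-fail case degrades to the configured order (port2 first); with number the same inputs put port4, which fails only one target, in front.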