闫辉 posted on 2022-11-25 15:52:01

【太阁干货】Is there really anyone who still doesn't understand something this basic?

https://pic3.zhimg.com/80/v2-1881a72739b8d0d427a0bfb92d8d425e_720w.webp

Today we look at how communication works under two different static-route configurations. First, the case where the next hop is the router's own outbound interface:

When R1 tries to ping 2.2.2.2, it has to encapsulate the ICMP packet, but without the MAC address for 2.2.2.2 the encapsulation cannot complete and you get "encapsulation failed". At that point R1 has to obtain the MAC address of 2.2.2.2 via ARP (same subnet) or proxy ARP (different subnet). Because 2.2.2.0/24 is treated as a directly connected network, R1 simply sends an ARP frame with target IP 2.2.2.2 and a destination MAC of all F's (broadcast). R2 receives this ARP broadcast frame; since the target IP is in a different subnet and proxy ARP is disabled on the router, the frame is decapsulated and then dropped. R1 never obtains the MAC address of 2.2.2.2, so it keeps reporting "encapsulation failed", and naturally the ping cannot succeed.

If instead you ping 1.1.1.1 from R2, it does work. Similar to the above, the first ICMP packet fails encapsulation and R2 sends an ARP broadcast. Because proxy ARP has not been disabled on R1, after decapsulating the ARP broadcast frame R1 finds that the target IP is on Loopback0 in its own routing table, so it re-encapsulates and forwards to 1.1.1.1. Since it does not yet know the MAC address of 1.1.1.1, R1 sends an ARP broadcast toward Loopback0 with a destination MAC of all F's and a target IP of 1.1.1.1; 1.1.1.1 replies to R1 with a unicast carrying its MAC address. R1 can then use that MAC address and 1.1.1.1 to encapsulate the data decapsulated from the earlier ARP broadcast frame and send it to 1.1.1.1; 1.1.1.1 in turn responds to R2. R2 thus learns the MAC address and IP address of 1.1.1.1, can encapsulate ICMP packets normally, and the ping succeeds.
Let's verify this. Basic configuration:

R1(config)#interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
R1(config)#ip route 2.2.2.0 255.255.255.0 FastEthernet0/0

R2(config)#interface Loopback0
 ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
R2(config)#ip route 1.1.1.0 255.255.255.0 10.1.1.1
R2(config)#int f0/0
R2(config-if)#no ip pro

Test:

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
…
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
2.0.0.0/24 is subnetted, 1 subnets
S 2.2.2.0 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0

You can see that R1 treats 2.2.2.0 as a directly connected network.
R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 25 c002.1148.0000 ARPA FastEthernet0/0

You can see that R1 has not learned the MAC address of 2.2.2.2.

R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

No reply, exactly as we guessed. Now switch to R2:

R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
…
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
S 1.1.1.0 via 10.1.1.1
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0

R2#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 1 c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 - c002.1148.0000 ARPA FastEthernet0/0
R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/56/128 ms

R1 -> 2.2.2.2 fails while R2 -> 1.1.1.1 succeeds, which further confirms our reasoning.

Now enable proxy ARP on R2's f0/0:

R2(config)#int f0/0
R2(config-if)#ip pro
R2(config-if)#ip proxy-arp
R2(config-if)#end
R2#
*Mar 1 00:59:58.691: %SYS-5-CONFIG_I: Configured from console by console
R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/67/124 ms
R2#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 21 c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 - c002.1148.0000 ARPA FastEthernet0/0

After enabling proxy ARP there is basically no visible change on R2. Now test on R1:

R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/52/76 ms

When R1 pings 2.2.2.2, the first frame fails encapsulation and the rest go through, consistent with our analysis.

R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/53/100 ms

Check R1's ARP table again: it has changed. R1 has now learned the MAC address of 2.2.2.2, confirming that our guess was correct.

R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 2.2.2.2 21 c002.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 53 c002.1148.0000 ARPA FastEthernet0/0

The whole process above can be captured; I tried all of it myself while running the lab, and in Wireshark you can see the traffic in both directions.

Capture on R2 f0/0 while R1 pings 2.2.2.2 with proxy ARP disabled on R2:

Capture on R2 f0/0 while R1 pings 2.2.2.2 with proxy ARP enabled on R2:

Next, let's look at the case where the next hop is the next-hop router's interface address. Same topology as above, with a small change to the configuration:

R1(config)#no ip route 2.2.2.0 255.255.255.0 f0/0
R1(config)#ip route 2.2.2.0 255.255.255.0 10.1.1.2

At the same time, enable proxy ARP on R2:

R2(config-if)#ip pro

Ping 2.2.2.2 from R1:

R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/42/76 ms
R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 1 c002.1148.0000 ARPA FastEthernet0/0

Now disable proxy ARP on R2 and ping 2.2.2.2 from R1again:

R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/60/96 ms
R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 0 c002.1148.0000 ARPA FastEthernet0/0

The packet capture shows:

From the above, for R1 -> 2.2.2.2 the destination IP is 2.2.2.2, but the destination MAC is that of R2's f0/0 interface.

R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 7 c002.1148.0000 ARPA FastEthernet0/0

Comparing the two processes: when the next hop is the next-hop router's interface IP address, it makes no difference whether proxy ARP is on or off, because it is never used at all. The destination IP is 2.2.2.2 and the destination MAC is the MAC of R2's f0/0; R2's f0/0 acts as the gateway for 2.2.2.2 and handles all traffic destined to 2.2.2.2. From start to finish, R1 never learns the MAC address of 2.2.2.2.

Cisco routers have proxy ARP enabled by default, but for security reasons it is usually disabled on edge routers. So if a static route inside the LAN uses the router's own outbound interface as the next hop, communication may fail. On Ethernet, therefore, we recommend using the next-hop router's interface IP address as the next hop, which avoids the loss of connectivity once proxy ARP is turned off.

Note: if you want to run this lab yourself, remember to change the ARP aging timer, or reboot the routers.

Now let's discuss point-to-point links. Change the router configuration as follows:

R1(config)#default int f0/0
R1(config)#int s1/1
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R2(config)#default int f0/0
R2(config)#int s1/1
R2(config-if)#ip add 10.1.1.2 255.255.255.0

R1 pings R2:

R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/44/76 ms
R1#

Disable proxy ARP on R2 and ping 1.1.1.1 from R2:

R2(config)#int s1/1
R2(config-if)#no ip pro
R2(config-if)#no ip proxy-arp
R2(config-if)#end
R2#
*Mar 1 00:04:37.343: %SYS-5-CONFIG_I: Configured from console by console
R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/46/72 ms

You can see that no ARP is involved. Looking at the packet contents, there are no source or destination MAC addresses, only a source IP and a destination IP. Now set the next hop to the router's own outbound interface:

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip route 2.2.2.0 255.255.255.0 s1/1
R1(config)#no ip route 2.2.2.0 255.255.255.0 10.1.1.2
R1(config)#end
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip route 1.1.1.0 255.255.255.0 s1/1
R2(config)#no ip route 1.1.1.0 255.255.255.0 10.1.1.1
R2(config)#end

R1 pings R2:

R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/57/108 ms

Disable proxy ARP on R2:

R2(config)#int s1/1
R2(config-if)#no ip proxy-arp
R2(config-if)#end
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/38/60 ms

From the above, on a point-to-point link it makes no difference whether the static next hop is specified as your own outbound interface or as the next-hop router's interface IP: the result is exactly the same, and it is not affected by proxy ARP.

Network engineers who want to attend 6IE instructor 闫辉's live classes and improve step by step are welcome to add 小老虎 on WeChat; 小老虎 will add you to the study group, and we will send a reminder before each live class starts.


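To make the difference between the two static-route forms concrete, here is an added Python model of R1's encapsulation decision (written for this edit, not code from the post or from any router): which address R1 ARPs for, whether R2 answers given its proxy-ARP setting, and what ends up in R1's ARP cache. Addresses and MACs are constructed to match the lab above, and the serial case is modelled simply as "no MAC header".

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of the post's lab: R1 f0/0 10.1.1.1 -- 10.1.1.0/24 -- f0/0 10.1.1.2 R2, R2 lo0 2.2.2.2
R2_IP, R2_MAC = "10.1.1.2", "c002.1148.0000"

def in_prefix(ip: str, prefix: str) -> bool:
    net, plen = prefix.split("/")
    as_int = lambda a: int.from_bytes(bytes(int(o) for o in a.split(".")), "big")
    mask = (0xFFFFFFFF << (32 - int(plen))) & 0xFFFFFFFF
    return as_int(ip) & mask == as_int(net) & mask

@dataclass
class Route:
    next_hop: Optional[str] = None  # None = static route that names only the exit interface
    p2p: bool = False               # serial point-to-point link: no ARP on this link at all

@dataclass
class Neighbor:  # the router at the far end of the link (R2 in the post)
    ip: str
    mac: str
    proxy_arp: bool
    routes: List[str]  # prefixes it can reach; a proxy reply needs one of them to match

    def answer_arp(self, target_ip: str) -> Optional[str]:
        # Own address is always answered; anything else only with proxy ARP on and a matching route.
        if target_ip == self.ip:
            return self.mac
        if self.proxy_arp and any(in_prefix(target_ip, p) for p in self.routes):
            return self.mac
        return None

def resolve(dst_ip: str, route: Route, nbr: Neighbor, cache: Dict[str, str]) -> Optional[str]:
    """Destination MAC R1 would write into the frame, or None for 'encapsulation failed'."""
    if route.p2p:
        return "no-mac"  # point-to-point encapsulation carries no MAC addresses
    # Exit-interface route: 2.2.2.2 looks on-link, so R1 ARPs for 2.2.2.2 itself; next-hop route: ARP for 10.1.1.2.
    target = dst_ip if route.next_hop is None else route.next_hop
    if target not in cache:
        mac = nbr.answer_arp(target)
        if mac is None:
            return None
        cache[target] = mac
    return cache[target]

def run_lab(route: Route, proxy_arp: bool):
    """First ping from R1 to 2.2.2.2 with an empty ARP cache; returns (dst_mac, arp_cache)."""
    r2 = Neighbor(R2_IP, R2_MAC, proxy_arp, ["2.2.2.0/24", "10.1.1.0/24"])
    cache: Dict[str, str] = {}
    return resolve("2.2.2.2", route, r2, cache), cache
```

Running `run_lab(Route(), False)` reproduces the "encapsulation failed" case, while `run_lab(Route(next_hop=R2_IP), False)` succeeds with only 10.1.1.2 in the cache, matching the `sh arp` output above.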

1194857167 posted on 2025-1-20 21:54:24

11111111111