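Contents
Troubleshooting network topology
Troubleshooting requirements
Troubleshooting
Fault 1
Fault 2
Fault 3
Fault symptom
Branch A and Branch B cannot reach each other
Fault analysis
View the routes R1 has learned via RIP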
[R1]display ip routing-table protocol rip
Summary count : 7
RIP Routing table status :
Summary count : 4
Destination/Mask Proto Pre Cost NextHop Interface
172.16.1.1/32 RIP 100 1 10.1.1.3 GE0/1
172.16.2.1/32 RIP 100 1 10.2.2.4 GE0/2
192.168.1.1/32 RIP 100 1 10.1.1.3 GE0/1
192.168.2.1/32 RIP 100 1 10.2.2.4 GE0/2
RIP Routing table status :
Summary count : 3
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.0/24 RIP 100 0 0.0.0.0 GE0/1
10.2.2.0/24 RIP 100 0 0.0.0.0 GE0/2
10.3.3.0/24 RIP 100 0 0.0.0.0 GE0/0
[R1]
View the routes R3 has learned via RIP
display ip routing-table protocol rip
Summary count : 3
RIP Routing table status :
Summary count : 0
RIP Routing table status :
Summary count : 3
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.0/24 RIP 100 0 0.0.0.0 GE0/0
172.16.1.1/32 RIP 100 0 0.0.0.0 Loop1
192.168.1.1/32 RIP 100 0 0.0.0.0 Loop0
View the routes R4 has learned via RIP
display ip routing-table protocol rip
Summary count : 3
RIP Routing table status :
Summary count : 0
RIP Routing table status :
Summary count : 3
Destination/Mask Proto Pre Cost NextHop Interface
10.2.2.0/24 RIP 100 0 0.0.0.0 GE0/0
172.16.2.1/32 RIP 100 0 0.0.0.0 Loop1
192.168.2.1/32 RIP 100 0 0.0.0.0 Loop0
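We can see that the Branch A and Branch B routers have not learned each other's routes via RIP, which suggests a problem with the RIP route advertisement. Checking the RIP configuration on R1, R3 and R4, however, shows that the network statements are correct.
So why can the service subnets of Branch A and Branch B not reach each other? The troubleshooting requirements state that only flow B may pass between the branches, so we can check whether an incorrect route-filtering configuration is what keeps the service subnets apart.
Looking at the RIP configuration on R3 and R4, we find that both use a filter policy: incoming routes are filtered against ACL 2000.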
[R3-rip-1]di th
#
rip 1
undo summary
version 2
network 10.0.0.0
network 172.16.0.0
network 192.168.1.0
filter-policy 2000 import
#
return
[R3-rip-1]
[R4]rip
[R4-rip-1]di th
#
rip 1
undo summary
version 2
network 10.0.0.0
network 172.16.0.0
network 192.168.2.0
filter-policy 2000 import
#
return
[R4-rip-1]
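Check whether ACL 2000 is configured correctly
We can see that ACL 2000 on R3 and R4 denies the flow A service subnet but contains no rule permitting any other route, so every route that matches no rule is dropped and flow B cannot pass either.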
[R3-acl-ipv4-basic-2000]di th
#
acl basic 2000
rule 0 deny source 192.168.2.1 0
#
return
[R4-acl-ipv4-basic-2000]di th
#
acl basic 2000
rule 0 deny source 192.168.1.1 0
#
return
Fault resolution
Add a rule to ACL 2000 on R3 and R4 that permits all other routes
[R3-acl-ipv4-basic-2000]rule 5 permit source any
[R4-acl-ipv4-basic-2000]rule 5 permit source any
After the change, only flow B can pass between Branch A and Branch B
[R3]ping -a 172.16.1.1 172.16.2.1
Ping 172.16.2.1 (172.16.2.1) from 172.16.1.1: 56 data bytes, press CTRL+C to break
56 bytes from 172.16.2.1: icmp_seq=0 ttl=254 time=3.237 ms
56 bytes from 172.16.2.1: icmp_seq=1 ttl=254 time=2.260 ms
56 bytes from 172.16.2.1: icmp_seq=2 ttl=254 time=3.895 ms
56 bytes from 172.16.2.1: icmp_seq=3 ttl=254 time=3.659 ms
56 bytes from 172.16.2.1: icmp_seq=4 ttl=254 time=0.844 ms
--- Ping statistics for 172.16.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.844/2.779/3.895/1.117 ms
[R3]%Feb 6 14:01:33:956 2024 R3 PING/6/PING_STATISTICS: Ping statistics for 172.16.2.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.844/2.779/3.895/1.117 ms.
[R3]
[R3]ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL+C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[R3]%Feb 6 14:01:27:324 2024 R3 PING/6/PING_STATISTICS: Ping statistics for 192.168.2.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
Fault symptom
Flow A cannot pass between the branches (Branch A and Branch B) and headquarters
[R3]ping -a 192.168.1.1 192.168.0.1
Ping 192.168.0.1 (192.168.0.1) from 192.168.1.1: 56 data bytes, press CTRL+C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 192.168.0.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[R3]%Feb 6 14:03:08:361 2024 R3 PING/6/PING_STATISTICS: Ping statistics for 192.168.0.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
[R4]ping -a 192.168.2.1 192.168.0.1
Ping 192.168.0.1 (192.168.0.1) from 192.168.2.1: 56 data bytes, press CTRL+C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 192.168.0.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[R4]%Feb 6 14:04:34:574 2024 R4 PING/6/PING_STATISTICS: Ping statistics for 192.168.0.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
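Fault analysis
The troubleshooting requirements call for mutual redistribution between OSPF and RIP on R1, with only flow A allowed to pass between headquarters and the branches. So on R1 we check whether the route filtering applied to the mutual redistribution is configured correctly.
When RIP imports OSPF routes, it calls the route policy r2o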
[R1-rip-1]di th
#
rip 1
undo summary
version 2
network 10.0.0.0
import-route ospf 1 route-policy r2o
#
return
[R1-ospf-1]di th
#
ospf 1
import-route rip 1 route-policy o2r
area 0.0.0.0
network 10.3.3.0 0.0.0.255
#
return
When OSPF imports RIP routes, it calls the route policy o2r. This policy matches ACL 2001, and that ACL permits the route 192.168.0.1, which is wrong
[R1]ospf 1
[R1-ospf-1]di th
#
ospf 1
import-route rip 1 route-policy o2r
area 0.0.0.0
network 10.3.3.0 0.0.0.255
#
return
[R1-ospf-1]display route-policy name o2r
Route-policy: o2r
Permit : 10
if-match ip address acl 2001
[R1-ospf-1]display acl 2001
Basic IPv4 ACL 2001, 1 rule,
ACL's step is 5
rule 0 permit source 192.168.0.1 0
[R1-ospf-1]
When RIP imports OSPF routes, it calls the route policy r2o. This policy matches ACL 2000, and that ACL permits the two routes 192.168.1.1 and 192.168.2.1, which is wrong
[R1-rip-1]di th
#
rip 1
undo summary
version 2
network 10.0.0.0
import-route ospf 1 route-policy r2o
#
return
[R1]display route-policy name r2o
Route-policy: r2o
Permit : 10
if-match ip address acl 2000
[R1]display acl 2000
Basic IPv4 ACL 2000, 2 rules,
ACL's step is 5
rule 0 permit source 192.168.1.1 0
rule 5 permit source 192.168.2.1 0
[R1]
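Fault resolution
On inspection, we find that the route policies were swapped when redistribution was configured: importing OSPF should call the route policy o2r, and importing RIP should call the route policy r2o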
[R1-rip-1]import-route ospf route-policy o2r
[R1-ospf-1]import-route rip route-policy r2o
After the change, R2 successfully learns the branches' flow A routes
display ip routing-table
Destinations : 14 Routes : 14
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
10.3.3.0/24 Direct 0 0 10.3.3.2 GE0/0
10.3.3.2/32 Direct 0 0 127.0.0.1 InLoop0
10.3.3.255/32 Direct 0 0 10.3.3.2 GE0/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
172.16.0.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.0.1/32 Direct 0 0 127.0.0.1 InLoop0
192.168.1.1/32 O_ASE2 150 1 10.3.3.1 GE0/0
192.168.2.1/32 O_ASE2 150 1 10.3.3.1 GE0/0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
Likewise, R3 and R4 learn the headquarters flow A route via RIP
R3 and R4 can now reach headquarters over flow A
ping -a 192.168.1.1 192.168.0.1
Ping 192.168.0.1 (192.168.0.1) from 192.168.1.1: 56 data bytes, press CTRL+C to break
56 bytes from 192.168.0.1: icmp_seq=0 ttl=254 time=4.896 ms
56 bytes from 192.168.0.1: icmp_seq=1 ttl=254 time=4.062 ms
56 bytes from 192.168.0.1: icmp_seq=2 ttl=254 time=3.625 ms
56 bytes from 192.168.0.1: icmp_seq=3 ttl=254 time=2.129 ms
56 bytes from 192.168.0.1: icmp_seq=4 ttl=254 time=3.376 ms
--- Ping statistics for 192.168.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.129/3.618/4.896/0.906 ms
%Feb 6 14:21:41:958 2024 R3 PING/6/PING_STATISTICS: Ping statistics for 192.168.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.129/3.618/4.896/0.906 ms.
ping -a 192.168.2.1 192.168.0.1
Ping 192.168.0.1 (192.168.0.1) from 192.168.2.1: 56 data bytes, press CTRL+C to break
56 bytes from 192.168.0.1: icmp_seq=0 ttl=254 time=1.790 ms
56 bytes from 192.168.0.1: icmp_seq=1 ttl=254 time=2.198 ms
56 bytes from 192.168.0.1: icmp_seq=2 ttl=254 time=2.883 ms
56 bytes from 192.168.0.1: icmp_seq=3 ttl=254 time=2.031 ms
56 bytes from 192.168.0.1: icmp_seq=4 ttl=254 time=1.940 ms
--- Ping statistics for 192.168.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.790/2.168/2.883/0.381 ms
%Feb 6 14:23:47:360 2024 R4 PING/6/PING_STATISTICS: Ping statistics for 192.168.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.790/2.168/2.883/0.381 ms.
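The ACL behaviour behind faults 1 and 2, as an added example that is not part of the original write-up: a basic ACL used for route filtering matches each route's destination against its rules in rule-ID order, and a route that matches no rule is denied. The route policies r2o and o2r are modelled as a single permit node matching one ACL, and the OSPF route list on R1 is an assumption taken from R2's loopbacks.

```python
import ipaddress

def parse_acl(text):
    """Parse 'rule <id> permit|deny source <addr> <wildcard>|any' lines, ordered by rule ID."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[4] == "any":
            addr, wild = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(tok[4]))
            # A wildcard written as "0" is shorthand for 0.0.0.0 (exact host match)
            wild = int(ipaddress.IPv4Address(tok[5])) if "." in tok[5] else int(tok[5])
        rules.append((int(tok[1]), tok[2], addr, wild))
    return sorted(rules)

def permitted(acl_text, routes):
    """Routes the ACL lets through: first matching rule wins, no match means deny."""
    rules, kept = parse_acl(acl_text), []
    for prefix in routes:
        dest = int(ipaddress.ip_network(prefix).network_address)
        for _rule_id, action, addr, wild in rules:
            if (dest | wild) == (addr | wild):
                if action == "permit":
                    kept.append(prefix)
                break
    return kept

# Fault 1: branch B routes arriving at R3 over RIP (prefixes from the page)
BRANCH_B = ["172.16.2.1/32", "192.168.2.1/32"]
R3_ACL_BEFORE = "rule 0 deny source 192.168.2.1 0"
R3_ACL_AFTER = R3_ACL_BEFORE + "\nrule 5 permit source any"

# Fault 2: R1's ACLs and the routes on each side of the redistribution
R1_ACL_2000 = "rule 0 permit source 192.168.1.1 0\nrule 5 permit source 192.168.2.1 0"  # r2o
R1_ACL_2001 = "rule 0 permit source 192.168.0.1 0"                                      # o2r
RIP_ROUTES = ["172.16.1.1/32", "172.16.2.1/32", "192.168.1.1/32", "192.168.2.1/32"]
OSPF_ROUTES = ["172.16.0.1/32", "192.168.0.1/32"]  # assumption: R2 advertises both loopbacks

if __name__ == "__main__":
    print(permitted(R3_ACL_BEFORE, BRANCH_B))    # deny rule only: flow B is dropped too
    print(permitted(R3_ACL_AFTER, BRANCH_B))     # with rule 5: only flow B is accepted
    print(permitted(R1_ACL_2001, RIP_ROUTES))    # OSPF importing RIP through o2r, as found
    print(permitted(R1_ACL_2000, RIP_ROUTES))    # OSPF importing RIP through r2o, as fixed
    print(permitted(R1_ACL_2000, OSPF_ROUTES))   # RIP importing OSPF through r2o, as found
    print(permitted(R1_ACL_2001, OSPF_ROUTES))   # RIP importing OSPF through o2r, as fixed
```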
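Fault symptom
A packet capture on interface 0/0 of R1, which is in the OSPF area, still shows RIP packets
Fault analysis
When R1 advertises the 10.0.0.0 network into RIP, interface 0/0 of R1, which sits in the OSPF area, is also enabled for RIP, so the interface sends RIP broadcast packets; it has not been configured as a silent interface.
Fault resolution
Configure the interface as a silent interface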
[R1-rip-1]silent-interface GigabitEthernet 0/0
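A configuration check for fault 3, added here as an example and not taken from the original write-up: it flags interfaces that a RIP network statement covers, that also fall under an OSPF network statement, and that are not listed as silent. The GE0/1 and GE0/2 host addresses on R1 are constructed; 10.3.3.1 on GE0/0 comes from the next hop in R2's routing table.

```python
import ipaddress

def natural(net):
    """Natural (classful) network of a RIP 'network' statement given without a wildcard."""
    first = int(net.split(".")[0])
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{net}/{plen}", strict=False)

def parse(config):
    """Collect RIP networks, RIP silent interfaces and OSPF networks from display-style text."""
    rip, silent, ospf, section = [], set(), [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] == "#":
            section = None
        elif tok[0] in ("rip", "ospf"):
            section = tok[0]
        elif section == "rip" and tok[0] == "network":
            rip.append(natural(tok[1]))
        elif section == "rip" and tok[0] == "silent-interface":
            silent.add("".join(tok[1:]))  # "GigabitEthernet 0/0" -> "GigabitEthernet0/0"
        elif section == "ospf" and tok[0] == "network":
            ospf.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))  # wildcard-mask form
    return rip, silent, ospf

def rip_on_ospf_interfaces(config, interfaces):
    """Interfaces that RIP covers, that also run OSPF, and that are not silent."""
    rip, silent, ospf = parse(config)
    hits = []
    for name, addr in interfaces.items():
        ip = ipaddress.ip_address(addr)
        if name not in silent and any(ip in n for n in rip) and any(ip in n for n in ospf):
            hits.append(name)
    return hits

# R1 interfaces: 10.3.3.1 is from the page, the other two host addresses are constructed
R1_INTERFACES = {"GigabitEthernet0/0": "10.3.3.1", "GigabitEthernet0/1": "10.1.1.1",
                 "GigabitEthernet0/2": "10.2.2.1"}
R1_BEFORE = """rip 1
 version 2
 network 10.0.0.0
#
ospf 1
 area 0.0.0.0
  network 10.3.3.0 0.0.0.255
#"""
R1_AFTER = R1_BEFORE.replace("#\nospf", " silent-interface GigabitEthernet 0/0\n#\nospf")

if __name__ == "__main__":
    print(rip_on_ospf_interfaces(R1_BEFORE, R1_INTERFACES))  # GE0/0 still speaks RIP
    print(rip_on_ospf_interfaces(R1_AFTER, R1_INTERFACES))   # nothing left to flag
```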