Fixing packet loss on a dynamic IPsec VPN
1.1. Lab objective:
When routers build a dynamic IPsec VPN between themselves over static routes, it matters whether the static route points at a next-hop address or at the router's own (Ethernet) interface: the interface form causes packet loss!
1.2. Lab topology:
(The topology diagram is not reproduced here. From the configurations below: R3 Lo0 3.3.3.3, R3 F0/0 23.1.1.3 -- 23.1.1.0/24 -- R2 F1/0 23.1.1.2; R2 F0/0 12.1.1.2 -- 12.1.1.0/24 -- R1 F0/0 12.1.1.1; R1 F1/0 15.1.1.1 -- 15.1.1.0/24 -- R5 F0/0 15.1.1.5. R1 carries a dynamic crypto map; R3 a static crypto map peering with 12.1.1.1, protecting traffic between 3.3.3.3 and 15.1.1.5.)
1.3. Lab configuration:
(The crypto settings below, 3DES/MD5/DH group 2 and a wildcard pre-shared key of "cisco", are lab values chosen for simplicity, not something to deploy.)
R1#sh running-config
Building configuration...
Current configuration : 1067 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto keyring cisco
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp profile cisco
keyring cisco
match identity address 0.0.0.0
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
!
crypto dynamic-map cisco 1
set transform-set cisco
set isakmp-profile cisco
!
!
crypto map mymap 1 ipsec-isakmp dynamic cisco
!
!
!
!
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet1/0
ip address 15.1.1.1 255.255.255.0
duplex auto
speed auto
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0   // note this line in particular!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
R1#
R2#sh ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            12.1.1.2        YES NVRAM  up                    up
FastEthernet1/0            23.1.1.2        YES NVRAM  up                    up
R2#
R3#sh running-config
Building configuration...
Current configuration : 936 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 12.1.1.1
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 12.1.1.1
set transform-set cisco
match address 100
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
ip address 23.1.1.3 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 23.1.1.2   // this one, by contrast, is fine!
!
!
access-list 100 permit ip host 3.3.3.3 host 15.1.1.5
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
R3#
R5#sh ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            15.1.1.5        YES NVRAM  up                    up
R5#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 15.1.1.1 to network 0.0.0.0

     15.0.0.0/24 is subnetted, 1 subnets
C       15.1.1.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 15.1.1.1
R5#
1.4. Basic connectivity tests:
On R5, ping R1:
R5#ping 15.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/41/64 ms
R5#
On R1, ping R3:
R1#p 23.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.1.1.3, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 20/84/120 ms
R1#
VPN test:
On R3, ping R5:
R3#
*Mar 1 00:24:05.487: %SYS-5-CONFIG_I: Configured from console by console
R3#ping 15.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.1.1.5, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#
No connectivity! The U's are ICMP unreachables: this ping is sourced from 23.1.1.3, which crypto ACL 100 on R3 does not match, so the packets leave in the clear towards R2, and R2, which at this point has no route to 15.1.1.0/24 (only its two connected networks), answers with unreachables.
On R5, ping R3's Loopback0:
R5#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
No connectivity either! No VPN tunnel exists yet, and R1 cannot build one itself: its crypto map is dynamic, so R1 can only answer IKE from a peer, never initiate. The echo simply follows R1's default route out FastEthernet0/0 in the clear, and nothing comes back.
1.5. Fixing the VPN packet loss:
Before triggering any interesting traffic, look at each router's ARP cache:
R1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  15.1.1.5               21   cc00.0810.0000  ARPA   FastEthernet1/0
Internet  12.1.1.1                -   cc00.0a80.0000  ARPA   FastEthernet0/0
Internet  15.1.1.1                -   cc00.0a80.0010  ARPA   FastEthernet1/0
Internet  23.1.1.3                0   cc00.0c5c.0000  ARPA   FastEthernet0/0
R1#
Look closely at the 23.1.1.3 entry on FastEthernet0/0 (it was highlighted in red in the original). Its MAC address, cc00.0c5c.0000, is the address of R2's F0/0 (12.1.1.2 in R2's own table below): R2 answered R1's ARP request for 23.1.1.3 by proxy, because R2 is directly connected to 23.1.1.0/24.
R2#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.1.1.1                1   cc00.0a80.0000  ARPA   FastEthernet0/0
Internet  12.1.1.2                -   cc00.0c5c.0000  ARPA   FastEthernet0/0
Internet  23.1.1.3                2   cc00.0ea8.0000  ARPA   FastEthernet1/0
Internet  23.1.1.2                -   cc00.0c5c.0010  ARPA   FastEthernet1/0
R2#
R3#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  23.1.1.3                -   cc00.0ea8.0000  ARPA   FastEthernet0/0
Internet  23.1.1.2                2   cc00.0c5c.0010  ARPA   FastEthernet0/0
R3#
Enable debug arp on R1 and on R2:
R1#debug arp
ARP packet debugging is on
R1#
R2#debug arp
ARP packet debugging is on
R2#
With the ARP caches recorded, now trigger the VPN traffic: on R3, ping R5 sourced from Loopback0:
R3#ping 15.1.1.5 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.1.1.5, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!.!.
Success rate is 60 percent (3/5), round-trip min/avg/max = 184/196/204 ms
R3#
Two of the five packets were lost (60% success). Here is the ARP debug output on R1 and R2:
R1#
*Mar 1 00:34:15.643: IP ARP: creating incomplete entry for IP address: 3.3.3.3 interface FastEthernet0/0
*Mar 1 00:34:15.643: IP ARP: sent req src 12.1.1.1 cc00.0a80.0000, dst 3.3.3.3 0000.0000.0000 FastEthernet0/0
*Mar 1 00:34:17.827: IP ARP: sent req src 12.1.1.1 cc00.0a80.0000, dst 3.3.3.3 0000.0000.0000 FastEthernet0/0
*Mar 1 00:34:22.215: IP ARP: sent req src 12.1.1.1 cc00.0a80.0000, dst 3.3.3.3 0000.0000.0000 FastEthernet0/0
*Mar 1 00:34:22.459: IP ARP throttled out the ARP Request for 3.3.3.3
*Mar 1 00:34:24.655: IP ARP: sent req src 12.1.1.1 cc00.0a80.0000, dst 3.3.3.3 0000.0000.0000 FastEthernet0/0
R2#
*Mar 1 00:33:19.939: IP ARP: rcvd req src 12.1.1.1 cc00.0a80.0000, dst 3.3.3.3 FastEthernet0/0
*Mar 1 00:33:22.131: IP ARP: rcvd req src 12.1.1.1 cc00.0a80.0000, dst 3.3.3.3 FastEthernet0/0
*Mar 1 00:33:26.507: IP ARP: rcvd req src 12.1.1.1 cc00.0a80.0000, dst 3.3.3.3 FastEthernet0/0
*Mar 1 00:33:28.943: IP ARP: rcvd req src 12.1.1.1 cc00.0a80.0000, dst 3.3.3.3 FastEthernet0/0
Check R1's ARP table again:
R1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  3.3.3.3                 0   Incomplete      ARPA
Internet  15.1.1.5               26   cc00.0810.0000  ARPA   FastEthernet1/0
Internet  12.1.1.1                -   cc00.0a80.0000  ARPA   FastEthernet0/0
Internet  15.1.1.1                -   cc00.0a80.0010  ARPA   FastEthernet1/0
Internet  23.1.1.3                5   cc00.0c5c.0000  ARPA   FastEthernet0/0
R1#
See it? The entry for R3's Loopback0 is Incomplete: R1 sent the ARP request, nobody on the segment answered, and the packet waiting on that entry was dropped when the request timed out.
A little later, check R1's ARP cache again:
R1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  15.1.1.5               32   cc00.0810.0000  ARPA   FastEthernet1/0
Internet  12.1.1.1                -   cc00.0a80.0000  ARPA   FastEthernet0/0
Internet  15.1.1.1                -   cc00.0a80.0010  ARPA   FastEthernet1/0
Internet  23.1.1.3               11   cc00.0c5c.0000  ARPA   FastEthernet0/0
R1#
The Incomplete entry for 3.3.3.3 has aged out. Ping 15.1.1.5 from R3 again:
R3#ping 15.1.1.5 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.1.1.5, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 160/189/204 ms
R3#
Still losing packets!
Check R1's ARP cache once more:
R1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  3.3.3.3                 0   Incomplete      ARPA
Internet  15.1.1.5               33   cc00.0810.0000  ARPA   FastEthernet1/0
Internet  12.1.1.1                -   cc00.0a80.0000  ARPA   FastEthernet0/0
Internet  15.1.1.1                -   cc00.0a80.0010  ARPA   FastEthernet1/0
Internet  23.1.1.3               12   cc00.0c5c.0000  ARPA   FastEthernet0/0
R1#
The Incomplete entry for 3.3.3.3 is back on R1. So every time R3 pings R5 from Loopback0, R1 sends a fresh ARP request for 3.3.3.3, and it never completes. The cause is R1's static route:
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     12.0.0.0/24 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, FastEthernet0/0
     15.0.0.0/24 is subnetted, 1 subnets
C       15.1.1.0 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 is directly connected, FastEthernet0/0
R1#
When a static route points at the router's own Ethernet interface, IOS treats every destination covered by that route as directly connected, so R1 itself sends an ARP request for 3.3.3.3 on FastEthernet0/0. That can only succeed if the router on the other side of the segment proxy-ARPs for the destination, and R2 will not, because R2 has no route to 3.3.3.0/24 (compare the 23.1.1.3 entry above, which R2 did answer, since that network is connected to it). If the route instead pointed at R2's interface address 12.1.1.2, R1 would ARP only for 12.1.1.2, hand the packet to R2, and R2 would route it (and do its own ARP) towards 3.3.3.3.
Enable debug ip icmp on R5, ping from R3 again, and look at the debug output on R5:
R3#ping 15.1.1.5 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.1.1.5, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 168/222/292 ms
R3#
R5#
*Mar 1 00:48:09.235: ICMP: echo reply sent, src 15.1.1.5, dst 3.3.3.3
*Mar 1 00:48:09.435: ICMP: echo reply sent, src 15.1.1.5, dst 3.3.3.3
*Mar 1 00:48:11.407: ICMP: echo reply sent, src 15.1.1.5, dst 3.3.3.3
*Mar 1 00:48:11.715: ICMP: echo reply sent, src 15.1.1.5, dst 3.3.3.3
*Mar 1 00:48:13.683: ICMP: echo reply sent, src 15.1.1.5, dst 3.3.3.3
R5#
R3 sent 5 ICMP echo requests; R5 received all 5 and sent 5 echo replies towards 3.3.3.3. So the replies leave R5 fine, yet only 3 reach R3: the loss happens after R5, on R1.
Check the IPsec SA on R1:
R1#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: mymap, local addr 12.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (15.1.1.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
current_peer 23.1.1.3 port 500
PERMIT, flags={}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.1.1.1, remote crypto endpt.: 23.1.1.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xCEF3C146(3472081222)
inbound esp sas:
spi: 0x76BF842D(1992262701)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4417417/3456)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCEF3C146(3472081222)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4417418/3456)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R1#
Look carefully at how many VPN packets R1 encapsulated and how many it decapsulated!
Check the IPsec SA on R3:
R3#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: mymap, local addr 23.1.1.3
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (15.1.1.5/255.255.255.255/0/0)
current_peer 12.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 23.1.1.3, remote crypto endpt.: 12.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x76BF842D(1992262701)
inbound esp sas:
spi: 0xCEF3C146(3472081222)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4493138/3384)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x76BF842D(1992262701)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4493137/3383)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R3#
Now read the encapsulation and decapsulation counters above together. The VPN traffic was triggered on R3, which encapsulated 9 packets; they reached R1, which decapsulated 9, so the encrypted path R3 to R1 lost nothing. R5 answered every echo request it received and sent the replies back to R1, but R1 encapsulated only 5 packets: the missing replies timed out on R1 waiting for the ARP resolution of 3.3.3.3 and were dropped before the crypto map ever encapsulated them. That asymmetry (9 decapsulated, 5 encapsulated on R1) is the VPN packet loss, and it sits in R1's clear-text forwarding, not inside the tunnel.
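An added example, not part of the original post: a Python helper that reads the "#pkts encaps", "#pkts decaps" and "#send/recv errors" counters from "show crypto ipsec sa" on both peers and localizes the loss. With the R1 and R3 counters above (constructed here as inline strings) it reports that neither encrypted direction lost anything and that R1 decrypted 4 more packets than it encrypted, i.e. the replies vanished on R1's clear-text side. The function names are mine, and the "replies lost before encryption" reading assumes request/reply traffic such as ping.

```python
"""Localize VPN loss from the IPsec SA counters of the two peers."""
import re
from typing import Dict

# Constructed from the "show crypto ipsec sa" output on R1 and R3 above;
# only the counter lines matter for this check.
R1_IPSEC_SA = """\
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #send errors 0, #recv errors 0
"""
R3_IPSEC_SA = """\
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #send errors 1, #recv errors 0
"""

# "#pkts encaps: 5" carries a colon, "#send errors 0" does not.
COUNTER = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):? (\d+)")
NEEDED = {"pkts encaps", "pkts decaps", "send errors", "recv errors"}


def parse_counters(sa_output: str) -> Dict[str, int]:
    """Pull the four counters this check needs out of show crypto ipsec sa."""
    counters = {name: int(value) for name, value in COUNTER.findall(sa_output)}
    missing = NEEDED - set(counters)
    if missing:
        raise ValueError(f"counters not found: {sorted(missing)}")
    return counters


def localize_loss(a_name: str, a: Dict[str, int],
                  b_name: str, b: Dict[str, int]) -> Dict[str, int]:
    """Compare what each side encrypted with what the other side decrypted.

    encaps(a) - decaps(b) > 0: ESP packets lost between the peers, or rejected
        on b (verify/replay), i.e. inside the tunnel.
    decaps(x) - encaps(x) > 0: for request/reply traffic, x received more
        packets than it answered, so the replies were lost on x's clear-text
        side before the crypto map encapsulated them (the ARP case above).
    """
    return {
        f"{a_name}->{b_name} lost inside tunnel": max(0, a["pkts encaps"] - b["pkts decaps"]),
        f"{b_name}->{a_name} lost inside tunnel": max(0, b["pkts encaps"] - a["pkts decaps"]),
        f"{a_name} replies lost before encryption": max(0, a["pkts decaps"] - a["pkts encaps"]),
        f"{b_name} replies lost before encryption": max(0, b["pkts decaps"] - b["pkts encaps"]),
        f"{a_name} send errors": a["send errors"],
        f"{b_name} send errors": b["send errors"],
    }


if __name__ == "__main__":
    r1, r3 = parse_counters(R1_IPSEC_SA), parse_counters(R3_IPSEC_SA)
    for finding, count in localize_loss("R1", r1, "R3", r3).items():
        if count:
            print(f"{finding}: {count}")
```

Counters are cumulative since the SA came up, so clear them with "clear crypto sa counters" on both peers (or take two snapshots) before a test run; the single send error on R3 is reported separately because it means a packet never left the encrypting side at all.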
1.5.1. Solutions
(1) On R1, point the static route at the address of R2's F0/0, 12.1.1.2:
R1(config)#^Z
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 12.1.1.2 to network 0.0.0.0

     12.0.0.0/24 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, FastEthernet0/0
     15.0.0.0/24 is subnetted, 1 subnets
C       15.1.1.0 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 [1/0] via 12.1.1.2
R1#
Ping R5 from R3 again:
R3#ping 15.1.1.5 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.1.1.5, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 80/91/112 ms
R3#
Only the first packet is lost, which is consistent with R1 resolving ARP for its new next-hop 12.1.1.2, an address that was not in R1's cache before the change (it shows up in the final ARP table below). After that, every packet goes through.
(2) Second method: leave R1's static route exactly as it was:
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     12.0.0.0/24 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, FastEthernet0/0
     15.0.0.0/24 is subnetted, 1 subnets
C       15.1.1.0 is directly connected, FastEthernet1/0
S*   0.0.0.0/0 is directly connected, FastEthernet0/0
R1#
Remember the Incomplete ARP entry for 3.3.3.3 on R1? If R1 is going to ARP for 3.3.3.3 anyway, can we get that request answered? Yes: proxy ARP, which IOS enables on interfaces by default, makes R2 reply on R3's behalf as soon as R2 has a route to 3.3.3.0/24 that leaves through a different interface than the one the request arrived on. So add two static routes on R2, one for 3.3.3.0/24 via 23.1.1.3 (the one that matters for the ARP) and one for 15.1.1.0/24 via 12.1.1.1, as the two S entries show:
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     3.0.0.0/24 is subnetted, 1 subnets
S       3.3.3.0 [1/0] via 23.1.1.3
     23.0.0.0/24 is subnetted, 1 subnets
C       23.1.1.0 is directly connected, FastEthernet1/0
     12.0.0.0/24 is subnetted, 1 subnets
C       12.1.1.0 is directly connected, FastEthernet0/0
     15.0.0.0/24 is subnetted, 1 subnets
S       15.1.1.0 [1/0] via 12.1.1.1
R2#
Ping R5 from R3 again:
R3#ping 15.1.1.5 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 15.1.1.5, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/108/200 ms
R3#
Not a single packet lost!!
Check R1's ARP cache:
R1#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  3.3.3.3                 0   cc00.0c5c.0000  ARPA   FastEthernet0/0
Internet  15.1.1.5               50   cc00.0810.0000  ARPA   FastEthernet1/0
Internet  12.1.1.1                -   cc00.0a80.0000  ARPA   FastEthernet0/0
Internet  12.1.1.2               13   cc00.0c5c.0000  ARPA   FastEthernet0/0
Internet  15.1.1.1                -   cc00.0a80.0010  ARPA   FastEthernet1/0
Internet  23.1.1.3               12   cc00.0c5c.0000  ARPA   FastEthernet0/0
R1#
R1 now has a complete entry for 3.3.3.3, and its MAC address cc00.0c5c.0000 is the same one R1 holds for 12.1.1.2 and 23.1.1.3: all three are R2's F0/0 address, which is R2's proxy ARP at work. With the entry in the cache, R3's further pings to 15.1.1.5 cause no new ARP requests on R1, hence no timeouts and no loss. This works, but it leaves R1 depending on the neighbour proxy-ARPing for every host behind it and fills R1's ARP cache with one entry per remote destination; pointing the default route at 12.1.1.2 (method 1) is the cleaner fix.
Lab complete.
Reposted from: https://blog.51cto.com/2882397/746612