路由引入路由过滤排错

排错网络拓扑图

排错需求

故障排错

故障一

故障二

故障三

排错网络拓扑图

排错需求

按照图示配置 IP 地址，总部和分支 A、分支 B 各自使用 loopback 口模拟业务网段
公司业务流分为 A 流和 B 流，网段如图所示
总部内部配置 OSPF 互通，总部和分支 A、分支 B 配置 RIP 互通
在 R1 上配置 OSPF 和 RIP 双向引入，要求总部和分支之间只有 A 流互通
配置路由过滤，使分支 A 与分支 B 只有 B 流可以互通
OSPF 区域不允许出现 RIP 协议报文
排除所有网络故障，使环境符合需求，并完成排错报告

故障排错

故障一

故障现象

分支A和分支B之间不通

故障分析

查看R1路由器中通过RIP学习到的路由

[R1]display ip routing-table protocol ripSummary count : 7RIP Routing table status : <Active>
Summary count : 4Destination/Mask   Proto   Pre Cost        NextHop         Interface
172.16.1.1/32      RIP     100 1           10.1.1.3        GE0/1
172.16.2.1/32      RIP     100 1           10.2.2.4        GE0/2
192.168.1.1/32     RIP     100 1           10.1.1.3        GE0/1
192.168.2.1/32     RIP     100 1           10.2.2.4        GE0/2RIP Routing table status : <Inactive>
Summary count : 3Destination/Mask   Proto   Pre Cost        NextHop         Interface
10.1.1.0/24        RIP     100 0           0.0.0.0         GE0/1
10.2.2.0/24        RIP     100 0           0.0.0.0         GE0/2
10.3.3.0/24        RIP     100 0           0.0.0.0         GE0/0
[R1]

查看R3路由器中通过RIP学习到的路由

<R3>display ip routing-table protocol rip Summary count : 3RIP Routing table status : <Active>
Summary count : 0RIP Routing table status : <Inactive>
Summary count : 3Destination/Mask   Proto   Pre Cost        NextHop         Interface
10.1.1.0/24        RIP     100 0           0.0.0.0         GE0/0
172.16.1.1/32      RIP     100 0           0.0.0.0         Loop1
192.168.1.1/32     RIP     100 0           0.0.0.0         Loop0
<R3>

查看R4路由器中通过RIP学习到的路由

<R4>display ip routing-table protocol rip Summary count : 3RIP Routing table status : <Active>
Summary count : 0RIP Routing table status : <Inactive>
Summary count : 3Destination/Mask   Proto   Pre Cost        NextHop         Interface
10.2.2.0/24        RIP     100 0           0.0.0.0         GE0/0
172.16.2.1/32      RIP     100 0           0.0.0.0         Loop1
192.168.2.1/32     RIP     100 0           0.0.0.0         Loop0
<R4>

可以观察到分支A和分支B的路由器中没有通过RIP协议学习到对方的路由，说明RIP路由宣告可能存在问题。通过查看R1，R3，R4三个路由器的RIP协议的配置可以发现宣告配置没有问题。

那么为什么分支A和分支B之间的业务网段不通呢，由于排错需求中有分支之间只有B流可以互通这一需求，我们可以去查看是否是因为路由过滤配置不正确导致业务网段无法互通

通过查看R3和R4的RIP配置我们可以发现，R3和R4的RIP配置中都使用了过滤策略，流量进入时对ACL2000进行过滤。

[R3-rip-1]di th
#
rip 1undo summaryversion 2network 10.0.0.0network 172.16.0.0network 192.168.1.0filter-policy 2000 import
#
return
[R3-rip-1]

[R4]rip
[R4-rip-1]di th
#
rip 1undo summaryversion 2network 10.0.0.0network 172.16.0.0network 192.168.2.0filter-policy 2000 import
#
return
[R4-rip-1]

查看ACL2000中的配置是否正确

可以看到虽然R3和R4的ACL2000中禁止了A流的业务网段，但是没有允许其它路由的通过，导致B流也无法通过。


[R3-acl-ipv4-basic-2000]di th
#
acl basic 2000rule 0 deny source 192.168.2.1 0
#
return

[R4-acl-ipv4-basic-2000]di th
#
acl basic 2000rule 0 deny source 192.168.1.1 0
#
return

故障解决

在R3和R4的ACL2000中加上允许其它路由的规则

[R3-acl-ipv4-basic-2000]rule 5 permit source any [R4-acl-ipv4-basic-2000]rule 5 permit source any

修改之后，分支A和分支B之间只有B流可以通过

[R3]ping -a 172.16.1.1 172.16.2.1
Ping 172.16.2.1 (172.16.2.1) from 172.16.1.1: 56 data bytes, press CTRL+C to break
56 bytes from 172.16.2.1: icmp_seq=0 ttl=254 time=3.237 ms
56 bytes from 172.16.2.1: icmp_seq=1 ttl=254 time=2.260 ms
56 bytes from 172.16.2.1: icmp_seq=2 ttl=254 time=3.895 ms
56 bytes from 172.16.2.1: icmp_seq=3 ttl=254 time=3.659 ms
56 bytes from 172.16.2.1: icmp_seq=4 ttl=254 time=0.844 ms--- Ping statistics for 172.16.2.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.844/2.779/3.895/1.117 ms
[R3]%Feb  6 14:01:33:956 2024 R3 PING/6/PING_STATISTICS: Ping statistics for 172.16.2.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 0.844/2.779/3.895/1.117 ms.[R3][R3]ping -a 192.168.1.1 192.168.2.1
Ping 192.168.2.1 (192.168.2.1) from 192.168.1.1: 56 data bytes, press CTRL+C to break
Request time out
Request time out
Request time out
Request time out
Request time out--- Ping statistics for 192.168.2.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[R3]%Feb  6 14:01:27:324 2024 R3 PING/6/PING_STATISTICS: Ping statistics for 192.168.2.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss

故障二

故障现象

分支A和分支B与总部之间的A流无法通过

[R3]ping -a 192.168.1.1 192.168.0.1
Ping 192.168.0.1 (192.168.0.1) from 192.168.1.1: 56 data bytes, press CTRL+C to break
Request time out
Request time out
Request time out
Request time out
Request time out--- Ping statistics for 192.168.0.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[R3]%Feb  6 14:03:08:361 2024 R3 PING/6/PING_STATISTICS: Ping statistics for 192.168.0.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.

[R4]ping -a 192.168.2.1 192.168.0.1
Ping 192.168.0.1 (192.168.0.1) from 192.168.2.1: 56 data bytes, press CTRL+C to break
Request time out
Request time out
Request time out
Request time out
Request time out--- Ping statistics for 192.168.0.1 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[R4]%Feb  6 14:04:34:574 2024 R4 PING/6/PING_STATISTICS: Ping statistics for 192.168.0.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.

故障分析

排错需求需要在R1上配置OSPF和RIP的双向引入，要求总部和分支之间只有A流可以通过。所以我们在R1上查看在进行双向引入时是否路由过滤配置是否正确。

RIP协议中引入OSPF时调用了r2o的路由策略

[R1-rip-1]di th
#
rip 1undo summaryversion 2network 10.0.0.0import-route ospf 1 route-policy r2o
#
return

[R1-ospf-1]di th
#
ospf 1import-route rip 1 route-policy o2rarea 0.0.0.0network 10.3.3.0 0.0.0.255
#
return

OSPF协议中引入RIP时调用了o2r的路由策略，而o2r这个路由策略匹配了acl2001，这个acl中允许了192.168.0.1这条路由是不对的

[R1]ospf 1
[R1-ospf-1]di th
#
ospf 1import-route rip 1 route-policy o2rarea 0.0.0.0network 10.3.3.0 0.0.0.255
#
return[R1-ospf-1]display route-policy name o2r
Route-policy: o2rPermit : 10if-match ip address acl 2001[R1-ospf-1]display acl 2001
Basic IPv4 ACL 2001, 1 rule,
ACL's step is 5rule 0 permit source 192.168.0.1 0[R1-ospf-1]

RIP协议中引入 OSPF时调用了r2o的路由策略，而r2o这个路由策略匹配了acl2000，这个acl中允许了192.168.1.1和192.168.2.1这两条路由是不对的

[R1-rip-1]di th
#
rip 1undo summaryversion 2network 10.0.0.0import-route ospf 1 route-policy r2o
#
return[R1]display route-policy name r2o
Route-policy: r2oPermit : 10if-match ip address acl 2000[R1]display acl 2000
Basic IPv4 ACL 2000, 2 rules,
ACL's step is 5rule 0 permit source 192.168.1.1 0rule 5 permit source 192.168.2.1 0[R1]

故障解决

通过观察我们发现是路由引入时我们将路由策略用反了，引入OSPF时应该调用o2r这个路由策略，引入RIP时应该调用r2o这个路由策略才是正确的

[R1-rip-1]import-route ospf route-policy o2r
[R1-ospf-1]import-route rip route-policy r2o

修改之后，R2中成功学到分支的A流路由

<R2>display ip routing-table Destinations : 14       Routes : 14Destination/Mask   Proto   Pre Cost        NextHop         Interface
0.0.0.0/32         Direct  0   0           127.0.0.1       InLoop0
10.3.3.0/24        Direct  0   0           10.3.3.2        GE0/0
10.3.3.2/32        Direct  0   0           127.0.0.1       InLoop0
10.3.3.255/32      Direct  0   0           10.3.3.2        GE0/0
127.0.0.0/8        Direct  0   0           127.0.0.1       InLoop0
127.0.0.1/32       Direct  0   0           127.0.0.1       InLoop0
127.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
172.16.0.1/32      Direct  0   0           127.0.0.1       InLoop0
192.168.0.1/32     Direct  0   0           127.0.0.1       InLoop0
192.168.1.1/32     O_ASE2  150 1           10.3.3.1        GE0/0
192.168.2.1/32     O_ASE2  150 1           10.3.3.1        GE0/0
224.0.0.0/4        Direct  0   0           0.0.0.0         NULL0
224.0.0.0/24       Direct  0   0           0.0.0.0         NULL0
255.255.255.255/32 Direct  0   0           127.0.0.1       InLoop0
<R2>

同理R3和R4也通过RIP学习到了总部的A流路由

R3和R4成功与总部通过A流互通

<R3>ping -a 192.168.1.1 192.168.0.1
Ping 192.168.0.1 (192.168.0.1) from 192.168.1.1: 56 data bytes, press CTRL+C to break
56 bytes from 192.168.0.1: icmp_seq=0 ttl=254 time=4.896 ms
56 bytes from 192.168.0.1: icmp_seq=1 ttl=254 time=4.062 ms
56 bytes from 192.168.0.1: icmp_seq=2 ttl=254 time=3.625 ms
56 bytes from 192.168.0.1: icmp_seq=3 ttl=254 time=2.129 ms
56 bytes from 192.168.0.1: icmp_seq=4 ttl=254 time=3.376 ms--- Ping statistics for 192.168.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.129/3.618/4.896/0.906 ms
<R3>%Feb  6 14:21:41:958 2024 R3 PING/6/PING_STATISTICS: Ping statistics for 192.168.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.129/3.618/4.896/0.906 ms.

<R4>ping -a 192.168.2.1 192.168.0.1
Ping 192.168.0.1 (192.168.0.1) from 192.168.2.1: 56 data bytes, press CTRL+C to break
56 bytes from 192.168.0.1: icmp_seq=0 ttl=254 time=1.790 ms
56 bytes from 192.168.0.1: icmp_seq=1 ttl=254 time=2.198 ms
56 bytes from 192.168.0.1: icmp_seq=2 ttl=254 time=2.883 ms
56 bytes from 192.168.0.1: icmp_seq=3 ttl=254 time=2.031 ms
56 bytes from 192.168.0.1: icmp_seq=4 ttl=254 time=1.940 ms--- Ping statistics for 192.168.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.790/2.168/2.883/0.381 ms
%Feb  6 14:23:47:360 2024 R4 PING/6/PING_STATISTICS: Ping statistics for 192.168.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.790/2.168/2.883/0.381 ms.
<R4>

故障三

故障现象

在OSPF区域的R1中的0/0口抓包还有RIP协议报文

故障分析

R1上RIP协议宣告10.0.0.0网段时，将OSPF区域的R1中的0/0口也宣告到了RIP协议中，所以该接口会发送和接口RIP协议广播报文，没有在该接口开启沉默接口。

故障解决

在该接口开启沉默接口

[R1-rip-1]silent-interface GigabitEthernet 0/0