Huawei switch route leaking: next-hop problem when leaking global (public) routes into a VPN instance

Published: 2016-12-20  Views: 338  Downloads: 10
Problem description

Two VPN instances, aa and bb, are created on C-SW. A-SW is a pure Layer 2 switch used for user access, and users in both instances need to reach the Internet.

[C-SW]display ip vpn-instance verbose
Total VPN-Instances configured : 2
VPN-Instance Name and ID : aa, 1
  Interfaces : Vlanif10
Address family ipv4
  Create date : 2014-12-09 16:44:20-08:00
  Up time : 0 days, 00 hours, 30 minutes and 32 seconds
  Route Distinguisher : 10:1
  Export VPN Targets :  10:1
  Import VPN Targets :  10:1
  Log Interval : 5
VPN-Instance Name and ID : bb, 2
  Interfaces : Vlanif20
Address family ipv4
  Create date : 2014-12-09 16:45:02-08:00
  Up time : 0 days, 00 hours, 29 minutes and 50 seconds
  Route Distinguisher : 20:1
  Export VPN Targets :  20:1
  Import VPN Targets :  20:1
  Log Interval : 5
[C-SW]
[C-SW]display current-configuration  int gi0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
return
[C-SW]dis cu int gi0/0/2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20
#
return
[C-SW]dis cu int vlan 10
#
interface Vlanif10
ip binding vpn-instance aa
ip address 10.10.10.1 255.255.255.0
#
return
[C-SW]dis cu int vlan 20
#
interface Vlanif20
ip binding vpn-instance bb
ip address 20.20.20.1 255.255.255.0
#
On C-SW, the global (public) default route is leaked into each instance:
ip route-static vpn-instance aa 0.0.0.0 0.0.0.0 100.1.1.2 public
ip route-static vpn-instance bb 0.0.0.0 0.0.0.0 100.1.1.2 public
[C-SW]display  ip  routing-table vpn-instance aa
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: aa
         Destinations : 3        Routes : 3       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   100.1.1.2       Vlanif100
     10.10.10.0/24  Direct  0    0           D   10.10.10.1      Vlanif10
     10.10.10.1/32  Direct  0    0           D   127.0.0.1       Vlanif10

[C-SW]dis ip routing vpn-instance bb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: bb
         Destinations : 3        Routes : 3       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   100.1.1.2       Vlanif100
     20.20.20.0/24  Direct  0    0           D   20.20.20.1      Vlanif20
     20.20.20.1/32  Direct  0    0           D   127.0.0.1       Vlanif20

[C-SW]
Each instance now has a default route, which steers traffic from the instance into the public (global) routing table. The public table, however, has no static route back into the instances, so return static routes from public into each instance must be added by hand. Because A-SW below C-SW is a pure Layer 2 switch, there is no gateway address to use as the next hop of those return routes; client traffic toward the Internet can leave, but the replies cannot come back.
[C-SW]ip route-static 10.10.10.0 24 vpn-instance aa ?
  X.X.X.X  Gateway address
Alarm information
PC>ping 100.1.1.2

Ping 100.1.1.2: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 100.1.1.2 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss
Handling process
1. On A-SW, configure an IP address under each of the two VLANs, so that the return routes written from public into the instances have a gateway address to use as next hop.

<A-SW>dis current-configuration  int vlan 10
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
return
<A-SW>dis cu int vlan 20
#
interface Vlanif20
ip address 20.20.20.2 255.255.255.0
#
return
<A-SW>

2. On C-SW, write static return routes from public into the instances, with the gateway address set to the corresponding Vlanif address on A-SW.

ip route-static 10.10.10.0 255.255.255.0 vpn-instance aa 10.10.10.2
ip route-static 20.20.20.0 255.255.255.0 vpn-instance bb 20.20.20.2
[C-SW]dis ip routing-table protocol static
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : Static
         Destinations : 3        Routes : 3        Configured Routes : 3

Static routing table status : <Active>
         Destinations : 3        Routes : 3

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   100.1.1.2       Vlanif100
     10.10.10.0/24  Static  60   0          RD   10.10.10.2      Vlanif10
     20.20.20.0/24  Static  60   0          RD   20.20.20.2      Vlanif20

Static routing table status : <Inactive>
         Destinations : 0        Routes : 0

[C-SW]

3. Verify that client access to the Internet is now normal.

PC>ping 100.1.1.2
Ping 100.1.1.2: 32 data bytes, Press Ctrl_C to break
From 100.1.1.2: bytes=32 seq=1 ttl=253 time=62 ms
From 100.1.1.2: bytes=32 seq=2 ttl=253 time=47 ms
From 100.1.1.2: bytes=32 seq=3 ttl=253 time=62 ms
From 100.1.1.2: bytes=32 seq=4 ttl=253 time=62 ms
From 100.1.1.2: bytes=32 seq=5 ttl=253 time=62 ms
--- 100.1.1.2 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 47/59/62 ms
PC>

[C-SW]dis arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE     
                                          VLAN
------------------------------------------------------------------------------
100.1.1.1       4c1f-ccbe-1ef7            I -  Vlanif100
100.1.1.2       4c1f-cc5c-4081  2         D-0  GE0/0/1
                                          100
10.1.1.1        4c1f-ccbe-1ef7            I -  Vlanif200
10.10.10.1      4c1f-ccbe-1ef7            I -  Vlanif10       aa
10.10.10.10     5489-9855-1cfa  18        D-0  GE0/0/2        aa
                                          10
10.10.10.2      4c1f-cc59-6e0b  19        D-0  GE0/0/2        aa
                                          10
20.20.20.1      4c1f-ccbe-1ef7            I -  Vlanif20       bb
20.20.20.20     5489-985b-29b2  11        D-0  GE0/0/2        bb
                                          20
20.20.20.2      4c1f-cc59-6e0b  19        D-0  GE0/0/2        bb
                                          20
------------------------------------------------------------------------------
Total:9         Dynamic:5       Static:0     Interface:4   
[C-SW]
Root cause
[C-SW-vlan20]display  ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   100.1.1.2       Vlanif100
      100.1.1.0/24  Direct  0    0           D   100.1.1.1       Vlanif100
      100.1.1.1/32  Direct  0    0           D   127.0.0.1       Vlanif100
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

[C-SW-vlan20]
Because the static return routes written from public into the instances on C-SW had no next-hop gateway address, they could not take effect.
Solution
On the access switch, configure an IP address from the relevant subnet on the corresponding Vlanif interface and use it as the next hop of the public return route into that instance.
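The following is an added configuration audit, not part of the original case or of any Huawei tool: it parses the two forms of ip route-static used above (default route leaked into an instance with the public keyword, and the public-to-instance return route) and flags an instance whose return route is missing or whose gateway does not lie in the instance subnet, which is the condition behind the one-way traffic in this case. The sample config and the instance-to-subnet mapping are constructed from the values shown on this page.

```python
import ipaddress
import re

# Leak of a public route into an instance:  ip route-static vpn-instance <inst> <dst> <mask> <nh> public
LEAK_RE = re.compile(r"^ip route-static vpn-instance (\S+) (\S+) (\S+) (\S+) public$")
# Return route from public into an instance: ip route-static <dst> <mask> vpn-instance <inst> <gw>
RETURN_RE = re.compile(r"^ip route-static (\S+) (\S+) vpn-instance (\S+) (\S+)$")

# Constructed sample: both leaks from the case, but only aa's return route present.
SAMPLE_CONFIG = """
ip route-static vpn-instance aa 0.0.0.0 0.0.0.0 100.1.1.2 public
ip route-static vpn-instance bb 0.0.0.0 0.0.0.0 100.1.1.2 public
ip route-static 10.10.10.0 255.255.255.0 vpn-instance aa 10.10.10.2
"""
# Subnets bound to each instance (from the Vlanif10 / Vlanif20 bindings on C-SW).
INSTANCE_SUBNETS = {"aa": ["10.10.10.0/24"], "bb": ["20.20.20.0/24"]}


def to_network(addr, mask):
    """Accept both Huawei mask styles: dotted (255.255.255.0) and prefix length (24)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_static_routes(config_text):
    """Return ({instance: [(net, nexthop)]} for leaks, {instance: [(net, gateway)]} for returns)."""
    leaks, returns = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := LEAK_RE.match(line):
            inst, dst, mask, nh = m.groups()
            leaks.setdefault(inst, []).append((to_network(dst, mask), ipaddress.ip_address(nh)))
        elif m := RETURN_RE.match(line):
            dst, mask, inst, gw = m.groups()
            returns.setdefault(inst, []).append((to_network(dst, mask), ipaddress.ip_address(gw)))
    return leaks, returns


def audit(config_text, instance_subnets):
    """List findings; an empty list means every instance has a usable pair of leak + return route."""
    leaks, returns = parse_static_routes(config_text)
    findings = []
    for inst, subnets in instance_subnets.items():
        if inst not in leaks:
            findings.append(f"{inst}: no leaked default route toward public")
        for subnet in subnets:
            net = ipaddress.ip_network(subnet)
            gateways = [gw for n, gw in returns.get(inst, []) if n == net]
            if not gateways:
                findings.append(f"{inst}: public has no return route for {net}")
            for gw in gateways:
                if gw not in net:  # gateway must be the access switch's address inside the subnet
                    findings.append(f"{inst}: return-route gateway {gw} is outside {net}")
    return findings
```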
Suggestions and summary
Once instance routes and global routes have been leaked into each other, the two instances can reach each other because all gateways sit on the core switch; for security, a traffic-policy must also be configured to filter traffic between the two instances.

This approach can provide an escape route for a design that isolates the instances by routing and diverts their traffic to a side-attached firewall: if both deployed firewalls fail, it keeps providing Internet service so that outgoing business traffic is not affected.

END