
Linux: tcpdump and VRF

Set up the lab environment shown in the figure below:

The configuration script is as follows:

admin@ubuntu:~/vrftcpdump$ cat test.sh 
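#!/bin/bash
# Create the VRF device first: the lines below enslave interfaces to vrftest,
# so it must already exist. Routing table 10 is an assumed value; the page
# does not state which table was used.
sudo ip link add vrftest type vrf table 10
sudo ip link set vrftest up
# Forwarding between ns1 and ns2 through the host needs IPv4 forwarding
# (assumed to be enabled already in the original environment).
sudo sysctl -w net.ipv4.ip_forward=1
# Two namespaces, each connected to the host by a veth pair
sudo ip netns add ns1
sudo ip link add ns1veth1 type veth peer name eth0 netns ns1
sudo ip netns add ns2
sudo ip link add ns2veth1 type veth peer name eth0 netns ns2
# Enslave the host-side veth ends to the VRF and bring them up
sudo ip link set ns1veth1 master vrftest
sudo ip link set ns2veth1 master vrftest
sudo ip link set ns2veth1 up
sudo ip link set ns1veth1 up
# Gateway addresses on the host side
sudo ip addr add 1.1.1.254/24 dev ns1veth1
sudo ip addr add 2.2.2.254/24 dev ns2veth1
# Addresses, links and default routes inside the namespaces
sudo ip netns exec ns2 ip addr add 2.2.2.1/24 dev eth0
sudo ip netns exec ns1 ip addr add 1.1.1.1/24 dev eth0
sudo ip netns exec ns1 ip link set eth0 up
sudo ip netns exec ns1 ip link set lo up
sudo ip netns exec ns1 ip route add default via 1.1.1.254 dev eth0
sudo ip netns exec ns2 ip link set eth0 up
sudo ip netns exec ns2 ip link set lo up
sudo ip netns exec ns2 ip route add default via 2.2.2.254 dev eth0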
admin@ubuntu:~/vrftcpdump$ 

Traffic from outside to the local host

Ping the gateway ns1test

admin@ubuntu:~$ sudo ip netns exec ns1 ping 1.1.1.254 -c 1       
PING 1.1.1.254 (1.1.1.254) 56(84) bytes of data.
64 bytes from 1.1.1.254: icmp_seq=1 ttl=64 time=0.044 ms

--- 1.1.1.254 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.044/0.044/0.044/0.000 ms
admin@ubuntu:~$ 

Capture packets on vrftest

admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:12:56.228438 6e:17:d5:b2:55:14 > b2:f8:2a:13:31:75, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60591, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.1 > 1.1.1.254: ICMP echo request, id 33206, seq 1, length 64
19:12:56.228457 ca:f9:f0:37:4c:6c > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 9896, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.1: ICMP echo reply, id 33206, seq 1, length 64

Forwarded packets

From netns1, ping netns2

admin@ubuntu:~$ sudo ip netns exec ns1 ping 2.2.2.1 -c 1
PING 2.2.2.1 (2.2.2.1) 56(84) bytes of data.
64 bytes from 2.2.2.1: icmp_seq=1 ttl=63 time=0.058 ms

--- 2.2.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.058/0.058/0.058/0.000 ms
admin@ubuntu:~$ 

Capture packets on the vrftest interface

admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:11:29.852187 6e:17:d5:b2:55:14 > b2:f8:2a:13:31:75, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 13375, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.1 > 2.2.2.1: ICMP echo request, id 33192, seq 1, length 64
19:11:29.852223 ba:19:4d:37:ac:8b > 02:25:0e:fe:52:35, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39804, offset 0, flags [none], proto ICMP (1), length 84)
    2.2.2.1 > 1.1.1.1: ICMP echo reply, id 33192, seq 1, length 64

Traffic from the local host to the outside, within the vrftest domain

Ping ns1 from within the vrftest domain

admin@ubuntu:~$ sudo ping 1.1.1.1 -I vrftest -c 1   
ping: Warning: source address might be selected on device other than vrftest.
PING 1.1.1.1 (1.1.1.1) from 1.1.1.254 vrftest: 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.036 ms

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.036/0.036/0.036/0.000 ms
admin@ubuntu:~$ 

Capture packets on the vrftest interface

admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:20:26.030756 ca:f9:f0:37:4c:6c > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 52323, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.1: ICMP echo request, id 33308, seq 1, length 64
19:20:26.030777 6e:17:d5:b2:55:14 > b2:f8:2a:13:31:75, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 19617, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.1 > 1.1.1.254: ICMP echo reply, id 33308, seq 1, length 64

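Local host pinging itself (loopback)

The VRF interface acts as the loopback interface of its own VRF. We ping our own address and check whether the packets can be captured on the vrftest interface.

Ping the local address 1.1.1.254 from within the vrftest domain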

admin@ubuntu:~$ sudo ping 1.1.1.254 -I vrftest -c 1
ping: Warning: source address might be selected on device other than vrftest.
PING 1.1.1.254 (1.1.1.254) from 1.1.1.254 vrftest: 56(84) bytes of data.
64 bytes from 1.1.1.254: icmp_seq=1 ttl=64 time=0.032 ms

--- 1.1.1.254 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.032/0.032/0.032/0.000 ms
admin@ubuntu:~$ 

Capture packets on the vrftest interface

admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:18:01.997387 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 50471, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.254: ICMP echo request, id 33294, seq 1, length 64
19:18:01.997400 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 50472, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.254: ICMP echo reply, id 33294, seq 1, length 64

Assign 127.0.0.1 to vrftest, then ping 127.0.0.1 in the vrftest context

admin@ubuntu:~$ sudo ip addr add 127.0.0.1/8 dev vrftest
admin@ubuntu:~$ sudo ping 127.0.0.1 -I vrftest -c 1                       
PING 127.0.0.1 (127.0.0.1) from 127.0.0.1 vrftest: 56(84) bytes of data.

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

admin@ubuntu:~$ 

As shown above, when vrftest's own IP is 127.0.0.1, pinging it in the vrftest context fails. Reconfigure vrftest's IP address to 1.0.0.1.

admin@ubuntu:~$ sudo ip addr del 127.0.0.1/8 dev vrftest   
admin@ubuntu:~$ sudo ip addr add 1.0.0.1/8 dev vrftest
admin@ubuntu:~$ sudo ping 1.0.0.1 -I vrftest -c 1       
PING 1.0.0.1 (1.0.0.1) from 1.0.0.1 vrftest: 56(84) bytes of data.
64 bytes from 1.0.0.1: icmp_seq=1 ttl=64 time=0.077 ms

--- 1.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.077/0.077/0.077/0.000 ms
admin@ubuntu:~$ 

Capture packets

admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:33:19.262089 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 51976, offset 0, flags [DF], proto ICMP (1), length 84)
    1.0.0.1 > 1.0.0.1: ICMP echo request, id 33462, seq 1, length 64
19:33:19.262126 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 51977, offset 0, flags [none], proto ICMP (1), length 84)
    1.0.0.1 > 1.0.0.1: ICMP echo reply, id 33462, seq 1, length 64

This shows that an address that is not in 127.0.0.1/8 can be pinged.

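Summary

  • On the VRF interface you can capture all packets that pass through the devices enslaved to that VRF.
  • The VRF interface acts as the loopback interface of its own VRF.
  • An address in 127.0.0.0/8 configured on the VRF interface cannot be pinged; I do not fully understand this.
  • An address outside 127.0.0.0/8 configured on the VRF interface can be pinged.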
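
The captures above can be told apart by their Ethernet headers alone: host-originated frames have the VRF device's MAC as source, loopback frames have it as both source and destination, and frames received on ns1veth1/ns2veth1 keep their own header. The following added example (not part of the original post) classifies `tcpdump -e` output on that basis; the function names are hypothetical, and it assumes ca:f9:f0:37:4c:6c is the MAC of vrftest.

```shell
#!/bin/bash
# Added example: classify frames seen on a VRF device from `tcpdump -e` text.
# Assumption: the MAC passed in $1 is the VRF device's own address.

classify_vrf_frames() {
    # $1 = MAC of the VRF device; tcpdump -e output is read from stdin.
    awk -v vrfmac="$1" '
    # Frame header: "<time> <src-mac> > <dst-mac>, ethertype ..."
    $3 == ">" && length($2) == 17 && $2 ~ /^[0-9a-f:]+$/ {
        src = $2; dst = $4; sub(/,$/, "", dst)
        if (src == vrfmac && dst == vrfmac) kind = "vrf-loopback"
        else if (src == vrfmac)             kind = "local-origin"
        else                                kind = "from-member"
        pending = 1; next
    }
    # Payload line: "<src-ip> > <dst-ip>: ICMP echo request, ..."
    pending && $2 == ">" {
        dstip = $3; sub(/:$/, "", dstip)
        type = $6; sub(/,$/, "", type)
        print kind, $1, dstip, type
        pending = 0
    }'
}

# Sample input: four frames copied from the captures shown on this page.
sample_capture() {
    cat <<'EOF'
19:12:56.228438 6e:17:d5:b2:55:14 > b2:f8:2a:13:31:75, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60591, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.1 > 1.1.1.254: ICMP echo request, id 33206, seq 1, length 64
19:12:56.228457 ca:f9:f0:37:4c:6c > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 9896, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.1: ICMP echo reply, id 33206, seq 1, length 64
19:11:29.852223 ba:19:4d:37:ac:8b > 02:25:0e:fe:52:35, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39804, offset 0, flags [none], proto ICMP (1), length 84)
    2.2.2.1 > 1.1.1.1: ICMP echo reply, id 33192, seq 1, length 64
19:18:01.997387 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 50471, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.254: ICMP echo request, id 33294, seq 1, length 64
EOF
}

# Prints one line per frame: <kind> <src-ip> <dst-ip> <request|reply>
sample_capture | classify_vrf_frames ca:f9:f0:37:4c:6c
```

On a live system, pipe `sudo tcpdump -l -i vrftest -eennvv icmp` into `classify_vrf_frames` with the MAC reported by `ip link show vrftest`.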