明天,咱们探讨一下两种不同的配置其通信的过程,咱们先探讨下一跳为本人出站接口的状况:

当R1尝试去ping通2.2.2.2的时候,须要封装ICMP数据包,然而不晓得2.2.2.2的MAC地址的话就无奈实现封装,会呈现encapsulation failed!此时须要通过arp(同一个子网)或者代理arp(跨网段)获取2.2.2.2的MAC地址,因为把2.2.2.0/24 看做一个直联网段,所以会间接封装一个目标地址为2.2.2.2/24,目标MAC为全F的arp数据帧,R2接管到此arp播送帧,因为目标ip是跨网段而且路由器敞开了代理arp,那么此帧解封装后被抛弃。R1没能获取2.2.2.2的mac地址,所以始终都是encapsulation failed!天然不会ping通。

此时如果从R2ping1.1.1.1却是能通的,与下面相似,第一个icmp包封装失败,而后R2发arp播送,因为R1未敞开代理arp,所以arp播送帧被解封装后R1发现目标ip在本人路由表中的loopback0,于是从新封装发送给1.1.1.1,然而因为此时不晓得1.1.1.1的MAC地址,所以R1会向loopback 0发送一个目标MAC为全F目标ip为 1.1.1.1的arp播送,1.1.1.1收到后会发送给R1一个单播通知它本人的Mac地址,而后R1就能够依据失去的MAC地址和1.1.1.1,把后面arp播送帧解封装后的数据进行封装发送给1.1.1.1,1.1.1.1.收到后再对R2作出回应,这样R2就晓得了1.1.1.1的MAC地址和ip地址,就能够失常封装ICMP数据包,从而能够ping 通。

上面咱们验证一下。

根本配置:

R1(config)#

interface Loopback0

ip address 1.1.1.1 255.255.255.0

interface FastEthernet0/0

ip address 10.1.1.1 255.255.255.0

R1(config)#ip route 2.2.2.0 255.255.255.0 FastEthernet0/0

R2(config)#

interface Loopback0

ip address 2.2.2.2 255.255.255.0

interface FastEthernet0/0

ip address 10.1.1.2 255.255.255.0

R2(config)#ip route 1.1.1.0 255.255.255.0 10.1.1.1

R2(config)#int f0/0

R2(config-if)#no ip pro

测试:

R1#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

   …  … … … … … … … … …

Gateway of last resort is not set

 1.0.0.0/24 is subnetted, 1 subnets

C 1.1.1.0 is directly connected, Loopback0

 2.0.0.0/24 is subnetted, 1 subnets

S 2.2.2.0 is directly connected, FastEthernet0/0

 10.0.0.0/24 is subnetted, 1 subnets

C 10.1.1.0 is directly connected, FastEthernet0/0

能够看出R1把2.2.2.0看做的是直连的网段

R1#sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0

Internet 10.1.1.2 25 c002.1148.0000 ARPA FastEthernet0/0

能够看到R1未学习到2.2.2.2的MAC地址

R1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

不通,正如咱们的猜想

上面切换到R2:

R2#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

  … … … … … … … …

Gateway of last resort is not set

 1.0.0.0/24 is subnetted, 1 subnets

S 1.1.1.0 [1/0] via 10.1.1.1

 2.0.0.0/24 is subnetted, 1 subnets

C 2.2.2.0 is directly connected, Loopback0

 10.0.0.0/24 is subnetted, 1 subnets

C 10.1.1.0 is directly connected, FastEthernet0/0

R2#sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.1.1.1 1 c003.1148.0000 ARPA FastEthernet0/0

Internet 10.1.1.2 - c002.1148.0000 ARPA FastEthernet0/0

R2#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/56/128 ms

发现R1->2.2.2.2不通,然而R2->1.1.1.1却是通的,进一步验证咱们的想法

R2#

上面咱们在R2 的f0/0关上代理arp

R2(config)#int f0/0

R2(config-if)#ip pro

R2(config-if)#ip proxy-arp

R2(config-if)#end

R2#

*Mar 1 00:59:58.691: %SYS-5-CONFIG_I: Configured from console by console

R2#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/67/124 ms

R2#sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.1.1.1 21 c003.1148.0000 ARPA FastEthernet0/0

Internet 10.1.1.2 - c002.1148.0000 ARPA FastEthernet0/0

关上代理arp之后R2根本没什么可见的变动

上面在R1上测试:

R1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 16/52/76 ms

发现R1 ping 2.2.2.2.的时候第一帧封装失败,前面全通,和咱们剖析的是统一的

R1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/53/100 ms

再查看R1 的arp 表,发现有了变动,R1曾经学习到了2.2.2.2的MAC地址,证实了咱们的猜测是正确的。

R1#sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 2.2.2.2 21 c002.1148.0000 ARPA FastEthernet0/0

Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0

Internet 10.1.1.2 53 c002.1148.0000 ARPA FastEthernet0/0

其实以上过程全程都是能够抓包的,做试验测试的时候我也都是亲自试过的,wireshark 上能够看到进出的状况:

关掉R2代理arp之后在R1 ping 2.2.2.2在R2 f0/0抓包:

开启R2代理arp之后在R1 ping 2.2.2.2在R2 f0/0抓包:

接下来咱们看一下下一跳为下一跳路由器的接口地址的状况:

仍然是下面的拓扑图,咱们把配置做略微的改变,

R1(config)#no ip route 2.2.2.0 255.255.255.0 f0/0

R1(config)#no ip route 2.2.2.0 255.255.255.0 10.1.1.2

同时咱们关上R2的代理arp性能

R2(config-if)#ip pro

在R1 ping 2.2.2.2 :

R1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 24/42/76 ms

R1#sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0

Internet 10.1.1.2 1 c002.1148.0000 ARPA FastEthernet0/0

上面关掉R2的代理arp,而后在R1 ping 2.2.2.2:

R1#sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0

R1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 20/60/96 ms

R1#sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0

Internet 10.1.1.2 0 c002.1148.0000 ARPA FastEthernet0/0

抓包发现:

以上能够看出,R1->2.2.2.2,目标ip是2.2.2.2,目标MAC却是R2的f0/0接口的MAC

R1#sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0

Internet 10.1.1.2 7 c002.1148.0000 ARPA FastEthernet0/0

比拟两个过程,发现当下一跳为下一跳路由器接口ip地址的时候,关不关代理arp都一样,因为基本就没用到,目标ip是2.2.2.2 目标MAC是R2 f0/0的Mac,R2的f0/0作为了2.2.2.2的网关,全权代理了所有到2.2.2.2的数据。从头至尾R1都没有学习到2.2.2.2.MAC地址。

Cisco路由器默认是开启代理arp的,然而为了平安,往往在进口路由器上,代理arp都是被关掉的,所以局域网内配置动态路由如果采纳下一跳为本人出站接口,就可能导致不能通信,

所以在以太网中,咱们举荐以下一跳路由器接口ip地址作为下一跳,这样能够防止了敞开掉代理arp之后不能通信的状况。

备注:想要本人做试验测试的同学,留神更改一下arp的aging timer,或者重启路由器。

上面咱们讨论一下点对点,把路由器配置做一下改变:

R1(config) #default int f0/0

R1(config)#int s1/1

R1(config-if)#ip add 10.1.1.1 255.255.255.0

R2(config) #default int f0/0

R2(config)#int s1/1

R2(config-if)#ip add 10.1.1.2 255.255.255.0

R1 ping R2:

R1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/44/76 ms

R1#

关掉R2 arp代理,在R2 ping 1.1.1.1:

R2(config)#int s1/1

R2(config-if)#no ip pro

R2(config-if)#no ip proxy-arp

R2(config-if)#end

R2#

*Mar 1 00:04:37.343: %SYS-5-CONFIG_I: Configured from console by console

R2#ping 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/46/72 ms

能够看到不波及arp

看数据包内容,发现没有源MAC和目标MAC,只有源IP和目标IP,

上面将下一跳设置为本人的出接口:

R1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#ip route 2.2.2.0 255.255.255.0 s1/1

R1(config)#no ip route 2.2.2.0 255.255.255.0 10.1.1.2

R1(config)#

R1(config)#

R1(config)#end

R2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#ip route 1.1.1.0 255.255.255.0 s1/1

R2(config)#no ip route 1.1.1.0 255.255.255.0 10.1.1.1

R2(config)#

R2(config)#

R2(config)#end

R1 ping R2 :

R1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 28/57/108 ms

敞开掉R2代理arp:

R2(config)#int s1/1

R2(config-if)#no ip proxy-arp

R2(config-if)#end

R1#ping 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/38/60 ms

以上能够看出点对点链路,指定动态的下一跳时,无论是指定本人的出站接口还是指定下一跳的路由器的接口ip,成果齐全是一样的,而且此时不受arp代理的影响。