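Today we look at how communication proceeds under two different configurations. We start with the case where the next hop is the router's own outbound interface:
When R1 tries to ping 2.2.2.2, it has to encapsulate the ICMP packet, but it cannot complete the encapsulation without knowing the MAC address of 2.2.2.2, so "encapsulation failed" appears. It then has to obtain the MAC address of 2.2.2.2 through ARP (same subnet) or proxy ARP (across subnets). Because R1 treats 2.2.2.0/24 as a directly connected network, it directly sends an ARP frame with target address 2.2.2.2/24 and destination MAC all Fs. R2 receives this ARP broadcast frame; because the target IP is on another subnet and the router has proxy ARP disabled, the frame is decapsulated and then discarded. R1 fails to obtain the MAC address of 2.2.2.2, so it keeps getting "encapsulation failed" and naturally the ping does not succeed.
If we ping 1.1.1.1 from R2 at this point, however, it works. Similar to the above, the first ICMP packet fails encapsulation, and then R2 sends an ARP broadcast. Because R1 has not disabled proxy ARP, after decapsulating the ARP broadcast frame R1 finds that the target IP is Loopback0 in its own routing table, so it re-encapsulates and sends it to 1.1.1.1. However, since it does not know the MAC address of 1.1.1.1 at this point, R1 sends an ARP broadcast to Loopback 0 with destination MAC all Fs and target IP 1.1.1.1. On receiving it, 1.1.1.1 sends R1 a unicast telling it its MAC address. R1 can then use the MAC address it obtained and 1.1.1.1 to encapsulate the data from the earlier decapsulated ARP broadcast frame and send it to 1.1.1.1. After receiving it, 1.1.1.1 responds to R2, so R2 learns the MAC address and IP address of 1.1.1.1 and can encapsulate ICMP packets normally, and the ping succeeds.
Let's verify this below.
Basic configuration: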
R1(config)#
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
R1(config)#ip route 2.2.2.0 255.255.255.0 FastEthernet0/0
R2(config)#
interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
R2(config)#ip route 1.1.1.0 255.255.255.0 10.1.1.1
R2(config)#int f0/0
R2(config-if)#no ip proxy-arp
Test:
R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
… … … … … … … … … …
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
2.0.0.0/24 is subnetted, 1 subnets
S 2.2.2.0 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
We can see that R1 treats 2.2.2.0 as a directly connected network.
R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 25 c002.1148.0000 ARPA FastEthernet0/0
We can see that R1 has not learned the MAC address of 2.2.2.2.
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
It fails, just as we guessed.
Now switch to R2:
R2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
… … … … … … … …
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
S 1.1.1.0 [1/0] via 10.1.1.1
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
R2#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 1 c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 - c002.1148.0000 ARPA FastEthernet0/0
R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/56/128 ms
R1 -> 2.2.2.2 fails, but R2 -> 1.1.1.1 works, which further confirms our idea.
R2#
Next we enable proxy ARP on R2's f0/0:
R2(config)#int f0/0
R2(config-if)#ip pro
R2(config-if)#ip proxy-arp
R2(config-if)#end
R2#
*Mar 1 00:59:58.691: %SYS-5-CONFIG_I: Configured from console by console
R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/67/124 ms
R2#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 21 c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 - c002.1148.0000 ARPA FastEthernet0/0
After enabling proxy ARP, there is basically no visible change on R2.
Now test on R1:
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/52/76 ms
When R1 pings 2.2.2.2, the first frame fails encapsulation and all the later ones get through, consistent with our analysis.
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/53/100 ms
Checking R1's ARP table again shows a change: R1 has now learned the MAC address of 2.2.2.2, which proves that our guess was correct.
R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 2.2.2.2 21 c002.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 53 c002.1148.0000 ARPA FastEthernet0/0
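The change in R1's ARP table can also be checked mechanically. The following Python sketch is an added example, not part of the original post: it parses the show arp output above and reports entries whose IP address lies outside the interface's connected subnet, together with the on-subnet neighbour that owns the answering MAC. The function names and the CONNECTED mapping are assumptions made for this example.

```python
import ipaddress
import re

# "show arp" output copied from R1 above; the connected subnet comes from R1's config.
SHOW_ARP = """\
Protocol Address Age (min) Hardware Addr Type Interface
Internet 2.2.2.2 21 c002.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 53 c002.1148.0000 ARPA FastEthernet0/0
"""
CONNECTED = {"FastEthernet0/0": ipaddress.ip_network("10.1.1.0/24")}

ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<intf>\S+)\s*$",
    re.I)

def parse_arp(text):
    """Return one dict per ARP row; the header and incomplete entries are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"ip": ipaddress.ip_address(m["ip"]), "mac": m["mac"].lower(),
                         "intf": m["intf"], "local": m["age"] == "-"})
    return rows

def off_subnet_entries(text, connected):
    """Return (ip, mac, interface, answered_by) for ARP entries outside the connected subnet."""
    rows = parse_arp(text)
    findings = []
    for r in rows:
        net = connected.get(r["intf"])
        if net is None or r["local"] or r["ip"] in net:
            continue
        # On-subnet neighbours with the same MAC: the device that answered for this IP.
        answered_by = sorted(str(o["ip"]) for o in rows
                             if o["mac"] == r["mac"] and o["intf"] == r["intf"]
                             and o["ip"] in net and not o["local"])
        findings.append((str(r["ip"]), r["mac"], r["intf"], answered_by))
    return findings

if __name__ == "__main__":
    for ip, mac, intf, via in off_subnet_entries(SHOW_ARP, CONNECTED):
        print(f"{ip} on {intf} resolves to {mac}, the MAC of {via or 'an unknown host'}")
```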
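In fact the whole process above can be captured. I tried all of it myself when doing the lab tests, and Wireshark shows the traffic going in and out:
Capture on R2 f0/0 while R1 pings 2.2.2.2, after disabling proxy ARP on R2:
Capture on R2 f0/0 while R1 pings 2.2.2.2, after enabling proxy ARP on R2:
Next, let's look at the case where the next hop is the interface address of the next-hop router:
Using the same topology as above, we change the configuration slightly: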
R1(config)#no ip route 2.2.2.0 255.255.255.0 f0/0
R1(config)#ip route 2.2.2.0 255.255.255.0 10.1.1.2
At the same time we enable proxy ARP on R2:
R2(config-if)#ip proxy-arp
Ping 2.2.2.2 from R1:
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 24/42/76 ms
R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 1 c002.1148.0000 ARPA FastEthernet0/0
Now disable proxy ARP on R2, then ping 2.2.2.2 from R1:
R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/60/96 ms
R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 0 c002.1148.0000 ARPA FastEthernet0/0
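The packet capture shows:
From the above we can see that for R1 -> 2.2.2.2 the destination IP is 2.2.2.2, but the destination MAC is that of R2's f0/0 interface.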
R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - c003.1148.0000 ARPA FastEthernet0/0
Internet 10.1.1.2 7 c002.1148.0000 ARPA FastEthernet0/0
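Comparing the two runs, when the next hop is the next-hop router's interface IP address, it makes no difference whether proxy ARP is on or off, because it is never used. The destination IP is 2.2.2.2 and the destination MAC is that of R2's f0/0; R2's f0/0 acts as the gateway for 2.2.2.2 and handles all traffic to 2.2.2.2. From start to finish R1 never learns the MAC address of 2.2.2.2.
Cisco routers have proxy ARP enabled by default, but for security reasons proxy ARP is usually turned off on egress routers, so a static route inside a LAN that uses the router's own outbound interface as the next hop may fail to communicate.
So on Ethernet we recommend using the next-hop router's interface IP address as the next hop, which avoids losing connectivity once proxy ARP has been disabled.
Note: if you want to run this lab yourself, remember to change the ARP aging timer, or reboot the router.
Now let's discuss point-to-point links. Change the router configuration as follows:
R1(config)#default int f0/0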
R1(config)#int s1/1
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R2(config)#default int f0/0
R2(config)#int s1/1
R2(config-if)#ip add 10.1.1.2 255.255.255.0
R1 ping R2:
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/44/76 ms
R1#
Disable proxy ARP on R2, then ping 1.1.1.1 from R2:
R2(config)#int s1/1
R2(config-if)#no ip pro
R2(config-if)#no ip proxy-arp
R2(config-if)#end
R2#
*Mar 1 00:04:37.343: %SYS-5-CONFIG_I: Configured from console by console
R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/46/72 ms
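We can see that ARP is not involved.
Looking at the packet contents, there is no source MAC or destination MAC, only the source IP and destination IP.
Now set the next hop to the router's own outbound interface: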
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip route 2.2.2.0 255.255.255.0 s1/1
R1(config)#no ip route 2.2.2.0 255.255.255.0 10.1.1.2
R1(config)#
R1(config)#
R1(config)#end
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip route 1.1.1.0 255.255.255.0 s1/1
R2(config)#no ip route 1.1.1.0 255.255.255.0 10.1.1.1
R2(config)#
R2(config)#
R2(config)#end
R1 ping R2:
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/57/108 ms
Disable proxy ARP on R2:
R2(config)#int s1/1
R2(config-if)#no ip proxy-arp
R2(config-if)#end
R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/38/60 ms
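From the above we can see that on a point-to-point link, when specifying the next hop of a static route, it makes no difference whether you specify your own outbound interface or the next-hop router's interface IP: the result is exactly the same, and it is not affected by proxy ARP.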
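The Ethernet recommendation and the point-to-point result can be turned into a configuration check. The following Python sketch is an added example, not part of the original post: it classifies static routes by whether they name only a broadcast-type outbound interface (and so depend on the neighbour's proxy ARP), give a next-hop IP, or use a non-broadcast interface. The route list is constructed from commands used on this page, and the interface-name prefix heuristic is an assumption.

```python
import ipaddress
import re

# Constructed sample: static routes taken from the commands on this page, plus one
# fully specified route (interface and next hop) added for comparison.
ROUTES = """\
ip route 2.2.2.0 255.255.255.0 FastEthernet0/0
ip route 1.1.1.0 255.255.255.0 10.1.1.1
ip route 2.2.2.0 255.255.255.0 s1/1
ip route 2.2.2.0 255.255.255.0 FastEthernet0/0 10.1.1.2
"""

# Assumption: interface names with these prefixes are multi-access, so ARP is used.
BROADCAST_PREFIXES = ("e", "f", "g", "te", "vlan")

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_static_routes(config):
    """Return (prefix, target, verdict) for every 'ip route' line in the text."""
    results = []
    for line in config.splitlines():
        m = re.match(r"\s*ip route\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?", line)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        target, extra = m[3], m[4]
        if is_ip(target) or (extra and is_ip(extra)):
            verdict = "ok: next-hop IP given"
        elif target.lower().startswith(BROADCAST_PREFIXES):
            verdict = "risk: ARPs for each destination, needs proxy ARP on neighbour"
        else:
            verdict = "ok: not a broadcast interface, no ARP"
        results.append((str(net), target, verdict))
    return results

if __name__ == "__main__":
    for prefix, target, verdict in audit_static_routes(ROUTES):
        print(f"{prefix:<12} {target:<16} {verdict}")
```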