Redirects in a Layer 3 network
Problem:
CPU Peak
Resolution:
The device received packets on a port and, according to the routing table, sent them back out the same port. This produced redirects, and once redirects were turned off the CPU returned to normal. So which packets actually drove the CPU up? Is it the ICMP redirect packets (ICMP type 5) sent by the CPU? The following experiment confirms which packets are being punted to the CPU.
Topology:
7609 (10.1.1.1) ----- (10.1.1.2) PC
Default Configuration:
A default route is configured on the 7609 with next hop 10.1.1.2. The following commands confirm that the default route is in effect in both software and hardware forwarding:
Router#sh ip cef exact-route 2.2.2.2 1.1.1.1
2.2.2.2 -> 1.1.1.1 => IP adj out of GigabitEthernet5/2, addr 10.1.1.2
Router#
Router#sh mls cef exact-route 2.2.2.2 1.1.1.1
Interface: Gi5/2, Next Hop: 10.1.1.2, Vlan: 4084, Destination Mac: 0023.7d29.d8c3
Router#
Router#sh vlan internal usage
VLAN Usage
---- --------------------
4084 GigabitEthernet5/2
Steps:
1. From the PC, send ICMP packets to the 7609 with source address "2.2.2.2" and destination address "1.1.1.1". The netdr capture shows:
------- dump of outgoing inband packet -------
destmac 00.23.7D.29.D8.C3, srcmac 00.1E.F7.41.3C.80, protocol 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 46, identifier 0
df 1, mf 0, fo 0, ttl 63, src 2.2.2.2, dst 1.1.1.1
icmp type 0, code 8
------- dump of incoming inband packet -------
destmac 00.1E.F7.41.3C.80, srcmac 00.23.7D.29.D8.C3, protocol 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 46, identifier 0
df 1, mf 0, fo 0, ttl 64, src 2.2.2.2, dst 1.1.1.1
icmp type 0, code 8
With "debug ip icmp" enabled, no ICMP redirect packets were seen. For background on the ICMP redirect message itself, see my earlier article "Some issues with ICMP redirects" (《ICMP 重定向的一些问题》).
2. From the PC, send ICMP packets to the 7609 with source address "10.1.1.254" and destination address "1.1.1.1". The netdr capture shows:
------- dump of outgoing inband packet -------
destmac 00.23.7D.29.D8.C3, srcmac 00.1E.F7.41.3C.80, protocol 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 46, identifier 0
df 1, mf 0, fo 0, ttl 63, src 10.1.1.254, dst 1.1.1.1
icmp type 0, code 8
------- dump of incoming inband packet -------
destmac 00.1E.F7.41.3C.80, srcmac 00.23.7D.29.D8.C3, protocol 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 46, identifier 0
df 1, mf 0, fo 0, ttl 64, src 10.1.1.254, dst 1.1.1.1
icmp type 0, code 8
With "debug ip icmp" enabled, ICMP redirect messages are now seen, but netdr did not capture any such packets. How are these packets generated, and why were they not captured?
*Feb 14 23:09:45.417: ICMP: redirect sent to 10.1.1.254 for dest 1.1.1.1, use gw 10.1.1.2
*Feb 14 23:09:46.429: ICMP: redirect sent to 10.1.1.254 for dest 1.1.1.1, use gw 10.1.1.2
3. Configure "no ip red" (no ip redirects) on the 7609 and repeat steps 1 and 2: no routed packets are punted to the CPU and everything is normal.
Conclusion:
The experiment above shows that ICMP redirects happen not only at Layer 2 but also at Layer 3, though the behaviour is somewhat different:
1. The router first checks whether the redirect condition is triggered.
2. If it is, the packet is punted to the CPU to examine the source IP address (the router's normal forwarding path does not check the source IP address).
3. If the source IP address is in the same subnet as the receiving interface, an ICMP redirect message is sent and the CPU forwards the original packet.
4. If it is not in the same subnet, the CPU simply forwards the packet and no ICMP redirect message is generated.
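To make the four-step decision above concrete, here is an added Python model of the test setup that replays all three tests (my own code, not from the post or from Cisco). It assumes Gi5/2 carries 10.1.1.0/24 and that the default route via 10.1.1.2 is the only route.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network   # connected subnet of the interface
    ip_redirects: bool = True        # False models "no ip redirects"


# Routing table of the test 7609: only the default route via 10.1.1.2 out Gi5/2.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("10.1.1.2"), "Gi5/2"),
]


def lookup(dst):
    """Longest-prefix match; returns (next_hop, egress interface name)."""
    matches = [r for r in ROUTES if dst in r[0]]
    _prefix, next_hop, egress = max(matches, key=lambda r: r[0].prefixlen)
    return next_hop, egress


def forward(src, dst, ingress):
    """Decide how one packet arriving on `ingress` is handled.

    Returns (path, redirect): path is "hardware" when the ASIC forwards the
    packet and "cpu" when it is punted; redirect is the text of the ICMP
    redirect the CPU would send, or None.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    next_hop, egress = lookup(dst)
    # Step 1: a redirect is only a candidate when the egress interface is the
    # ingress interface and redirects are enabled on it.
    if egress != ingress.name or not ingress.ip_redirects:
        return "hardware", None
    # Step 2: punt to the CPU, which is the only place the source is examined.
    # Step 3: source on the receiving interface's subnet -> redirect, CPU forwards.
    if src in ingress.network:
        return "cpu", f"ICMP: redirect sent to {src} for dest {dst}, use gw {next_hop}"
    # Step 4: source elsewhere -> the CPU forwards silently, no redirect.
    return "cpu", None


# Constructed replay of the three tests in the post (assumed /24 on Gi5/2).
GI5_2 = Interface("Gi5/2", ipaddress.ip_network("10.1.1.0/24"))
GI5_2_NO_REDIRECTS = Interface("Gi5/2", ipaddress.ip_network("10.1.1.0/24"), ip_redirects=False)

if __name__ == "__main__":
    for iface, src in [(GI5_2, "2.2.2.2"), (GI5_2, "10.1.1.254"), (GI5_2_NO_REDIRECTS, "10.1.1.254")]:
        print(src, "->", forward(src, "1.1.1.1", iface))
```

Test 1 punts without a redirect, test 2 punts and produces the same message the debug output shows, and with redirects disabled both packets stay in hardware.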
My opinion is that sending an ICMP redirect packet to the SA of the packet doesn't make any sense. It only makes sense to send such redirect packets to the "last hop device" which sent the packet to the router, which should be in the same subnet as the router.
The router can use the ASIC to look up in hardware the destination port for a received packet. If it is the port the packet came in on, the router will consider sending an ICMP redirect packet; however, since sending it to the SA of the packet doesn't make sense, the router will check whether the SA is in the same subnet as the router. I believe our router can't do this in hardware, and that's why we see high CPU. In your test 1, the CPU found the SA was not in the same subnet as its interface, so it didn't send the ICMP redirect. In test 2, the SA was in the same subnet, so the router sent the ICMP redirect.
Thanks to Daniel for the reminder.
Later I will update the summary for redirects.