Set up the lab environment shown in the figure below:
The configuration script is as follows:
admin@ubuntu:~/vrftcpdump$ cat test.sh
#!/bin/bash
sudo ip netns add ns1
sudo ip link add ns1veth1 type veth peer name eth0 netns ns1
sudo ip netns add ns2
sudo ip link add ns2veth1 type veth peer name eth0 netns ns2
sudo ip link set ns1veth1 master vrftest
sudo ip link set ns2veth1 master vrftest
sudo ip link set ns2veth1 up
sudo ip link set ns1veth1 up
sudo ip addr add 1.1.1.254/24 dev ns1veth1
sudo ip addr add 2.2.2.254/24 dev ns2veth1
sudo ip netns exec ns2 ip addr add 2.2.2.1/24 dev eth0
sudo ip netns exec ns1 ip addr add 1.1.1.1/24 dev eth0
sudo ip netns exec ns1 ip link set eth0 up
sudo ip netns exec ns1 ip link set lo up
sudo ip netns exec ns1 ip route add default via 1.1.1.254 dev eth0
sudo ip netns exec ns2 ip link set eth0 up
sudo ip netns exec ns2 ip link set lo up
sudo ip netns exec ns2 ip route add default via 2.2.2.254 dev eth0
admin@ubuntu:~/vrftcpdump$

admin@ubuntu:~$ sudo ip netns exec ns1 ping 1.1.1.254 -c 1
PING 1.1.1.254 (1.1.1.254) 56(84) bytes of data.
64 bytes from 1.1.1.254: icmp_seq=1 ttl=64 time=0.044 ms
--- 1.1.1.254 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.044/0.044/0.044/0.000 ms
admin@ubuntu:~$

admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:12:56.228438 6e:17:d5:b2:55:14 > b2:f8:2a:13:31:75, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60591, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.1 > 1.1.1.254: ICMP echo request, id 33206, seq 1, length 64
19:12:56.228457 ca:f9:f0:37:4c:6c > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 9896, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.1: ICMP echo reply, id 33206, seq 1, length 64

admin@ubuntu:~$ sudo ip netns exec ns1 ping 2.2.2.1 -c 1
PING 2.2.2.1 (2.2.2.1) 56(84) bytes of data.
64 bytes from 2.2.2.1: icmp_seq=1 ttl=63 time=0.058 ms
--- 2.2.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.058/0.058/0.058/0.000 ms
admin@ubuntu:~$

admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:11:29.852187 6e:17:d5:b2:55:14 > b2:f8:2a:13:31:75, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 13375, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.1 > 2.2.2.1: ICMP echo request, id 33192, seq 1, length 64
19:11:29.852223 ba:19:4d:37:ac:8b > 02:25:0e:fe:52:35, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39804, offset 0, flags [none], proto ICMP (1), length 84)
    2.2.2.1 > 1.1.1.1: ICMP echo reply, id 33192, seq 1, length 64

admin@ubuntu:~$ sudo ping 1.1.1.1 -I vrftest -c 1
ping: Warning: source address might be selected on device other than vrftest.
PING 1.1.1.1 (1.1.1.1) from 1.1.1.254 vrftest: 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.036 ms
--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.036/0.036/0.036/0.000 ms
admin@ubuntu:~$

admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:20:26.030756 ca:f9:f0:37:4c:6c > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 52323, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.1: ICMP echo request, id 33308, seq 1, length 64
19:20:26.030777 6e:17:d5:b2:55:14 > b2:f8:2a:13:31:75, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 19617, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.1 > 1.1.1.254: ICMP echo reply, id 33308, seq 1, length 64

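The VRF interface acts as the loopback interface of its own VRF. We ping the host's own address to see whether the packets can be captured on the vrftest interface.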

admin@ubuntu:~$ sudo ping 1.1.1.254 -I vrftest -c 1
ping: Warning: source address might be selected on device other than vrftest.
PING 1.1.1.254 (1.1.1.254) from 1.1.1.254 vrftest: 56(84) bytes of data.
64 bytes from 1.1.1.254: icmp_seq=1 ttl=64 time=0.032 ms
--- 1.1.1.254 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.032/0.032/0.032/0.000 ms
admin@ubuntu:~$

admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:18:01.997387 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 50471, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.254: ICMP echo request, id 33294, seq 1, length 64
19:18:01.997400 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 50472, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.254: ICMP echo reply, id 33294, seq 1, length 64

admin@ubuntu:~$ sudo ip addr add 127.0.0.1/8 dev vrftest
admin@ubuntu:~$ sudo ping 127.0.0.1 -I vrftest -c 1
PING 127.0.0.1 (127.0.0.1) from 127.0.0.1 vrftest: 56(84) bytes of data.
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
admin@ubuntu:~$

As the output above shows, in the vrftest context, pinging vrftest's own IP fails when that IP is 127.0.0.1. Reconfigure vrftest's IP address to 1.0.0.1.

admin@ubuntu:~$ sudo ip addr del 127.0.0.1/8 dev vrftest
admin@ubuntu:~$ sudo ip addr add 1.0.0.1/8 dev vrftest
admin@ubuntu:~$ sudo ping 1.0.0.1 -I vrftest -c 1
PING 1.0.0.1 (1.0.0.1) from 1.0.0.1 vrftest: 56(84) bytes of data.
64 bytes from 1.0.0.1: icmp_seq=1 ttl=64 time=0.077 ms
--- 1.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.077/0.077/0.077/0.000 ms
admin@ubuntu:~$

admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:33:19.262089 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 51976, offset 0, flags [DF], proto ICMP (1), length 84)
    1.0.0.1 > 1.0.0.1: ICMP echo request, id 33462, seq 1, length 64
19:33:19.262126 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 51977, offset 0, flags [none], proto ICMP (1), length 84)
    1.0.0.1 > 1.0.0.1: ICMP echo reply, id 33462, seq 1, length 64

This shows that an address outside 127.0.0.1/8 can be pinged successfully.
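
The Ethernet headers in the vrftest captures above differ by where a packet came from, and that can be checked mechanically. The following is an added example, not part of the original post: a shell function that reads `tcpdump -eennvv icmp` text and labels each echo packet by its Ethernet header. The names `sample_capture` and `summarize_vrf_capture` are made up here, and the sample input is four packets copied from this page plus one constructed unanswered request.

```shell
#!/bin/bash
# Added example: summarise `tcpdump -eennvv icmp` text captured on a VRF device.
# Packets 1-4 are copied from this page; packet 5 is constructed (no reply).
sample_capture() {
cat <<'EOF'
19:12:56.228438 6e:17:d5:b2:55:14 > b2:f8:2a:13:31:75, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60591, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.1 > 1.1.1.254: ICMP echo request, id 33206, seq 1, length 64
19:12:56.228457 ca:f9:f0:37:4c:6c > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 9896, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.1: ICMP echo reply, id 33206, seq 1, length 64
19:18:01.997387 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 50471, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.254: ICMP echo request, id 33294, seq 1, length 64
19:18:01.997400 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 50472, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.254: ICMP echo reply, id 33294, seq 1, length 64
19:40:00.000001 ca:f9:f0:37:4c:6c > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.9: ICMP echo request, id 40001, seq 1, length 64
EOF
}

# Prints one line per echo packet, then the number of requests with no reply.
# host-sent = destination MAC all zeros, self = source MAC equals destination
# MAC, received = anything else (labels follow what this page's captures show).
summarize_vrf_capture() {
  awk '
    # Link-level line: time, source MAC, ">", destination MAC
    $3 == ">" && $1 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./ {
      smac = $2; dmac = $4; sub(/,$/, "", dmac); hdr = 1; next
    }
    # Continuation line: "src > dst: ICMP echo request|reply, id N, seq N, ..."
    hdr && $4 == "ICMP" && $5 == "echo" {
      hdr = 0
      dip = $3; sub(/:$/, "", dip)
      kind = $6; sub(/,$/, "", kind)
      id = $8; sub(/,$/, "", id)
      seq = $10; sub(/,$/, "", seq)
      if (dmac == "00:00:00:00:00:00") label = "host-sent"
      else if (smac == dmac) label = "self"
      else label = "received"
      printf "%s id=%s seq=%s %s>%s %s\n", kind, id, seq, $1, dip, label
      if (kind == "request") pending[id "/" seq] = 1
      else delete pending[id "/" seq]
    }
    END { n = 0; for (k in pending) n++; printf "unanswered=%d\n", n }
  '
}

sample_capture | summarize_vrf_capture
```

To use it on a live capture, pipe the text output of `sudo tcpdump -i vrftest -eennvv icmp` into `summarize_vrf_capture` in place of `sample_capture`.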