The lab environment is set up as shown in the figure below. The configuration script is as follows:

```
admin@ubuntu:~/vrftcpdump$ cat test.sh
#!/bin/bash
# Assumes the VRF device vrftest already exists and is up (this script does not create it).

# Create two namespaces, each connected to the host by a veth pair
sudo ip netns add ns1
sudo ip link add ns1veth1 type veth peer name eth0 netns ns1
sudo ip netns add ns2
sudo ip link add ns2veth1 type veth peer name eth0 netns ns2

# Enslave the host-side veth ends to the VRF and bring them up
sudo ip link set ns1veth1 master vrftest
sudo ip link set ns2veth1 master vrftest
sudo ip link set ns2veth1 up
sudo ip link set ns1veth1 up

# Gateway addresses on the host side, host addresses inside the namespaces
sudo ip addr add 1.1.1.254/24 dev ns1veth1
sudo ip addr add 2.2.2.254/24 dev ns2veth1
sudo ip netns exec ns2 ip addr add 2.2.2.1/24 dev eth0
sudo ip netns exec ns1 ip addr add 1.1.1.1/24 dev eth0

# Bring up the namespace interfaces and point the default route at the gateway
sudo ip netns exec ns1 ip link set eth0 up
sudo ip netns exec ns1 ip link set lo up
sudo ip netns exec ns1 ip route add default via 1.1.1.254 dev eth0
sudo ip netns exec ns2 ip link set eth0 up
sudo ip netns exec ns2 ip link set lo up
sudo ip netns exec ns2 ip route add default via 2.2.2.254 dev eth0
admin@ubuntu:~/vrftcpdump$
```

External access to the local host

Ping the gateway from ns1:

```
admin@ubuntu:~$ sudo ip netns exec ns1 ping 1.1.1.254 -c 1
PING 1.1.1.254 (1.1.1.254) 56(84) bytes of data.
64 bytes from 1.1.1.254: icmp_seq=1 ttl=64 time=0.044 ms

--- 1.1.1.254 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.044/0.044/0.044/0.000 ms
admin@ubuntu:~$
```

Capture the packets on vrftest:

```
admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:12:56.228438 6e:17:d5:b2:55:14 > b2:f8:2a:13:31:75, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 60591, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.1 > 1.1.1.254: ICMP echo request, id 33206, seq 1, length 64
19:12:56.228457 ca:f9:f0:37:4c:6c > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 9896, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.1: ICMP echo reply, id 33206, seq 1, length 64
```

Forwarded packets

Ping ns2 from ns1:

```
admin@ubuntu:~$ sudo ip netns exec ns1 ping 2.2.2.1 -c 1
PING 2.2.2.1 (2.2.2.1) 56(84) bytes of data.
64 bytes from 2.2.2.1: icmp_seq=1 ttl=63 time=0.058 ms

--- 2.2.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.058/0.058/0.058/0.000 ms
admin@ubuntu:~$
```

Capture the packets on the vrftest interface:

```
admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:11:29.852187 6e:17:d5:b2:55:14 > b2:f8:2a:13:31:75, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 13375, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.1 > 2.2.2.1: ICMP echo request, id 33192, seq 1, length 64
19:11:29.852223 ba:19:4d:37:ac:8b > 02:25:0e:fe:52:35, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 39804, offset 0, flags [none], proto ICMP (1), length 84)
    2.2.2.1 > 1.1.1.1: ICMP echo reply, id 33192, seq 1, length 64
```

Local host accessing the outside, within the vrftest domain

Ping ns1 from within the vrftest domain:

```
admin@ubuntu:~$ sudo ping 1.1.1.1 -I vrftest -c 1
ping: Warning: source address might be selected on device other than vrftest.
PING 1.1.1.1 (1.1.1.1) from 1.1.1.254 vrftest: 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.036 ms

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.036/0.036/0.036/0.000 ms
admin@ubuntu:~$
```

Capture the packets on the vrftest interface:

```
admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:20:26.030756 ca:f9:f0:37:4c:6c > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 52323, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.1: ICMP echo request, id 33308, seq 1, length 64
19:20:26.030777 6e:17:d5:b2:55:14 > b2:f8:2a:13:31:75, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 19617, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.1 > 1.1.1.254: ICMP echo reply, id 33308, seq 1, length 64
```

Local host pinging itself, i.e. loopback

The VRF interface acts as the loopback interface of the VRF. Let's ping ourselves and see whether the packets can be captured on the vrftest interface.

Ping the local address 1.1.1.254 within the vrftest domain:

```
admin@ubuntu:~$ sudo ping 1.1.1.254 -I vrftest -c 1
ping: Warning: source address might be selected on device other than vrftest.
PING 1.1.1.254 (1.1.1.254) from 1.1.1.254 vrftest: 56(84) bytes of data.
64 bytes from 1.1.1.254: icmp_seq=1 ttl=64 time=0.032 ms

--- 1.1.1.254 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.032/0.032/0.032/0.000 ms
admin@ubuntu:~$
```

Capture the packets on the vrftest interface:

```
admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:18:01.997387 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 50471, offset 0, flags [DF], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.254: ICMP echo request, id 33294, seq 1, length 64
19:18:01.997400 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 50472, offset 0, flags [none], proto ICMP (1), length 84)
    1.1.1.254 > 1.1.1.254: ICMP echo reply, id 33294, seq 1, length 64
```

Configure 127.0.0.1 on vrftest, then ping 127.0.0.1 within vrftest:

```
admin@ubuntu:~$ sudo ip addr add 127.0.0.1/8 dev vrftest
admin@ubuntu:~$ sudo ping 127.0.0.1 -I vrftest -c 1
PING 127.0.0.1 (127.0.0.1) from 127.0.0.1 vrftest: 56(84) bytes of data.

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
admin@ubuntu:~$
```

As shown above, when pinging in the vrftest context, the address 127.0.0.1 configured on vrftest cannot be reached.

Reconfigure the IP address of vrftest as 1.0.0.1:

```
admin@ubuntu:~$ sudo ip addr del 127.0.0.1/8 dev vrftest
admin@ubuntu:~$ sudo ip addr add 1.0.0.1/8 dev vrftest
admin@ubuntu:~$ sudo ping 1.0.0.1 -I vrftest -c 1
PING 1.0.0.1 (1.0.0.1) from 1.0.0.1 vrftest: 56(84) bytes of data.
64 bytes from 1.0.0.1: icmp_seq=1 ttl=64 time=0.077 ms

--- 1.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.077/0.077/0.077/0.000 ms
admin@ubuntu:~$
```

Capture the packets:

```
admin@ubuntu:~$ sudo tcpdump -i vrftest -eennvv icmp
tcpdump: listening on vrftest, link-type EN10MB (Ethernet), capture size 262144 bytes
19:33:19.262089 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 51976, offset 0, flags [DF], proto ICMP (1), length 84)
    1.0.0.1 > 1.0.0.1: ICMP echo request, id 33462, seq 1, length 64
19:33:19.262126 ca:f9:f0:37:4c:6c > ca:f9:f0:37:4c:6c, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 51977, offset 0, flags [none], proto ICMP (1), length 84)
    1.0.0.1 > 1.0.0.1: ICMP echo reply, id 33462, seq 1, length 64
```

As you can see, addresses other than 127.0.0.1/8 can be pinged.

Summary

All packets passing through the devices that belong to a VRF can be captured on the VRF interface.

The VRF interface serves as the loopback port of that VRF.

An address in the 127.0.0.0/8 range configured on the VRF interface cannot be pinged; I don't quite understand why.

If the VRF interface is configured with an address outside 127.0.0.0/8, it can be pinged.
