IP : IP 版本 6 (IPv6)

通过接口 Null0 配置 IPv6 黑洞

2016 年 10 月 24 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 8 月 22 日) | 反馈


目录


简介

本文描述如何通过接口 Null0 在 IPv6 中配置黑洞。黑洞路由是一种允许管理员封锁不需要流量的方法,例如来自非法来源的流量或由拒绝服务 (DoS) 攻击生成的流量,方法是将流量动态路由至一个停止的接口或一个被指定为收集信息进行调查的主机,这可以缓和对网络的攻击影响。

先决条件

要求

尝试进行此配置之前,请确保满足以下要求:

  • 了解 BGP 路由协议及其操作

  • 了解 IPv6 编址方案

使用的组件

本文档中的信息根据Cisco 7200系列路由器用Cisco IOS�软件版本15.0(1)。

规则

有关文档规则的详细信息,请参阅 Cisco 技术提示规则

配置

本部分提供有关如何配置本文档所述功能的信息。

注意: 使用命令查找工具仅限注册用户)查找有关本文档所使用命令的详细信息。

网络图

本文档使用以下网络设置:

http://www.cisco.com/c/dam/en/us/support/docs/ip/ip-version-6-ipv6/113635-configure-ipv6-black-holing-01.gif

在此网络中,路由器 R1 与 R2 彼此形成 eBGP 关系。路由器使用 OSPFv3 进行内部通信。在路由器 R1 中,可通过配置 Null0 实现黑洞,方法是将任何源地址为 20:20::20/128 的数据包都导向至 Null0。换句话说,路由到 Null0 的所有流量都会被丢弃。

示例配置

本文档使用以下配置:

路由器 R1
!
hostname R1
!
no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
interface Loopback1
 no ip address
 ipv6 address AA::1/128
 ipv6 enable
 ipv6 ospf 10 area 0
!
interface Loopback10
 no ip address
 ipv6 address AA:10::10/128
 ipv6 enable
!
interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
 ipv6 address 2012:AA::1/64
 ipv6 enable
 ipv6 ospf 10 area 0
!
router bgp 6501
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor BB::1 remote-as 6502
 neighbor BB::1 ebgp-multihop 2
 neighbor BB::1 update-source Loopback1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
  redistribute static
  network AA:10::10/128
  neighbor BB::1 activate
 exit-address-family
!
ipv6 route 20:20::20/128 Null0
ipv6 router ospf 10
 router-id 1.1.1.1
!
end

路由器 R2
!
hostname R2
!
ipv6 unicast-routing
ipv6 cef
!
!
interface Loopback1
 no ip address
 ipv6 address BB::1/128
 ipv6 enable
 ipv6 ospf 10 area 0
!
interface Loopback20
 no ip address
 ipv6 address 20:20::20/128
 ipv6 enable
!
interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
 ipv6 address 2012:AA::2/64
 ipv6 enable
 ipv6 ospf 10 area 0
!
router bgp 6502
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor AA::1 remote-as 6501
 neighbor AA::1 ebgp-multihop 2
 neighbor AA::1 update-source Loopback1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
  network 20:20::20/128
  neighbor AA::1 activate
 exit-address-family
!
ipv6 router ospf 10
 router-id 2.2.2.2
!
end

验证

使用本部分可确认配置能否正常运行。

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

为了验证 eBGP 配置,在路由器 R1 中使用 show ipv6 route bgpshow bgp ipv6 unicast 命令。

路由器 R1
show ipv6 route
R1#show ipv6 route bgp
IPv6 Routing Table - default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

!---  The router R2 advertises the network 20:20::20/128, 
!--- but still the routing table is empty.

要检查哪些是 BGP 接收的路由,请使用 show bgp ipv6 unicast 命令。
R1#show bgp ipv6 unicast
BGP table version is 3, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, I - internal,
              r RIB-failure, S Stale
Origin codes: I - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  20:20::20/128    BB::1                    0             0 6502 I
*>                  ::                       0         32768 ?
*> AA:10::10/128    ::                       0         32768 I

!--- Note that the route 20:20::20/128 is received,
!--- but it is not installed in the routing table.

请使用来源作为环回接口 20,以便从路由器 R2 ping 路由器 R1。

R2#ping ipv6 AA:10::10 source lo20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to AA:10::10, timeout is 2 seconds:
Packet sent with a source address of 20:20::20
.....
Success rate is 0 percent (0/5)

!---  The reason is the ICMP packet reaches 
!--- router R1 with source address as 
!--- 20:20::20/128 and therefore gets dropped.

尝试在不使用环回接口作为来源的情况下从路由器 R2 ping 路由器 R1。

R2#ping AA:10::10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to AA:10::10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/61/180 ms

!--- In this case, the ICMP packet has
!--- the source address as BB::1.

如果 ipv6 route 20:20::20/128 Null0 语句从路由器 R1 删除,路由器 R2 通告的路由 20:20::20/128 在路由器里 R1 的路由表中获得安装。以下是输出示例:

在路由器 R1 中
R1(config)#no ipv6 route 20:20::20/128 Null0



!--- The Null0 command in removed from router R1.


R1#show bgp ipv6 unicast
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, I - internal,
              r RIB-failure, S Stale
Origin codes: I - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 20:20::20/128    ::                       0         32768 ?
*                   BB::1                    0             0 6502 I
*> AA:10::10/128    ::                       0         32768 I

!--- After the removal of the statement, 
!--- the route 20:20::20/128 is shown as best route.


R1#show ipv6 route bgp
IPv6 Routing Table - default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
B   20:20::20/128 [20/0]
    via BB::1


!--- You can see that the route is displayed in routing table.

现在请设法从路由器 R2 ping 路由器 R1,将来源作为环回接口 Lo 20。

R2#ping ipv6  AA:10::10 source lo20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to AA:10::10, timeout is 2 seconds:
Packet sent with a source address of 20:20::20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/54/140 ms

!--- You can see that the ping is successful.


相关信息


Document ID: 113635