GRE_Tunnel中由于递归路由而引起的Tunnel翻转.docx

说明:由于递归路由造成的Tunnel 临时关闭Posted onJuly 12, 2014byPaul Stewart, CCIE 26009 (Security)我们来看一Tunnel临时关闭的问题,这是由于IGP路由和GRETunnel 联合使用时由于递归路由而造成的 。为了证明这一点, 我们做一个实验，如下图所示。其中R1、R3参与的EIGRP,GRETunnel。Topology配置：R1hostname R1!interface FastEthernet0/0 ip address 192.168.12.1 255.255.255.0!interface Tunnel0 ip address 192.168.13.1 255.255.255.0 tunnel source 192.168.12.1 tunnel destination 192.168.23.3!router eigrp 1 network 192.168.0.0 0.0.255.255!ip route 0.0.0.0 0.0.0.0 192.168.12.2R2 (hub)hostname R2!interface FastEthernet0/1 ip address 192.168.12.2 255.255.255.0!interface FastEthernet0/1 ip address 192.168.23.2 255.255.255.0!R3hostname R3!interface FastEthernet0/1 ip address 192.168.23.3 255.255.255.0!interface Tunnel0 ip address 192.168.13.3 255.255.255.0 tunnel source 192.168.23.3 tunnel destination 192.168.12.1!router eigrp 1 network 192.168.0.0 0.0.255.255!ip route 0.0.0.0 0.0.0.0 192.168.23.2乍一看,这么配置似乎没有问题。路由器R1、R3可以使用静态默认路由相互可达。隧道将建立成功。事实上初期隧道确实会成功建立, 甚至EIGRP也会形成一个邻居。随后邻居关系丢失。Tunnel也将关闭。感觉接口只允许他们上线很短的时间。路由器R1、R3周期做一个迭代动作并生产下面的日志。貌似Tunnel在无穷翻转。*Mar 1 00:05:00.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up*Mar 1 00:05:22.843: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.13.3 (Tunnel0) is up: new adjacency*Mar 1 00:05:39.871: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.13.3 (Tunnel0) is down: holding time expired*Mar 1 00:06:38.575: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing*Mar 1 00:06:39.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down*Mar 1 00:06:39.583: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.13.3 (Tunnel0) is down: interface down解释：我看到这个问题一直出现,并且造成了一些混乱。它出现在隧道源和目的地之间的链路。EIGRP收敛之前,R1、R3之间最好的(唯一的)的路由是由管理员分配静态默认路由。让我们看看在两者之间建立了EIGRP邻居以后会发生什么：R1#debug ip routingR1#configure terminalR1(config)#interface tunnel 0R1(config-if)#shutR1(config-if)#no shutR1(config-if)#*Mar 1 00:12:01.775: RT: is_up: Tunnel0 1 state: 4 sub state: 1 line: 0 has_route: False*Mar 1 00:12:01.779: RT: SET_LAST_RDB for 192.168.13.0/24 NEW rdb: is directly connected*Mar 1 00:12:01.779: RT: add 192.168.13.0/24 via 0.0.0.0, connected metric 0/0*Mar 1 00:12:01.779: RT: NET-RED 192.168.13.0/24*Mar 1 00:12:01.783: RT: interface Tunnel0 added to routing table*Mar 1 00:12:03.767: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up*Mar 1 00:12:03.767: RT: is_up: Tunnel0 1 state: 4 sub state: 1 line: 0 has_route: True*Mar 1 00:12:04.055: RT: NET-RED 0.0.0.0/0*Mar 1 00:12:04.767: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up*Mar 1 00:12:04.767: RT: is_up: Tunnel0 1 state: 4 sub state: 1 line: 0 has_route: True*Mar 1 00:12:34.443: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.13.3 (Tunnel0) is up: new adjacency*Mar 1 00:12:39.491: RT: SET_LAST_RDB for 192.168.23.0/24 NEW rdb: via 192.168.13.3*Mar 1 00:12:39.491: RT: add 192.168.23.0/24 via 192.168.13.3, eigrp metric 90/297270016*Mar 1 00:12:39.495: RT: NET-RED 192.168.23.0/24查看R1配置,目的地址是2.168.23.3的隧道在建立之后, EIGRP邻局建立并开始交换路由信息。如图所示,R1到192.168.23.0/24 有了一个新的途径。这条路线实际上是通过隧道的。这时注意了：路由选路的结果就是：隧道的目的端口将是通过本身到达的。逻辑将如下:1. R1通过Tunnel0发出一个数据包2. Tunnel为数据包添加一个GRE和额外的IP报头3. 数据包更新源地址为192.168.23 ，目的地址 192.168.12.1。4. 路由器需要将新的数据包发送到192.168.23.35. 路由表显示192.168.23.3应该由Tunnel发送6. Tunnel为数据包添加一个GRE和额外的IP报头7. 跳转到第3步。这是一个无限循环的状态，这时路由器识别出这是递归路由, 不允许它继续存在。于是Tunnel 状态被置为 down。解决方案：了解了翻转的过程，那么解决起来也就简单了:只要将建立隧道的源目的路由地址不与建立隧道本身所依赖的物理端口地址重合即可。有不止一个方法可以解决这种问题。是其中一个方法就是在R1、R3之间配置静态路由。R1ip route 192.168.23.3 255.255.255.255 192.168.12.2R3ip route 192.168.12.1 255.255.255.255 192.168.23.2这条路由比从EIGRP学到的路由有更小的AD，将被优选。另一个方法是精准的宣告前缀，将物理接口排除在外。.R1router eigrp 1 no network 192.168.0.0 0.0.255 network 192.168.13.0R3router eigrp 1 no network 192.168.0.0 0.0.0.255 network 192.168.13.0最后，还有一个方法是物理接口启用VRF，以实现他与Tunnel接口隔离。R1ip vrf FVRF!interface FastEthernet0/0 ip vrf forwarding FVRF ip address 192.168.12.1 255.255.255.0!no ip route 0.0.0.0 0.0.0.0 192.168.12.2ip route vrf FVRF 0.0.0.0 0.0.0.0 192.168.12.2!interface tunnel 0 tunnel vrf FVRFR3ip vrf FVRF!interface FastEthernet0/1 ip vrf forwarding FVRF ip address 192.168.23.3 255.255.255.0!no ip route 0.0.0.0 0.0.0.0 192.168.23.2ip route vrf FVRF 0.0.0.0 0.0.0.0 192.168.23.2