通过接口 Null0 配置 IPv6 黑洞

下载选项

PDF (274.9 KB)
在各种设备上使用 Adobe Reader 查看
ePub (95.0 KB)
在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上使用各种应用查看
Mobi (Kindle) (79.3 KB)
在 Kindle 设备上查看或在多个设备上使用 Kindle 应用查看

已更新: 2012 年 7 月 30 日

文档 ID:113635

非歧视性语言

此产品的文档集力求使用非歧视性语言。在本文档集中，非歧视性语言是指不隐含针对年龄、残障、性别、种族身份、族群身份、性取向、社会经济地位和交叉性的歧视的语言。由于产品软件的用户界面中使用的硬编码语言、基于 RFP 文档使用的语言或引用的第三方产品使用的语言，文档中可能无法确保完全使用非歧视性语言。深入了解思科如何使用包容性语言。

关于此翻译

思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言，希望全球的用户都能通过各自的语言得到支持性的内容。请注意：即使是最好的机器翻译，其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任，并建议您总是参考英文原始文档（已提供链接）。

简介

本文档介绍如何通过接口Null0配置IPv6中的黑洞。黑洞路由是允许管理员通过将流量动态路由到失效接口或收集信息以供调查的主机来阻止非法流量(例如来自非法源的流量或拒绝服务(DoS)攻击生成的流量)的方法，可减轻攻击对网络的影响。

先决条件

要求

尝试进行此配置之前，请确保满足以下要求：

了解 BGP 路由协议及其操作
了解 IPv6 编址方案

路由器 R1
路由器 R2

路由器 R1
! hostname R1 ! no ip domain lookup ip cef ipv6 unicast-routing ipv6 cef ! ! interface Loopback1 no ip address ipv6 address AA::1/128 ipv6 enable ipv6 ospf 10 area 0 ! interface Loopback10 no ip address ipv6 address AA:10::10/128 ipv6 enable ! interface FastEthernet1/0 no ip address speed auto duplex auto ipv6 address 2012:AA::1/64 ipv6 enable ipv6 ospf 10 area 0 ! router bgp 6501 bgp router-id 1.1.1.1 bgp log-neighbor-changes no bgp default ipv4-unicast neighbor BB::1 remote-as 6502 neighbor BB::1 ebgp-multihop 2 neighbor BB::1 update-source Loopback1 ! address-family ipv4 exit-address-family ! address-family ipv6 redistribute static network AA:10::10/128 neighbor BB::1 activate exit-address-family ! ipv6 route 20:20::20/128 Null0 ipv6 router ospf 10 router-id 1.1.1.1 ! end

路由器 R1

!
hostname R1
!
no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
interface Loopback1
 no ip address
 ipv6 address AA::1/128
 ipv6 enable
 ipv6 ospf 10 area 0
!
interface Loopback10
 no ip address
 ipv6 address AA:10::10/128
 ipv6 enable
!
interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
 ipv6 address 2012:AA::1/64
 ipv6 enable
 ipv6 ospf 10 area 0
!
router bgp 6501
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor BB::1 remote-as 6502
 neighbor BB::1 ebgp-multihop 2
 neighbor BB::1 update-source Loopback1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
  redistribute static
  network AA:10::10/128
  neighbor BB::1 activate
 exit-address-family
!
ipv6 route 20:20::20/128 Null0
ipv6 router ospf 10
 router-id 1.1.1.1
!
end

路由器 R2
! hostname R2 ! ipv6 unicast-routing ipv6 cef ! ! interface Loopback1 no ip address ipv6 address BB::1/128 ipv6 enable ipv6 ospf 10 area 0 ! interface Loopback20 no ip address ipv6 address 20:20::20/128 ipv6 enable ! interface FastEthernet1/0 no ip address speed auto duplex auto ipv6 address 2012:AA::2/64 ipv6 enable ipv6 ospf 10 area 0 ! router bgp 6502 bgp router-id 2.2.2.2 bgp log-neighbor-changes no bgp default ipv4-unicast neighbor AA::1 remote-as 6501 neighbor AA::1 ebgp-multihop 2 neighbor AA::1 update-source Loopback1 ! address-family ipv4 exit-address-family ! address-family ipv6 network 20:20::20/128 neighbor AA::1 activate exit-address-family ! ipv6 router ospf 10 router-id 2.2.2.2 ! end

路由器 R2

!
hostname R2
!
ipv6 unicast-routing
ipv6 cef
!
!
interface Loopback1
 no ip address
 ipv6 address BB::1/128
 ipv6 enable
 ipv6 ospf 10 area 0
!
interface Loopback20
 no ip address
 ipv6 address 20:20::20/128
 ipv6 enable
!
interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
 ipv6 address 2012:AA::2/64
 ipv6 enable
 ipv6 ospf 10 area 0
!
router bgp 6502
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor AA::1 remote-as 6501
 neighbor AA::1 ebgp-multihop 2
 neighbor AA::1 update-source Loopback1
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
  network 20:20::20/128
  neighbor AA::1 activate
 exit-address-family
!
ipv6 router ospf 10
 router-id 2.2.2.2
!
end

验证

使用本部分可确认配置能否正常运行。

命令输出解释程序（仅限注册用户）(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

要验证eBGP配置，请在路由器R1中使用show ipv6 route bgp和show bgp ipv6 unicast命令。

路由器 R1
show ipv6 route R1#show ipv6 route bgp IPv6 Routing Table - default - 7 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 !--- The router R2 advertises the network 20:20::20/128, !--- but still the routing table is empty. 要检查哪些是 BGP 接收的路由，请使用 show bgp ipv6 unicast 命令。 R1#show bgp ipv6 unicast BGP table version is 3, local router ID is 1.1.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, I - internal, r RIB-failure, S Stale Origin codes: I - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path * 20:20::20/128 BB::1 0 0 6502 I > :: 0 32768 ? > AA:10::10/128 :: 0 32768 I !--- Note that the route 20:20::20/128 is received, !--- but it is not installed in the routing table.

路由器 R1

show ipv6 route

R1#show ipv6 route bgp
IPv6 Routing Table - default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

!--- The router R2 advertises the network 20:20::20/128, !--- but still the routing table is empty.

要检查哪些是 BGP 接收的路由，请使用 show bgp ipv6 unicast 命令。

R1#show bgp ipv6 unicast
BGP table version is 3, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, I - internal,
              r RIB-failure, S Stale
Origin codes: I - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  20:20::20/128    BB::1                    0             0 6502 I
*>                  ::                       0         32768 ?
*> AA:10::10/128    ::                       0         32768 I

!--- Note that the route 20:20::20/128 is received, !--- but it is not installed in the routing table.

请使用来源作为环回接口 20，以便从路由器 R2 ping 路由器 R1。

R2#ping ipv6 AA:10::10 source lo20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to AA:10::10, timeout is 2 seconds:
Packet sent with a source address of 20:20::20
.....
Success rate is 0 percent (0/5)

!--- The reason is the ICMP packet reaches !--- router R1 with source address as !--- 20:20::20/128 and therefore gets dropped.

尝试在不使用环回接口作为来源的情况下从路由器 R2 ping 路由器 R1。

R2#ping AA:10::10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to AA:10::10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/61/180 ms

!--- In this case, the ICMP packet has !--- the source address as BB::1.

如果从路由器R1中删除ipv6 route 20:20::20/128 Null0语句，则路由器R2通告的路由20:20::20/128将安装在路由器R1的路由表中。以下是输出示例：

在路由器 R1 中
R1(config)#no ipv6 route 20:20::20/128 Null0 !--- The Null0 command in removed from router R1. R1#show bgp ipv6 unicast BGP table version is 7, local router ID is 1.1.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, I - internal, r RIB-failure, S Stale Origin codes: I - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path > 20:20::20/128 :: 0 32768 ? BB::1 0 0 6502 I > AA:10::10/128 :: 0 32768 I !--- After the removal of the statement, !--- the route 20:20::20/128 is shown as best route.* R1#show ipv6 route bgp IPv6 Routing Table - default - 7 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 B 20:20::20/128 [20/0] via BB::1 !--- You can see that the route is displayed in routing table.

在路由器 R1 中

R1(config)#no ipv6 route 20:20::20/128 Null0



!--- The Null0 command in removed from router R1.


R1#show bgp ipv6 unicast
BGP table version is 7, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, I - internal,
              r RIB-failure, S Stale
Origin codes: I - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 20:20::20/128    ::                       0         32768 ?
*                   BB::1                    0             0 6502 I
*> AA:10::10/128    ::                       0         32768 I

!--- After the removal of the statement, !--- the route 20:20::20/128 is shown as best route.


R1#show ipv6 route bgp
IPv6 Routing Table - default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       D - EIGRP, EX - EIGRP external, ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
B   20:20::20/128 [20/0]
    via BB::1


!--- You can see that the route is displayed in routing table.

现在请设法从路由器 R2 ping 路由器 R1，将来源作为环回接口 Lo 20。

R2#ping ipv6  AA:10::10 source lo20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to AA:10::10, timeout is 2 seconds:
Packet sent with a source address of 20:20::20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/54/140 ms

!--- You can see that the ping is successful.

通过接口 Null0 配置 IPv6 黑洞

下载选项

非歧视性语言

关于此翻译

目录

简介

先决条件

要求

使用的组件

规则

配置

网络图

示例配置

验证

相关信息

修订历史记录

此文档是否有帮助?

联系我们

本文档适用于以下产品