Inconsistencies with RIP as the routing protocol
Class: Exploration 2
Date: 4 October 2013
Scenario
This scenario reproduces a typical failure produced by a misconfigured ACL, or by an ACL that omits a permit for the packets of the routing protocol in use. Here the convergence delay of RIP (both v1 and v2) creates a "black hole": the two routing tables differ, yet end-to-end connectivity still works, and is only lost several minutes after the ACL is applied. This can make the problem hard to resolve quickly, because in this kind of scenario the network downtime normally begins almost instantly after the change.
Preliminary test: reaction to a link failure (changes at layers 1 and 2)
Cordoba(config)#interface Serial0/0/1
Cordoba(config-if)#shutdown          (we bring the link down)
Cordoba(config-if)#
%LINK-5-CHANGED: Interface Serial0/0/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to down
RIP: sending v1 update to 255.255.255.255 via FastEthernet0/0 (192.168.1.1)
RIP: build update entries          (a triggered update is generated)
     network 172.16.0.0 metric 16
     network 192.168.0.0 metric 16
Rosario#debug ip rip events
RIP event debugging is on
Rosario#
RIP: received v1 update from 172.16.0.2 on Serial0/0/0
     172.16.0.4 in 1 hops
     192.168.1.0 in 2 hops
RIP: received v1 update from 172.16.0.2 on Serial0/0/0          (the triggered update is received)
     172.16.0.4 in 16 hops
     192.168.1.0 in 16 hops
PC>ping -t 192.168.1.10
Pinging 192.168.1.10 with 32 bytes of data:
Reply from 192.168.1.10: bytes=32 time=78ms TTL=125          (moment the link goes down)
Reply from 192.168.1.10: bytes=32 time=63ms TTL=125
Reply from 192.168.1.10: bytes=32 time=63ms TTL=125
Reply from 172.16.0.2: Destination host unreachable.
Reply from 172.16.0.2: Destination host unreachable.
Reply from 172.16.0.2: Destination host unreachable.
Reply from 172.16.0.2: Destination host unreachable.
Objective of the scenario: reaction to the loss of a neighbor (no changes at layers 1 and 2)
Unlike the previous test, traffic is blocked at layer 3 of the OSI model, so no triggered updates with metric 16 (RIP's "infinity") are generated and the neighbor simply goes silent.
Cordoba#sh ip route          (we verify convergence)
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 2 subnets
R       172.16.0.0 [120/1] via 172.16.0.5, 00:00:07, Serial0/0/1
C       172.16.0.4 is directly connected, Serial0/0/1
R    192.168.0.0/24 [120/2] via 172.16.0.5, 00:00:07, Serial0/0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
Cordoba#
Cordoba#configure terminal          (we apply the ACL)
Enter configuration commands, one per line. End with CNTL/Z.
Cordoba(config)#interface Serial0/0/1
Cordoba(config-if)#ip access-group 100 in
Cordoba(config-if)#^Z
Cordoba#
Cordoba#sh access-lists          (this scenario does not study the ACL itself, so a simple one was written to destabilize the network)
Extended IP access list 100
    permit icmp any any (11 match(es))
    deny ip any any (1 match(es))
Cordoba#sh ip route
Codes: (legend as above)

Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 2 subnets
R       172.16.0.0 [120/1] via 172.16.0.5, 00:01:22, Serial0/0/1
C       172.16.0.4 is directly connected, Serial0/0/1
R    192.168.0.0/24 [120/2] via 172.16.0.5, 00:01:22, Serial0/0/1          (in 3 minutes it will go to metric 16)
C    192.168.1.0/24 is directly connected, FastEthernet0/0
Cordoba#
The two routing tables are now different, but connectivity continues.
Cordoba#sh ip route
Codes: (legend as above)

Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 2 subnets
R       172.16.0.0 is possibly down, routing via 172.16.0.5, Serial0/0/1
C       172.16.0.4 is directly connected, Serial0/0/1
R    192.168.0.0/24 is possibly down, routing via 172.16.0.5, Serial0/0/1          (after 3 minutes)
C    192.168.1.0/24 is directly connected, FastEthernet0/0
Cordoba#sh access-lists
Extended IP access list 100
    permit icmp any any (342 match(es))
    deny ip any any (15 match(es))          (15 packets every 30 seconds = 450 seconds = 4.5 minutes)
Cordoba#
Cordoba#debug ip routing
RT: del 192.168.0.0 via 172.16.0.5, rip metric [120/16]          (Rosario's local network)
RT: delete network route to 192.168.0.0
RT: NET-RED 192.168.0.0/24
RT: del 172.16.0.0 via 172.16.0.5, rip metric [120/16]          (Rosario-WAN segment)
RT: delete network route to 172.16.0.0
RT: NET-RED 172.16.0.0/30
Cordoba#sh ip route
Codes: (legend as above)

Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 1 subnets
C       172.16.0.4 is directly connected, Serial0/0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
Cordoba#
Rosario#debug ip rip events
RIP event debugging is on
Rosario#RIP: received v1 update from 172.16.0.2 on Serial0/0/0
     172.16.0.4 in 1 hops
     192.168.1.0 in 2 hops
Rosario#
Rosario#sh ip route
Codes: (legend as above)

Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 2 subnets
C       172.16.0.0 is directly connected, Serial0/0/0
R       172.16.0.4 [120/1] via 172.16.0.2, 00:00:19, Serial0/0/0
C    192.168.0.0/24 is directly connected, FastEthernet0/0
R    192.168.1.0/24 [120/2] via 172.16.0.2, 00:00:19, Serial0/0/0          (the route remains active: Cordoba's updates still reach Rosario)
Rosario#
PC>ping -t 192.168.1.10
Pinging 192.168.1.10 with 32 bytes of data:
Reply from 192.168.1.10: bytes=32 time=63ms TTL=125          (ACL applied)
Reply from 192.168.1.10: bytes=32 time=63ms TTL=125
---abridged---
Reply from 192.168.1.10: bytes=32 time=62ms TTL=125
Reply from 192.168.1.10: bytes=32 time=62ms TTL=125
Reply from 192.168.1.10: bytes=32 time=62ms TTL=125
Request timed out.
Request timed out.
Ping statistics for 192.168.1.10:
    Packets: Sent = 378, Received = 375, Lost = 3 (1% loss),
Approximate round trip times in milli-seconds:
    Minimum = 16ms, Maximum = 141ms, Average = 61ms
Control-C
^C
PC>
Implementation with EIGRP
Cordoba#sh ip route          (verification)
Codes: (legend as above)

Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 2 subnets
D       172.16.0.0 [90/2681856] via 172.16.0.5, 00:00:09, Serial0/0/1
C       172.16.0.4 is directly connected, Serial0/0/1
D    192.168.0.0/24 [90/2684416] via 172.16.0.5, 00:00:09, Serial0/0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
Cordoba#
Cordoba#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Cordoba(config)#interface Serial0/0/1
Cordoba(config-if)#ip access-group 100 in
Cordoba(config-if)#
%DUAL-5-NBRCHANGE: IP-EIGRP 10: Neighbor 172.16.0.5 (Serial0/0/1) is down: holding time expired
RT: del 172.16.0.0 via 172.16.0.5, eigrp metric [90/2681856]
RT: delete network route to 172.16.0.0
RT: NET-RED 172.16.0.0/30
RT: del 192.168.0.0 via 172.16.0.5, eigrp metric [90/2684416]
RT: delete network route to 192.168.0.0
RT: NET-RED 192.168.0.0/24
Cordoba#
PC>ping -t 192.168.1.10
Pinging 192.168.1.10 with 32 bytes of data:
Reply from 192.168.1.10: bytes=32 time=78ms TTL=125          (ACL applied)
Reply from 192.168.1.10: bytes=32 time=46ms TTL=125
Reply from 192.168.1.10: bytes=32 time=63ms TTL=125
Reply from 192.168.1.10: bytes=32 time=63ms TTL=125
Reply from 192.168.1.10: bytes=32 time=63ms TTL=125
Reply from 192.168.1.10: bytes=32 time=47ms TTL=125
Reply from 192.168.1.10: bytes=32 time=62ms TTL=125
Reply from 192.168.1.10: bytes=32 time=63ms TTL=125
Reply from 192.168.1.10: bytes=32 time=63ms TTL=125
Reply from 192.168.1.10: bytes=32 time=63ms TTL=125
Reply from 192.168.1.10: bytes=32 time=63ms TTL=125
Reply from 192.168.1.10: bytes=32 time=62ms TTL=125
Reply from 192.168.1.10: bytes=32 time=62ms TTL=125
Reply from 192.168.1.10: bytes=32 time=78ms TTL=125
Reply from 192.168.1.10: bytes=32 time=62ms TTL=125
Reply from 192.168.1.10: bytes=32 time=63ms TTL=125
Reply from 192.168.0.1: Destination host unreachable.
Reply from 192.168.0.1: Destination host unreachable.
Reply from 192.168.0.1: Destination host unreachable.
Reply from 192.168.0.1: Destination host unreachable.
Ping statistics for 192.168.1.10:
    Packets: Sent = 21, Received = 17, Lost = 4 (20% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 78ms, Average = 62ms
Control-C
^C
PC>
Implementation with OSPF
Cordoba#sh ip route          (verification)
Codes: (legend as above)

Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 2 subnets
O       172.16.0.0 [110/128] via 172.16.0.5, 00:00:02, Serial0/0/1
C       172.16.0.4 is directly connected, Serial0/0/1
O    192.168.0.0/24 [110/129] via 172.16.0.5, 00:00:02, Serial0/0/1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
Cordoba#
Cordoba(config)#interface Serial0/0/1
Cordoba(config-if)#ip access-group 100 in
Cordoba(config-if)#
00:57:37: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.0.5 on Serial0/0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
00:57:37: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.0.5 on Serial0/0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
RT: del 172.16.0.0 via 172.16.0.5, ospf metric [110/128]
RT: delete network route to 172.16.0.0
RT: NET-RED 172.16.0.0/30
RT: del 192.168.0.0 via 172.16.0.5, ospf metric [110/129]
RT: delete network route to 192.168.0.0
RT: NET-RED 192.168.0.0/24
Cordoba#
PC>ping -t 192.168.1.10          (ACL applied)
Pinging 192.168.1.10 with 32 bytes of data:
Reply from 192.168.1.10: bytes=32 time=63ms TTL=125
Reply from 192.168.1.10: bytes=32 time=47ms TTL=125
---abridged---
Reply from 192.168.1.10: bytes=32 time=62ms TTL=125
Reply from 192.168.1.10: bytes=32 time=47ms TTL=125
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.10:
    Packets: Sent = 39, Received = 36, Lost = 3 (8% loss),
Approximate round trip times in milli-seconds:
    Minimum = 32ms, Maximum = 78ms, Average = 60ms
Control-C
^C
PC>
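The three runs above differ only in how long the stale route survives on Cordoba once the inbound ACL silences the neighbor: minutes with RIP, seconds with EIGRP and OSPF. The following timer model is an added example, not part of the original lab, that reproduces the transitions seen in the RIP, EIGRP and OSPF sections. The timer values are Cisco IOS defaults (RIP update 30 s / invalid 180 s / flush 240 s; EIGRP hello 5 s / hold 15 s; OSPF hello 10 s / dead 40 s on a point-to-point serial link) and are an assumption of the model, since the lab never prints them; the function names are the example's own.

```python
"""Liveness-timer model of the lab's three protocols (added example).

The ACL is inbound on Cordoba's Serial0/0/1: it discards the neighbor's
updates and hellos while Cordoba's own packets still leave the interface.
Cordoba therefore keeps whatever it last learned until its own timers expire.
"""

# Cisco IOS default timers in seconds (assumed; the lab does not print them).
#   interval    : how often the neighbor sends an update/hello
#   unreachable : silence after which the neighbor/route is declared dead
#   withdraw    : silence after which the route leaves the routing table
TIMERS = {
    "rip":   {"interval": 30, "unreachable": 180, "withdraw": 240},
    "eigrp": {"interval": 5,  "unreachable": 15,  "withdraw": 15},
    "ospf":  {"interval": 10, "unreachable": 40,  "withdraw": 40},
}


def route_state(proto, last_heard, now):
    """State on Cordoba of a route learned from the now-silent neighbor.

    `last_heard` is the time of the last update or hello that got through
    (at the latest, the moment the ACL was applied)."""
    t = TIMERS[proto]
    elapsed = now - last_heard
    if elapsed < t["unreachable"]:
        return "up"              # normal entry, packets forwarded
    if elapsed < t["withdraw"]:
        return "possibly down"   # RIP holddown: metric 16, still in the table
    return "removed"             # flushed; forwarding needs another route


def expected_deny_matches(proto, acl_applied_at, now):
    """Hits the 'deny ip any any' entry should accumulate from the neighbor's
    periodic routing packets alone (ICMP is permitted by an earlier entry)."""
    return int((now - acl_applied_at) // TIMERS[proto]["interval"])


def stale_route_lifetime(proto):
    """Seconds between the ACL taking effect and the stale route disappearing:
    the window in which the two routers' tables disagree."""
    return TIMERS[proto]["withdraw"]


def timeline(proto, last_heard, until):
    """(seconds since last_heard, state) at every state change."""
    events, prev = [], None
    for now in range(last_heard, until + 1):
        state = route_state(proto, last_heard, now)
        if state != prev:
            events.append((now - last_heard, state))
            prev = state
    return events


if __name__ == "__main__":
    for proto in TIMERS:
        print(f"{proto:6s} stale route lives {stale_route_lifetime(proto):3d}s: "
              f"{timeline(proto, 0, 300)}")
    # The lab's 15 deny hits correspond to 450 s of blocked RIP updates.
    print("RIP deny hits after 450 s:", expected_deny_matches("rip", 0, 450))
```

Running the model reproduces the lab's arithmetic: the RIP route is shown as "possibly down" from 180 s and is flushed at 240 s, the deny counter reaches 15 after 450 s of 30-second updates, and the EIGRP and OSPF routes are withdrawn at 15 s and 40 s respectively, which is why those two runs lose pings almost immediately.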
Access list correctly configured to permit the routing protocols:
For RIP:
Cordoba#sh access-lists
Extended IP access list 100
    permit icmp any any (342 match(es))
    permit udp any any eq rip (10 match(es))          (not supported in Packet Tracer)
or
    permit udp any any eq 520 (10 match(es))          (supported in Packet Tracer)
    deny ip any any
Cordoba#
Full frame/packet/segment detail:
For the other protocols:
Cordoba(config)#access-list 100 permit ?
  ahp    Authentication Header Protocol
  eigrp  Cisco's EIGRP routing protocol
  esp    Encapsulation Security Payload
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
Cordoba(config)#access-list 100 permit ospf any any
Cordoba(config)#access-list 100 permit eigrp any any
Cordoba(config)#
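Whether a permit for the routing protocol is present is not enough; where it sits matters, because an extended ACL is evaluated top-down and a numbered ACL appends new entries at the end, after an existing deny ip any any. The following first-match evaluator is an added example, not the lab's own code, that runs ACL 100 in its broken and corrected forms against the packets each protocol sends on the serial link (RIP over UDP port 520, EIGRP as IP protocol 88, OSPF as IP protocol 89). It only understands the "any any" source/destination form used on this page; the packet definitions are constructed and the function names are the example's own.

```python
"""First-match evaluator for the page's extended ACL 100 (added example)."""
from dataclasses import dataclass
from typing import Optional

# IANA IP protocol numbers; "ip" matches any protocol.
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "eigrp": 88, "ospf": 89}
RIP_UDP_PORT = 520   # RIPv1/v2 use UDP port 520 (the IOS keyword "rip")

# Packets each protocol generates on the lab's serial link (constructed).
ROUTING_PACKETS = {
    "rip":   {"proto": 17, "dst_port": RIP_UDP_PORT},
    "eigrp": {"proto": 88, "dst_port": None},
    "ospf":  {"proto": 89, "dst_port": None},
    "icmp":  {"proto": 1,  "dst_port": None},   # the ping the lab uses as a probe
}


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    protocol: str                   # a key of PROTO_NUM
    dst_port: Optional[int] = None  # "eq N" on tcp/udp entries
    matches: int = 0                # the "(N match(es))" counter of show access-lists


def parse_ace(line):
    """Parse 'permit udp any any eq 520', 'permit udp any any eq rip' or 'deny ip any any'."""
    toks = line.split()
    action, proto = toks[0], toks[1]
    if action not in ("permit", "deny") or proto not in PROTO_NUM:
        raise ValueError(f"unsupported ACE: {line}")
    port = None
    if "eq" in toks:
        port_tok = toks[toks.index("eq") + 1]
        port = RIP_UDP_PORT if port_tok == "rip" else int(port_tok)
    return Ace(action, proto, port)


def evaluate(acl, proto, dst_port=None):
    """Walk the ACL top-down; the first matching entry decides, else implicit deny."""
    for ace in acl:
        want = PROTO_NUM[ace.protocol]
        if want is not None and want != proto:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        ace.matches += 1
        return ace.action
    return "deny"


def routing_verdicts(lines):
    """Verdict for every protocol's packets under the given ACL lines."""
    acl = [parse_ace(line) for line in lines]
    return {name: evaluate(acl, **pkt) for name, pkt in ROUTING_PACKETS.items()}


def blocked_routing_protocols(lines):
    """The check to run before applying an ACL inbound on an interface that
    runs a routing protocol: which protocols would it silence?"""
    return sorted(name for name, verdict in routing_verdicts(lines).items()
                  if name != "icmp" and verdict == "deny")


# ACL 100 as first applied in the lab: only ICMP survives, so every routing
# protocol is dropped and the stale-route black hole follows.
BROKEN = ["permit icmp any any", "deny ip any any"]

# ACL 100 as corrected on the page: the permits sit before the final deny.
FIXED = ["permit icmp any any",
         "permit udp any any eq 520",
         "permit ospf any any",
         "permit eigrp any any",
         "deny ip any any"]

# The permits typed while 'deny ip any any' already exists: IOS appends them
# after the deny, so they are never reached.
APPENDED_AFTER_DENY = BROKEN + ["permit ospf any any", "permit eigrp any any"]


if __name__ == "__main__":
    for label, lines in (("broken", BROKEN), ("fixed", FIXED),
                         ("appended after deny", APPENDED_AFTER_DENY)):
        print(f"{label:20s} blocks: {blocked_routing_protocols(lines)}")
```

The evaluator reports that the original ACL blocks all three routing protocols while still permitting the ping, which is exactly the combination that hides the failure behind RIP's timers, and that the corrected list blocks none of them. The third case shows the ordering caveat: the same permit ospf / permit eigrp lines added to an ACL that already ends in deny ip any any leave the protocols blocked, so the list has to be rebuilt with the permits ahead of the deny.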
Source: (2013) Networking for lonely nights, Rosario, Argentina