Linux kernel 4.9 does not respond to neighbor solicitations

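I have a small network in which a Linux kernel 4.9 machine acts as a v6 router. Two other servers are connected to this router, and both have IPv6 addresses configured on the interfaces connected to it. The address prefix is fc::/8.

But when I try to ping one server from the other, it fails with the error "Address unreachable".

So I tried pinging the local v6 address on the router, but that also fails with the error "Address unreachable".

When I checked a packet capture, I saw the server trying to obtain the MAC address using neighbor solicitation, but the Linux router does not respond to it. I have enabled v6 forwarding.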

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:53:02.828354 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32
17:53:03.869313 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32
17:53:04.907996 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32
17:53:05.947761 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32
17:53:06.987722 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32
17:53:08.027434 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32
17:53:09.067203 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32
17:53:10.107501 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32
17:53:11.146856 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32
17:53:12.186701 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32
17:53:13.226875 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32
17:53:14.266411 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32
17:53:15.306211 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32
17:53:16.346467 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32

Router-side interfaces:

3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:e0:67:09:97:85 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global enp2s0
       valid_lft forever preferred_lft forever
    inet6 fdcd:dead:beef:babe::3/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:67ff:fe09:9785/64 scope link
       valid_lft forever preferred_lft forever

4: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:e0:67:09:97:86 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fdcd:dead:beef:cafe::3/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:67ff:fe09:9786/64 scope link
       valid_lft forever preferred_lft forever

Router-side routing configuration:

::1 dev lo proto kernel metric 256  pref medium
0:0:0:a::/64 dev enp4s0 proto kernel metric 256  expires 86348sec pref medium
fdcd:dead:beef:babe::/64 dev enp2s0 proto kernel metric 256  pref medium
fdcd:dead:beef:cafe::/64 dev enp3s0 proto kernel metric 256  pref medium
fe80::/64 dev enp2s0 proto kernel metric 256  pref medium
fe80::/64 dev enp3s0 proto kernel metric 256  pref medium
fe80::/64 dev enp4s0 proto kernel metric 256  pref medium
fe80::/64 dev enp1s0 proto kernel metric 256  pref medium
default via fe80::6238:e0ff:fed0:1db9 dev enp4s0 proto ra metric 1024  expires 1748sec hoplimit 64 pref medium

Host 1 interface:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b8:27:eb:0d:e9:58 brd ff:ff:ff:ff:ff:ff
    inet6 fdcd:dead:beef:babe::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ba27:ebff:fe0d:e958/64 scope link
       valid_lft forever preferred_lft forever

Routing configuration:

fdcd:dead:beef:babe::/64 dev eth0 proto kernel metric 256  pref medium
fdcd:dead:beef:cafe::/64 dev eth0 metric 1024  pref medium
fe80::/64 dev eth1 proto kernel metric 256  pref medium
fe80::/64 dev eth0 proto kernel metric 256  pref medium
default via fdcd:dead:beef:babe::3 dev eth0 metric 1024  pref medium

Host 2 interface:

3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:e0:67:09:97:81 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.2/24 brd 192.168.100.255 scope global enp2s0
       valid_lft forever preferred_lft forever
    inet6 fdcd:dead:beef:cafe::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:67ff:fe09:9781/64 scope link
       valid_lft forever preferred_lft forever

Routing configuration:

fdcd:dead:beef:babe::/64 dev enp2s0 metric 1024  pref medium
fdcd:dead:beef:cafe::/64 dev enp2s0 proto kernel metric 256  pref medium
fe80::/64 dev enp2s0 proto kernel metric 256  pref medium
fe80::/64 dev enp1s0 proto kernel metric 256  pref medium

Network:

Host A (eth0) <----> L2 switch A <---> Linux v6 router (enp2s0)

Host B (enp2s0) <----> L2 switch B <---> Linux v6 router (enp3s0)

Firewall configuration:

root@XXXXX:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

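Any help is greatly appreciated.

Answer 1

I just ran into this problem. When running tcpdump on the target machine, I could not see the neighbor solicitation packets arriving at all, so the machine was not responding because it never saw the request in the first place. The fact that tcpdump on one machine told me the packets were being sent, while tcpdump on the target machine told me they were not arriving, told me the problem was not with the two machines but with whatever sits between them, in this case the network switch. ip6tables is not the problem in this situation, because tcpdump monitors the raw network traffic before ip6tables processes it, so even if you have rules that block the traffic, those packets are still visible to tcpdump.

The problem was in the Cisco 2975 switch I was using, whose firmware has a problem with IPv6 multicast. I had noticed that my IPv6 multicast traffic was being forwarded to every port on the switch, so that uninterested machines received it, taking up part of the network bandwidth. With MLD snooping enabled, the switch monitors multicast subscription messages and forwards multicast traffic only to the ports that have subscribed to it.

Neighbor solicitation messages are also sent via multicast, and the switch should forward these to all ports even if they have not subscribed to them. But due to an apparent bug, the switch treats them like any other multicast traffic and does not forward them, because no machine has subscribed to those addresses (and you are not supposed to). The switch correctly forwarded the simpler broadcasts (such as ff02::1), but not the more complex neighbor solicitations, which include part of the MAC address to narrow down the number of recipients.

When I disabled MLD snooping on the switch (config: no ipv6 mld snooping), everything immediately started working.

Since this switch has long been out of support, I guess my only options are to live with the extra network traffic or replace it with a newer switch with better IPv6 support.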
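
The comparison this answer describes (solicitations visible in the sender's capture but absent from the target's) can be scripted; the following is an added example, not part of the original answer. It also derives the solicited-node group (RFC 4291) and the Ethernet multicast address (RFC 2464) to look for in the switch's MLD snooping state. The function names and the two-line sample capture are constructed for illustration.

```python
import ipaddress
import re

def solicited_node(target: str) -> ipaddress.IPv6Address:
    """RFC 4291: ff02::1:ff00:0/104 plus the low 24 bits of the target address."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def multicast_mac(group) -> str:
    """RFC 2464: Ethernet destination is 33:33 plus the group's low 32 bits."""
    low32 = (int(ipaddress.IPv6Address(str(group))) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)

# Matches tcpdump's default (non-verbose) text output for a neighbor solicitation.
NS = re.compile(r"IP6 (\S+) > (\S+): ICMP6, neighbor solicitation, who has ([0-9a-fA-F:]+),")

def solicitations(lines):
    """Yield (source, destination, target) for every NS line in a capture."""
    for line in lines:
        m = NS.search(line)
        if m:
            yield tuple(ipaddress.IPv6Address(g) for g in m.groups())

def lost_in_transit(sender_capture, receiver_capture):
    """Targets solicited on the sender's wire that never reached the receiver."""
    seen = {(src, tgt) for src, _, tgt in solicitations(receiver_capture)}
    lost = {}
    for src, dst, tgt in solicitations(sender_capture):
        if not dst.is_multicast or (src, tgt) in seen:
            continue  # unicast probes are not subject to multicast snooping
        entry = lost.setdefault(tgt, {"group": dst, "mac": multicast_mac(dst),
                                      "dst_ok": dst == solicited_node(tgt), "count": 0})
        entry["count"] += 1
    return lost

# Constructed sample: two lines in the format of the capture in the question,
# and an empty list standing in for a capture taken on the target machine.
SENDER = [
    "17:53:02.828354 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32",
    "17:53:03.869313 IP6 fdcd:dead:beef:babe::2 > ff02::1:ff00:3: ICMP6, neighbor solicitation, who has fdcd:dead:beef:cafe::3, length 32",
]
RECEIVER = []

if __name__ == "__main__":
    for tgt, info in lost_in_transit(SENDER, RECEIVER).items():
        print(f"{tgt}: {info['count']} NS never arrived; group {info['group']} "
              f"(Ethernet {info['mac']}), destination matches target: {info['dst_ok']}")
```
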
