How does F5 BigIP route packets within/between its route domains?


I have an F5 BigIP device. On this BigIP I created a test partition named test123, with its route domains, VLANs and self IPs in partition test123, as shown below:

Description:


[root@bigip:Active:Standalone] partitions # cat test123/bigip_base.conf
#TMSH-VERSION: 14.1.0

net route-domain /test123/test111 {
    id 111
    strict disabled
    vlans {
        /test123/test111
    }
}
net route-domain /test123/test321 {
    id 321
    strict disabled
    vlans {
        /test123/test321
    }
}
net self /test123/test111 {
    address 172.168.111.111%111/24
    allow-service all
    traffic-group /Common/traffic-group-local-only
    vlan /test123/test111
}
net self /test123/test321 {
    address 172.168.32.32%321/24
    allow-service all
    traffic-group /Common/traffic-group-local-only
    vlan /test123/test321
}
net vlan /test123/test111 {
    interfaces {
        1.1 {
            tagged
        }
    }
    sflow {
        poll-interval-global no
        sampling-rate-global no
    }
    tag 111
}
net vlan /test123/test123 {
    interfaces {
        1.1 {
            tagged
        }
    }
    sflow {
        poll-interval-global no
        sampling-rate-global no
    }
    tag 123
}
net vlan /test123/test321 {
    interfaces {
        1.1 {
            tagged
        }
    }
    sflow {
        poll-interval-global no
        sampling-rate-global no
    }
    tag 321
}
net fdb vlan /test123/test111 { }
net fdb vlan /test123/test123 { }
net fdb vlan /test123/test321 { }

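As you can see, that is the configuration of partition test123.

I created a tagged VLAN named vlan111 with tag 111, a route domain named test111 with domain ID 111 that uses vlan111, and finally I bound a self IP 172.168.111.111%111/24 on vlan111.

Similarly, for the self IP 172.168.32.32%321/24, I created a tagged VLAN named vlan321 with tag 321, a route domain named test321 with domain ID 321 that uses vlan321, and finally I bound a self IP 172.168.32.32%321/24 on vlan321.

So far, I have the self IPs 172.168.111.111%111 and 172.168.32.32%321.

Then I ssh into my BigIP terminal and ping each IP locally, as shown below: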

# I am in the default route-domain ping both IP without domain id
# cannot reach.

[root@bigip:Active:Standalone] partitions # ping -W 5 -c 3 172.168.111.111
PING 172.168.111.111 (172.168.111.111) 56(84) bytes of data.

--- 172.168.111.111 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

[root@bigip:Active:Standalone] partitions # ping -W 5 -c 3 172.168.32.32
PING 172.168.32.32 (172.168.32.32) 56(84) bytes of data.

--- 172.168.32.32 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

# ping with the route domain, they can be reached

[root@bigip:Active:Standalone] partitions # ping -W 5 -c 3 172.168.111.111%111
PING 172.168.111.111%111 (172.168.111.111%111) 56(84) bytes of data.
64 bytes from 172.168.111.111%111: icmp_seq=1 ttl=64 time=0.039 ms
64 bytes from 172.168.111.111%111: icmp_seq=2 ttl=64 time=0.042 ms
64 bytes from 172.168.111.111%111: icmp_seq=3 ttl=64 time=0.043 ms

--- 172.168.111.111%111 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.039/0.041/0.043/0.005 ms

[root@bigip:Active:Standalone] partitions # ping -W 5 -c 3 172.168.32.32%321
PING 172.168.32.32%321 (172.168.32.32%321) 56(84) bytes of data.
64 bytes from 172.168.32.32%321: icmp_seq=1 ttl=64 time=0.032 ms
64 bytes from 172.168.32.32%321: icmp_seq=2 ttl=64 time=0.039 ms
64 bytes from 172.168.32.32%321: icmp_seq=3 ttl=64 time=0.033 ms

--- 172.168.32.32%321 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.032/0.034/0.039/0.007 ms

# Switch to route domain 111, the 172.168.111.111 can be reached.
 
[root@bigip:Active:Standalone] partitions # rdsh 111

[root@bigip:Active:Standalone] partitions # ping -W 5 -c 3 172.168.111.111
PING 172.168.111.111 (172.168.111.111) 56(84) bytes of data.
64 bytes from 172.168.111.111: icmp_seq=1 ttl=64 time=0.027 ms
64 bytes from 172.168.111.111: icmp_seq=2 ttl=64 time=0.025 ms
64 bytes from 172.168.111.111: icmp_seq=3 ttl=64 time=0.035 ms

--- 172.168.111.111 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.025/0.029/0.035/0.004 ms

[root@bigip:Active:Standalone] partitions # ping -W 5 -c 3 172.168.32.32
connect: Network is unreachable

# Ping other route domain IP, it needs %route-domain-id
[root@bigip:Active:Standalone] partitions # ping -W 5 -c 3 172.168.32.32%321
PING 172.168.32.32%321 (172.168.32.32%321) 56(84) bytes of data.
64 bytes from 172.168.32.32%321: icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from 172.168.32.32%321: icmp_seq=2 ttl=64 time=0.029 ms
64 bytes from 172.168.32.32%321: icmp_seq=3 ttl=64 time=0.021 ms

--- 172.168.32.32%321 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.021/0.033/0.050/0.013 ms

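My question: ICMP packets flow between different subnets and route domains with no static gateway configured.

What is the routing flow (process/mechanism) for packets between different route domains inside an F5 BigIP?

I tried to work this out by tracing the route between the different subnets.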

# I switch to 321 route domain
[root@bigip:Active:Standalone] config # rdsh 321


# in 321 route domain net space shows route table, no route to 172.168.111.0/24 network.
[root@bigip:Active:Standalone] config # ip r
127.1.1.0/24 dev if3  proto kernel  scope link  src 127.1.1.254
172.168.32.0/24 dev if5  proto kernel  scope link  src 172.168.32.32


# trace the route, the bigip.hostname is the hostname mapped to IP 172.168.111.111
[root@bigip:Active:Standalone] etc #  tmsh run util traceroute  172.168.111.111%111
traceroute to 172.168.111.111 (172.168.111.111), 30 hops max, 60 byte packets
 1  bigip.hostname (172.168.111.111)  0.047 ms  0.009 ms  0.008 ms


# switch to 111 route domain net space
[root@bigip:Active:Standalone] config # rdsh 111


# the IP bigip.hostname is changed to 172.168.32.32
[root@bigip:Active:Standalone] config # tmsh run util traceroute 172.168.32.32%321
traceroute to 172.168.32.32 (172.168.32.32), 30 hops max, 60 byte packets
 1  bigip.hostname (172.168.32.32)  0.036 ms  0.084 ms  0.070 ms

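It looks like the packet goes straight to the interface, because the IP is a local IP on the BigIP machine. And there is no routing table. Does this mean I can treat it as a local IP, and that there is no routing between IPs of different subnets in different route domains?

But I guess it must have something to do with a mapping? Is there any route domain mapping that can be shown?

There is very little material online about the F5 BigIP route domain mapping mechanism; most of the material on route domains covers the management of BigIP route domains and use cases.

Hope someone can help shed light on this part?

Answer 1

The system (where your CLI commands run) only has access to routes in RD0, which is why you cannot even ping the local interfaces without specifying the other route domain that contains those self IPs. If a parent domain is configured, routes that are not found in the child domain can be looked up in the parent domain, but not the other way around.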
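The lookup rule described in the answer, together with the `%ID` suffix behaviour seen in the question's ping output, as a simplified model. This is an added example, not F5 code and not part of the original post; route domain 999, its 10.99.0.0/24 network and its parent link to 111 are constructed for illustration, and the names `ROUTE_DOMAINS`, `split_rd` and `lookup` are hypothetical.

```python
import ipaddress

# Connected networks per route domain, taken from the self IPs in the question.
# Domain 999 and its parent link are constructed for illustration only.
ROUTE_DOMAINS = {
    111: {"parent": None, "routes": ["172.168.111.0/24"]},
    321: {"parent": None, "routes": ["172.168.32.0/24"]},
    999: {"parent": 111, "routes": ["10.99.0.0/24"]},
}


def split_rd(address, current_rd):
    """Split 'ip%id' into (ip, id); with no suffix the current domain applies."""
    ip, sep, rd = address.partition("%")
    return ipaddress.ip_address(ip), int(rd) if sep else current_rd


def lookup(address, current_rd, domains=ROUTE_DOMAINS):
    """Return (domain id, matched network), or None when no route is found."""
    ip, rd = split_rd(address, current_rd)
    seen = set()
    while rd is not None and rd in domains and rd not in seen:
        seen.add(rd)  # guard against a parent loop in constructed data
        nets = [ipaddress.ip_network(n) for n in domains[rd]["routes"]]
        matches = [n for n in nets if ip in n]
        if matches:
            best = max(matches, key=lambda n: n.prefixlen)  # longest prefix wins
            return rd, str(best)
        rd = domains[rd]["parent"]  # child falls back to parent, never the reverse
    return None


if __name__ == "__main__":
    # (destination, route domain the shell is in), mirroring the rdsh sessions
    for dest, rd in [("172.168.32.32", 111), ("172.168.32.32%321", 111),
                     ("172.168.111.111", 999), ("10.99.0.5", 111)]:
        print(f"from rd {rd}: {dest} -> {lookup(dest, rd)}")
```

The first two cases mirror the `rdsh 111` session in the question: no match without the suffix, a match in domain 321 with it. The last two show the one-way parent fallback.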
