Cannot ping after adding a secondary network interface in AWS EC2

Ubuntu version 20.04.

First, we created a second private IP on the only (primary) network interface. Both private IP addresses could be pinged. The instance then had 2 private IP addresses and 1 public IP address.

Then we attached a secondary network interface with two private IP addresses (no public IP address) to the instance and added the .yaml configuration shown below in this post. The instance now has 4 private IPs and 1 public IP. None of the 4 private IPs can be pinged.

                             First Private IP   Second Private IP
Primary Network Interface    172.31.1.101       172.31.1.102
Secondary Netwk Interface    172.31.2.201       172.31.2.202

/etc/netplan/50-cloud-init.yaml for the primary network interface:

network:
    ethernets:
        ens5:
            addresses:
                - 172.31.1.102/20
            dhcp4: true
            dhcp6: false
            match:
                macaddress: 0e:dc:a1:64:a6:88
            set-name: ens5
    version: 2

/etc/netplan/51-ens6.yaml for the secondary network interface:

network:
  version: 2
  renderer: networkd
  ethernets:
    ens6:
      addresses:
        - 172.31.2.201/20
        - 172.31.2.202/20
      dhcp4: no
      routes:
        - to: 0.0.0.0/0
          via: 172.31.0.1 # Default gateway
          table: 1000
        - to: 172.31.2.201
          via: 0.0.0.0
          scope: link
          table: 1000
        - to: 172.31.2.202
          via: 0.0.0.0
          scope: link
          table: 1000
      routing-policy:
        - from: 172.31.2.201
          table: 1000
        - from: 172.31.2.202
          table: 1000

Output of ip a:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0e:54:c0:50:88:04 brd ff:ff:ff:ff:ff:ff
    inet 172.31.1.102/20 brd 172.31.15.255 scope global ens5
       valid_lft forever preferred_lft forever
    inet 172.31.1.101/20 brd 172.31.15.255 scope global secondary dynamic ens5
       valid_lft 3574sec preferred_lft 3574sec
    inet6 fe80::c54:c0ff:fe50:8804/64 scope link
       valid_lft forever preferred_lft forever
3: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 0e:ff:4a:aa:cb:66 brd ff:ff:ff:ff:ff:ff
    inet 172.31.2.201/20 brd 172.31.15.255 scope global ens6
       valid_lft forever preferred_lft forever
    inet 172.31.2.202/20 brd 172.31.15.255 scope global secondary ens6
       valid_lft forever preferred_lft forever
    inet6 fe80::cff:4aff:feaa:cb66/64 scope link
       valid_lft forever preferred_lft forever

Output of ip r show table 1000:

default via 172.31.0.1 dev ens5 proto dhcp src 172.31.1.101 metric 100
172.31.0.0/20 dev ens6 proto kernel scope link src 172.31.2.201
172.31.0.0/20 dev ens5 proto kernel scope link src 172.31.1.102
172.31.0.1 dev ens5 proto dhcp scope link src 172.31.1.101 metric 100

Output of ip rule:

0:      from all lookup local
0:      from 172.31.2.201 lookup 1000
0:      from 172.31.2.202 lookup 1000
32766:  from all lookup main
32767:  from all lookup default

Output of netplan --debug generate:

DEBUG:command generate: running ['/lib/netplan/generate']
** (generate:2245): DEBUG: 00:33:01.254: Processing input file /etc/netplan/50-cloud-init.yaml..
** (generate:2245): DEBUG: 00:33:01.254: starting new processing pass
** (generate:2245): DEBUG: 00:33:01.255: Processing input file /etc/netplan/51-ens6.yaml..
** (generate:2245): DEBUG: 00:33:01.255: starting new processing pass
** (generate:2245): DEBUG: 00:33:01.255: We have some netdefs, pass them through a final round of validation
** (generate:2245): DEBUG: 00:33:01.255: ens5: setting default backend to 1
** (generate:2245): DEBUG: 00:33:01.255: Configuration is valid
** (generate:2245): DEBUG: 00:33:01.255: ens6: setting default backend to 1
** (generate:2245): DEBUG: 00:33:01.255: Configuration is valid
** (generate:2245): DEBUG: 00:33:01.255: Generating output files..
** (generate:2245): DEBUG: 00:33:01.255: NetworkManager: definition ens5 is not for us (backend 1)
** (generate:2245): DEBUG: 00:33:01.255: NetworkManager: definition ens6 is not for us (backend 1)
(generate:2245): GLib-DEBUG: 00:33:01.255: posix_spawn avoided (fd close requested)

Answer 1

The complete merged netplan configuration is:

network:
    renderer: networkd
    version: 2
    ethernets:
        ens5:
            addresses:
                - 172.31.1.102/20
            dhcp4: true
            dhcp6: false
            match:
                macaddress: 0e:dc:a1:64:a6:88
            set-name: ens5
        ens6:
          addresses:
            - 172.31.2.201/20
            - 172.31.2.202/20
          dhcp4: no
          routes:
            - to: 0.0.0.0/0
              via: 172.31.0.1 # Default gateway
              table: 1000
            - to: 172.31.2.201
              via: 0.0.0.0
              scope: link
              table: 1000
            - to: 172.31.2.202
              via: 0.0.0.0
              scope: link
              table: 1000
          routing-policy:
            - from: 172.31.2.201
              table: 1000
            - from: 172.31.2.202
              table: 1000

One thing to note here is that you explicitly define routes to 172.31.2.201 and 172.31.2.202 in the routing policy. This should be unnecessary, since these are local addresses.

The final routing table shows:

172.31.0.0/20 dev ens5 proto kernel scope link src 172.31.1.102
172.31.0.1 dev ens5 proto dhcp scope link src 172.31.1.101 metric 100

Of course, you did not configure these routes as part of the routing policy. I'm not sure whether this is expected behaviour, since these are link-local routes on the device. However, these routes are the root cause of why you cannot ping the 172.31.2.x addresses: 172.31.0.0/20 has two conflicting routes with the same route metric (priority), and there is a host route declaring that your gateway should be reached through ens5, which means the rest of your routing policy is ineffective because all non-local traffic is being sent out via ens5.

You will need to find out where these routes come from (they are not from the netplan configuration you showed) and remove them to resolve your ping problem.
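The diagnosis above (a duplicate 172.31.0.0/20 route on two devices, and routes in table 1000 that point out of ens5 instead of ens6) can be checked mechanically. The script below is an added example, not code from the thread; `audit_route_table` is a hypothetical helper that takes the text of `ip r show table <id>` plus the interface the table is supposed to route through, and prints one line per problem. The sample input is the table 1000 output quoted in the question.

```shell
#!/bin/sh
# Constructed sample: the "ip r show table 1000" output from the question.
SAMPLE_TABLE='default via 172.31.0.1 dev ens5 proto dhcp src 172.31.1.101 metric 100
172.31.0.0/20 dev ens6 proto kernel scope link src 172.31.2.201
172.31.0.0/20 dev ens5 proto kernel scope link src 172.31.1.102
172.31.0.1 dev ens5 proto dhcp scope link src 172.31.1.101 metric 100'

# Hypothetical helper (assumption: a per-ENI policy table should only
# contain routes over that ENI).
#   $1 = route table text (as printed by "ip r show table N")
#   $2 = the interface this table is meant to use (e.g. ens6)
# Prints "CONFLICT ..." when one prefix appears on two different devices
# (equal-metric kernel routes, as in the question) and "WRONGDEV ..." for
# every route that leaves through some other interface.
audit_route_table() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            dst = $1; dev = ""
            for (i = 2; i <= NF; i++)
                if ($i == "dev") dev = $(i + 1)
            if (dst in seen && seen[dst] != dev)
                printf "CONFLICT %s on %s and %s\n", dst, seen[dst], dev
            seen[dst] = dev
            if (dev != want)
                printf "WRONGDEV %s dev %s (expected %s)\n", dst, dev, want
        }'
}

# Stand-alone run against the sample; on a live host replace the sample
# with: audit_route_table "$(ip r show table 1000)" ens6
audit_route_table "$SAMPLE_TABLE" ens6
```

A clean per-ENI table produces no output; the sample yields one CONFLICT line for 172.31.0.0/20 and three WRONGDEV lines for the ens5 routes, which are exactly the entries the answer says must be removed.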
