Part 1: Address allocation
Theory to verify
The Flags field of the ICMPv6 RA message (M, managed address configuration; O, other configuration)
The Flags field of the Prefix Information option in the ICMPv6 RA (L, on-link; A, autonomous address configuration)
Lab topology
Initial configuration and initial results
None
Lab steps
Step 1: Obtain an address through stateless autoconfiguration (SLAAC)
AR1:
[AR1]int g 0/0/0
[AR1-GigabitEthernet0/0/0]ipv6 enable
[AR1-GigabitEthernet0/0/0]ipv6 address auto global
AR2:
[AR2]ipv6
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]ipv6 enable
[AR2-GigabitEthernet0/0/0]ipv6 address 2000:1::2/64
[AR2-GigabitEthernet0/0/0]undo ipv6 nd ra halt
Verification:
[AR1]dis ipv6 int b
*down: administratively down
(l): loopback
(s): spoofing
Interface Physical Protocol
GigabitEthernet0/0/0 up up
[IPv6 Address] 2000:1::2E0:FCFF:FECB:71BA //The first 64 bits of this address are the prefix learned from the RA; the last 64 bits are the interface ID computed per EUI-64. The MAC address of AR1's G0/0/0 is 00e0-fccb-71ba: invert the 7th bit of the first octet (here 0 becomes 1, so 00 becomes 02) and insert FFFE between the first 24 and last 24 bits of the MAC to get 02E0:FCFF:FECB:71BA (shown with the leading zero dropped). Because the MAC is recoverable from the address, an EUI-64 identifier lets a host be tracked across every prefix it visits; that is why hosts normally use RFC 4941 temporary or RFC 7217 stable-opaque identifiers instead.
[AR1]dis dhcpv6 client //empty: no DHCPv6 client is running on AR1, the address came from the RA alone
[AR1]
[AR1]dis int g 0/0/0
GigabitEthernet0/0/0 current state : UP
Line protocol current state : DOWN
Description:HUAWEI, AR Series, GigabitEthernet0/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fccb-71ba
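As an added worked example (not part of the original notes or any Huawei code), the EUI-64 derivation just described, in Python, using the MAC and prefix from the outputs above; the reverse function shows why the MAC is trivially recoverable from such an address. The Huawei MAC notation and the prefixes are taken from the lab, everything else is this example's own.

```python
"""Modified EUI-64 interface IDs, as used by the SLAAC address above.

Added example for these notes (not from the original lab or Huawei code).
Derives the interface ID from the MAC 00e0-fccb-71ba shown in the
'display interface' output and recovers the MAC from the resulting address,
which is the privacy problem with EUI-64 identifiers.
"""
import ipaddress
import re


def parse_mac(mac: str) -> bytes:
    """Accept Huawei 00e0-fccb-71ba as well as colon- or hyphen-separated forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """RFC 4291 Appendix A: insert FF:FE between the OUI and the device part,
    then invert the universal/local bit (bit 7 of the first octet)."""
    m = parse_mac(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix from an RA with the modified EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a 64-bit prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64_address(addr: str):
    """Reverse the derivation. Returns None when the interface ID does not
    carry the FF:FE marker (e.g. a manually assigned or temporary address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


if __name__ == "__main__":
    print(slaac_address("2000:1::/64", "00e0-fccb-71ba"))        # 2000:1::2e0:fcff:fecb:71ba
    print(slaac_address("fe80::/64", "00e0-fccb-71ba"))          # fe80::2e0:fcff:fecb:71ba
    print(mac_from_eui64_address("2000:1::2e0:fcff:fecb:71ba"))  # 00e0-fccb-71ba
```

The link-local address produced from fe80::/64 is the one that survives in step 2 below once the global prefix is withdrawn; only the prefix changes, the interface ID is constant, which is the tracking property.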
Packet capture analysis:
Step 2: Stateless autoconfiguration cannot obtain an address
Clear the L and A bits in the Prefix Information option. With A=0 a host that receives the RA may not use the prefix for stateless address configuration; with L=0 the prefix is not treated as on-link. In the command below, no-autoconfig clears A and off-link clears L.
AR2:
[AR2-GigabitEthernet0/0/0]ipv6 nd ra prefix 2000:1:: 64 3600 1800 no-autoconfig off-link
Verification:
[AR1]dis ipv6 int brief
*down: administratively down
(l): loopback
(s): spoofing
Interface Physical Protocol
GigabitEthernet0/0/0 up up
[IPv6 Address] FE80::2E0:FCFF:FECB:71BA
Packet capture analysis:
Step 3: Stateful acquisition of the address and other parameters (DNS etc.)
AR1:
dhcp enable
#
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address auto global
ipv6 address auto dhcp
AR2:
dhcp enable
#
dhcpv6 pool user_pool
address prefix 2021::/64
dns-server 2021::114:114
dns-domain-name huawei.com
#
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address 2000:1::2/64
ipv6 address 2021::2/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag //set the M flag in the RA: hosts obtain their address through stateful (DHCPv6) configuration
ipv6 nd autoconfig other-flag //set the O flag in the RA: hosts obtain the other parameters (DNS etc.) through stateful configuration
dhcpv6 server user_pool
Verification:
[AR1]dis ipv6 int b
*down: administratively down
(l): loopback
(s): spoofing
Interface Physical Protocol
GigabitEthernet0/0/0 up up
[IPv6 Address] 2021::1
[AR1]dis dhcpv6 client
GigabitEthernet0/0/0 is in stateful DHCPv6 client mode.
State is BOUND.
Preferred server DUID : 0003000100E0FC87691E
Reachable via address : FE80::2E0:FCFF:FE87:691E
IA NA IA ID 0x00000031 T1 43200 T2 69120
Obtained : 2021-08-26 10:37:57
Renews : 2021-08-26 22:37:57
Rebinds : 2021-08-27 05:49:57
Address : 2021::1
Lifetime valid 172800 seconds, preferred 86400 seconds
Expires at 2021-08-28 10:37:57(172728 seconds left)
DNS server : 2021::114:114
Packet capture analysis:
Step 4: Stateless acquisition of the IP address, stateful acquisition of the other parameters (DNS etc.)
AR1:
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address auto global
dhcpv6 client information-request //enables obtaining the other parameters (DNS server, domain name) through stateless DHCPv6. This only enables the capability; whether the host actually does so is decided by the O flag in the RA. If O=1 the host sends an Information-Request and the DHCPv6 server replies with the parameters. The address itself needs no request: it is formed from the prefix carried in the RA.
AR2:
dhcpv6 pool user_pool
dns-server 2021::114:114
dns-domain-name huawei.com
#
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address 2000:1::2/64
undo ipv6 nd ra halt
ipv6 nd autoconfig other-flag
dhcpv6 server user_pool
Verification:
[AR1]dis dhcpv6 client interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 is in stateless DHCPv6 client mode.
State is OPEN.
Preferred server DUID : 0003000100E0FC87691E
Reachable via address : FE80::2E0:FCFF:FE87:691E
Infomation refresh time is 86400 seconds
DNS server : 2021::114:114
[AR1]dis ipv6 int b
*down: administratively down
(l): loopback
(s): spoofing
Interface Physical Protocol
GigabitEthernet0/0/0 up up
[IPv6 Address] 2000:1::2E0:FCFF:FECB:71BA
Packet capture analysis:
AR1 obtains the other parameters through DHCPv6. The destination address is FF02::1:2, the All_DHCP_Relay_Agents_and_Servers link-scoped multicast address that DHCPv6 servers and relay agents listen on.
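The four steps above differ only in the M/O flags of the RA and the L/A flags of its Prefix Information option. The following is an added example (not from the original notes or any vendor code) that builds RA bodies matching steps 1 to 4, parses them with bounds checks on the option lengths, and derives the host's behaviour; the lifetimes and the constructed packets are assumptions based on the configuration above. Per RFC 4861 the flags are independent: an A=1 prefix still permits SLAAC while M=1 asks for DHCPv6, and which address a given implementation keeps is platform dependent (the AR1 output in step 3 lists only the DHCPv6 address).

```python
"""Decode the RA flags a host acts on: M/O in the RA header and L/A in the
Prefix Information option.

Added example for these notes (not from the original lab or any vendor
code). build_ra() constructs ICMPv6 RA bodies matching lab steps 1-4;
parse_ra() decodes them; host_behaviour() applies the RFC 4861/4862 rules.
The ICMPv6 checksum is left at 0 because it needs the IPv6 pseudo-header,
which is outside this parser's scope.
"""
import ipaddress
import struct

ICMPV6_RA = 134
OPT_PREFIX_INFO = 3
RA_FLAG_M, RA_FLAG_O = 0x80, 0x40   # Managed address config, Other config
PI_FLAG_L, PI_FLAG_A = 0x80, 0x40   # on-Link, Autonomous address config

# type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
RA_HDR = struct.Struct("!BBHBBHII")
# type, length, prefix length, flags, valid, preferred, reserved (prefix follows)
PI_OPT = struct.Struct("!BBBBIII")


def build_ra(m=False, o=False, prefixes=(), hop_limit=64, router_lifetime=1800):
    """prefixes: (prefix_str, on_link, autonomous, valid_lifetime, preferred_lifetime)."""
    flags = (RA_FLAG_M if m else 0) | (RA_FLAG_O if o else 0)
    body = RA_HDR.pack(ICMPV6_RA, 0, 0, hop_limit, flags, router_lifetime, 0, 0)
    for pfx, on_link, autonomous, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(pfx)
        pflags = (PI_FLAG_L if on_link else 0) | (PI_FLAG_A if autonomous else 0)
        body += PI_OPT.pack(OPT_PREFIX_INFO, 4, net.prefixlen, pflags, valid, preferred, 0)
        body += net.network_address.packed
    return body


def parse_ra(data: bytes) -> dict:
    """Parse an RA body (no IPv6 header). Rejects malformed option lengths
    instead of looping on them or reading past the packet."""
    if len(data) < RA_HDR.size:
        raise ValueError("truncated RA header")
    typ, code, _csum, hop, flags, lifetime, _r, _t = RA_HDR.unpack_from(data)
    if typ != ICMPV6_RA or code != 0:
        raise ValueError(f"not a Router Advertisement (type {typ}, code {code})")
    ra = {"m": bool(flags & RA_FLAG_M), "o": bool(flags & RA_FLAG_O),
          "hop_limit": hop, "router_lifetime": lifetime, "prefixes": []}
    off = RA_HDR.size
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated option header")
        otype, olen = data[off], data[off + 1]
        if olen == 0:                       # RFC 4861 s4.6: zero length is invalid
            raise ValueError("option with zero length")
        end = off + olen * 8
        if end > len(data):
            raise ValueError("option runs past end of packet")
        if otype == OPT_PREFIX_INFO and olen == 4:
            _, _, plen, pflags, valid, preferred, _ = PI_OPT.unpack_from(data, off)
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Address(data[off + 16:end]),
                "prefix_len": plen,
                "on_link": bool(pflags & PI_FLAG_L),
                "autonomous": bool(pflags & PI_FLAG_A),
                "valid": valid, "preferred": preferred,
            })
        off = end                           # unknown options are skipped, as RFC 4861 requires
    return ra


def host_behaviour(ra: dict):
    """Return (slaac, dhcpv6_mode): slaac is True when some prefix has A=1 and
    a 64-bit length; dhcpv6_mode is 'stateful' (M=1), 'stateless' (M=0, O=1)
    or None. The flags are independent, so both can apply at once."""
    slaac = any(p["autonomous"] and p["prefix_len"] == 64 for p in ra["prefixes"])
    if ra["m"]:
        mode = "stateful"
    elif ra["o"]:
        mode = "stateless"
    else:
        mode = None
    return slaac, mode


if __name__ == "__main__":
    # constructed RA bodies matching lab steps 1, 2, 3 and 4
    steps = {
        1: build_ra(prefixes=[("2000:1::/64", True, True, 2592000, 604800)]),
        2: build_ra(prefixes=[("2000:1::/64", False, False, 3600, 1800)]),
        3: build_ra(m=True, o=True, prefixes=[("2021::/64", True, True, 2592000, 604800)]),
        4: build_ra(o=True, prefixes=[("2000:1::/64", True, True, 2592000, 604800)]),
    }
    for n, body in steps.items():
        print(n, host_behaviour(parse_ra(body)))
```

The two length checks are the part worth copying: an RA parser that trusts the option length byte can be made to spin on a zero-length option or to read beyond the buffer by any node on the link, since RAs are unauthenticated unless SEND or RA Guard is deployed.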
Part 2: Partially connected network
Theory to verify
Use configuration to achieve reachability between loopback interfaces in a partially connected network
Lab topology
Initial configuration
Configure the interface and loopback IPv6 addresses on the routers, and configure port isolation on the switch so that the ports towards AR2 and AR3 (G0/0/2 and G0/0/3) cannot reach each other
[LSW1]port-group group-member GigabitEthernet 0/0/2 to GigabitEthernet 0/0/3
[LSW1-port-group]port-isolate enable
Initial results
AR1 can ping the interconnect interfaces of AR2 and AR3, but AR2 and AR3 cannot ping each other
[AR1]ping ipv 2001:155:1::3
PING 2001:155:1::3 : 56 data bytes, press CTRL_C to break
Reply from 2001:155:1::3
bytes=56 Sequence=1 hop limit=64 time = 120 ms
[AR1]ping ipv 2001:155:1::2
PING 2001:155:1::2 : 56 data bytes, press CTRL_C to break
Reply from 2001:155:1::2
bytes=56 Sequence=1 hop limit=64 time = 100 ms
[AR2]ping ipv 2001:155:1::3
PING 2001:155:1::3 : 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 2001:155:1::3 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
round-trip min/avg/max = 0/0/0 ms
Lab steps:
1. First solve the partial connectivity problem
IPv6 has no ARP; for two nodes to communicate, first check whether a neighbor entry exists. AR2 has no neighbor entry for AR3 and AR3 has none for AR2: each router's Neighbor Solicitation goes to a solicited-node multicast group, and port isolation keeps those frames from crossing between the two ports, so resolution never completes.
To get connectivity, add the neighbors manually (the same principle as a static ARP entry in IPv4):
[AR2-GigabitEthernet0/0/0]ipv6 neighbor 2001:155:1::3 00e0-fcc9-7315 //the address is AR3's, but the MAC is AR1's
[AR3-GigabitEthernet0/0/0]ipv6 neighbor 2001:155:1::2 00e0-fcc9-7315 //the address is AR2's, but the MAC is AR1's
With this the partial connectivity problem is solved. Note the hop limit of 63 in the reply below, against 64 in the direct pings earlier: because both entries point at AR1's MAC, frames for AR2 or AR3 are delivered to AR1, which routes them on to the real owner, so AR1 is a transit hop. A forged NA or a poisoned neighbor entry puts a third node into the path by exactly this mechanism; here it is done on purpose.
[AR3]ping ipv6 2001:155:1::2
PING 2001:155:1::2 : 56 data bytes, press CTRL_C to break
Reply from 2001:155:1::2
bytes=56 Sequence=1 hop limit=63 time = 110 ms
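Why the two routers never learn each other, as an added example (not part of the original notes or any vendor code): a Neighbor Solicitation is sent to the target's solicited-node multicast group, and on Ethernet to the MAC derived from that group; port isolation on LSW1 keeps such frames from crossing between G0/0/2 and G0/0/3, so the static entries above are the only way a mapping ever appears. The addresses are the lab's; the Huawei MAC notation is an assumption of this example.

```python
"""Solicited-node multicast groups, which is where a Neighbor Solicitation goes.

Added example for these notes (not from the original lab or any vendor
code). Shows which multicast group and Ethernet MAC AR2's NS for
2001:155:1::3 is sent to, and which groups AR3 must be listening on to
answer it.
"""
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """RFC 4291 s2.7.1: FF02::1:FFxx:xxxx, low 24 bits copied from the target."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def multicast_mac(group: str) -> str:
    """RFC 2464 s7: 33-33 followed by the low 32 bits of the group address,
    written here in Huawei's xxxx-xxxx-xxxx notation."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{g} is not a multicast address")
    low32 = g.packed[12:].hex()
    return f"3333-{low32[:4]}-{low32[4:]}"


def listen_groups(addresses) -> set:
    """Groups an interface must join to be resolvable: all-nodes plus one
    solicited-node group per address. Addresses sharing their low 24 bits
    share a group, as fe80::3 and 2001:155:1::3 do on AR3."""
    groups = {str(ALL_NODES)}
    groups.update(str(solicited_node(a)) for a in addresses)
    return groups


if __name__ == "__main__":
    target = "2001:155:1::3"                       # AR3's interconnect address
    group = solicited_node(target)
    print(f"NS for {target} -> {group} / {multicast_mac(str(group))}")  # ff02::1:ff00:3 / 3333-ff00-0003
    print(listen_groups(["fe80::3", "2001:155:1::3", "2001:150:1:3::3"]))
```

A switch that forwards the frame to 3333-ff00-0003 only within the isolation group will deliver AR2's NS to AR1's port (which is not isolated) but never to AR3's, which matches the initial result: AR1 reaches both, AR2 and AR3 reach neither.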
然后配置環回口互通
AR1到2,3的環回口通信:
為了方便辨識,更改AR123上0/0/0口的Linklocal地址為fe80::1,2,3
在AR1上配置靜態路由
[AR1]ipv6 route-static 2001:150:1:2::2 128 2001:155:1::2
[AR1]ipv6 route-static 2001:150:1:3::3 128 GigabitEthernet 0/0/0 fe80::3
[AR1]ipv6 route-static 2002:150:1:3::3 128 GigabitEthernet 0/0/0 fe80::3
[AR1]ping ipv6 2001:150:1:2::2
PING 2001:150:1:2::2 : 56 data bytes, press CTRL_C to break
Reply from 2001:150:1:2::2
bytes=56 Sequence=1 hop limit=64 time = 100 ms
[AR1]ping ipv6 2001:150:1:3::3
PING 2001:150:1:3::3 : 56 data bytes, press CTRL_C to break
Reply from 2001:150:1:3::3
bytes=56 Sequence=1 hop limit=64 time = 80 ms
The pings succeed because, outbound, AR1 has the static routes, and on the return path the destination is AR1's G0/0/0 address 2001:155:1::1, which AR2 and AR3 reach through their normally learned neighbor entries (AR1's switch port is not isolated).
Communication between the loopbacks of AR2 and AR3:
If the route is written with a global unicast next hop there is no problem, because 2001:155:1::3 was already added to the neighbor table:
[AR2]ipv6 route-static 2001:150:1:3::3 128 2001:155:1::3
[AR2]ping ipv6 2001:150:1:3::3
PING 2001:150:1:3::3 : 56 data bytes, press CTRL_C to break
Reply from 2001:150:1:3::3
bytes=56 Sequence=1 hop limit=63 time = 80 ms
If the route is written with a link-local next hop instead:
[AR2]ipv6 route-static 2001:150:1:3::3 128 GigabitEthernet 0/0/0 fe80::3
But AR2's neighbor table has no entry for FE80::3, so this cannot work; add a neighbor for FE80::3 manually (again pointing at AR1's MAC):
[AR2-GigabitEthernet0/0/0]ipv6 neighbor fe80::3 00e0-fcc9-7315
[AR2-GigabitEthernet0/0/0]q
[AR2]ping ipv6 2001:155:1::3
PING 2001:155:1::3 : 56 data bytes, press CTRL_C to break
Request time out
Reply from 2001:155:1::3
bytes=56 Sequence=2 hop limit=63 time = 100 ms
Part 3: IPv6 ACL
Because IPv6 address resolution (NDP) is itself carried in layer 3 ICMPv6 messages, take care when configuring an IPv6 ACL not to block NS and NA, which would stop all communication on the link
Continuing with the topology and configuration from Part 2
[AR2]acl ipv6 3000
[AR2-acl6-adv-3000]rule deny icmpv6 icmp6-type ?
INTEGER<0-255> ICMP type
Redirect Type=137, Code=0
echo Type=128, Code=0
echo-reply Type=129, Code=0
err-Header-field Type=4, Code=0
frag-time-exceeded Type=3, Code=1
hop-limit-exceeded Type=3, Code=0
host-admin-prohib Type=1, Code=1
host-unreachable Type=1, Code=3
neighbor-advertisement Type=136, Code=0
neighbor-solicitation Type=135, Code=0
network-unreachable Type=1, Code=0
packet-too-big Type=2, Code=0
port-unreachable Type=1, Code=4
router-advertisement Type=134, Code=0
router-solicitation Type=133, Code=0
unknown-ipv6-opt Type=4, Code=2
unknown-next-hdr Type=4, Code=1
[AR2-acl6-adv-3000]rule deny icmpv6 icmp6-type echo
[AR2-GigabitEthernet0/0/0]traffic-filter inbound ipv6 acl 3000
At this point, apart from the neighbors configured statically earlier, no neighbors are learned automatically; it looks as though all traffic is being denied by default.
Add another rule to the ACL permitting ICMPv6 other than ping:
[AR2-acl6-adv-3000]rule permit icmpv6
The entries still do not appear; this is presumably an eNSP bug. On any platform the safer pattern is to permit neighbor-solicitation and neighbor-advertisement (types 135 and 136, both in the help output above) explicitly ahead of any deny rule, since rules are matched in configuration order, and then to confirm with a ping from a node that has no static neighbor entry.
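The following is an added example (not from the original notes or any vendor code) of first-match evaluation for a rule list like the one above, with a check for rules that would drop NDP. The rule grammar is a small subset of the VRP command, the type names are from the help output above, and the action for traffic matching no rule is a parameter assumed to be permit here; verify that on your own platform, since the lab's observation was the opposite.

```python
"""First-match evaluation of an IPv6 ACL against ICMPv6 types, plus a check
for rules that would drop the NDP messages the link depends on.

Added example for these notes (not from the original lab or any vendor
code). The rule grammar is a small subset of VRP's 'rule' command and the
type names come from the 'icmp6-type ?' help output. What happens to traffic
that matches no rule is passed in as 'default' (assumed permit).
"""
from dataclasses import dataclass
from typing import List, Optional

ICMP6_TYPES = {  # subset of the 'icmp6-type ?' help output
    "echo": 128, "echo-reply": 129, "router-solicitation": 133,
    "router-advertisement": 134, "neighbor-solicitation": 135,
    "neighbor-advertisement": 136, "redirect": 137, "packet-too-big": 2,
}
NDP_TYPES = (133, 134, 135, 136, 137)


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    protocol: Optional[str] = None     # "icmpv6", "tcp", ...; None matches anything
    icmp6_type: Optional[int] = None   # only used when protocol == "icmpv6"


def parse_rule(line: str) -> Rule:
    """Parse 'rule deny icmpv6 icmp6-type echo' or 'rule permit icmpv6'."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "rule" or tokens[1] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line!r}")
    protocol = tokens[2].lower() if len(tokens) > 2 else None
    icmp6_type = None
    if "icmp6-type" in tokens:
        if protocol != "icmpv6":
            raise ValueError("icmp6-type is only valid with icmpv6")
        i = tokens.index("icmp6-type") + 1
        if i >= len(tokens):
            raise ValueError("icmp6-type needs a value")
        value = tokens[i].lower()
        icmp6_type = int(value) if value.isdigit() else ICMP6_TYPES[value]
    return Rule(tokens[1], protocol, icmp6_type)


def evaluate(rules: List[Rule], protocol: str, icmp6_type: Optional[int] = None,
             default: str = "permit") -> str:
    """Rules are matched in configuration order; the first match decides."""
    for r in rules:
        if r.protocol is not None and r.protocol != protocol:
            continue
        if r.icmp6_type is not None and r.icmp6_type != icmp6_type:
            continue
        return r.action
    return default


def ndp_broken_by(rules: List[Rule], default: str = "permit") -> List[int]:
    """ICMPv6 types 133-137 that this ACL would drop. Anything in the list
    means neighbors stop being learned on the filtered interface."""
    return [t for t in NDP_TYPES if evaluate(rules, "icmpv6", t, default) == "deny"]


if __name__ == "__main__":
    acl_3000 = [parse_rule("rule deny icmpv6 icmp6-type echo"),
                parse_rule("rule permit icmpv6")]
    print("ping:", evaluate(acl_3000, "icmpv6", 128))           # deny
    print("NDP dropped (default permit):", ndp_broken_by(acl_3000))
    print("NDP dropped (default deny):  ", ndp_broken_by(acl_3000, default="deny"))
    print("NDP dropped by 'rule deny icmpv6':", ndp_broken_by([parse_rule("rule deny icmpv6")]))
```

Running ndp_broken_by with both default actions is the useful check: if the list is empty under permit but full under deny, the ACL's behaviour depends entirely on the platform's implicit rule, which is the situation the lab ran into.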
Prefix list matching
[AR2]ip ipv6-prefix test permit :: 0 less-equal 128 //all addresses: any prefix of any length
[AR2]ip ipv6-prefix test permit 2000:: 3 greater-equal 3 //global unicast addresses: 2000::/3 and any longer prefix inside it
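How the two entries match, as an added example (not from the original notes or any vendor code) implementing the mask-length / greater-equal / less-equal semantics in Python. The treatment of omitted bounds (only greater-equal given means an upper bound of 128, only less-equal given means a lower bound of the mask length, neither means the exact length) and the default deny for a candidate matching no entry are assumptions to check against your platform's documentation.

```python
"""IPv6 prefix-list matching with the mask-length / greater-equal /
less-equal semantics of 'ip ipv6-prefix'.

Added example for these notes (not from the original lab or any vendor
code). Encodes the two entries above: '::/0 less-equal 128' matches every
prefix, '2000::/3 greater-equal 3' matches every global-unicast prefix.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PrefixEntry:
    action: str                      # "permit" or "deny"
    prefix: ipaddress.IPv6Network    # the bits a candidate must share
    ge: int                          # smallest candidate prefix length accepted
    le: int                          # largest candidate prefix length accepted


def entry(action, prefix, mask_len, greater_equal=None, less_equal=None) -> PrefixEntry:
    """Assumed semantics: neither bound -> exact length only; only ge -> [ge, 128];
    only le -> [mask_len, le]; both -> [ge, le]. mask_len <= ge <= le <= 128."""
    net = ipaddress.IPv6Network(f"{prefix}/{mask_len}", strict=False)
    if greater_equal is None and less_equal is None:
        ge, le = mask_len, mask_len
    else:
        ge = mask_len if greater_equal is None else greater_equal
        le = 128 if less_equal is None else less_equal
    if not (mask_len <= ge <= le <= 128):
        raise ValueError(f"need mask-length <= greater-equal <= less-equal <= 128, got {mask_len}/{ge}/{le}")
    return PrefixEntry(action, net, ge, le)


def matches(e: PrefixEntry, candidate: str) -> bool:
    """The candidate's first mask_len bits must equal the entry's prefix and
    its own length must fall within [ge, le]."""
    c = ipaddress.IPv6Network(candidate, strict=False)
    return e.ge <= c.prefixlen <= e.le and c.network_address in e.prefix


def lookup(plist: List[PrefixEntry], candidate: str, default: str = "deny") -> str:
    """First matching entry wins; an unmatched candidate gets the default (assumed deny)."""
    for e in plist:
        if matches(e, candidate):
            return e.action
    return default


if __name__ == "__main__":
    all_addresses = [entry("permit", "::", 0, less_equal=128)]
    global_unicast = [entry("permit", "2000::", 3, greater_equal=3)]
    for cand in ("2001:155:1::/64", "2001:150:1:3::3/128", "fe80::/64", "fc00::/7"):
        print(f"{cand:22} all={lookup(all_addresses, cand)} gua={lookup(global_unicast, cand)}")
```

The second list is the one to use when a route policy should accept only global unicast routes: link-local (fe80::/10) and unique-local (fc00::/7) prefixes fall outside 2000::/3 and are denied by the default, so nothing needs to be listed explicitly.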