Sharing of classic traffic diversion solutions for network exit zone traffic cleaning

Topology

[Topology diagram]

Business needs

A network needs to deploy Anti-DDoS equipment in the network egress area. The north-south business traffic (simulated here as traffic between PC1 <-> PC2) must be statically diverted to the cleaning device (simulated here with a router model).

Program planning

1. Bind a VPN instance to any interface of the egress router R1 that carries the north-south business flow (here the VPN instance is bound to the port connected to PC1). When the interface bound to the VPN instance receives traffic and forwards it, the next hop for the destination route is looked up in the VRF that belongs to that VPN instance.

2. Configure a static route in the VPN instance whose next hop toward the destination (PC2 here) is the cleaning device. That is, when R1 queries the VRF, the next hop points to the cleaning device.

3. The physical port of R1 connected to the cleaning device is split into two logical sub-interfaces. One sub-interface is also bound to the VPN instance created above and serves as the traffic diversion interface; the other sub-interface serves as the traffic reinjection port.

4. Following the configured static route, R1 sends the business traffic to the cleaning device through the traffic diversion interface.

5. The switch is only an interconnection device. The interfaces on both sides are set to link type Trunk, and the VLAN IDs bound to the logical sub-interfaces are allowed to pass on those interfaces.

6. On the cleaning device, the interface connected to the business device is likewise split into two logical sub-interfaces; plan which one is the diversion interface and which one is the reinjection interface to match the R1 configuration. Then configure static routes so that the cleaning device knows the next-hop addresses toward PC1 and PC2. Pay attention to the next-hop addresses here.

Compared with the "static routing + policy routing redirection" solution, this solution has been greatly simplified and optimized at the configuration level.

Configuration implementation

PC1:
[Screenshot: PC1 address configuration, 1.1.0.1/24 with gateway 1.1.0.254]

PC2:
[Screenshot: PC2 address configuration, 2.2.0.1/24]

R1:

sysname r1
#
vlan batch 10 20
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 1:1
#
interface Ethernet0/0/0.1
 dot1q termination vid 10
 ip binding vpn-instance vpn1
 ip address 1.1.1.1 255.255.255.0
 arp broadcast enable
#
interface Ethernet0/0/0.2
 dot1q termination vid 20
 ip address 2.2.2.1 255.255.255.0
#
interface Ethernet0/0/1
 ip binding vpn-instance vpn1
 ip address 1.1.0.254 255.255.255.0
#
interface GigabitEthernet0/0/0
 ip address 2.2.0.254 255.255.255.0
#
ip route-static 1.1.0.0 255.255.255.0 2.2.2.2
ip route-static vpn-instance vpn1 2.2.0.0 255.255.255.0 1.1.1.2
#
return

LSW1:

sysname Sw
#
vlan batch 10 20
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return

Cleaning device (R2):

sysname CleanDevice
#
vlan batch 10 20
#
interface Ethernet0/0/0.1
 dot1q termination vid 10
 ip address 1.1.1.2 255.255.255.0
 arp broadcast enable
#
interface Ethernet0/0/0.2
 dot1q termination vid 20
 ip address 2.2.2.2 255.255.255.0
 arp broadcast enable
#
ip route-static 1.1.0.0 255.255.255.0 1.1.1.1
ip route-static 2.2.0.0 255.255.255.0 2.2.2.1
#
return

Forwarding principle

Take PC1 accessing PC2 as an example.

  1. PC1 does not yet know whether the destination is local, so it ANDs the destination IP 2.2.0.1 with its own mask 255.255.255.0 and obtains the destination network segment 2.2.0.0/24.
  2. It ANDs its source IP with the mask and obtains the local network segment 1.1.0.0/24.
  3. Because the destination segment differs from the local segment, it checks whether a gateway is configured.
  4. If no gateway were configured, the packet would be sent directly to 2.2.0.1 and the ARP cache would be searched for an entry for 2.2.0.1.
  5. In this topology PC1 is configured with gateway 1.1.0.254, so when PC1 sends data to 2.2.0.1 it first hands the data to the gateway.
  6. PC1 looks for the MAC address of gateway 1.1.0.254 in its ARP cache and gets no hit.
  7. An ARP miss is raised to the CPU, which tells the ARP module to start the ARP learning process.
  8. PC1 learns the MAC of gateway 1.1.0.254 through the ARP exchange.
  9. PC1 sends a packet with destination IP 2.2.0.1, source IP 1.1.0.1, destination MAC = gateway MAC and source MAC = PC1 MAC out of its E0/0/1 interface.
  10. R1's E0/0/1 interface receives a frame whose destination MAC is its own, accepts it, and learns the source MAC into its MAC table. Because this interface is bound to a VPN instance, the route lookup is done in that VRF: longest-prefix match finds the route to 2.2.0.1 with next hop 1.1.1.2.
  11. Through the ARP cache (or an ARP exchange) R1 learns that the MAC for 1.1.1.2 is the MAC of the cleaning device's E0/0/0.1 sub-interface. According to the VRF forwarding table the packet is sent out of E0/0/0.1 with source IP 1.1.0.1, destination IP 2.2.0.1, source MAC = R1's E0/0/0.1 MAC, destination MAC = the cleaning device's (R2's) E0/0/0.1 MAC, and VLAN tag 10.
  12. SW1's trunk interface E0/0/1 receives the frame tagged 10. The source MAC is learned into (or refreshed in) the VLAN 10 MAC table (it was already learned during ARP). VLAN 10 is in the trunk's allowed list and the PVID is 1, so the frame is accepted and the tag is kept.
  13. The switching module treats the frame as VLAN 10 data, looks up the destination MAC in the VLAN 10 MAC table, and hits outbound interface E0/0/2, a trunk interface whose allowed list permits VLAN 10.
  14. Because the PVID of E0/0/2 is 1, SW1 forwards the frame out of E0/0/2 with the VLAN 10 tag intact. Source/destination IP and MAC are unchanged.
  15. The cleaning device (R2) receives the tag-10 frame on E0/0/0.1 with its own MAC as destination; it accepts it and strips the tag according to its dot1q termination configuration.
  16. It looks up 2.2.0.1 in its IP routing table; longest-prefix match gives next hop 2.2.2.1.
  17. It searches the ARP cache, learns the MAC for 2.2.2.1 via ARP if needed, consults the forwarding table and sends the packet out of E0/0/0.2. The dot1q encapsulation carries tag 20; source IP 1.1.0.1, destination IP 2.2.0.1, source MAC = R2's E0/0/0.2 MAC, destination MAC = R1's E0/0/0.2 MAC.
  18. SW1's trunk interface E0/0/2 receives the frame tagged 20. The source MAC is learned into (or refreshed in) the VLAN 20 MAC table (already learned during ARP).
  19. VLAN 20 is in the trunk's allowed list and the PVID is 1, so the frame is accepted and the tag is kept.
  20. The switching module treats the frame as VLAN 20 data, looks up the destination MAC in the VLAN 20 MAC table, and hits outbound interface E0/0/1, a trunk interface whose allowed list permits VLAN 20.
  21. Because the PVID of E0/0/1 is 1, SW1 forwards the frame out of E0/0/1 with the VLAN 20 tag intact. Source/destination IP and MAC are unchanged.
  22. R1 receives the tag-20 frame on E0/0/0.2 with its own MAC as destination; it accepts it and strips the tag according to dot1q termination.
  23. This sub-interface is not bound to the VPN instance, so the lookup now uses the global IP routing table: longest-prefix match for 2.2.0.1 gives 2.2.0.254 (R1's own G0/0/0 address, i.e. a directly connected route). R1 searches the ARP cache, learns the MAC for 2.2.0.1 via ARP, consults the forwarding table and sends the packet out of G0/0/0 with source IP 1.1.0.1, destination IP 2.2.0.1, source MAC = R1's G0/0/0 MAC, destination MAC = PC2's MAC.

The return trip is similar.
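To make the two-table lookup concrete, here is an added Python model (not from the original post) that replays the plan above and the forwarding walkthrough: each device's interfaces carry the VRF binding from the configs, a static route is resolved recursively to its egress sub-interface, and `trace()` walks a packet from a PC's gateway to the destination, reporting LOOP if the hop limit is hit. The device and host names (R1, Clean, PC1, PC2), the OWNER map standing in for ARP, and the hop limit are assumptions of this model.

```python
import ipaddress

# Constructed model of the page's lab; addresses are copied from the configs above.
# iface -> (address/prefix, VRF bound to it, or None for the global routing table)
DEVICES = {
    "R1": {"ifaces": {"E0/0/1": ("1.1.0.254/24", "vpn1"), "E0/0/0.1": ("1.1.1.1/24", "vpn1"),
                      "E0/0/0.2": ("2.2.2.1/24", None), "G0/0/0": ("2.2.0.254/24", None)},
           "static": {None: [("1.1.0.0/24", "2.2.2.2")], "vpn1": [("2.2.0.0/24", "1.1.1.2")]}},
    "Clean": {"ifaces": {"E0/0/0.1": ("1.1.1.2/24", None), "E0/0/0.2": ("2.2.2.2/24", None)},
              "static": {None: [("1.1.0.0/24", "1.1.1.1"), ("2.2.0.0/24", "2.2.2.1")]}},
}
HOSTS = {"PC1": ("1.1.0.1", "1.1.0.254"), "PC2": ("2.2.0.1", "2.2.0.254")}  # (ip, gateway)
# ip -> (device, iface): who answers ARP for a next hop (assumed map); iface is None for a PC
OWNER = {ip: (h, None) for h, (ip, _) in HOSTS.items()}
OWNER.update({str(ipaddress.ip_interface(c).ip): (d, i)
              for d, s in DEVICES.items() for i, (c, _) in s["ifaces"].items()})

def lookup(dev, vrf, dst):
    """Longest-prefix match in ONE table: connected routes of the interfaces bound to
    this VRF plus the static routes configured for it. Returns (egress iface, next hop)."""
    routes = [(ipaddress.ip_interface(c).network, i, None)
              for i, (c, v) in DEVICES[dev]["ifaces"].items() if v == vrf]
    routes += [(ipaddress.ip_network(p), None, nh)
               for p, nh in DEVICES[dev]["static"].get(vrf, [])]
    hits = [r for r in routes if ipaddress.ip_address(dst) in r[0]]
    if not hits:
        return None
    _, iface, nh = max(hits, key=lambda r: r[0].prefixlen)
    if nh is None:                    # directly connected: ARP for the destination itself
        return iface, dst
    via = lookup(dev, vrf, nh)        # recursive lookup resolves the static route's egress
    return (via[0], nh) if via else None

def trace(src_host, dst_host, max_hops=8):
    """Walk a packet hop by hop; the VRF bound to the INGRESS interface selects the table."""
    dst = HOSTS[dst_host][0]
    dev, iface = OWNER[HOSTS[src_host][1]]        # first hop: the PC's default gateway
    path = [src_host]
    for _ in range(max_hops):
        vrf = DEVICES[dev]["ifaces"][iface][1]
        hop = lookup(dev, vrf, dst)
        if hop is None:
            return path + ["NO ROUTE"]
        path.append(f"{dev}:{iface}({vrf or 'global'})->{hop[0]}")
        dev, iface = OWNER[hop[1]]
        if iface is None:                         # next hop is the destination PC
            return path + [dev]
    return path + ["LOOP"]                        # hop limit hit: routes chase each other
```

Calling trace("PC1", "PC2") yields R1 in vpn1, the cleaning device, R1 in the global table, then PC2, and trace("PC2", "PC1") the mirror image; swapping the cleaning device's two next hops makes the same call end in LOOP, which is why the next-hop addresses on the cleaning device deserve care.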

Result test

PC1 accesses PC2 path:
[Screenshot: path test from PC1 to PC2]

Origin blog.csdn.net/qq_37633855/article/details/123090822