Running a Juniper SRX device.
In a routing instance, I removed two /25 static routes and replaced them with a single /24 static route. The /24 static route starts at the same IP; it is just a larger subnet. Note that 172.18.10.10 is a blackhole and 10.10.201.128/25 is not yet in use.
Configuration of routing instance A:
[omitted]
routing-options {
    static {
        inactive: route 10.212.17.0/24 next-hop 10.212.210.17;
        route 10.10.200.0/25 next-hop 172.18.10.2;
        route 10.10.201.0/25 next-hop 172.18.10.6;
        route 10.10.201.128/25 next-hop 172.18.10.10;
    }
[omitted]
New configuration of routing instance A:
[omitted]
routing-options {
    static {
        inactive: route 10.212.17.0/24 next-hop 10.212.210.17;
        route 10.10.200.0/25 next-hop 172.18.10.2;
        route 10.10.201.0/24 next-hop 172.18.10.6;
    }
[omitted]
After making this change, I could no longer route to 10.10.201.0/25 hosts from some places (but not all). At first I thought this might be caused by a summarization problem, but then I realized that two other random networks within the same routing instance (let's call it routing instance B) on the same router (not via an eBGP connection from another site) did not behave the same way. Specifically, 10.212.200.0/24 cannot reach 10.10.201.0/25, but 10.212.203.0/24 can. Again, both 10.212.200/24 and 10.212.203/24 come from the same routing instance on the same physical router.
So... I checked the security flow to watch the traffic, and I found that traffic was able to route from 10.10.201.0/25 to the appropriate host, but some hosts could not respond with an echo reply:
Session ID: 6726, **Policy name: HQ-VPN-DMZ_To_Trust**/30, Timeout: 2, Valid
  In: 10.10.201.3/152 --> 10.212.200.1/63851;icmp, If: ge-0/0/7.0, Pkts: 1, Bytes: **84**
  Out: 10.212.200.1/63851 --> 10.10.201.3/152;icmp, If: ge-0/0/4.0, Pkts: 0, Bytes: **0**
So... I checked the policy hit count and found that the hits were increasing. The policy is as follows:
policy HQ-VPN-DMZ_To_Trust {
    match {
        source-address [ *omitted* 10.212.210.18/32 10.10.201.0/25 ];
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
Since the source IP is 10.10.201.3, the policy hit counter should not keep increasing.
My question is: how can this policy block the echo reply returning from 10.212.200.1 -> 10.10.201.3 when it is explicitly permitted?
Also:
I should note that when I added the specific static route...
[omitted]
routing-options {
    static {
        inactive: route 10.212.17.0/24 next-hop 10.212.210.17;
        route 10.10.200.0/25 next-hop 172.18.10.2;
        route 10.10.201.0/24 next-hop 172.18.10.6;
        route 10.10.201.0/25 next-hop 172.18.10.6;
    }
[omitted]
...back into the routing instance configuration, everything started working again.
While we're on the topic, how can the 10.10.201.0/25 static route work while the 10.10.201.0/24 static route does not? 10.10.201.0/25 is summarized within 10.10.201.0/24!!!
The difference in the show route output is as follows (one with the /25 in place, one with the /24 in place):
With /24:
x@x> show route 10.10.201.0

inet.0: 919 destinations, 1825 routes (919 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[BGP/80] 18w6d 22:42:17, localpref 100
                      AS path: YYYY AAAA I
                    > to 104.x.x.x via ge-0/0/0.0
                    [BGP/80] 7w4d 10:38:07, localpref 50, from 10.99.1.23
                      AS path: YYYY BBBB I
                    > to 10.99.1.2 via ge-0/0/15.0
                    [OSPF/150] 14w5d 02:01:25, metric 1, tag 0
                    > to 10.99.1.2 via ge-0/0/15.0

DMZ.inet.0: 101 destinations, 101 routes (101 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.201.0/24     *[Static/5] 00:49:33
                    > to 172.18.10.6 via ge-0/0/7.0

tunnel.inet.0: 90 destinations, 113 routes (73 active, 0 holddown, 25 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[BGP/80] 18w6d 22:42:17, localpref 100
                      AS path: YYYY AAAA I
                    > to 104.x.x.x via ge-0/0/0.0

lan-vr.inet.0: 58 destinations, 83 routes (58 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[BGP/80] 18w6d 22:42:17, localpref 100
                      AS path: YYYY AAAA I
                    > to 104.x.x.x via ge-0/0/0.0
                    [OSPF/150] 7w4d 10:38:06, metric 0, tag 0
                    > to 10.212.6.20 via ge-0/0/1.0
With /25:
x@x# run show route 10.10.201.0

inet.0: 921 destinations, 1829 routes (921 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.201.0/25     *[Static/5] 01:04:04
                    > to 172.18.10.6 via ge-0/0/7.0
                    [OSPF/150] 01:04:02, metric 1, tag 0
                    > to 10.99.1.2 via ge-0/0/15.0

DMZ.inet.0: 102 destinations, 102 routes (102 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.201.0/25     *[Static/5] 01:04:06
                    > to 172.18.10.6 via ge-0/0/7.0

tunnel.inet.0: 91 destinations, 114 routes (74 active, 0 holddown, 25 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.201.0/25     *[Static/5] 01:04:04
                    > to 172.18.10.6 via ge-0/0/7.0

lan-vr.inet.0: 59 destinations, 84 routes (59 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.201.0/25     *[Static/5] 01:04:04
                    > to 172.18.10.6 via ge-0/0/7.0
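An added example (editor's code, not part of the original post and not Junos code): the two show route listings above differ in where the 10.10.201.0 route appears. With the /25 configured it is present in all four tables; with the /24 it is present only in DMZ.inet.0, and inet.0, tunnel.inet.0 and lan-vr.inet.0 fall through to their 0.0.0.0/0 default via ge-0/0/0.0. The block below reproduces the longest-prefix-match lookup each table performs for 10.10.201.3 under both configurations, using tables constructed from that output. It models only each table's active route, and it assumes the defaults visible in the /24 output are still present in the /25 case (show route only prints the best match, so they are not shown there). It says nothing about why the /24 is not propagated to the other tables; the post does not include the rib-group or export-policy configuration that would decide that.

```python
"""Longest-prefix-match lookups over per-instance routing tables constructed
from the 'show route 10.10.201.0' output in the post (editor's example)."""
import ipaddress

# (prefix, protocol, next hop, outgoing interface) as printed by show route.
# The 104.x.x.x next hop is the masked value from the post, kept as a label.
DEFAULT = ("0.0.0.0/0", "BGP", "104.x.x.x", "ge-0/0/0.0")
STATIC_24 = ("10.10.201.0/24", "Static", "172.18.10.6", "ge-0/0/7.0")
STATIC_25 = ("10.10.201.0/25", "Static", "172.18.10.6", "ge-0/0/7.0")

# Active routes per table for the two configurations. In the /25 case the
# presence of DEFAULT outside DMZ.inet.0 is an assumption (see lead-in).
TABLES = {
    "/24": {
        "inet.0": [DEFAULT],
        "DMZ.inet.0": [STATIC_24],          # only table holding the /24
        "tunnel.inet.0": [DEFAULT],
        "lan-vr.inet.0": [DEFAULT],
    },
    "/25": {
        "inet.0": [DEFAULT, STATIC_25],
        "DMZ.inet.0": [STATIC_25],
        "tunnel.inet.0": [DEFAULT, STATIC_25],
        "lan-vr.inet.0": [DEFAULT, STATIC_25],
    },
}


def lookup(table, dst):
    """Return the most specific entry covering dst, or None if nothing covers it."""
    addr = ipaddress.ip_address(dst)
    best = None
    best_len = -1
    for entry in table:
        net = ipaddress.ip_network(entry[0])
        if addr in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def egress(scenario, table_name, dst):
    """(protocol, next hop, interface) a table selects for dst, or None."""
    entry = lookup(TABLES[scenario][table_name], dst)
    return None if entry is None else entry[1:]


def diverging_tables(dst):
    """Tables whose forwarding decision for dst changes between the /24 and /25 configs."""
    return [name for name in TABLES["/24"]
            if egress("/24", name, dst) != egress("/25", name, dst)]


if __name__ == "__main__":
    for scenario in TABLES:
        print(f"with the {scenario} static configured:")
        for name in TABLES[scenario]:
            print(f"  {name:14} -> {egress(scenario, name, '10.10.201.3')}")
    print("tables whose decision changes:", diverging_tables("10.10.201.3"))
    # Side effect of the /24: the unused 10.10.201.128/25 half is now covered too.
    print("10.10.201.200 in DMZ.inet.0 with /24:", egress("/24", "DMZ.inet.0", "10.10.201.200"))
    print("10.10.201.200 in DMZ.inet.0 with /25:", egress("/25", "DMZ.inet.0", "10.10.201.200"))
```

Running the block prints the protocol, next hop and interface each table selects for 10.10.201.3 under each configuration; the tables whose decision changes are exactly the three outside DMZ.inet.0, which is the difference between the two listings above, and it is consistent with a session whose inbound leg arrives on ge-0/0/7.0 while the return leg shows zero packets. The second lookup shows the other effect of the /24 that the post's note about 10.10.201.128/25 points at: addresses in that formerly separate half now follow the 172.18.10.6 next hop in DMZ.inet.0 instead of matching nothing.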