
My test and my view

I tested again with two 3550s, and they can indeed reach each other. It can also be explained in principle.

I came here to meet more like-minded people and to learn from each other, so let me also give my view of this method. This is purely technical, absolutely not sophistry.

First, I think this method is not the normal way of thinking within the TCP/IP protocol framework; it should be said that it only exploits some loopholes in the protocols and also misappropriates the concept of the default gateway. I have indeed run into a case where an address was misconfigured by accident and a network device (I forget which one) raised an alarm.

If you think about the whole access process, what you call configuring yourself as the default gateway does not actually perform the function of a default gateway in the normal sense. I suggest you google the gateway definition and you will see: it operates on packets (the layer 3 data format), not frames (the layer 2 data format), and the method used is routing rather than simple layer 2 switching; in other words, it works at layer 3. Your configuration, however, works at layer 2. With this method the so-called default gateway can only switch data onto the same physical network and cannot go beyond that limit; being forwarded by the next hop is a completely different matter.

Replies, comments and Discussions:

  • Router Configuration.
    There are 2 sites, A is head office and B is a branch.

    Site A IP range 10.12.0.0 subnet 255.255.0.0
    All servers (such as DC, exchange etc )are in site A with IP range: from 10.12.5.0 to 10.12.5.255

    Site B IP range 10.50.0.0 subnet 255.255.0.0

    Now, we have to move all servers from A to B, keep servers IP address.

    Is there any way I can get it?

    Thanks a lot
    • Change the subnet mask.
      • could you please let me know which interface subnet mask should be changed?
    • I can not find any problem to re-locate. if you can give more details, such as diagram and device configuration, maybe I can help you.
      • 都ccie了,这种问题还要看图,看来还是不行啊
        • You got it !
      • Please see topology inside, thanks
        There are 2 sites, A is head office and B is a branch.

        Site A IP range 10.12.0.0 subnet 255.255.0.0
        All servers (such as DC, exchange etc )are in site A with IP range: from 10.12.5.0 to 10.12.5.255

        Site B IP range 10.50.0.0 subnet 255.255.0.0

        Now, we have to move all servers from A to B, keep servers IP address.

        However, there are still PCs at Site A with IP addresses ranging from 10.12.1.0 to 10.12.4.255 and 10.12.6.0 to 10.12.12.255.

        What I want is that, after moving server to subnet 10.50.0.0 (Site B)
        1. Servers still keep the IP address within 10.12.5.0 to 10.12.5.255
        2. PC at Site A still can access to those server.

        Thanks
        • NAT?
        • It depends a lot on your hardware.
          1. On the same low-end switch, directly change the subnet mask to 255.0.0.0 or 255.128.0.0 (needs calculating). The question is, do you have that many machines? The network traffic with such a subnet mask is frightening.
          2. Different switches connected by a router: nothing needs to change, but the performance between the two subnets is rather poor.
          3. A switch that supports VLANs, or layer 3 switching, or a routing switch: just change the switch configuration. No problem.

          I haven't touched networking for a long time, so forgive any mistakes.
        • see your PM
    • two ways: 1. change both subnet masks to 255.0.0.0. 2. add a secondary IP address on the router for the servers. Neither is good; you'd better change the PC or server IPs into one subnet
      • the first way is totally wrong, you can not put the same subnet IP addresses in different interfaces in the same device.
    • For access between subnets, add routes; to merge subnets, change the subnet mask.
    • check your PM
    • put them in different vlan
    • my suggestion, see inside
      As I do not know your network well, I assume that your router has two FastEthernet interfaces, F0 and F1

      F0: connect to site A with the IP address 10.12.255.254 255.255.0.0 and this IP address is all of the site A devices’ default gateway;
      F1: connect to site B with the IP address 10.50.255.254 255.255.0.0 and this IP address is all of the site B devices’ default gateway;

      If I am correct, I have to say that the design is totally bad, honestly.

      Anyway, you can achieve it by two ways:

      The first way:

      1, change your F0 IP address from 10.12.255.254 255.255.0.0 to:
      Ip address 10.12.1.254 255.255.255.0
      Ip address 10.12.2.254 255.255.255.0 secondary
      Ip address 10.12.3.254 255.255.255.0 secondary
      Ip address 10.12.4.254 255.255.255.0 secondary
      Ip address 10.12.6.254 255.255.255.0 secondary

      2, keep your site A devices’ IP addresses, but change the subnet mask from 255.255.0.0 to 255.255.255.0.
      Then change their default gateway from 10.12.255.254 to 10.12.X.254 ( X=1,2,3,4,6, depends on the devices’ IP address or subnet)

      3, keep the F1 IP address and add a secondary IP address:
      IP address 10.12.5.254 255.255.255.0 secondary

      4, Move your servers to site B, keep the servers’ IP addresses but change the subnet mask to 255.255.255.0 and the default gateway to 10.12.5.254.

      This way is so unprofessional and so bad too, but you can get the achievement.

      The potential issues are:
      1, it will cause the F0 performance problem if the traffic between subnets is heavy, as the traffic is not “switched” as before, but “routed” via F0, but it is not the criminal;
      2, if your router is running some dynamic routing protocol and all of the IP blocks take part in it, it will cause some IP route issue as some dynamic routing protocols do not support secondary IP address or do not support well.

      The second way:

      I assume your router and switches support trunk encapsulation (802.1q or ISL)

      1, encapsulate F0 to trunk and use the sub-interfaces:
      F0.1: vlan 10 IP:10.12.1.254 255.255.255.0
      F0.2: vlan 20 IP:10.12.2.254 255.255.255.0
      F0.3: vlan 30 IP:10.12.3.254 255.255.255.0
      F0.4: vlan 40 IP:10.12.4.254 255.255.255.0
      F0.6: vlan 60 IP:10.12.6.254 255.255.255.0

      2, configure your switch: the interface connecting to F0 needs trunk encapsulation (the same protocol as F0).
      Create VLAN 10, 20, 30, 40, 60 and allocate the other interfaces to the proper VLAN in access mode;

      If you have more than one switch, you need to configure them the same way.
      Note: interfaces between switches need to be trunks.
      3, keep your site A devices’ IP addresses, but change the subnet mask from 255.255.0.0 to 255.255.255.0.
      Then change their default gateway from 10.12.255.254 to 10.12.X.254 ( X=1,2,3,4,6, depends on the devices’ IP address or vlan)

      4, configure F1 and site B’s devices, including the switch(es), the same way. Make 10.12.5.0/24 a subnet on F1.
      5, move your servers to site B and connect them to the proper interfaces of the switches.

      This way has the same potential issue as the first way’s #1.

      I have not thought it through carefully; I hope it is helpful.
    • I guess most routers support something like "ip route 10.12.5.0 0.0.0.255 interfacexxx". I guess your 2 sites are directly connected to 1 router; then on the server PC, set a 2nd IP which is for real packet routing
    • Gurus, I'm confused. Network experts and security experts have been busy here most of the day, and I'm sweating just watching. Didn't the OP say there are two sites? Site A and site B, right? So just change site B to /8 and be done with it? To be safe, add a few host routes and that should cover it? Look how busy it has kept a bunch of experts. Heh heh...
      • It doesn't matter that you laugh at me
        It doesn't matter that you laughed at me above. Indeed, I, a CCIE with 13 years of Cisco experience, am not up to it; I have seen many people far better than me.
        I need to see the topology and configuration because any change in a network may involve many other issues; without understanding the overall network structure and discussing only one point, it is hard to guarantee you don't fix one thing and break another.
        That said, I suggest you not laugh at others; nobody knows everything.
        Also, before giving others advice, I suggest you first go and study some basic network principles, okay? Frankly, judging by your suggestion, you haven't even figured out IP addresses, never mind layer 2 and layer 3 principles. Misleading yourself is fine; don't mislead others.
        Do you know why you see this problem as so simple? Because you don't know enough; within the range of what you know, you simply can't see the knock-on effects this would cause.

        This may not be pleasant to hear, but it is all honest and well-meant.
        • u are right, we cannot touch anything right now before figuring out the effect on the whole network.
        • Personal attacks are wrong. As for network theory, I certainly can't match you big experts at turning a simple problem into a complicated one. Don't rush; being able to think of it as complicated means you still have the capacity to think. My theory is from what I learned at school N years ago, but 32-bit IP hasn't changed, has it? Honestly, I'm not that interested in this stuff; I just skimmed a few pages of a very basic book a few months ago.
          Put it this way: you, the big expert, tell me where exactly I'm wrong. If you can't, I'll really laugh. Heh heh
          • I have answered your question below #4313099 and #4313138
      • Although changing everything to an 8-bit mask would allow communication, in practice you rarely even see a 16-bit mask, never mind 8-bit; otherwise there is too much junk traffic, especially broadcasts, it is hard to control, and security is terrible. But I don't quite understand why you would change only site B; if you change it, change all of it. Change those two router interfaces directly to bridged and then set up a layer 3 virtual interface, or connecting a switch would do too.
        • Changing both ports to /8 is definitely not feasible; two layer 3 ports cannot be in the same network segment. If you must merge the two networks, you should put the /8 on a layer 3 virtual interface and bridge the two ports, but that makes the broadcast domain huge and is basically not feasible.
      • unless you extend layer 2 vlan to both sites using .1q, you can't have one subnet at two locations by use of layer 3.
        • Agreed
    • thanks buddies anyway, but I am lost completely.
      • The simplest method is...
        Add a subnet 10.12.5.0/24 at your B site. The gateway can be 10.12.5.1 or whatever
        Move the servers over, change to a /24 subnet mask, change the gateway to 10.12.5.1
        Depending on your routing protocol, add this new subnet manually or automatically
        Then it works.
        A site --- 10.12.0.0/16
        B site -- 10.50.0.0/16 plus 10.12.50/24
        As for how to add this subnet and how to configure it, I think if you ask further you will have to pay a consultant; different devices, different methods
        If you still don't get it, buy me dinner and I'll tell you everything, heh heh heh heh
        • Actually this is the first solution that came into my mind, but what we want is to keep the Server’s IP and subnet, still /24, instead of /16
          • Sorry, should be “still /16, instead of /24”
            • Please give up, it is totally impossible to keep the same IP address and subnet mask
              Please give up, it is totally impossible to keep the same IP address and subnet mask.

              if you want to keep the same IP address of the servers, not only your servers but also the other devices in site A have to change their subnet mask.

              from the site A devices' perspective:

              If you keep the same address/mask, you can imagine the process in which the PC with 10.12.1.1/16 in site A (call it PCA below) accesses the server 10.12.5.1 in site B (call it ServerB below).

              1, as PCA is in the 10.12.0.0/16 subnet, from its perspective the destination ServerB is in the same LAN, so PCA will check the layer 2 information, the MAC address table, to find ServerB's MAC address;

              2, at that time there is no such entry in its MAC table, so it will generate an ARP Request broadcast to the whole LAN; the ARP Request means "who is 10.12.5.1, please let me know your MAC address";
              3, this broadcast will be terminated on the router's interface (this is one of a layer 3 device's functions), so no device can reply to this ARP Request.

              Even though you configured the router's interface as PCA's default gateway, Ethernet is a layer 2 protocol (switching) and will not check the layer 3 configuration (routing). Only when it accesses a different LAN will it check its layer 3 information, such as static IP routes or the default gateway.

              From the servers' perspective, when they try to access site A's devices, they have the same issue. Additionally, if you keep the same IP address/mask, you have to configure the router's interface connecting to site B as 10.12.0.0/16 as you need it as the servers' default gateway, which causes the "IP address overlap" in your router again.
              • i agree with your statement in this portion.
        • Have you tried to confirm your solution?
          Have you tried to test your solution? To be honest, I do not think it can work by this way.

          If you configure the Interface connecting to site A as 10.12.0.0/16, it means that the IP range from 10.12.0.0 to 10.12.255.255 is allocated to this LAN.

          The IP range 10.12.5.0/24 is a subnet of the above range; if you configure it on the interface connecting to site B, as this interface belongs to a different LAN, what you are doing is allocating an already allocated IP block, which will cause the "IP address overlap" and the router will reject this command.

          So different layer 3 interfaces in the same device can not be in the same subnet.
          • hahaha, the lengths of the subnet masks are different. I have tested it in my IOU environment.
            • Fully tested?
              On two different layer 3 ports of the same router, one configured as 10.12.0.0/16 and the other as one of its subnets, 10.12.5.0/24? I don't know what device you configured this on, but at least on Cisco it can't be done: since this causes IP address space overlap, your configuration command will be rejected. Back in China (I don't remember clearly), when testing Maipu routers it seemed it could be configured; I discussed it with their developers and don't know whether it was eventually corrected.
              I don't know what device you are using. In terms of layer 2 principles, communication within the same network segment is based on ARP/broadcast; you have separated the broadcast domain with a layer 3 device, so I don't know how the separated devices would communicate. Even if you can configure it, that only means the device's software is not designed precisely enough; actual communication between them is not possible.
              Could you post your configuration, including the test results of communication between them? I don't know what your "the length of the subnet mask are different" means; if they are two different IP address spaces, whether the masks are the same or not naturally doesn't matter at all.
              I'll do an experiment later (I remember doing it on Cisco devices a long time ago) and post the result for you.
          • by the way, the server subnet 10.12.5.0/24 will be configured in router B instead of A.
            • my test result
              I tried to test and the result is below:

              ######### show ver to show the IOS ver, it is " Catalyst 4500 L3 Switch Software (cat4500-ENTSERVICESK9-M), Version 12.2(37)SG"
              TEST#show ver
              Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-ENTSERVICESK9-M), Version 12.2(37)SG, RELEASE SOFTWARE (fc1)
              Technical Support: http://www.cisco.com/techsupport
              Copyright (c) 1986-2007 by Cisco Systems, Inc.
              Compiled Tue 17-Apr-07 18:22 by prod_rel_team
              Image text-base: 0x10000000, data-base: 0x11860220

              ROM: 12.1(12r)EW
              Dagobah Revision 95, Swamp Revision 24

              TEST uptime is 6 weeks, 1 day, 20 hours, 12 minutes
              Uptime for this control processor is 6 weeks, 1 day, 20 hours, 8 minutes
              System returned to ROM by Admin requested switchover during ISSU
              System image file is "slot0:cat4500-entservicesk9-mz.122-37.SG.bin"


              This product contains cryptographic features and is subject to United
              States and local country laws governing import, export, transfer and
              use. Delivery of Cisco cryptographic products does not imply
              third-party authority to import, export, distribute or use encryption.
              Importers, exporters, distributors and users are responsible for
              compliance with U.S. and local country laws. By using this product you
              agree to comply with applicable laws and regulations. If you are unable
              to comply with U.S. and local laws, return this product immediately.

              A summary of U.S. laws governing Cisco cryptographic products may be found at:
              http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

              If you require further assistance please contact us by sending email to
              export@cisco.com.

              cisco WS-C4507R (MPC8245) processor (revision 5) with 524288K bytes of memory.
              Processor board ID FOX081800LP
              MPC8245 CPU at 333Mhz, Supervisor IV
              Last reset from Redundancy Reset
              12 Virtual Ethernet interfaces
              52 Gigabit Ethernet interfaces
              403K bytes of non-volatile configuration memory.

              Configuration register is 0x2102

              ################ confirm that there is not VLAN 11 or VLAN 12, then create them

              TEST#show vlan id 11
              VLAN id 11 not found in current VLAN database
              TEST#show vlan id 12
              VLAN id 12 not found in current VLAN database
              TEST#conf t
              Enter configuration commands, one per line. End with CNTL/Z.
              TEST(config)#vlan 11
              TEST(config-vlan)#name testvlan11
              TEST(config-vlan)#vlan 12
              TEST(config-vlan)#name testvlan12
              TEST(config-vlan)#exit

              ############### confirm that no any layer 3 interface in the 10.0.0.0

              TEST(config)#do show ip route 10.0.0.0
              % Network not in table

              ################# configure the interface VLAN 11&12 layer 3 information: IP address, you can find that there is an alarm "10.12.5.0 overlaps with Vlan11"
              TEST(config)#inter vlan11
              TEST(config-if)#ip address 10.12.0.1 255.255.0.0
              TEST(config-if)#no shut
              TEST(config-if)#int vlan 12
              TEST(config-if)#ip address 10.12.5.1 255.255.255.0
              10.12.5.0 overlaps with Vlan11

              ################## check the interfaces' IP address, the interface vlan 12 got the IP address! it is different from my previous test, maybe it depends on the IOS, but look my next step
              TEST(config-if)#do show run int vlan 11
              Building configuration...

              Current configuration : 58 bytes
              !
              interface Vlan11
              ip address 10.12.0.1 255.255.0.0
              end

              TEST(config-if)#do show run int vlan 12
              Building configuration...

              Current configuration : 70 bytes
              !
              interface Vlan12
              ip address 10.12.5.1 255.255.255.0
              shutdown
              end

              ###### as the interface vlan 12's status is "shutdown", try to make it up, but got the alarm "10.12.5.0 overlaps with Vlan11 Vlan12: incorrect IP address assignment"

              TEST(config-if)#int vlan 12
              TEST(config-if)#no shut
              10.12.5.0 overlaps with Vlan11
              Vlan12: incorrect IP address assignment

              ############# check the interface vlan 12 again after the command of "no shut", it is still "shutdown", it means, it can not be up if the IP address overlap!
              TEST(config-if)#do show run int vlan 12
              Building configuration...

              Current configuration : 70 bytes
              !
              interface Vlan12
              ip address 10.12.5.1 255.255.255.0
              shutdown
              end

              TEST(config-if)#
              • again, 10.12.5.0/24 is configured in the other router (not the one which has the subnet 10.12.0.0/16 configured).
                1) The original map
                Site 2 ............................................................................Site 1
                10.50.0.0/16 ------ Router B--------Router A----------10.12.0.0/16

                2) after moving the server subnet from RA-->RB.
                Site 2...................................................Site 1
                10.50.0.0/16----RB---------RA------10.12.0.0/16
                10.12.5.0/24------/

                Read the question properly before testing, comrade CCIE big-shot
    • I am not CCIE or cisco guru by any means. Just to give some general ideas.... So do not laugh...
      if you want to keep the server IP and move it to another site, you will have to further subnet your site A - from /16 to /24 such that, in the global routing table, PC subnets are separated from the server subnet. From site A, only advertise PC subnets; from site B, advertise the existing subnet plus the server subnet.
      • yes
    • I wasn't going to say anything, but something this simple has to be turned into rocket science. Do the experts even understand CIDR and host routing? Sigh...
      • Going all out with sarcasm and mockery does not improve you. Go and properly do a simulation test; afterwards you won't be talking in that tone.
        A sentence for you: a sharp tongue hurts others and yourself.
        Mocking others only reflects your own poor character, and mocking wrongly makes you look even more ignorant, merely giving others something to laugh at.

        Go and properly do an experiment, then come back and mock others.
        • I didn't laugh at you; I was discussing the matter. But you have been personally attacking me all along.
          • please see my test result ##4320600.
      • I am no expert in any area. But sometimes I get involved in large network design reviews. How about you lay out your plan in detail and we will see if it makes sense?
        • Don't stoop to his level. This guy has probably learned a pile of theory but has no practical experience, and actually has many misunderstandings of the theory, heh. He really doesn't know in which situations CIDR is needed or how to use it, and may not be able to tell the difference and relation between VLSM and CIDR. He probably does understand the concept of host routes, but not necessarily the concept of route selection in a router.
      • Having read so much argument above, I feel the key is that the requirements and the current state have not been explained clearly. Let's imagine site A: if the address is 10.12.0.0/16, is everything connected under one layer 3 port with no layer 3 device below it? If it has already been divided into /24 segments, then it is very simple: split the previous /16 aggregate route and point 10.12.5.0/24 at router B.
        The other segments, whether /17, /18 ... /24, stay at site A. If site A was never subnetted and all machines have a /16 mask, then frankly the original IP addressing was bullshit, and re-addressing now would not be excessive. But if you insist on not re-addressing, you can set up a pile of static proxy ARP entries on routers A and B (specifically, on router A proxy ARP all the server IPs, and on router B proxy ARP the IP addresses of all site A machines that need to talk to the servers), but if there are many machines the configuration maintenance cost is far too high.
        • I agree with the first part; the latter I haven't tried, so I don't dare say.
          • You have equipment, so you could do an experiment. Remember to change the cost value: make the connected cost larger than the static one.
            • I still think it won't work
              First, let me state that I have not done an experiment, but I feel that in theory it still does not work:
              These are two different layer 3 ports, A and B, on the same router. With proxy ARP as you describe, you still need to imagine site A's device (PCA) accessing site B's server (ServerB):

              1, PCA generates an ARP request; since port A is on this segment it receives the broadcast, and because of proxy ARP it replies to the ARP request;
              2, interface A receives a packet with destination IP ServerB, looks up the routing table, and by the exact-match principle (not the cost issue you mentioned, because port A is directly connected to 10.12.0.0/16, while the configuration you would add should be 10.12.5.0/24 pointing at port B; if what you add is also a /16, the router's communication with the outside world will break) the packet is routed to interface B;
              3, now the problem appears: how does interface B forward (switching or routing) this packet to ServerB? Clearly not by routing, and switching requires being in the same subnet, meaning interface B must have a 10.12.5.0/24 address, which brings us back to the original "IP overlap" problem.
              From another angle, B needs an address on the same segment as its default gateway, which can only be interface B, and this likewise causes the A/B address overlap problem.

              This is just my own analysis; since I have never used proxy ARP, I don't know whether I am right.
              • Point 3 was wrong; it should be that interface B must have a 10.12.0.0/16 IP address, because you said earlier the servers keep /16. But the final conclusion is the same: "IP address overlap"
            • I reread what you said about proxy ARP. If you mean on two routers, it seems feasible in principle, but route selection should be by exact match, not by comparing the metric. If it is one router, it is as I said: I don't think it works.
              • I assumed he meant each site has at least one router. But even with one router it should be possible: the second port only needs a 10.50.0.0/16 address, not a 10.12.0.0/16 address, so there is no address overlap problem. Route selection goes by metric first and only then by exact match; the lower metric always wins.
                I don't have equipment; if you can do an experiment I would appreciate it.
                • That's not how it is
                  I can't be sure about proxy ARP, because I have never used it.

                  But if interface B is not configured with a 10.12.0.0/16 address, how could a server with a 10.12.0.0/16 address be connected to that port? If you connect it, it will keep reporting errors. The port and the server are on different segments, so how can it communicate with the outside world through interface B? A NIC without routing capability can only communicate directly at layer 2, but at layer 2 this NIC is not on the same segment as interface B, and there is no layer 3 device in between; that is, ServerB and interface B cannot communicate with each other at all, let alone with the outside world through interface B.

                  Besides, route matching is longest match first; there is absolutely no doubt about this, and many routing policies are built on it. Only when the match lengths are equal does it compare the routing protocol's distance, and only then the metric. For example, an enterprise's Internet-facing router, apart from some internal dynamic/static routes, generally has a static route 0.0.0.0/0 pointing at the Internet exit, and usually that route's distance/metric are the defaults. Its match length is 0, precisely to ensure the other internal routes take priority. Only when none of the internal routes match is the packet bound for the Internet; that is, internal routes are looked up first, and the priority mechanism is ensuring the internal routes' match length is greater than that of 0.0.0.0/0. No experiment is needed for this; my daily work involves exactly this sort of thing.

                  If you insist that I prove it to you, I'll do one later and post it.
                  • Let me give a simple example: two computers connected with a crossover cable, one with IP 192.168.1.1/24 and the other 10.1.1.1/24. Can they ping each other? As long as each machine sets its own IP as its gateway, they can communicate with each other. Longest match takes priority over distance; you are right.
                • Cisco's example of proxy ARP usage
                  Link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml

                  Note that in the example, although host A is /16, the router port e0 it connects to is /24, to ensure it does not overlap with e1.
                  • Cisco only gave one possibility as an example; it did not give examples of all possibilities. To understand proxy ARP you still have to read the RFC, but Cisco does comply with the RFC's proxy ARP. Let me give a simple example: two computers connected with a crossover cable, one with IP 192.168.1.1/24 and the other 10.1.1.1/24. Can they ping each other? How can they be made to ping each other?
                    • to be honest, I do not think they can ping each other. maybe they can by some ways, but I do not know.
                      • Set each computer's gateway to itself. This experiment is very simple; anyone can do it. Why not try it.
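Added example, not code from any post in this thread: the subnet arithmetic behind the three points argued above, modelled with Python's standard ipaddress module and the thread's own prefixes. It covers the host's on-link decision that triggers the ARP broadcast (the "please give up" post), the overlap check that kept VLAN 12 down in the 4500 test, and the longest-prefix-match rule from the post just above; the "gateway set to self" branch reproduces the behaviour the thread reports, not a guarantee for every OS, and the route/interface names are made up for illustration.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict, List, Optional, Tuple


def host_next_hop(host: str, dst: str, gateway: Optional[str] = None) -> str:
    """Model a plain end host (no routing) deciding how to reach dst.

    If dst is inside the host's own prefix, the host treats it as on-link and
    ARPs for dst directly, so a router between them never gets a packet to
    forward (PCA 10.12.1.1/16 -> ServerB 10.12.5.1 in the thread). Otherwise
    it ARPs for its default gateway. The crossover-cable trick (gateway set to
    the host's own address) is modelled as the host resolving dst directly;
    that is the behaviour reported in the thread, not a rule for every OS.
    """
    iface = IPv4Interface(host)
    if IPv4Address(dst) in iface.network:
        return "on-link: ARP for " + dst
    if gateway is None:
        return "unreachable: no gateway"
    if IPv4Address(gateway) == iface.ip:
        return "self-gateway: ARP for " + dst
    return "off-link: ARP for gateway " + gateway


def overlapping_interface(existing: Dict[str, str], new_addr: str) -> Optional[str]:
    """Return the name of an existing L3 interface whose prefix overlaps the
    prefix of new_addr, or None if the assignment is clean.

    A router refuses (or keeps shut down) an interface whose prefix overlaps
    another interface on the same box; this is the
    "10.12.5.0 overlaps with Vlan11" message in the 4500 test above.
    """
    new_net = IPv4Interface(new_addr).network
    for name, addr in existing.items():
        if new_net.overlaps(IPv4Interface(addr).network):
            return name
    return None


# (prefix, administrative distance, next hop); names are constructed for the example
Route = Tuple[str, int, str]


def select_route(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match first; administrative distance only breaks ties
    between routes of equal prefix length (metric would come after that).

    A connected 10.12.0.0/16 therefore loses to a static 10.12.5.0/24 for
    10.12.5.1, even though the connected route has the lower distance.
    """
    d = IPv4Address(dst)
    matches = [(IPv4Network(p), ad, nh) for p, ad, nh in routes if d in IPv4Network(p)]
    if not matches:
        return None
    matches.sort(key=lambda m: (-m[0].prefixlen, m[1]))
    return matches[0][2]


if __name__ == "__main__":
    # Site A host keeps /16: it ARPs for the server directly and never uses its gateway.
    print(host_next_hop("10.12.1.1/16", "10.12.5.1", "10.12.255.254"))
    # After re-subnetting site A to /24, the same host hands the packet to its gateway.
    print(host_next_hop("10.12.1.1/24", "10.12.5.1", "10.12.1.254"))
    # One router, two interfaces: a /24 inside an existing /16 is rejected.
    print(overlapping_interface({"Vlan11": "10.12.0.1/16"}, "10.12.5.1/24"))
    # On router A, a packet for 10.12.5.1 that does reach it follows the /24 towards
    # router B, not the connected /16, because the longer prefix wins.
    rib = [("10.12.0.0/16", 0, "connected F0"), ("10.12.5.0/24", 1, "RouterB"),
           ("0.0.0.0/0", 1, "Internet")]
    print(select_route(rib, "10.12.5.1"), select_route(rib, "10.12.1.1"),
          select_route(rib, "8.8.8.8"))
```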
                        • thank you
                          thank you for the skills, I will try later. In theory, your way is correct: the NIC will send the broadcast with destination ffff.ffff.ffff, the peer gets it and then responds; the destination device does not know the broadcast is from another IP subnet.

                          but what you are talking about is PC/Server; they are not smart enough to check if the peer is in the same IP subnet. they get the MAC address by "cheating".

                          if it is a professional "network" device, your way can not work; the device will give you an alarm when you connect devices with different IP subnets to the same LAN. the simple example is that if you connect two routers' interfaces directly and then configure IP addresses from different subnets, the interfaces can be up physically, but the protocol should be "down".

                          please check RFC1027 at:
                          http://www.ietf.org/rfc/rfc1027.txt
                          the mechanism is totally the same: get the MAC address by broadcast, and the broadcast should stay in the LAN, so they need to be in the same subnet (or a subnet included in it).

                          I will try to do some test that connects two different subnets' devices (at least one professional network device, such as a router or layer 3 switch) to the same LAN and check the result.
                          I will let you know the result; maybe I am wrong, but I'd like to try.
                        • please see my test, cisco3550 is smarter than a PC/Server
                          I configured my laptop 172.16.0.1 255.255.255.0, default gateway: 172.16.0.1. I connected it to Cisco3550 FastEthernet 0/48

                          the output from the 3550:

                          SHOW VER
                          Cisco Internetwork Operating System Software
                          IOS (tm) C3550 Software (C3550-I5K2L2Q3-M), Version 12.1(22)EA5, RELEASE SOFTWARE (fc1)
                          Copyright (c) 1986-2005 by cisco Systems, Inc.
                          Compiled Thu 14-Jul-05 02:20 by antonino
                          Image text-base: 0x00003000, data-base: 0x0097D530

                          ROM: Bootstrap program is C3550 boot loader

                          Switch uptime is 26 minutes
                          System returned to ROM by power-on
                          System image file is "flash:c3550-i5k2l2q3-mz.121-22.EA5.bin"


                          This product contains cryptographic features and is subject to United
                          States and local country laws governing import, export, transfer and
                          use. Delivery of Cisco cryptographic products does not imply
                          third-party authority to import, export, distribute or use encryption.
                          Importers, exporters, distributors and users are responsible for
                          compliance with U.S. and local country laws. By using this product you
                          agree to comply with applicable laws and regulations. If you are unable
                          to comply with U.S. and local laws, return this product immediately.

                          A summary of U.S. laws governing Cisco cryptographic products may be found at:
                          http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

                          If you require further assistance please contact us by sending email to
                          export@cisco.com.

                          cisco WS-C3550-48 (PowerPC) processor (revision G0) with 65526K/8192K bytes of memory.
                          Processor board ID CHK0641W0QV
                          Last reset from warm-reset
                          Bridging software.
                          Running Layer2/3 Switching Image

                          Ethernet-controller 1 has 12 Fast Ethernet/IEEE 802.3 interfaces

                          Ethernet-controller 2 has 12 Fast Ethernet/IEEE 802.3 interfaces

                          Ethernet-controller 3 has 12 Fast Ethernet/IEEE 802.3 interfaces

                          Ethernet-controller 4 has 12 Fast Ethernet/IEEE 802.3 interfaces

                          Ethernet-controller 5 has 1 Gigabit Ethernet/IEEE 802.3 interface

                          Ethernet-controller 6 has 1 Gigabit Ethernet/IEEE 802.3 interface

                          48 FastEthernet/IEEE 802.3 interface(s)
                          2 Gigabit Ethernet/IEEE 802.3 interface(s)

                          The password-recovery mechanism is enabled.
                          384K bytes of flash-simulated non-volatile configuration memory.
                          Base ethernet MAC Address: 00:0B:46:6A:FC:80
                          Motherboard assembly number: 73-5701-07
                          Power supply part number: 34-0967-01
                          Motherboard serial number: CAT06400DV7
                          Power supply serial number: LIT063400S5
                          Model revision number: G0
                          Motherboard revision number: A0
                          Model number: WS-C3550-48-EMI
                          System serial number: CHK0641W0QV
                          Configuration register is 0x10F

                          Switch# SHOW RUN INT VLAN 1
                          Building configuration...

                          Current configuration : 59 bytes
                          !
                          interface Vlan1
                          ip address 10.12.0.1 255.255.255.0
                          end

                          Switch#SHOW RUN INT F0/48
                          Building configuration...

                          Current configuration : 106 bytes
                          !
                          interface FastEthernet0/48
                          switchport mode access
                          switchport nonegotiate
                          speed 100
                          duplex full
                          end

                          Switch#SHOW INT F0/48
                          FastEthernet0/48 is up, line protocol is up (connected)
                          Hardware is Fast Ethernet, address is 000b.466a.fcb0 (bia 000b.466a.fcb0)
                          MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
                          reliability 255/255, txload 1/255, rxload 1/255
                          Encapsulation ARPA, loopback not set
                          Keepalive set (10 sec)
                          Full-duplex, 100Mb/s, media type is 100BaseTX
                          input flow-control is off, output flow-control is unsupported
                          ARP type: ARPA, ARP Timeout 04:00:00
                          Last input never, output 00:00:00, output hang never
                          Last clearing of "show interface" counters never
                          Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
                          Queueing strategy: fifo
                          Output queue: 0/40 (size/max)
                          5 minute input rate 0 bits/sec, 0 packets/sec
                          5 minute output rate 0 bits/sec, 0 packets/sec
                          2691 packets input, 263858 bytes, 0 no buffer
                          Received 2671 broadcasts (0 multicast)
                          0 runts, 0 giants, 0 throttles
                          0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
                          0 watchdog, 1327 multicast, 0 pause input
                          0 input packets with dribble condition detected
                          380 packets output, 32620 bytes, 0 underruns
                          0 output errors, 0 collisions, 1 interface resets
                          0 babbles, 0 late collision, 0 deferred
                          0 lost carrier, 0 no carrier, 0 PAUSE output
                          0 output buffer failures, 0 output buffers swapped out

                          Switch#SHOW MAC- INTER F0/48
                          Mac Address Table
                          -------------------------------------------

                          Vlan Mac Address Type Ports
                          ---- ----------- -------- -----
                          1 001c.2318.4e53 DYNAMIC Fa0/48
                          Total Mac Addresses for this criterion: 1
                          Switch#SHOW IP ARP VLAN 1
                          Protocol Address Age (min) Hardware Addr Type Interface
                          Internet 10.12.0.1 - 000b.466a.fc80 ARPA Vlan1
                          Internet 172.16.0.1 2 001c.2318.4e53 ARPA Vlan1
                          Switch#SHOW IP ROUTE
                          Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
                          D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
                          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                          E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
                          i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
                          * - candidate default, U - per-user static route, o - ODR
                          P - periodic downloaded static route

                          Gateway of last resort is 0.0.0.0 to network 0.0.0.0

                          10.0.0.0/24 is subnetted, 1 subnets
                          C 10.12.0.0 is directly connected, Vlan1
                          S* 0.0.0.0/0 is directly connected, Vlan1
                          Switch#SHOW RUN | IN ip route
                          ip route 0.0.0.0 0.0.0.0 Vlan1
                          Switch#ping 172.16.0.1

                          Type escape sequence to abort.
                          Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
                          .....
                          Success rate is 0 percent (0/5)
                          Switch#conf t
                          Enter configuration commands, one per line. End with CNTL/Z.
                          Switch(config)#int vlan 1
                          Switch(config-if)#ip address 172.16.0.100 255.255.255.0
                          Switch(config-if)#^Z
                          Switch#clear mac- dyna vlan 1
                          00:29:08: %SYS-5-CONFIG_I: Configured from console by console
                          Switch#ping 172.16.0.1

                          Type escape sequence to abort.
                          Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
                          !!!!!
                          Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
                          Switch#show mac- vlan 1 | in DYN
                             1    001c.2318.4e53    DYNAMIC     Fa0/48
                          Switch#show ip arp vlan 1
                          Protocol  Address          Age (min)  Hardware Addr   Type  Interface
                          Internet  172.16.0.1               0  001c.2318.4e53  ARPA  Vlan1
                          Internet  172.16.0.100             -  000b.466a.fc80  ARPA  Vlan1
                          Switch#conf t
                          Enter configuration commands, one per line. End with CNTL/Z.
                          Switch(config)#int vlan 1
                          Switch(config-if)#no ip address
                          Switch(config-if)#inter f0/48
                          Switch(config-if)#no switch
                          Switch(config-if)#ip address 10.12.0.1 255.255.255.0
                          00:30:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
                          00:30:11: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/48, changed state to down
                          00:30:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/48, changed state to up
                          Switch(config-if)#^Z
                          00:30:33: %SYS-5-CONFIG_I: Configured from console by console

                          Switch#show run int f0/48
                          Building configuration...

                          Current configuration : 109 bytes
                          !
                          interface FastEthernet0/48
                          no switchport
                          ip address 10.12.0.1 255.255.255.0
                          speed 100
                          duplex full
                          end

                          Switch#show int f0/48
                          FastEthernet0/48 is up, line protocol is up (connected)
                          Hardware is Fast Ethernet, address is 000b.466a.fc80 (bia 000b.466a.fc80)
                          Internet address is 10.12.0.1/24
                          MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
                          reliability 255/255, txload 1/255, rxload 1/255
                          Encapsulation ARPA, loopback not set
                          Keepalive set (10 sec)
                          Full-duplex, 100Mb/s, media type is 100BaseTX
                          input flow-control is off, output flow-control is unsupported
                          ARP type: ARPA, ARP Timeout 04:00:00
                          Last input 00:00:00, output 00:00:07, output hang never
                          Last clearing of "show interface" counters never
                          Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
                          Queueing strategy: fifo
                          Output queue: 0/40 (size/max)
                          5 minute input rate 6000 bits/sec, 7 packets/sec
                          5 minute output rate 0 bits/sec, 0 packets/sec
                          3054 packets input, 308680 bytes, 0 no buffer
                          Received 3028 broadcasts (0 IP multicast)
                          0 runts, 0 giants, 0 throttles
                          0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
                          0 watchdog, 1528 multicast, 0 pause input
                          0 input packets with dribble condition detected
                          502 packets output, 42012 bytes, 0 underruns
                          0 output errors, 0 collisions, 2 interface resets
                          0 babbles, 0 late collision, 0 deferred
                          0 lost carrier, 0 no carrier, 0 PAUSE output
                          0 output buffer failures, 0 output buffers swapped out

                          Switch#ping 172.16.0.1

                          Type escape sequence to abort.
                          Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
                          .....
                          Success rate is 0 percent (0/5)
                          Switch#show ip route
                          Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
                          D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
                          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                          E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
                          i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
                          * - candidate default, U - per-user static route, o - ODR
                          P - periodic downloaded static route

                          Gateway of last resort is not set

                          10.0.0.0/24 is subnetted, 1 subnets
                          C 10.12.0.0 is directly connected, FastEthernet0/48
                          Switch#show run | in ip route 0.0.0.0
                          ip route 0.0.0.0 0.0.0.0 Vlan1
                          Switch#conf t
                          Enter configuration commands, one per line. End with CNTL/Z.
                          Switch(config)#no ip route 0.0.0.0 0.0.0.0 Vlan1
                          Switch(config)#ip route 0.0.0.0 0.0.0.0 f0/48
                          Switch(config)#do show ip route
                          Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
                          D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
                          N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
                          E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
                          i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
                          * - candidate default, U - per-user static route, o - ODR
                          P - periodic downloaded static route

                          Gateway of last resort is 0.0.0.0 to network 0.0.0.0

                          10.0.0.0/24 is subnetted, 1 subnets
                          C 10.12.0.0 is directly connected, FastEthernet0/48
                          S* 0.0.0.0/0 is directly connected, FastEthernet0/48
                          Switch(config)#^Z
                          00:32:14: %SYS-5-CONFIG_I: Configured from console by console

                          Switch#ping 172.16.0.1

                          Type escape sequence to abort.
                          Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
                          .....
                          Success rate is 0 percent (0/5)

                          Switch#show ip arp ?
                            Async                 Async interface
                            BVI                   Bridge-Group Virtual Interface
                            Dialer                Dialer interface
                            FastEthernet          FastEthernet IEEE 802.3
                            GigabitEthernet       GigabitEthernet IEEE 802.3z
                            H.H.H                 48-bit hardware address of ARP entry
                            Hostname or A.B.C.D   IP address or hostname of ARP entry
                            Lex                   Lex interface
                            Loopback              Loopback interface
                            Multilink             Multilink-group interface
                            Null                  Null interface
                            Port-channel          Ethernet Channel of interfaces
                            Tunnel                Tunnel interface
                            Virtual-Template      Virtual Template interface
                            Virtual-TokenRing     Virtual TokenRing
                            Vlan                  Catalyst Vlans
                            summary               IP ARP table summary
                            |                     Output modifiers
                            <cr>

                          Switch#show ip arp f0/48
                          Protocol  Address          Age (min)  Hardware Addr   Type  Interface
                          Internet  10.12.0.1                -  000b.466a.fc80  ARPA  FastEthernet0/48
                          Internet  172.16.0.1               0  001c.2318.4e53  ARPA  FastEthernet0/48

                          Switch#conf t
                          Enter configuration commands, one per line. End with CNTL/Z.
                          Switch(config)#int f0/48

                          Switch(config-if)#ip addre 172.16.0.100 255.255.255.0
                          Switch(config-if)#^Z

                          00:33:32: %SYS-5-CONFIG_I: Configured from console by console
                          Switch#show ip arp f0/48
                          Protocol  Address          Age (min)  Hardware Addr   Type  Interface
                          Internet  172.16.0.1               0  001c.2318.4e53  ARPA  FastEthernet0/48
                          Internet  172.16.0.100             -  000b.466a.fc80  ARPA  FastEthernet0/48
                          Switch#ping 172.16.0.1

                          Type escape sequence to abort.
                          Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
                          !!!!!
                          Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
                          Switch#
                          • Hasn't the switch already learned the MAC of the PC on the other IP subnet? But the PC has not necessarily learned the MAC that goes with the switch's IP; the switch has to answer the PC's ARP query for this to work. I don't think the two fail to communicate because a Cisco switch is "smarter"; it is because the switch was not set as the PC's gateway, or no static ARP entry was added.
                            • My test and my view
                              Tested again with two 3550s, and sure enough they could reach each other. It can indeed be explained from first principles.

                              My purpose in coming here is to meet more like-minded people and improve through exchange, so let me also give my view of this approach, from a technical standpoint and absolutely not to argue for its own sake.

                              First, I feel this approach is not the normal way of thinking within the TCP/IP protocol framework; rather, it only exploits some loopholes in the protocols, and it also misappropriates the concept of the default gateway. I have indeed run into cases where I accidentally configured a wrong address and a network device (I forget which one) raised an alarm.

                              If you think through the whole access process, what you call configuring yourself as the default gateway does not actually perform the function of a default gateway in the normal sense; I suggest you google the definition of "gateway" and you will see. A gateway operates on packets (the layer-3 data format), not frames (the layer-2 data format), and the method it uses is routing, not simple layer-2 switching; in other words, it works at layer 3. Your configuration, however, works at layer 2. With this approach, the so-called default gateway can only switch data within the same physical network and cannot go beyond that limit; being forwarded by a next hop is a completely different mechanism.
                              • Thanks for confirming it with your experiment. I don't quite agree with calling this a "protocol loophole", but the experiment does confirm that the TCP/IP protocols themselves were designed with relatively little thought for security. In real engineering I would absolutely not endorse doing this, but once you understand the protocols thoroughly you know it can be done, and you can then also work out some of the potential security weaknesses.
                                • you are right, I appreciate it very much.
        • The original site A IPs were indeed all /16. Proxy is a good approach, but the workload is too large.
          • Friendly reminder
            That day on the phone we didn't get to say much; I think you said afterwards that each of the two sites has a router, interconnected over MPLS, all using static routes.

            If that is the case, proxy ARP might be feasible (I feel it works in theory, but I have not actually tested it). But if you are interconnected through layer-3 MPLS, you must tell your MPLS provider, because they will need to modify the VRF.
            Although your server addresses remain /16, the static route that your site A router and the MPLS provider add must be 10.12.5.0/24, otherwise there will be trouble. In addition, site B needs a 10.12.0.0/16 secondary address to serve as the servers' gateway, plus several static routes 10.12.x.0/24 (x=1,2,3,4,6,7,... note that 5 is not among them) pointing to site A. This ensures that packets to 10.12.x.0 (site A devices) are forwarded to site A by the longest-match rule (the match is longer than the directly connected /16), while packets to the 10.12.5.0 segment are forwarded onto the local LAN (the locally connected segment).

            All of the above rests on proxy ARP being feasible in theory; whether it really works, I have not tested. Even if it works in theory, to be honest, this approach is only a theoretical exploration and is not really operable in practice.

            If it really can't be done, have your company hire someone to do it; if the price is right, I'll be the first to sign up! Haha!
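The following Python script is an added example, not code from the thread or from any of the posters. It models the longest-prefix-match forwarding decision that two passages above depend on: the 3550 experiment (a switch at 10.12.0.1/24 with `ip route 0.0.0.0 0.0.0.0 Vlan1` ARPs for 172.16.0.1 directly, but the PC has no way to send its reply back until the switch moves into 172.16.0.0/24), and the site B design in this reply (a connected 10.12.0.0/16 secondary plus 10.12.x.0/24 static routes towards site A). The 192.0.2.x next hops and WAN prefixes, the `if:` interface-route notation and the assumption that the PC at 172.16.0.1 has no default gateway are illustrative assumptions; the thread does not give them. The `site_b_unrouted` check is the caveat a practitioner would want: any site A /24 that is missing from the static route list falls back to the connected /16 and is ARPed for locally, i.e. black-holed at site B.

```python
# Added example (not from the thread): minimal longest-prefix-match forwarding
# model. Route tables are lists of (prefix, next_hop) where next_hop is
# CONNECTED, "if:<interface>" (a static route naming an interface, which makes
# IOS ARP for every destination on that segment), or an IP next hop that must
# itself resolve to an on-link route. Next hops 192.0.2.x are assumed.
import ipaddress

CONNECTED = "connected"


def lookup(routes, dst):
    """Longest-prefix match over [(prefix, next_hop)]; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forward(routes, dst):
    """What a host or router does with a packet to dst.

    ("arp", dst)   ARP for dst itself on the attached segment (connected
                   route, or a static route that names an interface)
    ("via", hop)   hand the packet to hop, which must itself be on-link
    ("drop", why)  no usable route
    """
    hit = lookup(routes, dst)
    if hit is None:
        return ("drop", "no route")
    _, next_hop = hit
    if next_hop == CONNECTED or next_hop.startswith("if:"):
        return ("arp", dst)
    hop = lookup(routes, next_hop)
    if hop is None or not (hop[1] == CONNECTED or hop[1].startswith("if:")):
        return ("drop", f"next hop {next_hop} is not on-link")
    return ("via", next_hop)


# (1) The 3550 before re-addressing: 10.12.0.1/24 on Vlan1 plus the default
#     route pointing at Vlan1. It ARPs for 172.16.0.1 directly, which is why
#     the transcript's ARP table holds that entry even though ping fails.
SWITCH_10_12 = [("10.12.0.0/24", CONNECTED), ("0.0.0.0/0", "if:Vlan1")]
# The PC at 172.16.0.1/24 with no default gateway (assumed): its echo reply
# to 10.12.0.1 has nowhere to go.
PC_172_16 = [("172.16.0.0/24", CONNECTED)]
# After "ip address 172.16.0.100 255.255.255.0" both sides are on-link.
SWITCH_172_16 = [("172.16.0.0/24", CONNECTED)]

# (2) Site B router: 10.50.0.0/16 primary, 10.12.0.0/16 secondary for the
#     moved servers, an assumed WAN link 192.0.2.0/30 to the MPLS PE, and one
#     /24 static route per site A PC range from the original question
#     (10.12.1-4 and 10.12.6-12; no route for 10.12.5).
SITE_A_PC_SUBNETS = [1, 2, 3, 4] + list(range(6, 13))
SITE_B = (
    [("10.50.0.0/16", CONNECTED), ("10.12.0.0/16", CONNECTED),
     ("192.0.2.0/30", CONNECTED)]
    + [(f"10.12.{x}.0/24", "192.0.2.1") for x in SITE_A_PC_SUBNETS]
)
# Site A router: the original /16 plus 10.12.5.0/24 towards the PE (assumed
# WAN link 192.0.2.4/30).
SITE_A = [("10.12.0.0/16", CONNECTED), ("192.0.2.4/30", CONNECTED),
          ("10.12.5.0/24", "192.0.2.5")]


def site_b_unrouted(site_b_routes):
    """Third octets of 10.12.x.0/24 that site B would treat as local because
    no more specific /24 exists (the local server /24, 5, is excluded).
    Anything listed here that actually lives at site A is black-holed."""
    covered = {int(p.split(".")[2]) for p, _ in site_b_routes
               if p.startswith("10.12.") and p.endswith("/24")}
    return [x for x in range(256) if x not in covered and x != 5]


if __name__ == "__main__":
    print(forward(SWITCH_10_12, "172.16.0.1"))   # ('arp', '172.16.0.1')
    print(forward(PC_172_16, "10.12.0.1"))       # ('drop', 'no route')
    print(forward(SWITCH_172_16, "172.16.0.1"))  # ('arp', '172.16.0.1')
    print(forward(SITE_B, "10.12.5.10"))         # ('arp', '10.12.5.10')  local server
    print(forward(SITE_B, "10.12.3.7"))          # ('via', '192.0.2.1')  site A PC
    print(forward(SITE_A, "10.12.5.10"))         # ('via', '192.0.2.5')  to site B
    print(forward(SITE_A, "10.12.3.7"))          # ('arp', '10.12.3.7')  local PC
    print(site_b_unrouted(SITE_B)[:3])           # [0, 13, 14]
```

Running it shows the two sides of the experiment as the reply above describes them: the switch resolves the off-subnet PC through its interface default route, but the PC, lacking a route back, cannot answer until both share a prefix. For the site B design, the same lookup sends 10.12.3.x over the WAN and keeps 10.12.5.x local, and `site_b_unrouted` lists every 10.12.x.0/24 that would silently be treated as local, which is the list to check against site A's real address plan before any such change.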
      • To be honest, your level isn't as high as 枫叶's.
        • You flatter me. Actually it doesn't matter whose level is higher; everyone just has their own strengths, and the point of exchanging here is to learn a bit more. At least through this case I have also picked up a few techniques.
    • Many thanks to everyone for the help and ideas over these past days. At today's final meeting the company's IT director ultimately rejected this proposal in favor of another approach. Thank you all; sorry ccie18641, I've been very busy and haven't contacted you, I'll call you later, apologies!
      • I am not a network guy but learned a lot from your discussion, really appreciate the detail oriented example from ccie18614.
      • You're welcome.
      • That's the right call. Plan it out properly, otherwise the more you patch it the worse it gets, and as the system grows the cost of management, maintenance and migration rises. In many cases technically feasible does not mean cost effective.