S9703 connected to a Hillstone firewall: direct connection fails

Published: 2015-11-23
Problem Description

GE2/0/41 on the S9703 is connected to a Hillstone firewall, and the two directly connected devices cannot reach each other.

S9703 vlanif 1: 10.136.201.1
Hillstone firewall: 10.136.201.221

Troubleshooting Procedure

1. Check the ARP entries on the S9703:

  ===============display arp===============
10.136.201.1    d494-e804-b182            I -         Vlanif1      //ARP entry for vlanif1 on the local S9703: IP 10.136.201.1, MAC d494-e804-b182
10.136.201.221  001c-5437-4407  17        D-0         GE2/0/41     //ARP entry for the peer Topsec device: IP 10.136.201.221, MAC 001c-5437-4407

2. Traffic statistics:

[shpc-s9703]dis traffic policy statistics interface GigabitEthernet2/0/41 inbound  

Interface: GigabitEthernet2/0/41
Traffic policy inbound: 10
Rule number: 2
Current status: OK!
Statistics interval: 300
---------------------------------------------------------------------
Board : 2
---------------------------------------------------------------------
Matched          |      Packets:                            10          //10 packets matched in the inbound direction
                  |      Bytes:                           1,020
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
   Passed         |      Packets:                            10         //10 packets forwarded in the inbound direction
                  |      Bytes:                           1,020
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
   Dropped        |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
     Filter       |      Packets:                             0
                  |      Bytes:                               0
---------------------------------------------------------------------
     Car          |      Packets:                             0
                  |      Bytes:                               0
---------------------------------------------------------------------
[shpc-s9703]dis traffic policy statistics interface GigabitEthernet2/0/41 outbound

Interface: GigabitEthernet2/0/41
Traffic policy outbound: 10
Rule number: 2
Current status: OK!
Statistics interval: 300
---------------------------------------------------------------------
Board : 2
---------------------------------------------------------------------
Matched          |      Packets:                            10        //10 packets matched in the outbound direction
                  |      Bytes:                           1,020
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
   Passed         |      Packets:                            10     //10 packets forwarded in the outbound direction
                  |      Bytes:                           1,020 
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
   Dropped        |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
     Filter       |      Packets:                             0
                  |      Bytes:                               0
---------------------------------------------------------------------
     Car          |      Packets:                             0
                  |      Bytes:                               0
---------------------------------------------------------------------

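The traffic statistics show no problem: packets are counted in both the inbound and outbound directions.

3. Packet capture:

Ping request from the S9703 to the Hillstone firewall: source MAC address d494-e804-b182  //d494-e804-b182 is the MAC of the vlanif 1 interface

Reply from the Hillstone firewall: destination MAC address d494-e804-b180    //d494-e804-b180 is the switch's system MAC

The destination MAC address of the echo reply sent by the Hillstone firewall is not the MAC address of the switch's vlanif 1 interface.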
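The comparison made by hand in steps 1 and 3 can be automated. The following is an added example, not part of the original case: it checks each captured IPv4 frame's destination MAC against the ARP entry for its destination IP. The frames are constructed to match the capture described above, and the function names are hypothetical.

```python
import struct

# Rows copied from the page's `display arp` output (annotations dropped).
ARP_TABLE = """\
10.136.201.1    d494-e804-b182            I -         Vlanif1
10.136.201.221  001c-5437-4407  17        D-0         GE2/0/41
"""

def norm(mac: bytes) -> str:
    """Format 6 raw bytes as xxxx-xxxx-xxxx, the notation used on the page."""
    h = mac.hex()
    return "-".join(h[i:i + 4] for i in (0, 4, 8))

def parse_arp(text: str) -> dict:
    """Map IP -> MAC from the first two columns of each `display arp` row."""
    rows = (line.split() for line in text.splitlines())
    return {c[0]: c[1].lower() for c in rows if len(c) >= 2 and c[0].count(".") == 3}

def build_frame(dst_mac, src_mac, src_ip, dst_ip, icmp_type):
    """Constructed sample: Ethernet + IPv4 + ICMP echo, checksums left at zero."""
    mac = lambda m: bytes.fromhex(m.replace("-", ""))
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0, ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

def check_frame(frame: bytes, arp: dict):
    """Return (dst_ip, dst_mac_seen, mac_expected) when the frame's destination
    MAC differs from the ARP entry for its destination IP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 frames only
        return None
    dst_mac = norm(frame[0:6])
    dst_ip = ".".join(str(b) for b in frame[30:34])  # IPv4 destination address field
    expected = arp.get(dst_ip)
    return (dst_ip, dst_mac, expected) if expected and expected != dst_mac else None

def audit(frames, arp_text=ARP_TABLE):
    """Run check_frame over a capture and keep only the mismatches."""
    arp = parse_arp(arp_text)
    return [hit for hit in (check_frame(f, arp) for f in frames) if hit]

# Constructed frames reproducing the capture described above.
REQUEST = build_frame("001c-5437-4407", "d494-e804-b182", "10.136.201.1", "10.136.201.221", 8)
REPLY = build_frame("d494-e804-b180", "001c-5437-4407", "10.136.201.221", "10.136.201.1", 0)

if __name__ == "__main__":
    for ip, seen, want in audit([REQUEST, REPLY]):
        print(f"dst {ip}: frame addressed to {seen}, ARP table says {want}")
```

Only the echo reply is flagged: it is addressed to d494-e804-b180 while the switch owns 10.136.201.1 at d494-e804-b182, so the vlanif 1 interface never accepts it.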

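Root Cause

The destination MAC address of the echo reply sent by the Hillstone firewall is not the MAC address of the switch's vlanif 1 interface.

The Hillstone firewall has a one-click scan feature, but the MAC address it discovered was the switch's system MAC. An IP-MAC binding was created from the scan result, which caused the direct connection to fail.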

Solution
Correct the wrong IP-MAC binding on the Hillstone firewall.
