S7706 switch: office service access failure

Published: 2015-12-29
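Problem description

1. Network overview

    A project uses a two-tier network structure, with OSPF running across the whole network. The municipal bureau core consists of two NE40E-X3 routers, and the data center CE12808 switches are deployed as a stack. Each district/county currently has two AR2220 routers with a stacked S7706 switch downstream; the S7706 stack serves as the access layer and connects the district/county terminals and servers.

2. Device configuration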

 <S7706-1-2>dis cu
#
sysname S7706-1-2
#
vlan batch 2 to 4094
#
interface Vlanif2
 ip address 10.77.1.10 255.255.255.252
#
interface Vlanif3
 ip address 10.77.1.14 255.255.255.252
#
interface Vlanif10
 ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
 ip address 192.168.3.1 255.255.255.0
#
acl number 3000 
 rule 5 deny ip destination 172.16.1.0 0.0.0.255
 rule 10 deny ip destination 172.16.2.0 0.0.0.255
 rule 15 deny ip destination 172.16.3.0 0.0.0.255
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 traffic-filter outbound acl 3000
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
ospf 1
 area 0.0.0.0
  network 10.77.1.10 0.0.0.0
  network 10.77.1.14 0.0.0.0
  network 192.168.1.1 0.0.0.0
  network 192.168.2.1 0.0.0.0
  network 192.168.3.1 0.0.0.0
#

<BR-AR2220-A>dis cu
#
 sysname BR-AR2220-A
#
interface GigabitEthernet0/0/0
 ip address 10.58.1.6 255.255.255.252
#
interface GigabitEthernet0/0/1
 ip address 10.58.1.13 255.255.255.252
#

interface GigabitEthernet0/0/2.1
 dot1q termination vid 2
 ip address 10.77.1.9 255.255.255.252
 arp broadcast enable
#
ospf 1
 area 0.0.0.0
  network 10.58.1.6 0.0.0.0
  network 10.58.1.13 0.0.0.0
  network 10.77.1.9 0.0.0.0

<BR-AR2220-B>dis cu
#
 sysname BR-AR2220-B

interface GigabitEthernet0/0/0
 ip address 10.58.1.2 255.255.255.252
#
interface GigabitEthernet0/0/1
 ip address 10.58.1.14 255.255.255.252
#
interface GigabitEthernet0/0/2.1
 dot1q termination vid 3
 ip address 10.77.1.13 255.255.255.252
 arp broadcast enable
#
ospf 1
 area 0.0.0.0
  network 10.58.1.2 0.0.0.0
  network 10.58.1.14 0.0.0.0
  network 10.77.1.13 0.0.0.0

<CR-NE40E-X3-A>dis cu
#
 sysname CR-NE40E-X3-A
#

interface GigabitEthernet0/0/0.1
 dot1q termination vid 2
 ip address 10.77.1.1 255.255.255.252
 arp broadcast enable
#
interface GigabitEthernet0/0/1
 ip address 10.58.1.5 255.255.255.252
#
interface GigabitEthernet0/0/2
 ip address 10.58.1.9 255.255.255.252
#
ospf 1
 area 0.0.0.0
  network 10.58.1.5 0.0.0.0
  network 10.58.1.9 0.0.0.0
  network 10.77.1.1 0.0.0.0

<CR-NE40E-X3-B>dis cu

 sysname CR-NE40E-X3-B
#
interface GigabitEthernet0/0/0.1
 dot1q termination vid 3
 ip address 10.77.1.5 255.255.255.252
 arp broadcast enable
#
interface GigabitEthernet0/0/1
 ip address 10.58.1.1 255.255.255.252
#
interface GigabitEthernet0/0/2
 ip address 10.58.1.10 255.255.255.252
#
ospf 1
 area 0.0.0.0
  network 10.58.1.1 0.0.0.0
  network 10.58.1.10 0.0.0.0
  network 10.77.1.5 0.0.0.0

<CE12808-1-2>dis cu
#
sysname CE12808-1-2
#
vlan batch 2 to 4094
#
interface Vlanif2
 ip address 10.77.1.2 255.255.255.252
#
interface Vlanif3
 ip address 10.77.1.6 255.255.255.252
#
interface Vlanif10
 ip address 172.16.1.1 255.255.255.0
#
interface Vlanif20
 ip address 172.16.2.1 255.255.255.0
#
interface Vlanif30
 ip address 172.16.3.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
ospf 1
 area 0.0.0.0
  network 10.77.1.2 0.0.0.0
  network 10.77.1.6 0.0.0.0
  network 172.16.1.1 0.0.0.0
  network 172.16.2.1 0.0.0.0
  network 172.16.3.1 0.0.0.0
#

3. Symptoms

     District/county terminals cannot reach the municipal data center. A ping test gives the following result:

 <S7706-1-2>ping -a  192.168.1.1  172.16.1.1
  PING 172.16.1.1: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 172.16.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

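Troubleshooting process

1. Reproduce the fault

   Ping the municipal data center addresses from the district/county S7706. The results are as follows: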

 <S7706-1-2>ping -a  192.168.1.1  172.16.1.1
  PING 172.16.1.1: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 172.16.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss


<S7706-1-2>ping -a 192.168.2.1 172.16.2.1

  PING 172.16.2.1: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 172.16.2.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

<S7706-1-2>ping -a 192.168.3.1 172.16.3.1
  PING 172.16.3.1: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 172.16.3.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

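The results above confirm that the fault exists.

2. For the district/county to reach the municipal data center, the S7706 must have routes to the data center. Check the routing table on the S7706: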

 <S7706-1-2>display  ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 21       Routes : 26      

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      10.58.1.0/30  OSPF    10   2           D   10.77.1.13      Vlanif3
      10.58.1.4/30  OSPF    10   2           D   10.77.1.9       Vlanif2
      10.58.1.8/30  OSPF    10   3           D   10.77.1.9       Vlanif2
                    OSPF    10   3           D   10.77.1.13      Vlanif3
     10.58.1.12/30  OSPF    10   2           D   10.77.1.9       Vlanif2
                    OSPF    10   2           D   10.77.1.13      Vlanif3
      10.77.1.0/30  OSPF    10   3           D   10.77.1.9       Vlanif2
      10.77.1.4/30  OSPF    10   3           D   10.77.1.13      Vlanif3

     172.16.1.0/24  OSPF    10   4           D   10.77.1.9       Vlanif2
                    OSPF    10   4           D   10.77.1.13      Vlanif3
     172.16.2.0/24  OSPF    10   4           D   10.77.1.9       Vlanif2
                    OSPF    10   4           D   10.77.1.13      Vlanif3
     172.16.3.0/24  OSPF    10   4           D   10.77.1.9       Vlanif2
                    OSPF    10   4           D   10.77.1.13      Vlanif3

......

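The output shows that the S7706 has routes to the municipal data center services, and that they are load-balanced.


3. On the S7706, trace the path toward the municipal data center to find the hop at which the problem occurs: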
 <S7706-1-2>tracert -a 192.168.3.1 172.16.3.1

 traceroute to  172.16.3.1(172.16.3.1), max hops: 30 ,packet length: 40,press CTRL_C to break

 1  * 10.77.1.13 40 ms  50 ms

 2 10.58.1.1 60 ms  50 ms  50 ms

 3 10.77.1.6 30 ms  *  *

<S7706-1-2>tracert -a 192.168.2.1 172.16.2.1

 traceroute to  172.16.2.1(172.16.2.1), max hops: 30 ,packet length: 40,press CTRL_C to break

 1  * 10.77.1.13 50 ms  40 ms

 2 10.58.1.1 30 ms  50 ms  50 ms

 3 10.77.1.6 60 ms  *  *

<S7706-1-2>tracert -a 192.168.1.1 172.16.1.1

 traceroute to  172.16.1.1(172.16.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break

 1  * 10.77.1.13 30 ms  50 ms

 2 10.58.1.1 50 ms  40 ms  30 ms

 3 10.77.1.6 50 ms  *  *

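The output shows that the first hop of the route toward the municipal bureau can reach AR2220-B, but none of the traces can reach AR2220-A. The preliminary judgment is therefore that either traffic destined for the municipal data center is filtered in the inbound direction on AR2220-A, or it is filtered in the outbound direction on the S7706. The next step is to check whether traffic filtering exists on AR2220-A and the S7706.

4. Check whether traffic filtering exists on AR2220-A and the S7706: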
 
 <S7706-1-2>display  traffic-policy applied-record
#
[S7706-1-2]display traffic-applied interface g0/0/2 outbound
[S7706-1-2]

[S7706-1-2]display traffic-applied interface g0/0/1 outbound
-----------------------------------------------------------
ACL applied outbound interface GigabitEthernet0/0/1

ACL 3000
 rule 5 deny ip destination 172.16.1.0 0.0.0.255
ACTIONS:
 filter
-----------------------------------------------------------

ACL 3000
 rule 10 deny ip destination 172.16.2.0 0.0.0.255
ACTIONS:
 filter
-----------------------------------------------------------

ACL 3000
 rule 15 deny ip destination 172.16.3.0 0.0.0.255
ACTIONS:
 filter
-----------------------------------------------------------

<BR-AR2220-A>display  traffic-policy applied-record
-------------------------------------------------

<BR-AR2220-A>display  traffic-filter applied-record
-----------------------------------------------------------
Interface                   Direction  AppliedRecord      
-----------------------------------------------------------
-----------------------------------------------------------


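As shown above, traffic filtering is indeed present on the S7706.

In summary, the fault is located on the S7706, where traffic destined for the municipal data center is filtered in the outbound direction.
The fix is to delete the traffic filtering policy on the S7706.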
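
The check in step 4 can also be run offline against a saved configuration. The following Python is an added example, not part of the original case or of any Huawei tool: it lists every interface `traffic-filter` binding whose ACL denies a given destination, using wildcard-mask matching. The names `parse`, `verdict` and `blocked` are hypothetical, only the `rule N permit|deny ip destination` form seen on this page is parsed, and traffic matching no rule is assumed to be forwarded.

```python
import ipaddress
import re

# Constructed sample: excerpt of the S7706 configuration shown on this page.
CONFIG = """\
acl number 3000
 rule 5 deny ip destination 172.16.1.0 0.0.0.255
 rule 10 deny ip destination 172.16.2.0 0.0.0.255
 rule 15 deny ip destination 172.16.3.0 0.0.0.255
#
interface GigabitEthernet0/0/1
 traffic-filter outbound acl 3000
#
interface GigabitEthernet0/0/2
"""
RULE = re.compile(r"\s+rule (\d+) (permit|deny) ip destination (\S+) (\S+)")
BIND = re.compile(r"\s+traffic-filter (inbound|outbound) acl (\d+)")

def ip_int(s):
    return int(ipaddress.ip_address(s))

def parse(config):
    """Return ({acl: [(rule_id, action, ip, wildcard)]}, [(iface, direction, acl)])."""
    acls, bindings, acl, iface = {}, [], None, None
    for line in config.splitlines():
        if m := re.match(r"acl number (\d+)", line):
            acl, iface = acls.setdefault(m[1], []), None
        elif m := re.match(r"interface (\S+)", line):
            acl, iface = None, m[1]
        elif line.startswith("#"):          # '#' closes the current section
            acl = iface = None
        elif acl is not None and (m := RULE.match(line)):
            acl.append((int(m[1]), m[2], ip_int(m[3]), ip_int(m[4])))
        elif iface and (m := BIND.match(line)):
            bindings.append((iface, m[1], m[2]))
    return acls, bindings

def verdict(rules, dest):
    """First match in rule-ID order wins; wildcard bits set to 1 are not compared."""
    for rule_id, action, ip, wildcard in sorted(rules):
        if ((ip_int(dest) ^ ip) & ~wildcard & 0xFFFFFFFF) == 0:
            return action, rule_id
    return "permit", None  # assumption: traffic matching no rule is forwarded

def blocked(config, dests):
    """(iface, direction, acl, rule_id, dest) for each destination a bound filter drops."""
    acls, bindings = parse(config)
    return [(iface, direction, acl, rid, d)
            for iface, direction, acl in bindings for d in dests
            for action, rid in [verdict(acls.get(acl, []), d)] if action == "deny"]
```

Calling `blocked(CONFIG, [...])` with the three data center gateway addresses from the ping tests reports GigabitEthernet0/0/1 outbound, ACL 3000, rules 5, 10 and 15.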






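Root cause

   The root cause of the fault is that the S7706 filters traffic destined for the municipal data center in the outbound direction.

Solution

The solution is to delete the traffic filtering that exists on the S7706.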
