因生成树阻塞端口导致VRRP异常

发布时间:  2016-10-12 浏览次数:  659 下载次数:  0
问题描述

说明:

1、SW1、SW2为汇聚交换机,两台交换机之间采用Eth-Trunk的方式互联并透传相应的VLAN;

2、SW3、SW4为接入交换机,分别通过双上行的方式连接到SW1和SW2,互联链路为Trunk链路,透传指定VLAN;

3、SW1、SW2上存在管理VLAN 10,业务VLAN 20、VLAN 21,SW1、SW2上部署VRRP,SW1为VRRP的master、SW2位VRRP的backup设备;

4、SW3上的管理VLAN为10、业务VLAN为20,下接所属VLAN 20的PC2,SW4上的管理VLAN为10、业务VLAN为21,下接所属VLAN 21的PC3。

故障:

1、SW1、SW2上vlanif20、vlanif21对应的VRRP状态都为Master;

2、当SW1的G0/0/1口down后PC2无法与网关通信。

处理过程

1、分别在SW1和SW2上通过命令display vrrp brief查看VRRP状态:

<SW1>dis vrrp br
VRID  State        Interface                Type     Virtual IP    
----------------------------------------------------------------
10    Master       Vlanif10                 Normal   10.10.10.3    
20    Master       Vlanif20                 Normal   20.20.20.3    
21    Master       Vlanif21                 Normal   21.21.21.3    
----------------------------------------------------------------
Total:3     Master:3     Backup:0     Non-active:0    

<SW2>display vrrp brief
VRID  State        Interface                Type     Virtual IP    
----------------------------------------------------------------
10    Backup       Vlanif10                 Normal   10.10.10.3    
20    Master       Vlanif20                 Normal   20.20.20.3    
21    Master       Vlanif21                 Normal   21.21.21.3    
----------------------------------------------------------------
Total:3     Master:2     Backup:1     Non-active:0    
<SW2>

发现Vlanif20、Vlanif21对应的VRRP状态均为Master。

2、在PC2上ping 20.20.20.3发现可以ping通

PC>ping 20.20.20.3

Ping 20.20.20.3: 32 data bytes, Press Ctrl_C to break
From 20.20.20.3: bytes=32 seq=1 ttl=255 time=422 ms
From 20.20.20.3: bytes=32 seq=2 ttl=255 time=62 ms
From 20.20.20.3: bytes=32 seq=3 ttl=255 time=63 ms
From 20.20.20.3: bytes=32 seq=4 ttl=255 time=31 ms
From 20.20.20.3: bytes=32 seq=5 ttl=255 time=47 ms

--- 20.20.20.3 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/125/422 ms

3、将SW1的G0/0/1 down掉发现PC2无法ping通20.20.20.3

PC>ping 20.20.20.3

Ping 20.20.20.3: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 20.20.20.3 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

4、分别在SW1和SW2上通过display vrrp interface vlanif检查vlanif20、vlanif21的VRRP信息:

SW1:

<SW1>dis vrrp interface Vlanif 20
  Vlanif20 | Virtual Router 20
    State : Master
    Virtual IP : 20.20.20.3
    Master IP : 20.20.20.1
    PriorityRun : 150
    PriorityConfig : 150
    MasterPriority : 150
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0114
    Check TTL : YES
    Config type : normal-vrrp
    Create time : 2016-10-12 08:55:13 UTC-08:00
    Last change time : 2016-10-12 10:06:57 UTC-08:00
<SW1>dis vrrp interface Vlanif 21
  Vlanif21 | Virtual Router 21
    State : Master
    Virtual IP : 21.21.21.3
    Master IP : 21.21.21.1
    PriorityRun : 150
    PriorityConfig : 150
    MasterPriority : 150
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0115
    Check TTL : YES
    Config type : normal-vrrp
    Create time : 2016-10-12 08:55:13 UTC-08:00
    Last change time : 2016-10-12 08:57:02 UTC-08:00
-----------------------------------------------------------

SW2:

<SW2>display vrrp interface Vlanif 20
  Vlanif20 | Virtual Router 20
    State : Master
    Virtual IP : 20.20.20.3
    Master IP : 20.20.20.2
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0114
    Check TTL : YES
    Config type : normal-vrrp
    Create time : 2016-10-12 09:26:15 UTC-08:00
    Last change time : 2016-10-12 09:26:19 UTC-08:00

<SW2>display vrrp interface Vlanif 21
  Vlanif21 | Virtual Router 21
    State : Master
    Virtual IP : 21.21.21.3
    Master IP : 21.21.21.2
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0115
    Check TTL : YES
    Config type : normal-vrrp
    Create time : 2016-10-12 09:33:34 UTC-08:00
    Last change time : 2016-10-12 09:33:37 UTC-08:00
-------------------------------------------------------------

通过以上信息得知VRRP配置没有问题。

5、通过display vrrp statistics分别在SW1和SW2上查看vlanif20、vlanif21的统计信息

SW1:

<SW1>display vrrp statistics
  Checksum errors : 0
   Version errors : 0
      Vrid errors : 0
     Other errors : 0
 Vlanif20 | Virtual Router 20
                            Transited to master : 2
                            Transited to backup : 2
                        Transited to initialize : 1
                        Received advertisements : 0
                            Sent advertisements : 12322
                  Advertisement interval errors : 0
                 Failed to authentication check : 0
                         Received ip ttl errors : 0
            Received packets with priority zero : 0
                Sent packets with priority zero : 1
                  Received invalid type packets : 0
        Received unmatched address list packets : 0
            Unknown authentication type packets : 0
                 Mismatched authentication type : 0
                           Packet length errors : 0
       Discarded packets since track admin-vrrp : 0
                     Received attacking packets : 0
                      Received selfsend packets : 0

Vlanif21 | Virtual Router 21
                            Transited to master : 2
                            Transited to backup : 2
                        Transited to initialize : 1
                        Received advertisements : 0
                            Sent advertisements : 12343
                  Advertisement interval errors : 0
                 Failed to authentication check : 0
                         Received ip ttl errors : 0
            Received packets with priority zero : 0
                Sent packets with priority zero : 1
                  Received invalid type packets : 0
        Received unmatched address list packets : 0
            Unknown authentication type packets : 0
                 Mismatched authentication type : 0
                           Packet length errors : 0
       Discarded packets since track admin-vrrp : 0
                     Received attacking packets : 0
                      Received selfsend packets : 0
----------------------------------------------------------

SW2:

<SW2>display vrrp statistics
  Checksum errors : 0
   Version errors : 0
      Vrid errors : 0
     Other errors : 0

 Vlanif20 | Virtual Router 20
                            Transited to master : 1
                            Transited to backup : 1
                        Transited to initialize : 0
                        Received advertisements : 0
                            Sent advertisements : 10753
                  Advertisement interval errors : 0
                 Failed to authentication check : 0
                         Received ip ttl errors : 0
            Received packets with priority zero : 0
                Sent packets with priority zero : 0
                  Received invalid type packets : 0
        Received unmatched address list packets : 0
            Unknown authentication type packets : 0
                 Mismatched authentication type : 0
                           Packet length errors : 0
       Discarded packets since track admin-vrrp : 0
                     Received attacking packets : 0
                      Received selfsend packets : 0

  Vlanif21 | Virtual Router 21
                            Transited to master : 1
                            Transited to backup : 1
                        Transited to initialize : 0
                        Received advertisements : 0
                            Sent advertisements : 10318
                  Advertisement interval errors : 0
                 Failed to authentication check : 0
                         Received ip ttl errors : 0
            Received packets with priority zero : 0
                Sent packets with priority zero : 0
                  Received invalid type packets : 0
        Received unmatched address list packets : 0
            Unknown authentication type packets : 0
                 Mismatched authentication type : 0
                           Packet length errors : 0
       Discarded packets since track admin-vrrp : 0
                     Received attacking packets : 0
                      Received selfsend packets : 0

-------------------------------------------------------

通过以上信息发现SW1和SW2的vlanif20和vlanif21只有发送的vrrp advertisements报文,没有有收到的vrrp advertisements。正常情况下SW2作为backup设备应该有收到的vrrp advertisements才正常,所以猜测是某种原因导致vrrp advertisements报文无法正常传递。

6、SW1与SW2之间传递vrrp advertisements报文的路径有SW1与SW2之间的互联的Eth-Trunk链路以及与接入交换机SW3、SW4之间的互联的二层链路。所以接下来检查这些互联链路的配置情况是否有误

<SW1>display current-configuration interface Eth-Trunk 1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10
<SW2>display current-configuration interface Eth-Trunk 1
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10
#
---------------------------------------------------------

SW1与SW2之间的互联链路只允许vlan 10通过,所以vlanif20与vlanif21的vrrp advertisements报文无法通过该链路传递。

<SW1>display current-configuration interface g0/0/1
#
interface GigabitEthernet0/0/1
 description TO-SW3
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return
<SW1>display current-configuration interface g0/0/2
#
interface GigabitEthernet0/0/2
 description TO-SW4
 port link-type trunk
 port trunk allow-pass vlan 10 21


<SW2>display current-configuration interface g0/0/1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 21
#
return
<SW2>display current-configuration interface g0/0/2
#
interface GigabitEthernet0/0/2
 description TO-SW3
 port link-type trunk
 port trunk allow-pass vlan 10 20

<SW3>display current-configuration interface e0/0/1
#
interface Ethernet0/0/1
 description TO-SW1
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
return
<SW3>display current-configuration interface e0/0/2
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20
#


[SW4]display current-configuration interface Ethernet 0/0/1
#
interface Ethernet0/0/1

description TO-SW2
 port link-type trunk
 port trunk allow-pass vlan 10 21
#
return
[SW4]display current-configuration interface Ethernet 0/0/2
#
interface Ethernet0/0/2
 description TO-SW1
 port link-type trunk
 port trunk allow-pass vlan 10 21
#
return

-------------------------------------------------------------

通过以上信息发现接入交换机与汇聚交换机SW1及SW2互联链路配置没问题,透传了相应的vlan,所以vlanif20与vlanif21的vrrp advertisements报文只能通过该互联链路传递。

7、由于接入交换机和汇聚交换机之间通过双上行组成了环形网络,所以网路中开启了MSTP来防止环路。由此推测可能是MSTP阻断了相应的接口道值vrrp advertisements报文无法传递。分别在SW3和SW4上通过display stp brief查看STP的端口阻塞情况。

<SW3>dis stp brief
 MSTID  Port                        Role  STP State     Protection
   0    Ethernet0/0/1               ROOT  FORWARDING      NONE
   0    Ethernet0/0/2               ALTE  DISCARDING      NONE
   0    Ethernet0/0/22              DESI  FORWARDING      NONE
<SW4>display stp br
 MSTID  Port                        Role  STP State     Protection
   0    Ethernet0/0/1               ALTE  DISCARDING      NONE
   0    Ethernet0/0/2               ROOT  FORWARDING      NONE
   0    Ethernet0/0/22              DESI  FORWARDING      NONE
--------------------------------------------------------------------

通过以上信息看到SW3的Ethernet0/0/2和SW4的Ethernet0/0/1口处于阻塞状态,由此使得vrrp advertisements无法传递,进而导致VRRP状态不正常。

8、由于该网络是环状网络所以不能关闭生成树协议,因此分别在SW1和SW2上的eth-trunk接口透传VLAN 20、VLAN 21解决vrrp advertisements传递的问题。按此设置后发现网络恢复正常。

 

 

 

 

 

根因
生成树协议阻断了VRRP报文传递的路径使得VRRP备份组中的设备无法进行正常的VRRP状态选举,导致VRRP故障的产生。
解决方案
针对以上情况可以在SW1与SW2之间互联的eth-trunk链路中透传VLAN 20、VLAN 21,使得vlanif20、vlanif21的vrrp advertisements报文能正常通过,又不影响生成树的使用。
建议与总结

在像本案例中存在环形的双上行链路的网络中使用VRRP一定要注意生成树协议对VRRP的影响,要注意在VRRP备份组中设备之间互联的二层链路上透传对应的vlan,以免导致VRRP报文无法传递。

END