Communication is Abnormal Due to a Wrong MAC Address Learned from ARP

Publication Date:  2012-07-27 Views:  132 Downloads:  0
Issue Description
The network of a government customer is built as 6506 - MA5200F - LANSWITCH - PC. The MA5200F connects several enterprises, each of which sits in its own VLAN. Users within one enterprise must be able to communicate with each other, but two enterprises must not. Because each enterprise is in a single VLAN, two users under the same switch can communicate by having their traffic forwarded on the L2 LANSWITCH rather than through the MA5200F. To meet this requirement and demonstrate the function to the customer, three PCs were connected to three ports of the same LANSWITCH during initial data configuration: two PCs in one VLAN (VLAN 1) and one PC in another VLAN (VLAN 2). In the MA5200F data configuration the three PCs were divided into two user groups: the two PCs in the same VLAN form group 1 and the remaining PC forms group 2. The MA5200F was first configured to allow mutual access between group 1 and group 2, and that access worked normally. Mutual access between the groups was then disabled with the rule 2 user-user deny ip command on the MA5200F. Since packets between the two PCs in the same VLAN can be forwarded on the L2 switch, those two PCs were expected to still reach each other after this command. In fact, however, not only could users in different groups no longer access each other; the two PCs in the same VLAN could not access each other either.
Alarm Information
Handling Process
1) Checked the LANSWITCH data configuration through HGMP on the MA5200F: the VLAN configuration is normal and the ports connecting the PCs to the LANSWITCH are correct.
2) On the MA5200F, checked the online user information: all three users are online and are assigned to the correct groups. Checked the ACL configuration: it is in effect on the whole device and applies to the users.
3) Replaced the rule 2 user-user deny ip command with rule user-user deny ip source 1 destination 2 bidirectional. Users in different groups now cannot access each other, while users in the same group can.
4) Ran the ARP command (for example arp -a) on a PC: the MAC addresses it has learned for the other PCs are all the MAC address of the MA5200F. This is the reason the two PCs in the same VLAN cannot reach each other. Because the PCs send their traffic to the MA5200F's MAC address, all traffic between the PCs passes through the MA5200F and is subject to its user-user ACL instead of being switched at layer 2. With rule 2 user-user deny ip the MA5200F denies traffic between all user groups, so users in the same group are blocked as well.
5) The problem can be solved in either of two ways:
Method 1: Keep rule 2 user-user deny ip but add two permit rules ahead of it: rule 0 user-user permit ip source 1 destination 1 and rule 1 user-user permit ip source 2 destination 2. Traffic within a group is then permitted and only traffic between groups is denied.
Method 2: Disable the ARP proxy function of the port VLAN on the MA5200F by setting the ARP-PROXY attribute of the PORTVLAN with undo arp-proxy in the port VLAN view ([MA5200F-ethernet-1-vlan1-1] undo arp-proxy). Users then learn the real MAC addresses of other users in the same VLAN and their traffic is forwarded on the L2 switch.
The PCs learn the MAC address of the MA5200F because, when a PC sends an ARP request, the first reply it receives comes from the MA5200F acting as ARP proxy, not from the target PC.
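The following is an added example, not code from the MA5200F or from the original case. It automates the check from step 4 (which on-link hosts in a PC's ARP table resolve to the gateway's MAC, the signature of proxy ARP) and models the three user-user ACL rule sets discussed above (the deny-all rule, the workaround from step 3 and Method 1) so the effect of rule ordering can be tested. The arp -a sample, the addresses, the /24 per VLAN, the rule number for the bidirectional rule, and the first-match-in-rule-number-order / implicit-permit semantics of the ACL model are all assumptions made for this example.

```python
"""Two checks from the handling process above: spot proxy-ARP MAC learning
in a PC's ARP table, and test the user-user ACL rule sets.

Added example, not code from the MA5200F or its documentation. The
"arp -a" sample, the addresses and the ACL rule model are constructed;
first-match in rule-number order and implicit permit are assumptions.
"""
import ipaddress
import re

# Constructed sample of Windows "arp -a" output as seen on PC1 (10.0.1.11,
# VLAN 1). 10.0.1.1 is the MA5200F gateway, 10.0.1.12 is PC2 in the same
# VLAN, 10.0.2.21 is PC3 in VLAN 2. Note that PC2 resolves to the gateway MAC.
SAMPLE_ARP_OUTPUT = """\
Interface: 10.0.1.11 --- 0x2
  Internet Address      Physical Address      Type
  10.0.1.1              00-e0-fc-00-00-01     dynamic
  10.0.1.12             00-e0-fc-00-00-01     dynamic
  10.0.2.21             00-e0-fc-00-00-01     dynamic
  10.0.1.255            ff-ff-ff-ff-ff-ff     static
"""

ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+\w+"
)


def parse_arp_table(text):
    """Map IP -> normalised MAC ("aa-bb-..") for each entry in arp -a output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace(":", "-")
    return table


def find_proxied_peers(text, local_ip, gateway_ip, prefix_len=24):
    """Return on-link hosts whose MAC equals the gateway's MAC.

    A host in the PC's own subnet that resolves to the gateway MAC is being
    answered by proxy ARP, so traffic to it goes through the MA5200F instead
    of being switched at layer 2. The gateway itself and the broadcast
    address are skipped. prefix_len is an assumed /24 per VLAN.
    """
    table = parse_arp_table(text)
    gateway_mac = table.get(gateway_ip)
    if gateway_mac is None:
        return []
    net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    flagged = []
    for ip, mac in table.items():
        addr = ipaddress.ip_address(ip)
        if ip == gateway_ip or addr not in net or addr == net.broadcast_address:
            continue
        if mac == gateway_mac:
            flagged.append(ip)
    return sorted(flagged)


# User-user ACL model. A rule is (number, action, src_group, dst_group,
# bidirectional); None matches any group. Rules are evaluated in ascending
# number order and the first match wins; with no match the traffic is
# permitted. Both are assumptions for this example, not documented behaviour.
def acl_verdict(rules, src_group, dst_group):
    for _num, action, src, dst, bidir in sorted(rules, key=lambda r: r[0]):
        forward = (src is None or src == src_group) and (dst is None or dst == dst_group)
        reverse = bidir and (src is None or src == dst_group) and (dst is None or dst == src_group)
        if forward or reverse:
            return action
    return "permit"


# rule 2 user-user deny ip  (denies everything, including intra-group traffic)
DENY_ALL_ACL = [(2, "deny", None, None, False)]

# rule 0/1 permit intra-group traffic, rule 2 denies the rest (Method 1)
FIXED_ACL = [
    (0, "permit", 1, 1, False),
    (1, "permit", 2, 2, False),
    (2, "deny", None, None, False),
]

# rule user-user deny ip source 1 destination 2 bidirectional (step 3);
# the case gives it no rule number, 2 is assumed here
WORKAROUND_ACL = [(2, "deny", 1, 2, True)]


if __name__ == "__main__":
    print("proxied peers:", find_proxied_peers(SAMPLE_ARP_OUTPUT, "10.0.1.11", "10.0.1.1"))
    for name, acl in [("deny-all", DENY_ALL_ACL), ("fixed", FIXED_ACL), ("workaround", WORKAROUND_ACL)]:
        print(name, {pair: acl_verdict(acl, *pair) for pair in [(1, 1), (2, 2), (1, 2), (2, 1)]})
```

On the sample table only 10.0.1.12 (PC2, same VLAN) is flagged: 10.0.2.21 is off-link, so resolving it to the gateway MAC is normal routing, not proxy ARP. The ACL model shows why Method 1 works: with the deny-all rule alone, group 1 to group 1 is denied, while the rule set with the two lower-numbered permits returns permit for intra-group pairs and deny for inter-group pairs in both directions.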
Root Cause
Three possible causes were considered: 1) faulty VLAN configuration on the L2 switch; 2) faulty data configuration on the MA5200F; 3) faulty PC configuration. The checks in the Handling Process rule out 1) and 3). The actual cause is 2): the ARP proxy function is enabled on the MA5200F port VLAN, so the PCs learn the MA5200F's MAC address for each other, intra-VLAN traffic is forwarded through the MA5200F instead of the L2 switch, and the rule 2 user-user deny ip command blocks it.