
Ping Failure from a Directly Connected Firewall to an S9712 Switch Caused by a Switch Configuration Problem

Published: 2019-07-14  |  Views: 614  |  Downloads: 0  |  Author: s00356396  |  Document ID: EKB1000760988


Problem Description

1. Networking:

The distribution layer uses two high-performance routing switches (S9712). The uplinks and the interconnect between them both use 2×GE optical ports bundled across boards, and access switches are dual-homed over GE. A firewall is deployed at the egress so that traffic between this zone and the other functional zones is under security control. It is attached in side-hanging (one-armed) mode, with both its upstream and downstream links using 2×GE optical ports bundled across boards.

2. S9712 device information:

Version: V200R001C00SPC300

3. Symptom:

After the firewall upgrade was completed and an active/standby switchover was performed, the active firewall could not ping the switch.


Alarm Information

Troubleshooting Process

1. An active/standby firewall switchover test was performed first. After the standby firewall was switched to active, it could not ping the switch's virtual address; packet header analysis on the active firewall confirmed that the ping requests had been sent. On the active switch, traffic statistics matching ICMP packets showed that the ping requests from the active firewall were received, but no reply packets were sent out.
<NM1_LU_DS_01>dis traffic policy statistics interface Eth-Trunk 3 inbound
 Interface: Eth-Trunk3
Traffic policy inbound: test-in
Rule number: 1
Current status: OK!
---------------------------------------------------------------------
 Board : 8
Item                              Packets                       Bytes
---------------------------------------------------------------------
Matched                                 0                           0
  +--Passed                             0                           0
  +--Dropped                            0                           0
    +--Filter                           0                           0
    +--CAR                              0                           0
 Board : 9
Item                              Packets                       Bytes
---------------------------------------------------------------------
Matched                                 5                         510
  +--Passed                             5                         510
  +--Dropped                            0                           0
    +--Filter                           0                           0
    +--CAR                              0                           0
<NM1_LU_DS_01>dis traffic policy statistics interface Eth-Trunk 3 outbound
 Interface: Eth-Trunk3
 Traffic policy outbound: test-out
 Rule number: 1
 Current status: OK!
---------------------------------------------------------------------
 Board : 8
Item                              Packets                       Bytes
---------------------------------------------------------------------
Matched                                 0                           0
  +--Passed                             0                           0
  +--Dropped                            0                           0
    +--Filter                           0                           0
    +--CAR                              0                           0
 Board : 9
Item                              Packets                       Bytes
---------------------------------------------------------------------
Matched                                 0                           0
  +--Passed                             0                           0
  +--Dropped                            0                           0
    +--Filter                           0                           0
    +--CAR                              0                           0
2. On the active switch, the ARP entry for the firewall was learned on eth-trunk1 (the interconnect to the peer switch) and had not been refreshed to eth-trunk3, the interconnect to the active firewall.

<NM1_LU_DS_01>dis arp int vl 814
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                         VLAN/CEVLAN
------------------------------------------------------------------------------
11.139.69.217   cc53-XXXX-4895            I -         Vlanif814
11.139.69.221   0009-XXXX-3e59  13       D-0         Eth-Trunk1
                                          814/-
11.139.69.222   0000-XXXX-01fa  20        D-0         Eth-Trunk1
                                          814/-
------------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0     Interface:1

3. Traffic statistics matching ARP packets confirmed that the ARP packets sent by the active firewall were being received.
<NM1_LU_DS_01>dis traffic po stat int eth-3 i v r
 Interface: Eth-Trunk3
 Traffic policy inbound: test-in
 Rule number: 2
 Current status: OK!
---------------------------------------------------------------------
 Classifier: test-in operator or
 Behavior: test-in
 Board : 8
 rule 5 permit l2-protocol arp destination-mac ffff-ffff-ffff source-mac 0000-XXXX-01fa vlan-id 814
 Passed Packet                        26,Passed Bytes                     1,664
 Dropped Packet                        0,Dropped Bytes                        0
 rule 10 permit l2-protocol arp destination-mac cc53-XXXX-4895 source-mac 0000-XXXX-01fa vlan-id 814
 Passed Packet                         0,Passed Bytes                         0
 Dropped Packet                        0,Dropped Bytes                        0
 Board : 9
 rule 5 permit l2-protocol arp destination-mac ffff-XXXX-ffff source-mac 0000-XXXX-XXXX vlan-id 814
 Passed Packet                        36,Passed Bytes                     2,304
 Dropped Packet                        0,Dropped Bytes                        0
 rule 10 permit l2-protocol arp destination-mac cc53-XXXX-4895 source-mac 0000-XXXX-01fa vlan-id 814
 Passed Packet                         0,Passed Bytes                         0
 Dropped Packet                        0,Dropped Bytes                        0
4. ARP debugging showed that after receiving the gratuitous ARP from the firewall, the switch ran its ARP entry check and reported an attack.
Jul 10 2017 19:10:45.790.1+08:00 NM1_LU_DS_01 ARP/7/arp_rcv:Receive an ARP Packet,
operation : 1, sender_eth_addr : 0000-XXXX-01fa, sender_ip_addr :
11.XX.XX.222, target_eth_addr : 0000-XXXX-0000, target_ip_addr : 11.XX.XX.219
Jul 10 2017 19:10:45.790.2+08:00 NM1_LU_DS_01 ARP/7/arp_send:Send an ARP Packet,
operation : 2, sender_eth_addr : 0000-XXXX-01c9,sender_ip_addr : 11.XX.XX.219,
target_eth_addr : 0000-XXXX-01fa, target_ip_addr : 11.XX.XX.222
Jul 10 2017 19:10:46+08:00 NM1_LU_DS_01 SECE/4/ARP_ENTRY_CHECK:OID
1.3.6.1.4.1.2011.5.25.165.2.2.2.2 Arp entry attack.(SourceInterface=Eth-Trunk3,
SourceIP=11.XX.XX.222, SourceMAC=0000-XXXX-01fa, PVLAN=814, CVLAN=0)
5. The device was found to have the ARP entry fixing command configured. This command is intended for networks where IP addresses are statically configured, there are no redundant links, and a host with a given IP address never connects through different interfaces.
#
arp anti-attack entry-check fixed-all enable
#
6. After the ARP entry fixing command was removed, the active/standby firewall switchover test passed, and the ARP entry was correctly refreshed to the interconnect port facing the active firewall.
<NM1_LU_DS_01>dis arp int vl 814
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                         VLAN/CEVLAN
------------------------------------------------------------------------------
11.139.69.217   cc53-XXXX-4895            I -         Vlanif814
11.139.69.221   0009-XXXX-3e59  4        D-0         Eth-Trunk1
                                          814/-
11.139.69.220   0009-XXXX-3d2d  9        D-0         Eth-Trunk3
                                          814/-
11.139.69.222   0000-XXXX-01fa  13       D-0         Eth-Trunk3
                                          814/-
------------------------------------------------------------------------------
Total:4         Dynamic:3       Static:0     Interface:1
Root Cause

After the active firewall was upgraded and rebooted, services switched to the standby firewall and eth-trunk3, the interconnect between the aggregation active switch and the active firewall, went down. The aggregation active switch therefore learned the firewall's virtual address on eth-trunk1, its interconnect to the standby switch. When the standby firewall was then upgraded, rebooted and switched to active, the aggregation active switch's interconnect to the standby switch was still up. Because ARP entry fixing was configured, the gratuitous ARP sent by the active firewall to the active switch was judged an attack, and the firewall's ARP entry remained pinned to the interconnect to the standby switch. The entry could not be refreshed to eth-trunk3, the interconnect to the active firewall, so connectivity was lost.
It was learned that in the early days some users configured IP addresses arbitrarily. To stop this from affecting services, ARP entry fixing was configured at the time and was never removed afterwards.
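The following is an added example, not part of the original case, that models the root cause described above: how an ARP table under the fixed-all check treats a gratuitous ARP that arrives for an already-known IP from a different interface, compared with the fixed-mac mode and with the check disabled. The mode semantics are assumed from general knowledge of the feature, and the MAC address and alarm text are constructed.

```python
# Added example: a small model of "arp anti-attack entry-check" behaviour.
# Modes modelled (assumed semantics): "off" (plain learning), "fixed-mac"
# (MAC pinned, interface/VLAN may change) and "fixed-all" (MAC, interface
# and VLAN all pinned). The alarm string imitates the case's log, but is
# constructed here and is not real device output.
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    iface: str
    vlan: int


class ArpTable:
    def __init__(self, mode: str = "off"):
        self.mode = mode                      # "off", "fixed-mac" or "fixed-all"
        self.entries: dict[str, ArpEntry] = {}
        self.alarms: list[str] = []

    def receive(self, pkt: ArpEntry) -> bool:
        """Process an ARP for pkt.ip; return True if the entry was learned or refreshed."""
        old = self.entries.get(pkt.ip)
        if old is None:                       # first sighting is always learned
            self.entries[pkt.ip] = pkt
            return True
        if self.mode == "fixed-all":
            allowed = (pkt.mac, pkt.iface, pkt.vlan) == (old.mac, old.iface, old.vlan)
        elif self.mode == "fixed-mac":
            allowed = pkt.mac == old.mac      # same MAC may move between interfaces
        else:
            allowed = True
        if not allowed:                       # entry stays where it was; log an attack
            self.alarms.append(
                f"ARP_ENTRY_CHECK: Arp entry attack.(SourceInterface={pkt.iface}, "
                f"SourceIP={pkt.ip}, SourceMAC={pkt.mac}, PVLAN={pkt.vlan})")
            return False
        self.entries[pkt.ip] = pkt
        return True


def failover_scenario(mode: str) -> tuple[str, int]:
    """Replay the case: the firewall VIP is first learned via Eth-Trunk1 (the peer
    switch) while the firewall link is down, then the new active firewall sends a
    gratuitous ARP on Eth-Trunk3. Returns (interface the VIP ends up on, alarm count)."""
    table = ArpTable(mode)
    vip, fw_mac = "11.139.69.222", "0000-0000-01fa"   # MAC is constructed
    table.receive(ArpEntry(vip, fw_mac, "Eth-Trunk1", 814))  # learned via peer switch
    table.receive(ArpEntry(vip, fw_mac, "Eth-Trunk3", 814))  # gratuitous ARP from new active
    return table.entries[vip].iface, len(table.alarms)
```

With fixed-all the entry stays pinned to Eth-Trunk1 and an alarm is raised, which is exactly the state observed in step 2 and step 4 above.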
Solution

Remove the ARP entry fixing command:
undo arp anti-attack entry-check fixed-all enable

Suggestions and Summary

When configuring the ARP entry fixing command, note the following:

1. After ARP entry fixing is enabled, the function provided by the mac-address update arp command, whereby a MAC address refresh triggers an ARP entry refresh, no longer takes effect.
2. In send-ack mode, the device records information for at most 100 packets requesting ARP entry modification at the same time.
3. Running this command in the system view enables ARP entry fixing on all interfaces; running it in the interface view enables it only on the specified interface.
4. When the function is configured both globally and on a VLANIF interface, the configuration on the VLANIF interface takes precedence.