Fault: an S9712 switch configuration problem prevents a directly connected firewall from pinging the switch
Problem description
1. Network information:
The distribution layer uses two high-performance routing switches (S9712). Uplinks and interconnects all use 2×GE optical ports bundled across boards, and access switches are dual-homed over GE. A firewall is deployed at the egress to enforce security control on traffic between this zone and the other functional zones; it is attached in one-armed (side-hung) mode, with both its uplink and downlink using 2×GE optical ports bundled across boards.
2. S9712 device information:
Version: V200R001C00SPC300
3. Fault symptom:
After the firewall upgrade was completed and an active/standby switchover took place, the active firewall could no longer ping the switch.
Alarm information
None
Troubleshooting process
1. An active/standby firewall switchover test was performed first. After the standby firewall was switched to active, the active firewall could not ping the switch's virtual address; packet header analysis on the active firewall confirmed that the requests were actually sent. On the active switch, a traffic policy matching ICMP packets was used for statistics: the ping requests from the active firewall were received, but no reply packets were sent back.
<NM1_LU_DS_01>dis traffic policy statistics interface Eth-Trunk 3 inbound
Interface: Eth-Trunk3
Traffic policy inbound: test-in
Rule number: 1
Current status: OK!
---------------------------------------------------------------------
Board : 8
Item                 Packets          Bytes
---------------------------------------------------------------------
Matched              0                0
 +--Passed           0                0
 +--Dropped          0                0
   +--Filter         0                0
   +--CAR            0                0
Board : 9
Item                 Packets          Bytes
---------------------------------------------------------------------
Matched              5                510
 +--Passed           5                510
 +--Dropped          0                0
   +--Filter         0                0
   +--CAR            0                0
<NM1_LU_DS_01>dis traffic policy statistics interface Eth-Trunk 3 outbound
Interface: Eth-Trunk3
Traffic policy outbound: test-out
Rule number: 1
Current status: OK!
---------------------------------------------------------------------
Board : 8
Item                 Packets          Bytes
---------------------------------------------------------------------
Matched              0                0
 +--Passed           0                0
 +--Dropped          0                0
   +--Filter         0                0
   +--CAR            0                0
Board : 9
Item                 Packets          Bytes
---------------------------------------------------------------------
Matched              0                0
 +--Passed           0                0
 +--Dropped          0                0
   +--Filter         0                0
   +--CAR            0                0
2. On the active switch, the firewall's ARP entry was found to have been learned on the interconnect interface Eth-Trunk1 (toward the standby switch) and had not been refreshed onto Eth-Trunk3, the interconnect interface toward the active firewall.
<NM1_LU_DS_01>dis arp int vl 814
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
11.139.69.217   cc53-XXXX-4895            I -         Vlanif814
11.139.69.221   0009-XXXX-3e59  13        D-0         Eth-Trunk1
                                          814/-
11.139.69.222   0000-XXXX-01fa  20        D-0         Eth-Trunk1
                                          814/-
------------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0     Interface:1
3. A traffic policy matching ARP packets was used for statistics, and it showed that ARP packets sent by the active firewall were being received.
<NM1_LU_DS_01>dis traffic po stat int eth-3 i v r
Interface: Eth-Trunk3
Traffic policy inbound: test-in
Rule number: 2
Current status: OK!
---------------------------------------------------------------------
Classifier: test-in operator or
Behavior: test-in
Board : 8
rule 5 permit l2-protocol arp destination-mac ffff-ffff-ffff source-mac 0000-XXXX-01fa vlan-id 814
  Passed Packet 26,Passed Bytes 1,664
  Dropped Packet 0,Dropped Bytes 0
rule 10 permit l2-protocol arp destination-mac cc53-XXXX-4895 source-mac 0000-XXXX-01fa vlan-id 814
  Passed Packet 0,Passed Bytes 0
  Dropped Packet 0,Dropped Bytes 0
Board : 9
rule 5 permit l2-protocol arp destination-mac ffff-XXXX-ffff source-mac 0000-XXXX-XXXX vlan-id 814
  Passed Packet 36,Passed Bytes 2,304
  Dropped Packet 0,Dropped Bytes 0
rule 10 permit l2-protocol arp destination-mac cc53-XXXX-4895 source-mac 0000-XXXX-01fa vlan-id 814
  Passed Packet 0,Passed Bytes 0
  Dropped Packet 0,Dropped Bytes 0
4. ARP debugging showed that, after receiving the gratuitous ARP packets from the firewall, the switch ran its ARP entry check and reported an attack.
Jul 10 2017 19:10:45.790.1+08:00 NM1_LU_DS_01 ARP/7/arp_rcv:Receive an ARP Packet,
operation : 1, sender_eth_addr : 0000-XXXX-01fa, sender_ip_addr :
11.XX.XX.222, target_eth_addr : 0000-XXXX-0000, target_ip_addr : 11.XX.XX.219
Jul 10 2017 19:10:45.790.2+08:00 NM1_LU_DS_01 ARP/7/arp_send:Send an ARP Packet,
operation : 2, sender_eth_addr : 0000-XXXX-01c9,sender_ip_addr : 11.XX.XX.219,
target_eth_addr : 0000-XXXX-01fa, target_ip_addr : 11.XX.XX.222
Jul 10 2017 19:10:46+08:00 NM1_LU_DS_01 SECE/4/ARP_ENTRY_CHECK:OID
1.3.6.1.4.1.2011.5.25.165.2.2.2.2 Arp entry attack.(SourceInterface=Eth-Trunk3,
SourceIP=11.XX.XX.222, SourceMAC=0000-XXXX-01fa, PVLAN=814, CVLAN=0)
5. The configuration check showed that the ARP entry fixing command was present. This function is meant for scenarios where IP addresses are statically configured, the network has no redundant links, and a host with a given IP address never connects through different interfaces.
#
arp anti-attack entry-check fixed-all enable
#
6. After the ARP entry fixing command was deleted, the active/standby firewall switchover test passed, and the ARP entry was refreshed normally onto the interconnect interface toward the active firewall.
<NM1_LU_DS_01>dis arp int vl 814
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
11.139.69.217   cc53-XXXX-4895            I -         Vlanif814
11.139.69.221   0009-XXXX-3e59  4         D-0         Eth-Trunk1
                                          814/-
11.139.69.220   0009-XXXX-3d2d  9         D-0         Eth-Trunk3
                                          814/-
11.139.69.222   0000-XXXX-01fa  13        D-0         Eth-Trunk3
                                          814/-
------------------------------------------------------------------------------
Total:4         Dynamic:3       Static:0     Interface:1
Root cause
When the active firewall was upgraded and rebooted, service switched to the standby firewall. The interconnect interface Eth-Trunk3 between the active aggregation switch and the active firewall went down, and the active aggregation switch learned the firewall's virtual address on Eth-Trunk1, its interconnect toward the standby switch. When the standby firewall was then upgraded and rebooted and service switched back to the active firewall, the interconnect between the active and standby aggregation switches was still up. Because ARP entry fixing was configured on the switch, the gratuitous ARP sent by the active firewall to the active switch was judged to be an attack, and the firewall's ARP entry stayed fixed to the interconnect interface toward the standby switch. The entry could therefore not be refreshed onto Eth-Trunk3 toward the active firewall, and connectivity failed.
It was later learned that, at an earlier time, users had been configuring IP addresses arbitrarily. ARP entry fixing was configured then to stop this from affecting services, and it was never removed afterwards.
Solution
Delete the ARP entry fixing command.
undo arp anti-attack entry-check fixed-all enable
Suggestions and summary
When configuring ARP entry fixing, note the following:
1. After ARP entry fixing is enabled, the MAC-address-change-triggered ARP refresh provided by the mac-address update arp command no longer takes effect.
2. In send-ack mode, the device records information for at most 100 packets requesting ARP entry modification at any one time.
3. If this command is run in the system view, ARP entry fixing is enabled on all interfaces; if it is run in the interface view, it is enabled only on the specified interface.
4. If the function is configured both globally and on a VLANIF interface, the VLANIF interface configuration takes precedence.
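The following is an added illustration (not the switch's code or output) of the failure mode described in the root cause: a simplified model of the ARP entry check, replaying the failover with the page's masked firewall address. The fixed-all vs fixed-mac behaviour follows the documented semantics (fixed-all rejects any change in MAC, interface or VLAN; fixed-mac rejects only a MAC change); the table and alarm format are a modelling assumption, not VRP internals.

```python
from dataclasses import dataclass

@dataclass
class ArpEntry:
    mac: str
    interface: str
    vlan: int

class ArpTable:
    """Simplified model of ARP entry fixing on a switch."""

    def __init__(self, mode):
        assert mode in ("off", "fixed-mac", "fixed-all")
        self.mode = mode
        self.entries = {}
        self.alarms = []

    def receive(self, ip, mac, interface, vlan):
        """Process one (gratuitous or reply) ARP packet for ip."""
        old = self.entries.get(ip)
        new = ArpEntry(mac, interface, vlan)
        if old is None:
            self.entries[ip] = new
            return "learned"
        # fixed-all: any change in MAC, interface or VLAN is treated as attack.
        # fixed-mac: only a MAC change is; interface/VLAN may still refresh.
        if (self.mode == "fixed-all" and new != old) or \
           (self.mode == "fixed-mac" and new.mac != old.mac):
            self.alarms.append(f"ARP_ENTRY_CHECK: Arp entry attack."
                               f"(SourceInterface={interface}, SourceIP={ip},"
                               f" SourceMAC={mac}, PVLAN={vlan})")
            return "dropped"
        self.entries[ip] = new
        return "refreshed"

def simulate_failover(mode):
    """Replay the case: firewall VIP first seen via the standby-switch link,
    then the restored active firewall announces it on its own link."""
    table = ArpTable(mode)
    fw_vip, fw_mac = "11.139.69.222", "0000-XXXX-01fa"   # masked values from the case
    # Active FW down: VIP answered via the standby switch, learned on Eth-Trunk1.
    table.receive(fw_vip, fw_mac, "Eth-Trunk1", 814)
    # Active FW back: gratuitous ARP arrives directly on Eth-Trunk3.
    result = table.receive(fw_vip, fw_mac, "Eth-Trunk3", 814)
    return result, table.entries[fw_vip].interface, len(table.alarms)

if __name__ == "__main__":
    for mode in ("fixed-all", "fixed-mac", "off"):
        print(mode, simulate_failover(mode))
```

With fixed-all the entry stays pinned to Eth-Trunk1 and an alarm is raised, which is exactly why replies to the firewall's pings never reach it; with fixed-mac or no fixing the same MAC moving to Eth-Trunk3 is accepted.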