S9703与友商防火墙对接，直连不通

S9703 GE2/0/41接友商防火墙,直连不通

S9703 vlanif 1: 10.136.201.1

友商防火墙:10.136.201.221

1.查看S9703 ARP表项:

===============display arp===============
10.136.201.1    d494-e804-b182            I -         Vlanif1      //本端S9703上vlanif1 ARP表项：IP 10.136.201.1， MAC：d494-e804-b182
10.136.201.221  001c-5437-4407  17        D-0         GE2/0/41     //对方天融信ARP表项：IP 10.136.201.221，MAC：001c-5437-4407

2.流量统计:

[shpc-s9703]dis traffic policy statistics interface GigabitEthernet2/0/41 inbound

Interface: GigabitEthernet2/0/41
Traffic policy inbound: 10
Rule number: 2
Current status: OK!
Statistics interval: 300
---------------------------------------------------------------------
Board : 2
---------------------------------------------------------------------
Matched          |      Packets:                            10          //入方向匹配到10个包
|      Bytes:                           1,020
|      Rate(pps):                           0
|      Rate(bps):                           0
---------------------------------------------------------------------
Passed         |      Packets:                            10         //入方向转发10个包
|      Bytes:                           1,020
|      Rate(pps):                           0
|      Rate(bps):                           0
---------------------------------------------------------------------
Dropped        |      Packets:                             0
|      Bytes:                               0
|      Rate(pps):                           0
|      Rate(bps):                           0
---------------------------------------------------------------------
Filter       |      Packets:                             0
|      Bytes:                               0
---------------------------------------------------------------------
Car          |      Packets:                             0
|      Bytes:                               0
---------------------------------------------------------------------
[shpc-s9703]dis traffic policy statistics interface GigabitEthernet2/0/41 outbound

Interface: GigabitEthernet2/0/41
Traffic policy outbound: 10
Rule number: 2
Current status: OK!
Statistics interval: 300
---------------------------------------------------------------------
Board : 2
---------------------------------------------------------------------
Matched          |      Packets:                            10        //出方向匹配到10个包
|      Bytes:                           1,020
|      Rate(pps):                           0
|      Rate(bps):                           0
---------------------------------------------------------------------
Passed         |      Packets:                            10     //出方向转发10个包
|      Bytes:                           1,020
|      Rate(pps):                           0
|      Rate(bps):                           0
---------------------------------------------------------------------
Dropped        |      Packets:                             0
|      Bytes:                               0
|      Rate(pps):                           0
|      Rate(bps):                           0
---------------------------------------------------------------------
Filter       |      Packets:                             0
|      Bytes:                               0
---------------------------------------------------------------------
Car          |      Packets:                             0
|      Bytes:                               0
---------------------------------------------------------------------

流量统计结果没有问题，进出都有数据包。

3.报文头分析:

S9703到友商防火墙的ping request:源mac地址d494-e804-b182  //d494-e804-b182是vlanif 1接口mac

友商防火墙回包:目的mac地址d494-e804-b180    //d494-e804-b180是交换机的系统mac

友商防火墙回应的echo replay报文的mac地址不是交换机vlanif 1接口的mac地址。

防火墙回应的echo replay报文的mac地址不是交换机vlanif 1接口的mac地址。

防火墙带有一键扫描功能,但是扫描出来的mac地址是交换机的系统mac,根据扫描出来的结果做了IP MAC绑定,导致直连不通。