Topology: two switches running M-LAG + VRRP, each single-homed to a pair of third-party firewalls running IRF + VRRP.
During testing of the third-party firewalls, a ping from the IRF standby firewall, sourced from the VRRP virtual address, to the real interface address of the M-LAG secondary switch failed. Pings initiated from the secondary switch to the firewall VRRP virtual address and to the firewall interface's real address both succeeded.
1. The site reproduced the fault: on the standby firewall, the ping was issued with the VRRP virtual address specified as the source and the real interface address of the secondary switch as the destination. The ARP entries on the firewall side were present and stable throughout.
2. With debugging ip packet, ip info and icmp enabled on the secondary switch, the switch can be seen receiving the corresponding ICMP echo requests, but it never sends a reply:
<FJFZ-MS-RADIUS-SW32>*Apr 28 20:48:32:870 2024 FJFZ-MS-RADIUS-SW32 IPFW/7/IPFW_PACKET:
Receiving, interface = Vlan-interface538, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 1052, offset = 0, ttl = 255, protocol = 1,
checksum = 37286, s = 172.23.102.217, d = 172.23.102.222
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet.
*Apr 28 20:48:32:870 2024 FJFZ-MS-RADIUS-SW32 IPFW/7/IPFW_PACKET:
Delivering, interface = Vlan-interface538, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 1052, offset = 0, ttl = 255, protocol = 1,
checksum = 37286, s = 172.23.102.217, d = 172.23.102.222
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: IP packet is delivering up.
*Apr 28 20:48:32:870 2024 FJFZ-MS-RADIUS-SW32 SOCKET/7/ICMP:
ICMP Input:
ICMP Packet: src = 172.23.102.217, dst = 172.23.102.222
type = 8, code = 0 (echo)
*Apr 28 20:48:34:840 2024 FJFZ-MS-RADIUS-SW32 IPFW/7/IPFW_PACKET:
Delivering, interface = Vlan-interface538, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 1081, offset = 0, ttl = 255, protocol = 1,
checksum = 37257, s = 172.23.102.217, d = 172.23.102.222
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: IP packet is delivering up.
*Apr 28 20:48:34:840 2024 FJFZ-MS-RADIUS-SW32 SOCKET/7/ICMP:
ICMP Input:
ICMP Packet: src = 172.23.102.217, dst = 172.23.102.222
type = 8, code = 0 (echo)
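The symptom in step 2 (echo requests delivered to the switch, no echo reply sent) is easy to miss in a long debugging session. The following Python parser is an added example, not part of the original case or of any vendor tool: it walks Comware-style "debugging icmp" output, pairs each received echo request (type 8) with an echo reply (type 0) sent back to the requester within a time window, and lists the requests that were never answered. The first two entries of the sample log are the case's own output from the M-LAG secondary; the last two entries (a healthy request/reply pair from a hypothetical host 172.23.102.218) are constructed, and the layout of the "ICMP Output" entry is an assumption rather than something shown on the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample. The first two entries are copied from the case's
# "debugging ip packet" / "debugging icmp" output on the M-LAG secondary
# (echo requests from the firewall VRRP VIP 172.23.102.217 to the switch
# interface address 172.23.102.222, never answered). The last two entries
# are a constructed, healthy request/reply pair from a hypothetical host
# 172.23.102.218; the "ICMP Output" layout is assumed, not taken from the page.
SAMPLE_LOG = """
<FJFZ-MS-RADIUS-SW32>*Apr 28 20:48:32:870 2024 FJFZ-MS-RADIUS-SW32 IPFW/7/IPFW_PACKET:
Receiving, interface = Vlan-interface538, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 1052, offset = 0, ttl = 255, protocol = 1,
checksum = 37286, s = 172.23.102.217, d = 172.23.102.222
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet.
*Apr 28 20:48:32:870 2024 FJFZ-MS-RADIUS-SW32 SOCKET/7/ICMP:
ICMP Input:
ICMP Packet: src = 172.23.102.217, dst = 172.23.102.222
type = 8, code = 0 (echo)
*Apr 28 20:48:34:840 2024 FJFZ-MS-RADIUS-SW32 SOCKET/7/ICMP:
ICMP Input:
ICMP Packet: src = 172.23.102.217, dst = 172.23.102.222
type = 8, code = 0 (echo)
*Apr 28 20:48:40:100 2024 FJFZ-MS-RADIUS-SW32 SOCKET/7/ICMP:
ICMP Input:
ICMP Packet: src = 172.23.102.218, dst = 172.23.102.222
type = 8, code = 0 (echo)
*Apr 28 20:48:40:101 2024 FJFZ-MS-RADIUS-SW32 SOCKET/7/ICMP:
ICMP Output:
ICMP Packet: src = 172.23.102.222, dst = 172.23.102.218
type = 0, code = 0 (echo-reply)
"""

# Log header: optional CLI prompt, then "*Mon DD HH:MM:SS:mmm YYYY sysname MODULE/LEVEL/MNEMONIC:"
HDR_RE = re.compile(r"^(?:<[^>]*>)?\*?[A-Z][a-z]{2} +\d{1,2} (\d{2}):(\d{2}):(\d{2}):(\d{3}) \d{4} ")
ICMP_DIR_RE = re.compile(r"^ICMP (Input|Output):")
ICMP_ADDR_RE = re.compile(r"src = (\S+), dst = (\S+)")
ICMP_TYPE_RE = re.compile(r"type = (\d+), code = (\d+)")


@dataclass
class IcmpEvent:
    t_ms: int        # milliseconds since midnight, taken from the log header
    direction: str   # "Input" (received by the switch) or "Output" (sent by it)
    src: str
    dst: str
    icmp_type: int


def parse_icmp_events(log_text: str) -> List[IcmpEvent]:
    """Collect ICMP Input/Output events with the timestamp of their log header."""
    events: List[IcmpEvent] = []
    cur_t: Optional[int] = None
    pending: Optional[dict] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HDR_RE.match(line)
        if m:
            h, mi, s, ms = (int(x) for x in m.groups())
            cur_t = ((h * 60 + mi) * 60 + s) * 1000 + ms
            pending = None
            continue
        m = ICMP_DIR_RE.match(line)
        if m and cur_t is not None:
            pending = {"direction": m.group(1), "t_ms": cur_t}
            continue
        if pending is None:
            continue                      # IPFW lines and prompts are not ICMP events
        m = ICMP_ADDR_RE.search(line)
        if m:
            pending["src"], pending["dst"] = m.group(1), m.group(2)
            continue
        m = ICMP_TYPE_RE.search(line)
        if m and "src" in pending:
            events.append(IcmpEvent(pending["t_ms"], pending["direction"],
                                    pending["src"], pending["dst"], int(m.group(1))))
            pending = None
    return events


def find_unanswered_echoes(log_text: str, window_ms: int = 1000) -> List[Tuple[int, str, str]]:
    """Return (t_ms, src, dst) for each received echo request (type 8) that is not
    followed, within window_ms, by an echo reply (type 0) with the addresses swapped."""
    events = parse_icmp_events(log_text)
    unanswered = []
    for i, req in enumerate(events):
        if req.direction != "Input" or req.icmp_type != 8:
            continue
        replied = any(
            ev.direction == "Output" and ev.icmp_type == 0
            and ev.src == req.dst and ev.dst == req.src
            and 0 <= ev.t_ms - req.t_ms <= window_ms
            for ev in events[i + 1:]
        )
        if not replied:
            unanswered.append((req.t_ms, req.src, req.dst))
    return unanswered


if __name__ == "__main__":
    for t_ms, src, dst in find_unanswered_echoes(SAMPLE_LOG):
        h, rem = divmod(t_ms, 3_600_000)
        mi, rem = divmod(rem, 60_000)
        s, ms = divmod(rem, 1000)
        print(f"{h:02d}:{mi:02d}:{s:02d}.{ms:03d}  echo {src} -> {dst}: no reply sent")
```

Run against the sample, the two requests from 172.23.102.217 are reported and the constructed pair from 172.23.102.218 is not. Timestamps are reduced to milliseconds since midnight, so a capture that crosses midnight needs the date folded in as well; the window is deliberately generous because the reply, when it exists, normally follows within the same millisecond.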
3. Checking the ARP table on the secondary switch at this point shows that the M-LAG secondary learned the ARP entry for the firewall VRRP virtual address via the peer-link, whereas the M-LAG primary learned it via its directly connected port 1/0/15. The forwarding path is therefore: the standby firewall pings the M-LAG secondary with the virtual address as source; the secondary switch receives the request and sends its reply over the peer-link to the M-LAG primary, which forwards it to the primary firewall. The firewall then sees the forward and return paths as inconsistent and drops the packet.
(ARP table screenshots, not reproduced here: on the M-LAG secondary, aggregation interface 1 is the peer-link and the entry for the VRRP virtual address points to it; on the M-LAG primary, the same entry points to the directly connected port.)
4. Why does the M-LAG secondary learn the entry via the peer-link? Only the VRRP master answers ARP requests for the virtual address. When the M-LAG switches broadcast an ARP request for the firewall VRRP virtual address, only the primary firewall, which is directly connected to the M-LAG primary, responds. The M-LAG secondary also receives the ARP broadcast and floods it to the standby firewall, but the VRRP backup does not answer. The M-LAG primary then encapsulates the ARP reply and passes it to the M-LAG secondary over the peer-link, which is why the secondary shows the entry as learned via the peer-link.
Under normal conditions this needs no attention. In this case, the M-LAG secondary receives the request and replies through the M-LAG primary; the firewall treats the forward and return paths as inconsistent and drops the packet.