show fib shows the following abnormal entries:
Destination/Mask Nexthop Flag OutInterface/Token Label
223.5.5.5/32 223.5.5.5 UH Vlan1 Null
Sometimes there are also entries with Destination/Mask 223.6.6.6/32 or 8.8.8.8/32; everything else is the same.
223.5.5.5, 223.6.6.6 and 8.8.8.8 are all public DNS servers. With OutInterface set to Vlan1, DNS resolution fails and we lose Internet access.
Neither show current-config nor show ip routing-table has any entry related to these addresses, so I suspect the FIB entries are generated automatically from some message the router received.
These addresses are configured on our internal DHCP server (connected via Vlan1); could it be that the MSR860 is wrongly accepting DHCP broadcasts and generating the FIB entries from them?
Is this guess reasonable? And how can this be prevented?
Also, is there a way to clear the FIB? Right now, once the FIB entries above appear, the only option is to reboot the router, but after a while they show up again :/
(0)
Post your config and let's take a look.
(0)
Sorry, I had meant to move the answer below up here, but all the formatting was lost and I can't edit it any more :/ Please see the answer below instead.
Pinging the other DNS servers works; pinging a DNS server that has a bad FIB entry fails even when I specify the outgoing interface.
Also, we have two lines doing load sharing, so using only one public uplink is not a long-term option.
I just moved the internal traffic over to another edge router; after rebooting the MSR860, the bad FIB entries have not reappeared for quite a while (it is still connected to the internal network).
There are probably two sides to this problem: one is that some software/device on our internal network is generating unknown messages, the other is how the MSR860 reacts to those messages (by generating bad FIB entries).
From the MSR860 side, under what circumstances does it generate FIB entries like this? Is there any configuration option that stops this behaviour? Once we know that, we can go on to monitor the internal traffic and find out which message/software/device is causing it.
It looks like this was caused by some abnormal traffic on the internal network.
Our topology is roughly (can't paste a diagram):
LAN (192.168.0.0/16) -> WS5800 (layer-3 switch) -> MSR860 -> WAN1 + WAN2
The bad FIB entries on the MSR860 set the outgoing interface for the public DNS server addresses to Vlan1, which connects to the WS5800.
Since no such route is configured, my guess is that packets with a public DNS server as source address (DNS replies) were entering the MSR860 from Vlan1, and because the "hold interface last hop" feature (ip last-hop hold) is enabled (WAN1+WAN2 link load balancing needs it), the bad FIB entries were generated.
I set an ACL on the WS5800 egress interface that drops outbound packets whose source address is not in 192.168.0.0/16.
After watching for a while, the bad FIB entries no longer appear on the MSR860, and the WS5800 ACL has matching drop records.
As for how this abnormal traffic is produced: the ACL drop records correlate in time with a VPN mesh/NAT-traversal tool called easy-tier that is used on our internal network.
My guess is that easy-tier leaked VPN addresses (10.0.0.0/8) into the LAN, causing the WS5800 to forward them abnormally.
But packet captures based on that guess didn't give conclusive evidence; I'm not going to dig further :P
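The check behind the post above (FIB host entries that no configured route explains) and the switch-side anti-spoofing ACL it describes, as an added example; this is not code from the thread or from H3C. It parses constructed, trimmed copies of the show ip routing-table and show fib output from the thread (the masked IP1.XX.XX.* WAN addresses are replaced with 198.51.100.x documentation addresses, and an 8.8.8.8/32 entry is added to mirror the original question). A host entry (flag H) on Vlan1 is flagged when the longest-matching route for that address is the default route or points at another interface; on the thread's own FIB this flags 223.5.5.5/32 and also 192.168.150.104/32, which the routing table does not cover either. The ACL builder emits Comware basic-ACL lines in the same form as the acl basic 2909 block in the config, one permit per prefix routed via Vlan1 instead of the single 192.168.0.0/16 rule the poster used; the interface names, the ACL number 2000, and applying it with packet-filter outbound on the WS5800 port toward the MSR860 are assumptions.

```python
"""Spot FIB host entries that no configured route explains, and build the
switch-side anti-spoofing ACL from the routes that do exist.

Added example, not code from the thread or from H3C. The samples below are a
constructed, trimmed copy of the thread's 'show ip routing-table' / 'show fib'
(masked IP1.XX.XX.* WAN addresses replaced by 198.51.100.x).
"""
import ipaddress
from dataclasses import dataclass

ROUTING_TABLE = """\
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 198.51.100.66 GE0/0
198.51.100.64/30 Direct 0 0 198.51.100.65 GE0/0
192.168.5.0/24 Direct 0 0 192.168.5.103 Vlan1
192.168.20.0/24 Static 60 0 192.168.5.2 Vlan1
192.168.180.0/24 Static 60 0 192.168.5.2 Vlan1
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
"""

FIB = """\
Destination/Mask Nexthop Flag OutInterface/Token Label
0.0.0.0/0 198.51.100.66 USG GE0/0 Null
192.168.5.0/24 192.168.5.103 U Vlan1 Null
192.168.5.2/32 192.168.5.2 UH Vlan1 Null
192.168.5.103/32 127.0.0.1 UH InLoop0 Null
192.168.5.255/32 192.168.5.103 UBH Vlan1 Null
192.168.20.0/24 192.168.5.2 USG Vlan1 Null
192.168.20.3/32 192.168.20.3 UH Vlan1 Null
192.168.150.104/32 192.168.150.104 UH Vlan1 Null
223.5.5.5/32 223.5.5.5 UH Vlan1 Null
8.8.8.8/32 8.8.8.8 UH Vlan1 Null
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network
    nexthop: str
    flags: str
    interface: str


def _prefix(token: str):
    """IPv4 prefix in a table cell, or None for header/banner text."""
    try:
        return ipaddress.IPv4Network(token, strict=False)
    except ValueError:
        return None


def parse_routing_table(text: str) -> list[Route]:
    """Rows: Destination/Mask Proto Pre Cost NextHop Interface."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and (p := _prefix(parts[0])) is not None:
            routes.append(Route(p, parts[5]))
    return routes


def parse_fib(text: str) -> list[FibEntry]:
    """Rows: Destination/Mask Nexthop Flag OutInterface/Token Label."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and (p := _prefix(parts[0])) is not None:
            entries.append(FibEntry(p, parts[1], parts[2], parts[3]))
    return entries


def longest_match(routes, address):
    """Plain longest-prefix match over the parsed routing table."""
    best = None
    for r in routes:
        if address in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def rogue_host_entries(fib, routes, lan_interface):
    """Host (H) entries on the LAN interface that the routing table does not justify:
    a learned host is legitimate only if its longest-matching route is itself via the
    LAN interface and is not the default route. 223.5.5.5/32 via Vlan1 fails this
    because its best route is 0.0.0.0/0 via GE0/0."""
    rogue = []
    for e in fib:
        if "H" not in e.flags or "B" in e.flags or e.interface != lan_interface:
            continue  # prefix/gateway entries, subnet-broadcast blackholes, other interfaces
        best = longest_match(routes, e.prefix.network_address)
        if best is None or best.prefix.prefixlen == 0 or best.interface != lan_interface:
            rogue.append(e)
    return rogue


def comware_antispoof_acl(routes, lan_interface, acl_number=2000):
    """Comware basic (source-only) ACL permitting just the prefixes routed via the LAN
    interface, then deny; Comware rules take wildcard masks (host bits set).
    ACL number and rule numbering are assumptions for this example."""
    lan = sorted((r for r in routes if r.interface == lan_interface),
                 key=lambda r: (r.prefix.network_address, r.prefix.prefixlen))
    lines = [f"acl basic {acl_number}"]
    for seq, r in enumerate(lan):
        lines.append(f" rule {seq * 5} permit source {r.prefix.network_address} {r.prefix.hostmask}")
    lines.append(f" rule {len(lan) * 5} deny")
    return lines


def main():
    routes = parse_routing_table(ROUTING_TABLE)
    for e in rogue_host_entries(parse_fib(FIB), routes, "Vlan1"):
        print(f"unexplained host entry: {e.prefix} via {e.interface} (flags {e.flags})")
    print("\n".join(comware_antispoof_acl(routes, "Vlan1")))


if __name__ == "__main__":
    main()
```

Run it periodically against fresh show fib / show ip routing-table captures and you get the monitoring the second post asks for without waiting for DNS to break; the ACL half only mirrors the fix on the switch, so a rogue entry that still appears afterwards means spoofed-source traffic is reaching Vlan1 by a path the ACL does not cover.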
Thanks.
See below, including show current-config, show ip routing-table, show fib, and a few ping results;
Your login failures since the last successful login:
Sat Jan 1 08:02:45 2011
Last successfully login time: Wed Feb 5 15:35:37 2025
******************************************************************************
* Copyright (c) 2004-2023 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<H3C>show cu
<H3C>show current-configuration
#
version 7.1.064, Release 6749P21
#
sysname H3C
#
clock timezone Beijing add 08:00:00
clock protocol ntp
#
wlan global-configuration
#
telnet server acl 2909
#
security-zone intra-zone default permit
#
track 1022 nqa entry ge0/2 1 reaction 1
#
track 1023 nqa entry ge0/0 1 reaction 1
#
dialer-group 2 rule ip permit
dialer-group 3 rule ip permit
#
ip load-sharing mode per-flow src-ip global
#
bandwidth-based-sharing
#
dhcp server always-broadcast
#
dns proxy enable
#
lldp global enable
#
system-working-mode standard
password-recovery enable
#
vlan 1
#
object-group ip address _manage_group_
0 network range 192.168.5.0 192.168.5.255
10 network range 192.168.20.0 192.168.20.255
20 network range 192.168.180.0 192.168.180.255
#
object-group ip address _web_manageHttp_group_
0 network range 192.168.0.0 192.168.255.255
#
nqa entry ge0/0 1
type icmp-echo
destination ip IP1.XX.XX.66
frequency 10000
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa entry ge0/1 1
type icmp-echo
destination ip 100.72.128.1
frequency 10000
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa entry ge0/2 1
type icmp-echo
destination ip IP2.XX.0.1
frequency 10000
out interface Dialer2
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa schedule ge0/1 1 start-time now lifetime forever
nqa schedule ge0/2 1 start-time now lifetime forever
#
wlan service-template h3c
ssid H3C
service-template enable
#
wlan service-template h3c_5g
ssid H3C_5G
service-template enable
#
controller Cellular0/0
#
interface Dialer0
mtu 1492
tcp mss 1280
#
interface Dialer2
bandwidth 200000
mtu 1492
ppp chap password cipher XXXX
ppp chap user XXXX
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user XXXX password cipher XXXX
dialer bundle enable
dialer-group 3
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
tcp mss 1280
ip last-hop hold
nat outbound
#
interface Dialer3
#
interface Dialer4
#
interface Dialer5
#
interface Dialer6
#
interface Dialer7
#
interface Dialer8
#
interface Dialer1023
#
interface NULL0
#
interface Vlan-interface1
description LAN-interface
ip address 192.168.5.103 255.255.255.0
tcp mss 1280
nat hairpin enable
undo dhcp select server
ip subscriber l2-connected enable
ip subscriber initiator dhcp enable
ip subscriber initiator unclassified-ip enable
ip subscriber dhcp domain ipoeenabledomain
ip subscriber unclassified-ip domain ipoeenabledomain
#
interface GigabitEthernet0/0
port link-mode route
description Double_Line1
bandwidth 100000
combo enable copper
ip address IP1.XX.XX.65 255.255.255.252
dns server 202.101.98.55
tcp mss 1280
ip last-hop hold
nat outbound
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode route
description Double_Line2
ip last-hop hold
pppoe-client dial-bundle-number 2
#
interface GigabitEthernet0/3
port link-mode bridge
#
interface GigabitEthernet0/4
port link-mode bridge
#
interface GigabitEthernet0/5
port link-mode bridge
#
scheduler logfile size 16
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ip route-static 0.0.0.0 0 GigabitEthernet0/0 IP1.XX.XX.66 track 1023
ip route-static 0.0.0.0 0 Dialer2 track 1022
ip route-static IP2.XX.0.1 32 Dialer2 description NqaTrack
ip route-static IP1.XX.XX.66 32 GigabitEthernet0/0
ip route-static 192.168.20.0 24 Vlan-interface1 192.168.5.2
ip route-static 192.168.22.0 24 Vlan-interface1 192.168.5.2
ip route-static 192.168.25.0 24 Vlan-interface1 192.168.5.2
ip route-static 192.168.122.0 24 Vlan-interface1 192.168.5.2
ip route-static 192.168.180.0 24 Vlan-interface1 192.168.5.2
ip route-static 192.168.190.0 24 Vlan-interface1 192.168.5.2
ip route-static 192.168.250.0 24 Vlan-interface1 192.168.5.2
#
performance-management
#
ssh server enable
ssh user admin service-type all authentication-type password
ssh server acl 2909
#
time-range all-time 00:00 to 24:00 daily
#
ntp-service enable
ntp-service unicast-server 202.112.29.82
#
acl basic 2909
rule 10 permit source object-group _manage_group_
#
acl basic name web_manageHttp_acl
rule 0 permit source object-group _web_manageHttp_group_
rule 65534 deny
#
password-control enable
undo password-control aging enable
undo password-control history enable
password-control length 6
password-control login-attempt 3 exceed lock-time 10
password-control update-interval 0
password-control login idle-time 0
#
domain ipoeenabledomain
authorization-attribute idle-cut 5 1
authentication ipoe none
authorization ipoe none
accounting ipoe none
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
service-type ssh telnet http https
authorization-attribute user-role network-admin
#
security-enhanced level 1
#
ssl version gm-tls1.1 disable
undo ssl renegotiation disable
undo ssl version ssl3.0 disable
undo ssl version tls1.0 disable
undo ssl version tls1.1 disable
undo ssl version tls1.2 disable
undo ssl version tls1.3 disable
#
session statistics enable
#
connection-limit apply global policy 32
#
netconf soap http enable
#
ip http acl name web_manageHttp_acl
ip https acl name web_manageHttp_acl
ip https enable
web new-style
#
url-filter category custom severity 65535
#
wlan auto-ap enable
#
wlan ap-group default-group
vlan 1
ap-model WA2610H
radio 1
radio enable
service-template h3c
ethernet 1
ethernet 2
ethernet 3
ap-model WA2610H-LI
radio 1
radio enable
service-template h3c
ethernet 1
ethernet 2
ethernet 3
ap-model WA4320-ACN-C
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
ap-model WA4320-ACN-D
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
ap-model WA4320-ACN-E
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
ap-model WA4320H
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
gigabitethernet 4
gigabitethernet 5
ap-model WA4320H-SI
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
ethernet 1
ethernet 2
ethernet 3
ap-model WA4320i-X
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
ap-model WA5320
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
ap-model WA5320-C
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
ap-model WA5320-C-EI
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
ap-model WA5320-C-IOT
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
ap-model WA5320-D
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
ap-model WA5320H
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
gigabitethernet 4
ap-model WA5320H-LI
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
gigabitethernet 4
gigabitethernet 5
ap-model WA5320X
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
ap-model WA5320X-E
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
ap-model WA5320X-LI
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
ap-model WA5320X-SI
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
ap-model WA5320i-LI
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
ap-model WA5530
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c_5g
radio 3
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
ap-model WA5530-LI
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c_5g
radio 3
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
ap-model WA5530S
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c_5g
radio 3
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
ap-model WA6320-C
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
ap-model WA6320-D
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
ap-model WA6320H-LI
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
gigabitethernet 4
gigabitethernet 5
ap-model WA6330-LI
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c_5g
radio 3
radio enable
service-template h3c
gigabitethernet 1
smartrate-ethernet 1
ap-model WA6520S-C
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
ap-model WA6520S-E
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
ap-model WA6522H-LI
radio 1
radio enable
service-template h3c_5g
radio 2
radio enable
service-template h3c
gigabitethernet 1
gigabitethernet 2
gigabitethernet 3
#
traffic-policy
rule 1 name web_AppTraffRank
application app http
#
dac log-collect service dpi traffic enable
dac traffic-statistic application enable
#
dac storage service dpi traffic limit hold-time 1
dac storage service traffic limit hold-time 1
#
return
<H3C>
<H3C>show ip ro
<H3C>show ip routing-table
Destinations : 22 Routes : 22
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 IP1.XX.XX.66 GE0/0
0.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
IP1.XX.XX.64/30 Direct 0 0 IP1.XX.XX.65 GE0/0
IP1.XX.XX.65/32 Direct 0 0 127.0.0.1 InLoop0
IP1.XX.XX.66/32 Static 60 0 0.0.0.0 GE0/0
IP1.XX.XX.67/32 Direct 0 0 IP1.XX.XX.65 GE0/0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
192.168.5.0/24 Direct 0 0 192.168.5.103 Vlan1
192.168.5.103/32 Direct 0 0 127.0.0.1 InLoop0
192.168.5.255/32 Direct 0 0 192.168.5.103 Vlan1
192.168.20.0/24 Static 60 0 192.168.5.2 Vlan1
192.168.22.0/24 Static 60 0 192.168.5.2 Vlan1
192.168.25.0/24 Static 60 0 192.168.5.2 Vlan1
192.168.122.0/24 Static 60 0 192.168.5.2 Vlan1
192.168.180.0/24 Static 60 0 192.168.5.2 Vlan1
192.168.190.0/24 Static 60 0 192.168.5.2 Vlan1
192.168.250.0/24 Static 60 0 192.168.5.2 Vlan1
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
<H3C>
<H3C>show fib
Route destination count: 20
Directly-connected host count: 87
Flag:
U:Usable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Relay F:FRR
Destination/Mask Nexthop Flag OutInterface/Token Label
0.0.0.0/0 IP1.XX.XX.66 USG GE0/0 Null
0.0.0.0/32 127.0.0.1 UH InLoop0 Null
IP1.XX.XX.64/30 IP1.XX.XX.65 U GE0/0 Null
IP1.XX.XX.65/32 127.0.0.1 UH InLoop0 Null
IP1.XX.XX.66/32 0.0.0.0 USH GE0/0 Null
IP1.XX.XX.66/32 IP1.XX.XX.66 H GE0/0 Null
IP1.XX.XX.67/32 IP1.XX.XX.65 UBH GE0/0 Null
127.0.0.0/8 127.0.0.1 U InLoop0 Null
127.0.0.1/32 127.0.0.1 UH InLoop0 Null
127.255.255.255/32 127.0.0.1 UH InLoop0 Null
192.168.5.0/24 192.168.5.103 U Vlan1 Null
192.168.5.2/32 192.168.5.2 UH Vlan1 Null
192.168.5.8/32 192.168.5.8 UH Vlan1 Null
192.168.5.103/32 127.0.0.1 UH InLoop0 Null
192.168.5.151/32 192.168.5.151 UH Vlan1 Null
192.168.5.152/32 192.168.5.152 UH Vlan1 Null
192.168.5.255/32 192.168.5.103 UBH Vlan1 Null
192.168.20.0/24 192.168.5.2 USG Vlan1 Null
192.168.20.3/32 192.168.20.3 UH Vlan1 Null
192.168.20.8/32 192.168.20.8 UH Vlan1 Null
192.168.20.16/32 192.168.20.16 UH Vlan1 Null
192.168.20.36/32 192.168.20.36 UH Vlan1 Null
192.168.20.43/32 192.168.20.43 UH Vlan1 Null
192.168.20.44/32 192.168.20.44 UH Vlan1 Null
192.168.20.47/32 192.168.20.47 UH Vlan1 Null
192.168.20.49/32 192.168.20.49 UH Vlan1 Null
192.168.20.52/32 192.168.20.52 UH Vlan1 Null
192.168.20.53/32 192.168.20.53 UH Vlan1 Null
192.168.20.55/32 192.168.20.55 UH Vlan1 Null
192.168.20.56/32 192.168.20.56 UH Vlan1 Null
192.168.20.57/32 192.168.20.57 UH Vlan1 Null
192.168.20.60/32 192.168.20.60 UH Vlan1 Null
192.168.20.61/32 192.168.20.61 UH Vlan1 Null
192.168.20.62/32 192.168.20.62 UH Vlan1 Null
192.168.20.66/32 192.168.20.66 UH Vlan1 Null
192.168.20.67/32 192.168.20.67 UH Vlan1 Null
192.168.20.82/32 192.168.20.82 UH Vlan1 Null
192.168.20.93/32 192.168.20.93 UH Vlan1 Null
192.168.20.101/32 192.168.20.101 UH Vlan1 Null
192.168.20.104/32 192.168.20.104 UH Vlan1 Null
192.168.20.150/32 192.168.20.150 UH Vlan1 Null
192.168.20.164/32 192.168.20.164 UH Vlan1 Null
192.168.20.169/32 192.168.20.169 UH Vlan1 Null
192.168.20.175/32 192.168.20.175 UH Vlan1 Null
192.168.20.206/32 192.168.20.206 UH Vlan1 Null
192.168.20.238/32 192.168.20.238 UH Vlan1 Null
192.168.20.251/32 192.168.20.251 UH Vlan1 Null
192.168.20.252/32 192.168.20.252 UH Vlan1 Null
192.168.22.0/24 192.168.5.2 USG Vlan1 Null
192.168.25.0/24 192.168.5.2 USG Vlan1 Null
192.168.25.2/32 192.168.25.2 UH Vlan1 Null
192.168.25.100/32 192.168.25.100 UH Vlan1 Null
192.168.25.101/32 192.168.25.101 UH Vlan1 Null
192.168.25.103/32 192.168.25.103 UH Vlan1 Null
192.168.25.104/32 192.168.25.104 UH Vlan1 Null
192.168.25.105/32 192.168.25.105 UH Vlan1 Null
192.168.122.0/24 192.168.5.2 USG Vlan1 Null
192.168.150.104/32 192.168.150.104 UH Vlan1 Null
192.168.180.0/24 192.168.5.2 USG Vlan1 Null
192.168.180.4/32 192.168.180.4 UH Vlan1 Null
192.168.180.7/32 192.168.180.7 UH Vlan1 Null
192.168.180.8/32 192.168.180.8 UH Vlan1 Null
192.168.180.9/32 192.168.180.9 UH Vlan1 Null
192.168.180.11/32 192.168.180.11 UH Vlan1 Null
192.168.180.13/32 192.168.180.13 UH Vlan1 Null
192.168.180.14/32 192.168.180.14 UH Vlan1 Null
192.168.180.16/32 192.168.180.16 UH Vlan1 Null
192.168.180.17/32 192.168.180.17 UH Vlan1 Null
192.168.180.19/32 192.168.180.19 UH Vlan1 Null
192.168.180.21/32 192.168.180.21 UH Vlan1 Null
192.168.180.22/32 192.168.180.22 UH Vlan1 Null
192.168.180.26/32 192.168.180.26 UH Vlan1 Null
192.168.180.27/32 192.168.180.27 UH Vlan1 Null
192.168.180.31/32 192.168.180.31 UH Vlan1 Null
192.168.180.33/32 192.168.180.33 UH Vlan1 Null
192.168.180.49/32 192.168.180.49 UH Vlan1 Null
192.168.180.63/32 192.168.180.63 UH Vlan1 Null
192.168.180.65/32 192.168.180.65 UH Vlan1 Null
192.168.180.66/32 192.168.180.66 UH Vlan1 Null
192.168.180.67/32 192.168.180.67 UH Vlan1 Null
192.168.180.76/32 192.168.180.76 UH Vlan1 Null
192.168.180.78/32 192.168.180.78 UH Vlan1 Null
192.168.180.79/32 192.168.180.79 UH Vlan1 Null
192.168.180.82/32 192.168.180.82 UH Vlan1 Null
192.168.180.94/32 192.168.180.94 UH Vlan1 Null
192.168.180.101/32 192.168.180.101 UH Vlan1 Null
192.168.180.104/32 192.168.180.104 UH Vlan1 Null
192.168.180.113/32 192.168.180.113 UH Vlan1 Null
192.168.180.124/32 192.168.180.124 UH Vlan1 Null
192.168.180.125/32 192.168.180.125 UH Vlan1 Null
192.168.180.127/32 192.168.180.127 UH Vlan1 Null
192.168.180.164/32 192.168.180.164 UH Vlan1 Null
192.168.180.181/32 192.168.180.181 UH Vlan1 Null
192.168.180.189/32 192.168.180.189 UH Vlan1 Null
192.168.180.191/32 192.168.180.191 UH Vlan1 Null
192.168.180.199/32 192.168.180.199 UH Vlan1 Null
192.168.180.203/32 192.168.180.203 UH Vlan1 Null
192.168.180.233/32 192.168.180.233 UH Vlan1 Null
192.168.180.239/32 192.168.180.239 UH Vlan1 Null
192.168.180.245/32 192.168.180.245 UH Vlan1 Null
192.168.190.0/24 192.168.5.2 USG Vlan1 Null
192.168.190.28/32 192.168.190.28 UH Vlan1 Null
192.168.190.34/32 192.168.190.34 UH Vlan1 Null
192.168.250.0/24 192.168.5.2 USG Vlan1 Null
223.5.5.5/32 223.5.5.5 UH Vlan1 Null
255.255.255.255/32 127.0.0.1 UH InLoop0 Null
<H3C>
<H3C>ping 223.5.5.5
Ping 223.5.5.5 (223.5.5.5): 56 data bytes, press CTRL_C to break
--- Ping statistics for 223.5.5.5 ---
1 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
<H3C>ping 223.6.6.6
Ping 223.6.6.6 (223.6.6.6): 56 data bytes, press CTRL_C to break
56 bytes from 223.6.6.6: icmp_seq=0 ttl=117 time=23.771 ms
56 bytes from 223.6.6.6: icmp_seq=1 ttl=117 time=23.640 ms
56 bytes from 223.6.6.6: icmp_seq=2 ttl=117 time=23.626 ms
--- Ping statistics for 223.6.6.6 ---
4 packet(s) transmitted, 3 packet(s) received, 25.0% packet loss
round-trip min/avg/max/std-dev = 23.626/23.679/23.771/0.065 ms
<H3C>
(0)
It looks like this was caused by some abnormal traffic on the internal network.

Our network topology is roughly as follows (I can't paste a diagram):
LAN (192.168.0.0/16) -> WS5800 (layer-3 switch) -> MSR860 -> WAN1 + WAN2

The bogus FIB entries appeared on the MSR860, with the outgoing interface for the public DNS server addresses set to Vlan1, the interface connected to the WS5800. Since no such route is configured, my guess is that packets whose source address is a public DNS server (DNS replies) entered the MSR860 from Vlan1, and because the "keep interface last hop" feature (保存接口上一跳, which is required for WAN1+WAN2 link load balancing) is enabled, the bogus FIB entries were generated.

I put an ACL on the WS5800 outgoing interface that denies outbound packets whose source address is not in 192.168.0.0/16. After observing for a while, the bogus FIB entries no longer appear on the MSR860, and the WS5800 ACL shows matching hit records.

As for how this abnormal traffic is produced: I observed some temporal correlation between the ACL hit records and a VPN mesh/NAT-traversal tool called easy-tier that is used on the internal network. My guess is that easy-tier leaked VPN addresses (10.0.0.0/8) into the LAN, causing the WS5800 to forward abnormally. But capturing packets based on this guess did not give conclusive evidence; I don't intend to dig further, :P
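The check below is an added example, not code from the poster or from H3C: it parses a `show fib` dump like the one posted above and flags host entries that exist only because traffic arrived on an interface, using a heuristic that is my own, not a Comware rule. An entry is suspicious when it is a /32 with the host itself as next hop (flag H, not S or B, not loopback) and the longest non-host prefix covering that address points at a different interface; 223.5.5.5/32 on Vlan1 fails that test because its only covering route is the default via GE0/0. The sample is a constructed excerpt of the posted dump in which the masked ISP addresses (IP1.XX.XX.xx) are replaced by 203.0.113.x (TEST-NET-3) so the lines parse. On this excerpt the heuristic also flags 192.168.150.104/32, which likewise has no covering route other than the default; whether that is a missing static route or another stray source is not something the post answers. The last function shows which of the flagged hosts the poster's switch ACL (deny egress unless the source is in 192.168.0.0/16) would have stopped from re-appearing.

```python
import ipaddress
import re

# Constructed excerpt of the `show fib` output posted above (added example,
# not from the post). The ISP addresses the poster masked as IP1.XX.XX.xx
# are replaced with 203.0.113.x (TEST-NET-3) purely so the lines parse;
# the remaining lines are copied from the dump.
SAMPLE_FIB = """\
Destination/Mask Nexthop Flag OutInterface/Token Label
0.0.0.0/0 203.0.113.66 USG GE0/0 Null
0.0.0.0/32 127.0.0.1 UH InLoop0 Null
203.0.113.64/30 203.0.113.65 U GE0/0 Null
203.0.113.65/32 127.0.0.1 UH InLoop0 Null
203.0.113.66/32 0.0.0.0 USH GE0/0 Null
203.0.113.66/32 203.0.113.66 H GE0/0 Null
127.0.0.0/8 127.0.0.1 U InLoop0 Null
192.168.5.0/24 192.168.5.103 U Vlan1 Null
192.168.5.2/32 192.168.5.2 UH Vlan1 Null
192.168.5.103/32 127.0.0.1 UH InLoop0 Null
192.168.20.0/24 192.168.5.2 USG Vlan1 Null
192.168.20.3/32 192.168.20.3 UH Vlan1 Null
192.168.150.104/32 192.168.150.104 UH Vlan1 Null
192.168.180.0/24 192.168.5.2 USG Vlan1 Null
192.168.180.4/32 192.168.180.4 UH Vlan1 Null
223.5.5.5/32 223.5.5.5 UH Vlan1 Null
255.255.255.255/32 127.0.0.1 UH InLoop0 Null
"""

FIB_LINE = re.compile(
    r"^(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<flags>[A-Z]+)\s+(?P<iface>\S+)\s+(?P<label>\S+)$"
)


def parse_fib(text):
    """Turn the text of `show fib` into a list of entry dicts; header and
    prompt lines simply do not match the regex and are skipped."""
    entries = []
    for line in text.splitlines():
        m = FIB_LINE.match(line.strip())
        if m:
            entries.append({
                "dest": ipaddress.ip_network(m["dest"], strict=False),
                "nexthop": ipaddress.ip_address(m["nexthop"]),
                "flags": set(m["flags"]),
                "iface": m["iface"],
            })
    return entries


def is_traffic_learned_host(e):
    """/32 host entry whose next hop is the host itself, not static (S),
    not blackhole (B), not delivered to the loopback. In the posted dump
    these are the entries present in the FIB with no matching RIB route."""
    return (e["dest"].prefixlen == 32
            and "H" in e["flags"]
            and not {"S", "B"} & e["flags"]
            and e["nexthop"] == e["dest"].network_address)


def covering_route(entries, addr):
    """Longest-prefix match among the non-host entries, i.e. the route the
    box would use for addr if the host entry were absent."""
    best = None
    for e in entries:
        if e["dest"].prefixlen == 32 or addr not in e["dest"]:
            continue
        if best is None or e["dest"].prefixlen > best["dest"].prefixlen:
            best = e
    return best


def find_stray_hosts(entries):
    """Host entries whose interface disagrees with their covering route.
    Returns (host, host_iface, covering_prefix, covering_iface) tuples."""
    stray = []
    for e in entries:
        if not is_traffic_learned_host(e):
            continue
        cover = covering_route(entries, e["dest"].network_address)
        if cover is None or cover["iface"] != e["iface"]:
            stray.append((
                str(e["dest"]), e["iface"],
                str(cover["dest"]) if cover else None,
                cover["iface"] if cover else None,
            ))
    return stray


def caught_by_lan_source_acl(stray, lan="192.168.0.0/16"):
    """Which flagged hosts the poster's switch ACL (deny egress unless the
    source is inside the LAN aggregate) would keep out of the FIB."""
    lan_net = ipaddress.ip_network(lan)
    return {host: ipaddress.ip_network(host).network_address not in lan_net
            for host, _, _, _ in stray}


if __name__ == "__main__":
    found = find_stray_hosts(parse_fib(SAMPLE_FIB))
    for host, iface, cov, cov_iface in found:
        print(f"{host} learned on {iface}, covering route {cov} points at {cov_iface}")
    print(caught_by_lan_source_acl(found))
```

Run it against a fresh `show fib` capture whenever DNS breaks again: the flagged list tells you which addresses were learned from traffic arriving on Vlan1, and the ACL check shows that a source filter keyed on 192.168.0.0/16 only stops the public addresses, not a stray internal one.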