Topology: two F1090 firewalls in RBM transparent dual-active mode, with the egress router upstream and the core switch downstream. The firewall's upstream and downstream links are Bridge-Aggregation 1 and Bridge-Aggregation 2 respectively:
Pinging the management backup address (56.13) fails in both the upstream and downstream directions:
Taking 56.4 as an example, look at the session:
Debugging shows that the return packet is dropped by the ASPF policy:
May 17 16:02:50:211 2024 CZ-CJ-F04G04U12-F1090 FILTER/7/PACKET: -COntext=1; The packet is permitted. Src-ZOne=Trust, Dst-ZOne=Untrust;If-In=Bridge-Aggregation2(328), If-Out=Bridge-Aggregation1(327), VLAN-In=364, VLAN-Out=364; Packet Info:Src-IP=X.X.56.4, Dst-IP=X.X.133.2, VPN-Instance=, Src-MacAddr=X-X-X,Src-Port=0, Dst-Port=0, Protocol=ICMP(1), Application=invalid(0),Terminal=invalid(0), SecurityPolicy=Permit-ALL, Rule-ID=10.
*May 17 16:02:50:211 2024 CZ-CJ-F04G04U12-F1090 ASPF/7/PACKET: -COntext=1; The first packet was dropped by ASPF for invalid status. Src-ZOne=Trust, Dst-ZOne=Untrust;If-In=Bridge-Aggregation2(328), If-Out=Bridge-Aggregation1(327), VLAN-In=364, VLAN-Out=364; Packet Info:Src-IP=X.X.56.4, Dst-IP=X.X.133.2, VPN-Instance=none, Src-Port=7680, Dst-Port=0. Protocol=ICMP(1).
Reviewing the debug output confirmed that the forward and return traffic do not take different forwarding paths; switching the session mode to loose mode still did not help.
Comparing again showed that the forward and return VLANs are inconsistent: the forward packet in the session is on VLAN 362, while the return packet in the debug output is on VLAN 364.
The aggregation interfaces on the device permit VLANs 361 to 370:
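The VLAN mismatch above was found by eye, comparing a session entry against a debug line. The following added script (not part of the original case) parses H3C FILTER/ASPF debug lines of the format shown above and flags any ASPF drop whose VLAN-In differs from the VLAN recorded for the session between the same two endpoints. The two debug lines are constructed from the page's output (addresses anonymised as on the page); the session table with VLAN 362 is constructed from the prose, and the key names are lower-cased because the capture on the page has inconsistent capitalisation.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the FILTER/ASPF debug lines in the case.
DEBUG_LINES = [
    "May 17 16:02:50:211 2024 CZ-CJ-F04G04U12-F1090 FILTER/7/PACKET: -Context=1; "
    "The packet is permitted. Src-Zone=Trust, Dst-Zone=Untrust;If-In=Bridge-Aggregation2(328), "
    "If-Out=Bridge-Aggregation1(327), VLAN-In=364, VLAN-Out=364; Packet Info:Src-IP=X.X.56.4, "
    "Dst-IP=X.X.133.2, VPN-Instance=, Src-MacAddr=X-X-X,Src-Port=0, Dst-Port=0, Protocol=ICMP(1), "
    "Application=invalid(0),Terminal=invalid(0), SecurityPolicy=Permit-ALL, Rule-ID=10.",
    "*May 17 16:02:50:211 2024 CZ-CJ-F04G04U12-F1090 ASPF/7/PACKET: -Context=1; "
    "The first packet was dropped by ASPF for invalid status. Src-Zone=Trust, Dst-Zone=Untrust;"
    "If-In=Bridge-Aggregation2(328), If-Out=Bridge-Aggregation1(327), VLAN-In=364, VLAN-Out=364; "
    "Packet Info:Src-IP=X.X.56.4, Dst-IP=X.X.133.2, VPN-Instance=none, Src-Port=7680, Dst-Port=0. "
    "Protocol=ICMP(1).",
]

# Constructed session table: per the case, the forward packet of the session
# between these two endpoints was seen on VLAN 362.  Keyed on the unordered
# endpoint pair so the return direction maps to the same session.
SESSION_VLANS: Dict[frozenset, int] = {frozenset({"X.X.56.4", "X.X.133.2"}): 362}

# key=value pairs; values stop at ',', ';' or whitespace so "Dst-Port=0. Protocol=..."
# splits into two fields.  Trailing '.' on the last field of a sentence is stripped.
KV_RE = re.compile(r"([A-Za-z][\w-]*)=([^,;\s]*)")
MODULE_RE = re.compile(r"\s(\w+)/\d/PACKET:")


def parse_debug_line(line: str) -> Dict[str, object]:
    """Split one debug line into lower-cased key/value fields plus module and drop flag."""
    fields: Dict[str, object] = {}
    m = MODULE_RE.search(line)
    fields["module"] = m.group(1) if m else ""
    fields["dropped"] = "dropped by ASPF" in line
    for key, val in KV_RE.findall(line):
        fields[key.lower()] = val.rstrip(".")
    return fields


def find_vlan_mismatches(lines: List[str], session_vlans: Dict[frozenset, int]) -> List[dict]:
    """Return one finding per ASPF drop whose inbound VLAN differs from the
    VLAN already recorded for the session between the same two endpoints."""
    findings = []
    for line in lines:
        f = parse_debug_line(line)
        if f["module"] != "ASPF" or not f["dropped"]:
            continue
        pair = frozenset({f.get("src-ip"), f.get("dst-ip")})
        session_vlan = session_vlans.get(pair)
        vlan_in = str(f.get("vlan-in", ""))
        if session_vlan is None or not vlan_in.isdigit():
            continue  # no session to compare against, or no VLAN tag in the line
        if int(vlan_in) != session_vlan:
            findings.append({
                "src": f["src-ip"], "dst": f["dst-ip"], "if_in": f.get("if-in", ""),
                "session_vlan": session_vlan, "packet_vlan": int(vlan_in),
            })
    return findings


if __name__ == "__main__":
    for hit in find_vlan_mismatches(DEBUG_LINES, SESSION_VLANS):
        print(f"{hit['src']} -> {hit['dst']} via {hit['if_in']}: "
              f"session VLAN {hit['session_vlan']}, dropped packet VLAN {hit['packet_vlan']}")
```

A hit from this check points at an asymmetric VLAN between the two directions rather than at the ASPF rule itself, which is why changing the session mode could not fix the case.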
interface Bridge-Aggregation1
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 361 to 370
link-aggregation mode dynamic
#
interface Bridge-Aggregation2
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 361 to 370
link-aggregation mode dynamic
Use the undo mac fast-forwarding check-vlan-id command to disable checking of the VLAN ID field during fast Layer 2 forwarding.