关于H3C高端防火墙从CMW520-B3103升级到B3155及以后版本必须手动设置MAC地址的解决方法

一、  问题描述：

    H3C高端防火墙设备(F1000-E、SecBladeII)，当版本从CMW520-B3103升级到CMW520-3155及以后的版本，其固定4GE接口MAC地址会被重置，升级完成后，必须手动设置固定4GE接口的MAC地址。

涉及产品：H3C SecPath F1000-E、H3C SecBladeII

涉及版本：CMW520-B3103，后续版本升级不存在此问题

二、  原因分析：

    H3C高端防火墙从CMW520-B3155版本开始，软件修改了MAC地址存放格式。

三、  解决办法：

     版本从B3103升级到B3155及以后版本后，需要手动修改固定4GE接口MAC地址。实际操作时，只需要手动修改第一个接口即可（F1000-E为int g0/0，SecBladeII为int g0/1），系统会自动重置后续接口MAC。

下面以F1000-E为例介绍手动设置int g0/0 MAC的操作步骤，设置SecBladeII int g0/1 MAC方法类似：

1、升级前记录MAC地址：

    对于F1000-E记录int g0/0口MAC地址，对于SecBladeII记录int g0/1的MAC地址。

以F1000-E为例，将int g0/0的MAC地址（红色字体部分）记下来：

<F1000-E>display interface gigabitethernet 0/0

GigabitEthernet0/0 current state: UP

Line protocol current state: UP

Description: GigabitEthernet0/0 Interface

The Maximum Transmit Unit is 1500, Hold timer is 10(sec)

Internet Address is 192.168.1.226/24 Primary

IP Packet Frame Type: PKTFMT_ETHNT_2,  Hardware Address: 000f-e200-8871

Media type is twisted pair, loopback not set, promiscuous mode not set

100Mb/s, Full-duplex, link type is autonegotiation

Output flow-control is disabled, input flow-control is disabled

Last clearing of counters: Never

    Last 300 seconds input rate 0.00 bytes/sec, 0 bits/sec, 0.00 packets/sec

    Last 300 seconds output rate 0.00 bytes/sec, 0 bits/sec, 0.00 packets/sec

    Input: 0 packets, 0 bytes, 0 buffers

           0 broadcasts, 0 multicasts, 0 pauses

           0 errors, 0 runts, 0 giants

           0 crc, 0 align errors, 0 overruns

           0 dribbles, 0 drops, 0 no buffers

    Output:1 packets, 42 bytes, 1 buffers

           1 broadcasts, 0 multicasts, 0 pauses

           0 errors, 0 underruns, 0 collisions

           0 deferred, 0 lost carriers

2、升级到CMW520-3155及以后版本

升级步骤详见《版本使用指导书》，升级后MAC地址会被重置：

<F1000E>display interface gigabitethernet 0/0

GigabitEthernet0/0 current state: UP

Line protocol current state: UP

Description: GigabitEthernet0/0 Interface

The Maximum Transmit Unit is 1500, Hold timer is 10(sec)

Internet Address is 192.168.1.226/24 Primary

IP Packet Frame Type: PKTFMT_ETHNT_2,  Hardware Address: 000f-e200-0002

Media type is twisted pair, loopback not set, promiscuous mode not set

100Mb/s, Full-duplex, link type is autonegotiation

Output flow-control is disabled, input flow-control is disabled

Last clearing of counters: Never

    Last 300 seconds input rate 0.00 bytes/sec, 0 bits/sec, 0.00 packets/sec

    Last 300 seconds output rate 0.00 bytes/sec, 0 bits/sec, 0.00 packets/sec

    Input: 0 packets, 0 bytes, 0 buffers

           0 broadcasts, 0 multicasts, 0 pauses

           0 errors, 0 runts, 0 giants

           0 crc, 0 align errors, 0 overruns

           0 dribbles, 0 drops, 0 no buffers

    Output:1 packets, 42 bytes, 1 buffers

           1 broadcasts, 0 multicasts, 0 pauses

           0 errors, 0 underruns, 0 collisions

           0 deferred, 0 lost carriers

3、手动设置MAC地址，对于F1000-E：

<F1000E>

%Dec 21 19:15:04:942 2007 F1000E SHELL/4/LOGIN: Console login from con0

<F1000E>system-view

System View: return to User View with Ctrl+Z.

[F1000E]_hidecmd

Now you enter a hidden command view for developer's testing, some commands may affect operation by wrong use, please carefully use it with our engineer's direction.

[F1000E-hidecmd]en_equipment

 input password (1-12 characters) :************

 This mode is for our engineers to test. Running these commands could result in

exceptions. Please carefully use it with our engineer's direction.

其中，键入en_equipment命令后，系统要求输入密码，密码为diagnosis，全部为小写英文字母。注意en_equipment命令为内部受控命令，仅限于公司内部人员使用。

进入诊断模式之后，键入命令修改MAC地址：

[F1000E-equipment]test ethernet 0/0/0 setmac HHHH-HHHH-HHHH

其中，HHHH-HHHH-HHHH（红色字体部分）为前面步骤1记录下来的int g0/0的MAC地址。

4、确认设置的MAC地址生效：

执行完上述操作后，重新启动设备，验证刚才操作是否生效：

使用display interface命令可以看到，设备出厂时的MAC地址重新生效。

<F1000-E>display interface gigabitethernet 0/0

GigabitEthernet0/0 current state: UP

Line protocol current state: UP

Description: GigabitEthernet0/0 Interface

The Maximum Transmit Unit is 1500, Hold timer is 10(sec)

Internet Address is 192.168.1.226/24 Primary

IP Packet Frame Type: PKTFMT_ETHNT_2,  Hardware Address: 000f-e200-8871

Media type is twisted pair, loopback not set, promiscuous mode not set

100Mb/s, Full-duplex, link type is autonegotiation

Output flow-control is disabled, input flow-control is disabled

Last clearing of counters: Never

    Last 300 seconds input rate 0.00 bytes/sec, 0 bits/sec, 0.00 packets/sec

    Last 300 seconds output rate 0.00 bytes/sec, 0 bits/sec, 0.00 packets/sec

    Input: 0 packets, 0 bytes, 0 buffers

           0 broadcasts, 0 multicasts, 0 pauses

           0 errors, 0 runts, 0 giants

           0 crc, 0 align errors, 0 overruns

           0 dribbles, 0 drops, 0 no buffers

    Output:1 packets, 42 bytes, 1 buffers

           1 broadcasts, 0 multicasts, 0 pauses

           0 errors, 0 underruns, 0 collisions

           0 deferred, 0 lost carriers