Print

S7608-X业务转发正常无法ping通问题分析

2015-07-31 发表

S7608-X作为客户业务网络核心交换机,S5500-EI是业务网络的汇聚交换机,两台设备直连并转发业务数据。近期客户发现网络中业务运行正常,网管显示核心交换机托管,无法显示业务流量统计数据以及设备运行状态,进一步分析发现汇聚交换机下联的PC和核心交换机互ping不通,但是业务不受影响,测试PC的网关在汇聚交换机上。


网管告警核心交换机托管。


1、在两台交换机上做流量统计分析,并从测试PC上ping核心交换机,通过流量统计记录核心交换机收到报文,但是未回应报文:

[Zhongxing7608_1]dis qos policy interface

  Interface: GigabitEthernet1/1/0/13

  Direction: Inbound

  Policy: test
   Classifier: test
     Operator: AND
     Rule(s) : If-match acl 3100
     Behavior: test
      Accounting Enable:
        4 (Packets)

  Direction: Outbound

  Policy: test
   Classifier: test
     Operator: AND
     Rule(s) : If-match acl 3100
     Behavior: test
      Accounting Enable:
        0 (Packets)

经过确认,交换机对于CPU处理的报文在出方向无法统计;

2、在核心交换机上debug ip icmp信息分析,统计调试信息显示,设备发送报文中存在TTL超时:

ICMP Send: ttl-exceeded(Type=11, Code=0), Src = 172.31.0.1, Dst = 10.70.1.103; Original IP header: Pro = 1, Src = 10.70.1.103, Dst = 180.76.22.49, First 8 bytes = 0800BCE9 02003916
ICMP Send: ttl-exceeded(Type=11, Code=0), Src = 172.31.0.1, Dst = 10.74.4.206; Original IP header: Pro = 1, Src = 10.74.4.206, Dst = 180.76.22.49, First 8 bytes = 080092E9 02006316
ICMP Send: ttl-exceeded(Type=11, Code=0), Src = 1.1.91.2, Dst = 10.3.81.94; Original IP header: Pro = 1, Src = 10.3.81.94, Dst = 61.155.162.135, First 8 bytes = 0800BB30 18F80005
ICMP Send: ttl-exceeded(Type=11, Code=0), Src = 172.31.0.1, Dst = 10.76.81.24; Original IP header: Pro = 1, Src = 10.76.81.24, Dst = 10.208.101.56, First 8 bytes = 080076FD 02007F02
ICMP Send: ttl-exceeded(Type=11, Code=0), Src = 172.31.0.1, Dst = 10.20.59.209; Original IP header: Pro = 1, Src = 10.20.59.209, Dst = 219.133.40.180, First 8 bytes = 0800D005 00010128
ICMP Send: ttl-exceeded(Type=11, Code=0), Src = 172.31.0.1, Dst = 10.67.23.223; Original IP header: Pro = 1, Src = 10.67.23.223, Dst = 180.76.22.49, First 8 bytes = 0800CC56 01002AA9
ICMP Send: ttl-exceeded(Type=11, Code=0), Src = 172.31.0.1, Dst = 10.72.176.4; Original IP header: Pro = 1, Src = 10.72.176.4, Dst = 61.135.185.216, First 8 bytes = 0800CDC4 013B2900

3.为进一步确认是哪台设备问题,在核心交换机上抓包,通过抓包分析,核心交换机发出报文TTL值为1:

4.通过进一步确认,交换机默认对于TTL=1的报文不回应处理,所以显示ping不通


1、在核心交换机上删除SNMP写权限,或者在写权限增加ACL访问权限;

2、使用网管软件修改核心设备的TTL值为255,或者重启核心交换机(客户选择使用网管软件修改)。