查看完整版本: cisco的工程师目前还没有解决-两台Catalyst4503做HSRP的奇怪问题-附拓扑

cisco的工程师目前还没有解决-两台Catalyst4503做HSRP的奇怪问题-附拓扑

如题：

[[i] Last edited by tks_333 on 2005-5-18 at 16:45 [/i]]

我把所有的配置都已经发给cisco的工程师了，他们也没有看出来什么，请大家讨论讨论是什么原因

目前的情况如下：防火墙双机，在防火墙上做透明，内部全部是校园网地址并且是一个网段（暂时使用），4503的地址是251，4503-2的地址是252，虚拟地址是250，45下面的服务器双千兆网卡邦定分别连到4503，4503做hsrp，4503中间有一对光纤连接，

问题如下：从服务器上面ping虚拟地址250，时通时不通，如果关掉一台4503，切换正常，而且可以一直ping通，如果再打开的话，过了几十分钟，又不通了，在45上面用clear arp的命令，通了有不到10个ping包，继续不通，在校园网内的任何地址都可以ping通250，在4503-1上面用show spanning-tree detail查看，发现4503-1上面和另外一台4503连接的端口gi3/1状态blocking，说明他们目前协商包是通过上面的防火墙来传递的，就是在ping不通的时候，我通过debug standby
查看协商，包也是正常的，in  out

可能情况：1、ios的bug
          2、服务器---〉4503——〉服务器中间 出现环路，网络不稳定

一些配置：

CISCO4503-1#show standby
Vlan2 - Group 1
  Local state is Active, priority 180, may preempt
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 0.528
  Virtual IP address is 202.197.191.250 configured
  Active router is local
  Standby router is 202.197.191.252 expires in 7.784
  Virtual mac address is 0000.0c07.ac01
  1 state changes, last state change 00:41:49
  IP redundancy name is "hsrp-Vl2-1" (default)
CISCO4503-1#show span
CISCO4503-1#show spanning-tree de

VLAN0002 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 2, address 0012.dabc.1600
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 32768, address 0011.bc64.d402
  Root port is 131 (GigabitEthernet3/3), cost of root path is 8
  Topology change flag not set, detected flag not set
  Number of topology changes 6 last change occurred 00:21:58 ago
          from GigabitEthernet3/6
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

Port 2 (GigabitEthernet1/2) of VLAN0002 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.2.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.2, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1288, received 0

  Port 4 (GigabitEthernet1/4) of VLAN0002 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.4.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.4, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 1288, received 0

Port 8 (GigabitEthernet1/8) of VLAN0002 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.8.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.8, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 1289, received 0

Port 129 (GigabitEthernet3/1) of VLAN0002 is blocking
  Port path cost 4, Port priority 128, Port Identifier 128.129.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.129, designated path cost 8
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 0
   Link type is point-to-point by default
   BPDU: sent 1, received 1286

Port 131 (GigabitEthernet3/3) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.131.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32769, address 0090.fb01.6e92
   Designated port id is 128.4, designated path cost 4
   Timers: message age 1, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 6, received 1290

Port 132 (GigabitEthernet3/4) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.132.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.132, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1290, received 0

Port 134 (GigabitEthernet3/6) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.134.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.134, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 683, received 0

Port 135 (GigabitEthernet3/7) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.135.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.135, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1290, received 0

Port 136 (GigabitEthernet3/8) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.136.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.136, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1290, received 0

Port 138 (GigabitEthernet3/10) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.138.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.138, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1290, received 0

4503-2的配置：
how spn an

VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    32768
             Address     0011.bc64.d402
             Cost        8
             Port        131 (GigabitEthernet3/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0012.dabc.15c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi1/1            Desg FWD 19        128.1    P2p
Gi3/1            Desg FWD 4         128.129  P2p
Gi3/3            Root FWD 4         128.131  P2p
Gi3/4            Desg FWD 4         128.132  Edge P2p
Gi3/5            Desg FWD 4         128.133  Edge P2p
Gi3/6            Desg FWD 4         128.134  Edge P2p
Gi3/7            Desg FWD 4         
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------

Gi3/9            Desg FWD 4         128.137  Edge P2p

CISCO4503-2#show span
CISCO4503-2#show spanning-tree de

VLAN0002 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 2, address 0012.dabc.15c0
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 32768, address 0011.bc64.d402
  Root port is 131 (GigabitEthernet3/3), cost of root path is 8
  Topology change flag not set, detected flag not set
  Number of topology changes 6 last change occurred 00:23:51 ago
          from GigabitEthernet1/3
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

Port 1 (GigabitEthernet1/1) of VLAN0002 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.1, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 31588, received 0

  Port 129 (GigabitEthernet3/1) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.129.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.129, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1151, received 1

Port 131 (GigabitEthernet3/3) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.131.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32769, address 0090.fb01.6e92
   Designated port id is 128.3, designated path cost 4
   Timers: message age 1, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 6, received 31591

Port 132 (GigabitEthernet3/4) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.132.
   Designated root has priority 32768, address 0011.bc64.d402
Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.132, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 2977, received 0

Port 133 (GigabitEthernet3/5) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.133.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.133, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 31591, received 0

Port 134 (GigabitEthernet3/6) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.134.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.134, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 31591, received 0

Port 135 (GigabitEthernet3/7) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.135.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.135, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 806, received 0

Port 137 (GigabitEthernet3/9) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.137.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.137, designated path cost 8
    Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 1258, received 0

CISCO4503-2#  show span 

CISCO4503-2#show spanning-tree roo

                                        Root Hello Max Fwd
Vlan                   Root ID          Cost  Time Age Dly  Root Port
---------------- -------------------- ------ ----- --- ---  ----------------
VLAN0002         32768 0011.bc64.d402542789000    2   20  15  Gi3/3

只要线路没有问题，最好是找一个4503的稳定点的IOS再试一下，一些怪问题都是软件引起的。

把配置写出来吧。

我觉得不是IOS的问题，可能配置有问题或者是环路问题；

问题应该有可能是在你服务器上,你服务器都是双网卡绑定,我想问一下,你的服务器双网卡的模式是做成出错冗余方式,还是负载均衡方式,还是链路汇聚方式?这几种方式协议标准和工作方式都是有区别的,当然有些也是要交换机也支持,就比如链路汇聚一样,注意,建议你把网卡的绑定方式和两台4503的配置最好帖出来,就明白了,我初步估计你是在服务器那边做了链路汇聚或负载均衡,而交换机那边的端口又没有正确配置.
服务器的网卡是用INTEL 的PROSET程序配置的,还是3COM的?

WGH的想法和我开始的想法一样，我也是一直怀疑是服务器双网卡出现的问题

不过大家应该注意到4503-1里面的3/1（对端连的是另外一台4503）端口已经bloking掉了，之所以bloking之后两台45还可以协商主备信息，是由于协商包走的是上面的防火墙，防火墙上面还有一台6506，这样6506（root） 与两台4503组成一个环路，就把3/1bloking掉了，我把4503的priority改为4096让它成为根交换机，这样问题就解决了，此时standby信息走的才是中间的级联线。

不过我现在仅仅根据现象了解了一点点，至于深层次的东西还是有点模糊

HSRP的工作原理
HSRP协议利用一个优先级方案来决定哪个配置了HSRP协议的路由器成为默认的主动路由器。如果一个路由器的优先级设置得比所有其他路由器的优先级高，则该路由器成为主动路由器。路由器的缺省优先级是100，所以如果只设置一个路由器的优先级高于100，则该路由器将成为主动路由器。
通过在设置了HSRP协议的路由器之间广播HSRP优先级，HSRP协议选出当前的主动路由器。当在预先设定的一段（Hold Time 缺省为10秒）时间内主动路由器不能发送hello消息，或者说HSRP检测不到主动路由器的hello消息时，将认为主动路由器有故障，这时HSRP会选择优先级最高的备用路由器变为主动路由器，同时将按HSRP优先级在配置了HSRP的路由器中再选择一台路由器作为新的备用路由器。
所有参与HSRP的路由器共享一个虚的IP地址，网络中的工作站将缺省网关指向该虚地址，被选出的主动路由器负责转发由工作站发到虚地址的数据包。
Hello消息是基于UDP的信息包，配置了HSRP的路由器将会周期性的广播Hello消息包，并利用Hello消息包来选择主动路由器和备用路由器及判断路由器是否失效。
如图所示，PC将数据包发送到设置的缺省网关（配置HSRP路由器所共享的虚拟IP地址），假设图中的7609设置了较高的优先级，7609将被选为主动路由器，并负责转发网络中所有由PC发送到其网关（HSRP地址）的数据包。当7609发生故障时，7609就不会广播Hello信息包，HSRP如果经过Hold Time还未收到来自7609的Hello信息包，将认为7609实效，这时HSRP将选择备用的5500作为主动路由器，并由5500来负责转发网络中所有由PC发送到其网关（HSRP地址）的数据包。而当7609恢复后，将继续发送Hello信息包，HSRP检测到其发送的Hello信息包具有高的优先级，则会重新将7609选为主动路由器，5500则仍将恢复成为备用路由器。
配置了HSRP协议的路由器交换以下三种多点广播消息：
●Hello──hello消息通知其他路由器，发送路由器的HSRP优先级和状态信息，HSRP路由器默认为每3秒钟发送一个hello消息；
●Coup──当一个备用路由器变为一个主动路由器时发送一个coup消息；
●Resign──当主动路由器要宕机或者当有优先级更高的路由器发送hello消息时，主动路由器发送一个resign消息。
在任一时刻，配置了HSRP协议的路由器处于由以下六种状态：
●Initial ——表示路由器的HSRP还未运行，一般在配置第一台HSRP路由器时会显示此状态；
●Learn——表示配置HSRP的路由器还未知道虚地址，并一直监听来自主动路由器的消息包；
●Listening──表示配置HSRP的路由器还已知道虚地址，路由器还在监听hello消息；
●Speaking and listening──路由器正在发送和监听hello消息；
●Standby──处于被用状态，当主动路由器失效时路由器可被选为主动路由器，接管包转发功能；
●Active──路由器执行包转发功能。

偶也说说偶的看法  关于hsrp的机制我已经贴出来了
按照上面的机制  既然你可以ping通地址 说明你的hsrp的虚拟地址还是存在的 而一会通一会不通说明是在router 的选择上出现了问题 hsrp的虚拟地址指向是不是有了问题
我怀疑是不是stp一直在变化 引起g3/1的一直变化  从而引起hsrp的选择一直在变化

3/1一直处于阻断状态，没有什么变化

上次遇到一个类似的情况（pc server 平台），把双网卡的负载均衡模式改为容错模式就ok了，楼主的问题在SUN平台上应该不会出现吧，hehe
针对PC平台，应该是服务器双网卡绑定的问题，可以试着禁用一块网卡看看网络情况，基本上在交换机上不需要作什么配置
建议将双网卡的容错或者负载均衡模式作些改动看看

呵呵，和kufei看来是真的有同感阿
不过有没有遇到了sun的服务器两块网卡mac地址一样的问题?

呵呵，这个到没有遇见过，如果是sun下关于双网卡的 ip Multipathing问题可以参考这篇文章：
[url]http://bbs.chinaunix.net/forum/viewtopic.php?t=552584&highlight=[/url]网卡

有解决结果了吗？

仔细说来听听，我们也好学着点

楼主得问题解决了没，解决了最好能说明一下

就是啊

如果解决了，仔细说说啊

1.对服务器接入这个区域建议采用802.1ad来做
2.防火墙是HA模式有个问题是只有一台墙处于主模式,根据图上的连接方式很难保证来去路径一致,所以违背了防火墙的基本工作原理,为了解决这个问题建议严格控制链路的COST.
3.4503在这样的环境下建议采用VRRP的方式
4.网络设计违背设计原则-----防火墙成为了网络的核心!
5.防火墙是否支持OSPF或者802.1ad协议?可以通过别的方式解决.
如需要详细讨论(027-63211665)

待续！　我也遇到这样的情况，自己搭了一环境结构也一样，搞了N天也还是出现环路。

搂主把交换机、服务器相连端口的 duplex 都配成半双工或全双工试试，不要用auto

[quote]Originally posted by [i]xiongwei1982[/i] at 2005-7-31 11:31 AM:
1.对服务器接入这个区域建议采用802.1ad来做
2.防火墙是HA模式有个问题是只有一台墙处于主模式,根据图上的连接方式很难保证来去路径一致,所以违背了防火墙的基本工作原理,为了解决这个问题建议严格控制链路的COS ... [/quote]

多谢
防火墙就是核心,全千兆的,这样做访问控制很方便

现在问题已经解决了,上面的帖子里面已经提到,请注意看看

现在又出现新的情况,客户又在下面增加一个网段的教育网地址,在2950管理区用,于是我就在2950以及6506之间做了trunk,不得已在3750以及4503上面也需要做trunk.
问题出现了,4503又出现了环路,4503-2的上联端口和3/1(对接4503-1)提示两个端口同时收到一个mac地址(其中有6506的mac地址还有其它区的mac地址),断断续续的丢包 ,环路又出现了,各位分析一下

[quote]Originally posted by [i]tks_333[/i] at 2005-10-8 10:32 AM:
现在又出现新的情况,客户又在下面增加一个网段的教育网地址,在2950管理区用,于是我就在2950以及6506之间做了trunk,不得已在3750以及4503上面也需要做trunk.
问题出现了,4503又出现了环路,4503-2的上联端口和3/1( ... [/quote]

是ARP广播环,不能全部都做成trunk,建议把NGFW-4000之间再做一组VRRP
即使要做TRUNK也只能对部分VLAN做穿透,用户网段不要穿透在核心上,如果穿透在核心上,第一丧失了做VLAN的意义(不能有效隔离广播),第二违背了网络的设计原则(层次化的网络结构).

目前得NGFW4000作得是主备模式
“用户网段不要穿透在核心上”，强烈同意你这句话

[quote]Originally posted by [i]tks_333[/i] at 2006-2-8 04:58 PM:
目前得NGFW4000作得是主备模式
“用户网段不要穿透在核心上”，强烈同意你这句话 [/quote]
这种机构NGFW4000做主备强烈支持!,只有这样才能更好的保障包的来去路径一致
如果不一致防火墙就会把包丢掉

厉害呀

请版主总结一下这个帖子吧　很有价值。。。

第一个问题怎么解决的?

整理一下吧,我们也好学习学习

怎么没图？？？？

好多呀。。多看看。。　呵呵　。。。　学习下楼主的东西，不过4、6系例这些和平常的不一样吧？

太经典了.

是否可总结如下:
1,双工模式特定情况下需要手工指定
2,trunk链路remove掉不需要的vlan