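Switch VRRP failure caused by spanning-tree blocked ports, explained by instructor Wang Haijun
1. Problem description
Notes:
1) SW1 and SW2 are aggregation switches; they are interconnected through an Eth-Trunk that carries the corresponding VLANs.
2) SW3 and SW4 are access switches, each dual-homed to SW1 and SW2; the interconnecting links are trunk links that carry the specified VLANs.
3) SW1 and SW2 have management VLAN 10 and service VLANs 20 and 21. VRRP is deployed on SW1 and SW2, with SW1 as the VRRP master and SW2 as the VRRP backup.
4) On SW3 the management VLAN is 10 and the service VLAN is 20, with PC2 (in VLAN 20) attached; on SW4 the management VLAN is 10 and the service VLAN is 21, with PC3 (in VLAN 21) attached.
Fault:
1) On both SW1 and SW2, the VRRP state for vlanif20 and vlanif21 is Master.
2) When port G0/0/1 on SW1 goes down, PC2 cannot communicate with the gateway.
2. Troubleshooting process
1) Run display vrrp brief on SW1 and SW2 respectively to check the VRRP state: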
VRID State Interface Type Virtual IP
----------------------------------------------------------------
10 Master Vlanif10 Normal 10.10.10.3
20 Master Vlanif20 Normal 20.20.20.3
21 Master Vlanif21 Normal 21.21.21.3
----------------------------------------------------------------
Total:3 Master:3 Backup:0 Non-active:0
VRID State Interface Type Virtual IP
----------------------------------------------------------------
10 Backup Vlanif10 Normal 10.10.10.3
20 Master Vlanif20 Normal 20.20.20.3
21 Master Vlanif21 Normal 21.21.21.3
----------------------------------------------------------------
Total:3 Master:2 Backup:1 Non-active:0
The output shows that the VRRP state of Vlanif20 and Vlanif21 is Master on both switches.
2) Ping 20.20.20.3 from PC2; the ping succeeds:
PC>ping 20.20.20.3
Ping 20.20.20.3: 32 data bytes, Press Ctrl_C to break
From 20.20.20.3: bytes=32 seq=1 ttl=255 time=422 ms
From 20.20.20.3: bytes=32 seq=2 ttl=255 time=62 ms
From 20.20.20.3: bytes=32 seq=3 ttl=255 time=63 ms
From 20.20.20.3: bytes=32 seq=4 ttl=255 time=31 ms
From 20.20.20.3: bytes=32 seq=5 ttl=255 time=47 ms
--- 20.20.20.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/125/422 ms
3) Shut down G0/0/1 on SW1; PC2 can no longer ping 20.20.20.3:
PC>ping 20.20.20.3
Ping 20.20.20.3: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 20.20.20.3 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
4) Run display vrrp interface vlanif on SW1 and SW2 respectively to check the VRRP details for vlanif20 and vlanif21:
SW1:
Vlanif20 | Virtual Router 20
State : Master
Virtual IP : 20.20.20.3
Master IP : 20.20.20.1
PriorityRun : 150
PriorityConfig : 150
MasterPriority : 150
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0114
Check TTL : YES
Config type : normal-vrrp
Create time : 2016-10-12 08:55:13 UTC-08:00
Last change time : 2016-10-12 10:06:57 UTC-08:00
Vlanif21 | Virtual Router 21
State : Master
Virtual IP : 21.21.21.3
Master IP : 21.21.21.1
PriorityRun : 150
PriorityConfig : 150
MasterPriority : 150
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0115
Check TTL : YES
Config type : normal-vrrp
Create time : 2016-10-12 08:55:13 UTC-08:00
Last change time : 2016-10-12 08:57:02 UTC-08:00
-----------------------------------------------------------
SW2:
Vlanif20 | Virtual Router 20
State : Master
Virtual IP : 20.20.20.3
Master IP : 20.20.20.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0114
Check TTL : YES
Config type : normal-vrrp
Create time : 2016-10-12 09:26:15 UTC-08:00
Last change time : 2016-10-12 09:26:19 UTC-08:00
Vlanif21 | Virtual Router 21
State : Master
Virtual IP : 21.21.21.3
Master IP : 21.21.21.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0115
Check TTL : YES
Config type : normal-vrrp
Create time : 2016-10-12 09:33:34 UTC-08:00
Last change time : 2016-10-12 09:33:37 UTC-08:00
-------------------------------------------------------------
This information shows that the VRRP configuration itself is correct.
5) Run display vrrp statistics on SW1 and SW2 respectively to view the statistics for vlanif20 and vlanif21:
SW1:
Checksum errors : 0
Version errors : 0
Vrid errors : 0
Other errors : 0
Vlanif20 | Virtual Router 20
Transited to master : 2
Transited to backup : 2
Transited to initialize : 1
Received advertisements : 0
Sent advertisements : 12322
Advertisement interval errors : 0
Failed to authentication check : 0
Received ip ttl errors : 0
Received packets with priority zero : 0
Sent packets with priority zero : 1
Received invalid type packets : 0
Received unmatched address list packets : 0
Unknown authentication type packets : 0
Mismatched authentication type : 0
Packet length errors : 0
Discarded packets since track admin-vrrp : 0
Received attacking packets : 0
Received selfsend packets : 0
Vlanif21 | Virtual Router 21
Transited to master : 2
Transited to backup : 2
Transited to initialize : 1
Received advertisements : 0
Sent advertisements : 12343
Advertisement interval errors : 0
Failed to authentication check : 0
Received ip ttl errors : 0
Received packets with priority zero : 0
Sent packets with priority zero : 1
Received invalid type packets : 0
Received unmatched address list packets : 0
Unknown authentication type packets : 0
Mismatched authentication type : 0
Packet length errors : 0
Discarded packets since track admin-vrrp : 0
Received attacking packets : 0
Received selfsend packets : 0
----------------------------------------------------------
SW2:
Checksum errors : 0
Version errors : 0
Vrid errors : 0
Other errors : 0
Vlanif20 | Virtual Router 20
Transited to master : 1
Transited to backup : 1
Transited to initialize : 0
Received advertisements : 0
Sent advertisements : 10753
Advertisement interval errors : 0
Failed to authentication check : 0
Received ip ttl errors : 0
Received packets with priority zero : 0
Sent packets with priority zero : 0
Received invalid type packets : 0
Received unmatched address list packets : 0
Unknown authentication type packets : 0
Mismatched authentication type : 0
Packet length errors : 0
Discarded packets since track admin-vrrp : 0
Received attacking packets : 0
Received selfsend packets : 0
Vlanif21 | Virtual Router 21
Transited to master : 1
Transited to backup : 1
Transited to initialize : 0
Received advertisements : 0
Sent advertisements : 10318
Advertisement interval errors : 0
Failed to authentication check : 0
Received ip ttl errors : 0
Received packets with priority zero : 0
Sent packets with priority zero : 0
Received invalid type packets : 0
Received unmatched address list packets : 0
Unknown authentication type packets : 0
Mismatched authentication type : 0
Packet length errors : 0
Discarded packets since track admin-vrrp : 0
Received attacking packets : 0
Received selfsend packets : 0
-------------------------------------------------------
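The statistics show that vlanif20 and vlanif21 on SW1 and SW2 have only sent VRRP advertisements and have received none. Normally SW2, as the backup device, should be receiving VRRP advertisements, so the likely explanation is that something is preventing the VRRP advertisements from being delivered.
6) VRRP advertisements between SW1 and SW2 can travel over the Eth-Trunk link between SW1 and SW2 and over the Layer 2 links to the access switches SW3 and SW4. The next step is therefore to check whether these interconnecting links are configured correctly: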
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10
#
---------------------------------------------------------
The link between SW1 and SW2 allows only VLAN 10, so the VRRP advertisements for vlanif20 and vlanif21 cannot be carried over it.
#
interface GigabitEthernet0/0/1
description TO-SW3
port link-type trunk
port trunk allow-pass vlan 10 20
#
return
#
interface GigabitEthernet0/0/2
description TO-SW4
port link-type trunk
port trunk allow-pass vlan 10 21
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 21
#
return
#
interface GigabitEthernet0/0/2
description TO-SW3
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface Ethernet0/0/1
description TO-SW1
port link-type trunk
port trunk allow-pass vlan 10 20
#
return
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20
#
[SW4]display current-configuration interface Ethernet 0/0/1
#
interface Ethernet0/0/1
description TO-SW2
port link-type trunk
port trunk allow-pass vlan 10 21
#
return
[SW4]display current-configuration interface Ethernet 0/0/2
#
interface Ethernet0/0/2
description TO-SW1
port link-type trunk
port trunk allow-pass vlan 10 21
#
return
-------------------------------------------------------------
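The information above shows that the links between the access switches and the aggregation switches SW1 and SW2 are configured correctly and carry the corresponding VLANs, so the VRRP advertisements for vlanif20 and vlanif21 can only be transmitted over these links.
7) Because the dual uplinks between the access and aggregation switches form a ring, MSTP is enabled in the network to prevent loops. It is therefore likely that MSTP has blocked the relevant ports, so the VRRP advertisements cannot be delivered. Run display stp brief on SW3 and SW4 respectively to check which ports STP is blocking: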
MSTID Port Role STP State Protection
0 Ethernet0/0/1 ROOT FORWARDING NONE
0 Ethernet0/0/2 ALTE DISCARDING NONE
0 Ethernet0/0/22 DESI FORWARDING NONE
MSTID Port Role STP State Protection
0 Ethernet0/0/1 ALTE DISCARDING NONE
0 Ethernet0/0/2 ROOT FORWARDING NONE
0 Ethernet0/0/22 DESI FORWARDING NONE
--------------------------------------------------------------------
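This shows that Ethernet0/0/2 on SW3 and Ethernet0/0/1 on SW4 are in the blocking state, so VRRP advertisements cannot be delivered, which in turn leaves VRRP in an abnormal state.
8) Because the network is a ring, spanning tree cannot be disabled. Instead, VLAN 20 and VLAN 21 were allowed on the eth-trunk interfaces of SW1 and SW2 to restore delivery of VRRP advertisements. After this change the network returned to normal.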
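The reasoning of steps 6 to 8 as an added example (not part of the original article): the script models the trunk allow-pass lists and the STP-blocked ports shown above and tests, per VLAN, whether a forwarding Layer 2 path exists between SW1 and SW2, before and after the fix. The function names and the assumption that every VLAN maps to MSTP instance 0 are illustrative.

```python
from collections import deque

# Links (switch_a, port_a, switch_b, port_b, allowed VLANs) from step 6.
LINKS = [
    ("SW1", "Eth-Trunk1", "SW2", "Eth-Trunk1", {10}),
    ("SW1", "GigabitEthernet0/0/1", "SW3", "Ethernet0/0/1", {10, 20}),
    ("SW1", "GigabitEthernet0/0/2", "SW4", "Ethernet0/0/2", {10, 21}),
    ("SW2", "GigabitEthernet0/0/1", "SW4", "Ethernet0/0/1", {10, 21}),
    ("SW2", "GigabitEthernet0/0/2", "SW3", "Ethernet0/0/2", {10, 20}),
]
# DISCARDING ports from "display stp brief" in step 7. Assumption: every VLAN
# maps to MSTP instance 0, the only instance that output shows.
DISCARDING = {("SW3", "Ethernet0/0/2"), ("SW4", "Ethernet0/0/1")}

def l2_path(vlan, src, dst, links, discarding):
    """Return the switches on a forwarding path for `vlan`, or None."""
    adj = {}
    for a, pa, b, pb, vlans in links:
        blocked = (a, pa) in discarding or (b, pb) in discarding
        if vlan in vlans and not blocked:
            adj.setdefault(a, []).append(b)
            adj.setdefault(b, []).append(a)
    prev, queue = {src: None}, deque([src])
    while queue:  # breadth-first search over usable links only
        node = queue.popleft()
        if node == dst:
            path = [node]
            while prev[path[-1]] is not None:
                path.append(prev[path[-1]])
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def audit(vlans, links, discarding):
    """Map each VRRP VLAN to its SW1-SW2 advertisement path (None = no path)."""
    return {v: l2_path(v, "SW1", "SW2", links, discarding) for v in vlans}

def with_fix(links):
    """Step 8 change: also allow VLAN 20 and 21 on the SW1-SW2 Eth-Trunk."""
    return [(a, pa, b, pb, (vl | {20, 21}) if pa == "Eth-Trunk1" else vl)
            for a, pa, b, pb, vl in links]

if __name__ == "__main__":
    for label, links in (("before", LINKS), ("after", with_fix(LINKS))):
        print(label, audit([10, 20, 21], links, DISCARDING))
```

A VLAN whose entry is None has no path for VRRP advertisements between the two gateways, which is the condition that produced the two Masters in this case.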
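3. Root cause
Spanning tree blocked the path used by VRRP packets, so the devices in the VRRP group could not perform normal VRRP state election, which caused the VRRP fault.
4. Solution
In this situation, allow VLAN 20 and VLAN 21 on the eth-trunk link between SW1 and SW2 so that the VRRP advertisements for vlanif20 and vlanif21 can pass normally, without affecting the use of spanning tree.
5. Recommendations and summary
In networks like the one in this case, where dual uplinks form a ring, pay close attention to the effect of spanning tree on VRRP when deploying it: make sure the Layer 2 links between the devices in a VRRP group carry the corresponding VLANs, otherwise VRRP packets cannot be delivered.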
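An added monitoring example (not from the original article) for the symptom seen in step 1: it parses display vrrp brief output collected from the two peers and reports every VRID for which both claim Master for the same virtual IP. The function names are illustrative, and the two samples are the step 1 outputs, assumed to be SW1 first and SW2 second.

```python
import re

# Data row of "display vrrp brief": VRID, state, interface, type, virtual IP.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\s*$")

# Outputs from step 1 (assumed order: SW1, then SW2).
SW1_BRIEF = """\
VRID State Interface Type Virtual IP
10 Master Vlanif10 Normal 10.10.10.3
20 Master Vlanif20 Normal 20.20.20.3
21 Master Vlanif21 Normal 21.21.21.3
Total:3 Master:3 Backup:0 Non-active:0
"""
SW2_BRIEF = """\
VRID State Interface Type Virtual IP
10 Backup Vlanif10 Normal 10.10.10.3
20 Master Vlanif20 Normal 20.20.20.3
21 Master Vlanif21 Normal 21.21.21.3
Total:3 Master:2 Backup:1 Non-active:0
"""

def parse_vrrp_brief(text):
    """Return {vrid: (state, interface, virtual_ip)}; non-data lines are skipped."""
    groups = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            groups[int(m.group(1))] = (m.group(2), m.group(3), m.group(4))
    return groups

def dual_masters(peer_a, peer_b):
    """List (vrid, interface, virtual_ip) where both peers report Master."""
    a, b = parse_vrrp_brief(peer_a), parse_vrrp_brief(peer_b)
    return [(vrid, a[vrid][1], a[vrid][2])
            for vrid in sorted(a.keys() & b.keys())
            if a[vrid][0] == b[vrid][0] == "Master" and a[vrid][2] == b[vrid][2]]

if __name__ == "__main__":
    for vrid, interface, vip in dual_masters(SW1_BRIEF, SW2_BRIEF):
        print(f"dual master: VRID {vrid} on {interface} ({vip})")
```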