网络工程 - Server1无法到达Server2，都连接到同一个交换机 - 吾爱随笔录

我有一个用户在尝试从 Server1 访问 Server2 时遇到一些“安全错误”。server1 和 server2 都连接到同一台交换机，但服务器位于不同的 VLAN 上。

Server1 - IP 地址。10.114.91.40 - Vlan1904 - 网关 10.114.91.252/24

Server2 - IP 地址。10.115.210.76 - Vlan1877 - 网关 10.115.210.252/24

我登录 Switch 并成功 ping 10.115.210.76 但无法 ping 10.114.91.40：

SW1# ping 10.114.91.40
PING 10.114.91.40 (10.114.91.40): 56 data bytes
36 bytes from 10.114.91.252: Destination Host Unreachable
Request 0 timed out
36 bytes from 10.114.91.252: Destination Host Unreachable
Request 1 timed out
36 bytes from 10.114.91.252: Destination Host Unreachable
Request 2 timed out
36 bytes from 10.114.91.252: Destination Host Unreachable
Request 3 timed out
36 bytes from 10.114.91.252: Destination Host Unreachable
Request 4 timed out

这里有更多细节。对我来说奇怪的是，如果我跟踪 Server1，我得到的回复不是来自服务器本身，而是来自其默认网关。为什么会这样，它是如何工作的。还要注意在 traceroute 输出中有 !H 符号：

SW1# traceroute 10.114.91.40
traceroute to 10.114.91.40 (10.114.91.40), 30 hops max, 40 byte packets
1 10.114.91.252 (10.114.91.252) 1.008 ms !H 0.418 ms !H 0.474 ms !H

这是 Server1 的 show ip route 命令 - 它表示到 Server1 的路径通过其默认网关：

SW1# sh ip route 10.114.91.40
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]

10.114.91.0/24, ubest/mbest: 1/0, attached
*via 10.114.91.252, Vlan1904, [0/0], 2y3w, direct

Server1 在 VLAN1904 上。这是 VLAN1904 接口：

SW1# sh int Vlan1904
Vlan1904 is up, line protocol is up
Hardware is EtherSVI, address is 00aa.980c.3f41
Description: ***Linux_User_Test_2***
Internet Address is 10.114.91.252/24
MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 2/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA
Last clearing of "show interface" counters never
60 seconds input rate 9968116 bits/sec, 2960 packets/sec
60 seconds output rate 7807575 bits/sec, 2650 packets/sec
Load-Interval #2: 5 minute (300 seconds)
input rate 12.25 Mbps, 3.24 Kpps; output rate 11.08 Mbps, 2.97 Kpps
L3 Switched:
input: 61594435293 pkts, 20817831682880 bytes - output: 62930952743 pkts, 19735891643201 bytes
L3 in Switched:
ucast: 61529227443 pkts, 20810125939277 bytes - mcast: 65207850 pkts, 7705743603 bytes
L3 out Switched:
ucast: 62930952743 pkts, 19735891643201 bytes - mcast: 0 pkts, 0 bytes

现在另一端 - Server2。正如我前面提到的，我可以 ping Server2。当我跟踪 Server2 IP 地址时，我直接从 Server2 而不是从其默认网关获得回复，就像 Server1 的情况一样：

SW1traceroute 10.115.210.76
traceroute to 10.115.210.76 (10.115.210.76), 30 hops max, 40 byte packets
1 10.115.210.76 (10.115.210.76) 0.712 ms 0.554 ms 0.591 ms

这里是显示到 Server2 的 ip 路由。这里的输出表明 server2 的路径通过 10.115.210.76 - 即服务器本身。请记住，当我为 Server1 发出 show ip route 时，输出表明该路径通过了 Server1 的默认网关。正常吗？

SW1# sh ip route 10.115.210.76
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]

10.115.210.76/32, ubest/mbest: 1/0, attached
*via 10.115.210.76, Vlan1877, [250/0], 1d00h, am

Server2 位于 Vlan 1877 中，这是 VLAN 接口：

SW1# sh int Vlan1877
Vlan1877 is up, line protocol is up
Hardware is EtherSVI, address is bbbb.980c.3f41
Description: ***LINUX_BACKUP_TEST***
Internet Address is 10.115.210.252/24
MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA
Last clearing of "show interface" counters never
60 seconds input rate 22116 bits/sec, 4 packets/sec
60 seconds output rate 2976 bits/sec, 3 packets/sec
Load-Interval #2: 5 minute (300 seconds)
input rate 21.92 Kbps, 4 pps; output rate 3.17 Kbps, 3 pps
L3 Switched:
input: 227370630555 pkts, 330619803530696 bytes - output: 209935318021 pkts, 21355307781488 bytes
L3 in Switched:
ucast: 227167894930 pkts, 330596189744029 bytes - mcast: 202735625 pkts, 23613786667 bytes
L3 out Switched:
ucast: 209935318021 pkts, 21355307781488 bytes - mcast: 0 pkts, 0 bytes

您认为连接问题存在于 Switch 的某处还是 Server1 的网络配置中的某处？

如果您需要开关的一些额外输出，请告诉我。我无法粘贴整个运行配置，因为它真的很大。以下是 VLAN 接口的配置以获取更多详细信息：

SW1# sh run int Vlan1877



!Command: show running-config interface Vlan1877





version 5.2(7)



interface Vlan1877

  no ip redirects

  ip address 10.115.210.252/24

  ip unreachables

  ip ospf passive-interface

  ip router ospf 1 area 0.0.0.0

  hsrp version 2

  hsrp 1877

  authentication md5 key-chain HSRP

  preempt delay minimum 180 reload 240

  timers 1 3

  ip 10.115.210.254

  no shutdown

  mtu 9216

  description ***LINUX_BACKUP_TEST***



SW1# sh run int Vlan1904



!Command: show running-config interface Vlan1904



version 5.2(7)



interface Vlan1904

  no ip redirects

  ip address 10.114.91.252/24

  ip unreachables

  ip ospf passive-interface

  ip router ospf 1 area 0.0.0.0

  hsrp version 2

  hsrp 1904

  authentication md5 key-chain HSRP

  preempt delay minimum 180 reload 240

  timers 1 3

  ip 10.114.91.254

  ip dhcp relay address 10.252.63.132

  ip dhcp relay address 10.252.63.4

  ip dhcp relay address 10.83.234.2

  ip dhcp relay address 10.83.234.34

  no shutdown

  mtu 9216

  description ***Linux_User_Test_2***