Unknown cause of CAM table entry disappearance and unicast flooding

network-engineering cisco routing mac-address mac flooding
2022-02-25 20:37:30

Posting this in response to the closed question: Network flooding without the ff-ff-ff-ff-ff-ff (layer 2 broadcast) MAC address in the destination?

I have the following problem in my network: frames addressed to a specific machine (ip 192.168.107.125, mac bbbb.bbbb.bbbb) are sent to some devices in the same VLAN.

For example, a Wireshark capture on another machine (ip 192.168.107.10, mac aaaa.aaaa.aaaa) lists packets destined for (ip 192.168.107.125, mac bbbb.bbbb.bbbb). The traffic is FTP traffic (including login and password), so I am pretty sure it has no place on 192.168.107.10.

I also found that the mac address-table entry for bbbb.bbbb.bbbb is missing when the flooding occurs. After restarting bbbb.bbbb.bbbb the MAC entry comes back, but only temporarily.

All the servers (network clients) in the diagram are in the same VLAN.

The switch models are as shown in the diagram. The configuration is shown on the diagram and listed below.

Network diagram

Edit 1: The device using the lost MAC definitely emits frames before the address disappears - we have Wireshark captures of this. In fact, the device keeps emitting frames even after the disappearance, so I would expect the switch to create a new MAC address table entry.

I checked the switch logs and there is no sign of link flapping on the port where the connected client's MAC is lost. For example, at one point when the MAC address was lost, I restarted the client device. In the logs I can see the interface going through the designated -> blocking -> learning -> forwarding stages (within 30 seconds), after which no messages about that interface appear. After the restart the MAC entry was still missing! Only moving the device to another port made it appear for a while.

Edit 2:

Nexus 1 configuration:

version 8.2(5)
feature-set fex
switchname Core
                 
feature telnet
feature vrrp
feature scheduler
feature ospf
feature pim
feature msdp
feature eigrp
feature port-security
feature interface-vlan
feature hsrp
feature lacp
feature dhcp
feature vpc
feature ptp
feature lldp
feature sla sender
feature sla responder

logging level aaa 5
logging level cdp 6
logging level hsrp 5
logging level interface-vlan 5
logging level monitor 6
logging level otm 5
logging level radius 5
logging level spanning-tree 6
logging level dhcp_snoop 5
logging level vpc 5

ip domain-lookup
service unsupported-transceiver
errdisable recovery cause link-flap
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause loopback
errdisable recovery cause storm-control
errdisable recovery cause security-violation
errdisable recovery cause psecure-violation
errdisable recovery cause vpc-peerlink
errdisable recovery cause failed-port-state

ip access-list accessblock121
  statistics per-entry
  11 deny ip 192.168.107.0/24 192.168.121.200/32 
  30 permit ip any any 
  
ip access-list cape
  statistics per-entry
  10 permit icmp 192.168.120.125/32 192.168.107.152/32 
  20 permit ip any any 

ip access-list tac
  statistics per-entry
  10 permit icmp 192.168.120.159/32 192.168.107.152/32 
  20 permit ip any any 
  
time-range 02:07:00

ip dhcp snooping
service dhcp
ip dhcp relay
ipv6 dhcp relay
ipv6 dhcp guard policy DHCP_CLIENT
!
class-map type qos match-any VLAN_QOS
policy-map type qos NFLINT
  class class-default
    police cir 200 mbps bc 200 ms conform transmit violate drop
    
fex 42
  pinning max-links 1
  debounce time 0
  description FEX_42
  
fex 45
  pinning max-links 1
  debounce time 0
  description FEX_45
  

ip pim rp-address 192.169.180.3 group-list 224.0.0.0/4
ip pim auto-rp mapping-agent Vlan107
ip pim ssm range 232.0.0.0/8
ip pim auto-rp forward
ip pim pre-build-spt
ip igmp any-query-destination

vlan 107
  name EEE

spanning-tree vlan 107 priority 4096
vrf context keepalive
vrf context management
  ip route 0.0.0.0/0 192.168.121.254
vpc domain 10
  peer-switch
  role priority 1500
  peer-keepalive destination 192.168.145.14 source 192.168.145.13 vrf keepalive
  peer-gateway
  config-sync
  ip arp synchronize

cfs eth distribute

interface Vlan107
  description EEE1
  no shutdown
  mtu 9216
  no ip redirects
  ip address 192.168.107.252/24
  no ipv6 redirects
  ip ospf passive-interface
  ip pim sparse-mode


interface port-channel1
  description VPC Peer-Link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 107
  spanning-tree port type network
  vpc peer-link


interface port-channel42
  description FEX_42
  switchport
  switchport mode fex-fabric
  fex associate 42
  mtu 9216

interface port-channel45
  description FEX_45
  switchport
  switchport mode fex-fabric
  fex associate 45
  mtu 9216


interface Ethernet4/1
  description VPC Peer-Link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 107
  spanning-tree port type network
  channel-group 1 mode active
  no shutdown

interface Ethernet4/3
  description VPC KeepAlive Link
  vrf member keepalive
  ip address 192.168.145.13/24
  no shutdown

interface Ethernet5/1
  description VPC Peer-Link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 107
  spanning-tree port type network
  channel-group 1 mode active
  no shutdown

interface Ethernet5/45
  description FLOODING_ADDRESSED_HERE
  switchport
  switchport access vlan 107
  ipv6 dhcp guard attach-policy DHCP_CLIENT
  no shutdown

interface Ethernet7/46
  description NO_FLOODING_HERE_1                    
  switchport
                                                  
  switchport access vlan 107
  ipv6 dhcp guard attach-policy DHCP_CLIENT
  no shutdown

interface Ethernet42/1/10
  description NO_FLOODING_HERE_2
  switchport
  switchport access vlan 107
                            
  no shutdown

interface Ethernet45/1/10
  description NO_FLOODING_HERE_3
  switchport
  switchport access vlan 107
  no shutdown

logging logfile messages 6
no terminal log-all
line console
  terminal width  80
line vty
                           
router ospf core
  network 192.168.107.0/24 area 0.0.0.0

monitor session 2 
  source interface Ethernet5/45 both
  destination interface Ethernet5/11
ip dhcp snooping vlan 107

scheduler logfile size 1024

Nexus 2 configuration:

version 8.2(5)
feature-set fex
hostname HOSTNAME

feature privilege
feature telnet
feature vrrp
feature scheduler
feature ospf
feature pim
feature msdp
feature eigrp
feature port-security
feature interface-vlan
feature hsrp
feature lacp
feature dhcp
feature vpc
feature ptp
feature lldp
feature sla sender
feature sla responder

logging level aaa 5
logging level cdp 6
logging level hsrp 5
logging level interface-vlan 5
logging level monitor 6
logging level otm 5
logging level radius 5
logging level spanning-tree 6
logging level dhcp_snoop 5
logging level vpc 5

ip domain-lookup
service unsupported-transceiver
errdisable recovery cause link-flap
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause loopback
errdisable recovery cause storm-control
errdisable recovery cause security-violation
errdisable recovery cause psecure-violation
errdisable recovery cause vpc-peerlink
errdisable recovery cause failed-port-state

ip access-list accessblock121
  statistics per-entry             
  11 deny ip 192.168.107.0/24 192.168.121.200/32                       
  30 permit ip any any
ip access-list cape
  statistics per-entry
  10 permit icmp 192.168.120.125/32 192.168.107.152/32 
  20 permit ip any any 

ip access-list tac
  statistics per-entry
  10 permit icmp 192.168.120.159/32 192.168.107.152/32 
  20 permit ip any any 
                           
ip dhcp snooping
service dhcp
ip dhcp relay
ipv6 dhcp relay
ipv6 dhcp guard policy DHCP_CLIENT
!
class-map type qos match-all trustme
fex 48
  pinning max-links 1
  debounce time 0
  description FEX_48
  
fex 54
  pinning max-links 1
  debounce time 0
  description FEX_54

ntp server 192.168.140.13
ntp server 192.168.140.14

ip pim rp-address 192.169.180.3 group-list 224.0.0.0/4
ip pim auto-rp mapping-agent Vlan107
ip pim ssm range 232.0.0.0/8
ip pim auto-rp forward
ip pim pre-build-spt
ip igmp any-query-destination

vlan 107
  name EEE                                       
vrf context keepalive
vrf context management
  ip route 0.0.0.0/0 192.168.121.254
vpc domain 10
  peer-switch
  role priority 1000
  peer-keepalive destination 192.168.145.13 source 192.168.145.14 vrf keepalive
  peer-gateway
  config-sync
  ip arp synchronize
cfs eth distribute


interface Vlan107
  description EEE1
  no shutdown
  mtu 9216
  no ip redirects
  ip address 192.168.107.254/24
  no ipv6 redirects
  ip ospf passive-interface
  ip pim sparse-mode


interface port-channel1
  description VPC Peer-Link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 107
  spanning-tree port type network
  vpc peer-link

interface port-channel48
  description FEX_48
  switchport
  switchport mode fex-fabric
  fex associate 48
  mtu 9216

interface port-channel54
  description FEX_54
  switchport
  switchport mode fex-fabric
  fex associate 54
  mtu 9216
  vpc 54

interface Ethernet4/1
  description VPC Peer-Link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 107
  spanning-tree port type network
  channel-group 1 mode active
  no shutdown
  
interface Ethernet4/3
  description VPC KeepAlive Link
  vrf member keepalive
  ip address 192.168.145.14/30
  no shutdown
  
interface Ethernet5/1
  description VPC Peer-Link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 107
  spanning-tree port type network
  channel-group 1 mode active
  no shutdown

interface Ethernet6/41
  description FEX_48
  switchport
  switchport mode fex-fabric
  fex associate 48
  mtu 9216
  channel-group 48
  no shutdown

interface Ethernet6/42
  description FEX_48
  switchport
  switchport mode fex-fabric
  fex associate 48
  mtu 9216
  channel-group 48
  no shutdown

interface Ethernet7/28
  description Link FEX54
  switchport
  switchport mode fex-fabric
  fex associate 54
  mtu 9216
  channel-group 54
  no shutdown

interface Ethernet48/1/3
  description FLOODING_RECEIVED_HERE_1
  switchport
  switchport access vlan 107
  ipv6 dhcp guard attach-policy DHCP_CLIENT
  no shutdown

interface Ethernet48/1/8    
  description FLOODING_RECEIVED_HERE_2
  switchport
  switchport access vlan 107
  ipv6 dhcp guard attach-policy DHCP_CLIENT
  no shutdown
  
interface Ethernet54/1/10
  description FLOODING_RECEIVED_HERE_3
  switchport
  switchport access vlan 107
  no shutdown
  
logging logfile messages 6
no terminal log-all
line console
  terminal width  80
line vty
router eigrp 10
  router-id 192.168.133.253
  default-information originate
router ospf 1
router ospf core
  network 192.168.107.0/24 area 0.0.0.0
monitor session 2 
ip dhcp snooping vlan 107

scheduler logfile size 1024

Edit 3: Hypothesis: the MAC address is lost because it aged out. Thank you, Zac67, I wanted to test this further. When the MAC address table entry for bbbb.bbbb.bbbb was missing, I exported the ARP and CAM tables from both switches. The ARP entry exists:

192.168.107.125 00:15:53 bbbb.bbbb.bbbb Vlan107

But the CAM table on neither switch contains this MAC entry! I know that if we see flooding on one side only, one would conclude that the entry is missing only on that side, but that is not the case: the flooding happens on one side only, and both CAM tables lack the entry.

Also, while the MAC address table entry for bbbb.bbbb.bbbb was missing from the switch, I did a SPAN capture on the interface this client is connected to and saw the following: SPAN capture

I interpret this as evidence that the switch has received frames with the source hardware address bbbb.bbbb.bbbb encapsulated in them. Even if the MAC entry times out, the switch should re-create it, right?
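The check the question describes (a host-side capture showing unicast for another machine) can be automated. This is an added example, not code from the question; the capture format is a constructed simplification, and the MACs are constructed locally-administered unicast addresses rather than the question's placeholders, because bbbb.bbbb.bbbb has the I/G bit set (0xbb is odd) and a real classifier would call it multicast.

```python
"""Classify frames from a host-side capture to spot unicast flooding.
Constructed input: one frame per line, "src_mac dst_mac ip_src ip_dst l4_dst_port".
Not from the original question."""
from collections import Counter

OWN_MAC = "0200.0000.0010"   # NIC running Wireshark (stand-in for aaaa.aaaa.aaaa)

# Constructed sample. The last three frames are for another host
# (0200.0000.0125, stand-in for bbbb.bbbb.bbbb) and should never reach this NIC.
SAMPLE_CAPTURE = """\
0200.0000.0010 ffff.ffff.ffff 192.168.107.10 192.168.107.255 137
0200.0000.0254 0200.0000.0010 192.168.107.254 192.168.107.10 443
0200.0000.0254 0100.5e00.0001 192.168.107.254 224.0.0.1 0
0200.0000.0030 0200.0000.0125 192.168.107.30 192.168.107.125 21
0200.0000.0030 0200.0000.0125 192.168.107.30 192.168.107.125 21
0200.0000.0030 0200.0000.0125 192.168.107.30 192.168.107.125 22
"""

def is_group_address(mac):
    """True if the I/G bit (LSB of the first octet) is set: multicast or broadcast."""
    return bytes.fromhex(mac.replace(".", ""))[0] & 1 == 1

def classify(dst, own=OWN_MAC):
    if dst == "ffff.ffff.ffff":
        return "broadcast"
    if is_group_address(dst):
        return "multicast"
    if dst == own:
        return "own-unicast"
    return "foreign-unicast"   # unicast for someone else: the switch flooded it

def analyze(capture_text, own=OWN_MAC):
    """Return (per-class frame counts, report of flooded destinations)."""
    cleartext = {21: "ftp", 23: "telnet", 80: "http"}   # credential-bearing protocols
    counts, report = Counter(), {}
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        src, dst, ip_src, ip_dst, port = line.split()
        kind = classify(dst, own)
        counts[kind] += 1
        if kind == "foreign-unicast":
            victim = report.setdefault(dst, {"ip": ip_dst, "frames": 0, "cleartext": set()})
            victim["frames"] += 1
            if int(port) in cleartext:
                victim["cleartext"].add(cleartext[int(port)])
    return counts, report

if __name__ == "__main__":
    counts, report = analyze(SAMPLE_CAPTURE)
    print(dict(counts), report)
```

A non-empty report means the switch is flooding someone else's unicast to this port; the cleartext set shows which of it exposes credentials, as the FTP traffic in the question does.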

1 Answer

Frames addressed to a specific machine (ip 192.168.0.20, mac bbbb.bbbb.bbbb) are sent to some devices in that VLAN.

Unless that MAC address is a multicast address, it must be unique within its VLAN - "some devices" should be "some device".

[edit] You seem to be referring to the devices connected to the right-hand Nexus - sorry about that.

A Wireshark capture on another machine (ip 192.168.0.10, mac aaaa.aaaa.aaaa) lists packets destined for (ip 192.168.0.20, mac bbbb.bbbb.bbbb). The traffic is FTP traffic (including login and password), so I am pretty sure it has no place on 192.168.0.10.

A switch does not care about IP addresses; the only relevant thing is the MAC address - the source for learning, the destination for forwarding.

As with your previous question, a MAC address is removed from its port association when

  • its associated port loses link
  • it is not seen for a while and is aged out by the switch (that time is usually configurable)
  • it is seen as the source on another port

When the destination MAC is not in its source address table, the switch floods the frame to all ports, just like a broadcast, mimicking a repeater hub. However, all NICs that the MAC does not resolve to simply ignore the frame - so it only wastes bandwidth but does not cause problems.

So make sure the MAC aging in the switch is configured correctly and that the device using the MAC emits frames before the address ages out. Also check the logs for any link flapping that could cause the MAC to be dropped prematurely. As a workaround you could try triggering an ARP query every few minutes or so.

Since the right-hand Nexus loses the MAC address from its table, you should make sure that at least some traffic from 192.168.0.20 reaches that switch before the aging timeout (1800 seconds by default) expires the address. Usually, somewhat frequent broadcasts (e.g. ARP) ensure a reliable update of all switches, but that node may not need to / does not do that. If you cannot extend the aging time, pinging that switch in either direction should fix the problem.

You should try setting a longer MAC aging timeout:

mac address-table aging-time seconds [vlan vlan_id]

If that does not help, you can put a static mapping on the desired port:

mac address-table static mac_addr vlan vlan_id [interface type slot/port]

For details see https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus7000/sw/layer2/command/cisco_nexus7000_layer2_command_ref/cisco_nexus7000_layer2_command_ref_chapter_011.html
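The three removal causes and the flooding behaviour described in the answer, as a small CAM table model. This is an added example, not code from the answer or from Cisco; it models the expected behaviour (a frame from the source re-learns the entry), uses port names borrowed from the posted configs, and uses constructed MACs and a 1800 s default aging time as quoted above. The keepalive function goes beyond the answer's text by testing the "send something every few minutes" workaround against the aging time.

```python
"""Switch MAC (CAM) table model: learning, aging, port flush and unknown-unicast
flooding. Added example, not from the answer; ports and MACs are constructed."""

class CamTable:
    def __init__(self, ports, aging_time=1800):      # 1800 s: Nexus default quoted above
        self.ports, self.aging_time = set(ports), aging_time
        self.entries = {}                            # mac -> (port, last_seen)

    def _age_out(self, now):
        # Cause 2 from the answer: an entry not refreshed within aging_time is dropped.
        for mac in [m for m, (_, seen) in self.entries.items() if now - seen >= self.aging_time]:
            del self.entries[mac]

    def link_down(self, port):
        # Cause 1: every MAC learned on a port is flushed when that port loses link.
        self.entries = {m: e for m, e in self.entries.items() if e[0] != port}

    def forward(self, now, ingress, src, dst):
        """Learn src on ingress, then return the set of egress ports for dst."""
        self._age_out(now)
        self.entries[src] = (ingress, now)           # Cause 3: a move overwrites the old port
        if dst == "ffff.ffff.ffff" or dst not in self.entries:
            return self.ports - {ingress}            # unknown unicast is flooded like broadcast
        return {self.entries[dst][0]}

PORTS = ["e5/45", "e48/1/3", "e48/1/8"]              # port names borrowed from the configs
VICTIM, CLIENT = "0200.0000.0125", "0200.0000.0030"  # constructed stand-ins for bbbb/aaaa

def aging_scenario(aging_time=1800):
    """Egress sets for three client->victim frames: before aging, after the victim
    has been silent longer than aging_time, and after the victim is re-learned."""
    sw = CamTable(PORTS, aging_time)
    sw.forward(0, "e5/45", VICTIM, "ffff.ffff.ffff")             # victim ARPs: learned
    before = sw.forward(10, "e48/1/3", CLIENT, VICTIM)
    after = sw.forward(10 + aging_time + 1, "e48/1/3", CLIENT, VICTIM)
    sw.forward(10 + aging_time + 2, "e5/45", VICTIM, CLIENT)     # any frame from victim re-learns
    relearned = sw.forward(10 + aging_time + 3, "e48/1/3", CLIENT, VICTIM)
    return before, after, relearned

def floods_with_keepalive(aging_time, interval, duration=7200):
    """True if a victim that sends one frame every `interval` s ever has its
    traffic flooded within `duration` s (the 'ping every few minutes' workaround)."""
    sw = CamTable(PORTS, aging_time)
    for now in range(0, duration, 5):
        if now % interval == 0:
            sw.forward(now, "e5/45", VICTIM, "ffff.ffff.ffff")
        if len(sw.forward(now, "e48/1/3", CLIENT, VICTIM)) > 1:
            return True
    return False
```

With the default 1800 s aging, a keepalive every 300 s keeps the victim's entry alive, while one every 3600 s lets it age out and the client's unicast is flooded to every other port in the VLAN.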