Inter-VLAN routing problem

Network Engineering Cisco Routing Switching
2021-08-03 04:09:31

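As shown in the figure below, there is inter-VLAN routing between the servers (VLAN 107) and the sites located in VLAN 104. In fact, we can ping all of the inter-VLAN devices at the sites. But we cannot browse some of them, for example the radar and the microwave; we cannot browse them through their software. We can only ping them. Ping and browsing both work only from the access VLAN; over inter-VLAN we cannot browse. Is this supported??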


Switch configuration:

version 16.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname CORE-01[SCC-NSE-0002]
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
no aaa new-model
clock timezone AST 3 0
switch 1 provision ws-c3850-48xs
!
!
!
!
ip routing
!
!
!
ip multicast-routing
ip multicast auto-enable
ip multicast group-range 10
ip name-server 8.8.8.8 8.8.4.4
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
redundancy
 mode sso
!
!
!
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, SGT Cache Full, LOGGING
class-map match-any system-cpp-default
  description DHCP snooping, show forward and rest of traffic
class-map match-any system-cpp-police-sys-data
  description Learning cache ovfl, Crypto Control, Exception, EGR Exception, NFL SAMPLED DATA, Gold Pkt, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-multicast
  description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-control-low-priority
  description ICMP redirect and general punt
class-map match-any system-cpp-police-wireless-priority1
  description Wireless priority 1
class-map match-any system-cpp-police-wireless-priority2
  description Wireless priority 2
class-map match-any system-cpp-police-wireless-priority3-4-5
  description Wireless priority 3,4 and 5
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
policy-map system-cpp-policy
 class system-cpp-police-data
  police rate 200 pps
 class system-cpp-police-sys-data
  police rate 100 pps
 class system-cpp-police-sw-forward
  police rate 1000 pps
 class system-cpp-police-multicast
  police rate 500 pps
 class system-cpp-police-multicast-end-station
  police rate 2000 pps
 class system-cpp-police-punt-webauth
 class system-cpp-police-l2-control
 class system-cpp-police-routing-control
  police rate 1800 pps
 class system-cpp-police-control-low-priority
 class system-cpp-police-wireless-priority1
 class system-cpp-police-wireless-priority2
 class system-cpp-police-wireless-priority3-4-5
 class system-cpp-police-topology-control
 class system-cpp-police-dot1x-auth
 class system-cpp-police-protocol-snooping
 class system-cpp-police-forus
 class system-cpp-default
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 shutdown
 negotiation auto
!
interface TenGigabitEthernet1/0/1
 description <<<<< UPLINK FEC-110>>>>>
 switchport access vlan 101
 switchport mode access
!
interface TenGigabitEthernet1/0/2
 switchport access vlan 101
 switchport mode access
!
interface TenGigabitEthernet1/0/3
 description <<<<< UPLINK FEC-118>>>>>
 switchport access vlan 101
 switchport mode access
!
interface TenGigabitEthernet1/0/4
 description <<<<< UPLINK FEC-124>>>>>
 switchport access vlan 101
 switchport mode access
!
interface TenGigabitEthernet1/0/5
 description <<<<< UPLINK FEC-130>>>>>
 switchport access vlan 101
 switchport mode access
!
interface TenGigabitEthernet1/0/6
 switchport access vlan 102
 switchport mode access
 shutdown
!
interface TenGigabitEthernet1/0/7
 description <<<<<SECTOR-02 LOOP 7 - FEC142 UPLINK>>>>>>
 switchport access vlan 102
 switchport mode access
!
interface TenGigabitEthernet1/0/8
 description <<<<<LOOP 1 - FEC148 UPLINK>>>>>>
 switchport access vlan 104
 switchport mode access
!
interface TenGigabitEthernet1/0/9
 description <<<<<LOOP 2  - FEC154 UPLINK >>>>>>
 switchport access vlan 104
 switchport mode access
!
interface TenGigabitEthernet1/0/10
 description <<<<<LOOP 10 - FECxxxxx UPLINK>>>>>>
 switchport access vlan 104
 switchport mode access
!
interface TenGigabitEthernet1/0/11
 switchport access vlan 103
 switchport mode access
!
interface TenGigabitEthernet1/0/12
 switchport access vlan 103
 switchport mode access
!
interface TenGigabitEthernet1/0/13
 switchport access vlan 103
 switchport mode access
!
interface TenGigabitEthernet1/0/14
 description <<<<<UPLINK FEC-179>>>>>
 switchport access vlan 101
 switchport mode trunk
!
interface TenGigabitEthernet1/0/15
 description To SCC-NSW001
 switchport mode trunk
!
interface TenGigabitEthernet1/0/16
 switchport access vlan 108
 switchport mode access
!
interface TenGigabitEthernet1/0/17
 switchport trunk allowed vlan 120
 switchport mode trunk
!
interface TenGigabitEthernet1/0/18
!
interface TenGigabitEthernet1/0/19
 switchport mode trunk
!
interface TenGigabitEthernet1/0/20
 switchport mode trunk
!
interface TenGigabitEthernet1/0/21
 switchport mode trunk
!
interface TenGigabitEthernet1/0/22
 switchport mode trunk
!
interface TenGigabitEthernet1/0/23
 description <<<<<LOOP 2  - FEC153 UPLINK >>>>>>
 switchport access vlan 104
!
interface TenGigabitEthernet1/0/24
 switchport mode trunk
!
interface TenGigabitEthernet1/0/25
 switchport access vlan 107
 switchport mode access
!
interface TenGigabitEthernet1/0/26
!
interface TenGigabitEthernet1/0/27
 description <<<<Marine Loop1-UPLINK FEC-201>>>>>
 switchport access vlan 105
 switchport mode access
!
interface TenGigabitEthernet1/0/28
 description <<<<Marine Loop1-UPLINK FEC-219>>>>>
 switchport access vlan 106
 switchport mode access
!
interface TenGigabitEthernet1/0/29
 description <<<<<UPLINK FEC-213>>>>>
 switchport access vlan 105
 switchport mode access
!
interface TenGigabitEthernet1/0/30
 description Trunking with Moxa-Test
 switchport trunk allowed vlan 101-104
 switchport mode trunk
!
interface TenGigabitEthernet1/0/31
!
interface TenGigabitEthernet1/0/32
 description <<<<<UPLINK FEC 212 - 225temp >>>>>>
 switchport access vlan 106
 switchport mode access
!
interface TenGigabitEthernet1/0/33
 switchport mode trunk
!
interface TenGigabitEthernet1/0/34
 switchport mode trunk
!
interface TenGigabitEthernet1/0/35
 description <<<<<To SCC-NSW-003>>>>
 switchport mode trunk
!
interface TenGigabitEthernet1/0/36
 description <<<<<MARINE-PIB74 >>>>>>>
 switchport mode trunk
!
interface TenGigabitEthernet1/0/37
!
interface TenGigabitEthernet1/0/38
!
interface TenGigabitEthernet1/0/39
 description <<<<<VIDEOWALL SCC>>>>>
 switchport mode trunk
!
interface TenGigabitEthernet1/0/40
!
interface TenGigabitEthernet1/0/41
 switchport mode dot1q-tunnel
 no cdp enable
!
interface TenGigabitEthernet1/0/42
!
interface TenGigabitEthernet1/0/43
!
interface TenGigabitEthernet1/0/44
!
interface TenGigabitEthernet1/0/45
!
interface TenGigabitEthernet1/0/46
!
interface TenGigabitEthernet1/0/47
!
interface TenGigabitEthernet1/0/48
 description UP-Link with FortiGate1000D
 no switchport
 ip address 192.168.20.253 255.255.255.0
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/5
!
interface TenGigabitEthernet1/1/6
 description <<<<<UPLINK FEC-130>>>>>
 switchport access vlan 101
 switchport mode access
!
interface TenGigabitEthernet1/1/7
!
interface TenGigabitEthernet1/1/8
!
interface TenGigabitEthernet1/1/9
!
interface TenGigabitEthernet1/1/10
!
interface TenGigabitEthernet1/1/11
 switchport access vlan 101
 switchport mode access
!
interface TenGigabitEthernet1/1/12
!
interface TenGigabitEthernet1/1/13
!
interface TenGigabitEthernet1/1/14
!
interface TenGigabitEthernet1/1/15
!
interface TenGigabitEthernet1/1/16
!
interface FortyGigabitEthernet1/1/1
!
interface FortyGigabitEthernet1/1/2
!
interface FortyGigabitEthernet1/1/3
!
interface FortyGigabitEthernet1/1/4
!
interface Vlan1
 ip address 10.0.25.2 255.255.255.0
 standby 1 ip 10.0.25.100
 standby 1 priority 150
 standby 1 preempt
!
interface Vlan12
 no ip address
!
interface Vlan66
 description FAT IP[To be deleted]
 ip address 10.112.6.1 255.255.255.0
!
interface Vlan67
 description SIQURA CAMERA DEFAULT[To be deleted]
 no ip address
!
interface Vlan101
 description RSFIP-001
 ip address 10.0.1.2 255.255.255.0
 ip pim sparse-dense-mode
 standby 1 ip 10.0.1.254
 standby 1 priority 150
 standby 1 preempt
 ip igmp join-group 224.16.0.0
!
interface Vlan102
 description RSFIP-002
 ip address 10.0.2.2 255.255.255.0
 ip pim sparse-dense-mode
 standby 1 ip 10.0.2.254
 standby 1 priority 150
 standby 1 preempt
 ip igmp join-group 224.16.0.0
!
interface Vlan103
 description RSFIP-003
 ip address 10.0.3.2 255.255.255.0
 ip pim sparse-dense-mode
 standby 1 ip 10.0.3.254
 standby 1 priority 150
 standby 1 preempt
 ip igmp join-group 224.16.0.0
!
interface Vlan104
 description RSFIP-004
 ip address 10.0.4.2 255.255.255.0
 ip pim sparse-dense-mode
 standby 1 ip 10.0.4.254
 standby 1 priority 150
 standby 1 preempt
 ip igmp join-group 224.16.0.0
!
interface Vlan105
 ip address 10.0.5.2 255.255.255.0
 standby 1 ip 10.0.5.254
 standby 1 priority 150
 standby 1 preempt
!
interface Vlan106
 ip address 10.0.6.2 255.255.255.0
 standby 1 ip 10.0.6.254
 standby 1 priority 150
 standby 1 preempt
!
interface Vlan107
 description Head End Equipments
 ip address 10.0.7.2 255.255.255.0
 ip pim sparse-dense-mode
 standby 1 ip 10.0.7.254
 standby 1 priority 150
 standby 1 preempt
 ip igmp join-group 224.16.0.0
!
interface Vlan108
 description <<<<<BUILDING & GATES>>>>>
 ip address 10.0.8.2 255.255.255.0
 ip pim sparse-dense-mode
 standby 1 ip 10.0.8.254
 standby 1 priority 150
 standby 1 preempt
 ip igmp join-group 224.16.0.0
!
interface Vlan109
 ip address 10.0.9.2 255.255.255.0
 standby 1 ip 10.0.9.254
 standby 1 priority 150
 standby 1 preempt
 ip igmp join-group 224.16.0.0
!
interface Vlan110
 ip address 10.0.10.2 255.255.255.0
 standby 1 ip 10.0.10.254
 standby 1 priority 150
 standby 1 preempt
!
interface Vlan120
 ip address 172.17.1.1 255.255.0.0
!
interface Vlan200
 ip address 192.168.10.100 255.255.255.0
!
interface Vlan303
 description PELCO
 ip address 192.168.0.254 255.255.255.0
!
ip default-gateway 192.168.20.254
ip forward-protocol nd
ip forward-protocol udp ntp
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip route 0.0.0.0 0.0.0.0 192.168.20.254
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip route 0.0.0.0 0.0.0.0 192.168.30.254
!
ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
 permit tcp any any eq 22
 permit tcp any any eq 465
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit tcp any any eq 995
 permit tcp any any eq 1914
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq smtp
 permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
 permit udp any any range 16384 32767
 permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
 permit tcp any any range 2300 2400
 permit udp any any range 2300 2400
 permit tcp any any range 6881 6999
 permit tcp any any range 28800 29100
 permit tcp any any eq 1214
 permit udp any any eq 1214
 permit tcp any any eq 3689
 permit udp any any eq 3689
 permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
 permit tcp any any range 2000 2002
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
 permit tcp any any eq 443
 permit tcp any any eq 1521
 permit udp any any eq 1521
 permit tcp any any eq 1526
 permit udp any any eq 1526
 permit tcp any any eq 1575
 permit udp any any eq 1575
 permit tcp any any eq 1630
 permit udp any any eq 1630
 permit tcp any any eq 1527
 permit tcp any any eq 6200
 permit tcp any any eq 3389
 permit tcp any any eq 5985
 permit tcp any any eq 8080
!
!
!
control-plane
 service-policy input system-cpp-policy
!
!
no vstack
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
line vty 5 15
 login
!
ntp server 10.0.25.100
!
end

CORE-01[SCC-NSE-0002]#
3 Answers

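Based on the whole description, I suggest that L3 is working fine. The following can support further troubleshooting:

  1. Connect a Unix-like client in VLAN 104 and run an nmap port scan to see which L4 ports the target is responding on.

  2. Check the target host configuration for any potential restrictions.

  3. Check the return network access path from the target device to the server, to make sure on any asynchronous network path

Also: 4. Capture packets at the target device (SPAN or an inline Fluke Network)

  1. If you want to rule out the network at L2/L3/L4, you can connect a test client to the same VLAN on the same switch and test network access to the server.

  2. If you know which L4 destination port it should work on, you can use any specialised tool to investigate/troubleshoot further.

HTH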

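There is nothing wrong with your configuration; the ping confirms that your configuration is fine. So you need to check the configuration on the devices. Besides that, use traceroute and determine where the problem is. (I do not have permission to add a comment.)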

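Ping needs ICMP, a Layer 3 protocol, which means you have Layer 3 connectivity. For browsing, port 80 or 443 should be allowed; check whether you have any ACL blocking those ports. If there is no ACL, see whether you can check the server itself.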
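
The ACL check suggested in the last answer, as an added example (not part of any answer or of the original post): this Python code parses an IOS running-config, finds ACLs bound to interfaces with `ip access-group`, and reports which of them would deny ICMP, TCP/80 or TCP/443. The `BLOCK-WEB` ACL and its binding are hypothetical, and the function names are this example's own; the configuration in the question defines only AutoQos ACLs and binds none to an interface, so on that configuration the result is an empty list.

```python
import re

# Constructed sample: Vlan104/Vlan107 come from the question; BLOCK-WEB is hypothetical.
SAMPLE = """\
interface Vlan104
 ip address 10.0.4.2 255.255.255.0
 ip access-group BLOCK-WEB out
!
interface Vlan107
 ip address 10.0.7.2 255.255.255.0
ip access-list extended BLOCK-WEB
 permit icmp any any
 deny tcp any any eq 443
 permit tcp any any eq 22
"""

def parse(config):
    """Return (applied, acls): ACL bindings per interface, ACL entries per name."""
    applied, acls, section = {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line opens a new section
            m = re.match(r"(interface|ip access-list extended) (\S+)", line)
            section = m.groups() if m else None
        elif section and section[0] == "interface":
            m = re.match(r"\s+ip access-group (\S+) (in|out)", line)
            if m:
                applied.setdefault(section[1], []).append(m.groups())
        elif section:
            acls.setdefault(section[1], []).append(line.split())
    return applied, acls

def verdict(entries, proto, port=None):
    """First-match result; only 'any any' entries with eq/range are modelled."""
    for action, p, *rest in entries:
        if p not in (proto, "ip") or rest[:2] != ["any", "any"]:
            continue
        op = rest[2:]
        if (not op or (op[0] == "eq" and str(port) in op[1:]) or
                (op[0] == "range" and int(op[1]) <= port <= int(op[2]))):
            return action
    return "deny"  # implicit deny that ends every IOS ACL

def blocked(config, checks=(("icmp", None), ("tcp", 80), ("tcp", 443))):
    """List (interface, direction, acl, proto, port) denied by an applied ACL."""
    applied, acls = parse(config)
    return [(intf, d, name, proto, port)
            for intf, bound in applied.items() for name, d in bound
            for proto, port in checks
            if name in acls and verdict(acls[name], proto, port) == "deny"]
```

On the constructed sample, ICMP is permitted while TCP/80 falls through to the implicit deny and TCP/443 hits an explicit deny, which reproduces the "ping works, browsing fails" symptom from the question.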