Can't ping the firewall after changing the SFP

network-engineering switch firewall fortigate cisco-3850
2021-07-15 08:53:47

I'm currently dealing with an issue that has me puzzled... I have a network, 172.16.144.0/20, which connects through a Cisco 3850 external switch to our FortiGate 300D firewall. Because of hardware limitations, the port in use has a 100 Mbps SFP, while the remaining ports use 1 Gbps.

The problem is that I can ping all of my devices from the switch, but I can't ping the firewall, and I can't ping the switch from the firewall either. Using the same IP as the switch and the same firewall port, I connected a laptop and was able to ping the firewall.

I assume the SFP is the culprit, but I'm not sure how...

Current configuration : 17202 bytes
!
! Last configuration change at 20:16:42 UTC Fri Mar 1 2019
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
no service dhcp
service unsupported-transceiver
!
hostname SW
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging console critical
logging monitor critical
!
!
aaa session-id common
switch 1 provision ws-c3850-12s
!
!
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
!
ip domain-name
ip name-server 172.16.201.101
!
!
qos queue-softmax-multiplier 100
vtp domain
vtp mode transparent
udld aggressive
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause loopback
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 32,101,172,201 priority 4096
hw-switch switch 1 logging onboard message level 3
!
redundancy
 mode sso
!
vlan 3
!
vlan 5
!
vlan 6
!
vlan 2
!
vlan 8
!
vlan 11
!
vlan 12
!
vlan 5
!
vlan 21
 name UNUSED
no cdp run
!
ip tcp synwait-time 10
ip ssh time-out 30
ip ssh version 2
!
!
! 

!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet1/0/1
 description spare
 switchport access vlan 8
 switchport mode access
 no logging event link-status
 storm-control broadcast level 50.00 20.00
 storm-control multicast level 5.00 2.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport access vlan 8
 switchport mode access
 no logging event link-status
 storm-control broadcast level 50.00 20.00
 storm-control multicast level 5.00 2.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport access vlan 8
 switchport mode access
 no logging event link-status
 storm-control broadcast level 50.00 20.00
 storm-control multicast level 5.00 2.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport access vlan 8
 switchport mode access
 no logging event link-status
 storm-control broadcast level 50.00 20.00
 storm-control multicast level 5.00 2.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 switchport access vlan 8
 switchport mode access
 no logging event link-status
 storm-control broadcast level 50.00 20.00
 storm-control multicast level 5.00 2.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 switchport access vlan 8
 switchport mode access
 no logging event link-status
 storm-control broadcast level 50.00 20.00
 storm-control multicast level 5.00 2.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 switchport access vlan 8
 switchport mode access
 no logging event link-status
 storm-control broadcast level 50.00 20.00
 storm-control multicast level 5.00 2.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 switchport access vlan 8
 switchport mode access
 no logging event link-status
 speed 100
 duplex full
 storm-control broadcast level 50.00 20.00
 storm-control multicast level 5.00 2.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 switchport access vlan 8
 switchport mode access
 no logging event link-status
 storm-control broadcast level 50.00 20.00
 storm-control multicast level 5.00 2.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 switchport access vlan 8
 switchport mode access
 no logging event link-status
 storm-control broadcast level 50.00 20.00
 storm-control multicast level 5.00 2.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 switchport access vlan 8
 switchport mode access
 no logging event link-status
 speed 100
 duplex full
 storm-control broadcast level 50.00 20.00
 storm-control multicast level 5.00 2.00
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport trunk native vlan 55
 switchport trunk allowed vlan 8
 switchport mode trunk
 switchport nonegotiate
 no logging event link-status
 duplex full
 storm-control broadcast level 50.00 20.00
 storm-control multicast level 5.00 2.00
!
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan8
 ip address 172.16.150.200 255.255.240.0
!
interface Vlan3
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
ip default-gateway 172.16.201.27
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip access-list extended ALL_IP_TRAFFIC
 permit ip any any
!
!
1 Answer

speed 100
duplex full

on GE1/0/8 and GE1/0/11 is most likely a problem. Setting a fixed speed/duplex mode disables autonegotiation. If the other side isn't set to exactly the same mode, the link fails. With autonegotiation active on the other side, it detects the speed but falls back to half duplex, causing a duplex mismatch: the link works to some extent, but very poorly. With a media converter in between (assuming it is a dual-simplex type rather than a switching type), the "other side" is the converter's far end.

Also, you shouldn't use a 100 Mbit/s converter when the rest is 1 Gbit/s. Better yet, don't use a converter at all when you can use an SFP.

In general, never force speed/duplex unless there is no other solution, i.e. with ancient pre-autonegotiation hardware. Even when you've matched the settings on both sides, a device change (sic) will come back to bite you.
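Worked check, added here and not part of the question or the answer above: the mismatch the answer describes leaves fingerprints in two IOS outputs the asker can collect on the 3850, `show interfaces status` (a speed/duplex value without the `a-` prefix was configured, not negotiated) and `show interfaces` (the full-duplex side of a mismatch accumulates CRC errors and runts, the half-duplex side late collisions). The script below parses both and reports, per port, which symptoms are present, then emits the IOS lines that return the port to autonegotiation. The two sample outputs are constructed for this example: Gi1/0/8 and Gi1/0/11 are shown as the posted config would leave them, Gi1/0/9 is a clean autonegotiated port, Gi1/0/3 and every counter value are invented, and the `to-FortiGate` description is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample of `show interfaces status`. Gi1/0/8 and Gi1/0/11 carry the posted
# `speed 100` / `duplex full`, so they show plain "full"/"100" (no "a-" prefix);
# Gi1/0/9 is autonegotiated and clean; Gi1/0/3 is invented to show the half-duplex case.
SHOW_INT_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/3                      connected    8          a-half  a-100 10/100/1000BaseTX SFP
Gi1/0/8   to-FortiGate       connected    8            full    100 100BaseFX SFP
Gi1/0/9                      connected    8          a-full a-1000 1000BaseSX SFP
Gi1/0/11                     connected    8            full    100 100BaseFX SFP
"""

# Constructed excerpt of `show interfaces` for the same ports; counter values are invented,
# only the line formats follow IOS. Gi1/0/8 shows the full-duplex side of a mismatch
# (CRC errors and runts), Gi1/0/3 the half-duplex side (late collisions).
SHOW_INTERFACES = """\
GigabitEthernet1/0/3 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100/1000BaseTX SFP
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 58 collisions, 0 interface resets
     0 babbles, 19 late collision, 0 deferred
GigabitEthernet1/0/8 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 100BaseFX SFP
     37 runts, 0 giants, 0 throttles
     412 input errors, 375 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
GigabitEthernet1/0/9 is up, line protocol is up (connected)
  Full-duplex, 1000Mb/s, media type is 1000BaseSX SFP
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
GigabitEthernet1/0/11 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 100BaseFX SFP
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*(?P<status>connected|notconnect|disabled|err-disabled)"
    r"\s+(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s+(?P<type>.+)$"
)
HEADER_RE = re.compile(r"^(?P<iface>\S+) is (?:up|down|administratively down), line protocol")
COUNTER_RES = {
    "runts": re.compile(r"(\d+) runts"),
    "crc": re.compile(r"\d+ input errors, (\d+) CRC"),
    "collisions": re.compile(r"\d+ output errors, (\d+) collisions"),
    "late_collision": re.compile(r"(\d+) late collision"),
}
LONG_TO_SHORT = {"GigabitEthernet": "Gi", "TenGigabitEthernet": "Te", "FastEthernet": "Fa"}


def short_name(iface: str) -> str:
    """Map `show interfaces` names (GigabitEthernet1/0/8) to the `status` form (Gi1/0/8)."""
    for long, short in LONG_TO_SHORT.items():
        if iface.startswith(long):
            return short + iface[len(long):]
    return iface


def parse_status(text: str) -> Dict[str, Dict[str, str]]:
    """One dict per port from `show interfaces status`; the header line does not match."""
    ports = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            ports[m["port"]] = m.groupdict()
    return ports


def parse_counters(text: str) -> Dict[str, Dict[str, int]]:
    """Error counters per port from `show interfaces`, keyed by the short port name."""
    counters: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = short_name(h["iface"])
            counters[current] = {}
            continue
        if current is None:
            continue
        for key, rx in COUNTER_RES.items():
            m = rx.search(line)
            if m:
                counters[current][key] = int(m.group(1))
    return counters


def analyze(status_text: str, interfaces_text: str) -> Dict[str, List[str]]:
    """Return, per connected port, the mismatch symptoms found (empty dict = nothing found)."""
    findings: Dict[str, List[str]] = {}
    counters = parse_counters(interfaces_text)
    for port, p in parse_status(status_text).items():
        if p["status"] != "connected":
            continue
        notes = []
        # Without the "a-" prefix the value was configured, i.e. autonegotiation is off.
        if not (p["duplex"].startswith("a-") and p["speed"].startswith("a-")):
            notes.append(f"speed/duplex forced to {p['speed']}/{p['duplex']}; autoneg is off on this side")
        if p["duplex"].endswith("half"):
            notes.append("running half duplex; peer has probably forced full duplex")
        c = counters.get(port, {})
        if c.get("late_collision", 0):
            notes.append(f"{c['late_collision']} late collisions; half-duplex side of a mismatch")
        if p["duplex"].endswith("full") and (c.get("crc", 0) or c.get("runts", 0)):
            notes.append(f"{c.get('crc', 0)} CRC / {c.get('runts', 0)} runts on a full-duplex port; "
                         "peer is probably half duplex")
        if notes:
            findings[port] = notes
    return findings


def fix_commands(port: str) -> List[str]:
    """IOS lines that return a port to autonegotiation, as the answer recommends."""
    return [f"interface {port}", " speed auto", " duplex auto"]


if __name__ == "__main__":
    for port, notes in analyze(SHOW_INT_STATUS, SHOW_INTERFACES).items():
        print(port)
        for n in notes:
            print("  -", n)
        print("  fix:", " / ".join(fix_commands(port)))
```

Run it against your own two outputs by replacing the constructed strings. The fix it prints only covers the switch side; the answer's point is that both ends must negotiate, so the FortiGate port has to be returned to auto as well (in FortiOS that is `set speed auto` under `config system interface`, from memory rather than from this page). A port that is forced but shows no errors yet (Gi1/0/11 in the sample) is still reported, because the counters only grow once traffic and the peer's fallback to half duplex coincide.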