分类: 网络与安全
我的一台3750G透过单模光纤接2960交换机,今天早上之间网络不通,3750G和2960上的SFP模块指示灯都不亮,查看CISCO 3750G的日志,有如下提示:
Apr 27 05:22:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
Apr 27 05:22:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
Apr 27 05:22:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
Apr 27 05:23:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
Apr 27 05:23:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
Apr 27 05:24:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
Apr 27 05:24:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
Apr 27 05:24:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
Apr 27 05:24:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
Apr 27 05:24:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
Apr 27 05:24:58: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
Apr 27 05:25:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
Apr 27 05:25:02: %LINK-3-UPDOWN: Interface GigabitEthernet1/1/1, changed state to down
Apr 27 05:25:04: %LINK-3-UPDOWN: Interface GigabitEthernet1/1/1, changed state to up
Apr 27 05:25:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
Apr 27 05:25:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
Apr 27 05:25:14: %PM-4-ERR_DISABLE: link-flap error detected on Gi1/1/1, putting Gi1/1/1 in err-disable state
Apr 27 05:25:15: %LINK-3-UPDOWN: Interface GigabitEthernet1/1/1, changed state to down
解决如下:
conf t
int gi1/1/1
shut
no shut
end
OK!!!
查阅关于link-flap及err-disable的资料如下:
http://www.net130.com/cms/Pub/Tech/tech_zh/2010_11_07_20606.htm
http://shanliren.blog.51cto.com/159454/165595
Cisco网站上关于link-flap的说明:
Link-flap error
Link flap means that the interface continually goes up and down. The interface is put into the errdisabled state if it flaps more than five times in 10 seconds. The common cause of link flap is a Layer 1 issue such as a bad cable, duplex mismatch, or bad Gigabit Interface Converter (GBIC) card. Look at the console messages or the messages that were sent to the syslog server that state the reason for the port shutdown.
我的翻译:
Link flap的意思是接口持续性的up和down。如果一个接口在10秒内发生超过5次up/down,将被置为errdisable状态。link-flap的原因为layer-1层的诸如网线问题、双工不匹配或者故障的千兆GBIC卡。可以查看console或者syslog服务器下的log日志,获取端口shutdwn的原因。
出现了这个问题,我们不得不重视起交换机端口“假死”的现象,寻求在交换机不重启的状态下将该端口“拯救”回来的方法。
拯救步骤1:查看日志/端口的状态
登录进入交换机后,执行show log,会看到如下的提示:
21w6d: %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on FastEthernet0/20.
21w6d: %PM-4-ERR_DISABLE: loopback error detected on Fa0/20, putting Fa0/20 in err-disable state
以上信息就明确表示由于检测到第20端口出现了环路,所以将该端口置于了err-disable状态。
查看端口的状态
Switch# show inter fa0/20 status
Port Name Status Vlan Duplex Speed Type
Fa0/20 link to databackup err-disabled 562 auto auto 10/100BaseTX
这条信息更加明确的表示了该端口处于err-disabled状态。
既然看到了该端口是被置于了错误的状态了,我们就应该有办法将其再恢复成正常的状态。
拯救步骤2:将端口从错误状态中恢复回来
进入交换机全局配置模式,执行errdisable recovery cause ?,会看到如下信息:
Switch(config)#errdisable recovery cause ?
all Enable timer to recover from all causes
bpduguard Enable timer to recover from BPDU Guard error disable state
channel-misconfig Enable timer to recover from channel misconfig disable state
dhcp-rate-limit Enable timer to recover from dhcp-rate-limit error disable state
dtp-flap Enable timer to recover from dtp-flap error disable state
gbic-invalid Enable timer to recover from invalid GBIC error disable state
l2ptguard Enable timer to recover from l2protocol-tunnel error disable state
link-flap Enable timer to recover from link-flap error disable state
loopback Enable timer to recover from loopback detected disable state
pagp-flap Enable timer to recover from pagp-flap error disable state
psecure-violation Enable timer to recover from psecure violation disable state
security-violation Enable timer to recover from 802.1x violation disable state
udld Enable timer to recover from udld error disable state
unicast-flood Enable timer to recover from unicast flood disable state
vmps Enable timer to recover from vmps shutdown error disable state
从列出的选项中,我们可以看出,有非常多的原因会引起端口被置于错误状态,由于我们明确的知道这台交换机上的端口是由于环路问题而被置于错误状态的,所以就可以直接键入命令:
Switch(config)#errdisable recovery cause loopback
是啊,就这么简单的一条命令,就把困挠我们很长时间的问题解决了,真的就这么神奇。那么如何验证这条命令是生效了呢?
拯救步骤3:显示被置于错误状态端口的恢复情况
Switch# show errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
udld Disabled
bpduguard Disabled
security-violatio Disabled
channel-misconfig Disabled
vmps Disabled
pagp-flap Disabled
dtp-flap Disabled
link-flap Disabled
gbic-invalid Disabled
l2ptguard Disabled
psecure-violation Disabled
gbic-invalid Disabled
dhcp-rate-limit Disabled
unicast-flood Disabled
loopback Enabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Interface Errdisable reason Time left(sec)
--------- ----------------- --------------
Fa0/8 loopback 276
Fa0/17 loopback 267
Fa0/20 loopback 250
从以上显示的信息可以看出,这台交换机有三个端口(Fa0/8、Fa0/17、Fa0/20)会分别在276、267、250秒之后恢复为正常的状态,实际情况也是这样,等了几分钟以后,我们找了一台笔记本电脑,分别接到这几个端口上试了一下,端口都可以正常工作了。这下总算在不重交换机的情况下,将几个处于“假死”状态的端口“拯救”了回来。
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~·
以上是一网友提供的解决cisco交换机端口假死的办法,虽然办法可行,但是每次假死后都要手动去恢复有些麻烦
为了让交换机出现此假死故障后能自动恢复,我们也有相应帮忙来解决
在这里我就上面网友的内容进行补充,用于cisco交换机自动恢复端口假死的故障
在特权模式下配置如下:
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
以上这些都是导致端口假死的条件,配置上述可以
%PM-4-ERR_DISABLE: link-flap error detected on Gi4/1, putting Gi4/
1 in err-disable state
Issue this command in order to view the flap values:
cat6knative#show errdisable flap-values
!--- Refer to show errdisable flap-values for more information on the command.
ErrDisable Reason Flaps Time (sec)
----------------- ------ ----------
pagp-flap 3 30
dtp-flap 3 30
link-flap 5 10
让端口在出现假死后自动恢复;
关于接口处于err-disable的故障排查
故障症状:
线路不通,物理指示灯灭或者显示为橙色(不同平台指示灯状态不同)
show interface 输出显示接口状态:
FastEthernet0/47 is down, line protocol is down (err-disabled)
接口状态是err-disable。
sw1#show interfaces status
Port Name Status Vlan Duplex Speed Type
Fa0/47 err-disabled 1 auto auto 10/100BaseTX
如果出现了接口状态为err-disable,show interfaces status err-disabled命令能查看触发err-disable的原因。
下面示例原因为bpduguard,在连接了交换机的端口配置了spanning-tree bpduguard enable。
sw1#show interfaces status err-disabled
Port Name Status Reason
Fa0/47 err-disabled bpduguard
接口产生err-disable的原因可以由以下的命令来查看,系统缺省的配置是所有列出的原因都能导致接口被置为err-disable。
sw1#show errdisable detect
ErrDisable Reason Detection status
----------------- ----------------
udld Enabled
bpduguard Enabled
security-violatio Enabled
channel-misconfig Enabled
psecure-violation Enabled
dhcp-rate-limit Enabled
unicast-flood Enabled
vmps Enabled
pagp-flap Enabled
dtp-flap Enabled
link-flap Enabled
l2ptguard Enabled
gbic-invalid Enabled
loopback Enabled
dhcp-rate-limit Enabled
unicast-flood Enabled
从列表中,我们可以看出常见的原因有udld,bpduguard,link-flap以及loopback等。
具体由什么原因导致当前接口err-disable可以由show interface status err-disable来查看。
在接口模式下采用shutdown,no shutdown进行手动的激活。
在缺省配置下,一旦接口被置为err-disable,IOS将不会试图恢复接口。
这个可以由show errdisable recovery来查看,timer status下面所有的值都是disable。
下面的示例中,由于手工配置了bpduguard恢复,所以timer status的值变为Enable。
sw1#show errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
udld Disabled
bpduguard Enabled
security-violatio Disabled
channel-misconfig Disabled
vmps Disabled
pagp-flap Disabled
dtp-flap Disabled
link-flap Disabled
l2ptguard Disabled
psecure-violation Disabled
gbic-invalid Disabled
dhcp-rate-limit Disabled
unicast-flood Disabled
loopback Disabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Interface Errdisable reason Time left(sec)
--------- ----------------- --------------
Fa0/47 bpduguard 217
配置IOS重新激活errdisable的接口,使用以下命令:
sw1(config)#errdisable recovery cause bpduguard
sw1(config)#errdisable recovery cause ?
all Enable timer to recover from all causes
bpduguard Enable timer to recover from BPDU Guard error disable state
channel-misconfig Enable timer to recover from channel misconfig disable state
dhcp-rate-limit Enable timer to recover from dhcp-rate-limit error disable state
dtp-flap Enable timer to recover from dtp-flap error disable state
gbic-invalid Enable timer to recover from invalid GBIC error disable state
l2ptguard Enable timer to recover from l2protocol-tunnel error disable state
link-flap Enable timer to recover from link-flap error disable state
loopback Enable timer to recover from loopback detected disable state
pagp-flap Enable timer to recover from pagp-flap error disable state
psecure-violation Enable timer to recover from psecure violation disable state
security-violation Enable timer to recover from 802.1x violation disable state
udld Enable timer to recover from udld error disable state
unicast-flood Enable timer to recover from unicast flood disable state
vmps Enable timer to recover from vmps shutdown error disable
配置完上述命令后,IOS在一段时间后试图恢复被置为err-disable的接口,这段时间缺省为300秒。
但是,如果引起err-disable的源没有根治,在恢复工作后,接口会再次被置为err-disable。
调整err-disable的超时时间,可以使用以下命令:
sw1(config)#errdisable recovery interval ?
<30-86400> timer-interval(sec)
可以调整在30-86400秒,缺省是300秒。
如果产生err-disable的原因是udld,下面有一条命令非常管用:
sw1#udld reset
No ports are disabled by UDLD.
同时,接口在被置为err-disable的时候,通常有一系列的日志产生,如下:
*Mar 15 15:47:19.984: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/47 with BPDU Guard enabled. Disabling port.
sw1#
*Mar 15 15:47:19.984: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/47, putting Fa0/47 in err-disable state
sw1#
*Mar 15 15:47:21.996: %LINK-3-UPDOWN: Interface FastEthernet0/47, changed state to down
收集这些日志也非常管用。
所以建议配置一个syslog server,收集log信息。
sw1#show interfaces status
Port Name Status Vlan Du...
开启errdisable功能,这样可以使用show errdisable来查看引发errdisable的原因是什么,再更加信息内容进行解决。
你要是想不影响使用的话,先用 no errdisable detect cause loopback 执行一下,将已经死掉的端口,no sh 一下 如果没问题,肯定是环路了,你可再找时间,对怀疑有问题的switch用拔插法,一个一个拔掉网线去查,当然,有更有效的方法,你可查看有问题的switch的所有rj45和gi口的状态,哪个有errdisable信息哪个就有问题。
switch#show interfaces status err-disabled
Port Name Status Reason
Fa0/22 err-disabled link-flap
Fa0/37 For office in 100K err-disabled link-flap
Fa0/41 unknow err-disabled link-flap
Fa0/42 Training Dc066 err-disabled link-flap
Fa0/45 Production line VM err-disabled link-flap
switch#show errdisable detect
ErrDisable Reason Detection status
----------------- ----------------
pagp-flap 3 30
dtp-flap 3 30
link-flap 5 10
( link-flap 这就是因为链路质量不好导致的)
关闭errdisable detectswitch
#no errdisable detect cause all
导致交换机接口出现err-disable的几个常见原因:
1. EtherChannel misconfiguration
2. Duplex mismatch
style="TEXT-INDENT: 2em">3. BPDU port guard
4. UDLD
5. Link-flap error
6. Loopback error
7. Port security violation
第一个当F EC两端配置不匹配的时候就会出现err-disable.假设Switch A把FEC模式配置为on,这时Switch A是不会发送PAgP包和相连的Switch B去协商FEC的,它假设Switch B已经配置好FEC了。但实事上Swtich B并没有配置FEC,当Switch B的这个状态超过1分钟后,Switch A的STP就认为有环路出现,因此也就出现了err-disable.解决办法就是把FEC的模式配置为channel-group 1 mode desirable non-silent这个意思是只有当双方的FEC协商成功后才建立channel,否则接口还处于正常状态。
第二个原因就是双工不匹配。一端配置为half-duplex后,他会检测对端是否在传输数据,只有对端停止传输数据,他才会发送类似于ack的包来让链路up,但对端却配置成了full-duplex,他才不管链路是否是空闲的,他只会不停的发送让链路up的请求,这样下去,链路状态就变成err-disable了。
三、第三个原因BPDU,也就是和portfast和BPDU guard有关。如果一个接口配置了portfast,那也就是说这个接口应该和一个pc连接,pc是不会发送spanning-tree的BPDU帧的,因此这个口也接收BPDU来生成spanning-tree,管理员也是出于好心在同一接口上配置了BPDU guard来防止未知的BPDU帧以增强安全性,但他恰恰不小心把一个交换机接到这个同时配置了portfast和BPDU guard接口上,于是这个接口接到了BPDU帧,因为配置了BPDU guard,这个接口自然要进入到err-disable状态。解决办法:no spanning-tree portfast bpduguard default,或者直接把portfast关了。
第四个原因是UDLD.UDLD是cisco的私有2层协议,用于检测链路的单向问题。有的时候物理层是up的,但链路层就是down,这时候就需要UDLD去检测链路是否是真的up的。当AB两端都配置好UDLD后,A给B发送一个包含自己port id的UDLD帧,B收到后会返回一个UDLD帧,并在其中包含了收到的A的port id,当A接收到这个帧并发现自己的port id也在其中后,认为这链路是好的。反之就变成err-disable状态了。假设A配置了UDLD,而B没有配置UDLD:A给B发送一个包含自己port id的帧,B收到后并不知道这个帧是什么,也就不会返回一个包含A的port id的UDLD帧,那么这时候A就认为这条链路是一个单向链路,自然也就变成err-disable状态了。
第五个原因就是链路的抖动,当链路在10秒内反复up、down五次,那么就进入err-disable状态。
第六个原因就是keepalive loopback.在12.1EA之前,默认情况下交换机会在所有接口都发送keepalive信息,由于一些不通交换机协商spanning-tree可能会有问题,一个接口又收到了自己发出的keepalive,那么这个接口就会变成err-disable了。解决办法就是把keepalive关了。或者把ios升到12.2SE.
最后一个原因,相对简单,就是由于配置了port-security violation shutdown
999
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
