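HCIE Lab TAC-1

Diagnosis 1

The loopback0 interface of AR29 cannot reach the loopback0 interface of AR28.

Solution

1. Root Cause

The VLAN configuration on LSW6 is wrong, which places AR29 and AR28 in different broadcast domains, so they cannot establish a normal OSPF neighbor relationship.

2. Fault Analysis
2.1 Reproducing the fault
On AR29, test connectivity to AR28's loopback0 interface using AR29's loopback0 address as the source. The result is as follows: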
"""
<AR29>ping -a 10.5.1.29 10.5.1.28
  PING 10.5.1.28: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 10.5.1.28 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
"""
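The output shows that the loopback0 interfaces of AR29 and AR28 indeed cannot communicate, so the fault exists.

2.2 Checking the routing table
For AR29 to reach AR28's loopback0 interface, its routing table must first contain a route to that interface. Check AR29's routing table. The result is as follows: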
"""
<AR29>display ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 12       Routes : 12       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

      10.5.1.29/32  Direct  0    0           D   127.0.0.1       LoopBack0
      10.5.1.33/32  OSPF    10   1           D   10.5.233.33     GigabitEthernet
0/0/1
     10.5.128.0/24  Direct  0    0           D   10.5.128.29     GigabitEthernet
0/0/0
    10.5.128.29/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/0
   10.5.128.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/0
     10.5.233.0/24  Direct  0    0           D   10.5.233.29     GigabitEthernet
0/0/1
    10.5.233.29/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/1
   10.5.233.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/1
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

"""
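The output shows that AR29 has no route to AR28's loopback0 interface.

2.3 Checking OSPF neighbors
AR28 and AR29 run OSPF between them. Check whether the OSPF neighbor relationship between AR28 and AR29 is normal. The result is as follows: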
"""
<AR29>display ospf peer brief 

	 OSPF Process 1 with Router ID 10.5.1.29
		  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.2          GigabitEthernet0/0/1             10.5.1.33        Full        
 ----------------------------------------------------------------------------
"""
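The output shows that AR29 has no neighbor relationship with AR28.

2.4 Checking AR27's OSPF neighbors and routes
AR27 is in the same OSPF area as AR28 and AR29. Check whether AR27's OSPF neighbors and routes are normal. The result is as follows: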
"""
# OSPF neighbors of AR27
<AR27>display ospf peer brief 

	 OSPF Process 1 with Router ID 10.5.1.27
		  Peer Statistic Information
 ----------------------------------------------------------------------------
 Area Id          Interface                        Neighbor id      State    
 0.0.0.0          GigabitEthernet0/0/0             10.5.1.28        Full        
 ----------------------------------------------------------------------------

# Routing table of AR27
<AR27>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 19       Routes : 19       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0           D   10.5.128.27     GigabitEthernet
0/0/0
      10.5.1.27/32  Direct  0    0           D   127.0.0.1       LoopBack0
      10.5.1.28/32  OSPF    10   1           D   10.5.128.28     GigabitEthernet
0/0/0
      10.5.1.30/32  O_ASE   150  1           D   10.5.128.28     GigabitEthernet
0/0/0
      10.5.1.31/32  O_ASE   150  1           D   10.5.128.28     GigabitEthernet
0/0/0
      10.5.1.32/32  OSPF    10   2           D   10.5.128.28     GigabitEthernet
0/0/0
      10.5.1.34/32  O_ASE   150  1           D   10.5.128.28     GigabitEthernet
0/0/0
     10.5.128.0/24  Direct  0    0           D   10.5.128.27     GigabitEthernet
0/0/0
    10.5.128.27/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/0
   10.5.128.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/0
     10.5.134.0/24  O_ASE   150  1           D   10.5.128.28     GigabitEthernet
0/0/0
     10.5.230.0/24  O_ASE   150  1           D   10.5.128.28     GigabitEthernet
0/0/0
     10.5.231.0/24  O_ASE   150  1           D   10.5.128.28     GigabitEthernet
0/0/0
     10.5.232.0/24  OSPF    10   2           D   10.5.128.28     GigabitEthernet
0/0/0
     10.5.234.0/24  O_ASE   150  1           D   10.5.128.28     GigabitEthernet
0/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
"""
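The output shows that AR27 has established a normal OSPF neighbor relationship with AR28, and that AR27's routing table contains a route to AR28's loopback0 interface address. This shows that the OSPF configuration between AR28 and AR27 is correct.

2.5 Comparing the OSPF configuration of AR27 and AR29
AR27's OSPF configuration is known to be correct. Compare AR29's OSPF configuration against it to check whether AR29's is correct. The result is as follows: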
"""
# OSPF configuration of AR27
<AR27>display ospf brief

	 OSPF Process 1 with Router ID 10.5.1.27
		 OSPF Protocol Information

 RouterID: 10.5.1.27        Border Router: 
 Multi-VPN-Instance is not enabled
 Global DS-TE Mode: Non-Standard IETF Mode
 Graceful-restart capability: disabled
 Helper support capability  : not configured
 Applications Supported: MPLS Traffic-Engineering 
 Spf-schedule-interval: max 10000ms, start 500ms, hold 1000ms
 Default ASE parameters: Metric: 1 Tag: 1 Type: 2
 Route Preference: 10 
 ASE Route Preference: 150 
 SPF Computation Count: 7     
 RFC 1583 Compatible
 Retransmission limitation is disabled
 Area Count: 1   Nssa Area Count: 0 
 ExChange/Loading Neighbors: 0
 Process total up interface count: 2
 Process valid up interface count: 1
 
 Area: 0.0.0.0          (MPLS TE not enabled)
 Authtype: MD5   Area flag: Normal
 SPF scheduled Count: 7     
 ExChange/Loading Neighbors: 0
 Router ID conflict state: Normal
 Area interface up count: 2

 Interface: 10.5.128.27 (GigabitEthernet0/0/0)
 Cost: 1       State: DR        Type: Broadcast    MTU: 1500  
 Priority: 1
 Designated Router: 10.5.128.27
 Backup Designated Router: 10.5.128.28
 Timers: Hello 10 , Dead 40 , Poll  120 , Retransmit 5 , Transmit Delay 1 

 Interface: 10.5.1.27 (LoopBack0)
 Cost: 0       State: P-2-P     Type: P2P       MTU: 1500  
 Timers: Hello 10 , Dead 40 , Poll  120 , Retransmit 5 , Transmit Delay 1 

# OSPF configuration of AR29
<AR29>display ospf brief 

	 OSPF Process 1 with Router ID 10.5.1.29
		 OSPF Protocol Information

 RouterID: 10.5.1.29        Border Router:  AREA 
 Multi-VPN-Instance is not enabled
 Global DS-TE Mode: Non-Standard IETF Mode
 Graceful-restart capability: disabled
 Helper support capability  : not configured
 Applications Supported: MPLS Traffic-Engineering 
 Spf-schedule-interval: max 10000ms, start 500ms, hold 1000ms
 Default ASE parameters: Metric: 1 Tag: 1 Type: 2
 Route Preference: 10 
 ASE Route Preference: 150 
 SPF Computation Count: 7     
 RFC 1583 Compatible
 Retransmission limitation is disabled
 Area Count: 2   Nssa Area Count: 0 
 ExChange/Loading Neighbors: 0
 Process total up interface count: 3
 Process valid up interface count: 2
 
 Area: 0.0.0.0          (MPLS TE not enabled)
 Authtype: MD5   Area flag: Normal
 SPF scheduled Count: 7     
 ExChange/Loading Neighbors: 0
 Router ID conflict state: Normal
 Area interface up count: 2

 Interface: 10.5.128.29 (GigabitEthernet0/0/0)
 Cost: 1       State: DR        Type: Broadcast    MTU: 1500  
 Priority: 1
 Designated Router: 10.5.128.29
 Backup Designated Router: 0.0.0.0
 Timers: Hello 10 , Dead 40 , Poll  120 , Retransmit 5 , Transmit Delay 1 

 Interface: 10.5.1.29 (LoopBack0)
 Cost: 0       State: P-2-P     Type: P2P       MTU: 1500  
 Timers: Hello 10 , Dead 40 , Poll  120 , Retransmit 5 , Transmit Delay 1 
 
 Area: 0.0.0.2          (MPLS TE not enabled)
 Authtype: MD5   Area flag: Normal
 SPF scheduled Count: 6     
 ExChange/Loading Neighbors: 0
 Router ID conflict state: Normal
 Area interface up count: 1

 Interface: 10.5.233.29 (GigabitEthernet0/0/1)
 Cost: 1       State: BDR       Type: Broadcast    MTU: 1500  
 Priority: 1
 Designated Router: 10.5.233.33
 Backup Designated Router: 10.5.233.29
 Timers: Hello 10 , Dead 40 , Poll  120 , Retransmit 5 , Transmit Delay 1 

"""
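The output shows that GigabitEthernet0/0/0 on both AR27 and AR29 is advertised into OSPF area 0, with cost 1, network type Broadcast, MTU 1500 and a hello interval of 10 seconds. LoopBack0 on both is also advertised into area 0, with cost 0, network type P2P, MTU 1500 and a hello interval of 10 seconds. This shows that AR29's OSPF configuration is correct.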
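
The comparison in section 2.5, as an added example that is not part of the original write-up: a parser for `display ospf brief` that extracts the per-interface parameters compared above and lists any that differ. The function names and the trimmed sample strings are assumptions made for this illustration.

```python
import re

# Sample input: excerpts of the `display ospf brief` output shown in section 2.5.
AR27_BRIEF = """
 Area: 0.0.0.0          (MPLS TE not enabled)
 Authtype: MD5   Area flag: Normal
 Interface: 10.5.128.27 (GigabitEthernet0/0/0)
 Cost: 1       State: DR        Type: Broadcast    MTU: 1500
 Timers: Hello 10 , Dead 40 , Poll  120 , Retransmit 5 , Transmit Delay 1
"""
AR29_BRIEF = """
 Area Count: 2   Nssa Area Count: 0
 Area: 0.0.0.0          (MPLS TE not enabled)
 Authtype: MD5   Area flag: Normal
 Interface: 10.5.128.29 (GigabitEthernet0/0/0)
 Cost: 1       State: DR        Type: Broadcast    MTU: 1500
 Timers: Hello 10 , Dead 40 , Poll  120 , Retransmit 5 , Transmit Delay 1
 Area: 0.0.0.2          (MPLS TE not enabled)
 Authtype: MD5   Area flag: Normal
 Interface: 10.5.233.29 (GigabitEthernet0/0/1)
 Cost: 1       State: BDR       Type: Broadcast    MTU: 1500
 Timers: Hello 10 , Dead 40 , Poll  120 , Retransmit 5 , Transmit Delay 1
"""

FIELDS = ("area", "auth", "type", "mtu", "hello", "dead")

def parse_ospf_brief(text):
    """Map interface name -> OSPF parameters, tracking the enclosing Area block."""
    ifaces, area, auth, cur = {}, None, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Area: (\S+)", line):          # not "Area Count:" etc.
            area, auth, cur = m.group(1), None, None
        elif m := re.match(r"Authtype: (\S+)", line):
            auth = m.group(1)
        elif m := re.match(r"Interface: (\S+) \((\S+)\)", line):
            cur = ifaces[m.group(2)] = {"ip": m.group(1), "area": area, "auth": auth}
        elif cur is not None and (m := re.search(r"Type: (\S+)\s+MTU: (\d+)", line)):
            cur["type"], cur["mtu"] = m.group(1), int(m.group(2))
        elif cur is not None and (m := re.match(r"Timers: Hello (\d+) , Dead (\d+)", line)):
            cur["hello"], cur["dead"] = int(m.group(1)), int(m.group(2))
    return ifaces

def mismatches(a, b):
    """Return (field, value_a, value_b) for each compared parameter that differs."""
    return [(f, a.get(f), b.get(f)) for f in FIELDS if a.get(f) != b.get(f)]

if __name__ == "__main__":
    a = parse_ospf_brief(AR27_BRIEF)["GigabitEthernet0/0/0"]
    b = parse_ospf_brief(AR29_BRIEF)["GigabitEthernet0/0/0"]
    print(mismatches(a, b) or "no parameter mismatch: continue below OSPF (L3/L2/VLAN)")
```

An empty result for the two GigabitEthernet0/0/0 interfaces matches the conclusion of this section and moves the investigation to the lower layers.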

2.6 Checking OSPF errors
Check the OSPF error statistics on the AR29 interface that connects to LSW6. The result is as follows:
"""
<AR29>display ospf error interface GigabitEthernet 0/0/0

	 OSPF Process 1 with Router ID 10.5.1.29
		 OSPF error statistics 

 Interface: GigabitEthernet0/0/0 (10.5.128.29)
General packet errors:
 0     : Bad version                    0     : Bad checksum
 0     : Bad area id                    0     : Bad authentication type
 0     : Bad authentication key         0     : Unknown neighbor
 0     : Bad net segment                0     : Extern option mismatch
 0     : Router id confusion

HELLO packet errors:
 0     : Netmask mismatch               0     : Hello timer mismatch
 0     : Dead timer mismatch            0     : Invalid Source Address

DD packet errors:
 0     : MTU option mismatch

LS REQ packet errors:
 0     : Bad request

LS UPD packet errors:
 0     : LSA checksum bad

Receive Grace LSA errors:
 0     : Number of invalid LSAs         0     : Number of policy failed LSAs
 0     : Number of wrong period LSAs

"""
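The output shows that no errors of any kind have been recorded on AR29. This can happen in only two cases: either the neighbor relationship is established normally, or AR29 has not received any packets. Clearly, the current case is that AR29 has not received any packets.

2.7 Checking layer 3 connectivity
Establishing an OSPF neighbor relationship depends on layer 3 connectivity. Test whether AR29 and AR28 can communicate normally at layer 3. The result is as follows: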
"""
# Obtain the details of AR28's GigabitEthernet0/0/0 interface from AR27's ARP table
<AR27>display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE 
                                          VLAN/CEVLAN PVC                      
------------------------------------------------------------------------------
10.5.128.27     00e0-fc0e-3f2e            I -         GE0/0/0
10.5.128.28     00e0-fc61-5aef  1         D-0         GE0/0/0
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0     Interface:1   

# Test layer 3 connectivity
<AR29> ping 10.5.128.28
  PING 10.5.128.28: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 10.5.128.28 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
"""
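The output shows that AR28 and AR29 cannot communicate normally at layer 3.

2.8 Checking the ARP table and running a unicast test
Normal layer 3 communication requires first learning the MAC address of the peer interface. Check whether AR29's ARP table contains the corresponding entry, and run a unicast test at the same time. The result is as follows: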
"""
# ARP table
<AR29>display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE 
                                          VLAN/CEVLAN PVC                      
------------------------------------------------------------------------------
10.5.128.29     00e0-fcc1-1b22            I -         GE0/0/0
10.5.233.29     00e0-fcc1-1b23            I -         GE0/0/1
10.5.233.33     00e0-fc64-44f6  18        D-0         GE0/0/1
------------------------------------------------------------------------------
Total:3         Dynamic:1       Static:0     Interface:2   

# Unicast test
<AR29>arp-ping mac 00e0-fc61-5aef interface GigabitEthernet 0/0/0
  OutInterface: GigabitEthernet0/0/0 MAC[00-E0-FC-61-5A-EF], press CTRL_C to bre
ak
Error: Request timed out.
Error: Request timed out.
Error: Request timed out.

    ----- ARP-Ping MAC statistics -----
    3 packet(s) transmitted
    0 packet(s) received
    MAC[00-E0-FC-61-5A-EF]  not be used
"""
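The output shows that AR29's ARP table has no entry for the MAC address of AR28's GigabitEthernet0/0/0 interface, and the unicast test also fails. This indicates that AR28 and AR29 cannot communicate normally at layer 2 either.

2.9 Checking the interface state
Check whether the state of AR29's GigabitEthernet0/0/0 interface is normal. The result is as follows: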
"""
<AR29>display interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2021-01-02 10:23:01 UTC-08:00
Description:HUAWEI, AR Series, GigabitEthernet0/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.5.128.29/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fcc1-1b22
Last physical up time   : 2021-01-02 10:23:01 UTC-08:00
Last physical down time : 2021-01-02 10:22:53 UTC-08:00
Current system time: 2021-01-02 10:50:04-08:00
Port Mode: FORCE COPPER
Speed : 1000,  Loopback: NONE
Duplex: FULL,  Negotiation: ENABLE
Mdi   : AUTO
Last 300 seconds input rate 424 bits/sec, 0 packets/sec
Last 300 seconds output rate 72 bits/sec, 0 packets/sec
Input peak rate 568 bits/sec,Record time: 2021-01-02 10:23:28
Output peak rate 432 bits/sec,Record time: 2021-01-02 10:44:09

Input:  734 packets, 87346 bytes
  Unicast:                  0,  Multicast:                 734
  Broadcast:                0,  Jumbo:                       0
  Discard:                  0,  Total Error:                 0

  CRC:                      0,  Giants:                      0
  Jabbers:                  0,  Throttles:                   0
  Runts:                    0,  Symbols:                     0
  Ignoreds:                 0,  Frames:                      0

Output:  159 packets, 14754 bytes
  Unicast:                  3,  Multicast:                 150
  Broadcast:                6,  Jumbo:                       0
  Discard:                  0,  Total Error:                 0

  Collisions:               0,  ExcessiveCollisions:         0
  Late Collisions:          0,  Deferreds:                   0

    Input bandwidth utilization threshold : 100.00%
    Output bandwidth utilization threshold: 100.00%
    Input bandwidth utilization  :    0%
    Output bandwidth utilization :    0%


"""
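The output shows that AR29's GigabitEthernet0/0/0 interface is up both physically and at the protocol level, which means AR29's physical layer is normal.

2.10 Conclusion
Based on the analysis above, the root cause of the fault is that the VLAN configuration on LSW6 is wrong, which places AR29 and AR28 in different broadcast domains, so they cannot establish a normal OSPF neighbor relationship.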


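3. Fault Resolution
3.1 The VLAN configuration on LSW6 is wrong. Run the following commands on LSW6:
system-view // enter the system view
display port vlan active // check the VLAN ID of interface Ethernet 0/0/2
interface Ethernet 0/0/3 // enter the interface view
port link-type access // set the interface link type to access
port default vlan {VLAN ID of interface Ethernet 0/0/2} // configure the correct VLAN ID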

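After running the commands above, run the following commands on AR29 to verify:
ping 10.5.128.28 // check layer 3 connectivity
display ospf peer brief // check whether the OSPF neighbor relationship is normal
display ip routing-table // check whether the routing table contains a route to AR28's loopback0 interface
ping -a 10.5.1.29 10.5.1.28 // check whether the fault is cleared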

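3.2 If the commands above do not clear the fault, the following faults are highly likely:
3.2.1 mux-vlan is configured on LSW6. Run the following commands on LSW6:
system-view // enter the system view
display mux-vlan // check which interfaces have mux-vlan configured
interface {interface with mux-vlan configured} // enter the interface view
undo port mux-vlan enable // remove the mux-vlan configuration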

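3.2.2 The OSPF area authentication on AR29 is wrong. Run the following commands on AR29:
system-view // enter the system view
interface GigabitEthernet 0/0/0 // enter the interface view
undo ospf authentication-mode // interface authentication takes precedence over area authentication, so remove the interface authentication first
ospf {OSPF process ID} // enter the OSPF process view
area 0 // enter area 0
authentication-mode md5 1 cipher {area 0 authentication password of AR28} // set the area 0 authentication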

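3.2.3 Route filtering is configured under the OSPF process on AR29 and AR28. Run the following commands on AR28 and AR29:
system-view // enter the system view
ospf {OSPF process ID} // enter the OSPF process view
display this // view the current configuration
undo filter-policy import // remove the route filtering policies
undo filter-policy export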

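3.2.4 A traffic filtering policy is configured on the GigabitEthernet 0/0/0 interface of AR29 and AR28. Run the following commands on AR28 and AR29:
system-view // enter the system view
interface GigabitEthernet 0/0/0 // enter the interface view
display this // view the current configuration
undo traffic-policy inbound // remove the traffic filtering policies
undo traffic-policy outbound
undo traffic-filter inbound
undo traffic-filter outbound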

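After running the commands above, run the following commands on AR29 to verify:
ping 10.5.128.28 // check layer 3 connectivity
display ospf peer brief // check whether the OSPF neighbor relationship is normal
display ip routing-table // check whether the routing table contains a route to AR28's loopback0 interface
ping -a 10.5.1.29 10.5.1.28 // check whether the fault is cleared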

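3.3 If the commands above clear the fault, continue by running the following commands on every device where commands were executed:
return // return to the user view
save // save the modified configuration

3.4 If the commands above do not clear the fault, the user needs to provide the complete device configuration or dispatch a front-line engineer to the user site for on-site troubleshooting, and at the same time call the Huawei 400 service hotline to request assistance from Huawei experts. Thank you!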