诊断五
AR32无法访问isis区域部分设备
TAC5-1:变种1
解答
一、故障根因
AR30的g0/0/0接口的出方向上存在着针对AR32的loopback0接口流量的过滤规则。
二、故障分析
2.1 故障重现
由于未确定不能访问哪些设备,需要进行逐一测试,结果如下:
"""
<AR32>ping -a 10.5.1.32 10.5.134.30
PING 10.5.134.30: 56 data bytes, press CTRL_C to break
Reply from 10.5.134.30: bytes=56 Sequence=1 ttl=254 time=40 ms
Reply from 10.5.134.30: bytes=56 Sequence=2 ttl=254 time=30 ms
Reply from 10.5.134.30: bytes=56 Sequence=3 ttl=254 time=30 ms
Reply from 10.5.134.30: bytes=56 Sequence=4 ttl=254 time=40 ms
Reply from 10.5.134.30: bytes=56 Sequence=5 ttl=254 time=20 ms
--- 10.5.134.30 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/32/40 ms
....省略部分能够正常通信的测试结果
<AR32>ping -a 10.5.1.32 10.5.1.34
PING 10.5.1.34: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.5.1.34 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<AR32>ping -a 10.5.1.32 10.5.134.34
PING 10.5.134.34: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.5.134.34 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
"""
结果显示,AR32无法访问AR34的g0/0/0接口和loopback0接口,故障存在。
2.2 检查路由表
AR32想要访问上述两个接口,首先需要在路由表中存在上述接口地址的路由,检查AR32的路由表,结果如下:
"""
<AR32>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 18 Routes : 18
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.5.1.27/32 OSPF 10 2 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.1.28/32 OSPF 10 1 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.1.30/32 O_ASE 150 1 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.1.31/32 O_ASE 150 1 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.1.32/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.5.1.34/32 O_ASE 150 1 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.128.0/24 OSPF 10 2 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.134.0/24 O_ASE 150 1 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.230.0/24 O_ASE 150 1 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.231.0/24 O_ASE 150 1 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.232.0/24 Direct 0 0 D 10.5.232.32 GigabitEthernet
0/0/0
10.5.232.32/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
10.5.232.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
10.5.234.0/24 O_ASE 150 1 D 10.5.232.28 GigabitEthernet
0/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
"""
结果显示,AR32的路由表中存在AR34的上述两个接口地址的路由,同时存在AR28的loopback0接口的路由,这说明AR28和AR32的ospf邻居正常,并且AR28上正确的将isis区域的路由引入ospf进程下。
2.3 检查AR34的路由表
通信是双向的,不仅需要AR32上存在对方的路由,同样需要AR34上存在AR32的loopback0接口地址的路由,查看AR34的路由表,结果如下:
"""
<AR34>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 16 Routes : 17
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 ISIS-L1 15 10 D 10.5.234.31 GigabitEthernet
0/0/1
ISIS-L1 15 10 D 10.5.134.30 GigabitEthernet
0/0/0
10.5.1.30/32 ISIS-L1 15 10 D 10.5.134.30 GigabitEthernet
0/0/0
10.5.1.31/32 ISIS-L1 15 10 D 10.5.234.31 GigabitEthernet
0/0/1
10.5.1.34/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.5.134.0/24 Direct 0 0 D 10.5.134.34 GigabitEthernet
0/0/0
10.5.134.34/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
10.5.134.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
10.5.230.0/24 ISIS-L1 15 20 D 10.5.134.30 GigabitEthernet
0/0/0
10.5.231.0/24 ISIS-L1 15 20 D 10.5.234.31 GigabitEthernet
0/0/1
10.5.234.0/24 Direct 0 0 D 10.5.234.34 GigabitEthernet
0/0/1
10.5.234.34/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
10.5.234.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
"""
结果显示,AR34上并不存在AR32的loopback0接口地址的路由,但是存在两条等价默认路由,分别指向AR31和AR30。
2.4 查看AR31的路由表
由于AR30无法的登录,只能查看AR31的路由表中是否存在AR32的loopback0接口地址的路由,结果如下:
"""
<AR31>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 20 Routes : 20
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.5.1.27/32 ISIS-L2 15 74 D 10.5.231.28 GigabitEthernet
0/0/2
10.5.1.28/32 ISIS-L2 15 74 D 10.5.231.28 GigabitEthernet
0/0/2
10.5.1.30/32 ISIS-L1 15 20 D 10.5.234.34 GigabitEthernet
0/0/1
10.5.1.31/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.5.1.32/32 ISIS-L2 15 74 D 10.5.231.28 GigabitEthernet
0/0/2
10.5.1.34/32 ISIS-L1 15 10 D 10.5.234.34 GigabitEthernet
0/0/1
10.5.128.0/24 ISIS-L2 15 74 D 10.5.231.28 GigabitEthernet
0/0/2
10.5.134.0/24 ISIS-L1 15 20 D 10.5.234.34 GigabitEthernet
0/0/1
10.5.230.0/24 ISIS-L1 15 30 D 10.5.234.34 GigabitEthernet
0/0/1
10.5.231.0/24 Direct 0 0 D 10.5.231.31 GigabitEthernet
0/0/2
10.5.231.31/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/2
10.5.231.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/2
10.5.232.0/24 ISIS-L2 15 74 D 10.5.231.28 GigabitEthernet
0/0/2
10.5.234.0/24 Direct 0 0 D 10.5.234.31 GigabitEthernet
0/0/1
10.5.234.31/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
10.5.234.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
"""
结果显示,AR31的路由表中存在AR32的loopback0接口地址的路由,这说明AR34与AR30、AR31之间的level-1级别的isis邻居正常,AR28与AR30、AR31之间的level-2级别的isis邻居正常,AR28上将ospf区域路由成功进入isis进程。至此,路由控制层面不存在问题,下面需要检查数据层面的问题。
2.5 不带源进行路由追踪
在AR34上,以AR34上无法访问的两个接口地址为目的地址,进行路由追踪,结果如下:
"""
<AR32>tracert 10.5.134.34
traceroute to 10.5.134.34(10.5.134.34), max hops: 30 ,packet length: 40,press
CTRL_C to break
1 10.5.232.28 30 ms 20 ms 10 ms
2 10.5.230.30 30 ms 20 ms 30 ms
3 10.5.134.34 50 ms 20 ms 20 ms
<AR32>tracert 10.5.1.34
traceroute to 10.5.1.34(10.5.1.34), max hops: 30 ,packet length: 40,press CTRL
_C to break
1 10.5.232.28 30 ms 20 ms 30 ms
2 10.5.230.30 20 ms 10.5.231.31 30 ms 10.5.230.30 20 ms
3 10.5.234.34 30 ms 10.5.134.34 40 ms 10.5.234.34 30 ms
"""
结果显示,AR34在不带源地址的情况下能够正常访问上述两个接口,并且访问AR34的loopback0接口的两条等价路由均正常。
2.6 带源进行路由追踪
在AR34上,以loopback0接口地址为源地址,以AR34上无法访问的两个接口地址为目的地址,进行路由追踪,结果如下:
"""
<AR32>tracert -a 10.5.1.32 10.5.134.34
traceroute to 10.5.134.34(10.5.134.34)
, max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.5.232.28 20 ms 20 ms 30 ms
2 10.5.230.30 30 ms 20 ms 20 ms
3 * * *
<AR32>tracert -a 10.5.1.32 10.5.1.34
traceroute to 10.5.1.34(10.5.1.34), max hops: 30 ,packet length: 40,press CTRL
_C to break
1 10.5.232.28 20 ms 20 ms 10 ms
2 10.5.231.31 40 ms 10.5.230.30 30 ms 10.5.231.31 20 ms
3 * 10.5.234.34 40 ms *
"""
结果显示,AR34在带有源地址的情况下进行路由追踪,追踪AR34的g0/0/0接口时,在第三跳出现无法正常回显的情况,追踪loopback0接口时,第三跳中两条等价的默认路由,经过AR30的那条没有正常回显。种种迹象表明AR34与AR30之间存在针对AR32的loopback0接口的流量过滤
2.7 检查AR34的g0/0/0接口测试前后的接收报文情况
在AR32以loopback0接口地址为源地址,以AR34的g0/0/0接口地址为目的地址,执行ping测试,观察测试前后AR34的g0/0/0接口下的接收报文情况,结果如下:
"""
# 测试前AR34的g0/0/0接口情况
<AR34>display interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2021-01-02 16:44:00 UTC-08:00
Description:HUAWEI, AR Series, GigabitEthernet0/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.5.134.34/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc83-528a
Last physical up time : 2021-01-02 16:44:00 UTC-08:00
Last physical down time : 2021-01-02 16:43:50 UTC-08:00
Current system time: 2021-01-02 17:06:16-08:00
Port Mode: FORCE COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 7576 bits/sec, 0 packets/sec
Last 300 seconds output rate 1208 bits/sec, 0 packets/sec
Input peak rate 12112 bits/sec,Record time: 2021-01-02 16:49:09
Output peak rate 7456 bits/sec,Record time: 2021-01-02 16:44:09
Input: 957 packets, 1245067 bytes
Unicast: 5, Multicast: 950
Broadcast: 2, Jumbo: 0
Discard: 0, Total Error: 0
# 测试
<AR32>ping -a 10.5.1.32 10.5.1.34
PING 10.5.1.34: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.5.1.34 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
# 测试后AR34的g0/0/0接口情况
<AR34>display interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2021-01-02 16:44:00 UTC-08:00
Description:HUAWEI, AR Series, GigabitEthernet0/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.5.134.34/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc83-528a
Last physical up time : 2021-01-02 16:44:00 UTC-08:00
Last physical down time : 2021-01-02 16:43:50 UTC-08:00
Current system time: 2021-01-02 17:07:15-08:00
Port Mode: FORCE COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 7576 bits/sec, 0 packets/sec
Last 300 seconds output rate 1208 bits/sec, 0 packets/sec
Input peak rate 12112 bits/sec,Record time: 2021-01-02 16:49:09
Output peak rate 7456 bits/sec,Record time: 2021-01-02 16:44:09
Input: 1000 packets, 1301877 bytes
Unicast: 5, Multicast: 993
Broadcast: 2, Jumbo: 0
Discard: 0, Total Error: 0
"""
结果显示,AR34的g0/0/0接口在Input方向上的Unicast报文数量在测试前后一致,即AR34上并没有收到单播测试报文,因此断定流量过滤策略的位置在AR30的g0/0/0接口下。
2.8 检查是否存在反向流量策略
在AR34上以loopback0接口地址为源,以AR32的loopback0接口地址为目的,检查是否存在反方向的流量过滤,结果如下:
"""
<AR34>tracert -a 10.5.1.34 10.5.1.32
traceroute to 10.5.1.32(10.5.1.32), max hops: 30 ,packet length: 40,press CTRL
_C to break
1 10.5.234.31 20 ms 20 ms 20 ms
2 10.5.231.28 20 ms 30 ms 10.5.230.28 20 ms
3 10.5.232.32 20 ms 30 ms 30 ms
"""
结果显示,AR34能够成功访问AR32的loopback0接口地址的路由,并且两条等价默认路由均正常。
2.9 结论
通过以上分析,故障的根本原因为AR30的g0/0/0接口的出方向上存在着针对AR32的loopback0接口流量的过滤规则。
三、故障解决
3.1 AR30的g0/0/0接口的出方向上存在着针对AR32的loopback0接口流量的过滤规则,需要在AR30上执行以下命令:
system-view //进入系统视图
interface GigabitEthernet 0/0/0 //进入接口视图
display this //查看当前配置
undo traffic-policy outbound //删除出方向的流量过滤策略
undo traffic-filter outbound
执行完以上命令,需要在AR34上执行以下命令进行检查:
ping -a 10.5.1.32 10.5.1.34 //查看故障是否解决
3.2 如果执行以上命令未能排除故障,则存在以下高可能性故障:
3.2.1 AR34的g0/0/0接口下存在流量过滤策略
system-view //进入系统视图
interface GigabitEthernet 0/0/0 //进入接口视图
display this //查看当前配置
undo traffic-policy outbound //删除出方向的流量过滤策略
undo traffic-filter outbound
undo traffic-filter inbound
undo traffic-filter inbound
执行完以上命令,需要在AR34上执行以下命令进行检查:
ping -a 10.5.1.32 10.5.1.34 //查看故障是否解决
3.3 如果执行以上命令排除了故障,则需要在执行过命令的设备上继续执行以下命令:
return //返回用户视图
save //保存修改之后的配置
3.4 如果执行以上命令未能排除故障,则需要用户提供完整的设备配置信息或者派遣一线工程师到达用户现场进行现场排障,同时拨打华为400服务热线请求华为专家的协助,谢谢!
TAC5-2:变种2
解答
一、故障根因
AR28的g0/0/2接口在出方向上配置了针对AR32的loopback0接口的流量过滤策略。
二、故障分析
2.1 故障重现
由于未知哪些设备无法访问,需要在AR32上逐一进行测试,结果如下:
"""
<AR32>ping -a 10.5.1.32 10.5.230.30
PING 10.5.230.30: 56 data bytes, press CTRL_C to break
Reply from 10.5.230.30: bytes=56 Sequence=1 ttl=254 time=50 ms
Reply from 10.5.230.30: bytes=56 Sequence=2 ttl=254 time=30 ms
Reply from 10.5.230.30: bytes=56 Sequence=3 ttl=254 time=20 ms
Reply from 10.5.230.30: bytes=56 Sequence=4 ttl=254 time=30 ms
Reply from 10.5.230.30: bytes=56 Sequence=5 ttl=254 time=30 ms
--- 10.5.230.30 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/32/50 ms
.......省略部分能够ping通的结果
<AR32>ping -a 10.5.1.32 10.5.231.31
PING 10.5.231.31: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.5.231.31 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<AR32>ping -a 10.5.1.32 10.5.1.31
PING 10.5.231.31: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.5.231.31 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<AR32>ping -a 10.5.1.32 10.5.234.31
PING 10.5.231.31: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.5.231.31 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<AR32>ping -a 10.5.1.32 10.5.234.34
PING 10.5.231.31: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.5.231.31 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
"""
结果显示,AR32无法访问AR31的所有接口和AR34的g0/0/1接口,故障存在。
2.2 检查AR32的路由表
AR32想要访问AR31的所有接口和AR34的g0/0/1接口,首先需要在路由表中有其路由,查看AR32的路由表,结果如下:
"""
<AR32>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 18 Routes : 18
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.5.1.27/32 OSPF 10 2 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.1.28/32 OSPF 10 1 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.1.30/32 O_ASE 150 1 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.1.31/32 O_ASE 150 1 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.1.32/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.5.1.34/32 O_ASE 150 1 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.128.0/24 OSPF 10 2 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.134.0/24 O_ASE 150 1 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.230.0/24 O_ASE 150 1 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.231.0/24 O_ASE 150 1 D 10.5.232.28 GigabitEthernet
0/0/0
10.5.232.0/24 Direct 0 0 D 10.5.232.32 GigabitEthernet
0/0/0
10.5.232.32/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
10.5.232.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
10.5.234.0/24 O_ASE 150 1 D 10.5.232.28 GigabitEthernet
0/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
"""
结果显示,AR32的路由表中存在AR31的所有接口和AR34的g0/0/1接口的路由,并且存在AR28的loopback0接口的路由,表明与AR28的ospf邻居正常,并且AR28上正确的将isis区域的路由引入ospf进程中。
2.3 检查AR31和AR34的路由表
通信是双向的,不仅需要AR32的路由表中存在AR31的所有接口和AR34的g0/0/1接口的路由,同样需要AR31和AR34的路由表中存在AR32的loopback0接口地址的路由,检查AR31和AR34的路由表,结果如下:
"""
# AR31的路由表
<AR31>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 20 Routes : 20
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.5.1.27/32 ISIS-L2 15 74 D 10.5.231.28 GigabitEthernet
0/0/2
10.5.1.28/32 ISIS-L2 15 74 D 10.5.231.28 GigabitEthernet
0/0/2
10.5.1.30/32 ISIS-L1 15 20 D 10.5.234.34 GigabitEthernet
0/0/1
10.5.1.31/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.5.1.32/32 ISIS-L2 15 74 D 10.5.231.28 GigabitEthernet
0/0/2
10.5.1.34/32 ISIS-L1 15 10 D 10.5.234.34 GigabitEthernet
0/0/1
10.5.128.0/24 ISIS-L2 15 74 D 10.5.231.28 GigabitEthernet
0/0/2
10.5.134.0/24 ISIS-L1 15 20 D 10.5.234.34 GigabitEthernet
0/0/1
10.5.230.0/24 ISIS-L1 15 30 D 10.5.234.34 GigabitEthernet
0/0/1
10.5.231.0/24 Direct 0 0 D 10.5.231.31 GigabitEthernet
0/0/2
10.5.231.31/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/2
10.5.231.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/2
10.5.232.0/24 ISIS-L2 15 74 D 10.5.231.28 GigabitEthernet
0/0/2
10.5.234.0/24 Direct 0 0 D 10.5.234.31 GigabitEthernet
0/0/1
10.5.234.31/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
10.5.234.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
# AR34的路由表
<AR34>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 16 Routes : 17
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 ISIS-L1 15 10 D 10.5.134.30 GigabitEthernet
0/0/0
ISIS-L1 15 10 D 10.5.234.31 GigabitEthernet
0/0/1
10.5.1.30/32 ISIS-L1 15 10 D 10.5.134.30 GigabitEthernet
0/0/0
10.5.1.31/32 ISIS-L1 15 10 D 10.5.234.31 GigabitEthernet
0/0/1
10.5.1.34/32 Direct 0 0 D 127.0.0.1 LoopBack0
10.5.134.0/24 Direct 0 0 D 10.5.134.34 GigabitEthernet
0/0/0
10.5.134.34/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
10.5.134.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/0
10.5.230.0/24 ISIS-L1 15 20 D 10.5.134.30 GigabitEthernet
0/0/0
10.5.231.0/24 ISIS-L1 15 20 D 10.5.234.31 GigabitEthernet
0/0/1
10.5.234.0/24 Direct 0 0 D 10.5.234.34 GigabitEthernet
0/0/1
10.5.234.34/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
10.5.234.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet
0/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
"""
结果显示,AR31的路由表中存在AR32的loopback0接口地址的路由,AR34的路由表中虽然不存在,但是存在两条等价的默认路由,分别指向AR31和AR30,这表明AR34与AR31、AR30之间的level-1级别的isis邻居正常,AR28与AR31、AR30之间的level-2级别的isis邻居正常,AR28上正确的将ospf区域的路由引入isis进程下。至此,路由控制层面不存在问题,接下来需要检查数据层面的问题。
2.4 不带源进行路由追踪
在AR32上不带源追踪AR31的所有接口和AR34的g0/0/1接口的路由,结果如下:
"""
<AR32>tracert 10.5.231.31
traceroute to 10.5.231.31(10.5.231.31), max hops: 30 ,packet length: 40,press
CTRL_C to break
1 10.5.232.28 20 ms 20 ms 20 ms
2 10.5.231.31 30 ms 30 ms 30 ms
<AR32>tracert 10.5.1.31
traceroute to 10.5.1.31(10.5.1.31), max hops: 30 ,packet length: 40,press CTRL
_C to break
1 10.5.232.28 20 ms 30 ms 20 ms
2 10.5.231.31 20 ms 20 ms 20 ms
<AR32>tracert 10.5.234.31
traceroute to 10.5.234.31(10.5.234.31), max hops: 30 ,packet length: 40,press
CTRL_C to break
1 10.5.232.28 30 ms 20 ms 20 ms
2 10.5.231.31 20 ms 20 ms 20 ms
<AR32>tracert 10.5.234.34
traceroute to 10.5.234.34(10.5.234.34), max hops: 30 ,packet length: 40,press
CTRL_C to break
1 10.5.232.28 20 ms 30 ms 20 ms
2 10.5.231.31 20 ms 20 ms 20 ms
3 10.5.234.34 30 ms 20 ms 40 ms
"""
结果显示,AR32在不带源地址的情况下均能正常追踪到AR31的所有接口和AR34的g0/0/1接口的路由。
2.5 带源进行路由追踪
在AR32上以loopback0接口地址为源地址,追踪AR31的所有接口和AR34的g0/0/1接口的路由,结果如下:
"""
<AR32>tracert -a 10.5.1.32 10.5.231.31
traceroute to 10.5.231.31(10.5.231.31)
, max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.5.232.28 10 ms 10 ms 10 ms
2 * * *
<AR32>tracert -a 10.5.1.32 10.5.1.31
traceroute to 10.5.1.31(10.5.1.31), max hops: 30 ,packet length: 40,press CTRL
_C to break
1 10.5.232.28 20 ms 20 ms 30 ms
2 * * *
<AR32>tracert -a 10.5.1.32 10.5.234.31
traceroute to 10.5.234.31(10.5.234.31)
, max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.5.232.28 20 ms 10 ms 10 ms
2 * *
<AR32>tracert -a 10.5.1.32 10.5.234.34
traceroute to 10.5.234.34(10.5.234.34)
, max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.5.232.28 10 ms 10 ms 10 ms
2 * *
"""
结果显示,在AR32带源地址的情况下,路由追踪第二跳出现无法正常回显的状况,这表明AR28与AR31之间存在着针对AR32的loopback0接口的流量过滤策略。
2.6 查看AR31的g0/0/2接口在测试前后接收报文情况
在AR32上以loopback0接口地址为源地址,以AR31的g0/0/2接口地址为目的地址,执行ping测试,查看AR31的g0/0/2接口在测试前后的接收报文情况,结果如下:
"""
# 测试之前AR31的g0/0/2接口情况
<AR31>display interface GigabitEthernet 0/0/2
GigabitEthernet0/0/2 current state : UP
Line protocol current state : UP
Last line protocol up time : 2021-01-02 17:18:42 UTC-08:00
Description:HUAWEI, AR Series, GigabitEthernet0/0/2 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.5.231.31/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fcba-5c14
Last physical up time : 2021-01-02 17:18:42 UTC-08:00
Last physical down time : 2021-01-02 17:18:34 UTC-08:00
Current system time: 2021-01-02 18:02:14-08:00
Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 1224 bits/sec, 0 packets/sec
Last 300 seconds output rate 7512 bits/sec, 0 packets/sec
Input peak rate 7624 bits/sec,Record time: 2021-01-02 17:18:48
Output peak rate 12344 bits/sec,Record time: 2021-01-02 17:24:43
Input: 309 packets, 407959 bytes
Unicast: 16, Multicast: 290
Broadcast: 3, Jumbo: 0
Discard: 0, Total Error: 0
# 执行测试
<AR32>ping -a 10.5.1.32 10.5.231.31
PING 10.5.231.31: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.5.231.31 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
# 测试之后AR31的g0/0/2接口情况
<AR31>display interface GigabitEthernet 0/0/2
GigabitEthernet0/0/2 current state : UP
Line protocol current state : UP
Last line protocol up time : 2021-01-02 17:18:42 UTC-08:00
Description:HUAWEI, AR Series, GigabitEthernet0/0/2 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.5.231.31/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fcba-5c14
Last physical up time : 2021-01-02 17:18:42 UTC-08:00
Last physical down time : 2021-01-02 17:18:34 UTC-08:00
Current system time: 2021-01-02 18:03:26-08:00
Port Mode: COMMON COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 1224 bits/sec, 0 packets/sec
Last 300 seconds output rate 7504 bits/sec, 0 packets/sec
Input peak rate 7624 bits/sec,Record time: 2021-01-02 17:18:48
Output peak rate 12344 bits/sec,Record time: 2021-01-02 17:24:43
Input: 316 packets, 418557 bytes
Unicast: 16, Multicast: 297
Broadcast: 3, Jumbo: 0
Discard: 0, Total Error: 0
"""
结果显示,AR31的g0/0/2接口在测试前后input方向上的Unicast报文数量没变,表明AR31的g0/0/2接口没有收到单播测试报文,即流量过滤策略设置在了AR28的g0/0/2接口下。
2.7 查看是否存在反向流量过滤
在AR34上以loopback0接口地址为源地址,以AR32的loopback0接口地址为目的地址,查看是否存在反方向的流量过滤,结果如下:
"""
<AR34>ping -a 10.5.1.34 10.5.1.32
PING 10.5.1.32: 56 data bytes, press CTRL_C to break
Reply from 10.5.1.32: bytes=56 Sequence=1 ttl=253 time=40 ms
Reply from 10.5.1.32: bytes=56 Sequence=2 ttl=253 time=30 ms
Reply from 10.5.1.32: bytes=56 Sequence=3 ttl=253 time=40 ms
Reply from 10.5.1.32: bytes=56 Sequence=4 ttl=253 time=30 ms
Reply from 10.5.1.32: bytes=56 Sequence=5 ttl=253 time=30 ms
--- 10.5.1.32 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/34/40 ms
"""
结果显示,AR34能够正常访问AR32的loopback0接口,即不存在反方向的流量过滤。
2.8 结论
通过以上分析,故障的根本原因为AR28的g0/0/2接口在出方向上配置了针对AR32的loopback0接口的流量过滤策略。
三、故障解决
3.1 AR28的g0/0/2接口在出方向上配置了针对AR32的loopback0接口的流量过滤策略,需要在AR28上执行以下命令:
system-view //进入系统视图
interface GigabitEthernet 0/0/2 //进入接口视图
display this //查看当前配置
undo traffic-policy outbound //删除流量过滤策略
undo traffic-filter outbound
执行完以上命令之后需要在AR32上执行以下命令进行检查:
ping -a 10.5.1.32 10.5.231.31 //检查故障是否排除
ping -a 10.5.1.32 10.5.1.31
ping -a 10.5.1.32 10.5.234.31
ping -a 10.5.1.32 10.5.234.34
3.2 如果执行以上命令未能排除故障,则存在以下高可能性:
3.2.1 AR31的g0/0/2、g0/0/1和AR34的g0/0/1接口下存在流量过滤
system-view //进入系统视图
interface xxx //进入接口视图
display this //查看当前配置
undo traffic-policy outbound //删除流量过滤策略
undo traffic-filter outbound
undo traffic-policy inbound
undo traffic-filter inbound
执行完以上命令之后需要在AR32上执行以下命令进行检查:
ping -a 10.5.1.32 10.5.231.31 //检查故障是否排除
ping -a 10.5.1.32 10.5.1.31
ping -a 10.5.1.32 10.5.234.31
ping -a 10.5.1.32 10.5.234.34
3.3 如果执行以上命令成功的排除故障,则需要在执行过命令的设备上继续执行以下命令:
return //返回用户视图
save //保存修改之后的配置
3.4 如果执行以上命令未能排除故障,则需要用户提供完整的设备配置信息或者派遣一线工程师到达用户现场进行现场排障,同时拨打华为400服务热线请求华为专家的协助,谢谢!