- 論壇徽章:
- 0
|
最近玩<FINAL FANTASY XII>玩的很郁悶,因此換換口味,抽空找了點(diǎn)時(shí)間隨便寫(xiě)寫(xiě).本文描述了交換機(jī)中err-disabled狀態(tài)的產(chǎn)生和解決方法.該特性分別支持運(yùn)行CISCO IOS和CatOS的交換機(jī).轉(zhuǎn)載請(qǐng)保留作者信息:
作者:紅頭發(fā)(aka CCIE#15101/JNCIP Candidate)
出處:http://www.91lab.com
一.err-disabled狀態(tài)的作用:
通常情況下,如果交換機(jī)運(yùn)轉(zhuǎn)正常,其中端口一項(xiàng)顯示為啟用(enable)狀態(tài).但是如果交換機(jī)的軟件(CISCO IOS/CatOS)檢測(cè)到端口的一些錯(cuò)誤,端口將隨即被關(guān)閉.也就是說(shuō),當(dāng)交換機(jī)的操作系統(tǒng)檢測(cè)到交換機(jī)端口發(fā)生些錯(cuò)誤事件的時(shí)候,交換機(jī)將自動(dòng)關(guān)閉該端口.
當(dāng)端口處于err-disabled狀態(tài),將沒(méi)有任何流量從該端口被轉(zhuǎn)發(fā)出去,也將不接收任何進(jìn)站流量.從交換機(jī)外觀上看去,端口相對(duì)應(yīng)的LED狀態(tài)燈也將由正常的綠色變?yōu)榘迭S色(或者叫做橘黃色,本人色盲,官方給的說(shuō)法是amber,琥珀色).同時(shí)使用查看端口狀態(tài)的一些命令,比如show interfaces,也會(huì)看到端口是處于err-disabled狀態(tài)的.還有種情況是,當(dāng)交換機(jī)因一種錯(cuò)誤因素導(dǎo)致端口被禁用(err-disabled),這種情況通常會(huì)看到類(lèi)似如下日志信息:
%SPANTREE-SP-2-BLOCK_BPDUGUARD:
Received BPDU on port GigabitEthernet2/1 with BPDU Guard enabled. Disabling port.
%PM-SP-4-ERR_DISABLE:
bpduguard error detected on Gi2/1, putting Gi2/1 in err-disable state
err-disabled的兩個(gè)作用的:
1.告訴管理員端口狀態(tài)出錯(cuò).
2.消除因某個(gè)端口的錯(cuò)誤導(dǎo)致所有端口,或者整個(gè)模塊功能的出錯(cuò).
二.err-disabled狀態(tài)的起因:
該特性最初是用于處理特定的沖突形勢(shì),比如過(guò)分沖突(excessive collisison)和后期沖突(late collision).由于CSMA/CD機(jī)制的制定,當(dāng)發(fā)生16次沖突后幀將被丟棄,此時(shí)發(fā)生excessive collision;而late collision是指在發(fā)送方發(fā)送了64個(gè)字節(jié)之后,正常的和合法的沖突就不可能發(fā)生了.理論上正常的網(wǎng)絡(luò)傳播一定會(huì)在此之前就完成了,但是如果線路過(guò)長(zhǎng)的話會(huì)在前64個(gè)字節(jié)完成后發(fā)生沖突,后期沖突和發(fā)生在前64個(gè)字節(jié)的沖突最明顯的區(qū)別是后者網(wǎng)卡會(huì)自動(dòng)重新傳輸正常的沖突幀,但不會(huì)重傳后期沖突的幀.后期沖突發(fā)生在時(shí)間超時(shí)和中繼器的遠(yuǎn)端.一般而言,這樣的沖突在本地網(wǎng)段會(huì)簡(jiǎn)單地判斷為一個(gè)幀校驗(yàn)序列(FCS)錯(cuò)誤.引起這種錯(cuò)誤的可能原因有:
1.線纜的不規(guī)范使用,比如超出了最大傳輸距離或者使用了錯(cuò)誤的線纜類(lèi)型.
2.網(wǎng)卡的不正常工作(物理?yè)p壞或者驅(qū)動(dòng)程序的錯(cuò)誤).
3.端口雙工模式的錯(cuò)誤配置,如雙工不匹配.
如下是端口處于err-disabled狀態(tài)的幾種原因:
1.雙工不匹配.
2.端口信道的錯(cuò)誤配置.
3.違反BPDU守護(hù)(BPDU Guard)特性.
4.單向鏈路檢測(cè)(UDLD).
5.檢測(cè)到后期沖突.
6.鏈路振蕩.
7.違反某些安全策略.
8.端口聚合協(xié)議(PAgP)的振蕩.
9.層2隧道協(xié)議(L2TP)守護(hù)(L2TP Guard).
10.DHCP偵聽(tīng)限速.
三.檢驗(yàn)端口是否處于err-disabled狀態(tài):
可以使用show interfaces命令查看端口狀態(tài),如:
NUAIKO#show interfaces gigabitethernet 2/1 status
Port Name Status Vlan Duplex Speed Type
Gi2/1 err-disabled 100 full 1000 1000BaseSX
當(dāng)交換機(jī)的某個(gè)端口處于err-disabled狀態(tài)后,交換機(jī)將發(fā)送為什么這么做的日志信息到控制臺(tái)端口.也可以使用show log查看系統(tǒng)日志,如:
%SPANTREE-SP-2-BLOCK_BPDUGUARD:
Received BPDU on port GigabitEthernet2/1 with BPDU Guard enabled. Disabling port.
%PM-SP-4-ERR_DISABLE:
bpduguard error detected on Gi2/1, putting Gi2/1 in err-disable state
%SPANTREE-2-CHNMISCFG: STP loop - channel 11/1-2 is disabled in vlan 1
如果啟用了errdisable recovery功能,可以使用show errdisable recovery命令查看處于err-disabled狀態(tài)的原因,如:
NUAIKO#show errdisable recovery
ErrDisable Reason Timer Status
−−−−−−−−−−−−−−−−− −−−−−−−−−−−−−−
udld Enabled
bpduguard Enabled
security-violation Enabled
channel-misconfig Enabled
pagp-flap Enabled
dtp-flap Enabled
link-flap Enabled
l2ptguard Enabled
psecure-violation Enabled
gbic-invalid Enabled
dhcp-rate-limit Enabled
mac-limit Enabled
unicast-flood Enabled
arp-inspection Enabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Interface Errdisable reason Time left(sec)
−−−−−−−−− −−−−−−−−−−−−−−−−−−−−− −−−−−−−−−−−−−−
Fa2/4 bpduguard 273
四.恢復(fù)err-disabled狀態(tài):
當(dāng)出現(xiàn)err-disabled狀態(tài)后,首先要做的,是找出引起該狀態(tài)的根源,然后重新啟用該端口;如果順序不一致,將導(dǎo)致該端口再次進(jìn)入err-disabled狀態(tài).
找出問(wèn)題的根源,以比較常見(jiàn)的做為例子:
1.以太網(wǎng)信道(EC)的錯(cuò)誤配置:
如果要讓EC能夠正常工作,參與到EC綁定的端口的配置,必須是一致的,比如處于同一VLAN,trunk模式相同,速率和雙工模式都匹配等等.如果一端配置了EC,而另一端沒(méi)有配置EC,STP將關(guān)閉配置了EC一方的參與到EC中的端口.并且當(dāng)PAgP的模式是處于on模式的時(shí)候,交換機(jī)是不會(huì)向外發(fā)送PAgP信息去進(jìn)行協(xié)商的(它認(rèn)為對(duì)方是處于EC).這種情況下STP判定出現(xiàn)環(huán)路問(wèn)題,因此將端口設(shè)置為err-disabled狀態(tài).如:
%SPANTREE-2-CHNL_MISCFG: Detected loop due to etherchannel misconfiguration
of Gi2/1
如下,查看EC信息顯示使用的信道組數(shù)量為0:
NUAIKO#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
Number of channel-groups in use: 0
Number of aggregators: 0
EC沒(méi)有正常工作是由于端口被設(shè)置為err-disabled狀態(tài):
NUAIKO#show interfaces gigabitethernet 2/1 status
Port Name Status Vlan Duplex Speed Type
Gi2/1 err-disabled 100 full 1000 1000BaseSX
為找出為何EC沒(méi)有正常工作,根據(jù)錯(cuò)誤信息暗示,STP檢測(cè)到環(huán)路.之前提到過(guò),這種情況的發(fā)生,是由于一方配置了EC,設(shè)置PAgP模式為on模式,這種模式和desirable模式正好相反,而另一方?jīng)]有配置EC.因此,為了解決這種問(wèn)題的發(fā)生,將EC的PAgP模式設(shè)置為可以主動(dòng)協(xié)商的desirable模式.,然后再重新啟用該端口.如下:
!
interface gigabitethernet 2/1
channel-group 1 mode desirable non-silent
!
2.雙工模式不匹配:
雙工模式不匹配的問(wèn)題比較常見(jiàn),由于速率和雙工模式自動(dòng)協(xié)商的故障,常導(dǎo)致這種問(wèn)題的發(fā)生.可以使用show interfaces命令查看雙方端口的速率和雙工模式.后期版本的CDP也能夠在將端口處于err-disabled狀態(tài)之前發(fā)出警告日志信息.另外,網(wǎng)卡的不正常設(shè)置也將引起雙工模式的不匹配.解決辦法,如雙方不能自動(dòng)協(xié)商,使用duplex命令(CISCO IOS和CatOS有所不同)修改雙方雙工模式使之一致.
3.BPDU Guard:
通常啟用了快速端口(PortFast)特性的端口用于直接連接端工作站這種不會(huì)產(chǎn)生BPDU的末端設(shè)備.由于PortFast特性假定交換機(jī)的端口不會(huì)產(chǎn)生物理環(huán)路,因此,當(dāng)在啟用了PortFast和BPDU Guard特性的端口上收到BPDU后,該端口將進(jìn)入err-disabled狀態(tài),用于避免潛在環(huán)路.
假如我們將兩臺(tái)6509交換機(jī)相連,在其中一臺(tái)上啟用PortFast特性并打開(kāi)BPDU Guard特性:
!
interface gigabitethernet 2/1
spanning-tree bpduguard enable
spanning-tree portfast enable
!
此時(shí)將看到如下日志信息:
%PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi2/1, putting Gi2/1 in
err-disable state.
驗(yàn)證:
NUAIKO#show interfaces gigabitethernet 2/1 status
Port Name Status Vlan Duplex Speed Type
Gi2/1 err-disabled 100 full 1000 1000BaseSX
像這種情況,不能啟用PortFast特性,因此禁用該特性可以解決該問(wèn)題.
4.UDLD:
UDLD協(xié)議允許通過(guò)光纖或銅線相連的設(shè)備監(jiān)控線纜的物理配置,并且可以檢測(cè)是否存在單向鏈路.如果檢測(cè)到有單向鏈路,UDLD將關(guān)閉相關(guān)端口并發(fā)出警告日志信息.單向鏈路可以引起一系列的問(wèn)題,最常見(jiàn)的就是STP拓?fù)洵h(huán)路.注意,為了啟用UDLD,雙方必須都支持該協(xié)議,并且要單獨(dú)在每個(gè)端口啟用UDLD.如果你只在一方啟用了UDLD,同樣的會(huì)引起端口進(jìn)入err-disabled狀態(tài),如:
%PM-SP-4-ERR_DISABLE: udld error detected on Gi2/1, putting Gi2/1 in
err-disable state.
5.鏈路振蕩錯(cuò)誤:
鏈路振蕩(flap)是指短時(shí)間內(nèi)端口不停的處于up/down狀態(tài),如果端口在10秒內(nèi)連續(xù)振蕩5次,端口將被設(shè)置為err-disabled狀態(tài),如:
%PM-4-ERR_DISABLE: link-flap error detected on Gi2/1, putting Gi2/1 in
err-disable state
可以使用如下命令查看不同的振蕩的值:
NUAIKO#show errdisable flap-values
ErrDisable Reason Flaps Time (sec)
−−−−−−−−−−−−−−−−− −−−−−− −−−−−−−−−−
pagp-flap 3 30
dtp-flap 3 30
link-flap 5 10
引起鏈路震蕩的常見(jiàn)因素,可能是物理層的問(wèn)題,比如GBIC的硬件故障等等.因此解決這種問(wèn)題通常先從物理層入手.
6.回環(huán)(loopback)錯(cuò)誤:
當(dāng)keepalive信息從交換機(jī)的出站端口被發(fā)送出去后,又從該接口收到該信息,就會(huì)發(fā)生回環(huán)錯(cuò)誤.交換機(jī)默認(rèn)情況下會(huì)從所有端口向外發(fā)送keepalive信息.但由于STP沒(méi)能阻塞某些端口,導(dǎo)致這些信息可能會(huì)被轉(zhuǎn)發(fā)回去形成邏輯環(huán)路.因此出現(xiàn)這種情況后,端口將進(jìn)入err-disabled狀態(tài),如:
%PM-4-ERR_DISABLE: loopback error detected on Gi2/1, putting Gi2/1 in
err-disable state
從CISCO IOS 12.2SE之后的版本,keepalive信息將不再?gòu)墓饫w和上行端口發(fā)送出去,因此解決這種問(wèn)題的方案是升級(jí)CISCO IOS軟件版本到12.2SE或后續(xù)版本.更多信息可以參見(jiàn)CISCO BUG ID CSCea46385(需要一定權(quán)限的CCO).
7.違反端口安全(Port Security)策略:
端口安全特性提供了根據(jù)MAC地址,動(dòng)態(tài)的對(duì)交換機(jī)端口進(jìn)行保護(hù)的特性.違反該策略將導(dǎo)致端口進(jìn)入err-disabled狀態(tài).端口安全的原理和配置這里就不再贅述,有興趣的可以去CISCO的Documentation CD里查閱(當(dāng)然如果你比我還懶的話,可以加我Q:13030130,我講給你聽(tīng)).
五.重新啟用進(jìn)入err-disabled狀態(tài)的端口:
再找到引起err-disabled狀態(tài)的根源后,如果沒(méi)有配置errdisable recovery,此時(shí)端口仍然處于禁用狀態(tài).這種情況下,就必須手動(dòng)的重新啟動(dòng)這些端口(在接口下先shutdown再no shutdown).
errdisable recovery允許你根據(jù)錯(cuò)誤類(lèi)型,在一定時(shí)間后(默認(rèn)值是300秒)自動(dòng)的重新啟用該端口.使用show errdisable recovery命令查看該特性的默認(rèn)設(shè)置:
NUAIKO#show errdisable recovery
ErrDisable Reason Timer Status
−−−−−−−−−−−−−−−−− −−−−−−−−−−−−−−
udld Disabled
bpduguard Disabled
security-violation Disabled
channel-misconfig Disabled
pagp-flap Disabled
dtp-flap Disabled
link-flap Disabled
l2ptguard Disabled
psecure-violation Disabled
gbic-invalid Disabled
dhcp-rate-limit Disabled
mac-limit Disabled
unicast-flood Disabled
arp-inspection Disabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Interface Errdisable reason Time left(sec)
−−−−−−−−− −−−−−−−−−−−−−−−−−−−−− −−−−−−−−−−−−−−
Fa2/4 bpduguard 273
默認(rèn)情況下超時(shí)特性是禁用的.如下是啟用errdisable recovery并選擇相應(yīng)的條件:
NUAIKO#errdisable recovery cause ?
其中?對(duì)應(yīng)show errdisable recovery的輸出內(nèi)容中"ErrDisable Reason"一項(xiàng).如下:
NUAIKO#show errdisable recovery
ErrDisable Reason Timer Status
−−−−−−−−−−−−−−−−− −−−−−−−−−−−−−−
udld Disabled
bpduguard Enabled
security-violation Disabled
channel-misconfig Disabled
pagp-flap Disabled
dtp-flap Disabled
link-flap Disabled
l2ptguard Disabled
psecure-violation Disabled
gbic-invalid Disabled
dhcp-rate-limit Disabled
mac-limit Disabled
unicast-flood Disabled
arp-inspection Disabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Interface Errdisable reason Time left(sec)
−−−−−−−−− −−−−−−−−−−−−−−−−−−−−− −−−−−−−−−−−−−−
Fa2/4 bpduguard 273
注意上面的輸出內(nèi)容,可以看出BPDU Guard是引起Fa2/4進(jìn)入err-disabled狀態(tài)的原因.當(dāng)任意errdisable條件被啟用,默認(rèn)300秒后將重新啟用該端口.該時(shí)間可以通過(guò)errdisable recovery interval {sec}進(jìn)行修改.
最后,還請(qǐng)轉(zhuǎn)載者保留作者信息:
作者:紅頭發(fā)(aka CCIE#15101/JNCIP Candidate)
出處:http://www.91lab.com |
|
免費(fèi)注冊(cè)
發(fā)表于 2007-03-06 15:32
