
Cisco Switch Interface err-disable: Analysis and Solution

I. Topology:

 

  

 

 

II. Symptoms:

 

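1.  Port LED status on the 2960 switch: on site, the LED was frequently seen turning amber; after a while, the LED of the 2960 uplink port went out, and the entire uplink port module stopped functioning correctly.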

 

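2. Once an interface is placed in err-disable, it does not return to normal on its own; the port has to be re-enabled manually (no shutdown), but after about 10 minutes the fault recurs;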

 

3. Fault information collected:

 

Log messages:

 

*Mar  1 13:16:04.128: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet0/4.

 

*Mar  1 13:16:04.128: %PM-4-ERR_DISABLE: loopback error detected on Gi0/4, putting Gi0/4 in err-disable state

 

*Mar  1 13:16:05.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to down

 

*Mar  1 13:16:05.235: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down

 

*Mar  1 13:16:05.252: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down

 

*Mar  1 13:16:06.158: %LINK-3-UPDOWN: Interface GigabitEthernet0/4, changed state to down

 

*Mar  1 13:16:06.259: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down

 

Status of the faulty port:

 

No12_21F_X#sh inter gi 0/4

 

GigabitEthernet0/4 is down, line protocol is down (err-disabled)

 

  Hardware is Gigabit Ethernet, address is 9caf.caa7.9cb4 (bia 9caf.caa7.9cb4)

 

  Description: connect to ibahn router

 

  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,

 

  Reliability 255/255, txload 1/255, rxload 1/255

 

  Encapsulation ARPA, loopback not set

 

  Keepalive set (10 sec)

 

  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX

 

  Input flow-control is off, output flow-control is unsupported

 

  ARP type: ARPA, ARP Timeout 04:00:00

 

  Last input 00:46:56, output 00:46:37, output hang never

 

  Last clearing of "show interface" counters never

 

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

 

  Queueing strategy: fifo

 

  Output queue: 0/40 (size/max)

 

  5 minute input rate 0 bits/sec, 0 packets/sec

 

  5 minute output rate 0 bits/sec, 0 packets/sec

 

   28438 packets input, 17479611 bytes, 0 no buffer

 

   Received 28426 broadcasts (773 multicasts)

 

   0 runts, 0 giants, 0 throttles

 

   0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

 

   0 watchdog, 773 multicast, 0 pause input

 

   0 input packets with dribble condition detected

 

   248 packets output, 31625 bytes, 0 underruns

 

   0 output errors, 0 collisions, 5 interface resets

 

   0 babbles, 0 late collision, 0 deferred

 

   0 lost carrier, 0 no carrier, 0 PAUSE output

 

   0 output buffer failures, 0 output buffers swapped out

 

 

III. Fault analysis:

 

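1.  From the log and the interface information, it can be determined that the downlink port Gi0/4 has a single-port loop, which caused the port to be disabled (err-disabled). (This happens when a single cable is used to interconnect two downlink ports of a hub.)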

 

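2.  A loopback error occurs when a keepalive sent out of a switch port is received back on that same interface. By default the switch sends keepalives out of all ports. Because STP failed to block certain ports, these messages can be forwarded back and form a logical loop. When this happens, the port enters the err-disabled state, for example: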


   loopback error detected on Gi0/4, putting Gi0/4 in err-disable state

 

 

IV. Fault localization:

 

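1.  The cables on all downlink ports of the H3C switch were unplugged, leaving only the link to the 2960 port upstream; the LEDs and interface status were observed and showed no anomaly;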

 

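2.  The cables connecting the H3C switch to the corresponding apartment-building ports were plugged back in one at a time (about 20 cables) while the port status was watched. When port gi 1/0/13 was connected, the fault recurred. With that cable unplugged and the remaining ports connected to the H3C switch, there was no anomaly. From this it can be concluded that there is a loop on H3C switch interface gi 1/0/13.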

 

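3.  Tracing H3C switch port Gi1/0/13 then showed that a customer in the apartment building had interconnected the downlink ports of a hub with a single cable. This created a single-port loop and the err-disabled state on the 2960, which cut off the network for all users downstream of the 2960.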

 

 

V. Workarounds:

 

1.  Disable the keepalive mechanism (no keepalive). Not recommended, because it does not resolve the loop at its root;

 

2.  Upgrade IOS to 12.2SE. The current IOS is Version 12.2(46)SE, so no IOS upgrade is needed;

 

3.  Turn off err-disable detection with no errdisable detect cause loopback. Not recommended, because it does not resolve the loop at its root;

 

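4.  IOS attempts to recover an interface that has been placed in err-disable after a period of time; this period defaults to 300 seconds.


However, if the source of the err-disable has not been eliminated, the interface will be placed in err-disable again after it recovers.


To adjust the err-disable timeout, use the following command: (config)#errdisable recovery interval 30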
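Because a port that recovers while the loop is still attached is err-disabled again, repeated %PM-4-ERR_DISABLE events for the same port and cause are a useful signal in collected switch logs. The following is an added example, not part of the original article: it parses log lines in the format shown in section II and flags such ports. The sample log is constructed, and the function names, the 30-minute window and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the first three lines follow the article's log format; the
# later entries are invented to model a port re-enabled with the loop still present.
SAMPLE_LOG = """\
*Mar  1 13:16:04.128: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet0/4.
*Mar  1 13:16:04.128: %PM-4-ERR_DISABLE: loopback error detected on Gi0/4, putting Gi0/4 in err-disable state
*Mar  1 13:16:05.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/4, changed state to down
*Mar  1 13:26:10.301: %PM-4-ERR_DISABLE: loopback error detected on Gi0/4, putting Gi0/4 in err-disable state
*Mar  1 13:36:12.877: %PM-4-ERR_DISABLE: loopback error detected on Gi0/4, putting Gi0/4 in err-disable state
*Mar  1 14:02:00.000: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/7, putting Gi0/7 in err-disable state
"""

ERR_DISABLE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: %PM-4-ERR_DISABLE: "
    r"(?P<cause>\S+) error detected on (?P<port>\S+),"
)

def parse_events(log_text):
    """Return (timestamp, port, cause) for every %PM-4-ERR_DISABLE line."""
    events = []
    for line in log_text.splitlines():
        m = ERR_DISABLE.match(line.strip())
        if m:
            # These IOS timestamps carry no year; strptime defaults it to 1900.
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            events.append((ts, m["port"], m["cause"]))
    return events

def recurring_ports(events, window=timedelta(minutes=30), threshold=3):
    """Map (port, cause) -> event count where >= threshold events fit in window."""
    by_key = defaultdict(list)
    for ts, port, cause in events:
        by_key[(port, cause)].append(ts)
    flagged = {}
    for key, stamps in by_key.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[key] = len(stamps)
                break
    return flagged

if __name__ == "__main__":
    for (port, cause), n in recurring_ports(parse_events(SAMPLE_LOG)).items():
        print(f"{port}: {n} x err-disable ({cause}), cause still present")
```

A port flagged here should be traced physically, as in section IV, rather than repeatedly re-enabled.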

 

 

VI. Follow-up:

 

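Inform the property owner that, when connecting a hub, a single cable must not be used to connect two of its downlink ports, and two incoming lines must not be connected to the hub at the same time.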