Fixing a hung (err-disabled) port on a Cisco switch

2013-04-27 15:18:07    Category: Network and Security

One of my 3750G switches connects to a 2960 switch over single-mode fiber. This morning the network between them went down, and the SFP module LEDs on both the 3750G and the 2960 were off. The log on the Cisco 3750G showed the following:

    Apr 27 05:22:03: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
    Apr 27 05:22:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
    Apr 27 05:22:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
    Apr 27 05:23:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
    Apr 27 05:23:54: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
    Apr 27 05:24:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
    Apr 27 05:24:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
    Apr 27 05:24:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
    Apr 27 05:24:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
    Apr 27 05:24:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
    Apr 27 05:24:58: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
    Apr 27 05:25:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
    Apr 27 05:25:02: %LINK-3-UPDOWN: Interface GigabitEthernet1/1/1, changed state to down
    Apr 27 05:25:04: %LINK-3-UPDOWN: Interface GigabitEthernet1/1/1, changed state to up
    Apr 27 05:25:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to up
    Apr 27 05:25:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1/1, changed state to down
    Apr 27 05:25:14: %PM-4-ERR_DISABLE: link-flap error detected on Gi1/1/1, putting Gi1/1/1 in err-disable state
    Apr 27 05:25:15: %LINK-3-UPDOWN: Interface GigabitEthernet1/1/1, changed state to down

The fix was as follows:

    conf t
    int gi1/1/1
    shut
    no shut
    end

OK!!!

References I consulted on link-flap and err-disable:

http://www.net130.com/cms/Pub/Tech/tech_zh/2010_11_07_20606.htm
http://shanliren.blog.51cto.com/159454/165595

Cisco's description of link-flap on its website:

Link-flap error

Link flap means that the interface continually goes up and down. The interface is put into the errdisabled state if it flaps more than five times in 10 seconds. The common cause of link flap is a Layer 1 issue such as a bad cable, duplex mismatch, or bad Gigabit Interface Converter (GBIC) card. Look at the console messages or the messages that were sent to the syslog server that state the reason for the port shutdown.

My translation:

Link flap means that the interface continually goes up and down. If an interface goes up/down more than 5 times within 10 seconds, it is put into the errdisable state. Link flap is caused by Layer 1 problems such as a cable fault, a duplex mismatch, or a faulty Gigabit GBIC card. Check the console or the logs on the syslog server to find the reason the port was shut down.

With this problem in front of us, we have to take the switch-port "hang" phenomenon seriously and look for a way to "rescue" the port without rebooting the switch.

Rescue step 1: check the log and the port status

After logging in to the switch, run show log and you will see messages like these:

    21w6d: %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on FastEthernet0/20.
    21w6d: %PM-4-ERR_DISABLE: loopback error detected on Fa0/20, putting Fa0/20 in err-disable state

These messages state clearly that a loop was detected on port 20, so the port was put into the err-disable state.

Check the port status:

    Switch# show inter fa0/20 status
    Port    Name                Status        Vlan  Duplex  Speed  Type
    Fa0/20  link to databackup  err-disabled  562   auto    auto   10/100BaseTX

This output shows even more clearly that the port is in the err-disabled state.

Now that we can see the port has been put into an error state, there should be a way to bring it back to normal.

Rescue step 2: recover the port from the error state

Enter global configuration mode on the switch and run errdisable recovery cause ? to see the following:

    Switch(config)#errdisable recovery cause ?
      all                 Enable timer to recover from all causes
      bpduguard           Enable timer to recover from BPDU Guard error disable state
      channel-misconfig   Enable timer to recover from channel misconfig disable state
      dhcp-rate-limit     Enable timer to recover from dhcp-rate-limit error disable state
      dtp-flap            Enable timer to recover from dtp-flap error disable state
      gbic-invalid        Enable timer to recover from invalid GBIC error disable state
      l2ptguard           Enable timer to recover from l2protocol-tunnel error disable state
      link-flap           Enable timer to recover from link-flap error disable state
      loopback            Enable timer to recover from loopback detected disable state
      pagp-flap           Enable timer to recover from pagp-flap error disable state
      psecure-violation   Enable timer to recover from psecure violation disable state
      security-violation  Enable timer to recover from 802.1x violation disable state
      udld                Enable timer to recover from udld error disable state
      unicast-flood       Enable timer to recover from unicast flood disable state
      vmps                Enable timer to recover from vmps shutdown error disable state

The list of options shows that a great many causes can put a port into the error state. Since we know for certain that the ports on this switch were put into the error state by a loop, we can simply enter the command:

    Switch(config)#errdisable recovery cause loopback

Yes, one simple command solved a problem that had troubled us for a long time. It really is that magical. So how do we verify that the command has taken effect?

Rescue step 3: display the recovery status of ports in the error state

    Switch# show errdisable recovery
    ErrDisable Reason    Timer Status
    -----------------    --------------
    udld                 Disabled
    bpduguard            Disabled
    security-violatio    Disabled
    channel-misconfig    Disabled
    vmps                 Disabled
    pagp-flap            Disabled
    dtp-flap             Disabled
    link-flap            Disabled
    gbic-invalid         Disabled
    l2ptguard            Disabled
    psecure-violation    Disabled
    gbic-invalid         Disabled
    dhcp-rate-limit      Disabled
    unicast-flood        Disabled
    loopback             Enabled

    Timer interval: 300 seconds

    Interfaces that will be enabled at the next timeout:

    Interface    Errdisable reason    Time left(sec)
    ---------    -----------------    --------------
    Fa0/8        loopback             276
    Fa0/17       loopback             267
    Fa0/20       loopback             250
The output above shows that three ports on this switch (Fa0/8, Fa0/17 and Fa0/20) will return to the normal state after 276, 267 and 250 seconds respectively. That is what actually happened: after waiting a few minutes, we took a laptop, plugged it into each of these ports in turn, and every port worked normally. So we finally "rescued" several "hung" ports without rebooting the switch.

----------------------------------------

The above is a method, provided by a netizen, for fixing hung ports on Cisco switches. It works, but having to recover the port by hand after every hang is a bit of a nuisance.

There is also a way to have the switch recover automatically after this kind of hang.

Here I supplement the netizen's content above with the configuration that lets a Cisco switch recover hung ports automatically.

In privileged mode, configure the following:

    errdisable recovery cause udld
    errdisable recovery cause bpduguard
    errdisable recovery cause security-violation
    errdisable recovery cause channel-misconfig
    errdisable recovery cause pagp-flap
    errdisable recovery cause dtp-flap
    errdisable recovery cause link-flap
    errdisable recovery cause sfp-config-mismatch
    errdisable recovery cause gbic-invalid
    errdisable recovery cause l2ptguard
    errdisable recovery cause psecure-violation
    errdisable recovery cause dhcp-rate-limit
    errdisable recovery cause unicast-flood
    errdisable recovery cause vmps
    errdisable recovery cause storm-control
    errdisable recovery cause inline-power
    errdisable recovery cause arp-inspection
    errdisable recovery cause loopback

All of the above are conditions that put a port into the hung state. Configuring them lets the port recover automatically after it hangs.

    %PM-4-ERR_DISABLE: link-flap error detected on Gi4/1, putting Gi4/1 in err-disable state

Issue this command in order to view the flap values:

    cat6knative#show errdisable flap-values
    !--- Refer to show errdisable flap-values for more information on the command.
    ErrDisable Reason    Flaps    Time (sec)
    -----------------    ------   ----------
    pagp-flap            3        30
    dtp-flap             3        30
    link-flap            5        10

Troubleshooting interfaces in the err-disable state

Symptoms

The line is down, and the physical LED is off or amber (LED behaviour differs between platforms).

The show interface output shows the interface state:

    FastEthernet0/47 is down, line protocol is down (err-disabled)

The interface state is err-disable.

    sw1#show interfaces status
    Port    Name  Status        Vlan  Duplex  Speed  Type
    Fa0/47        err-disabled  1     auto    auto   10/100BaseTX

If an interface is in the err-disable state, the show interfaces status err-disabled command shows what triggered err-disable.

In the example below the cause is bpduguard: spanning-tree bpduguard enable was configured on a port that had a switch connected to it.

    sw1#show interfaces status err-disabled
    Port    Name  Status        Reason
    Fa0/47        err-disabled  bpduguard

The causes that can put an interface into err-disable can be listed with the following command. In the system default configuration, every listed cause can put an interface into err-disable.

    sw1#show errdisable detect
    ErrDisable Reason    Detection status
    -----------------    ----------------
    udld                 Enabled
    bpduguard            Enabled
    security-violatio    Enabled
    channel-misconfig    Enabled
    psecure-violation    Enabled
    dhcp-rate-limit      Enabled
    unicast-flood        Enabled
    vmps                 Enabled
    pagp-flap            Enabled
    dtp-flap             Enabled
    link-flap            Enabled
    l2ptguard            Enabled
    gbic-invalid         Enabled
    loopback             Enabled
    dhcp-rate-limit      Enabled
    unicast-flood        Enabled

From the list we can see that the common causes include udld, bpduguard, link-flap and loopback.

Which cause put the current interface into err-disable can be seen with show interface status err-disable.

To re-activate the interface manually, use shutdown followed by no shutdown in interface mode.

In the default configuration, once an interface has been put into err-disable, IOS will not try to recover it.

This can be checked with show errdisable recovery: every value under timer status is disable.

In the example below, bpduguard recovery was configured by hand, so its timer status value has changed to Enable.

    sw1#show errdisable recovery
    ErrDisable Reason    Timer Status
    -----------------    --------------
    udld                 Disabled
    bpduguard            Enabled
    security-violatio    Disabled
    channel-misconfig    Disabled
    vmps                 Disabled
    pagp-flap            Disabled
    dtp-flap             Disabled
    link-flap            Disabled
    l2ptguard            Disabled
    psecure-violation    Disabled
    gbic-invalid         Disabled
    dhcp-rate-limit      Disabled
    unicast-flood        Disabled
    loopback             Disabled

    Timer interval: 300 seconds

    Interfaces that will be enabled at the next timeout:

    Interface    Errdisable reason    Time left(sec)
    ---------    -----------------    --------------
    Fa0/47       bpduguard            217
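With a recovery timer enabled, a port shut by BPDU Guard or port security returns to service after the interval just like one shut for link-flap. The Python below is an added example, not part of the original post: it parses show errdisable recovery output in the layout shown above and reports which protection-feature causes have a timer enabled and which ports are about to be re-enabled for them. The sample text and the POLICY_CAUSES grouping are assumptions of this example.

```python
import re

# Constructed sample in the layout of `show errdisable recovery` on this page.
SAMPLE = """\
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Enabled
security-violatio    Disabled
psecure-violation    Enabled
link-flap            Enabled
loopback             Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface    Errdisable reason    Time left(sec)
---------    -----------------    --------------
Fa0/47       bpduguard            217
Fa0/12       link-flap            41
"""

# Causes raised by a protection feature rather than a Layer 1 fault. The
# grouping is this example's assumption. IOS truncates the reason column,
# hence "security-violatio".
POLICY_CAUSES = {"bpduguard", "psecure-violation", "security-violatio",
                 "dhcp-rate-limit", "arp-inspection"}

def audit(output):
    """Return (interval_sec, enabled policy causes, pending policy ports)."""
    interval = int(re.search(r"Timer interval:\s*(\d+)", output).group(1))
    timers = re.findall(r"^(\S+)[ \t]+(Enabled|Disabled)[ \t]*$", output, re.M)
    enabled = {cause for cause, status in timers if status == "Enabled"}
    pending = re.findall(r"^(\S+)[ \t]+(\S+)[ \t]+(\d+)[ \t]*$", output, re.M)
    return (interval,
            sorted(enabled & POLICY_CAUSES),
            [(port, cause, int(left)) for port, cause, left in pending
             if cause in POLICY_CAUSES])

if __name__ == "__main__":
    interval, causes, ports = audit(SAMPLE)
    print(f"timer {interval}s re-enables policy causes: {causes}")
    for port, cause, left in ports:
        print(f"{port} ({cause}) returns to service in {left}s")
```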
To have IOS re-activate errdisabled interfaces, use the following commands:

    sw1(config)#errdisable recovery cause bpduguard
    sw1(config)#errdisable recovery cause ?
      all                 Enable timer to recover from all causes
      bpduguard           Enable timer to recover from BPDU Guard error disable state
      channel-misconfig   Enable timer to recover from channel misconfig disable state
      dhcp-rate-limit     Enable timer to recover from dhcp-rate-limit error disable state
      dtp-flap            Enable timer to recover from dtp-flap error disable state
      gbic-invalid        Enable timer to recover from invalid GBIC error disable state
      l2ptguard           Enable timer to recover from l2protocol-tunnel error disable state
      link-flap           Enable timer to recover from link-flap error disable state
      loopback            Enable timer to recover from loopback detected disable state
      pagp-flap           Enable timer to recover from pagp-flap error disable state
      psecure-violation   Enable timer to recover from psecure violation disable state
      security-violation  Enable timer to recover from 802.1x violation disable state
      udld                Enable timer to recover from udld error disable state
      unicast-flood       Enable timer to recover from unicast flood disable state
      vmps                Enable timer to recover from vmps shutdown error disable state

Once these commands are configured, IOS tries to recover an err-disabled interface after a period of time. The default period is 300 seconds.

However, if the source of the err-disable has not been eliminated, the interface will be put into err-disable again after it recovers.

To adjust the err-disable timeout, use the following command:

    sw1(config)#errdisable recovery interval ?
      <30-86400>  timer-interval(sec)

It can be set from 30 to 86400 seconds; the default is 300 seconds.

If the cause of the err-disable is udld, the following command is very useful:

    sw1#udld reset
    No ports are disabled by UDLD.

When an interface is put into err-disable, a series of log messages is usually generated, as follows:

    *Mar 15 15:47:19.984: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/47 with BPDU Guard enabled. Disabling port.
    sw1#
    *Mar 15 15:47:19.984: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/47, putting Fa0/47 in err-disable state
    sw1#
    *Mar 15 15:47:21.996: %LINK-3-UPDOWN: Interface FastEthernet0/47, changed state to down

Collecting these logs is also very useful.

It is therefore recommended to configure a syslog server to collect the log messages.

    sw1#show interfaces status
    Port Name Status Vlan Du...
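An added example (not part of the original post) for the syslog collection recommended above: Python that extracts %PM-4-ERR_DISABLE events from collected logs and reports ports that keep re-entering err-disable, which is what automatic recovery looks like when the root cause has not been fixed. The sample lines are constructed from the messages quoted on this page; the year, the 3-hit threshold and the one-hour window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the syslog lines quoted on this page.
SAMPLE_LOG = """\
*Mar 15 15:47:19.984: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/47 with BPDU Guard enabled. Disabling port.
*Mar 15 15:47:19.984: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/47, putting Fa0/47 in err-disable state
*Mar 15 15:52:25.101: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/47, putting Fa0/47 in err-disable state
*Mar 15 15:57:31.240: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/47, putting Fa0/47 in err-disable state
Apr 27 05:25:14: %PM-4-ERR_DISABLE: link-flap error detected on Gi1/1/1, putting Gi1/1/1 in err-disable state
"""

# Lines stamped with uptime ("21w6d:") carry no date and are skipped.
EVENT = re.compile(
    r"\*?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: "
    r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),"
)

def parse_events(text, year=2013):
    """Return [(timestamp, port, cause)]. IOS timestamps omit the year by
    default, so the caller supplies one (assumption)."""
    events = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["port"], m["cause"]))
    return events

def recurring(events, min_hits=3, window=timedelta(hours=1)):
    """Return {(port, cause): hits} for ports err-disabled at least min_hits
    times inside `window`. Both thresholds are assumptions to tune."""
    by_key = defaultdict(list)
    for ts, port, cause in sorted(events):
        by_key[(port, cause)].append(ts)
    found = {}
    for key, stamps in by_key.items():
        for i, start in enumerate(stamps):
            hits = sum(1 for t in stamps[i:] if t - start <= window)
            if hits >= min_hits:
                found[key] = max(found.get(key, 0), hits)
    return found

if __name__ == "__main__":
    for (port, cause), hits in recurring(parse_events(SAMPLE_LOG)).items():
        print(f"{port}: err-disabled {hits}x for {cause}; fix the cause")
```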
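Enable the errdisable feature so that you can use show errdisable to see what triggered errdisable, then resolve the problem according to that information.

If you do not want to interrupt service, first run no errdisable detect cause loopback and do a no sh on the ports that have already died. If everything then works, it is certainly a loop. You can find time later to check the suspect switch by the unplug-and-replug method, pulling the network cables one at a time. Of course there is a more efficient way: look at the status of all the RJ45 and Gi ports on the problem switch; whichever one shows errdisable information is the one with the problem.

    switch#show interfaces status err-disabled
    Port    Name                Status        Reason
    Fa0/22                      err-disabled  link-flap
    Fa0/37  For office in 100K  err-disabled  link-flap
    Fa0/41  unknow              err-disabled  link-flap
    Fa0/42  Training Dc066      err-disabled  link-flap
    Fa0/45  Production line VM  err-disabled  link-flap

    switch#show errdisable detect
    ErrDisable Reason    Detection status
    -----------------    ----------------
    pagp-flap            3       30
    dtp-flap             3       30
    link-flap            5       10

(link-flap: this is caused by poor link quality)

To turn off errdisable detect:

    switch#no errdisable detect cause all

Several common causes of err-disable on switch interfaces:

1. EtherChannel misconfiguration
2. Duplex mismatch
3. BPDU port guard
4. UDLD
5. Link-flap error
6. Loopback error
7. Port security violation

First, err-disable occurs when the FEC configuration on the two ends does not match. Suppose Switch A has its FEC mode configured as on. Switch A then does not send PAgP packets to negotiate FEC with the connected Switch B; it assumes that Switch B already has FEC configured. In fact Switch B has no FEC configured. Once Switch B has been in this state for more than 1 minute, STP on Switch A concludes that a loop has appeared, and err-disable follows. The fix is to configure the FEC mode as channel-group 1 mode desirable non-silent, which means the channel is built only after both sides negotiate FEC successfully; otherwise the interfaces stay in the normal state.

The second cause is a duplex mismatch. When one end is configured as half-duplex, it checks whether the peer is transmitting data, and only when the peer stops transmitting does it send an ack-like packet to bring the link up. But the peer is configured as full-duplex and does not care whether the link is idle; it just keeps sending requests to bring the link up. If this goes on, the link state becomes err-disable.

The third cause is BPDU, that is, it relates to portfast and BPDU guard. If an interface is configured with portfast, the interface is meant to connect to a PC. A PC does not send spanning-tree BPDU frames, so this port is not expected to receive BPDUs for building the spanning tree. The administrator, with good intentions, also configures BPDU guard on the same interface to block unknown BPDU frames and improve security. But then someone carelessly connects a switch to this interface that has both portfast and BPDU guard configured, so the interface receives a BPDU frame, and because BPDU guard is configured the interface naturally goes into the err-disable state. The fix: no spanning-tree portfast bpduguard default, or simply turn portfast off.

The fourth cause is UDLD. UDLD is a Cisco-proprietary Layer 2 protocol used to detect unidirectional link problems. Sometimes the physical layer is up but the link layer is down, and UDLD is needed to check whether the link is really up. When both ends A and B have UDLD configured, A sends B a UDLD frame containing its own port id; B, on receiving it, returns a UDLD frame that includes the port id it received from A. When A receives this frame and finds its own port id in it, it considers the link good. Otherwise the port goes into the err-disable state. Suppose A has UDLD configured and B does not: A sends B a frame containing its own port id, B does not know what this frame is and so does not return a UDLD frame containing A's port id. A then considers the link unidirectional and naturally goes into the err-disable state.

The fifth cause is link flapping: when a link goes up and down five times within 10 seconds, it enters the err-disable state.

The sixth cause is keepalive loopback. Before 12.1EA, the switch by default sends keepalive messages on all interfaces. Because spanning-tree negotiation between some different switches may have problems, an interface may receive the keepalive it sent out itself, and that interface then becomes err-disable. The fix is to turn keepalive off, or to upgrade IOS to 12.2SE.

The last cause is relatively simple: it is the result of configuring port-security violation shutdown.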