大家来讨论下这个两台Catalyst4503做HSRP的奇怪问题-附拓扑

目前的情况如下：防火墙双机，在防火墙上做透明，内部全部是校园网地址并且是一个网段（暂时使用），4503的地址是251，4503-2的地址是252，虚拟地址是250，45下面的服务器双千兆网卡邦定分别连到4503，4503做hsrp，4503中间有一对光纤连接，
问题如下：从服务器上面ping虚拟地址250，时通时不通，如果关掉一台4503，切换正常，而且可以一直ping通，如果再打开的话，过了几十分钟，又不通了，在45上面用clear arp的命令，通了有不到10个ping包，继续不通，在校园网内的任何地址都可以ping通250，在4503-1上面用show spanning-tree detail查看，发现4503-1上面和另外一台4503连接的端口gi3/1状态blocking，说明他们目前协商包是通过上面的防火墙来传递的，就是在ping不通的时候，我通过debug standby
查看协商，包也是正常的，in  out
可能情况：1、ios的bug
          2、服务器---〉4503——〉服务器中间 出现环路，网络不稳定
一些配置：
CISCO4503-1#show standby
Vlan2 - Group 1
  Local state is Active, priority 180, may preempt
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 0.528
  Virtual IP address is 202.197.191.250 configured
  Active router is local
  Standby router is 202.197.191.252 expires in 7.784
  Virtual mac address is 0000.0c07.ac01
  1 state changes, last state change 00:41:49
  IP redundancy name is "hsrp-Vl2-1" (default)
CISCO4503-1#show span
CISCO4503-1#show spanning-tree de
VLAN0002 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 2, address 0012.dabc.1600
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 32768, address 0011.bc64.d402
  Root port is 131 (GigabitEthernet3/3), cost of root path is 8
  Topology change flag not set, detected flag not set
  Number of topology changes 6 last change occurred 00:21:58 ago
          from GigabitEthernet3/6
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300
Port 2 (GigabitEthernet1/2) of VLAN0002 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.2.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.2, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1288, received 0
  Port 4 (GigabitEthernet1/4) of VLAN0002 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.4.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.4, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 1288, received 0
Port 8 (GigabitEthernet1/8) of VLAN0002 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.8.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.8, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 1289, received 0
Port 129 (GigabitEthernet3/1) of VLAN0002 is blocking
  Port path cost 4, Port priority 128, Port Identifier 128.129.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.129, designated path cost 8
   Timers: message age 2, forward delay 0, hold 0
   Number of transitions to forwarding state: 0
   Link type is point-to-point by default
   BPDU: sent 1, received 1286
Port 131 (GigabitEthernet3/3) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.131.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32769, address 0090.fb01.6e92
   Designated port id is 128.4, designated path cost 4
   Timers: message age 1, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 6, received 1290
Port 132 (GigabitEthernet3/4) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.132.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.132, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1290, received 0
Port 134 (GigabitEthernet3/6) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.134.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.134, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 683, received 0
Port 135 (GigabitEthernet3/7) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.135.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.135, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1290, received 0
Port 136 (GigabitEthernet3/8) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.136.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.136, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1290, received 0
Port 138 (GigabitEthernet3/10) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.138.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.1600
   Designated port id is 128.138, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1290, received 0
4503-2的配置：
how spn an
VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    32768
             Address     0011.bc64.d402
             Cost        8
             Port        131 (GigabitEthernet3/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0012.dabc.15c0
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi1/1            Desg FWD 19        128.1    P2p
Gi3/1            Desg FWD 4         128.129  P2p
Gi3/3            Root FWD 4         128.131  P2p
Gi3/4            Desg FWD 4         128.132  Edge P2p
Gi3/5            Desg FWD 4         128.133  Edge P2p
Gi3/6            Desg FWD 4         128.134  Edge P2p
Gi3/7            Desg FWD 4         
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi3/9            Desg FWD 4         128.137  Edge P2p
CISCO4503-2#show span
CISCO4503-2#show spanning-tree de
VLAN0002 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 2, address 0012.dabc.15c0
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 32768, address 0011.bc64.d402
  Root port is 131 (GigabitEthernet3/3), cost of root path is 8
  Topology change flag not set, detected flag not set
  Number of topology changes 6 last change occurred 00:23:51 ago
          from GigabitEthernet1/3
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300
Port 1 (GigabitEthernet1/1) of VLAN0002 is forwarding
   Port path cost 19, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.1, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 31588, received 0
  Port 129 (GigabitEthernet3/1) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.129.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.129, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1151, received 1
Port 131 (GigabitEthernet3/3) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.131.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32769, address 0090.fb01.6e92
   Designated port id is 128.3, designated path cost 4
   Timers: message age 1, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 6, received 31591
Port 132 (GigabitEthernet3/4) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.132.
   Designated root has priority 32768, address 0011.bc64.d402
Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.132, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 2977, received 0
Port 133 (GigabitEthernet3/5) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.133.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.133, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 31591, received 0
Port 134 (GigabitEthernet3/6) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.134.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.134, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 31591, received 0
Port 135 (GigabitEthernet3/7) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.135.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.135, designated path cost 8
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 806, received 0
Port 137 (GigabitEthernet3/9) of VLAN0002 is forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.137.
   Designated root has priority 32768, address 0011.bc64.d402
   Designated bridge has priority 32770, address 0012.dabc.15c0
   Designated port id is 128.137, designated path cost 8
    Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is point-to-point by default
   BPDU: sent 1258, received 0
CISCO4503-2#  show span
CISCO4503-2#show spanning-tree roo
                                        Root Hello Max Fwd
Vlan                   Root ID          Cost  Time Age Dly  Root Port
---------------- -------------------- ------ ----- --- ---  ----------------
VLAN0002         32768 0011.bc64.d402542789000    2   20  15  Gi3/3

难道没人来看看?？？？
交流也不敢？？　　　woshihaike
来看看　　说说

由图可看出这套方案为级联多个二级交换机的结构
足以负担沉重的数据传输量
VLAN依靠用户的逻辑设定将原来物理上互连的一个局域网络划分为多个虚拟网段
划分的依据可为设备所连的端口、用户节点的MAC地址等
划分的结果个人觉得怪怪的
还请 慕容 兄指教！

是防火墙的事.本人上半年也碰到了类似这样的情况.估计代理没做好导致的
因为不清楚你防火墙的规划,所以才估计,也不能肯定是不是ios的原因,但出现的环路是不可能的.
小坏说的那点我认为不至于把,如果这样的数据量就如此的话,肯定是水货了.
慕容兄,你可不可以把防火墙坼了,在如此配置下.我也期待把问题彻底搞明白~~
ps:慕容,下次不要点名叫偶了,偶现在不是经常在线,也要向你学习考IE的安全啊~

因为没人理我~所以……
这个问题是我们几个朋友的同学做的时候出来了~下面我说下我的看发

首先服务器都是双网卡绑定,服务器双网卡的模式是做成出错冗余方式,还是负载均衡方式,还是链路汇聚方式?这几种方式协议标准和工作方式都是有区别的,当然有些也是要交换机也支持,就比如链路汇聚一样,所以我初步估计是在服务器那边做了链路汇聚或负载均衡,而交换机那边的端口又没有正确配置.

[这个贴子最后由慕容豪情在 2005/08/11 06:19pm 第 1 次编辑]

不过还应该注意到4503-1里面的3/1（对端连的是另外一台4503）端口已经bloking掉了，之所以bloking之后两台45还可以协商主备信息，是由于协商包走的是上面的防火墙，防火墙上面还有一台6506，这样6506（root） 与两台4503组成一个环路，就把3/1bloking掉了，我把4503的priority改为4096让它成为根交换机，这样问题就解决了，此时standby信息走的才是中间的级联线。

还有一种意见是
1.对服务器接入这个区域建议采用802.1ad来做
2.防火墙是HA模式有个问题是只有一台墙处于主模式,根据图上的连接方式很难保证来去路径一致,所以违背了防火墙的基本工作原理,为了解决这个问题建议严格控制链路的COST.
3.4503在这样的环境下建议采用VRRP的方式
4.网络设计违背设计原则-----防火墙成为了网络的核心!
5.防火墙是否支持OSPF或者802.1ad协议?可以通过别的方式解决.

看看大家还有什么意见没

不对把,6506（root） 与两台4503组成一个环路，就把3/1bloking掉了,请问这样防火墙的规则怎么设置啊~~~是不是有点智能了.

早说下面的方法撒,搞的偶思考了半天.
不过好象更麻烦~~~
我觉得你这个图是以防火墙为中心.
个人认为,让两台4503进出防火墙都走一条线,虽然数据量变大了,但cisco的设备不成问题.

这个我也做不了这个施工~~看他们了~~~
不过我以前见的类似的问题是  通过我说的那个方法解决的~~
等他试验完了，我来告诉大家

总理支持你，多发