简介
本文档介绍如何在Nexus 9000上发生mac移动时进行故障排除以及如何防止发生移动。
先决条件
背景信息
2018 Nov 14 15:53:26.943 N9K %-SLOT1-5-BCM_L2_LEARN_DISABLE: MAC Learning Disabled unit=0
2018 Nov 14 15:53:27.769 N9K %-SLOT1-5-BCM_L2_LEARN_ENABLE: MAC Learning Enabled unit=0
您了解了mac学习的概念,以及交换机收到帧后如何在交换机上维护表,并将发送方的MAC地址与收到该地址的LAN端口相关联。在环路情况下,可能会通过交换机上的两个不同端口获知相同的MAC。
拓扑
+-----------+ Po6 +------------+
| N9K_1 +----------+ N9K_2 |
| +----------+ |
+-----------+ +--+---------+
1/3 | | 2/1
| |
| |
+-+---------------+--+
| Server |
+--------------------+
0000.117d.e02e
如何进行故障排除
当BCM ASIC在短时间内获取过多的MAC地址时,BCM_USD可以在硬件中禁用/启用MAC学习,您可以看到此消息出现。如果mac移动/摆动/循环过多或新的mac学习/移动超过某个阈值,则可能会造成这种情况。默认情况下,在Nexus9K上,您看不到明确告诉您交换机经历mac-moves的日志。但是,如果这些移动量很大,您最终会看到这些日志。
2018 Nov 14 15:53:26.943 N9K %-SLOT1-5-BCM_L2_LEARN_DISABLE: MAC Learning Disabled unit=0
2018 Nov 14 15:53:27.769 N9K %-SLOT1-5-BCM_L2_LEARN_ENABLE: MAC Learning Enabled unit=0
2018 Nov 14 15:53:27.863 N9K %-SLOT1-5-BCM_L2_LEARN_DISABLE: MAC Learning Disabled unit=0
2018 Nov 14 15:53:28.770 N9K %-SLOT1-5-BCM_L2_LEARN_ENABLE: MAC Learning Enabled unit=0
这些消息表示MAC表中的事件。当环境中存在连续的mac移动时,可以看到这些消息。基本上,交换机在两个或多个接口上以极高的速率接收具有相同源MAC的帧。交换机具有一种机制,可对MAC回移次数进行计数,并根据MAC地址移动的次数来权衡回移次数。交换机禁用动态MAC学习以保护控制平面。
此时,您可以检查mac-move计数,了解设备上是否经历了mac-move以及经历了mac-move的数量。
N9K# sh mac address-table notification mac-move
MAC Move Notify Triggers: 1
Number of MAC Addresses added: 612336
Number of MAC Addresses moved: 612328
Number of MAC Addresses removed: 0
Number of MAC Addresses moved(移动的MAC地址数量)的输出表明,交换机经历了mac-moves。
配置
接下来,显而易见的是,找出导致此问题的mac地址、vlan以及遇到此问题的接口信息。要查找此信息,您需要在N9K平台上将L2FM的日志记录级别从默认值2提高至5。
N9K# sho logging level l2fm
Facility Default Severity Current Session Severity
-------- ---------------- ------------------------
l2fm 2 2
0(emergencies) 1(alerts) 2(critical)
3(errors) 4(warnings) 5(notifications)
6(information) 7(debugging)
N9K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N9K(config)# logging level l2fm 5
N9K(config)# end
N9K# sho logging level l2fm
Facility Default Severity Current Session Severity
-------- ---------------- ------------------------
l2fm 2 5
0(emergencies) 1(alerts) 2(critical)
3(errors) 4(warnings) 5(notifications)
6(information) 7(debugging)
Any mac moves at this point can be seen in the syslogs:
2018 Nov 14 16:04:23.881 N9K %L2FM-4-L2FM_MAC_MOVE2: Mac 0000.117d.e02e in vlan 741 has moved between Po6 to Eth1/3
2018 Nov 14 16:04:23.883 N9K %L2FM-4-L2FM_MAC_MOVE2: Mac 0000.117d.e02e in vlan 741 has moved between Po6 to Eth1/3
在这种情况下,您可以检测和限制MAC地址从一个端口移动到另一个端口的次数。
在Cisco NX-OS版本6.0(2)U3(1)之前,当在两个端口之间检测到环路时,禁用MAC学习180秒。
但是,从7.0(3)I7(3)开始,现在可以在使用mac address-table loop-detect port-down命令检测到此类环路时,将交换机配置为关闭接口索引较低的端口。
N9K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N9K(config)# mac address-table loop-detect port-down
N9K(config)# exit
N9K#
现在,在启用此命令后,进一步的环路检测会关闭接口索引较低的接口。
2018 Nov 13 19:33:54.773 N9K %ETHPORT-5-IF_DOWN_NONE: Interface port-channel6 is down (None)
2018 Nov 13 19:33:59.046 N9K %ETH_PORT_CHANNEL-5-PORT_DOWN: port-channel6: Ethernet2/1 is down
2018 Nov 13 19:33:59.049 N9K %ETH_PORT_CHANNEL-5-PORT_DOWN: port-channel6: Ethernet2/2 is down
2018 Nov 13 19:33:59.166 N9K %ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel6: first operational port changed from Ethernet2/1 to none
2018 Nov 13 19:33:59.235 N9K %ETHPORT-5-IF_DOWN_ERROR_DISABLED: Interface port-channel6 is down (Error disabled. Reason:error)
2018 Nov 13 19:33:59.244 N9K %ETHPORT-5-IF_DOWN_CFG_CHANGE: Interface Ethernet2/2 is down(Config change)
2018 Nov 13 19:33:59.252 N9K %ETHPORT-5-IF_DOWN_CFG_CHANGE: Interface Ethernet2/1 is down(Config change)
2018 Nov 13 19:34:05.269 N9K %ETHPORT-5-IF_DOWN_CHANNEL_ERR_DISABLED: Interface Ethernet2/2 is down (Channel error disabled)
2018 Nov 13 19:34:05.303 N9K last message repeated 1 time
2018 Nov 13 19:34:05.303 N9K %ETHPORT-5-IF_DOWN_CHANNEL_ERR_DISABLED: Interface Ethernet2/1 is down (Channel error disabled)
验证
使用此命令验证当前配置的操作。
N9K# show mac address-table loop-detect
Port Down Action Mac Loop Detect : disabled
您可以确认接口的索引,以根据功能验证是否禁用了正确的接口。
N9K# show system internal l2fm l2dbg macdb address 0000.117d.e02e vlan 741
Legend
------
Db: 0-MACDB, 1-GWMACDB, 2-SMACDB, 3-RMDB, 4-SECMACDB 5-STAGEDB
Src: 0-UNKNOWN, 1-L2FM, 2-PEER, 3-LC, 4-HSRP
5-GLBP, 6-VRRP, 7-STP, 8-DOTX, 9-PSEC 10-CLI 11-PVLAN
12-ETHPM, 13-ALW_LRN, 14-Non_PI_MOD, 15-MCT_DOWN, 16 - SDB
17-OTV, 18-Deounce Timer, 19-AM, 20-PCM_DOWN, 21 - MCT_UP
22-VxLAN, 23-L2RIB 24-CTRL, 25-UFDM
Slot:0 based for LCS 31-MCEC 20-OTV/ORIB
VLAN: 741 MAC: 0000.117d.e02e
Time If/swid Db Op Src Slot FE
Wed Nov 14 16:04:28 2018 0x16000005 0 UPDATE 3 0 0
Wed Nov 14 16:04:28 2018 0x16000005 0 REFRESH_DETECT 3 0 15
Wed Nov 14 16:04:28 2018 0x1a000400 0 UPDATE 3 0 0
Wed Nov 14 16:04:28 2018 0x1a000400 0 REFRESH_DETECT 3 0 15
Wed Nov 14 16:04:28 2018 0x16000005 0 UPDATE 3 0 0
N9K# show int snmp-ifindex
--------------------------------------------------------------------------------
Port IFMIB Ifindex (hex)
--------------------------------------------------------------------------------
mgmt0 83886080 (0x5000000 )
Eth1/1 436207616 (0x1a000000)
Eth1/2 436208128 (0x1a000200)
Eth1/3 436208640 (0x1a000400)
<snip>
Po6 369098757 (0x16000005)
其他平台
您可以使用这些命令在其他Nexus平台上启用MAC移动通知。
N3K:
mac address table notification mac-move
logging level fwm 6
logging monitor 6
N5K/N6K:
mac address table notification mac-move
logging level fwm 6
logging monitor 6
N7K/N9K:
logging level l2fm 5
IOS:
mac address table notification mac-move
Note: To revert/remove these commands, simply use the `no` version of each command.
以下命令在运行版本6.0(2)N2(1)及更高版本的Nexus5K/6K中也可用,用于关闭端口:
N5K(config)# mac address-table loop-detect ?
port-down Take port-down action for mac loop detection
N5K(config)# mac address-table loop-detect port-down
Further, the following command is available on the platform to err-disable the edge-port on the MAC move loop detection,
N5K(config)# mac address-table loop-detect port-down edge-port
在Nexus 3000上的NX-OS版本6.0(2)A8(1)中,您可以配置操作以在检测到此类环路时关闭接口索引较低的端口。
N3K(config)# mac address-table loop-detect ?
port-down Take port-down action for mac loop detection
N3K(config)# mac address-table loop-detect port-down
The following command is available on this platform as well, to err-disable the edge-port on the MAC move loop detection,
N5K(config)# mac address-table loop-detect port-down edge-port
相关信息
反馈