Introduction
This document describes how to troubleshoot MAC moves on the Nexus 9000 and how to prevent them.
Prerequisites
Background Information
2018 Nov 14 15:53:26.943 N9K %-SLOT1-5-BCM_L2_LEARN_DISABLE: MAC Learning Disabled unit=0
2018 Nov 14 15:53:27.769 N9K %-SLOT1-5-BCM_L2_LEARN_ENABLE: MAC Learning Enabled unit=0
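You are familiar with the concept of MAC learning: when a switch receives a frame, it maintains a table that associates the sender's MAC address with the LAN port on which the frame was received. In a loop condition, the same MAC can be learned through two different ports on the switch.
Topology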
+-----------+   Po6    +------------+
|   N9K_1   +----------+   N9K_2    |
|           +----------+            |
+-----------+          +--+---------+
      1/3 |               | 2/1
          |               |
          |               |
        +-+---------------+--+
        |       Server       |
        +--------------------+
            0000.117d.e02e
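Troubleshoot
You see this message when the BCM ASIC learns too many MAC addresses in a short period; in that case BCM_USD can disable and re-enable MAC learning in hardware. This can happen when there are too many MAC moves, flaps, or loops, or when new MAC learns/moves exceed a certain threshold. By default on the Nexus 9000, you do not see logs that explicitly tell you the switch experienced MAC moves. However, if the number of moves is large, you eventually see these logs.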
2018 Nov 14 15:53:26.943 N9K %-SLOT1-5-BCM_L2_LEARN_DISABLE: MAC Learning Disabled unit=0
2018 Nov 14 15:53:27.769 N9K %-SLOT1-5-BCM_L2_LEARN_ENABLE: MAC Learning Enabled unit=0
2018 Nov 14 15:53:27.863 N9K %-SLOT1-5-BCM_L2_LEARN_DISABLE: MAC Learning Disabled unit=0
2018 Nov 14 15:53:28.770 N9K %-SLOT1-5-BCM_L2_LEARN_ENABLE: MAC Learning Enabled unit=0
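These messages indicate events in the MAC table. They appear when there are continuous MAC moves in the environment. Essentially, the switch receives frames with the same source MAC on two or more interfaces at a very high rate. The switch has a mechanism that counts the number of MAC move-backs and weights them by the number of times the MAC address moves. To protect the control plane, the switch disables dynamic MAC learning.
At this point, you can check the mac-move counters to see whether the device experienced MAC moves and how many.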
N9K# sh mac address-table notification mac-move
MAC Move Notify Triggers: 1
Number of MAC Addresses added: 612336
Number of MAC Addresses moved: 612328
Number of MAC Addresses removed: 0
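The Number of MAC Addresses moved value in the output indicates that the switch has experienced MAC moves.
Configure
The next obvious step is to identify the MAC address and VLAN that cause the problem and the interfaces on which it occurs. To find this information, raise the logging level of L2FM from the default of 2 to 5 on the N9K platform.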
N9K# sho logging level l2fm
Facility Default Severity Current Session Severity
-------- ---------------- ------------------------
l2fm 2 2
0(emergencies) 1(alerts) 2(critical)
3(errors) 4(warnings) 5(notifications)
6(information) 7(debugging)
N9K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N9K(config)# logging level l2fm 5
N9K(config)# end
N9K# sho logging level l2fm
Facility Default Severity Current Session Severity
-------- ---------------- ------------------------
l2fm 2 5
0(emergencies) 1(alerts) 2(critical)
3(errors) 4(warnings) 5(notifications)
6(information) 7(debugging)
Any mac moves at this point can be seen in the syslogs:
2018 Nov 14 16:04:23.881 N9K %L2FM-4-L2FM_MAC_MOVE2: Mac 0000.117d.e02e in vlan 741 has moved between Po6 to Eth1/3
2018 Nov 14 16:04:23.883 N9K %L2FM-4-L2FM_MAC_MOVE2: Mac 0000.117d.e02e in vlan 741 has moved between Po6 to Eth1/3
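Once L2FM logs at level 5, the move messages can be triaged off-box. The following Python script is an added example, not part of the original document: it groups L2FM_MAC_MOVE2 lines by MAC and VLAN, lists the ports involved, and counts BCM_L2_LEARN_DISABLE events. The sample log is constructed in the format shown above, and the function name and min_moves threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format shown on this page (not a device capture).
SAMPLE = """\
2018 Nov 14 15:53:26.943 N9K %-SLOT1-5-BCM_L2_LEARN_DISABLE: MAC Learning Disabled unit=0
2018 Nov 14 15:53:27.769 N9K %-SLOT1-5-BCM_L2_LEARN_ENABLE: MAC Learning Enabled unit=0
2018 Nov 14 16:04:23.881 N9K %L2FM-4-L2FM_MAC_MOVE2: Mac 0000.117d.e02e in vlan 741 has moved between Po6 to Eth1/3
2018 Nov 14 16:04:23.883 N9K %L2FM-4-L2FM_MAC_MOVE2: Mac 0000.117d.e02e in vlan 741 has moved between Po6 to Eth1/3
2018 Nov 14 16:04:23.990 N9K %L2FM-4-L2FM_MAC_MOVE2: Mac 0000.117d.e02e in vlan 741 has moved between Eth1/3 to Po6
2018 Nov 14 16:04:24.100 N9K %ETHPORT-5-IF_DOWN_NONE: Interface port-channel6 is down (None)
"""

TS_RE = re.compile(r"^(\d{4} \w{3} +\d+ \d\d:\d\d:\d\d\.\d+)")
MOVE_RE = re.compile(
    r"%L2FM-\d-L2FM_MAC_MOVE2: Mac (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) has moved between (?P<a>\S+) to (?P<b>\S+)", re.I)

def summarize(lines, min_moves=2):
    """Group MAC-move syslogs by (MAC, VLAN) and count learn-disable events."""
    seen = defaultdict(lambda: {"moves": 0, "ports": set(), "times": []})
    learn_disabled = 0
    for line in lines:
        if "BCM_L2_LEARN_DISABLE" in line:
            learn_disabled += 1      # hardware MAC learning was switched off
            continue
        m, ts = MOVE_RE.search(line), TS_RE.match(line)
        if not (m and ts):
            continue                 # unrelated or malformed line
        rec = seen[(m["mac"].lower(), int(m["vlan"]))]
        rec["moves"] += 1
        rec["ports"].update((m["a"], m["b"]))
        rec["times"].append(datetime.strptime(ts.group(1), "%Y %b %d %H:%M:%S.%f"))
    suspects = []
    for (mac, vlan), rec in seen.items():
        if rec["moves"] >= min_moves:
            span = (max(rec["times"]) - min(rec["times"])).total_seconds()
            suspects.append({"mac": mac, "vlan": vlan, "moves": rec["moves"],
                             "ports": sorted(rec["ports"]), "span_s": span})
    suspects.sort(key=lambda s: s["moves"], reverse=True)
    return {"learn_disable_events": learn_disabled, "suspects": suspects}

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```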
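In this situation, you can detect and limit the number of times a MAC address moves from one port to another.
Before Cisco NX-OS Release 6.0(2)U3(1), MAC learning was disabled for 180 seconds when a loop was detected between two ports.
However, starting with 7.0(3)I7(3), you can use the mac address-table loop-detect port-down command to configure the switch to shut down the port with the lower interface index when such a loop is detected.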
N9K# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N9K(config)# mac address-table loop-detect port-down
N9K(config)# exit
N9K#
With this command enabled, any further loop detection shuts down the interface with the lower interface index.
2018 Nov 13 19:33:54.773 N9K %ETHPORT-5-IF_DOWN_NONE: Interface port-channel6 is down (None)
2018 Nov 13 19:33:59.046 N9K %ETH_PORT_CHANNEL-5-PORT_DOWN: port-channel6: Ethernet2/1 is down
2018 Nov 13 19:33:59.049 N9K %ETH_PORT_CHANNEL-5-PORT_DOWN: port-channel6: Ethernet2/2 is down
2018 Nov 13 19:33:59.166 N9K %ETH_PORT_CHANNEL-5-FOP_CHANGED: port-channel6: first operational port changed from Ethernet2/1 to none
2018 Nov 13 19:33:59.235 N9K %ETHPORT-5-IF_DOWN_ERROR_DISABLED: Interface port-channel6 is down (Error disabled. Reason:error)
2018 Nov 13 19:33:59.244 N9K %ETHPORT-5-IF_DOWN_CFG_CHANGE: Interface Ethernet2/2 is down(Config change)
2018 Nov 13 19:33:59.252 N9K %ETHPORT-5-IF_DOWN_CFG_CHANGE: Interface Ethernet2/1 is down(Config change)
2018 Nov 13 19:34:05.269 N9K %ETHPORT-5-IF_DOWN_CHANNEL_ERR_DISABLED: Interface Ethernet2/2 is down (Channel error disabled)
2018 Nov 13 19:34:05.303 N9K last message repeated 1 time
2018 Nov 13 19:34:05.303 N9K %ETHPORT-5-IF_DOWN_CHANNEL_ERR_DISABLED: Interface Ethernet2/1 is down (Channel error disabled)
Verify
Use this command to verify the currently configured action.
N9K# show mac address-table loop-detect
Port Down Action Mac Loop Detect : disabled
You can confirm the interface indexes to verify, based on the feature, that the correct interface was disabled.
N9K# show system internal l2fm l2dbg macdb address 0000.117d.e02e vlan 741
Legend
------
Db: 0-MACDB, 1-GWMACDB, 2-SMACDB, 3-RMDB, 4-SECMACDB 5-STAGEDB
Src: 0-UNKNOWN, 1-L2FM, 2-PEER, 3-LC, 4-HSRP
5-GLBP, 6-VRRP, 7-STP, 8-DOTX, 9-PSEC 10-CLI 11-PVLAN
12-ETHPM, 13-ALW_LRN, 14-Non_PI_MOD, 15-MCT_DOWN, 16 - SDB
17-OTV, 18-Deounce Timer, 19-AM, 20-PCM_DOWN, 21 - MCT_UP
22-VxLAN, 23-L2RIB 24-CTRL, 25-UFDM
Slot:0 based for LCS 31-MCEC 20-OTV/ORIB
VLAN: 741 MAC: 0000.117d.e02e
Time If/swid Db Op Src Slot FE
Wed Nov 14 16:04:28 2018 0x16000005 0 UPDATE 3 0 0
Wed Nov 14 16:04:28 2018 0x16000005 0 REFRESH_DETECT 3 0 15
Wed Nov 14 16:04:28 2018 0x1a000400 0 UPDATE 3 0 0
Wed Nov 14 16:04:28 2018 0x1a000400 0 REFRESH_DETECT 3 0 15
Wed Nov 14 16:04:28 2018 0x16000005 0 UPDATE 3 0 0
N9K# show int snmp-ifindex
--------------------------------------------------------------------------------
Port IFMIB Ifindex (hex)
--------------------------------------------------------------------------------
mgmt0 83886080 (0x5000000 )
Eth1/1 436207616 (0x1a000000)
Eth1/2 436208128 (0x1a000200)
Eth1/3 436208640 (0x1a000400)
<snip>
Po6 369098757 (0x16000005)
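The cross-check between the two outputs above can be scripted. The following Python script is an added example, not part of the original document: it maps the If/swid values from the macdb history to port names through the snmp-ifindex table and reports the port with the lower index, which is the one the port-down action shuts down according to this document. The rows are copied from the outputs above; the function names are assumptions.

```python
import re

# Rows copied from the two command outputs on this page.
MACDB = """\
Wed Nov 14 16:04:28 2018 0x16000005 0 UPDATE 3 0 0
Wed Nov 14 16:04:28 2018 0x16000005 0 REFRESH_DETECT 3 0 15
Wed Nov 14 16:04:28 2018 0x1a000400 0 UPDATE 3 0 0
Wed Nov 14 16:04:28 2018 0x1a000400 0 REFRESH_DETECT 3 0 15
Wed Nov 14 16:04:28 2018 0x16000005 0 UPDATE 3 0 0
"""
IFINDEX = """\
mgmt0 83886080 (0x5000000 )
Eth1/1 436207616 (0x1a000000)
Eth1/2 436208128 (0x1a000200)
Eth1/3 436208640 (0x1a000400)
<snip>
Po6 369098757 (0x16000005)
"""

ROW_RE = re.compile(
    r"^\w{3} \w{3} +\d+ [\d:]+ \d{4}\s+0x([0-9a-fA-F]+)\s+\d+\s+\S+", re.M)
IFX_RE = re.compile(r"^(\S+)\s+(\d+)\s+\(0x([0-9a-fA-F]+)\s*\)", re.M)

def parse_ifindex(text):
    """Map ifindex (int) -> port name from 'show int snmp-ifindex' rows."""
    table = {}
    for name, dec, hx in IFX_RE.findall(text):
        if int(dec) != int(hx, 16):      # guard against a mangled paste
            raise ValueError(f"decimal/hex ifindex mismatch for {name}")
        table[int(dec)] = name
    return table

def analyze(macdb_text, table):
    """Name the ports a MAC alternates between, lowest ifindex first."""
    seq = [int(h, 16) for h in ROW_RE.findall(macdb_text)]
    transitions = sum(1 for a, b in zip(seq, seq[1:]) if a != b)
    ports = [table.get(i, f"unknown(0x{i:x})") for i in sorted(set(seq))]
    # Only meaningful when the MAC was seen on more than one port.
    candidate = ports[0] if len(ports) > 1 else None
    return {"transitions": transitions, "ports": ports,
            "port_down_candidate": candidate}

if __name__ == "__main__":
    print(analyze(MACDB, parse_ifindex(IFINDEX)))
```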
Other Platforms
You can use these commands to enable MAC move notification on other Nexus platforms.
N3K:
mac address table notification mac-move
logging level fwm 6
logging monitor 6
N5K/N6K:
mac address table notification mac-move
logging level fwm 6
logging monitor 6
N7K/N9K:
logging level l2fm 5
IOS:
mac address table notification mac-move
Note: To revert/remove these commands, simply use the `no` version of each command.
On Nexus 5K/6K running 6.0(2)N2(1) and later, you can also shut down the port with these commands:
N5K(config)# mac address-table loop-detect ?
port-down Take port-down action for mac loop detection
N5K(config)# mac address-table loop-detect port-down
Further, the following command is available on the platform to err-disable the edge port on MAC move loop detection:
N5K(config)# mac address-table loop-detect port-down edge-port
In NX-OS Release 6.0(2)A8(1) on the Nexus 3000, you can configure the action to shut down the port with the lower interface index when such a loop is detected.
N3K(config)# mac address-table loop-detect ?
port-down Take port-down action for mac loop detection
N3K(config)# mac address-table loop-detect port-down
The following command is available on this platform as well, to err-disable the edge port on MAC move loop detection:
N5K(config)# mac address-table loop-detect port-down edge-port
Related Information