設定和驗證 Firepower 設備上的連接埠通道
目錄
簡介
本文件說明如何設定、驗證及疑難排解 Firepower 設備的連接埠通道。
必要條件
需求
思科建議您瞭解以下主題:
- Firepower Management Center (FMC)
- Firepower Chassis Manager (FCM)
- Firepower eXtensible 作業系統 (FXOS)
- Firepower Threat Defense (FTD)
- EtherChannel (EC)
注意:在本文檔中,EtherChannel和Port-Channel (PC)這兩個術語互換使用。
採用元件
本文中的資訊係根據以下軟體和硬體版本:
- 2個FPR4120 (FXOS 2.2 (2.17)、FTD 6.2.0.2.51)
- 1個FPR4110 (FXOS 2.1 (0.159)、FTD 6.1.0.330)
- 1個FPR2110 (FTD 6.2.1) (建置341)
- 1個FPR1150 (FTD 6.5.0)
- WS-C3750X-24 on15.2(4)E5
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
背景資訊
本文件說明如何對 Firepower 設備(FPR1xxx、FPR21xx、FPR41xx、FPR93xx)的連接埠通道進行組態設定、驗證及疑難排解。文檔配置示例基於Firepower威脅防禦(FTD),但許多概念(例如驗證和故障排除)也完全適用於自適應安全裝置(ASA)。
設定
FPR4100/FPR9300 的連接埠通道
網路圖表
從 FXOS 使用者介面設定連接埠通道 (FPR4100/FPR9300)
Firepower 設備的 FTD 連接埠通道是採用 FXOS 代碼加以管理。在 FPR4100/FPR9300 上,組態設定是透過 Firepower Chassis Manager 完成:
連接埠通道已關閉(失敗狀態),直到將其指派給邏輯裝置:
將連接埠通道指派給邏輯裝置:
結果:
主要重點:
- 在 FXOS 2.4.x 版本之前,FPR4100/FPR9300 僅支援 LACP(無「開啟」或「PAGP」模式)。從 FXOS 2.4.1.101 開始,資料和資料共用 EtherChannel 支援「模式開啟」。
- 請確保要增加到Port-Channel的介面尚未增加到邏輯裝置。如果是,則在增加Port-Channel時,它們不會顯示在介面中。
- 您無法啟用/停用個別的連接埠通道成員,只能啟用/停用連接埠通道本身。
- 不能刪除邏輯裝置使用的埠通道(例如,ASA或FTD)。您必須先將其解除關聯。
- 在您將連接埠通道指派給邏輯裝置之前,該連接埠通道不會啟動。如果從邏輯裝置移除 EtherChannel 或刪除邏輯裝置,則連接埠通道會還原為暫停狀態。
- 將連線到活動模式的交換機埠設定為最佳相容性。
交換機配置
設定交換器時,為了避免連接埠通道不穩定,建議您:
- 使用介面範圍命令。
- 在進行影響埠通道操作的更改之前(例如,如果埠通道模式已更改),請關閉埠通道介面成員。
範例
Switch(config)# interface range g1/0/2 - 3 Switch(config-if-range)# shutdown Switch(config-if-range)# switchport trunk encapsulation dot1q Switch(config-if-range)# switchport mode trunk Switch(config-if-range)# channel-group 5 mode active Switch(config-if-range)# no shutdown
註:請始終參閱交換機型號配置指南部分以瞭解其他詳細資訊。
從 FXOS CLI 設定連接埠通道 (FPR4100/FPR9300)
步驟 1.驗證已分配給FTD邏輯裝置的介面。
FP4110-7-A# scope ssa
FP4110-7-A /ssa # show logical-device
Logical Device:
Name Description Slot ID Mode Oper State Template Name
---------- ----------- ---------- ---------- ------------------------ -------------
mzafeiro_FTD 1 Standalone Ok ftd
FP4110-7-A /ssa # scope logical-device mzafeiro_FTD
FP4110-7-A /ssa/logical-device # show external-port-link
External-Port Link:
Name Port or Port Channel Name App Name Description
--------------- ------------------------- ---------- -----------
Ethernet11_ftd Ethernet1/1 ftd
Ethernet16_ftd Ethernet1/6 ftd
步驟 2.驗證機箱介面。
FP4110-7-A# scope eth-uplink
FP4110-7-A /eth-uplink # scope fabric a
FP4110-7-A /eth-uplink/fabric # show interface
Interface:
Port Name Port Type Admin State Oper State State Reason
--------------- ------------------ ----------- ---------------- ------------
Ethernet1/1 Mgmt Enabled Up
Ethernet1/2 Data Disabled Admin Down Administratively down
Ethernet1/3 Data Disabled Admin Down Administratively down
Ethernet1/4 Data Disabled Failed SFP checksum error
Ethernet1/5 Data Disabled Sfp Not Present Unknown
Ethernet1/6 Data Disabled Sfp Not Present Unknown
Ethernet1/7 Data Disabled Sfp Not Present Unknown
Ethernet1/8 Data Disabled Sfp Not Present Unknown
Ethernet3/1 Data Disabled Admin Down Administratively down
Ethernet3/2 Data Disabled Admin Down Administratively down
Ethernet3/3 Data Disabled Admin Down Administratively down
Ethernet3/4 Data Disabled Admin Down Administratively down
Ethernet3/5 Data Disabled Admin Down Administratively down
Ethernet3/6 Data Disabled Admin Down Administratively down
FP4110-7-A /eth-uplink/fabric # show port-channel
Port Channel:
Port Channel Id Name Port Type Admin State Oper State State Reason
--------------- ---------------- ------------------ ----------- ---------------- ------------
48 Port-channel48 Cluster Disabled Admin Down Administratively down
步驟 3.建立Port-Channel。
bsns-4110-2-A# scope eth-uplink bsns-4110-2-A /eth-uplink # scope fabric a bsns-4110-2-A /eth-uplink/fabric # create port-channel 15 bsns-4110-2-A /eth-uplink/fabric/port-channel* # create member-port Ethernet1/5 bsns-4110-2-A /eth-uplink/fabric/port-channel/member-port* # exit bsns-4110-2-A /eth-uplink/fabric/port-channel* # create member-port Ethernet1/6 bsns-4110-2-A /eth-uplink/fabric/port-channel/member-port* # exit bsns-4110-2-A /eth-uplink/fabric/port-channel* # set port-type data bsns-4110-2-A /eth-uplink/fabric/port-channel* # set speed 1gbps bsns-4110-2-A /eth-uplink/fabric/port-channel* # enable bsns-4110-2-A /eth-uplink/fabric/port-channel* # commit-buffer
步驟 4.將介面指派給FTD邏輯裝置:
FP4110-7-A# scope ssa FP4110-7-A /ssa # scope logical-device mzafeiro_FTD FP4110-7-A /ssa/logical-device # create external-port-link PC15_ftd Port-channel15 ftd FP4110-7-A /ssa/logical-device/external-port-link* # commit-buffer FP4110-7-A /ssa/logical-device/external-port-link #
驗證
FP4110-7-A# scope ssa
FP4110-7-A /ssa # scope logical-device mzafeiro_FTD
FP4110-7-A /ssa/logical-device # show external-port-link
External-Port Link:
Name Port or Port Channel Name App Name Description
--------------- ------------------------- ---------- -----------
Ethernet11_ftd Ethernet1/1 ftd
Ethernet16_ftd Ethernet1/6 ftd
PC15_ftd Port-channel15 ftd
FP4110-7-A# scope eth-uplink
FP4110-7-A /eth-uplink # scope fabric a
FP4110-7-A /eth-uplink/fabric # show port-channel
Port Channel:
Port Channel Id Name Port Type Admin State Oper State State Reason
--------------- ---------------- ------------------ ----------- ---------------- ------------
15 Port-channel15 Data Enabled Up
48 Port-channel48 Cluster Disabled Admin Down Administratively down
FP4110-7-A /eth-uplink/fabric # enter port-channel 15
FP4110-7-A /eth-uplink/fabric/port-channel # show member-port
Member Port:
Port Name Membership Oper State State Reason
--------------- ------------------ ---------------- ------------
Ethernet1/2 Up Up
Ethernet1/3 Up Up
從FXOS CLI (FPR4100/FPR9300)刪除Port-Channel。
FP4110-7-A# scope eth-uplink FP4110-7-A /eth-uplink # scope fabric a FP4110-7-A /eth-uplink/fabric # delete port-channel 15 FP4110-7-A /eth-uplink/fabric* # commit-buffer
FPR21xx/FPR1xxx 的連接埠通道
網路圖表
FPR21xx/FPR1xxx 設備的 FTD 連接埠通道是採用 FXOS 代碼加以管理,但組態設定是從 FMC 完成,因為 FTD 和 FXOS 代碼已內建於單一軟體套件中:
從「進階」標籤設定模式(LACP「主動」或「開啟」):
從「硬體組態」標籤設定「雙工」和「速度」設定:
注意:在FPR2100上,除非將ASA用作邏輯裝置,否則不能從FXOS CLI建立埠通道。在ASA 9.13.x之後,僅在平台模式下會出現這種情況。在「設備模式」(11xx/21xx)下沒有 FCM,且所有介面組態設定都是直接在 ASA CLI 中執行。
Fp2110 /eth-uplink/fabric* # create port-channel 16 Fp2110 /eth-uplink/fabric/port-channel* # create member-port Ethernet1/10 Fp2110 /eth-uplink/fabric/port-channel/member-port* # exit Fp2110 /eth-uplink/fabric/port-channel* # create member-port Ethernet1/11 Fp2110 /eth-uplink/fabric/port-channel/member-port* # exit Fp2110 /eth-uplink/fabric/port-channel* # commit-buffer Error: Changes not allowed. use: 'connect ftd' to make changes.
如果實體介面已關閉,而您想要將其啟用,請執行下列動作:
firepower-2110# scope eth-uplink
firepower-2110 /eth-uplink # scope fabric a
firepower-2110 /eth-uplink/fabric # show interface
Interface:
Port Name Port Type Admin State Oper State State Reason
-------------- ------------------ ----------- ---------------- ------------
Ethernet1/3 Data Enabled Up Up
Ethernet1/4 Data Disabled Link Down Down
Ethernet1/5 Data Disabled Link Down Down
Ethernet1/6 Data Disabled Link Down Down
Ethernet1/7 Data Disabled Link Down Down
Ethernet1/8 Data Disabled Link Down Down
Ethernet1/9 Data Disabled Link Down Down
Ethernet1/10 Data Disabled Link Down Down
Ethernet1/11 Data Disabled Link Down Down
Ethernet1/12 Data Disabled Link Down Down
Ethernet1/13 Data Disabled Link Down Down
Ethernet1/14 Data Disabled Link Down Down
Ethernet1/15 Data Disabled Link Down Down
Ethernet1/16 Data Disabled Link Down Down
firepower-2110 /eth-uplink/fabric # enter interface Ethernet1/4
firepower-2110 /eth-uplink/fabric/interface # show
Interface:
Port Name Port Type Admin State Oper State State Reason
-------------- ------------------ ----------- ---------------- ------------
Ethernet1/4 Data Disabled Link Down Down
firepower-2110 /eth-uplink/fabric/interface # enable
firepower-2110 /eth-uplink/fabric/interface* # commit-buffer
firepower-2110 /eth-uplink/fabric/interface # show
Interface:
Port Name Port Type Admin State Oper State State Reason
-------------- ------------------ ----------- ---------------- ------------
Ethernet1/4 Data Enabled Link Down Down
firepower-2110 /eth-uplink/fabric/interface #
FDM 組態
請考慮使用此拓樸:
您可以從6.5軟體版本開始設定使用FDM的EtherChannel介面。導覽至「裝置」>「介面」>「EtherChannel」,然後新增 EtherChannel。由於 EtherChannel 在此案例中為主幹,因此請指定 EtherChannel ID,將其啟用 (狀態),然後新增成員。EtherChannel 支援 LACP「主動」和「模式開啟」(無 LACP)。在此案例中,已設定 LACP「主動」模式。
新增子介面:
結果:
部署預期的變更。
驗證
驗證 FPR4100/FPR9300 的連接埠通道
網路圖表
FTD(或 ASA)未察覺到連接埠通道個別成員。在 FMC 上設定邏輯介面(子介面):
> system support diagnostic-cli firepower# show interface ip brief Interface IP-Address OK? Method Status Protocol Internal-Data0/0 unassigned YES unset up up Internal-Data0/1 unassigned YES unset up up Internal-Data0/2 169.254.1.1 YES unset up up Port-channel15 unassigned YES unset up up
firepower# show nameif Interface Name Security Port-channel15 INSIDE 0 Ethernet1/1 diagnostic 0
firepower# show interface Port-channel15 detail
Interface Port-channel15 "INSIDE", is up, line protocol is up
Hardware is EtherSVI, BW 20000 Mbps, DLY 1000 usec
MAC address 2c33.118e.07de, MTU 1500
IP address unassigned
Traffic Statistics for "INSIDE":
6767 packets input, 566328 bytes
0 packets output, 0 bytes
6736 packets dropped
1 minute input rate 4 pkts/sec, 375 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 4 pkts/sec
5 minute input rate 4 pkts/sec, 401 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 4 pkts/sec
Control Point Interface States:
Interface number is 6
Interface config status is active
Interface state is active
要檢查Port-Channel及其成員的狀態,請導航到FXOS模式:
FP4110-7-A# connect fxos
FP4110-7-A(fxos)# show port-channel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
15 Po15(SU) Eth LACP Eth1/2(P) Eth1/3(P)
48 Po48(SD) Eth NONE --
若要檢視連接埠通道的狀態以及最後的狀態記錄:
FP4110-7-A(fxos)# show port-channel database
port-channel15
Last membership update is successful
2 ports in total, 2 ports up
First operational port is Ethernet1/3
Age of the port-channel is 0d:00h:35m:00s
Time since last bundle is 0d:00h:34m:56s
Last bundled member is Ethernet1/3
Ports: Ethernet1/2 [active ] [up]
Ethernet1/3 [active ] [up] *
port-channel48
Last membership update is successful
0 ports in total, 0 ports up
Age of the port-channel is 5d:06h:35m:27s
若要檢查連接埠通道介面成員之間的的流量分佈:
FP4110-7-A(fxos)# show port-channel traffic
ChanId Port Rx-Ucst Tx-Ucst Rx-Mcst Tx-Mcst Rx-Bcst Tx-Bcst
------ --------- ------- ------- ------- ------- ------- -------
15 Eth1/2 20.83% 49.71% 17.75% 43.67% 20.11% 49.94%
15 Eth1/3 79.16% 50.28% 82.24% 56.32% 79.88% 50.05%
LACP 相鄰驗證
FP4110-7-A(fxos)# show lacp neighbor
Flags: S - Device is sending Slow LACPDUs F - Device is sending Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
port-channel15 neighbors
Partner's information
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/2 32768,28-6f-7f-ec-59-800x103 1984 FA
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x5 0x3f
Partner's information
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/3 32768,28-6f-7f-ec-59-800x104 2221 FA
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x5 0x3f
Partner Oper Key 0x5 =交換機配置有埠通道ID 5。
在交換器上:
Switch# show lacp neighbor
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
Channel group 5 neighbors
Partner's information:
LACP port Admin Oper Port Port
Port Flags Priority Dev ID Age key Key Number State
Gi1/0/2 FA 32768 2c33.118e.07b3 0s 0x0 0xE 0x42 0x3F
Gi1/0/3 FA 32768 2c33.118e.07b3 0s 0x0 0xE 0x43 0x3F
注意:在相鄰交換機上,儘管FXOS配置了Port-Channel ID 15,但Partner Oper Key顯示為0xE (14)。
Wireshark 中的 LACP 封包擷取:
| 合作夥伴狀態 |
||||||||
| 狀態 |
已到期 |
已預設 |
已發佈 |
已收集 |
同步 |
彙總 |
LACP 逾時 |
LACP 活動 |
| 價值 |
0 |
0 |
1 |
1 |
1 |
1 |
1 |
1 |
| 十六進位 |
3 |
思 |
||||||
驗證 FPR21xx/FPR1xxx 的連接埠通道
網路圖表
連接埠通道基本驗證
> connect fxos
FP2110-2# connect local-mgmt
FP2110-2(local-mgmt)# show portchannel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
11 Po11(U) Eth LACP Eth1/1(P) Eth1/2(P)
其他驗證:
FP2110-2# scope eth-uplink
FP2110-2 /eth-uplink # scope fabric a
FP2110-2 /eth-uplink/fabric # show port-channel
Port Channel:
Port Channel Id Name Port Type Admin State Oper State State Reason
--------------- ---------------- ------------------ ----------- ---------------- ------------
11 Port-channel11 Data Enabled Up Up
驗證連接埠通道詳細資料:
FP2110-2 /eth-uplink/fabric # show port-channel detail
Port Channel:
Port Channel Id: 11
Name: Port-channel11
Port Type: Data
Description:
Admin State: Enabled
Oper State: Up
Auto negotiation: Yes
Speed: 1 Gbps
Duplex: Full Duplex
Oper Speed: 1 Gbps
Band Width (Gbps): 2
State Reason: Up
flow control policy: default
LACP policy name: default
oper LACP policy name: org-root/lacp-default
Lacp Mode: Active
Inline Pair Admin State: Enabled
Inline Pair Peer Port Name:
驗證連接埠通道成員詳細資料:
FP2110-2# scope eth-uplink
FP2110-2 /eth-uplink # scope fabric a
FP2110-2 /eth-uplink/fabric # scope port-channel 11 FP2110-2 /eth-uplink/fabric/port-channel # show member-port Member Port: Port Name Membership Oper State State Reason --------------- ------------------ ---------------- ------------ Ethernet1/1 Up Up Up Ethernet1/2 Up Up Up
成員連接埠詳細資料:
FP2110-2 /eth-uplink/fabric/port-channel # show member-port detail
Member Port:
Port Name: Ethernet1/1
Membership: Up
Oper State: Up
State Reason: Up
Ethernet Link Profile name: default
Oper Ethernet Link Profile name: fabric/lan/eth-link-prof-default
Udld Oper State: Unknown
Current Task:
Port Name: Ethernet1/2
Membership: Up
Oper State: Up
State Reason: Up
Ethernet Link Profile name: default
Oper Ethernet Link Profile name: fabric/lan/eth-link-prof-default
Udld Oper State: Unknown
Current Task:
LACP 驗證
FP2110-2(local-mgmt)# show lacp neighbor
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
Channel group: 11
Partner (internal) information:
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/1 32768,286f.7fec.5980 0x10e 13 s FA <-- the peer is requesting Fast Rate
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x16 0x3f
Port State Flags Decode:
Activity: Timeout: Aggregation: Synchronization:
Active Long Yes Yes
Collected: Distributing: Defaulted: Expired:
Yes Yes No No
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/2 32768,286f.7fec.5980 0x10f 5 s FA <-- the peer is requesting Fast Rate
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x16 0x3f
Port State Flags Decode:
Activity: Timeout: Aggregation: Synchronization:
Active Long Yes Yes
Collected: Distributing: Defaulted: Expired:
Yes Yes No No
註:在FPR21xx/FPR1xxx上,預設LACP速率是「慢」且無法更改。
LACP 計數器
FP2110-2(local-mgmt)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 11
Eth1/1 4435 3532 0 0 0 0 0
Eth1/2 4566 3532 0 0 0 0 0
FP2110-2(local-mgmt)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 11
Eth1/1 4436 3532 0 0 0 0 0
Eth1/2 4567 3532 0 0 0 0 0
FPR2100 介面驗證
如何將實體介面對應到 FPR2100 內部交換器:
| 介面 |
FPR2110/FPR2120 的內部交換器 |
FPR2130/FPR2140 的內部交換器 |
| E1/1 |
1 |
1 |
| E1/2 |
0 |
0 |
| E1/3 |
3 |
3 |
| E1/4 |
2 |
2 |
| E1/5 |
5 |
5 |
| E1/6 |
4 |
4 |
| E1/7 |
7 |
7 |
| E1/8 |
6 |
6 |
| E1/9 |
9 |
49 |
| E1/10 |
8 |
48 |
| E1/11 |
11 |
51 |
| E1/12 |
10 |
50 |
| E1/13 |
12 |
59 |
| E1/14 |
13 |
58 |
| E1/15 |
14 |
57 |
| E1/16 |
15 |
56 |
| E2/1 |
- |
70 |
| E2/2 |
- |
71 |
| E2/3 |
- |
69 |
| E2/4 |
- |
68 |
| E2/5 |
- |
66 |
| E2/6 |
- |
67 |
| E2/7 |
- |
65 |
| E2/8 |
- |
64 |
驗證實體介面狀態:
FP2110-2(local-mgmt)# show portmanager port-info ethernet 1 1
port_info:
if_index: 0x1081000
type: PORTMGR_IPC_MSG_PORT_TYPE_PHYSICAL
mac_address: 70:df:2f:18:d8:04
flowctl: PORTMGR_IPC_MSG_FLOWCTL_NONE
role: PORTMGR_IPC_MSG_PORT_ROLE_NPU
admin_state: PORTMGR_IPC_MSG_PORT_STATE_ENABLED
oper_state: PORTMGR_IPC_MSG_PORT_STATE_UP
admin_speed: PORTMGR_IPC_MSG_SPEED_AUTO
oper_speed: PORTMGR_IPC_MSG_SPEED_1GB
admin_mtu: 9216
admin_duplex: PORTMGR_IPC_MSG_PORT_DUPLEX_FULL
oper_duplex: PORTMGR_IPC_MSG_PORT_DUPLEX_FULL
pc_if_index: 0x200000b
pc_membership_status: PORTMGR_IPC_MSG_MMBR_UP
pc_protocol: PORTMGR_IPC_MSG_PORT_CHANNEL_PRTCL_LACP_ACTIVE
native_vlan: 1011
num_allowed_vlan: 1
allowed_vlan[0]: 1011
實體介面計數器:
FP2110-2(local-mgmt)# show portmanager counters ethernet 1 1 Good Octets Received : 2692986 Bad Octets Received : 0 MAC Transmit Error : 0 Good Packets Received : 37038 Bad Packets Received : 0 BRDC Packets Received : 22290 MC Packets Received : 12538 Size 64 : 34193 Size 65 to 127 : 1531 Size 128 to 255 : 1515 Size 256 to 511 : 374 Size 512 to 1023 : 95 Size 1024 to Max : 0 Good Octets Sent : 87296 Good Packets Sent : 682 Excessive Collision : 0 MC Packets Sent : 682 BRDC Packets Sent : 0 Unrecognized MAC Received : 0 FC Sent : 0 Good FC Received : 0 Drop Events : 0 Undersize Packets : 0 Fragments Packets : 0 Oversize Packets : 0 Jabber Packets : 0 MAC RX Error Packets Received : 0 Bad CRC : 0 Collisions : 0
FPR2100 內部交換器 MAC 資料表。
註:01:80:C2:00:00:02 = LACP
FP2110-2(local-mgmt)# show portmanager switch mac-filters
port ix MAC mask action packets bytes
00 03e 70:DF:2F:18:D8:05 FF:FF:FF:FF:FF:FF FORWARD
043 01:80:C2:00:00:02 FF:FF:FF:FF:FF:FF FORWARD 687 87936
044 70:DF:2F:18:D8:2D FF:FF:FF:FF:FF:FF FORWARD
045 FF:FF:FF:FF:FF:FF FF:FF:FF:FF:FF:FF FORWARD 5501 385360
3d0 00:00:00:00:00:00 01:00:00:00:00:00 DROP 2101 141426
3e8 01:00:00:00:00:00 01:00:00:00:00:00 DROP 7946 1524820
01 03f 70:DF:2F:18:D8:04 FF:FF:FF:FF:FF:FF FORWARD
040 01:80:C2:00:00:02 FF:FF:FF:FF:FF:FF FORWARD 687 87936
041 70:DF:2F:18:D8:2D FF:FF:FF:FF:FF:FF FORWARD
042 FF:FF:FF:FF:FF:FF FF:FF:FF:FF:FF:FF FORWARD 22351 1451504
3d1 00:00:00:00:00:00 01:00:00:00:00:00 DROP 2215 154542
3e9 01:00:00:00:00:00 01:00:00:00:00:00 DROP 11886 1006067
02 03c 70:DF:2F:18:D8:07 FF:FF:FF:FF:FF:FF FORWARD
049 01:80:C2:00:00:02 FF:FF:FF:FF:FF:FF FORWARD
04a 70:DF:2F:18:D8:6D FF:FF:FF:FF:FF:FF FORWARD
04b FF:FF:FF:FF:FF:FF FF:FF:FF:FF:FF:FF FORWARD
3d2 00:00:00:00:00:00 01:00:00:00:00:00 DROP
3ea 01:00:00:00:00:00 01:00:00:00:00:00 DROP
連接埠 e1/1 和 e1/2 對應到內部交換器的 0/0 和 0/1:
FP2110-2(local-mgmt)# show portmanager switch status Dev/Port Mode Link Speed Duplex Loopback Mode --------- ---------------- ----- ----- ------ ------------- 0/0 QSGMII Up 1G Full None 0/1 QSGMII Up 1G Full None 0/2 QSGMII Down 1G Half None 0/3 QSGMII Down 1G Half None 0/4 QSGMII Down 1G Half None 0/5 QSGMII Down 1G Half None 0/6 QSGMII Down 1G Half None 0/7 QSGMII Down 1G Half None 0/8 QSGMII Down 1G Half None 0/9 QSGMII Down 1G Half None 0/10 QSGMII Down 1G Half None 0/11 QSGMII Down 1G Half None 0/12 QSGMII Down 10 Half None 0/13 QSGMII Down 10 Half None 0/14 QSGMII Down 10 Half None 0/15 QSGMII Down 10 Half None 0/16 n/a Down n/a Full N/A 0/17 n/a Down n/a Full N/A 0/18 n/a Down n/a Full N/A 0/19 n/a Down n/a Full N/A 0/20 n/a Down n/a Full N/A 0/21 n/a Down n/a Full N/A 0/22 n/a Down n/a Full N/A 0/23 n/a Down n/a Full N/A 0/24 KR Up 10G Full None 0/25 KR Up 10G Full None 0/26 KR Down 10G Full None 0/27 KR Up 10G Full None
疑難排解
LACP 概觀
LACP事實:
- IEEE 標準(802.3ad) 連結彙總控制通訊協定 (LACP) 是用於連接埠通道交涉的 L2 通訊協定。
- LACP 使用目的地 MAC 0180.c200.0002 和乙太網路類型 0x8809。
- Firepower 設備僅支援「LACP」和「模式開啟」(無 LACP)(在 2.4.x FXOS 版本中,已在 FP4100/FP9300 上新增「模式開啟」)。
- 您可以在其中一個模式(「主動」或「被動」)下設定 LACP。FXOS 一律使用「主動」模式。
- LACP 的主要目的是防止連接埠通道組態設定錯誤。
- 為了讓 LACP PC 啟動,連接埠介面成員中的「速度」/「雙工」設定必須相同。在 FXOS 上,您要將速度設定在連接埠通道層級。
- LACP 執行者 = 本機裝置
- LACP 合作夥伴 = 遠端裝置
- 每台裝置都有一個LACP系統ID,通常為機箱的MAC。系統會在每個 LACP 封包內傳送 LACP 系統 ID。
- 每個 LACP 封包的大小約為 110 位元組。
- LACP 可以在「快速」或「慢速」(正常)速率下運作。如果是 FXOS,預設值為「快速」(1xxx/21xx 除外,這些型號一律為「慢速」),但也可以設定為「慢速」。交換器端的 LACP 模式取決於使用的交換器型號和軟體。舉例來說,從 15.2(4)E 開始,Cat3750 支援「慢速」和「快速」。請查看交換器確認指南瞭解詳細資料。
- 在LACP檢測週期中,無論LACP速率如何,LACP都每1秒傳送一次。介面啟動後,LACP 速率只會影響 LACP 存留間隔。
LACP保持連線的優點
在遠端介面不再運作但仍處於啟動狀態(未偵測到任何直接失敗)的情況下,LACP 存留相當實用。這可能是驅動程式/L2問題,或者路徑中有些裝置(例如IPS)不允許偵測遠端連結失敗。LACP Keepalive的對等速率超時為x 3。例如,如果遠端對等體每隔1秒傳送一次,則當在3秒內未收到LACP資料包時,本地裝置會宣告遠端對等體關閉。在「慢速」情況下,則此時間為 90 秒之後。
Wireshark 中顯示的所有 LACP 封包欄位:
注意:當FTD上的連線埠通道終止時,FXOS擷取不會顯示LACP封包(輸入或輸出)。
LACP 快速與慢速
一般而言,建議在兩端使用「快速」(4100/9300 上的 FXOS 預設為使用「快速」,FPR2100 上的預設 LACP 傳送速率為「慢速」)。快速的 LACP 速率可以提高連接埠通道連結速度。
| FXOS 設定為「慢速」 |
FXOS 設定為「快速」 |
|
| 交換器設定為「慢速」 |
交換器要求「慢速」 FXOS 要求「慢速」 交換器每 30 秒傳送 1 個 LACP FXOS 每 30 秒傳送 1 個 LACP |
交換器要求「慢速」 FXOS 要求「快速」 交換器每秒傳送 1 個 LACP FXOS 每 30 秒傳送 1 個 LACP |
| 交換器設定為「快速」 |
交換器要求「快速」 FXOS 要求「慢速」 交換器每 30 秒傳送 1 個 LACP FXOS 每秒傳送 1 個 LACP |
交換器要求「快速」 FXOS 要求「快速」 交換器每秒傳送 1 個 LACP FXOS 每秒傳送 1 個 LACP |
若要在 FXOS (41xx/93xx) 上設定 LACP 模式:
KSEC-FPR4100-1# scope org
KSEC-FPR4100-1 /org # show lacppolicy
LACP policy:
Name LACP rate
---------- ---------
default Fast
KSEC-FPR4100-1 /org # scope lacppolicy default
KSEC-FPR4100-1 /org/lacppolicy # set lacp-rate
fast lacp rate fast
normal lacp rate normal
對 FPR4100/FPR9300 的連接埠通道進行疑難排解
網路圖表
FPR4100 和 FPR9300 機箱包含連接埠通道已終止的內部交換器。由於內部交換器與 Nexus 5K 類似且 FXOS 僅支援 LACP,因此疑難排解方法與 Nexus 5K 類似。
檢查1 -驗證埠通道狀態。
FP4110-7-A(fxos)# show port-channel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
15 Po15(SU) Eth LACP Eth1/2(P) Eth1/3(P)
確認 FXOS 介面狀態:
FP4110-7-A(fxos)# show interface brief -------------------------------------------------------------------------------- Ethernet VLAN Type Mode Status Reason Speed Port Interface Ch # -------------------------------------------------------------------------------- Eth1/1 1 eth 1qtunl up none 1000(D) -- Eth1/2 1 eth 1qtunl up none 1000(D) 15 Eth1/3 1 eth 1qtunl up none 1000(D) 15 Eth1/4 1 eth 1qtunl down SFP not inserted 10G(D) -- Eth1/5 1 eth 1qtunl down Administratively down 1000(D) -- Eth1/6 1 eth 1qtunl down Administratively down 1000(D) -- Eth1/7 1 eth 1qtunl down Administratively down 10G(D) -- Eth1/8 1 eth 1qtunl down SFP not inserted 10G(D) -- Eth1/9 1 eth vntag up none 40G(D) -- Eth1/10 1 eth access down Administratively down 40G(D) -- Eth1/11 1 eth access down Administratively down 1000(D) -- Eth1/12 1 eth access down Administratively down 1000(D) --
檢查2 -驗證FXOS是否傳送和接收LACP(運行該命令幾次)。
FP4110-7-A(fxos)# show lacp counters interface port-channel 15
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
port-channel15
Ethernet1/2 223019 207280 0 0 0 0 0
Ethernet1/3 296532 207744 0 0 0 0 0
確認與交換器是否相同:
Switch# show lacp 5 counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 5
Gi1/0/2 627 596 0 0 0 0 0
Gi1/0/3 623 593 0 0 0 0 0
確認個別 FXOS 介面的 LACP 詳細資料:
FP4110-7-A(fxos)# show lacp interface ethernet 1/2 Interface Ethernet1/2 is up Channel group is 15 port channel is Po15 PDUs sent: 222828 PDUs rcvd: 207074 Markers sent: 0 Markers rcvd: 0 Marker response sent: 0 Marker response rcvd: 0 Unknown packets rcvd: 0 Illegal packets rcvd: 0 Lag Id: [ [(8000, 28-6f-7f-ec-59-80, 5, 8000, 103), (8000, 2c-33-11-8e-7-b3, e, 8000, 42)] ] Operational as aggregated link since Tue Oct 31 19:14:57 2017 Local Port: Eth1/2 MAC Address= 2c-33-11-8e-7-b3 System Identifier=0x8000,2c-33-11-8e-7-b3 Port Identifier=0x8000,0x42 Operational key=14 LACP_Activity=active LACP_Timeout=Short Timeout (1s) Synchronization=IN_SYNC Collected=true Distributing=true
檢查3 -檢驗本地和遠端裝置的LACP ID。
FP4110-7-A(fxos)# show lacp port-channel interface port-channel 15 port-channel15 System Mac=2c-33-11-8e-7-b3 Local System Identifier=0x8000,2c-33-11-8e-7-b3 Admin key=0xe Operational key=0xe Partner System Identifier=0x8000,28-6f-7f-ec-59-80 Operational key=0x5 Max delay=0 Aggregate or individual=1 Member Port List=
檢查4 (可選) -收集此輸出(可供Cisco TAC使用)。
FP4110-7-A(fxos)# show lacp internal event-history errors
1) Event:E_DEBUG, length:74, at 574387 usecs after Tue Oct 31 19:14:57 2017
[102] lacp_proto_set_ntt(1780): Restarting periodic tx timer in 0x210 msecs
2) Event:E_DEBUG, length:467, at 544757 usecs after Tue Oct 31 19:14:57 2017
[102] lacp_ac_init_port_channel_member(1660): TYPE1 UPDATE lacp_ac_init_port
_channel_member port-channel port-channel15(0x1600000e) lacp_mcec_type1_upd_sent
...
檢查 5 – 檢查有問題之特定連接埠的 LACP FSM 轉換。顯示的消息中最早的顯示在輸出頂部。
FP4110-7-A(fxos)# show lacp internal event-history interface ethernet 1/2
>>>>FSM: <Ethernet1/2> has 975 logged transitions<<<<<
1) FSM:<Ethernet1/2> Transition at 257150 usecs after Sun Oct 29 12:35:16 2017
Previous state: [LACP_ST_WAIT_FOR_HW_TO_PROGRAM_RECEIVE_PATH]
Triggered event: [LACP_EV_PORT_RECEIVE_PATH_ENABLED_AS_CHANNEL_MEMBER_MESSAGE]
Next state: [LACP_ST_PORT_MEMBER_RECEIVE_ENABLED]
...
4) FSM:<Ethernet1/2> Transition at 966987 usecs after Sun Oct 29 12:35:19 2017
Previous state: [LACP_ST_PORT_MEMBER_COLLECTING_AND_DISTRIBUTING_ENABLED]
Triggered event: [LACP_EV_PARTNER_PDU_IN_SYNC] <--- Good (Received LACP with ‘Synchronization = 1’
Next state: [LACP_ST_PORT_IS_DOWN_OR_LACP_IS_DISABLED]
...
207) FSM:<Ethernet1/4> Transition at 482767 usecs after Sun Oct 29 13:18:40 2017
Previous state: [LACP_ST_ATTACHED_TO_AGGREGATOR]
Triggered event: [LACP_EV_PARTNER_PDU_OUT_OF_SYNC]
Next state: [FSM_ST_NO_CHANGE]
208) FSM:<Ethernet1/4> Transition at 363720 usecs after Sun Oct 29 13:18:41 2017
Previous state: [LACP_ST_ATTACHED_TO_AGGREGATOR]
Triggered event: [LACP_EV_PARTNER_PDU_OUT_OF_SYNC] <--- Bad (Received LACP with ‘Synchronization = 0’
Next state: [FSM_ST_NO_CHANGE]
檢查6 -收集埠通道事件歷史記錄(可供Cisco TAC使用)。
FP4110-7-A(fxos)# show port-channel internal event-history all
Low Priority Pending queue: len(0), max len(1) [Tue Oct 31 19:37:03 2017] High Priority Pending queue: len(0), max len(12) [Tue Oct 31 19:37:03 2017] PCM Control Block info: pcm_max_channels : 4096 pcm_max_channel_in_use : 48 pc count : 2 hif-pc count : 0 Max PC Cnt : 104 Load-defer timeout : 120 ==================================================== PORT CHANNELS: 2LvPC PO in system : 0 port-channel15 channel : 15 bundle : 65535 ... >>>>FSM: <eth-port-channel 15> has 66 logged transitions<<<<< 1) FSM:<eth-port-channel 15> Transition at 174796 usecs after Tue Oct 31 18:05:0 8 2017 Previous state: [PCM_PC_ST_INIT] Triggered event: [PCM_PC_EV_CREATE_INIT] Next state: [FSM_ST_NO_CHANGE] 2) Event:ESQ_START length:38, at 174810 usecs after Tue Oct 31 18:05:08 2017 Instance:369098766, Seq Id:0x1, Ret:SUCCESS Seq Type:SERIAL ...
對 FPR21xx/FPR1xxx 的連接埠通道進行疑難排解
網路圖表
檢查1。在使用LACP的情況下,驗證LACP計數器。
您會看到兩端(交換器和 FXOS)傳送和接收:
FP2110-2(local-mgmt)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 11
Eth1/1 4435 3532 0 0 0 0 0
Eth1/2 4566 3532 0 0 0 0 0
另一種確認相同的方法:
FP2110-2(local-mgmt)# show pktmgr counters
Ports Tx Tx Tx Rx Rx Rx Rx
Packets Drops Bytes Packets Drops Bytes Forwards
----------------------------------------------------------------------------
Eth1/1 4575 0 567300 3537 0 452736 3537 < LACP PDUs forwarded internally to LACP process
Eth1/2 4706 0 583544 3537 0 452736 3537 < LACP PDUs forwarded internally to LACP process
Eth1/3 0 0 0 0 0 0 0
Eth1/4 0 0 0 0 0 0 0
Eth1/5 0 0 0 0 0 0 0
Eth1/6 0 0 0 0 0 0 0
Eth1/7 0 0 0 0 0 0 0
Eth1/8 0 0 0 0 0 0 0
Eth1/9 0 0 0 0 0 0 0
Eth1/10 0 0 0 0 0 0 0
Eth1/11 0 0 0 0 0 0 0
Eth1/12 0 0 0 0 0 0 0
Eth1/13 0 0 0 0 0 0 0
Eth1/14 0 0 0 0 0 0 0
Eth1/15 0 0 0 0 0 0 0
Eth1/16 0 0 0 0 0 0 0
Misc. 0 0 0 0 0 0 n/a
檢查2。檢驗上游交換機狀態。
FP2110-2(local-mgmt)# show lacp neighbor
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
Channel group: 11
Partner (internal) information:
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/1 32768,286f.7fec.5980 0x10e 9 s FA
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x16 0x3f
Port State Flags Decode:
Activity: Timeout: Aggregation: Synchronization:
Active Long Yes Yes
Collected: Distributing: Defaulted: Expired:
Yes Yes No No
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/2 32768,286f.7fec.5980 0x10f 24 s FA
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x16 0x3f
Port State Flags Decode:
Activity: Timeout: Aggregation: Synchronization:
Active Long Yes Yes
Collected: Distributed: Defaulted: Expired:
Yes Yes No No
註:如果「已收集」和「已分佈」不是「是」,而「預設」是「否」,則LACP未收斂。
檢查3。檢驗本地LACP系統ID是否為0。
FP2110-2(local-mgmt)# show lacp sys-id 32768, 70df.2f18.d813
其他疑難排解(常見於所有平台)
檢查 1
確保兩端(防火牆和交換機)具有匹配的設定(例如,速度相同,埠通道模式相同)。
檢查 2
檢查是否發生 FXOS 故障。您可以從機箱使用者介面(UI)或使用此指令的CLI執行此檢查:
FPR4100# show fault Severity Code Last Transition Time ID Description --------- -------- ------------------------ -------- ----------- Major F0479 2020-03-19T11:50:44.322 543322 Virtual interface 781 link state is down Major F0373 2020-03-19T10:55:13.778 34178 Fan 1 in Fan Module 1-5 under chassis 1 operability: inoperable Minor F0480 2020-03-19T10:55:13.777 34177 Fan module 1-5 in chassis 1 operability: degraded Major F1767 2020-03-19T10:54:04.162 531228 The password encryption key has not been set. Major F0727 2020-03-19T09:50:02.891 522921 lan Member 1/5 of Port-Channel 10 on fabric interconnect A is down, membership: suspended Major F0282 2020-03-19T09:49:31.462 522922 lan port-channel 10 on fabric interconnect A oper state: failed, reason: No operational members Major F0277 2020-03-19T09:49:31.437 522929 ether port 1/5 on fabric interconnect A oper state: failed, reason: Other Info F0279 2020-01-17T11:06:45.472 300958 ether port 1/7 on fabric interconnect A oper state: sfp-not-present Info F0279 2020-01-17T11:06:37.941 300903 ether port 1/6 on fabric interconnect A oper state: sfp-not-present Minor F1437 2020-01-16T10:11:39.675 291723 Config backup may be outdated
故障會依時間順序顯示。嚴重性反映出故障的重要性,而說明則提供了簡要的概觀。重點主要在於嚴重性、時間戳記及說明。故障嚴重性從最嚴重到最不嚴重的順序為:
- 嚴重
- 主要
- 輕微
- 警告
- 資訊/狀況
- 已清除
有關每個故障的詳細資訊,請檢視「FXOS故障和錯誤消息」指南: FXOS錯誤和系統消息
檢查 3
如果您最近對FMC上的連線埠通道組態進行了一些變更,請確定原則已從FMC部署到FTD。
檢查 4
如果Port-Channel處於Failed狀態,並且裝置屬於集群,則確保裝置上已啟用集群。啟用叢集的裝置通常都有處於失敗狀態的連接埠通道.
檢查 5
如果組態正確,但介面無法啟動,請檢查並更換纜線和/或小型可插拔 (SFP) 收發器.
檢查 6
查看 Firepower 版本資訊,以瞭解與連接埠通道相關的已知問題。例如,若您執行 FXOS 版本 2.6.1.169 和 FTD 6.4.0.6,請查看以下章節:
此外,請查看相關的 FMC/FTD 版本資訊。在此範例中,由於 FTD 執行 6.4.0.5,因此必須查看 6.4.x 版本資訊:
常見問題
案例 1.EtherChannel模式不匹配
請考慮使用此拓樸:
問題症狀
在 Firepower 上,連接埠通道已關閉且交涉通訊協定為 LACP:
FP2110-2(local-mgmt)# show portchannel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
11 Po11(D) Eth LACP Eth1/1(D) Eth1/2(D)
在FXOS上,LACP Sent計數器每30秒遞增,但Receive計數器不會:
FP2110-2(local-mgmt)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 11
Eth1/1 11356 3762 0 0 0 0 0
Eth1/2 11393 3761 0 0 0 0 0
FP2110-2(local-mgmt)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 11
Eth1/1 11357 3762 0 0 0 0 0
Eth1/2 11394 3761 0 0 0 0 0
根本原因
交換器的連接埠通道已啟動,但請注意缺少交涉通訊協定:
Switch# show etherchannel 22 summary … Number of channel-groups in use: 15 Number of aggregators: 15 Group Port-channel Protocol Ports ------+-------------+-----------+----------------------------------------------- 22 Po22(SU) - Gi1/0/13(P) Gi1/0/14(P)
交換器連接埠組態會確認以下內容:
Switch# show run int g1/0/13 interface GigabitEthernet1/0/13 lacp rate fast channel-group 22 mode on end Switch# show run int g1/0/14 interface GigabitEthernet1/0/14 lacp rate fast channel-group 22 mode on end
解決方案
由於這是FPR21xx裝置,因此有兩種可能的解決方案:
- 將交換器端的連接埠通道模式從「開啟」變更為「LACP」(主動或被動)。
- 將 FTD 端的連接埠通道模式從「LACP」變更為「開啟」(主動或被動)。
在此案例中,選擇第二個解決方案(將FTD連線埠通道設為開啟模式):
FP2110-2(local-mgmt)# show portchannel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
11 Po11(U) Eth ON Eth1/1(P) Eth1/2(P)
未顯示更多 LACP 計數器:
FP2110-2(local-mgmt)# show lacp counters FP2110-2(local-mgmt)#
案例 2.錯誤的埠通道設計
問題症狀
FP4110-7-A(fxos)# show port-channel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
15 Po15(SD) Eth LACP Eth1/2(P) Eth1/3(s)
48 Po48(SD) Eth NONE --
FXOS LACP 計數器朝兩個方向增加:
FP4110-7-A(fxos)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
port-channel15
Ethernet1/2 419219 451268 0 0 0 0 0
Ethernet1/3 419215 446806 0 0 0 0 0
FP4110-7-A(fxos)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
port-channel15
Ethernet1/2 419219 451269 0 0 0 0 0
Ethernet1/3 419216 446807 0 0 0 0 0
根本原因
show lacp neighbor 的輸出顯示每個連接埠上的不同合作夥伴系統 ID:
FP4110-7-A(fxos)# show lacp neighbor
Flags: S - Device is sending Slow LACPDUs F - Device is sending Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
port-channel15 neighbors
Partner's information
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/2 32768,28-6f-7f-ec-59-800x103 419611 FA
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x5 0x3d
Partner's information
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/3 32768,4-62-73-d2-65-0 0x12f 419610 SA
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x16 0xd
其視覺化結果為:
解決方案
- 如果是 2960,您必須設定堆疊 (FlexStack)。
- 若使用3750-X/3850等交換器,則需要設定堆疊(StackWise Plus)。
- 對於4500、6500、6800,您需要使用虛擬交換系統(VSS)。
- 對於Nexus 5K、7K或9K,您需要使用虛擬埠通道(vPC)。
- 在其他情況下,您必須將 FXOS 連線至相同的實體交換器。
案例 3.FXOS埠通道未分配
網路圖表
問題症狀
在 FXOS 端,連接埠通道成員已暫停:
FP4110-7-A(fxos)# show port-channel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
15 Po15(SD) Eth LACP Eth1/2(s) Eth1/3(s)
48 Po48(SD) Eth NONE --
在交換器端亦同:
Switch# show etherchannel 5 summary … Group Port-channel Protocol Ports ------+-------------+-----------+----------------------------------------------- 5 Po5(SD) LACP Gi1/0/2(s) Gi1/0/3(s)
FXOS LACP計數器顯示傳送和接收的資料包:
FP4110-7-A(fxos)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
port-channel15
Ethernet1/2 420839 452531 0 0 0 0 0
Ethernet1/3 420793 447409 0 0 0 0 0
FP4110-7-A(fxos)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
port-channel15
Ethernet1/2 421026 452537 0 0 0 0 0
Ethernet1/3 420981 447416 0 0 0 0 0
在交換機端,LACP計數器還會顯示已傳送但未接收的資料包:
Switch# show lacp 5 counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 5
Gi1/0/2 452539 420223 0 0 0 0 0
Gi1/0/3 447232 415274 0 0 0 0 0
Switch# show lacp 5 counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 5
Gi1/0/2 452540 420223 0 0 0 0 0
Gi1/0/3 447233 415274 0 0 0 0 0
根本原因
在此案例中,問題在於未將 FXOS 連接埠通道指派給邏輯裝置(FTD 應用程式):
解決方案
將連接埠通道指派給邏輯裝置.
案例 4.有關埠通道的運行狀況警報未收到任何資料包
裝置 (FTD) 每 5 分鐘就會傳送有關在已設定名稱且已啟動的每個介面上所接收之介面流量的資訊。如果在上一個間隔中未接收到任何封包,則 FMC UI 上會出現此類訊息:
建議的動作
從FTD CLI,檢查show traffic輸出並專注於5分鐘的輸入速率。例如,
Interface Port-channel10.14
INSIDE:
received (in 237938.740 secs):
2 packets 84 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 237938.740 secs):
5 packets 140 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
案例 5.FMC健康警示:連線埠通道已取消關聯或已新增介面
運行狀況警報表示:「Interface with physical-name: "Port-Channel" disassociated.」或「」Interface with physical-name: \"name_if\"已增加。」
建議的動作
這是思科漏洞ID CSCvb跟蹤的已知裝飾問題15074
埠通道注意事項
設計注意事項
案例 1.HA中的FTD/ASA刀片
不支援此設定。原因是交換機端的埠通道配置不正確,導致備用裝置上的流量阻塞。只有在「叢集合併」模式下設定 ASA 或 FTD 時,系統才支援此類設計。
警告:此案例在故障切換中不正確(高可用性)。
這是高可用性的正確連接埠通道設計:
相關資訊
案例 2.集群中的FTD/ASA
每個防火牆資料介面連接埠通道均使用「合併」模式(這是 Firepower 平台唯一支援的模式)。從設計的角度來看,在交換器端,單一資料介面的交換器連接埠屬於一個連接埠通道。
舉例來說,如果是 FP9300(2 個機箱、6 個刀鋒),則可以採用這類方式設定資料連接埠:
另一方面,集群控制鏈路(CCL)使用單個埠通道模式,並且根據最佳實踐,頻寬必須符合每個成員的最大容量。此外,如果是 Nexus,則每個連接埠通道屬於不同的 vPC。
同樣地,如果是 FP41xx:
CCL 則如下:
案例 3.Port-Channel在FXOS上終止
終止 FXOS 機箱上的連接埠通道。以下是此設計的範例:
案例 4.透過FXOS的埠通道
Port-Channel透過FXOS機箱。以下是此設計的範例:
注意:在第二個場景中,Firepower裝置上未配置埠通道。
終止 FXOS 上的連接埠通道和通過 FXOS 的連接埠通道
| 功能 |
意見 |
| 終止 FXOS 機箱 (MIO) 的連接埠通道 |
從 FXOS 2.1.1 開始可以使用 |
| 埠通道透過FXOS機箱(MIO) |
|
其他考量事項
LACP 正常融合
對於集群設定(ASA或FTD),建議在Nexus上啟用LACP平滑融合。
常見問題 (FAQ)
問:SSP埠通道雜湊分配是固定還是自適應?
FXOS 使用具復原能力的雜湊分佈。這似乎等同於 Nexus 7000/9k 線上文件說明中所述的固定型雜湊分佈。在彈性雜湊中,如果鏈路發生故障,則分配給該故障鏈路的流將在活動鏈路之間均勻地重新分配。流經活動鏈路的當前流不會重新雜湊,其資料包也不會順序混亂。將鏈路增加到port-channel或ECMP組時,雜湊到當前鏈路的某些流會重新雜湊到新鏈路,但不會跨所有當前鏈路。
問:如果連線到Port-Channel的交換機埠斷開,會發生什麼情況?FTD會監控實體連結或連線埠通道嗎?
如果所有連接埠通道介面成員均停止運作,則連接埠通道也會關閉。連接埠通道操作狀態會顯示為「失敗」。從 FTD 的角度來看,連接埠通道會顯示為「關閉」。另一方面,在此規則中,有一個例外:當交換機使用堆疊時。透過 LACP,系統 ID 會使用來自作用中交換器的 MAC 位址,如果作用中交換器變更,則 LACP 系統 ID 也會變更。如果 LACP 系統 ID 變更,則整個 EtherChannel 都會翻動,並會產生 STP 重新融合。使用stack-mac persistent timer命令控制堆疊MAC地址在活動交換機故障切換後是否更改。
問:希望使用命令「port-channel min-bundle 2」,這樣,如果port-channel中的一個鏈路斷開,則port-channel斷開,並且防火牆進行故障切換。
此選項不適用於 FXOS 機箱。做為因應措施,請盡可能在對等交換器上設定 lacp min-links 命令。
問:如何捕獲LACP資料包?
案例 1.在邏輯裝置(FTD/ASA)上終止的Port-Channel
- 連接埠通道實際上已於機箱層級 (FXOS) 終止。
- 您無法在機箱層級 (FXOS) 或應用程式層級 (FTD/ASA) 擷取 LACP 封包(輸入或輸出)。
案例 2.透過FTD的連線埠通道- FTD介面部署為內嵌集:
inline-set set1
snort fail-open down
interface-pair INSIDE OUTSIDE
!
interface Ethernet1/2
nameif INSIDE
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
!
interface Ethernet1/3
nameif OUTSIDE
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
LACP Ethertype is 0x8809 (dec 34825):
firepower# capture CAP interface INSIDE ethernet-type 34825
firepower# show capture CAP
1: 21:15:00.403131 2894.0f57.271d 0180.c200.0002 0x8809 Length: 124 <-- LACP packet
0101 0114 8000 0017 dfd6 ec00 0016 8000
0223 3d00 0000 0214 8000 0017 dfd6 ec00
0015 8000 0222 3d00 0000 0310 8000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000
案例 3.透過FTD的連線埠通道- FTD介面已部署為橋接群組模式:
interface Ethernet1/2
bridge-group 1
nameif INSIDE
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
!
interface Ethernet1/3
bridge-group 1
nameif OUTSIDE
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
!
interface BVI1
ip address 192.168.201.134 255.255.255.0
firepower# capture CAP interface INSIDE ethernet-type 34825
firepower# show capture CAP
1 packet captured
1: 21:21:29.731987 2894.0f57.271c 0180.c200.0002 0x8809 Length: 124 <-- LACP packet
0101 0114 8000 0017 dfd6 ec00 0015 8000
0222 7d00 0000 0214 0000 0000 0000 0000
0000 0000 0000 0000 0000 0310 8000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000
1 packet shown
問:如何從單個埠遷移到Port-Channel?
此變更需要使用維護時段 (MW) 且具有侵入性。從單一介面移轉至連接埠通道後,有關單一介面的所有組態均會與其解除關聯。建立埠通道後,需要將相同的配置重新關聯到新配置的埠通道,例如NAT、路由、VPN等。若為 FTD,此文件含有相關注意事項:
設定 EtherChannel
若為 ASA 裝置,此文件說明了相關程序:
將使用中介面轉換成備援或 EtherChannel 介面
問:如何將FTD高可用性(HA)連結變更為Port-Channel?
此變更需要使用維護時段 (MW) 且具有侵入性。您必須分割 HA 並重新設定。在新的 HA 配對中,將連接埠通道指定為 HA 連結。相關文件:
在 Firepower 設備上設定 FTD 高可用性
問:Firepower與ASA一起顯示埠通道打開,物理介面狀態關閉
這與思科漏洞ID CSCvp相關03354
問:為FMC上的埠通道ID選擇什麼重要嗎? 是否必須符合交換器端的任何項目?
否,不重要。您可以使用任何想要的連接埠通道 ID。
問:在Port-Channel Advanced頁籤下,是否需要為活動/備用MAC執行任何操作?
如果計畫在接入模式(無中繼)下使用埠通道,並且使用高可用性(HA)設定,則強烈建議配置活動/備用MAC。此建議並非限定於連接埠通道,而是適用於任何 HA 設定。
問:是否可以配置埠通道的介面成員的描述?
目前(FXOS 2.13.x)不支援。請查看最新的 FXOS 組態設定指南,以取得其他詳細資料。
問:是否可以更改FXOS埠通道負載均衡演算法?
目前(FXOS 2.13.x)不支援。請查看最新的 FXOS 組態設定指南,以取得其他詳細資料。
問:是否可以在埠通道中配置成員介面的最小數量(最小鏈路),以便將埠通道轉換為捆綁狀態?
目前(FXOS 2.13.x)不支援。請查看最新的 FXOS 組態設定指南,以取得其他詳細資料。
相關資訊
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
4.0 |
11-Apr-2024 |
已更新樣式要求和格式。 |
3.0 |
15-May-2023 |
更新的格式和語言 |
1.0 |
26-Mar-2020 |
初始版本 |
意見