配置并验证Firepower设备上的端口通道
目录
简介
本文档介绍如何配置、验证Firepower设备上的端口通道并对其进行故障排除。
先决条件
要求
Cisco 建议您了解以下主题:
- Firepower Management Center (FMC)
- Firepower Chassis Manager (FCM)
- Firepower eXtensible Operating System (FXOS)
- Firepower Threat Defense (FTD)
- EtherChannel (EC)
注意:在本文档中,EtherChannel和Port-Channel (PC)这两个术语可互换使用。
使用的组件
本文档中的信息基于以下软件和硬件版本:
- 2个FXOS 2.2(2.17)、FTD 6.2.0.2.51上的FPR4120
- 1个FXOS 2.1(0.159)、FTD 6.1.0.330上的FPR4110
- 1个用于FTD 6.2.1的FPR2110(内部版本341)
- 1台FTD 6.5.0上的FPR1150
- WS-C3750X-24 on15.2(4)E5
本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
背景信息
本文档介绍如何在 Firepower 设备(如 FPR1xxx、FPR21xx、FPR41xx、FPR93xx)上配置、验证端口通道并进行故障排除。本文档的配置示例基于Firepower威胁防御(FTD),但许多概念(例如验证和故障排除)也完全适用于自适应安全设备(ASA)。
配置
在 FPR4100/FPR9300 上配置端口通道
网络图
通过 FXOS 用户界面配置端口通道 (FPR4100/FPR9300)
Firepower 设备上的 FTD 端口通道由 FXOS 代码管理。在 FPR4100/FPR9300 上,可通过 Firepower Chassis Manager 完成配置:
在分配给逻辑设备之前,端口通道一直处于关闭状态(故障状态):
要将端口通道分配给逻辑设备,请按下图操作:
结果:
要点
- 在 FXOS 2.4.x 之前的版本中,FPR4100/FPR9300 仅支持 LACP,无“开启”模式或 PAGP。自 FXOS 2.4.1.101 版本开始,数据和数据共享 EtherChannel 支持“开启”模式。
- 请确保要添加到Port-Channel的接口尚未添加到逻辑设备。如果是,则在添加Port-Channel时,它们不会显示在接口中。
- 无法启用/禁用单个端口通道成员,只能启用/禁用端口通道本身。
- 不能删除逻辑设备(例如,ASA或FTD)使用的端口通道。必须先取消二者的关联。
- 除非已分配给逻辑设备,否则端口通道无法正常运行。如果从逻辑设备中移除 EtherChannel 或删除逻辑设备,该端口通道将恢复为挂起状态。
- 将连接到活动模式的交换机端口设置为最佳兼容性。
交换机配置
配置交换机时,为避免端口通道不稳定,建议执行以下操作:
- 使用 interface range 命令。
- 在进行影响端口信道操作的更改之前(例如,如果端口信道模式已更改),请关闭端口信道接口成员。
示例
Switch(config)# interface range g1/0/2 - 3 Switch(config-if-range)# shutdown Switch(config-if-range)# switchport trunk encapsulation dot1q Switch(config-if-range)# switchport mode trunk Switch(config-if-range)# channel-group 5 mode active Switch(config-if-range)# no shutdown
注意:请始终参阅交换机型号配置指南部分以了解其他详细信息。
通过 FXOS CLI 配置端口通道 (FPR4100/FPR9300)
步骤1:检验已分配给FTD逻辑设备的接口。
FP4110-7-A# scope ssa
FP4110-7-A /ssa # show logical-device
Logical Device:
Name Description Slot ID Mode Oper State Template Name
---------- ----------- ---------- ---------- ------------------------ -------------
mzafeiro_FTD 1 Standalone Ok ftd
FP4110-7-A /ssa # scope logical-device mzafeiro_FTD
FP4110-7-A /ssa/logical-device # show external-port-link
External-Port Link:
Name Port or Port Channel Name App Name Description
--------------- ------------------------- ---------- -----------
Ethernet11_ftd Ethernet1/1 ftd
Ethernet16_ftd Ethernet1/6 ftd
第二步:验证机箱接口。
FP4110-7-A# scope eth-uplink
FP4110-7-A /eth-uplink # scope fabric a
FP4110-7-A /eth-uplink/fabric # show interface
Interface:
Port Name Port Type Admin State Oper State State Reason
--------------- ------------------ ----------- ---------------- ------------
Ethernet1/1 Mgmt Enabled Up
Ethernet1/2 Data Disabled Admin Down Administratively down
Ethernet1/3 Data Disabled Admin Down Administratively down
Ethernet1/4 Data Disabled Failed SFP checksum error
Ethernet1/5 Data Disabled Sfp Not Present Unknown
Ethernet1/6 Data Disabled Sfp Not Present Unknown
Ethernet1/7 Data Disabled Sfp Not Present Unknown
Ethernet1/8 Data Disabled Sfp Not Present Unknown
Ethernet3/1 Data Disabled Admin Down Administratively down
Ethernet3/2 Data Disabled Admin Down Administratively down
Ethernet3/3 Data Disabled Admin Down Administratively down
Ethernet3/4 Data Disabled Admin Down Administratively down
Ethernet3/5 Data Disabled Admin Down Administratively down
Ethernet3/6 Data Disabled Admin Down Administratively down
FP4110-7-A /eth-uplink/fabric # show port-channel
Port Channel:
Port Channel Id Name Port Type Admin State Oper State State Reason
--------------- ---------------- ------------------ ----------- ---------------- ------------
48 Port-channel48 Cluster Disabled Admin Down Administratively down
第三步:创建Port-Channel。
bsns-4110-2-A# scope eth-uplink bsns-4110-2-A /eth-uplink # scope fabric a bsns-4110-2-A /eth-uplink/fabric # create port-channel 15 bsns-4110-2-A /eth-uplink/fabric/port-channel* # create member-port Ethernet1/5 bsns-4110-2-A /eth-uplink/fabric/port-channel/member-port* # exit bsns-4110-2-A /eth-uplink/fabric/port-channel* # create member-port Ethernet1/6 bsns-4110-2-A /eth-uplink/fabric/port-channel/member-port* # exit bsns-4110-2-A /eth-uplink/fabric/port-channel* # set port-type data bsns-4110-2-A /eth-uplink/fabric/port-channel* # set speed 1gbps bsns-4110-2-A /eth-uplink/fabric/port-channel* # enable bsns-4110-2-A /eth-uplink/fabric/port-channel* # commit-buffer
第四步:将接口分配给FTD逻辑设备:
FP4110-7-A# scope ssa FP4110-7-A /ssa # scope logical-device mzafeiro_FTD FP4110-7-A /ssa/logical-device # create external-port-link PC15_ftd Port-channel15 ftd FP4110-7-A /ssa/logical-device/external-port-link* # commit-buffer FP4110-7-A /ssa/logical-device/external-port-link #
确认
FP4110-7-A# scope ssa
FP4110-7-A /ssa # scope logical-device mzafeiro_FTD
FP4110-7-A /ssa/logical-device # show external-port-link
External-Port Link:
Name Port or Port Channel Name App Name Description
--------------- ------------------------- ---------- -----------
Ethernet11_ftd Ethernet1/1 ftd
Ethernet16_ftd Ethernet1/6 ftd
PC15_ftd Port-channel15 ftd
FP4110-7-A# scope eth-uplink
FP4110-7-A /eth-uplink # scope fabric a
FP4110-7-A /eth-uplink/fabric # show port-channel
Port Channel:
Port Channel Id Name Port Type Admin State Oper State State Reason
--------------- ---------------- ------------------ ----------- ---------------- ------------
15 Port-channel15 Data Enabled Up
48 Port-channel48 Cluster Disabled Admin Down Administratively down
FP4110-7-A /eth-uplink/fabric # enter port-channel 15
FP4110-7-A /eth-uplink/fabric/port-channel # show member-port
Member Port:
Port Name Membership Oper State State Reason
--------------- ------------------ ---------------- ------------
Ethernet1/2 Up Up
Ethernet1/3 Up Up
从FXOS CLI (FPR4100/FPR9300)删除端口通道。
FP4110-7-A# scope eth-uplink FP4110-7-A /eth-uplink # scope fabric a FP4110-7-A /eth-uplink/fabric # delete port-channel 15 FP4110-7-A /eth-uplink/fabric* # commit-buffer
在 FPR21xx/FPR1xxx 上配置端口通道
网络图
FPR21xx/FPR1xxx 设备上的 FTD 端口通道由 FXOS 代码管理,但由于 FTD 和 FXOS 代码集成在同一软件捆绑包中,因此配置是从 FMC 完成:
通过高级选项卡配置模式(LACP“主动”或“开启”):
通过硬件配置选项卡配置“双工”和“速度”设置:
注意:在FPR2100上,除非将ASA用作逻辑设备,否则无法从FXOS CLI创建端口通道。在ASA 9.13.x之后,仅在平台模式下出现这种情况。“设备”模式 (11xx/21xx) 下没有 FCM,所有接口均直接在 ASA CLI 中配置。
Fp2110 /eth-uplink/fabric* # create port-channel 16 Fp2110 /eth-uplink/fabric/port-channel* # create member-port Ethernet1/10 Fp2110 /eth-uplink/fabric/port-channel/member-port* # exit Fp2110 /eth-uplink/fabric/port-channel* # create member-port Ethernet1/11 Fp2110 /eth-uplink/fabric/port-channel/member-port* # exit Fp2110 /eth-uplink/fabric/port-channel* # commit-buffer Error: Changes not allowed. use: 'connect ftd' to make changes.
如果物理接口关闭,要启用该接口,请按如下所示操作:
firepower-2110# scope eth-uplink
firepower-2110 /eth-uplink # scope fabric a
firepower-2110 /eth-uplink/fabric # show interface
Interface:
Port Name Port Type Admin State Oper State State Reason
-------------- ------------------ ----------- ---------------- ------------
Ethernet1/3 Data Enabled Up Up
Ethernet1/4 Data Disabled Link Down Down
Ethernet1/5 Data Disabled Link Down Down
Ethernet1/6 Data Disabled Link Down Down
Ethernet1/7 Data Disabled Link Down Down
Ethernet1/8 Data Disabled Link Down Down
Ethernet1/9 Data Disabled Link Down Down
Ethernet1/10 Data Disabled Link Down Down
Ethernet1/11 Data Disabled Link Down Down
Ethernet1/12 Data Disabled Link Down Down
Ethernet1/13 Data Disabled Link Down Down
Ethernet1/14 Data Disabled Link Down Down
Ethernet1/15 Data Disabled Link Down Down
Ethernet1/16 Data Disabled Link Down Down
firepower-2110 /eth-uplink/fabric # enter interface Ethernet1/4
firepower-2110 /eth-uplink/fabric/interface # show
Interface:
Port Name Port Type Admin State Oper State State Reason
-------------- ------------------ ----------- ---------------- ------------
Ethernet1/4 Data Disabled Link Down Down
firepower-2110 /eth-uplink/fabric/interface # enable
firepower-2110 /eth-uplink/fabric/interface* # commit-buffer
firepower-2110 /eth-uplink/fabric/interface # show
Interface:
Port Name Port Type Admin State Oper State State Reason
-------------- ------------------ ----------- ---------------- ------------
Ethernet1/4 Data Enabled Link Down Down
firepower-2110 /eth-uplink/fabric/interface #
FDM 配置
请思考以下拓扑:
从6.5软件版本开始,可以配置使用FDM的EtherChannel接口。导航至设备 > 接口 > EtherChannel,然后添加 EtherChannel。在这种情况下,EtherChannel 是中继,因此请指定 EtherChannel ID,启用该 ID(状态),然后添加成员。EtherChannel 支持 LACP“主动”和“开启”模式(无 LACP)。在这种情况下,系统会配置 LACP“主动”模式。
添加子接口:
结果:
部署预期更改。
验证
验证 FPR4100/FPR9300 上的端口通道
网络图
FTD(或 ASA)并不了解端口通道单个成员。在 FMC 中配置逻辑接口(子接口):
> system support diagnostic-cli firepower# show interface ip brief Interface IP-Address OK? Method Status Protocol Internal-Data0/0 unassigned YES unset up up Internal-Data0/1 unassigned YES unset up up Internal-Data0/2 169.254.1.1 YES unset up up Port-channel15 unassigned YES unset up up
firepower# show nameif Interface Name Security Port-channel15 INSIDE 0 Ethernet1/1 diagnostic 0
firepower# show interface Port-channel15 detail
Interface Port-channel15 "INSIDE", is up, line protocol is up
Hardware is EtherSVI, BW 20000 Mbps, DLY 1000 usec
MAC address 2c33.118e.07de, MTU 1500
IP address unassigned
Traffic Statistics for "INSIDE":
6767 packets input, 566328 bytes
0 packets output, 0 bytes
6736 packets dropped
1 minute input rate 4 pkts/sec, 375 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 4 pkts/sec
5 minute input rate 4 pkts/sec, 401 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 4 pkts/sec
Control Point Interface States:
Interface number is 6
Interface config status is active
Interface state is active
要检查端口信道及其成员的状态,请导航到FXOS模式:
FP4110-7-A# connect fxos
FP4110-7-A(fxos)# show port-channel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
15 Po15(SU) Eth LACP Eth1/2(P) Eth1/3(P)
48 Po48(SD) Eth NONE --
要查看端口通道的状态以及上次状态历史记录:
FP4110-7-A(fxos)# show port-channel database
port-channel15
Last membership update is successful
2 ports in total, 2 ports up
First operational port is Ethernet1/3
Age of the port-channel is 0d:00h:35m:00s
Time since last bundle is 0d:00h:34m:56s
Last bundled member is Ethernet1/3
Ports: Ethernet1/2 [active ] [up]
Ethernet1/3 [active ] [up] *
port-channel48
Last membership update is successful
0 ports in total, 0 ports up
Age of the port-channel is 5d:06h:35m:27s
要检查端口通道接口成员之间的流量分布:
FP4110-7-A(fxos)# show port-channel traffic
ChanId Port Rx-Ucst Tx-Ucst Rx-Mcst Tx-Mcst Rx-Bcst Tx-Bcst
------ --------- ------- ------- ------- ------- ------- -------
15 Eth1/2 20.83% 49.71% 17.75% 43.67% 20.11% 49.94%
15 Eth1/3 79.16% 50.28% 82.24% 56.32% 79.88% 50.05%
LACP 邻居验证
FP4110-7-A(fxos)# show lacp neighbor
Flags: S - Device is sending Slow LACPDUs F - Device is sending Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
port-channel15 neighbors
Partner's information
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/2 32768,28-6f-7f-ec-59-800x103 1984 FA
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x5 0x3f
Partner's information
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/3 32768,28-6f-7f-ec-59-800x104 2221 FA
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x5 0x3f
Partner Oper Key 0x5 =交换机配置了Port-Channel ID 5。
在交换机上:
Switch# show lacp neighbor
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
Channel group 5 neighbors
Partner's information:
LACP port Admin Oper Port Port
Port Flags Priority Dev ID Age key Key Number State
Gi1/0/2 FA 32768 2c33.118e.07b3 0s 0x0 0xE 0x42 0x3F
Gi1/0/3 FA 32768 2c33.118e.07b3 0s 0x0 0xE 0x43 0x3F
注意:在邻接交换机上,尽管FXOS配置了Port-Channel ID 15,但Partner Oper Key显示为0xE (14)。
Wireshark 中的 LACP 数据包捕获:
| 合作伙伴状态 |
||||||||
| 状态 |
已到期 |
已违约 |
已分发 |
已收集 |
同步 |
汇聚 |
LACP 超时 |
LACP 活动 |
| 价值 |
0 |
0 |
1 |
1 |
1 |
1 |
1 |
1 |
| 十六进制 |
3 |
f |
||||||
验证 FPR21xx/FPR1xxx 上的端口通道
网络图
端口通道基本验证
> connect fxos
FP2110-2# connect local-mgmt
FP2110-2(local-mgmt)# show portchannel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
11 Po11(U) Eth LACP Eth1/1(P) Eth1/2(P)
其他验证:
FP2110-2# scope eth-uplink
FP2110-2 /eth-uplink # scope fabric a
FP2110-2 /eth-uplink/fabric # show port-channel
Port Channel:
Port Channel Id Name Port Type Admin State Oper State State Reason
--------------- ---------------- ------------------ ----------- ---------------- ------------
11 Port-channel11 Data Enabled Up Up
验证端口通道详细信息:
FP2110-2 /eth-uplink/fabric # show port-channel detail
Port Channel:
Port Channel Id: 11
Name: Port-channel11
Port Type: Data
Description:
Admin State: Enabled
Oper State: Up
Auto negotiation: Yes
Speed: 1 Gbps
Duplex: Full Duplex
Oper Speed: 1 Gbps
Band Width (Gbps): 2
State Reason: Up
flow control policy: default
LACP policy name: default
oper LACP policy name: org-root/lacp-default
Lacp Mode: Active
Inline Pair Admin State: Enabled
Inline Pair Peer Port Name:
验证端口通道成员详细信息:
FP2110-2# scope eth-uplink
FP2110-2 /eth-uplink # scope fabric a
FP2110-2 /eth-uplink/fabric # scope port-channel 11 FP2110-2 /eth-uplink/fabric/port-channel # show member-port Member Port: Port Name Membership Oper State State Reason --------------- ------------------ ---------------- ------------ Ethernet1/1 Up Up Up Ethernet1/2 Up Up Up
成员端口详细信息:
FP2110-2 /eth-uplink/fabric/port-channel # show member-port detail
Member Port:
Port Name: Ethernet1/1
Membership: Up
Oper State: Up
State Reason: Up
Ethernet Link Profile name: default
Oper Ethernet Link Profile name: fabric/lan/eth-link-prof-default
Udld Oper State: Unknown
Current Task:
Port Name: Ethernet1/2
Membership: Up
Oper State: Up
State Reason: Up
Ethernet Link Profile name: default
Oper Ethernet Link Profile name: fabric/lan/eth-link-prof-default
Udld Oper State: Unknown
Current Task:
LACP 验证
FP2110-2(local-mgmt)# show lacp neighbor
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
Channel group: 11
Partner (internal) information:
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/1 32768,286f.7fec.5980 0x10e 13 s FA <-- the peer is requesting Fast Rate
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x16 0x3f
Port State Flags Decode:
Activity: Timeout: Aggregation: Synchronization:
Active Long Yes Yes
Collected: Distributing: Defaulted: Expired:
Yes Yes No No
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/2 32768,286f.7fec.5980 0x10f 5 s FA <-- the peer is requesting Fast Rate
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x16 0x3f
Port State Flags Decode:
Activity: Timeout: Aggregation: Synchronization:
Active Long Yes Yes
Collected: Distributing: Defaulted: Expired:
Yes Yes No No
注意:在FPR21xx/FPR1xxx上,默认LACP速率为缓慢且无法更改。
LACP 计数器
FP2110-2(local-mgmt)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 11
Eth1/1 4435 3532 0 0 0 0 0
Eth1/2 4566 3532 0 0 0 0 0
FP2110-2(local-mgmt)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 11
Eth1/1 4436 3532 0 0 0 0 0
Eth1/2 4567 3532 0 0 0 0 0
FPR2100 接口验证
物理接口与 FPR2100 内部交换机的对应关系:
| 接口 |
FPR2110/FPR2120 上的内部交换机 |
FPR2130/FPR2140 上的内部交换机 |
| E1/1 |
1 |
1 |
| E1/2 |
0 |
0 |
| E1/3 |
3 |
3 |
| E1/4 |
2 |
2 |
| E1/5 |
5 |
5 |
| E1/6 |
4 |
4 |
| E1/7 |
7 |
7 |
| E1/8 |
6 |
6 |
| E1/9 |
9 |
49 |
| E1/10 |
8 |
48 |
| E1/11 |
11 |
51 |
| E1/12 |
10 |
50 |
| E1/13 |
12 |
59 |
| E1/14 |
13 |
58 |
| E1/15 |
14 |
57 |
| E1/16 |
15 |
56 |
| E2/1 |
- |
70 |
| E2/2 |
- |
71 |
| E2/3 |
- |
69 |
| E2/4 |
- |
68 |
| E2/5 |
- |
66 |
| E2/6 |
- |
67 |
| E2/7 |
- |
65 |
| E2/8 |
- |
64 |
验证物理接口状态
FP2110-2(local-mgmt)# show portmanager port-info ethernet 1 1
port_info:
if_index: 0x1081000
type: PORTMGR_IPC_MSG_PORT_TYPE_PHYSICAL
mac_address: 70:df:2f:18:d8:04
flowctl: PORTMGR_IPC_MSG_FLOWCTL_NONE
role: PORTMGR_IPC_MSG_PORT_ROLE_NPU
admin_state: PORTMGR_IPC_MSG_PORT_STATE_ENABLED
oper_state: PORTMGR_IPC_MSG_PORT_STATE_UP
admin_speed: PORTMGR_IPC_MSG_SPEED_AUTO
oper_speed: PORTMGR_IPC_MSG_SPEED_1GB
admin_mtu: 9216
admin_duplex: PORTMGR_IPC_MSG_PORT_DUPLEX_FULL
oper_duplex: PORTMGR_IPC_MSG_PORT_DUPLEX_FULL
pc_if_index: 0x200000b
pc_membership_status: PORTMGR_IPC_MSG_MMBR_UP
pc_protocol: PORTMGR_IPC_MSG_PORT_CHANNEL_PRTCL_LACP_ACTIVE
native_vlan: 1011
num_allowed_vlan: 1
allowed_vlan[0]: 1011
物理接口计数器:
FP2110-2(local-mgmt)# show portmanager counters ethernet 1 1 Good Octets Received : 2692986 Bad Octets Received : 0 MAC Transmit Error : 0 Good Packets Received : 37038 Bad Packets Received : 0 BRDC Packets Received : 22290 MC Packets Received : 12538 Size 64 : 34193 Size 65 to 127 : 1531 Size 128 to 255 : 1515 Size 256 to 511 : 374 Size 512 to 1023 : 95 Size 1024 to Max : 0 Good Octets Sent : 87296 Good Packets Sent : 682 Excessive Collision : 0 MC Packets Sent : 682 BRDC Packets Sent : 0 Unrecognized MAC Received : 0 FC Sent : 0 Good FC Received : 0 Drop Events : 0 Undersize Packets : 0 Fragments Packets : 0 Oversize Packets : 0 Jabber Packets : 0 MAC RX Error Packets Received : 0 Bad CRC : 0 Collisions : 0
FPR2100 内部交换机 MAC 表。
注意:01:80:C2:00:00:02 = LACP
FP2110-2(local-mgmt)# show portmanager switch mac-filters
port ix MAC mask action packets bytes
00 03e 70:DF:2F:18:D8:05 FF:FF:FF:FF:FF:FF FORWARD
043 01:80:C2:00:00:02 FF:FF:FF:FF:FF:FF FORWARD 687 87936
044 70:DF:2F:18:D8:2D FF:FF:FF:FF:FF:FF FORWARD
045 FF:FF:FF:FF:FF:FF FF:FF:FF:FF:FF:FF FORWARD 5501 385360
3d0 00:00:00:00:00:00 01:00:00:00:00:00 DROP 2101 141426
3e8 01:00:00:00:00:00 01:00:00:00:00:00 DROP 7946 1524820
01 03f 70:DF:2F:18:D8:04 FF:FF:FF:FF:FF:FF FORWARD
040 01:80:C2:00:00:02 FF:FF:FF:FF:FF:FF FORWARD 687 87936
041 70:DF:2F:18:D8:2D FF:FF:FF:FF:FF:FF FORWARD
042 FF:FF:FF:FF:FF:FF FF:FF:FF:FF:FF:FF FORWARD 22351 1451504
3d1 00:00:00:00:00:00 01:00:00:00:00:00 DROP 2215 154542
3e9 01:00:00:00:00:00 01:00:00:00:00:00 DROP 11886 1006067
02 03c 70:DF:2F:18:D8:07 FF:FF:FF:FF:FF:FF FORWARD
049 01:80:C2:00:00:02 FF:FF:FF:FF:FF:FF FORWARD
04a 70:DF:2F:18:D8:6D FF:FF:FF:FF:FF:FF FORWARD
04b FF:FF:FF:FF:FF:FF FF:FF:FF:FF:FF:FF FORWARD
3d2 00:00:00:00:00:00 01:00:00:00:00:00 DROP
3ea 01:00:00:00:00:00 01:00:00:00:00:00 DROP
端口 E1/1 和 E1/2 对应内部交换机上的 0/0 和 0/1:
FP2110-2(local-mgmt)# show portmanager switch status Dev/Port Mode Link Speed Duplex Loopback Mode --------- ---------------- ----- ----- ------ ------------- 0/0 QSGMII Up 1G Full None 0/1 QSGMII Up 1G Full None 0/2 QSGMII Down 1G Half None 0/3 QSGMII Down 1G Half None 0/4 QSGMII Down 1G Half None 0/5 QSGMII Down 1G Half None 0/6 QSGMII Down 1G Half None 0/7 QSGMII Down 1G Half None 0/8 QSGMII Down 1G Half None 0/9 QSGMII Down 1G Half None 0/10 QSGMII Down 1G Half None 0/11 QSGMII Down 1G Half None 0/12 QSGMII Down 10 Half None 0/13 QSGMII Down 10 Half None 0/14 QSGMII Down 10 Half None 0/15 QSGMII Down 10 Half None 0/16 n/a Down n/a Full N/A 0/17 n/a Down n/a Full N/A 0/18 n/a Down n/a Full N/A 0/19 n/a Down n/a Full N/A 0/20 n/a Down n/a Full N/A 0/21 n/a Down n/a Full N/A 0/22 n/a Down n/a Full N/A 0/23 n/a Down n/a Full N/A 0/24 KR Up 10G Full None 0/25 KR Up 10G Full None 0/26 KR Down 10G Full None 0/27 KR Up 10G Full None
故障排除
LACP 概述
LACP事实:
- IEEE 标准 (802.3ad) 链路聚合控制协议 (LACP) 是用于端口通道协商的第 2 层协议。
- LACP 使用目的 MAC 0180.c200.0002 和以太网类型 0x8809。
- Firepower 设备仅支持 LACP 和“开启”模式(无 LACP)(采用 2.4.x FXOS 版本的 FP4100/FP9300 中已添加“开启”模式)。
- LACP 可以配置为两种模式(“主动”或“被动”)中的任意一种。FXOS 始终使用“主动”模式。
- LACP 的主要目标是防止端口通道配置错误。
- 为确保 LACP PC 正常运行,端口通道接口成员需要具有相同的速度/双工设置。在 FXOS 中,可以在端口通道级别设置速度。
- LACP 攻击者 = 本地设备
- LACP 合作伙伴 = 远程设备
- 每个设备有一个LACP系统ID,通常为机箱的MAC。LACP 系统 ID 随每个 LACP 数据包发送。
- 每个 LACP 数据包的大小约为 110 字节。
- LACP 支持“快速”和“慢速(正常)”速率。FXOS 默认使用“快速”(1xxx/21xx 除外,始终为“慢速”),但也可配置为“慢速”。交换机端的 LACP 模式取决于所使用的交换机型号和软件。例如,自 15.2(4)E 开始,Cat3750 同时支持“慢速”和“快速”。有关详细信息,请参阅交换机确认指南。
- 在LACP检测期间,无论LACP速率是多少,都会每1秒发送一次LACP。启用接口后,LACP 速率仅影响 LACP 保持连接的间隔。
LACP Keepalive的优点
LACP 保持连接在远程接口不再正常工作但仍处于运行状态(未检测到直接故障)时非常有用。这可能属于驱动程序/L2问题,或者路径中存在某些不允许检测远程链路故障的设备(例如IPS)。LACP Keepalive的对等体速率超时为x 3。例如,如果远程对等体每1秒发送一次,则如果在3秒内没有收到LACP数据包,则本地设备会声明远程对等体关闭。在“慢速”情况下,本地设备会于 90 秒后声明远程对等体关闭。
Wireshark 中 LACP 数据包的所有字段如下所示:
注意:当port-channel在FTD上终止时,FXOS捕获不显示LACP数据包(入口或出口)。
LACP“快速”与“慢速”的区别
通常情况下,建议两端均使用“快速”(4100/9300 上的 FXOS 默认使用“快速”;FPR2100 上 LACP 发送速率默认为“慢速”)。“快速”LACP 可以提高端口通道捆绑速度。
| FXOS 配置为“慢速” |
FXOS 配置为“快速” |
|
| 交换机配置为“慢速” |
交换机请求为“慢速” FXOS 请求为“慢速” 交换机每 30 秒发送 1 次 LACP FXOS 每 30 秒发送 1 次 LACP |
交换机请求为“慢速” FXOS 请求为“快速” 交换机每秒发送 1 次 LACP FXOS 每 30 秒发送 1 次 LACP |
| 交换机配置为“快速” |
交换机请求为“快速” FXOS 请求为“慢速” 交换机每 30 秒发送 1 次 LACP FXOS 每秒发送 1 次 LACP |
交换机请求为“快速” FXOS 请求为“快速” 交换机每秒发送 1 次 LACP FXOS 每秒发送 1 次 LACP |
要在 FXOS (41xx/93xx) 上配置 LACP 模式:
KSEC-FPR4100-1# scope org
KSEC-FPR4100-1 /org # show lacppolicy
LACP policy:
Name LACP rate
---------- ---------
default Fast
KSEC-FPR4100-1 /org # scope lacppolicy default
KSEC-FPR4100-1 /org/lacppolicy # set lacp-rate
fast lacp rate fast
normal lacp rate normal
对 FPR4100/FPR9300 上的端口通道执行故障排除
网络图
FPR4100 和 FPR9300 机箱包含端口通道端接的内部交换机。由于内部交换机与 Nexus 5K 类似,而且 FXOS 仅支持 LACP,因此内部交换机与 Nexus 5K 的故障排除方法也比较相似。
检查1 -验证端口通道状态。
FP4110-7-A(fxos)# show port-channel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
15 Po15(SU) Eth LACP Eth1/2(P) Eth1/3(P)
验证 FXOS 接口状态:
FP4110-7-A(fxos)# show interface brief -------------------------------------------------------------------------------- Ethernet VLAN Type Mode Status Reason Speed Port Interface Ch # -------------------------------------------------------------------------------- Eth1/1 1 eth 1qtunl up none 1000(D) -- Eth1/2 1 eth 1qtunl up none 1000(D) 15 Eth1/3 1 eth 1qtunl up none 1000(D) 15 Eth1/4 1 eth 1qtunl down SFP not inserted 10G(D) -- Eth1/5 1 eth 1qtunl down Administratively down 1000(D) -- Eth1/6 1 eth 1qtunl down Administratively down 1000(D) -- Eth1/7 1 eth 1qtunl down Administratively down 10G(D) -- Eth1/8 1 eth 1qtunl down SFP not inserted 10G(D) -- Eth1/9 1 eth vntag up none 40G(D) -- Eth1/10 1 eth access down Administratively down 40G(D) -- Eth1/11 1 eth access down Administratively down 1000(D) -- Eth1/12 1 eth access down Administratively down 1000(D) --
检查2 -验证FXOS是否发送和接收LACP(多次运行该命令)。
FP4110-7-A(fxos)# show lacp counters interface port-channel 15
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
port-channel15
Ethernet1/2 223019 207280 0 0 0 0 0
Ethernet1/3 296532 207744 0 0 0 0 0
验证交换机是否发送和接收 LACP:
Switch# show lacp 5 counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 5
Gi1/0/2 627 596 0 0 0 0 0
Gi1/0/3 623 593 0 0 0 0 0
验证单个 FXOS 接口的 LACP 详细信息:
FP4110-7-A(fxos)# show lacp interface ethernet 1/2 Interface Ethernet1/2 is up Channel group is 15 port channel is Po15 PDUs sent: 222828 PDUs rcvd: 207074 Markers sent: 0 Markers rcvd: 0 Marker response sent: 0 Marker response rcvd: 0 Unknown packets rcvd: 0 Illegal packets rcvd: 0 Lag Id: [ [(8000, 28-6f-7f-ec-59-80, 5, 8000, 103), (8000, 2c-33-11-8e-7-b3, e, 8000, 42)] ] Operational as aggregated link since Tue Oct 31 19:14:57 2017 Local Port: Eth1/2 MAC Address= 2c-33-11-8e-7-b3 System Identifier=0x8000,2c-33-11-8e-7-b3 Port Identifier=0x8000,0x42 Operational key=14 LACP_Activity=active LACP_Timeout=Short Timeout (1s) Synchronization=IN_SYNC Collected=true Distributing=true
检查3 -检验本地和远程设备的LACP ID。
FP4110-7-A(fxos)# show lacp port-channel interface port-channel 15 port-channel15 System Mac=2c-33-11-8e-7-b3 Local System Identifier=0x8000,2c-33-11-8e-7-b3 Admin key=0xe Operational key=0xe Partner System Identifier=0x8000,28-6f-7f-ec-59-80 Operational key=0x5 Max delay=0 Aggregate or individual=1 Member Port List=
检查4(可选)-收集此输出(可由思科TAC使用)。
FP4110-7-A(fxos)# show lacp internal event-history errors
1) Event:E_DEBUG, length:74, at 574387 usecs after Tue Oct 31 19:14:57 2017
[102] lacp_proto_set_ntt(1780): Restarting periodic tx timer in 0x210 msecs
2) Event:E_DEBUG, length:467, at 544757 usecs after Tue Oct 31 19:14:57 2017
[102] lacp_ac_init_port_channel_member(1660): TYPE1 UPDATE lacp_ac_init_port
_channel_member port-channel port-channel15(0x1600000e) lacp_mcec_type1_upd_sent
...
检查 5 – 检查出现问题的特定端口的 LACP FSM 转换。显示的消息中,最旧的在输出的顶部。
FP4110-7-A(fxos)# show lacp internal event-history interface ethernet 1/2
>>>>FSM: <Ethernet1/2> has 975 logged transitions<<<<<
1) FSM:<Ethernet1/2> Transition at 257150 usecs after Sun Oct 29 12:35:16 2017
Previous state: [LACP_ST_WAIT_FOR_HW_TO_PROGRAM_RECEIVE_PATH]
Triggered event: [LACP_EV_PORT_RECEIVE_PATH_ENABLED_AS_CHANNEL_MEMBER_MESSAGE]
Next state: [LACP_ST_PORT_MEMBER_RECEIVE_ENABLED]
...
4) FSM:<Ethernet1/2> Transition at 966987 usecs after Sun Oct 29 12:35:19 2017
Previous state: [LACP_ST_PORT_MEMBER_COLLECTING_AND_DISTRIBUTING_ENABLED]
Triggered event: [LACP_EV_PARTNER_PDU_IN_SYNC] <--- Good (Received LACP with ‘Synchronization = 1’
Next state: [LACP_ST_PORT_IS_DOWN_OR_LACP_IS_DISABLED]
...
207) FSM:<Ethernet1/4> Transition at 482767 usecs after Sun Oct 29 13:18:40 2017
Previous state: [LACP_ST_ATTACHED_TO_AGGREGATOR]
Triggered event: [LACP_EV_PARTNER_PDU_OUT_OF_SYNC]
Next state: [FSM_ST_NO_CHANGE]
208) FSM:<Ethernet1/4> Transition at 363720 usecs after Sun Oct 29 13:18:41 2017
Previous state: [LACP_ST_ATTACHED_TO_AGGREGATOR]
Triggered event: [LACP_EV_PARTNER_PDU_OUT_OF_SYNC] <--- Bad (Received LACP with ‘Synchronization = 0’
Next state: [FSM_ST_NO_CHANGE]
检查6 -收集端口通道事件历史记录(可由思科TAC使用)。
FP4110-7-A(fxos)# show port-channel internal event-history all
Low Priority Pending queue: len(0), max len(1) [Tue Oct 31 19:37:03 2017] High Priority Pending queue: len(0), max len(12) [Tue Oct 31 19:37:03 2017] PCM Control Block info: pcm_max_channels : 4096 pcm_max_channel_in_use : 48 pc count : 2 hif-pc count : 0 Max PC Cnt : 104 Load-defer timeout : 120 ==================================================== PORT CHANNELS: 2LvPC PO in system : 0 port-channel15 channel : 15 bundle : 65535 ... >>>>FSM: <eth-port-channel 15> has 66 logged transitions<<<<< 1) FSM:<eth-port-channel 15> Transition at 174796 usecs after Tue Oct 31 18:05:0 8 2017 Previous state: [PCM_PC_ST_INIT] Triggered event: [PCM_PC_EV_CREATE_INIT] Next state: [FSM_ST_NO_CHANGE] 2) Event:ESQ_START length:38, at 174810 usecs after Tue Oct 31 18:05:08 2017 Instance:369098766, Seq Id:0x1, Ret:SUCCESS Seq Type:SERIAL ...
对 FPR21xx/FPR1xxx 上的端口通道执行故障排除
网络图
检查1。如果使用LACP,请验证LACP计数器。
您会发现两端(交换机和 FXOS)都在发送和接收 LACP:
FP2110-2(local-mgmt)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 11
Eth1/1 4435 3532 0 0 0 0 0
Eth1/2 4566 3532 0 0 0 0 0
另一种验证方法:
FP2110-2(local-mgmt)# show pktmgr counters
Ports Tx Tx Tx Rx Rx Rx Rx
Packets Drops Bytes Packets Drops Bytes Forwards
----------------------------------------------------------------------------
Eth1/1 4575 0 567300 3537 0 452736 3537 < LACP PDUs forwarded internally to LACP process
Eth1/2 4706 0 583544 3537 0 452736 3537 < LACP PDUs forwarded internally to LACP process
Eth1/3 0 0 0 0 0 0 0
Eth1/4 0 0 0 0 0 0 0
Eth1/5 0 0 0 0 0 0 0
Eth1/6 0 0 0 0 0 0 0
Eth1/7 0 0 0 0 0 0 0
Eth1/8 0 0 0 0 0 0 0
Eth1/9 0 0 0 0 0 0 0
Eth1/10 0 0 0 0 0 0 0
Eth1/11 0 0 0 0 0 0 0
Eth1/12 0 0 0 0 0 0 0
Eth1/13 0 0 0 0 0 0 0
Eth1/14 0 0 0 0 0 0 0
Eth1/15 0 0 0 0 0 0 0
Eth1/16 0 0 0 0 0 0 0
Misc. 0 0 0 0 0 0 n/a
检查2。检验上游交换机状态。
FP2110-2(local-mgmt)# show lacp neighbor
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
Channel group: 11
Partner (internal) information:
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/1 32768,286f.7fec.5980 0x10e 9 s FA
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x16 0x3f
Port State Flags Decode:
Activity: Timeout: Aggregation: Synchronization:
Active Long Yes Yes
Collected: Distributing: Defaulted: Expired:
Yes Yes No No
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/2 32768,286f.7fec.5980 0x10f 24 s FA
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x16 0x3f
Port State Flags Decode:
Activity: Timeout: Aggregation: Synchronization:
Active Long Yes Yes
Collected: Distributed: Defaulted: Expired:
Yes Yes No No
注意:如果“已收集和分发”字段不是“是”,而“默认”字段是“否”,则LACP未收敛。
检查3。检验本地LACP系统ID是否为0。
FP2110-2(local-mgmt)# show lacp sys-id 32768, 70df.2f18.d813
其他故障排除(所有平台通用)
检查 1
确保两端(防火墙和交换机)具有匹配的设置(例如,速度相同,端口通道模式相同)。
检查 2
检查 FXOS 是否发生故障。您可以从机箱用户界面(UI)或使用此命令的CLI执行此检查:
FPR4100# show fault Severity Code Last Transition Time ID Description --------- -------- ------------------------ -------- ----------- Major F0479 2020-03-19T11:50:44.322 543322 Virtual interface 781 link state is down Major F0373 2020-03-19T10:55:13.778 34178 Fan 1 in Fan Module 1-5 under chassis 1 operability: inoperable Minor F0480 2020-03-19T10:55:13.777 34177 Fan module 1-5 in chassis 1 operability: degraded Major F1767 2020-03-19T10:54:04.162 531228 The password encryption key has not been set. Major F0727 2020-03-19T09:50:02.891 522921 lan Member 1/5 of Port-Channel 10 on fabric interconnect A is down, membership: suspended Major F0282 2020-03-19T09:49:31.462 522922 lan port-channel 10 on fabric interconnect A oper state: failed, reason: No operational members Major F0277 2020-03-19T09:49:31.437 522929 ether port 1/5 on fabric interconnect A oper state: failed, reason: Other Info F0279 2020-01-17T11:06:45.472 300958 ether port 1/7 on fabric interconnect A oper state: sfp-not-present Info F0279 2020-01-17T11:06:37.941 300903 ether port 1/6 on fabric interconnect A oper state: sfp-not-present Minor F1437 2020-01-16T10:11:39.675 291723 Config backup may be outdated
故障按时间顺序显示。严重程度反映故障的重要性,说明中会提供简要概述。请重点关注严重程度、时间戳和说明。故障严重程度由高到低依次为:
- 关键
- 重大
- Minor(轻微)
- 警告
- 信息/条件
- 已清除
有关每个故障的详细信息,请查看FXOS故障和错误消息指南: FXOS错误和系统消息
检查 3
如果您最近对FMC上的端口通道配置进行了一些更改,请确保将策略从FMC部署到FTD。
检查 4
如果Port-Channel处于Failed状态,并且设备属于集群,请确保在设备上启用集群。对于被逐出集群的设备而言,其端口通道处于故障状态非常正常.
检查 5
如果配置正确,但接口未启动,请检查并更换电缆和/或小型封装热插拔 (SFP) 收发器.
检查 6
有关与端口通道相关的已知问题,请查看 Firepower 版本说明。例如,如果运行 FXOS 2.6.1.169 和 FTD 6.4.0.6 版本,请查看以下部分:
此外,请查看相关的 FMC/FTD 版本说明。在本例中,FTD 运行 6.4.0.5,因此需要查看 6.4.x 版本说明:
常见问题
例 1.EtherChannel模式不匹配
请思考以下拓扑:
问题症状
Firepower 上端口通道关闭,协商协议为 LACP:
FP2110-2(local-mgmt)# show portchannel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
11 Po11(D) Eth LACP Eth1/1(D) Eth1/2(D)
在FXOS上,LACP Sent计数器每30秒增加一次,但Receive计数器不会:
FP2110-2(local-mgmt)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 11
Eth1/1 11356 3762 0 0 0 0 0
Eth1/2 11393 3761 0 0 0 0 0
FP2110-2(local-mgmt)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 11
Eth1/1 11357 3762 0 0 0 0 0
Eth1/2 11394 3761 0 0 0 0 0
根本原因
交换机上的端口通道已启用,但缺少协商协议:
Switch# show etherchannel 22 summary … Number of channel-groups in use: 15 Number of aggregators: 15 Group Port-channel Protocol Ports ------+-------------+-----------+----------------------------------------------- 22 Po22(SU) - Gi1/0/13(P) Gi1/0/14(P)
交换机端口配置证实了这一点:
Switch# show run int g1/0/13 interface GigabitEthernet1/0/13 lacp rate fast channel-group 22 mode on end Switch# show run int g1/0/14 interface GigabitEthernet1/0/14 lacp rate fast channel-group 22 mode on end
解决方案
由于这是FPR21xx设备,因此有两种可能的解决方案:
- 将交换机端的端口通道模式从“开启”更改为“LACP”(“主动”或“被动”均可)。
- 将 FTD 端的端口通道模式从“LACP”更改为“开启”。
在此场景中,选择了第二个解决方案(将FTD端口通道设置为开启模式):
FP2110-2(local-mgmt)# show portchannel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
11 Po11(U) Eth ON Eth1/1(P) Eth1/2(P)
LACP 计数器不再显示:
FP2110-2(local-mgmt)# show lacp counters FP2110-2(local-mgmt)#
案例 2.错误的端口通道设计
问题症状
FP4110-7-A(fxos)# show port-channel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
15 Po15(SD) Eth LACP Eth1/2(P) Eth1/3(s)
48 Po48(SD) Eth NONE --
FXOS LACP 计数器双向增加:
FP4110-7-A(fxos)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
port-channel15
Ethernet1/2 419219 451268 0 0 0 0 0
Ethernet1/3 419215 446806 0 0 0 0 0
FP4110-7-A(fxos)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
port-channel15
Ethernet1/2 419219 451269 0 0 0 0 0
Ethernet1/3 419216 446807 0 0 0 0 0
根本原因
show lacp neighbor 的输出结果表明各端口的合作伙伴系统 ID 不同:
FP4110-7-A(fxos)# show lacp neighbor
Flags: S - Device is sending Slow LACPDUs F - Device is sending Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode
port-channel15 neighbors
Partner's information
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/2 32768,28-6f-7f-ec-59-800x103 419611 FA
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x5 0x3d
Partner's information
Partner Partner Partner
Port System ID Port Number Age Flags
Eth1/3 32768,4-62-73-d2-65-0 0x12f 419610 SA
LACP Partner Partner Partner
Port Priority Oper Key Port State
32768 0x16 0xd
上述内容可以图形表示为:
解决方案
- 对于 2960,需要配置堆栈 (FlexStack)。
- 对于3750-X/3850等,您需要配置堆叠(StackWise Plus)。
- 对于4500、6500、6800,您需要使用虚拟交换系统(VSS)。
- 对于Nexus 5K、7K或9K,您需要使用虚拟端口通道(vPC)。
- 在其他情况下,需要将 FXOS 连接到同一物理交换机。
案例 3.FXOS端口通道未分配
网络图
问题症状
在 FXOS 端,端口通道成员处于挂起状态:
FP4110-7-A(fxos)# show port-channel summary
Flags: D - Down P - Up in port-channel (members)
I - Individual H - Hot-standby (LACP only)
s - Suspended r - Module-removed
S - Switched R - Routed
U - Up (port-channel)
M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port- Type Protocol Member Ports
Channel
--------------------------------------------------------------------------------
15 Po15(SD) Eth LACP Eth1/2(s) Eth1/3(s)
48 Po48(SD) Eth NONE --
在交换机端也是如此:
Switch# show etherchannel 5 summary … Group Port-channel Protocol Ports ------+-------------+-----------+----------------------------------------------- 5 Po5(SD) LACP Gi1/0/2(s) Gi1/0/3(s)
FXOS LACP计数器显示发送和接收的数据包:
FP4110-7-A(fxos)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
port-channel15
Ethernet1/2 420839 452531 0 0 0 0 0
Ethernet1/3 420793 447409 0 0 0 0 0
FP4110-7-A(fxos)# show lacp counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
port-channel15
Ethernet1/2 421026 452537 0 0 0 0 0
Ethernet1/3 420981 447416 0 0 0 0 0
在交换机端,LACP计数器还会显示已发送但未接收的数据包:
Switch# show lacp 5 counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 5
Gi1/0/2 452539 420223 0 0 0 0 0
Gi1/0/3 447232 415274 0 0 0 0 0
Switch# show lacp 5 counters
LACPDUs Marker Marker Response LACPDUs
Port Sent Recv Sent Recv Sent Recv Pkts Err
---------------------------------------------------------------------
Channel group: 5
Gi1/0/2 452540 420223 0 0 0 0 0
Gi1/0/3 447233 415274 0 0 0 0 0
根本原因
在本例中,问题在于 FXOS 端口通道未分配给逻辑设备(FTD 应用):
解决方案
将端口通道分配给逻辑设备.
案例 4.有关Port-Channel的运行状况警报未收到任何数据包
设备 (FTD) 每 5 分钟发送一次各接口(已配置名称并处于运行状态)收到的接口流量信息。如果在上一时间间隔中未收到数据包,则 FMC UI 中会显示如下消息:
建议操作
从FTD CLI中,检查show traffic输出并专注于5分钟输入速率。例如,
Interface Port-channel10.14
INSIDE:
received (in 237938.740 secs):
2 packets 84 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 237938.740 secs):
5 packets 140 bytes
0 pkts/sec 0 bytes/sec
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
案例 5.FMC上的运行状况警报:端口通道取消关联或接口已添加
运行状况警报状态:“Interface with physical-name: "Port-Channel" disassociated.”或“”Interface with physical-name: \"name_if\"已添加。"
建议操作
端口通道注意事项
设计注意事项
例 1.FTD/ASA刀片在高可用性中
此设置不受支持。原因是交换机端的端口通道配置不正确,导致备用设备上的流量阻塞。仅在“集群跨网络”模式下配置 ASA 或 FTD 时,才支持此设计。
警告:此场景在故障切换(高可用性)中不正确。
适合高可用性的端口通道设计如下:
相关信息
案例 2.集群中的FTD/ASA
每个防火墙数据接口端口通道均使用“跨网络”模式(Firepower 平台支持的唯一模式)。从设计角度来看,在交换机端,单个数据接口的交换机端口属于一个端口通道。
例如,对于 FP9300(2 个机箱、6 个刀片),数据端口可按如下方式配置:
另一方面,集群控制链路(CCL)使用单个端口通道模式,根据最佳实践,带宽必须与每个成员的最大容量相匹配。此外,对于 Nexus,每个端口通道都属于不同的 vPC。
同样,对于 FP41xx:
CCL:
案例 3.Port-Channel在FXOS上终止
端口通道在 FXOS 机箱上端接。此设计的示例如下:
案例 4.通过FXOS的端口通道
端口通道通过FXOS机箱。此设计的示例如下:
注意:在第二个场景中,Firepower设备上未配置Port-Channel。
“端口通道在 FXOS 上端接”与“端口通道穿过 FXOS”的区别
| 功能 |
备注 |
| 端口通道在 FXOS 机箱上端接 (MIO) |
适用于 FXOS 2.1.1 及以上版本 |
| 端口通道通过FXOS机箱(MIO) |
|
其他注意事项
LACP 平稳收敛
在集群设置(ASA或FTD)的情况下,建议在Nexus上启用LACP平稳融合。
常见问题解答 (FAQ)
问:SSP端口通道散列分发是固定的,还是自适应的?
FXOS 使用弹性散列分布。这大概相当于 Nexus 7000/9000 在线文档中介绍的固定散列分布模式。在弹性散列中,如果链路发生故障,分配给故障链路的流将在活动链路之间均匀地重新分配。流经活动链路的当前流不会重新散列,其数据包也不会顺序混乱。将链路添加到port-channel或ECMP组时,散列到当前链路的某些流会重新散列到新链路,但不会跨所有当前链路。
问:如果连接到Port-Channel的交换机端口断开,会发生什么情况?FTD是否监控物理链路或port-channel?
如果所有端口通道接口成员都关闭,则端口通道也会关闭。端口通道操作状态显示为故障。从 FTD 的角度来看,端口通道显示为关闭。另一方面,在此规则中,有一个例外:交换机使用堆叠时。使用 LACP 时,系统 ID 使用主用交换机的堆栈 MAC 地址;如果主用交换机发生变化,则 LACP 系统 ID 也会发生变化。如果 LACP 系统 ID 发生变化,则整个 EtherChannel 均会摆动,并且出现 STP 重新收敛。使用stack-mac persistent timer命令控制堆叠MAC地址在主用交换机故障切换后是否更改。
Q.希望使用“port-channel min-bundle 2”命令,这样,如果port-channel中的一个链路断开,则port-channel断开,并且防火墙进行故障切换。
此选项在 FXOS 机箱上不可用。要解决此问题,请尽可能在对等交换机上配置 lacp min-links 命令。
问:如何捕获LACP数据包?
例 1.端口通道在逻辑设备(FTD/ASA)上终止
- 端口通道实际上在机箱级别 (FXOS) 端接。
- 无法在机箱级别 (FXOS) 和应用程序级别 (FTD/ASA) 捕获 LACP 数据包(入口或出口)。
案例 2.通过FTD的端口通道- FTD接口部署为内联集:
inline-set set1
snort fail-open down
interface-pair INSIDE OUTSIDE
!
interface Ethernet1/2
nameif INSIDE
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
!
interface Ethernet1/3
nameif OUTSIDE
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
LACP Ethertype is 0x8809 (dec 34825):
firepower# capture CAP interface INSIDE ethernet-type 34825
firepower# show capture CAP
1: 21:15:00.403131 2894.0f57.271d 0180.c200.0002 0x8809 Length: 124 <-- LACP packet
0101 0114 8000 0017 dfd6 ec00 0016 8000
0223 3d00 0000 0214 8000 0017 dfd6 ec00
0015 8000 0222 3d00 0000 0310 8000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000
案例 3.通过FTD的端口通道- FTD接口部署为网桥组模式:
interface Ethernet1/2
bridge-group 1
nameif INSIDE
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
!
interface Ethernet1/3
bridge-group 1
nameif OUTSIDE
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
!
interface BVI1
ip address 192.168.201.134 255.255.255.0
firepower# capture CAP interface INSIDE ethernet-type 34825
firepower# show capture CAP
1 packet captured
1: 21:21:29.731987 2894.0f57.271c 0180.c200.0002 0x8809 Length: 124 <-- LACP packet
0101 0114 8000 0017 dfd6 ec00 0015 8000
0222 7d00 0000 0214 0000 0000 0000 0000
0000 0000 0000 0000 0000 0310 8000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000
1 packet shown
问:如何从单个端口迁移到端口通道?
此变更需要维护窗口 (MW),且具有侵入性。从单个接口迁移到端口通道后,所有与该单个接口相关的配置都会与之取消关联。创建Port-Channel后,需要将相同的配置重新与新配置的端口通道相关联,例如NAT、路由、VPN等。对于 FTD,相关说明详见文档:
配置 EtherChannel
对于 ASA 设备,相关流程详见文档:
将使用中的接口转换为冗余或 EtherChannel 接口
问:如何将FTD高可用性(HA)链路更改为Port-Channel?
此变更需要维护窗口 (MW),且具有侵入性。必须中断 HA 并进行重新配置。在新的 HA 对中,请将端口通道指定为 HA 链路。相关文档:
在 Firepower 设备上配置 FTD 高可用性
问:带ASA的Firepower显示端口通道打开,物理接口状态关闭
这与思科漏洞ID CSCvp相关03354
问:为FMC上的端口通道ID选择什么重要吗? 是否必须与交换机端的内容相匹配?
不,这并不重要。可以随心所欲使用任何端口通道 ID。
问:在Port-Channel Advanced选项卡下,是否需要对主用/备用MAC执行任何操作?
如果您计划在接入模式(无中继)下使用端口通道,并且使用高可用性(HA)设置,则强烈建议配置主用/备用MAC。此建议并不针对某种端口通道,但适用于任何 HA 设置。
问:能否配置Port-Channel的接口成员的描述?
目前(FXOS 2.13.x),不支持此功能。有关更多详细信息,请查看最新 FXOS 配置指南。
问:是否可以更改FXOS端口通道负载均衡算法?
目前(FXOS 2.13.x),不支持此功能。有关更多详细信息,请查看最新 FXOS 配置指南。
问:能否在port-channel中配置成员接口的最小数量(min-links),以便将port-channel转换为捆绑状态?
目前(FXOS 2.13.x),不支持此功能。有关更多详细信息,请查看最新 FXOS 配置指南。
相关信息
修订历史记录
| 版本 | 发布日期 | 备注 |
|---|---|---|
4.0 |
11-Apr-2024 |
已更新样式要求和格式。 |
3.0 |
15-May-2023 |
更新的格式和语言 |
1.0 |
26-Mar-2020 |
初始版本 |
反馈