Contents
1 MAC Address Table Troubleshooting
1.1 Troubleshooting a Source MAC Address Attack That Causes Momentary Port Traffic Loss
1.1.1 Symptom
1.1.2 Troubleshooting Procedure
1.2 Diagnostic Commands
1 MAC Address Table Troubleshooting
1.1 Troubleshooting a Source MAC Address Attack That Causes Momentary Port Traffic Loss
1.1.1 Symptom
As shown in Figure 1-1, the Switch connects downstream to a DSLAM (Digital Subscriber Line Access Multiplexer) and upstream to a BAS (Broadband Access Server); the BAS terminates the users' PPPoE dial-up sessions. Selective QinQ (flexible QinQ) is configured on the Switch, with user-side VLAN 824 mapped to network-side VLAN 1003. The MAC address of the BAS, which acts as the users' gateway, is 0090-1aa0-d47a.
Symptom: users behind the DSLAM are dropped on a large scale at irregular intervals. When the problem occurs, traffic on port Ethernet3/0/4 falls sharply. After roughly five minutes the port's traffic slowly climbs back, which shows that the mass disconnection is over, the users behind the DSLAM are gradually reconnecting and the network is returning to normal.
Figure 1-1 Network diagram for the source MAC address attack causing momentary port traffic loss
1.1.2 Troubleshooting Procedure
(1) Check the interface information
Execute the display interface command to display information about port Ethernet3/0/4:
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-e200-8048
Description: Ethernet3/0/4 Interface
Loopback is not set
Media type is twisted pair, port hardware type is 100_BASE_TX
100Mbps-speed mode, full-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
Flow-control is not enabled
The Maximum Frame Length is 9022
Broadcast MAX-ratio: 100%
Unicast MAX-ratio: 100%
Multicast MAX-ratio: 100%
Allow jumbo frame to pass
PVID: 100
Mdi type: auto
Port link-type: trunk
 VLAN passing  : 824
 VLAN permitted: 824
Trunk port encapsulation: IEEE 802.1q
Port priority: 0
Last clearing of counters: Never
Peak value of input: 4 bytes/sec, at 2012-04-26 12:07:48
Peak value of output: 81 bytes/sec, at 2012-04-26 12:09:24
Last 300 seconds input: 1 packets/sec 147 bytes/sec
Last 300 seconds output: 1 packets/sec 179 bytes/sec
Input (total): 271 packets, 12250 bytes
 0 unicasts, 150 broadcasts, 121 multicasts, 0 pauses
Input (normal): 271 packets, 12250 bytes
 0 unicasts, 150 broadcasts, 121 multicasts, 0 pauses
Input: 0 input errors, 0 runts, 0 giants, 0 throttles
 0 CRC, 0 frame, - overruns, 0 aborts
 - ignored, - parity errors
Output (total): 1522 packets, 183608303 bytes
 0 unicasts, 13 broadcasts, 860 multicasts, 0 pauses
Output (normal): 1522 packets, - bytes
 0 unicasts, 13 broadcasts, 860 multicasts, 0 pauses
Output: 0 output errors, - underruns, 1 buffer failures
 0 aborts, 0 deferred, 0 collisions, 0 late collisions
 0 lost carrier, - no carrier
During the fault the port counts only multicast and broadcast packets; its unicast input counter stays at zero.
(2) Cause analysis
From the symptom, the inbound packet counters of port Ethernet3/0/4 show only multicast and broadcast packets while the fault is present, so it is almost certain that, for some reason, every unicast packet entering the Switch through Ethernet3/0/4 is being dropped. The traffic of the users behind the DSLAM is predominantly unicast, so this drop takes the users offline; they then re-authenticate, which is why the port's traffic falls so sharply.
The analysis therefore starts from why the packets are dropped. The drop pattern matches the "source-port return packet" discard rule very closely: a switch never forwards a frame back out the port on which it arrived, so if the port receives frames whose destination MAC address is one the switch has learned on that same port, those frames are discarded. In normal operation, the BAS's MAC address (the destination MAC of the PPPoE unicast traffic arriving on Ethernet3/0/4) is learned only in VLAN 1003 on port GigabitEthernet2/0/1 of the Switch; it should never be learned on a user-side port unless there is a loop in the network or some other cause.
The Switch's MAC address table under normal conditions:
MAC ADDR        VLAN ID  STATE    PORT INDEX  AGING TIME(s)
0090-1aa0-d47a  1003     Learned  GE2/0/1     AGING
0090-1aa0-d47a  1101     Learned  GE2/0/1     AGING
0090-1aa0-d47a  1201     Learned  GE2/0/1     AGING
0090-1aa0-d47a  4093     Learned  GE2/0/1     AGING
The MAC address learned on port Ethernet3/0/4 of the Switch when the fault occurs:
MAC ADDR        VLAN ID  STATE    PORT INDEX  AGING TIME(s)
0090-1aa0-d47a  824      Learned  Eth3/0/4    AGING
This is the BAS's MAC address, yet it has been learned in VLAN 824 on the user-side port Ethernet3/0/4. The normal PPPoE service packets arriving on Ethernet3/0/4 are addressed to exactly this MAC, so all of them are discarded as source-port return packets.
Re-examining the information gathered before and after the fault reveals a pattern: during the mass disconnection (heavy packet loss on the port) the BAS's MAC address is learned on Ethernet3/0/4, and while service traffic gradually recovers to normal, this entry ages out.
Because the DSLAM and the Switch are directly connected, with no intermediate switch that could form a loop, and the network topology has remained stable throughout, the conclusion is that a user behind the DSLAM is attacking the Switch by spoofing the gateway MAC address as the source MAC of its own frames, causing the mass disconnection of the users behind that DSLAM. As for the attacker's motive, such attacks are mostly about grabbing more bandwidth: kicking the other users offline forces the network to re-initialize, and the attacker perceives a noticeably faster connection.
(3) Resolve the fault
Configure a static entry for the gateway MAC address in user-side VLAN 824 on the Switch's uplink port GigabitEthernet2/0/1. A static entry is not overwritten by dynamic learning and does not age out, so the gateway MAC can never again be learned on port Ethernet3/0/4 and the attacker's MAC spoofing no longer has any effect. The procedure is as follows:
# Add port GigabitEthernet2/0/1 to VLAN 824.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk permit vlan 824
[Switch-GigabitEthernet2/0/1] quit
# Configure a static gateway MAC address in VLAN 824 on port GigabitEthernet2/0/1.
[Switch] mac-address static 0090-1aa0-d47a interface gigabitethernet 2/0/1 vlan 824
After the static MAC address was configured, the users behind the DSLAM have run stably and no further disconnections have occurred.
• With selective QinQ enabled, configure a static entry for the gateway's MAC address on the device's uplink port to protect against source MAC address attacks by users.
• When there are several uplink ports, configuring the static MAC address on any one of them is sufficient.
• Because the entry is static, it must be updated by hand if the gateway's MAC address ever changes (for example when the BAS is replaced); otherwise the gateway becomes unreachable from the user-side VLAN.
1.2 Diagnostic Commands
Command              Description
display interface    Displays information about an Ethernet interface
display mac-address  Displays MAC address table information
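The checks in 1.1.2 steps (1) and (2) and the remediation in step (3) can be scripted against the output of the two diagnostic commands in 1.2. The following Python is an added example, not part of the original guide or of H3C's software: it parses constructed excerpts of display interface and display mac-address output in the layout shown above, reports whether the port is receiving no unicast traffic at all, finds entries where the gateway MAC has been learned on a port other than the configured uplink, and emits the static MAC-address commands from step (3) for every affected VLAN. The sample outputs, the interface-name abbreviation table (PORT_ALIASES) and all function names are assumptions made for this example.

```python
"""Added example (not from the H3C guide): parse `display interface` and
`display mac-address` output, flag the gateway-MAC-on-user-port symptom and
emit the static MAC remediation. All sample data below is constructed."""
import re
from dataclasses import dataclass

# Constructed excerpt of `display interface`, in the layout the guide shows.
SAMPLE_INTERFACE = """\
Input (total): 271 packets, 12250 bytes
 0 unicasts, 150 broadcasts, 121 multicasts, 0 pauses
Input (normal): 271 packets, 12250 bytes
 0 unicasts, 150 broadcasts, 121 multicasts, 0 pauses
"""

# Constructed `display mac-address` dump taken during the fault: the gateway MAC
# is correctly on GE2/0/1, but has also been learned from Eth3/0/4 in VLAN 824.
SAMPLE_MAC_TABLE = """\
MAC ADDR        VLAN ID  STATE    PORT INDEX   AGING TIME(s)
0090-1aa0-d47a  1003     Learned  GE2/0/1      AGING
0090-1aa0-d47a  1101     Learned  GE2/0/1      AGING
0090-1aa0-d47a  824      Learned  Eth3/0/4     AGING
00e0-fc12-3456  824      Learned  Eth3/0/4     AGING
"""

INPUT_RE = re.compile(
    r"^Input \(total\):\s*(\d+) packets,.*\n\s*(\d+) unicasts, (\d+) broadcasts, (\d+) multicasts",
    re.MULTILINE,
)
ROW_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<vlan>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<port>\S+)\s+(?P<aging>\S+)$",
    re.IGNORECASE,
)
# Abbreviations used in the MAC table vs. full names used in commands (assumed mapping).
PORT_ALIASES = {"GE": "GigabitEthernet", "Eth": "Ethernet", "XGE": "Ten-GigabitEthernet"}


@dataclass(frozen=True)
class MacEntry:
    mac: str
    vlan: int
    state: str
    port: str
    aging: str


def input_counters(text: str) -> dict:
    """Total/unicast/broadcast/multicast input packet counts from `display interface`."""
    m = INPUT_RE.search(text)
    if not m:
        raise ValueError("no 'Input (total)' block found")
    total, uni, bc, mc = (int(x) for x in m.groups())
    return {"packets": total, "unicasts": uni, "broadcasts": bc, "multicasts": mc}


def unicast_starved(counters: dict) -> bool:
    """Step (1) symptom: the port is receiving frames, but none of them are unicast."""
    return counters["packets"] > 0 and counters["unicasts"] == 0


def parse_mac_table(text: str) -> list[MacEntry]:
    """MAC entries from a `display mac-address` dump; header/footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(MacEntry(m["mac"].lower(), int(m["vlan"]), m["state"], m["port"], m["aging"]))
    return rows


def split_port(port: str) -> tuple[str, str]:
    """'GE2/0/1', 'GigabitEthernet2/0/1' and 'gigabitethernet 2/0/1' -> ('gigabitethernet', '2/0/1')."""
    m = re.match(r"^([A-Za-z\-]+)\s*(\d[\d/:.]*)$", port.strip())
    if not m:
        raise ValueError(f"unrecognised port name: {port!r}")
    name, index = m.groups()
    return PORT_ALIASES.get(name, name).lower(), index


def find_spoofed_gateway(entries, gateway_mac: str, uplink_ports) -> list[MacEntry]:
    """Step (2): entries where the gateway MAC was learned on a port that is not an uplink."""
    gw = gateway_mac.lower()
    uplinks = {split_port(p) for p in uplink_ports}
    return [e for e in entries if e.mac == gw and split_port(e.port) not in uplinks]


def static_mac_commands(gateway_mac: str, uplink_port: str, vlans) -> list[str]:
    """Step (3): pin the gateway MAC to one uplink in every affected user-side VLAN."""
    name, index = split_port(uplink_port)
    cmds = [f"interface {name} {index}", "port link-type trunk"]
    cmds += [f"port trunk permit vlan {v}" for v in sorted(vlans)]
    cmds.append("quit")
    cmds += [f"mac-address static {gateway_mac.lower()} interface {name} {index} vlan {v}"
             for v in sorted(vlans)]
    return cmds


def remediation(mac_table: str, gateway_mac: str, uplink_ports) -> list[str]:
    """Commands to apply; empty when the gateway MAC is only ever learned on uplinks."""
    bad = find_spoofed_gateway(parse_mac_table(mac_table), gateway_mac, uplink_ports)
    if not bad:
        return []
    # With several uplinks, the guide notes that any one of them is enough for the static entry.
    return static_mac_commands(gateway_mac, uplink_ports[0], {e.vlan for e in bad})


if __name__ == "__main__":
    if unicast_starved(input_counters(SAMPLE_INTERFACE)):
        print("port receives only broadcast/multicast: check for a spoofed gateway MAC")
    print("\n".join(remediation(SAMPLE_MAC_TABLE, "0090-1aa0-d47a", ["GE2/0/1"])))
```

Run against the constructed sample, the script reports the starved unicast counter and prints the same five commands the guide applies in step (3). Feed it real captures by replacing the two SAMPLE_ strings; the VLAN list in the generated commands comes from whichever user-side VLANs the gateway MAC was actually seen in, so a switch with several QinQ mappings gets one static entry per affected VLAN.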