網路拓撲:

兩臺防火墻工作在透明模式,介面配置為bridge,分別屬于vlan100與vlan200。
防火墻-1的GE 0/2口屬于trust域,接核心交換機的GE 0/0/27口VLAN538;GE 0/3口屬于untrust域,接運營商主用鏈路(ip:172.19.11.150)。
防火墻-2的GE 0/2口屬于trust域,接核心交換機的GE 0/0/28口VLAN638;GE 0/3口屬于untrust域,接運營商備用鏈路(ip:172.19.12.150)。
(注意:下方組態檔中GE 0/0/27為access vlan 638、GE 0/0/28為access vlan 538,與此處描述的埠與VLAN對應相反,排查時需先核對實際接線。)
核心交換機的vlan538介面 ip:172.19.11.149
核心交換機的vlan638 介面ip:172.19.12.149
核心交換機的vlan4介面ip:10.11.55.254/24和10.11.66.254/24,vlan4下接入終端,終端ip:10.11.55.0/24 GW:10.11.55.254;10.11.66.0/24 GW:10.11.66.254
核心交換機組態檔:
<UYX_S7503E>dis cu
#
version 5.20, Release 6616P05
#
sysname UYX_S7503E
#
super password level 3 cipher -MA#A:<]W7F[R=`>X.&STA!!
#
domain default enable system
#
router id 172.20.2.112
#
telnet server enable
#
lldp enable
#
mirroring-group 1 local
#
switch-mode standard
#
acl number 4000
rule 1 deny source-mac 001a-a941-3c88 ffff-ffff-ffff
rule 2 deny source-mac 000e-a300-7425 ffff-ffff-ffff
rule 3 deny source-mac e468-a386-0a29 ffff-ffff-ffff
#
vlan 1
#
vlan 2
description UPlink
#
vlan 4
description LAN
#
vlan 5
#
vlan 6
description Internet
#
vlan 7
description NetworkManagement
#
vlan 239
description RemoteVideoConference
#
vlan 538
#
vlan 638
#
radius scheme system
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
#
interface NULL0
#
interface LoopBack0
ip address 172.20.2.112 255.255.255.255
#
interface Vlan-interface2--------------------------------------未使用
description to_AR4640
ip address 172.19.9.42 255.255.255.248
#
interface Vlan-interface4
description to_lan
ip address 10.11.55.254 255.255.255.0
ip address 10.11.66.254 255.255.255.0 sub
#
interface Vlan-interface5--------------------------------------視頻會議
description to_localvideo conference
ip address 10.11.254.169 255.255.255.248
#
interface Vlan-interface6--------------------------------------未使用
description to_Internet
shutdown
ip address 172.19.7.150 255.255.255.252
#
interface Vlan-interface7
ip address 192.168.255.254 255.255.255.0
#
interface Vlan-interface239--------------------------------------視頻會議
description to_RemoteVideoConference
ip address 172.19.2.149 255.255.255.252
#
interface Vlan-interface538--------------------------------------主用鏈路
ip address 172.19.11.149 255.255.255.252
ospf network-type broadcast
#
interface Vlan-interface638--------------------------------------備用鏈路
ip address 172.19.12.149 255.255.255.252
ospf cost 20
ospf network-type p2p
#
interface GigabitEthernet0/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 4 7
shutdown
#
interface GigabitEthernet0/0/2
port link-mode bridge
shutdown
#
interface GigabitEthernet0/0/3
port link-mode bridge
shutdown
#
interface GigabitEthernet0/0/4
port link-mode bridge
shutdown
#
interface GigabitEthernet0/0/5
port link-mode bridge
port link-type trunk
port trunk permit vlan all
mirroring-group 1 mirroring-port both
dhcp-snooping trust
#
interface GigabitEthernet0/0/6
port link-mode bridge
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/7
port link-mode bridge
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/8
port link-mode bridge
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/9
port link-mode bridge
port access vlan 4
mirroring-group 1 monitor-port
#
interface GigabitEthernet0/0/10
port link-mode bridge
port access vlan 4
#
interface GigabitEthernet0/0/11
port link-mode bridge
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/12
port link-mode bridge
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/13
port link-mode bridge
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/14
port link-mode bridge
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/15
port link-mode bridge
shutdown
#
interface GigabitEthernet0/0/16
port link-mode bridge
shutdown
#
interface GigabitEthernet0/0/17
port link-mode bridge
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/18
port link-mode bridge
port access vlan 5
#
interface GigabitEthernet0/0/19
port link-mode bridge
description to_VideoServer
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/20
port link-mode bridge
description to_WebServer
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/21
port link-mode bridge
description to_RAID-1
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/22
port link-mode bridge
description to_RAID-2
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/23
port link-mode bridge
description to_NVR-1
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/24
port link-mode bridge
description to_NVR-2
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/25
port link-mode bridge
description to_RemoteVideoConference
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 239
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/26
port link-mode bridge
description to_VillagesAndTownsOpticalModem
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet0/0/27
port link-mode bridge
description to_FireWall_Bei
port access vlan 638
#
interface GigabitEthernet0/0/28
port link-mode bridge
description to_F100-M-G
port access vlan 538
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan all
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan all
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan all
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/4
port link-mode bridge
port link-type trunk
port trunk permit vlan all
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/5
port link-mode bridge
port link-type trunk
port trunk permit vlan all
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/6
port link-mode bridge
port link-type trunk
port trunk permit vlan all
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/7
port link-mode bridge
port link-type trunk
port trunk permit vlan all
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/8
port link-mode bridge
port access vlan 4
packet-filter 4000 inbound
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/9
port link-mode bridge
port access vlan 4
stp disable
#
interface GigabitEthernet1/0/10
port link-mode bridge
port access vlan 4
#
interface GigabitEthernet1/0/11
port link-mode bridge
#
interface GigabitEthernet1/0/12
port link-mode bridge
#
interface GigabitEthernet1/0/13
port link-mode bridge
#
interface GigabitEthernet1/0/14
port link-mode bridge
#
interface GigabitEthernet1/0/15
port link-mode bridge
#
interface GigabitEthernet1/0/16
port link-mode bridge
#
interface GigabitEthernet1/0/17
port link-mode bridge
shutdown
#
interface GigabitEthernet1/0/18
port link-mode bridge
shutdown
#
interface GigabitEthernet1/0/19
port link-mode bridge
shutdown
#
interface GigabitEthernet1/0/20
port link-mode bridge
shutdown
#
interface GigabitEthernet1/0/21
port link-mode bridge
shutdown
#
interface GigabitEthernet1/0/22
port link-mode bridge
shutdown
#
interface GigabitEthernet1/0/23
port link-mode bridge
shutdown
#
interface GigabitEthernet1/0/24
port link-mode bridge
shutdown
#
interface GigabitEthernet1/0/25
port link-mode bridge
#
interface GigabitEthernet1/0/26
port link-mode bridge
port access vlan 4
#
interface GigabitEthernet1/0/27
port link-mode bridge
port access vlan 4
#
interface GigabitEthernet1/0/28
port link-mode bridge
port access vlan 4
#
interface GigabitEthernet1/0/29
port link-mode bridge
port access vlan 4
#
interface GigabitEthernet1/0/30
port link-mode bridge
port access vlan 4
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/31
port link-mode bridge
port access vlan 4
#
interface GigabitEthernet1/0/32
port link-mode bridge
port access vlan 4
#
interface M-Ethernet0/0/0
#
ospf 1
area 0.0.0.0
network 172.19.11.148 0.0.0.3
network 172.20.2.112 0.0.0.0
network 172.19.12.148 0.0.0.3
area 0.0.0.8
network 10.11.55.0 0.0.0.255
network 10.11.66.0 0.0.0.255
#
dhcp-snooping
#
mac-address blackhole f46a-9233-ab4d vlan 4
mac-address blackhole 0030-180b-73e5 vlan 4
#
ip route-static 0.0.0.0 0.0.0.0 172.19.12.150 preference 1
ip route-static 10.11.254.0 255.255.255.128 172.19.12.150 preference 1
#
snmp-agent
snmp-agent local-engineid 800063A20374258A36DD70
snmp-agent community read cisco
snmp-agent community write quidway
snmp-agent sys-info version all
#
undo arp check enable
#
load xml-configuration
#
user-interface aux 0
user-interface vty 0 4
user privilege level 3
set authentication password cipher Z5]''P62*I^[R=`>X.&STA!!
idle-timeout 3 0
user-interface vty 5 15
故障問題:
兩臺防火墻接入后,備用鏈路不通;開啟防火墻的STP協議后,發現產生環路。
將防火墻-1和防火墻-2全部甩開后,主備用鏈路直接接三層交換機的vlan538和vlan638,兩條鏈路均正常。
保留其中任意一臺防火墻,其備用鏈路都會down掉。
請各位大神不吝賜教!!!
