
Blog


    11/21/2008

    A small discovery about how nslookup resolves domain names

     ========phanx.com=========
    Author:  phanx
    Updated: 2008-11-21
    =========================
     
    C:\Documents and Settings\Administrator>nslookup bbs.scu.edu.cn
    Server:  68.128.128.61.cq.cq.cta.net.cn
    Address:  61.128.128.68
    Non-authoritative answer:
    Name:    bbs.scu.edu.cn.huawei.com1
    Address:  219.153.42.248

    C:\Documents and Settings\Administrator>ping bbs.scu.edu.cn
    Pinging bbs.scu.edu.cn [125.69.85.16] with 32 bytes of data:
    Reply from 125.69.85.16: bytes=32 time=8ms TTL=54
    Reply from 125.69.85.16: bytes=32 time=8ms TTL=54
    Reply from 125.69.85.16: bytes=32 time=8ms TTL=54
    Reply from 125.69.85.16: bytes=32 time=8ms TTL=54
    Ping statistics for 125.69.85.16:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 8ms, Maximum = 8ms, Average = 8ms
    C:\Documents and Settings\Administrator>
     
    Why does nslookup tack an extra huawei.com1 suffix onto the name when resolving?
    It turns out that nslookup automatically appends the configured domain to the name you type.
    Inside nslookup, check the current settings with set all:
    > set all
    Default Server:  68.128.128.61.cq.cq.cta.net.cn
    Address:  61.128.128.68
    Set options:
      nodebug
      defname
      search
      recurse
      nod2
      novc
      noignoretc
      port=53
      type=A
      class=IN
      timeout=2
      retry=1
      root=A.ROOT-SERVERS.NET.
      domain=huawei.com1
      MSxfr
      IXFRversion=1
      srchlist=huawei.com1
    >
    So huawei.com1 really is being appended (domain=huawei.com1, srchlist=huawei.com1). Because the server returned an answer for the suffixed name bbs.scu.edu.cn.huawei.com1, nslookup never went on to try the name as typed.
    Change the setting with set nosearch,
    and resolving the name again gives the correct result:
     
    > bbs.scu.edu.cn
    Server:  68.128.128.61.cq.cq.cta.net.cn
    Address:  61.128.128.68
    Non-authoritative answer:
    Name:    bbs.scu.edu.cn
    Address:  125.69.85.16
    >
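The following is an added example, not code from the original post: a small Python model of the suffixing behaviour described above. The rules follow the documented meaning of the Windows nslookup options search (append each search-list suffix to a name that contains a dot) and defname (append the default domain to a single-label name); a name with a trailing dot is treated as absolute. The resolver is a constructed in-memory stub, and the wildcard record under huawei.com1 is an assumption used to reproduce the answer seen in the session, not something the post confirms.

```python
"""Model of how nslookup builds candidate names from the search list.

Added example (not from the original post). Zone data below is constructed:
the real bbs.scu.edu.cn record, plus an ASSUMED wildcard under the bogus
search suffix that answers any name ending in huawei.com1.
"""

ZONE = {
    "bbs.scu.edu.cn.": "125.69.85.16",
    "*.huawei.com1.": "219.153.42.248",   # assumption, see lead-in
}


def candidate_names(name, domain, srchlist, search=True, defname=True):
    """Return the fully qualified names nslookup would try, in order.

    - A trailing dot marks the name as absolute: it is queried as-is.
    - A name containing a dot gets every search-list suffix appended first
      when 'search' is on (this is what produced bbs.scu.edu.cn.huawei.com1).
    - A single-label name gets the default domain appended when 'defname' is on.
    - The name exactly as typed is always tried last.
    """
    if name.endswith("."):
        return [name]
    candidates = []
    if "." in name:
        if search:
            candidates += [f"{name}.{suffix}." for suffix in srchlist]
    elif defname:
        candidates.append(f"{name}.{domain}.")
    candidates.append(name + ".")
    return candidates


def lookup(fqdn, zone=ZONE):
    """Stub resolver: exact match first, then a wildcard for any parent zone."""
    if fqdn in zone:
        return zone[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels) - 1):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None


def resolve(name, domain, srchlist, search=True, defname=True):
    """Try each candidate in order and stop at the first one that answers,
    exactly as the nslookup session in the post did. Returns (fqdn, address)."""
    for fqdn in candidate_names(name, domain, srchlist, search, defname):
        addr = lookup(fqdn)
        if addr is not None:
            return fqdn, addr
    return None, None


if __name__ == "__main__":
    args = ("bbs.scu.edu.cn", "huawei.com1", ["huawei.com1"])
    print("search on :", resolve(*args))                 # wrong, suffixed answer
    print("nosearch  :", resolve(*args, search=False))   # correct answer
    print("trailing .:", resolve("bbs.scu.edu.cn.", *args[1:]))
```

The last call shows the other way to stop the suffixing: typing the name with a trailing dot (bbs.scu.edu.cn.) makes it absolute, so no suffix is tried even with search left on. The practical check is the same either way: if a resolver or host has an unexpected domain or srchlist value, every lookup for a multi-label name may be answered by whoever controls that suffix domain before the real name is ever queried.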
     
    11/13/2008

    A small problem when combining SPA-IPSEC-2G and SPA-5xGE-V2 on the 7600

    ========phanx.com=========
    Author:  phanx
    Updated: 2008-11-13
                 2009-03-08
    =========================
     
    A customer needed to use an SPA-IPSEC-2G in a 7600 to build IPsec site-to-site VPNs to a large number of remote nodes. Because sub-interfaces on the 7600 supervisor's Ethernet ports do not support CBWFQ when used together with the IPsec SPA,
    an SPA-5xGE-V2 was added as well.

    The SPA-5xGE-V2 is an odd card: in a 6500 chassis it has to be installed in a 7600-SIP-600, while in a 7600 it must go in a 7600-SIP-400. The SPA-IPSEC-2G, of course, can only be installed in a 7600-SSC-400.
    A rather complicated arrangement.

    The SPA-IPSEC-2G uses the VLAN Connect model: the IPsec acceleration module is inserted into what used to be a traditional directly connected link. Previously a sub-interface on an Ethernet port connected to the peer. Now the address from that Ethernet sub-interface is moved to an inside interface VLAN, an outside VLAN or a sub-interface connects to the peer, and finally the inside VLAN and the outside VLAN/sub-interface are bridged together with crypto connect.

    Before: sub-interface ------> peer,  or  interface vlan & switchport trunk -------> peer

    interface Vlan2
     ip address 1.1.1.1 255.255.255.252
    interface G1/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
    or
    interface G4/0/0.2
     encapsulation dot1q 2
     ip address 1.1.1.1 255.255.255.252
     

    Now: interface Vlan.inside ---[connect engine]--- [SPA-IPSEC-2G] --- [connect vlan.inside] -- outside vlan on switchport trunk ------> peer

    or: interface Vlan.inside ---[connect engine]--- [SPA-IPSEC-2G] --- [connect vlan.inside] -- sub-interface.outside ------> peer

    interface Vlan102
     ip address 1.1.1.1 255.255.255.252
     crypto engine slot 2/0
    interface Vlan2
     crypto connect vlan 102
    interface G1/1
     switchport trunk encapsulation dot1q
     switchport mode trunk

    or
    interface Vlan102
     ip address 1.1.1.1 255.255.255.252
     crypto engine slot 2/0
    interface G4/0/0.2
     encapsulation dot1q 2
     crypto connect vlan 102

    That covers the configuration. The guide describes it clearly, but then I ran into a bug..

    CSCsg49757 Bug Details
    Combining Gig-Sub-intf & crypto connect & vlan with crypto engine

    Symptom:

    Unable to get the VPN configuration working with a GigabitEthernet SPA module. In addition, clear text connectivity outside the 7600/6500 does not work

    Conditions:

    This problem only occurs if sub-interfaces are used on the GigabitEthernet SPA module

    Workaround:

    Configure 'cdp enable' on the sub-interface

    What does this mean? Simply put, when the outside side is built with sub-interfaces you cannot ping the peer, and IPsec does not work either.... The fix is to add an extra cdp enable under the sub-interface.... // speechless...

    It seems the GE SPA does not enable CDP by default. I checked the Bug Toolkit and found that no release has fixed this bug yet (as of 12.2(33)SRC1), so the workaround will have to do.

    Then I hit another problem that may or may not be a bug. Because there are many remote nodes there are many sub-interfaces, and when someone pasted the configuration in they accidentally pasted the configuration of a few sub-interfaces twice.

    After pasting, the duplicated crypto connect lines produced the message "xxxx already connect to vlan xxx", and the OSPF neighbors on those duplicated sub-interfaces would not come up. Ping to the peer worked, but OSPF could not form an adjacency. Debug showed OSPF Hellos leaving the local side, yet debug on the peer never saw them arrive. As a last resort I removed the crypto connect statement under the sub-interface with no and re-added it, and that fixed it.

    Redoing the crypto connect statement the same way on the other sub-interfaces that had been pasted twice brought all the OSPF neighbors back to normal.
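The two problems above are both things a configuration check can catch before the config is pasted into the box. The following is an added example, not code from the original post or from Cisco: it parses IOS-style interface blocks like the ones shown above and flags (a) a sub-interface carrying crypto connect vlan without cdp enable, which is the CSCsg49757 workaround, (b) a VLAN that is crypto connected from more than one interface, which is the duplicate-paste case, and (c) a crypto connect that points at a VLAN with no crypto engine slot. The sample configuration is constructed for the example.

```python
"""Sanity checks for a 7600 'crypto connect vlan' configuration.

Added example, not from the original post. SAMPLE_CONFIG is constructed:
Vlan102/Vlan103 are inside VLANs on the IPsec SPA, .2 is correct, .3 lacks
the cdp enable workaround, and .4 re-connects vlan 102 (a duplicate paste).
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface Vlan102
 ip address 1.1.1.1 255.255.255.252
 crypto engine slot 2/0
interface Vlan103
 ip address 1.1.2.1 255.255.255.252
 crypto engine slot 2/0
interface GigabitEthernet4/0/0.2
 encapsulation dot1q 2
 crypto connect vlan 102
 cdp enable
interface GigabitEthernet4/0/0.3
 encapsulation dot1q 3
 crypto connect vlan 103
interface GigabitEthernet4/0/0.4
 encapsulation dot1q 4
 crypto connect vlan 102
"""

CONNECT = re.compile(r"^crypto connect vlan (\d+)$")


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def check_crypto_connect(config):
    """Return a sorted list of (interface, problem) findings."""
    interfaces = parse_interfaces(config)
    findings = []
    connected_by = defaultdict(list)   # vlan id -> interfaces that connect it

    # Inside VLANs are the SVIs that carry 'crypto engine slot'.
    engine_vlans = {
        name[4:] for name, lines in interfaces.items()
        if name.lower().startswith("vlan")
        and any(l.startswith("crypto engine slot") for l in lines)
    }

    for name, lines in interfaces.items():
        for line in lines:
            m = CONNECT.match(line)
            if not m:
                continue
            vlan = m.group(1)
            connected_by[vlan].append(name)
            if vlan not in engine_vlans:
                findings.append((name, f"vlan {vlan} has no 'crypto engine slot'"))
            # A sub-interface is written as port.subif; it needs the workaround.
            if "." in name and "cdp enable" not in lines:
                findings.append((name, "crypto connect on sub-interface without "
                                       "'cdp enable' (CSCsg49757 workaround)"))

    for vlan, names in connected_by.items():
        if len(names) > 1:
            for name in names:
                findings.append((name, f"vlan {vlan} connected from more than one "
                                       f"interface: {', '.join(names)}"))
    return sorted(findings)


if __name__ == "__main__":
    for intf, problem in check_crypto_connect(SAMPLE_CONFIG):
        print(f"{intf}: {problem}")
```

Run against the sample it reports the missing cdp enable on .3 and .4 and the double connection of vlan 102 from .2 and .4; the same check applied to a config before pasting would have avoided the "already connect to vlan" message and the OSPF adjacency failure that followed.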

    It seems the SIP/SPA really does have quite a few bugs....!


    One more SPA-IPSEC-2G bug, mentioned in the Catalyst 6500 Series Switches Release Notes for Cisco IOS Release 12.2(33)SXH and Later Releases: Note SPA-IPSEC-2G does not support TACACS+ authentication for IPsec. (CSCee33200)

    In other words, when using the SPA-IPSEC-2G for Remote Access VPN you cannot use TACACS+ for XAuth. A colleague of mine was lucky enough to run into this bug.

     

    2950/2960 Port Manager Internal Software Error

    ========phanx.com=========
    Author:  phanx
    Updated: 2008-11-13
    =========================
     
    A 2950 was logging a large number of Port Manager Internal Software Error messages. The log looked like this:
    CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid
    < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 564: pm_vlan_get_vlan_data)
     -Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
    *Mar  1 08:06:02.052 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)
    -Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
    *Mar  1 08:06:04.048 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)
    -Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
    *Mar  1 08:06:04.048 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)
    -Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
    *Mar  1 08:06:06.053 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)
    -Traceback= 5B7438 60A1E0 617A48 B36EB8 B3A5BC AE7380 AE840C BDD138 BD470C
    *Mar  1 08:06:06.053 CST: %PM-3-INTERNALERROR: Port Manager Internal Software Error (vlanid >=0 && vlanid < PM_MAX_VLANS: ../switch/pm/pm_vlan.c: 609: pm_vlan_get_vlan_data)
     
    At first I assumed it was a software bug, so I upgraded to the latest 12.1(22)EA12, but the fault persisted.
    Later I swapped the switch for a 2960, and it reported the same error.
     
    Check STP:
     
    2960#sh spanning-tree
     
    VLAN0001
      Spanning tree enabled protocol rstp
      Root ID    Priority    49152
                 Address     00b0.8e21.9400
                 Cost        3004
                 Port        49 (GigabitEthernet0/1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
     
      Bridge ID  Priority    49153  (priority 49152 sys-id-ext 1)
                 Address     0021.1c7a.8380
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300
      UplinkFast enabled but inactive in rapid-pvst mode
     
    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------------------------------
    Fa0/23           Desg FWD 3019      128.23   P2p
    Fa0/47           Desg BKN*3019      128.47   P2p *PVID_Inc
    Fa0/48           Desg BKN*3019      128.48   P2p *PVID_Inc
    Gi0/1            Root FWD 3004      128.49   P2p Peer(STP)
     
     
    Fa0/47 and Fa0/48 connect to ports Fa0/0/0 and Fa0/0/1 of an HWIC-4ESW module in the same 2811.
     
    I checked the configuration on the 2811 and found that the customer had disabled STP on vlan 99. Asked why, they said that running spanning tree on vlan99 of the 2811 caused problems when connecting to other H3C devices, so they had turned it off.
     
    Testing showed that enabling spanning tree for vlan99 on the 2811 makes the errors on the 2950 stop, so restoring spanning tree on the 2811 would solve this problem, but it would bring the H3C problem back.
     
     
    Since *PVID_Inc means the two ends of the STP link disagree about the port VLAN, which causes VLAN 1 on the port to be blocked,
    and since the customer does not use vlan 1, I removed vlan 1 from the trunks on Fa0/47 and Fa0/48 of the 2950, after which the device stopped reporting errors.
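The show spanning-tree table is where this condition is visible long before the %PM-3-INTERNALERROR messages start, so it is worth checking mechanically. The following is an added example, not code from the original post: a parser for the interface table of show spanning-tree that returns every port in BKN state together with its inconsistency flag (such as *PVID_Inc). The sample text is constructed from the output shown in the post.

```python
"""Flag spanning-tree ports that are broken by an inconsistency.

Added example, not from the original post. SHOW_SPANNING_TREE is constructed
from the 'show spanning-tree' output in the post.
"""
import re

SHOW_SPANNING_TREE = """\
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    49152
             Address     00b0.8e21.9400

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/23           Desg FWD 3019      128.23   P2p
Fa0/47           Desg BKN*3019      128.47   P2p *PVID_Inc
Fa0/48           Desg BKN*3019      128.48   P2p *PVID_Inc
Gi0/1            Root FWD 3004      128.49   P2p Peer(STP)
"""

# One table row: interface, role, 3-letter status (IOS glues a '*' between
# BKN and the cost), cost, priority.number, and the rest is the Type column.
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<role>\S+)\s+(?P<sts>[A-Z]{3})\*?\s*(?P<cost>\d+)\s+"
    r"(?P<prio>\d+\.\d+)\s+(?P<type>.*)$"
)


def parse_stp_ports(text):
    """Return one dict per interface row, tagged with its VLAN instance."""
    ports, vlan = [], None
    for line in text.splitlines():
        if re.match(r"^VLAN\d+", line):
            vlan = line.strip()
            continue
        m = ROW.match(line)
        if m and vlan is not None:
            row = m.groupdict()
            row["vlan"] = vlan
            # Inconsistency flags are the '*Something' tokens in the Type column.
            row["flags"] = re.findall(r"\*(\w+)", row["type"])
            ports.append(row)
    return ports


def broken_ports(text):
    """Return (vlan, interface, flags) for every port whose status is BKN."""
    return [
        (p["vlan"], p["intf"], tuple(p["flags"]))
        for p in parse_stp_ports(text)
        if p["sts"] == "BKN"
    ]


if __name__ == "__main__":
    for vlan, intf, flags in broken_ports(SHOW_SPANNING_TREE):
        print(f"{vlan} {intf} blocked: {' '.join(flags) or 'no flag'}")
```

On the sample this reports Fa0/47 and Fa0/48 with PVID_Inc in VLAN0001, which is exactly the pair of ports facing the 2811; a periodic run of the same parse over a fleet of access switches turns a silent blocked port into an alert.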
     
    One more thing: I found that the ports on the HWIC-4ESW module cannot be put into a port channel....... 囧rz