When IPSEC VPN configuration sites cannot be registered
1. Symptom
- After patching v3.X to v4.X,
an error window appears: 'vpn_config.lua:427: attempt to perform arithmetic on field 'idx'(a nil value)'
2. Cause
- Caused by the 'idx' field in the /secui/etc/vpn.conf file, which was added in v4.0 and later
- Occurs only in HA environments; it does not occur in Stand-Alone environments
3. Remedy
- cli -g -u root -c 'conf t' -c 'vpn apply-for-update idx'
- cli -g -u root -c 'conf t' -c 'vpnv6 apply-for-update idx'
※ Caution
- Running the cli commands re-applies the VPN tunnel configuration, so service may be affected
- After patching, be sure to run the commands above before verifying service
STP (Spanning Tree Protocol) port states and behaviour on failure
(Disable, Blocking, Listening, Learning, Forwarding)
Source: https://m.blog.naver.com/PostView.naver?isHttpsRedirect=true&blogId=printf7&logNo=10174569569, 2013. 8. 17. 17:48
@ Pre-config
#SW1
enable
conf t
!
no ip domain-lookup
!
line console 0
logging sync
exec-timeout 0 0
!
line vty 0 4
password cisco
no login
!
enable secret cisco
!
interface vlan 1
no shutdown
ip address 192.168.1.1 255.255.255.0
!
hostname SW1
!
#SW1
interface fa1/0/23
shutdown
!
@ Verification
show int status
* STP port states
1) Disable [DIS]
. The port is not operating (the port is in "shutdown" state or has no cable connected)
. Receives BPDUs : X
. Learns MAC addresses : X
. Forwards data : X
ex)
SWx(config)# interface fa1/0/1
SWx(config)# shutdown
SWx(config)# end
SW1#show interface status
Port Name Status Vlan Duplex Speed Type
Fa1/0/1 disabled 1 auto auto 10/100BaseTX
Fa1/0/2 notconnect 1 auto auto 10/100BaseTX
Fa1/0/3 notconnect 1 auto auto 10/100BaseTX
2) Blocking [BLK]
. The switch has logically blocked the port to prevent a loop
. Receives BPDUs : O
. Learns MAC addresses : X
. Forwards data : X
3) Listening [LIS]
. The first stage entered when a new device is connected to a switch port, or when a blocked port is activated by a topology change [runs for 15 seconds]
=> In other words, it first checks whether or not a loop exists (STP always runs once the device is up)
=> If a loop is detected the port is blocked; if not, it proceeds to Learning
. Receives BPDUs : O
. Learns MAC addresses : X
. Forwards data : X
4) Learning [LRN]
. The stage in which MAC addresses are learned for communication [runs for 15 seconds]
. Receives BPDUs : O
. Learns MAC addresses : O
. Forwards data : X
5) Forwarding [FWD]
. The port can forward frames [reached after 30 seconds] (data is forwarded only in the Forwarding state)
. Receives BPDUs : O
. Learns MAC addresses : O
. Forwards data : O
* Behaviour when a failure occurs
- SW 2 : Root-Bridge = VLAN Priority 4096
- SW 3 : Backup Root-Bridge = VLAN Priority 16384
- SW 1 : NonRoot-Bridge = VLAN Priority 32768
# SW 2
no vlan 2-1000
!
spanning-tree vlan 1 priority 4096
!
# SW 3
no vlan 2-1000
!
spanning-tree vlan 1 priority 16384
!
## Verification
SW1#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address 0018.19bc.6d80
Cost 19
Port 26 (FastEthernet1/0/24)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0017.e05d.ec80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/20 Altn BLK 19 128.22 P2p <=== AP (Block)
Fa1/0/24 Root FWD 19 128.26 P2p <=== RP
* Behaviour when the link between the Root-bridge and the Non-Root-bridge fails
# Current state
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/20 Altn BLK 19 128.22 P2p <=== AP (Block)
Fa1/0/24 Root FWD 19 128.26 P2p <=== RP
# Sequence
0. Blocking [BLK]
------ failure occurs here -------
1. Listening [LIS : 15 sec]
2. Learning [LRN : 15 sec]
3. Forwarding [FWD : 30 sec in total]
SW1#debug spanning-tree events
Spanning Tree event debugging is on
SW1#conf t
SW1(config)#interface fa1/0/24
SW1(config-if)#shutdown // shut down FastEthernet 1/0/24 to cause the failure
*Mar 1 01:46:06.106: STP: VLAN0001 new root port Fa1/0/20, cost 38
*Mar 1 01:46:06.106: STP: VLAN0001 Fa1/0/20 -> listening
*Mar 1 01:46:06.106: STP[1]: Generating TC trap for port FastEthernet1/0/24
*Mar 1 01:46:06.122: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down // when layer 1 goes down, layer 2 goes down as well
*Mar 1 01:46:08.094: %LINK-5-CHANGED: Interface FastEthernet1/0/24, changed state to administratively down
*Mar 1 01:46:08.110: STP: VLAN0001 sent Topology Change Notice on Fa1/0/20 // a TCN is sent
*Mar 1 01:46:09.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/24, changed state to down
*Mar 1 01:46:21.113: STP: VLAN0001 Fa1/0/20 -> learning
*Mar 1 01:46:36.120: STP[1]: Generating TC trap for port FastEthernet1/0/20
*Mar 1 01:46:36.120: STP: VLAN0001 Fa1/0/20 -> forwarding
*Mar 1 01:46:36.380: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
SW1#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address 0018.19bc.6d80
Cost 38
Port 22 (FastEthernet1/0/20)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0017.e05d.ec80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/20 Root FWD 19 128.22 P2p
=> Failure recovery
SW1(config)#interface fa1/0/24
SW1(config-if)#no shutdown
*Mar 1 01:51:15.737: %SYS-5-CONFIG_I: Configured from console by console
*Mar 1 01:51:17.189: %LINK-3-UPDOWN: Interface FastEthernet1/0/24, changed state to up
*Mar 1 01:51:19.823: set portid: VLAN0001 Fa1/0/24: new port id 801A
*Mar 1 01:51:19.823: STP: VLAN0001 Fa1/0/24 -> listening
*Mar 1 01:51:20.829: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/24, changed state to up
*Mar 1 01:51:21.517: STP: VLAN0001 new root port Fa1/0/24, cost 19
*Mar 1 01:51:21.517: STP: VLAN0001 sent Topology Change Notice on Fa1/0/24
*Mar 1 01:51:21.517: STP[1]: Generating TC trap for port FastEthernet1/0/20
*Mar 1 01:51:21.517: STP: VLAN0001 Fa1/0/20 -> blocking
*Mar 1 01:51:21.526: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 01:51:34.830: STP: VLAN0001 Fa1/0/24 -> learning
*Mar 1 01:51:49.837: STP[1]: Generating TC trap for port FastEthernet1/0/24
*Mar 1 01:51:49.837: STP: VLAN0001 Fa1/0/24 -> forwarding
SW1#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address 0018.19bc.6d80
Cost 19
Port 26 (FastEthernet1/0/24)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0017.e05d.ec80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/20 Desg FWD 19 128.22 P2p
Fa1/0/24 Root FWD 19 128.26 P2p <= recovered
* Behaviour when the link between the Root-bridge and the Backup Root-bridge fails
# Sequence
0. Blocking [BLK]
--------- failure occurs here ----------
0. Blocking [BLK : 20 sec = Max-age 20 sec]
1. Listening [LIS : 15 sec]
2. Learning [LRN : 15 sec]
3. Forwarding [FWD : 50 sec in total]
*Mar 1 02:26:40.454: STP: VLAN0001 heard root 16385-001b.0c09.b600 on Fa1/0/20
*Mar 1 02:26:41.738: STP: VLAN0001 heard root 16385-001b.0c09.b600 on Fa1/0/20
*Mar 1 02:26:43.743: STP: VLAN0001 heard root 16385-001b.0c09.b600 on Fa1/0/20
*Mar 1 02:26:45.748: STP: VLAN0001 heard root 16385-001b.0c09.b600 on Fa1/0/20
*Mar 1 02:26:47.752: STP: VLAN0001 heard root 16385-001b.0c09.b600 on Fa1/0/20
*Mar 1 02:26:49.757: STP: VLAN0001 heard root 16385-001b.0c09.b600 on Fa1/0/20
*Mar 1 02:26:51.771: STP: VLAN0001 heard root 16385-001b.0c09.b600 on Fa1/0/20
*Mar 1 02:26:53.767: STP: VLAN0001 heard root 16385-001b.0c09.b600 on Fa1/0/20
*Mar 1 02:26:55.772: STP: VLAN0001 heard root 16385-001b.0c09.b600 on Fa1/0/20
*Mar 1 02:26:57.777: STP: VLAN0001 heard root 16385-001b.0c09.b600 on Fa1/0/20
*Mar 1 02:26:58.448: STP: VLAN0001 Fa1/0/20 -> listening
*Mar 1 02:26:59.505: STP: VLAN0001 Topology Change rcvd on Fa1/0/20
*Mar 1 02:26:59.505: STP: VLAN0001 sent Topology Change Notice on Fa1/0/24
*Mar 1 02:27:13.455: STP: VLAN0001 Fa1/0/20 -> learning
*Mar 1 02:27:28.462: STP[1]: Generating TC trap for port FastEthernet1/0/20
*Mar 1 02:27:28.462: STP: VLAN0001 sent Topology Change Notice on Fa1/0/24
*Mar 1 02:27:28.462: STP: VLAN0001 Fa1/0/20 -> forwarding
=> reload for the next lab exercise
=> show startup-config
(if the NVRAM still holds a saved configuration after the reload, run erase startup-config)
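The two failover sequences above (direct root-port failure: 15 + 15 = 30 s; indirect failure through the backup root: Max Age 20 s + 15 + 15 = 50 s) can be verified from the debug output itself. The following Python script is an added example, not part of the original blog post or any Cisco tool. It parses 'debug spanning-tree events' lines in the exact format quoted on this page, measures how long the recovering port spent in Listening and Learning, and flags phases that do not match the expected Forward Delay. The sample log strings are constructed from the lines quoted above, and all function names are chosen here for illustration.

```python
import re
from datetime import datetime

# Constructed sample input: the 'debug spanning-tree events' lines quoted on this page
# for the direct failure (root port Fa1/0/24 shut down, Fa1/0/20 takes over).
DIRECT_FAILURE_LOG = """\
*Mar 1 01:46:06.106: STP: VLAN0001 new root port Fa1/0/20, cost 38
*Mar 1 01:46:06.106: STP: VLAN0001 Fa1/0/20 -> listening
*Mar 1 01:46:08.110: STP: VLAN0001 sent Topology Change Notice on Fa1/0/20
*Mar 1 01:46:21.113: STP: VLAN0001 Fa1/0/20 -> learning
*Mar 1 01:46:36.120: STP: VLAN0001 Fa1/0/20 -> forwarding
"""

# Constructed sample input: the indirect failure (root to backup-root link), where SW1
# keeps hearing the backup root's inferior BPDUs on Fa1/0/20 until Max Age expires.
INDIRECT_FAILURE_LOG = """\
*Mar 1 02:26:40.454: STP: VLAN0001 heard root 16385-001b.0c09.b600 on Fa1/0/20
*Mar 1 02:26:57.777: STP: VLAN0001 heard root 16385-001b.0c09.b600 on Fa1/0/20
*Mar 1 02:26:58.448: STP: VLAN0001 Fa1/0/20 -> listening
*Mar 1 02:27:13.455: STP: VLAN0001 Fa1/0/20 -> learning
*Mar 1 02:27:28.462: STP: VLAN0001 Fa1/0/20 -> forwarding
"""

# IOS-style timestamp prefix followed by the STP debug tag and the VLAN name.
TS = r"\*(\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\.\d{3}): STP: (VLAN\d+) "
TRANSITION_RE = re.compile(TS + r"(\S+) -> (\w+)")
HEARD_ROOT_RE = re.compile(TS + r"heard root \S+ on (\S+)")


def _ts(text):
    # IOS timestamps carry no year; strptime defaults to 1900, which is fine for differences.
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def parse_transitions(log):
    """Return [(time, vlan, port, state)] for every 'port -> state' line, in log order."""
    out = []
    for line in log.splitlines():
        m = TRANSITION_RE.match(line)
        if m:
            ts, vlan, port, state = m.groups()
            out.append((_ts(ts), vlan, port, state))
    return out


def state_durations(transitions):
    """Seconds each (vlan, port) spent in a state before its next transition."""
    by_port = {}
    for t, vlan, port, state in transitions:
        by_port.setdefault((vlan, port), []).append((t, state))
    durations = {}
    for key, events in by_port.items():
        events.sort()
        durations[key] = {
            state: round((nxt_t - t).total_seconds(), 3)
            for (t, state), (nxt_t, _) in zip(events, events[1:])
        }
    return durations


def convergence_seconds(transitions, vlan, port):
    """Time from entering Listening to entering Forwarding for one port (2 x Forward Delay)."""
    times = {state: t for t, v, p, state in transitions if (v, p) == (vlan, port)}
    return round((times["forwarding"] - times["listening"]).total_seconds(), 3)


def max_age_wait_seconds(log, vlan, port):
    """Seconds from the first inferior-root BPDU heard on the port to its Listening transition.

    Max Age (20 s) counts from the last BPDU received from the old root, which is at most one
    Hello Time (2 s) before the first 'heard root' line, so this reads about 18-20 s on a
    default 802.1D switch. Returns None when the port never hears an inferior root (direct failure).
    """
    first_heard = None
    for line in log.splitlines():
        m = HEARD_ROOT_RE.match(line)
        if m and (m.group(2), m.group(3)) == (vlan, port):
            first_heard = _ts(m.group(1))
            break
    if first_heard is None:
        return None
    for t, v, p, state in parse_transitions(log):
        if (v, p, state) == (vlan, port, "listening"):
            return round((t - first_heard).total_seconds(), 3)
    return None


def check_forward_delay(durations, forward_delay=15.0, tolerance=1.0):
    """Flag Listening/Learning phases whose length deviates from Forward Delay by more than tolerance.

    A mismatch means the port is not using the default 802.1D Forward Delay (PortFast, RSTP,
    or non-default timers advertised by the root) and is worth a look during troubleshooting.
    """
    anomalies = []
    for (vlan, port), phases in durations.items():
        for state in ("listening", "learning"):
            secs = phases.get(state)
            if secs is not None and abs(secs - forward_delay) > tolerance:
                anomalies.append((vlan, port, state, secs))
    return anomalies


if __name__ == "__main__":
    for name, log in (("direct", DIRECT_FAILURE_LOG), ("indirect", INDIRECT_FAILURE_LOG)):
        tr = parse_transitions(log)
        print(name, state_durations(tr),
              "converge:", convergence_seconds(tr, "VLAN0001", "Fa1/0/20"),
              "max-age wait:", max_age_wait_seconds(log, "VLAN0001", "Fa1/0/20"))
```

Both logs give 15.007 s in Listening and 15.007 s in Learning (30.014 s from Listening to Forwarding); only the indirect case shows the additional wait before Listening, since the switch has to age out the old root's information first.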