How does my new Cisco switch find the default gateway?

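Do new Cisco devices have some new feature that I don't know about? To manage my switches, I usually have to assign a VLAN 1 interface and add a default route (or ip default-gateway) to reach other subnets.

I plugged in this switch and simply gave it a VLAN 1 IP address (10.0.0.50 255.255.255.0), and I could magically reach things outside the subnet.

This is a cheap 2960:

Edit, here is the config: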

switch1#sh run
Building configuration...

Current configuration : 6835 bytes
!
! Last configuration change at 18:00:35 EST Wed Aug 21 2013 by user
! NVRAM config last updated at 18:01:23 EST Wed Aug 21 2013 by user
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname switch1
!
boot-start-marker
boot-end-marker
!
logging buffered 65536
enable secret 5 OMIT
!
username OMIT privilege 15 secret 5 OMIT
!
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
aaa accounting commands 15 default stop-only group tacacs+
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
switch 1 provision ws-c2960s-48ts-l
!
!
no ip domain-lookup
ip domain-name nope.com.net.org
vtp mode off
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 61440
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet1/0/1
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/3
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/4
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/5
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/6
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/7
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/8
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/9
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/10
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/11
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/12
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/13
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/14
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/15
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/16
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/17
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/18
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/19
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/20
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/21
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/22
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/23
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/24
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/25
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/26
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/27
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/28
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/29
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/30
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/31
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/32
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/33
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/34
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/35
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/36
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/37
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/38
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/39
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/40
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/41
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/42
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/43
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/44
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/45
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/46
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/47
 switchport mode access
 shutdown
 no cdp enable
!
interface GigabitEthernet1/0/48
 description trunk to switch2-Gi1/0/48
 switchport mode trunk
!
interface GigabitEthernet1/0/49
 shutdown
!
interface GigabitEthernet1/0/50
 shutdown
!
interface GigabitEthernet1/0/51
 shutdown
!
interface GigabitEthernet1/0/52
 description trunk to switch3-1/45
 switchport mode trunk
!
interface Vlan1
 ip address 10.191.2.61 255.255.255.0
!
no ip http server
no ip http secure-server
logging source-interface Vlan1
logging 10.191.4.65
snmp-server community NOPE RO 3
snmp-server community NOPE RO 23
snmp-server trap-source Vlan1
snmp-server contact NOPE
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps envmon fan shutdown supply temperature status
snmp ifmib ifindex persist
tacacs-server host 10.191.5.102
tacacs-server directed-request
tacacs-server key 7 NOPE
!
line con 0
 session-timeout 120
 privilege level 15
 password 7 NOPE
 logging synchronous
 transport output none
 stopbits 1
line vty 0 4
 session-timeout 120
 privilege level 15
 password 7 NOPE
 logging synchronous
 transport input ssh
line vty 5 15
 session-timeout 120
 privilege level 15
 password 7 NOPE
 logging synchronous
 transport input ssh
!
ntp clock-period 22518669
ntp source Vlan1
ntp server 10.191.4.39
end

Off-subnet ping example:

           ping 10.191.4.39

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.191.4.39, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/6 ms

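Answer 1

A router attached to one of the switch's active interfaces is probably performing proxy ARP. Because it lacks any routing configuration, your switch is broadcasting an ARP request for 10.191.4.39. That address is not on the local segment, but your router knows how to reach it. A router running proxy ARP replies to the switch, saying: "I can reach that address for you; send packets for that address to me." You can confirm this by checking the configuration on the router.

Answer 2

tl;dr: Cisco switches send ARP requests for hosts in other subnets, and Cisco routers have proxy ARP enabled by default.

I know I'm late to the party, but I recently stumbled across this problem, did some research, and found this question along the way. The first answer is actually correct. Unfortunately, I don't have enough reputation to add a comment, so I have to add my own answer.

I used a Cisco WS-C2960G-8TC-L switch running IOS 12.2(35r)SE2 and a Cisco 1812W router running IOS 12.4(15)T6 to reproduce and investigate the issue.

The relevant part of the router configuration is (the rest of the configuration is default):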

interface FastEthernet0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 10.1.2.2 255.255.255.0
 duplex auto
 speed auto

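Fa0 is connected to the switch and Fa1 is connected to a computer. Both devices are configured with other IP addresses in their respective subnets. The computer has a routing table entry for the Fa0 network via the router (10.1.1.0/24 via 10.1.2.2 dev eth1). The relevant part of the switch configuration is: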

interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 no ip route-cache

The rest of the configuration is default, i.e. all ports are in VLAN 1 and there is no default gateway. Also:

Switch#sh ip default-gateway
0.0.0.0

Now I try to ping the computer from the switch:

Switch#ping 10.1.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Switch#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.2.1               25   0021.d8c8.6b36  ARPA   Vlan1
Internet  10.1.1.2               33   0021.d8c8.6b36  ARPA   Vlan1
Internet  10.1.1.1                -   0022.0cea.1540  ARPA   Vlan1

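Using Wireshark, I confirmed that the switch is indeed sending ARP requests for the computer's IP address, even though it is in another subnet. It then gets an ARP reply for that IP address from the router, and so sends all packets destined for the computer's IP address to the router, which then forwards them.

This is because Cisco routers have proxy ARP enabled by default:

The Cisco interface must be configured to accept and respond to proxy ARP. This is enabled by default.

http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/13718-5.html

Also: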

Router#sh ip int fa0
FastEthernet0 is up, line protocol is up
  Internet address is 10.1.1.2/24
  [...]
  Proxy ARP is enabled
  [...]
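
A way to spot the behaviour described in this answer from the switch side, as an added example that is not part of the original post: it parses the `sh ip arp` output shown above and reports any MAC address that answered ARP for an address outside the interface's subnet, which is the signature of proxy ARP. The function names and the interface-to-subnet map are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# ARP table copied from the `sh ip arp` output in the answer above.
SH_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.2.1               25   0021.d8c8.6b36  ARPA   Vlan1
Internet  10.1.1.2               33   0021.d8c8.6b36  ARPA   Vlan1
Internet  10.1.1.1                -   0022.0cea.1540  ARPA   Vlan1
"""

# Subnet of interface Vlan1, from the switch configuration in the answer.
INTERFACE_NETS = {"Vlan1": ipaddress.ip_interface("10.1.1.1/255.255.255.0").network}

ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<ifname>\S+)\s*$",
    re.IGNORECASE,
)

def parse_arp(text):
    """Return (ip, mac, interface, own) tuples parsed from `sh ip arp` text."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, blank line, or an "Incomplete" entry
        own = m["age"] == "-"  # age "-" marks the switch's own interface address
        entries.append((ipaddress.ip_address(m["ip"]), m["mac"].lower(), m["ifname"], own))
    return entries

def find_proxy_arp(entries, interface_nets):
    """Map each MAC that answered for an off-subnet IP to the addresses it claimed."""
    findings = defaultdict(lambda: {"off_subnet": [], "on_subnet": []})
    for ip, mac, ifname, own in entries:
        net = interface_nets.get(ifname)
        if net is None or own:
            continue  # unknown interface, or the switch's own address
        key = "on_subnet" if ip in net else "off_subnet"
        findings[(ifname, mac)][key].append(str(ip))
    return {k: v for k, v in findings.items() if v["off_subnet"]}

if __name__ == "__main__":
    hits = find_proxy_arp(parse_arp(SH_IP_ARP), INTERFACE_NETS)
    for (ifname, mac), hit in hits.items():
        print(f"{ifname}: {mac} answers ARP for off-subnet {hit['off_subnet']}; "
              f"its on-subnet address(es): {hit['on_subnet']}")
```

On the table from the answer, this reports the router's MAC 0021.d8c8.6b36 as answering for 10.1.2.1 in addition to its real address 10.1.1.2.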
