一台CentOS6.10机器忽然ping不通192.168.255.1网关,能ping通192.168.255.2的DNS服务器和同网段机器,192.168.254、10.254.254.x段的机器不通,公网也可以ping通;
后反复测试发现重启网络服务以后正常,当然重启机器也正常,但是20分钟以后故障会浮现,该机器已经运行180多天,一直很正常,重启后继续检查,步骤如下:

[root@hongsin-monitor ~]# dmesg | grep eth0
e1000 0000:02:00.0: eth0: (PCI:66MHz:32-bit) 00:50:56:be:17:a9
e1000 0000:02:00.0: eth0: Intel(R) PRO/1000 Network Connection
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
eth0: no IPv6 routers present
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
ADDRCONF(NETDEV_UP): eth0: link is not ready
ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
eth0: no IPv6 routers present

有网卡报错,继续检查

[root@hongsin-monitor ~]# cat  /etc/udev/rules.d/70-persistent-net.rules
# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x8086:0x100f (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:be:17:a9", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

查看网卡配置文件

[root@hongsin-monitor ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:50:56:BE:17:A9
TYPE=Ethernet
UUID=690f4b51-36b8-405c-9d40-4f4d5bbfeaeb
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=192.168.255.209
NETMASK=255.255.255.0
GATEWAY=192.168.255.1
DNS1=192.168.255.2

将ifcfg-eth0文件中HWADDR地址修改成和70-persistent-net.rules文件中一致,为方便测试,直接重启机器,网关正常
20分钟后故障出现问题依旧;
最后定位到是vm网络里面有机器中病毒发起了arp攻击,解决如下:

获取正确的网关MAC地址后,使用网关IP到MAC的静态绑定
arp -s 192.168.255.1 00:00:5e:00:01:01
发送ARP包到网关
arping -U -I eth1 -s 192.168.255.209 192.168.255.1

恢复正常,当然最后还得找出发生ARP请求的机器进行处理。