Physical Network Topology
Fault Description
As shown in the picture, the server has require to access the Internet, the server connects to the access layer SwitchB, and then access the core layer SwitchC. In order to ensure the security of company data and network, users want to ensure the security of all traffic of Internet to server. So SwitchA is hung near the SwitchA to filter the traffic safely.
After configuring the traffic policy, we find that the traffic is not sent to SwitchC.
Configuration Files
l SwitchA
!Software Version V100R005C10SPC200
#
bgp 10088
peer 102.1.1.1 as-number 10086
#
ipv4-family unicast
import-route direct
peer 102.1.1.1 enable
#
ospf 100
import-route direct
import-route static
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 102.1.1.0 0.0.0.255
#
l SwitchB
[~R4U13-CE12800-SWITCH-B]dis cu
#
traffic classifier test type or
if-match ipv6 acl 3000
#
ospfv3 100
area 0.0.0.0
#
interface 10GE3/0/2
undo portswitch
mtu 1300
ipv6 enable
ip address 107.1.1.2 255.255.255.0
ipv6 address 100::2/64
ospfv3 100 area 0.0.0.0
jumboframe enable 1536
device transceiver 1000BASE-X
#
interface Tunnel1
ipv6 enable
ip address 13.13.13.14 255.255.255.0
ipv6 address 100:100::100/64
tunnel-protocol gre
source 107.1.1.2
destination 107.1.1.1
ospfv3 100 area 0.0.0.0
#
ospf 100
import-route direct
import-route static
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 13.13.13.0 0.0.0.255
network 107.1.1.0 0.0.0.255
#
l SwitchC
!Software Version V100R005C10SPC200
#
traffic classifier test type or
if-match ipv6 acl 3000
#
traffic behavior test
redirect interface 10GE3/0/9
#
traffic policy test
classifier test behavior test precedence 5
#
aaa
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
domain default_admin
#
ospfv3 100
area 0.0.0.0
#
interface Tunnel1
ipv6 enable
ip address 13.13.13.14 255.255.255.0
ipv6 address 100:100::100/64
tunnel-protocol gre
source 107.1.1.2
destination 107.1.1.1
ospfv3 100 area 0.0.0.0
#
bgp 10089
peer 107.1.1.1 as-number 10086
#
ipv4-family unicast
import-route direct
peer 107.1.1.1 enable
#
ospf 100
import-route direct
import-route static
area 0.0.0.0
network 5.5.5.5 0.0.0.0
network 13.13.13.0 0.0.0.255
network 107.1.1.0 0.0.0.255
#
l Server
!Software Version V100R005C10SPC200
#
ip route-static 0.0.0.0 0.0.0.0 100.100.1.101
#
ipv6 route-static :: 0 1000:1000::1000
#
Troubleshooting Procedure
Step 1 Check the traffic classifier/behavior/policy on switch by the command “display traffic classifier", “display traffic behavior" & “display traffic policy”:
[~R4U13-CE12800-SWITCH-B]display
traffic classifier
Traffic Classifier Information:
Classifier: test
Type: OR
Rule(s):
if-match ipv6 acl 3000
Total classifier number is 1
[~R4U13-CE12800-SWITCH-B]display
traffic behavior
Traffic Behavior Information:
Behavior: test
Redirect:
Redirect interface 10GE3/0/9
Total behavior number is 1
[~R4U13-CE12800-SWITCH-B]display traffic
policy
Traffic Policy Information:
Policy: test
Classifier: test
Type: OR
Behavior: test
Redirect:
Redirect interface
10GE3/0/9
Step 2 Check whether it is existed in the chip forwarding engine by the command “display system tcam service brief slot 3”, we do not find this ACL rules in the chip, so it is failed and cause this problem.
Step 3 Run the display traffic-policy applied-record command to find the failure reason of ACL rules.
Run the display system tcam fail-recordcommand to check why traffic policy is failed.
To make sure of the root cause, run the command to check the alarm information.
----End
NOTE
t is optimized only to reduce the ACL rules on switch, but it is not resolved when there are so many business on switch.
Solution:
1. If the problem occurs in the V1R5C00 version or before the V1R5C00 version, it is Optimized V2R1C00 version, we advise to upgrade the version to V2R1C00 or the last version and resolve it.
2. We will redesign the ACL rules on switch, it is recommended to delete its ACL rules for the unimportant or unused ACL rules, such as various types of traffic statistics, VLAN traffic statistics, VLAN interface traffic statistics and tunnel traffic statistics.
Root Cause
On SwitchA, The traffic policy is configured, and it relies on the ACL to complete the redirection operation matching the characteristics of the packets, and then redirecting the packets to the corresponding outbound port. For this problem, caused by insufficient ACL resources, the traffic flow is not effective and the packets mismatch the rules