[Troubleshooting Series] Case 31 MQC Configuration is invalid



Physical Network Topology

(image: 140121d4kalsa2wwly0awj.png)

Fault Description

As shown in the topology, the server needs to access the Internet. It connects to the access-layer switch SwitchB, which uplinks to the core-layer switch SwitchC. To protect company data and the network, the user wants all traffic between the Internet and the server to be inspected, so SwitchA is attached as a side-hung filtering device and the traffic is redirected to it by a traffic policy.

After the traffic policy is configured, we find that the traffic is not being sent to SwitchC.

Configuration Files

• SwitchA

!Software Version V100R005C10SPC200
#
bgp 10088
 peer 102.1.1.1 as-number 10086
 #
 ipv4-family unicast
  import-route direct  
  peer 102.1.1.1 enable
#
ospf 100
 import-route direct
 import-route static
 area 0.0.0.0   
  network 5.5.5.5 0.0.0.0
  network 102.1.1.0 0.0.0.255

• SwitchB

[~R4U13-CE12800-SWITCH-B]dis cu 

#
traffic classifier test type or
 if-match ipv6 acl 3000
#
ospfv3 100
 area 0.0.0.0
#
interface 10GE3/0/2
 undo portswitch
 mtu 1300
 ipv6 enable
 ip address 107.1.1.2 255.255.255.0
 ipv6 address 100::2/64
 ospfv3 100 area 0.0.0.0
 jumboframe enable 1536
 device transceiver 1000BASE-X
#
interface Tunnel1
 ipv6 enable
 ip address 13.13.13.14 255.255.255.0
 ipv6 address 100:100::100/64
 tunnel-protocol gre
 source 107.1.1.2
 destination 107.1.1.1
 ospfv3 100 area 0.0.0.0
#
ospf 100
 import-route direct
 import-route static
 area 0.0.0.0
  network 5.5.5.5 0.0.0.0
  network 13.13.13.0 0.0.0.255
  network 107.1.1.0 0.0.0.255

• SwitchC

!Software Version V100R005C10SPC200 

#
traffic classifier test type or
 if-match ipv6 acl 3000
#
traffic behavior test
 redirect interface 10GE3/0/9
#
traffic policy test
 classifier test behavior test precedence 5
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
 domain default_admin
#
ospfv3 100
 area 0.0.0.0
#
interface Tunnel1
 ipv6 enable
 ip address 13.13.13.14 255.255.255.0
 ipv6 address 100:100::100/64
 tunnel-protocol gre
 source 107.1.1.2
 destination 107.1.1.1
 ospfv3 100 area 0.0.0.0
#
bgp 10089
 peer 107.1.1.1 as-number 10086
 #
 ipv4-family unicast
  import-route direct  
  peer 107.1.1.1 enable
#
ospf 100
 import-route direct
 import-route static
 area 0.0.0.0
  network 5.5.5.5 0.0.0.0
  network 13.13.13.0 0.0.0.255
  network 107.1.1.0 0.0.0.255

• Server

!Software Version V100R005C10SPC200
#
ip route-static 0.0.0.0 0.0.0.0 100.100.1.101
#
ipv6 route-static :: 0 1000:1000::1000

Troubleshooting Procedure

Step 1    Check the traffic classifier, behavior and policy on the switch with the display traffic classifier, display traffic behavior and display traffic policy commands:

[~R4U13-CE12800-SWITCH-B]display  traffic classifier
  Traffic Classifier Information:
    Classifier: test
      Type: OR 
      Rule(s):
        if-match ipv6 acl 3000
Total classifier  number is 1

 [~R4U13-CE12800-SWITCH-B]display traffic behavior
  Traffic Behavior Information:
    Behavior: test
      Redirect:
        Redirect interface 10GE3/0/9
Total behavior number is 1

[~R4U13-CE12800-SWITCH-B]display traffic policy
  Traffic Policy Information:
    Policy: test
      Classifier: test
        Type: OR 
      Behavior: test
        Redirect:
          Redirect interface 10GE3/0/9

Step 2    Before looking at the chip, also confirm that the ACL the classifier references (ipv6 acl 3000) exists and contains rules, and that the policy is applied to an interface with traffic-policy test inbound or outbound; neither appears in the configuration excerpts above, and a policy that matches nothing or is never applied cannot redirect anything. Then check whether the policy has been delivered to the chip's forwarding engine with the display system tcam service brief slot 3 command. The ACL rules of this policy are not found in the chip, so delivery failed, which causes the problem.

(screenshot: 140121yg44ced4r1jfdxfd.jpg)

Step 3    Run the display traffic-policy applied-record command to find the reason the ACL rules failed to apply.

(screenshot: 140122a1xz3h72z4zqitd6.png)

Run the display system tcam fail-record command to check why the traffic policy failed.

(screenshot: 140123zg4c8cfguah46hhg.png)

To confirm the root cause, check the alarm information.

(screenshot: 140124ul2l6409sosty00n.jpg)

----End

NOTE

The optimization in later versions only reduces the number of ACL rules the switch consumes; the problem still occurs when a large number of services are configured on the switch.

Solution:

1.         If the problem occurs in V1R5C00 or an earlier version: this is optimized in V2R1C00, so we advise upgrading to V2R1C00 or the latest version to resolve it.

2.         Redesign the ACL rules on the switch: delete unimportant or unused ACL rules, such as the various traffic-statistics rules (VLAN traffic statistics, VLAN interface traffic statistics and tunnel traffic statistics), to free ACL resources.

Root Cause

The traffic policy configured on SwitchA relies on an ACL to match packets by their characteristics and then redirect them to the corresponding outbound port. In this case ACL resources are insufficient, so the traffic policy does not take effect and packets do not match the rules.
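As an added example (my own script, not Huawei tooling and not part of this case), the following Python audits a saved display current-configuration dump for the wiring that Step 1 checks by eye and that solution 2 asks you to trim: whether every ACL a classifier references exists and has rules, whether every policy references an existing classifier and behavior and is actually applied to an interface, and which applied policies only collect statistics (the first candidates to delete). The sample configuration inside it is constructed to mirror the SwitchC fragment above; the "statistic enable" action and the "acl number" / "traffic-policy ... inbound|outbound" syntax are assumed from CE configuration conventions, and the claim that a classifier whose ACL is undefined or empty matches nothing is an assumption about CE behaviour worth confirming on your version.

```python
import re

# Constructed sample (not the page's dump): the SwitchC fragment plus ACL definitions,
# a statistics-only policy and one interface binding, so every check below has
# something to report. "statistic enable" is assumed to be the statistics action.
SAMPLE_CONFIG = """\
#
acl ipv6 number 3000
 rule 5 permit ipv6 source 100::/64
#
acl number 3001
#
traffic classifier test type or
 if-match ipv6 acl 3000
#
traffic classifier stats type or
 if-match acl 3001
 if-match acl 3002
#
traffic behavior test
 redirect interface 10GE3/0/9
#
traffic behavior stats
 statistic enable
#
traffic policy test
 classifier test behavior test precedence 5
#
traffic policy stats
 classifier stats behavior stats precedence 10
#
interface 10GE3/0/2
 traffic-policy stats outbound
#
"""


def parse_blocks(config):
    """Split a VRP-style dump into (header, [sub-commands]); a '#' line ends a block."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.strip() in ("", "#"):
            current = None
        elif not raw.startswith(" "):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return blocks


def build_model(config):
    """Index ACLs, classifiers, behaviors, policies and per-interface policy bindings."""
    acls, classifiers, behaviors, policies, interfaces = {}, {}, {}, {}, {}
    for header, subs in parse_blocks(config):
        w, body = header.split(), "\n".join(subs)
        if m := re.match(r"acl (ipv6 )?(?:number|name) (\S+)", header):
            # IPv4 and IPv6 ACL numbers are separate namespaces, so key on both.
            acls[("ipv6" if m.group(1) else "ipv4", m.group(2))] = [s for s in subs if s.startswith("rule ")]
        elif w[:2] == ["traffic", "classifier"]:
            classifiers[w[2]] = [("ipv6" if f else "ipv4", a) for f, a in re.findall(r"if-match (ipv6 )?acl (\S+)", body)]
        elif w[:2] == ["traffic", "behavior"]:
            behaviors[w[2]] = subs
        elif w[:2] == ["traffic", "policy"]:
            policies[w[2]] = re.findall(r"classifier (\S+) behavior (\S+)", body)
        elif w[0] == "interface":
            interfaces[w[1]] = re.findall(r"traffic-policy (\S+) (inbound|outbound)", body)
    return acls, classifiers, behaviors, policies, interfaces


def audit(config):
    """Findings, in configuration order, for the checks Step 1 does by eye."""
    acls, classifiers, behaviors, policies, interfaces = build_model(config)
    findings = []
    for name, refs in classifiers.items():
        for fam, ident in refs:
            if (fam, ident) not in acls:
                findings.append(f"classifier {name}: {fam} acl {ident} is not defined, so it matches nothing")
            elif not acls[(fam, ident)]:
                findings.append(f"classifier {name}: {fam} acl {ident} has no rules, so it matches nothing")
    applied = {policy for binds in interfaces.values() for policy, _ in binds}
    for name, binds in policies.items():
        if name not in applied:
            findings.append(f"policy {name}: defined but not applied to any interface, so it has no effect")
        for cls, beh in binds:
            if cls not in classifiers:
                findings.append(f"policy {name}: classifier {cls} does not exist")
            if beh not in behaviors:
                findings.append(f"policy {name}: behavior {beh} does not exist")
            elif name in applied and behaviors[beh] and all(a.startswith("statistic") for a in behaviors[beh]):
                # Statistics-only policies hold ACL entries for no forwarding effect:
                # the first candidates to remove under solution 2.
                findings.append(f"policy {name}: behavior {beh} only collects statistics; candidate for removal")
    return findings


def acl_rule_counts(config):
    """Rules per ACL as {(family, id): count}; zero-rule ACLs are dead weight."""
    return {key: len(rules) for key, rules in build_model(config)[0].items()}


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(acl_rule_counts(SAMPLE_CONFIG))
```

Run it against a dump saved from the switch (replace SAMPLE_CONFIG with the file contents) and fix what it reports before reading the TCAM fail records, so that resource exhaustion is not diagnosed where the policy was simply never applied or could never match.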

