Device and version: S7606 R7557P02
No network topology involved.
Relevant configuration:
#
acl ipv6 number 3002
rule 10 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:501:21:1401::/80
rule 20 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:50A:21:1401::/80
rule 30 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:50A:21:1402::/80
rule 40 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:50A:21:1403::/80
rule 50 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:590:1021:1401::/80
rule 60 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:530:1021:1401::/80
rule 70 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:570:1021:1401::/80
rule 80 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:510:1021:1401::/80
rule 90 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:520:1021:1401::/80
rule 100 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:580:1021:1401::/80
rule 110 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:540:1021:1401::/80
rule 120 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:5A0:1021:1401::/80
rule 130 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:5B0:1021:1401::/80
rule 140 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:5C0:1021:1401::/80
rule 150 permit ipv6 source 2409:8087:590:1021:1401::/80 destination 2409:8087:550:1021:1401::/80
rule 300 permit tcp source 2409:8087:590:1021:1401::/80 source-port eq 6410
rule 310 permit tcp source 2409:8087:590:1021:1401::/80 source-port eq 6610
rule 320 permit tcp source 2409:8087:590:1021:1401::/80 source-port eq 6060
rule 330 permit icmpv6 source 2409:8087:590:1021:1401::/80
rule 520 deny ipv6
#
#
interface Ten-GigabitEthernet5/0/5
port link-mode bridge
description TO-[HESJ-PS-CDN-SV321-HPDL380]-1*10G
port access vlan 110
packet-filter 3002 inbound
packet-filter ipv6 3002 inbound
#
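No alarms involved.
1. At some point, the IPv6 address of a server attached to the 7606 switch was found to be unreachable.
2. Subsequent testing showed that unbinding the IPv6 ACL 3002 resolved the problem. Re-binding ACL 3002 reproduced it.
3. Later, after removing the last rule of ACL 3002 (rule 520) on switch 1, the problem was resolved.
Because of a chip limitation, when packet filtering matches both IPv4 source/destination addresses and IPv6 source/destination addresses with a mask longer than 64 bits, a resource conflict occurs: the entries cannot be installed in the same group, and the group splits.
The IPv6 ACL rules were split into 2 groups when installed in hardware. In the hardware information for slot 4, rule 520 sits in group 4, which has the higher priority, so it is matched first and the traffic is denied.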
====debug qacl show acl-resc slot 4 chip 0====
Acl Hw Resource: IFP, Pipe:0
------------------------------------------------------
Pri 3, Group 6,usedEntries 16 ,mode Double, physlice 0/1/
=========================================
acl type usedEntries[16]
=========================================
[23 ]RX Low 13
[25 ]Super_RX Low 1
[27 ]TCP_RX_MISS_LOWEST 1
[148]PDT LOW INITIAL 1
======================================
------------------------------------------------------
Pri 5, Group 5,usedEntries 19 ,mode Double, physlice 4/5/
=========================================
acl type usedEntries[19]
=========================================
[141]PktFilter IPV6 on PORT 19
======================================
------------------------------------------------------
Pri 7, Group 4,usedEntries 38 ,mode Single, physlice 7/
=========================================
acl type usedEntries[38]
=========================================
[99 ]PktFilter IP on PORT 37
[141]PktFilter IPV6 on PORT 1
======================================
------------------------------------------------------
====debug qacl show acl-resc slot 5 chip 0====
------------------------------------------------------
Pri 5, Group 7,usedEntries 19 ,mode Double, physlice 4/5/
=========================================
acl type usedEntries[19]
=========================================
[141]PktFilter IPV6 on PORT 19
======================================
------------------------------------------------------
Pri 7, Group 5,usedEntries 38 ,mode Single, physlice 7/
=========================================
acl type usedEntries[38]
=========================================
[99 ]PktFilter IP on PORT 37
[141]PktFilter IPV6 on PORT 1
======================================
------------------------------------------------------
[HESJ-PS-CDN-SW02-H3CS7606-probe]debug qacl show slot 4 chip 0 verbose 0 acl-type 141
Acl-Type PktFilter IPV6 on PORT, Stage IFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 520/34, Group 5 [5], Slice/Idx 4/18, Entry 1380, Double: 530/786
ACL GroupNo : 3002, RuleID : 330
Rule Match --------
Ports: 0x00000000000010000; 0x20000000000ffffff
Lookup: STP forwarding, 0x18, 0x18
IPv6 Source Addr: 24098087-05901021-14010000-00000000, ffffffff-ffffffff-ffff0000-00000000
IP Type: IPv6 packet
Next Header: 0x3a, 0xff
Actions --------
Permit
========
Acl-Type PktFilter IPV6 on PORT, Stage IFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 520/34, Group 4 [4], Slice/Idx 7/37, Entry 1381, Single: 1317
ACL GroupNo : 3002, RuleID : 520
Rule Match --------
Ports: 0x00000000000010000; 0x20000000000ffffff
Lookup: STP forwarding, 0x18, 0x18
IP Type: IPv6 packet
Actions --------
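The check the analysis above performs by eye, as an added example (not H3C tooling and not part of the original case): it parses excerpts of the two `debug qacl` outputs shown above and reports any ACL rule installed in a higher-priority hardware group than a rule that precedes it in the ACL. It assumes a larger Pri value is matched first, which is how the analysis reads the output; the function names are hypothetical.

```python
import re

# Excerpts of the slot 4 output shown above, trimmed to the fields the parser reads.
RESC = """\
Pri 5, Group 5,usedEntries 19 ,mode Double, physlice 4/5/
[141]PktFilter IPV6 on PORT 19
Pri 7, Group 4,usedEntries 38 ,mode Single, physlice 7/
[99 ]PktFilter IP on PORT 37
[141]PktFilter IPV6 on PORT 1
"""
VERBOSE = """\
Prio Mjr/Sub 520/34, Group 5 [5], Slice/Idx 4/18, Entry 1380, Double: 530/786
ACL GroupNo : 3002, RuleID : 330
Prio Mjr/Sub 520/34, Group 4 [4], Slice/Idx 7/37, Entry 1381, Single: 1317
ACL GroupNo : 3002, RuleID : 520
"""

def group_priorities(resc):
    """Map hardware group number -> Pri value from the 'acl-resc' output."""
    return {int(g): int(p) for p, g in re.findall(r"Pri (\d+), Group (\d+)", resc)}

def rule_placement(verbose):
    """Return [(acl, rule_id, hw_group)] from the 'verbose' entry output."""
    out, group = [], None
    for line in verbose.splitlines():
        if m := re.search(r"Group (\d+) \[", line):
            group = int(m.group(1))          # header line of a hardware entry
        elif m := re.search(r"ACL GroupNo : (\d+), RuleID : (\d+)", line):
            out.append((int(m.group(1)), int(m.group(2)), group))
    return out

def find_inversions(resc, verbose):
    """Rules that come later in the ACL but sit in a higher-priority group.
    Assumption: a larger Pri value is matched first (per the analysis above)."""
    pri = group_priorities(resc)
    rules = sorted(rule_placement(verbose))  # ACL number, then rule ID order
    return [(acl_b, later, earlier)
            for i, (acl_a, earlier, g_a) in enumerate(rules)
            for acl_b, later, g_b in rules[i + 1:]
            if acl_a == acl_b and pri[g_b] > pri[g_a]]

if __name__ == "__main__":
    for acl, later, earlier in find_inversions(RESC, VERBOSE):
        print(f"ACL {acl}: rule {later} is matched before rule {earlier}")
```

Run against the full verbose output for an ACL type, every permit rule that ends up behind the trailing deny rule is listed, which makes a group split visible before traffic is affected.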
Change the IPv4 or the IPv6 packet filter to the MQC method.