On-site testing found that a packet filter applied under an interface was not taking effect. Checking the low-level information showed that the packet filter had in fact been delivered to the hardware normally:
debug qacl show s 1 c 0 v 0 acl-type 128 pipe 1
Acl-Type PktFilter IPV4 on RPORT, Stage IFP, Pipe 1, SinglePort, Installed, Active
Prio Mjr/Sub 522/1577058303, Group 18 [18], Slice/Idx 5/0, Entry 680816, IntraDb: 3840/4608
ACL GroupNo: 637534217, RuleID: 0, RuleOffset: 0 RulePri: 0x5dff0000
Rule Match --------
Rule Property : 0
Ports: 0x0000000000000000000000000000000000008000000000000000000000000000; 0x0000000000000000000000000000000000000000000000000000000000000000
Lookup: STP forwarding, 0x18, 0x18
Source IP: 10.67.0.0, 255.255.0.0 Dest IP: 10.0.0.0, 255.0.0.0 IP Type: Any IPv4 packet Number-of-tags: 0x0, 0x1 Account or Logging
Actions -------- Deny Account mode packets, green and non-green
Copy_to_cpu : Switch and Copy to Cpu Cancel
Since the packet filter was delivered to the hardware normally, the suspicion was that the packets were being captured by another protocol. It was confirmed with the site that this was the solution's networking, and on the controller side the following configuration could be seen delivered under the OpenFlow instance:
openflow instance 1
fail-open mode smart
default table-miss permit
description SDN_INSTANCE_2e2814b9-d942-46ef-93f4-7c1141e7b75a
forbidden port vlan-interface L3-physical-interface // This command keeps traffic forwarded by Layer 3 interfaces from being sent to the controller; it caused the site's traffic to be captured by that high-priority underlying ACL, so the packet filter did not take effect
permit-port-type member-port
flow-table mac-ip 0 extensibility 1 extensibility 2
classification global
controller 1 address ip 10.52.1.13 local address ip 10.50.120.1 vrf mgmt
controller 2 address ip 10.52.1.14 local address ip 10.50.120.1 vrf mgmt
active instance
Configure openflow permit-flag ignore to ignore the permit flag that the forbidden port vlan-interface L3-physical-interface command sets on packets; the packets then hit the delivered packet filter normally.
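The two checks made in this case, confirming that the packet filter is installed in hardware and that an OpenFlow instance carries the forbidden-port command without permit-flag ignore, as an added config-audit script that is not part of the original case. It assumes the configuration is plain text as displayed by the device, that views are separated by a "#" line, and that permit-flag ignore may appear either as a global "openflow permit-flag ignore" line or inside the instance view; the sample configuration is constructed.

```python
"""Config audit for the packet-filter bypass described in this case.

Added example, not part of the original case. Assumptions: the OpenFlow
configuration is plain text as displayed by the device, views are separated
by a '#' line, and 'permit-flag ignore' appears either as a global
'openflow permit-flag ignore' line or inside the instance view.
"""
import re

INSTANCE_RE = re.compile(r"^openflow instance (\d+)$")
FORBIDDEN = "forbidden port vlan-interface L3-physical-interface"
PERMIT_IGNORE = "permit-flag ignore"


def acl_installed(debug_qacl: str) -> bool:
    """True when 'debug qacl show' reports the entry as Installed and Active."""
    return any("Installed, Active" in ln for ln in debug_qacl.splitlines())


def audit_openflow(config: str) -> list:
    """Return [(instance_id, reason)] for instances that can steal L3 traffic.

    An instance is flagged when it carries the forbidden-port command while no
    'permit-flag ignore' is configured, so its high-priority ACL captures the
    traffic before the interface packet filter can match it.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    permit_ignored = any(PERMIT_IGNORE in ln for ln in lines)
    findings, instance = [], None
    for ln in lines:
        m = INSTANCE_RE.match(ln)
        if m:
            instance = int(m.group(1))
        elif ln == "#":  # view separator in displayed config (assumption)
            instance = None
        elif instance is not None and ln == FORBIDDEN and not permit_ignored:
            findings.append((instance, "forbidden-port set without permit-flag ignore"))
    return findings


# Constructed sample mirroring the case: instance 1 has the forbidden command.
SAMPLE_BAD = """\
openflow instance 1
 fail-open mode smart
 default table-miss permit
 forbidden port vlan-interface L3-physical-interface
 permit-port-type member-port
 active instance
#
"""
# Same configuration after the fix from this case (global permit-flag ignore).
SAMPLE_FIXED = "openflow permit-flag ignore\n#\n" + SAMPLE_BAD
```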