某广电S7600-X DHCP地址获取异常问题定位的经验案例

某广电S7600-X DHCP地址获取异常问题定位的经验案例

一    组网：

某广电无线城域网核心为两台S7600-X IRF，无线终端的IP地址由接在上端S5500的BRAS设备提供，S7600-X对此类DHCP报文是二层透传的。

二    问题描述：

业务高峰期无线终端获取地址很慢。

三    过程分析：

检查相关设备并未发现有超带宽和拥塞发生。

在S7600-X下接入终端（mac-address 38bc-1a0f-9f33），通过DHCP获取地址，同时在拓扑中的位置点1和位置点2抓包分析。

位置点1收包如下：

位置点2收包如下：

两边对比发现DHCP报文通过S7600-X后确实出现了丢弃。

进一步检查配置发现，S7600-X本身全局也使能了DHCP服务，关闭全局的DHCP服务后再次测试发现问题消失，DHCP完全透传无任何丢弃情况发生。

S7600-X上使能的DHCP服务是用户前期用来做测试用的，测试后并未删除掉相关配置。那为何全局使能DHCP服务后会导致透传的DHCP报文出现丢弃呢？

通过查看设备底层ACL发现了问题所在：

当全局使能DHCP ENABLE后，业务板会下发一规则，该规则根据报文类型匹配DHCP报文，并对每个端口入DHCP报文进行限速，报文限速为256kbps，底层下发规则如下：

[H3C]probe                                                                       

[H3C-probe]debug qacl  show  chassis  1 slot 1 c 0 verbose  0  sysidx 34                                                                                       

========                                                                        

Acl-Type RX IPv4 High Shadow, Stage IFP, SinglePort, Installed, Active         

Prio Mjr/Sub 523/25, Group 1 [1], Slice/Idx 0/2, Entry 136, Double: 2/514      

Rule Match --------                                                            

         Ports: 0x00004000; 0xffffffff                                         

         Lookup: VLAN ID valid[y], STP forwarding, 0x1c, 0x1c                  

         Dest IP: 255.255.255.255, 255.255.255.255                             

         IP protocol: udp                                                      

         L4 Dst Port: 67, 0xffff                                               

         IP Fragment: 0x3                                                      

Actions --------                                                                

         CAR cir 0x100, cbs 0x800, pir 0x100, pbs 0x800, mode srTCM color blind    //16进制0x100为256kbps

         Account mode  packets,  green and non-green                           

         Copy_to_cpu : Yes                                                     

         Change CPU pkt COS 18                                                 

         Permit                                                                

         Red Deny                                                               

         Red_Copy_to_cpu : No                                                  

         Yel Deny                                                              

         Yel_Copy_to_cpu : No                                                   

MatchedName:34, DHCP_RELAY_SERVER                                              

          Color Independent 1                                                  

Accounting: Hi 5870, LO 19860408

目前在S10500上由于ACL资源限制，无法根据Vlan来分离出本地终结和二层透传的DHCP报文，全局使能DHCP后只能同时做限速处理。

一般应用下256kbps都可满足要求，对于高密度的DHCP环境下建议关闭本地的DHCP服务，这样就不会在业务板上下发限速动作。

现场在业务量大的时候出现DHCP丢包，可以实际评估下现场环境，适当放开DHCP限速值为默认值的2到3倍。

四    解决方法：

 

如果要放大报文速率，可以配置control-plane放大限速：

放大报文限制配置举例：从256kbps放到512kbps：

traffic classifier dhcptest operator and                                       

 if-match control-plane protocol dhcp                                          

#                                                                              

traffic behavior dhcptest                                                       

 car cir 512 cbs 32256 ebs 512 green pass red discard yellow pass              

#                                                                              

qos policy dhcptest                                                             

 classifier dhcptest behavior dhcptest                                         

#                                                                              

control-plane chassis 1 slot 1    //对1号槽位业务单板放大                                           

 qos apply policy dhcptest inbound                                             

#                                                                      

另外也可以通过关闭本地DHCP服务来解决。