The site has a V7 S5560X and a V5 S5800 configured with the same rate-limiting policy. The policy works normally on the V5 S5800, but once it is applied on the V7 S5560X, the directly connected device can no longer be pinged.
The policy is as follows:
traffic classifier YiZhanHuLian-Tel operator and
if-match acl 3004
traffic behavior 10m
car cir 10240 cbs 163840 ebs 10240 green pass red discard yellow discard
traffic classifier any operator and
if-match any
traffic behavior deny
filter deny
acl number 3004 name YiZhanHuLian-Tel
rule 10 permit ip source 120.1.1.0 0.0.0.255
qos policy YiZhanHuLian-Tel
classifier YiZhanHuLian-Tel behavior 10m
classifier any behavior deny
Because the ACL on site matches IP, ARP packets cannot match the ACL, so they match the "any" class instead and are denied.
traffic classifier any operator and
if-match any
traffic behavior deny
filter deny
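The device on site cannot learn ARP entries, so ping fails. In testing, however, the V5 5800 can be pinged and sends and receives ARP normally, so we investigated further.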
The acl-type of the installed MQC is 2:
[Access-2-diagnose]debug qacl show acl-resc 1 0
---------------Qacl Group UsedResc Info---------------
------------------------------------------------------
Group 7,usedEntries 2,physlice 7,mode Single
=========================================
acl type usedEntries[2]
=========================================
[2 ]MQC Port 2
======================================
The system-installed ACLs that match ARP have sys-index 29 and 30:
[Access-2-diagnose]debug rxtx softcar show 1
29 ARP 0 167086 100 S On SMAC 8
30 ARP_REPLY 0 0 100 S On SMAC 8
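Comparing the installed ACLs shows that the MQC is installed on slice 7 with group priority 7, while the system ACL for ARP is installed on slice 10 with group priority 10. The system ACL therefore has the higher priority, so ARP packets do not match the MQC and are not denied.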
[Access-2-diagnose]debug qacl show 1 0 verbose 0 acl-type 2
========
Acl-Type MQC Port, Stage IFP, GroupPri 7, EntryID 206, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 518, Prio_Sub 14,Slice 7,SliceIdx 0
Policy YiZhanHuLian-Tel, Classifier YiZhanHuLian-Tel, Behavior 10m
ACL GroupNo : 3004, RuleID : 10
Rule Match --------
Ports: 0x002000000, 0x01fffffff
Lookup: STP forwarding, 0x18, 0x18
Source IP: 120.1.1.0, 255.255.255.0
IP Type: Any IPv4 packet
Actions --------
CAR cir 0x2800, cbs 0x51e, pir 0x2800, pbs 0x51, mode srTCM color blind
Account mode packets, green and red
Grn Permit
Red Deny
Yel Deny
Accounting: Hi 15, LO 0
========
Acl-Type MQC Port, Stage IFP, GroupPri 7, EntryID 207, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 518, Prio_Sub 14,Slice 7,SliceIdx 1
Policy YiZhanHuLian-Tel, Classifier any, Behavior deny
Rule Match --------
Ports: 0x002000000, 0x01fffffff
Actions --------
Deny
[Access-2-diagnose]debug qacl show 1 0 verbose 0 sy
[Access-2-diagnose]debug qacl show 1 0 verbose 0 sysidx 29
========
Acl-Type RX IPv4 High, Stage IFP, GroupPri 10, EntryID 153, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 523, Prio_Sub 11,Slice 10,SliceIdx 0
Rule Match --------
Ports: 0x01ffffffe, 0x01fffffff
Lookup: VLAN ID valid, STP forwarding, 0x1c, 0x1c
Dest mac: FFFF-FFFF-FFFF, FFFF-FFFF-FFFF
EtherType: 0x806, 0xffff
SysmRule Index : 29
Vlan Class id: 0xa
Actions --------
CAR cir 0x100, cbs 0x800, pir 0x100, pbs 0x800, mode srTCM color blind
Account mode packets, green and non-green
Copy_to_cpu : Yes
Change CPU pkt COS 6
Permit
Remark DROPPRE 0
Red_Copy_to_cpu : No
Yel_Copy_to_cpu : No
MatchedName:29, ARP
Accounting: Hi 0, LO 0
[Access-2-diagnose]debug qacl show 1 0 verbose 0 sysidx 30
========
Acl-Type RX IPv4 High, Stage IFP, GroupPri 10, EntryID 154, Active
Health 1, PoolFree 0, PoolID 0, Prio_Mjr 523, Prio_Sub 11,Slice 10,SliceIdx 1
Rule Match --------
Ports: 0x01ffffffe, 0x01fffffff
Lookup: VLAN ID valid, STP forwarding, 0x1c, 0x1c
EtherType: 0x806, 0xffff
SysmRule Index : 30
DstMac Class id: 0xb
Actions --------
CAR cir 0x100, cbs 0x800, pir 0x100, pbs 0x800, mode srTCM color blind
Account mode packets, green and non-green
Copy_to_cpu : Yes
Change CPU pkt COS 10
Permit
Remark DROPPRE 0
Red_Copy_to_cpu : No
Yel_Copy_to_cpu : No
MatchedName:30, ARP_REPLY
Accounting: Hi 0, LO 0
Remove the following configuration:
if-match any
traffic behavior deny
filter deny
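
The priority comparison above, as an added example (not part of the original case and not H3C code): a simplified single-winner model in which the entry with the highest GroupPri wins, then SliceIdx order inside a slice. The GroupPri value 5 in the failing case is constructed, since the page shows no V7 output, and all function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

ARP, IPV4 = 0x0806, 0x0800
ACL_3004 = ipaddress.ip_network("120.1.1.0/24")  # rule 10 source, from the page

@dataclass
class Entry:
    name: str
    group_pri: int   # GroupPri in "debug qacl show"; higher value wins (per the case)
    slice_idx: int   # SliceIdx: position inside the slice, lower is checked first
    match: Callable[[dict], bool]
    action: str

def mqc_entries(group_pri: int, catch_all: bool = True) -> list:
    """Entries installed by qos policy YiZhanHuLian-Tel (hypothetical helper)."""
    entries = [Entry("classifier YiZhanHuLian-Tel", group_pri, 0,
                     lambda p: p["ethertype"] == IPV4
                     and ipaddress.ip_address(p["src_ip"]) in ACL_3004,
                     "car-10m")]
    if catch_all:  # classifier any / behavior deny: matches every frame, ARP included
        entries.append(Entry("classifier any", group_pri, 1, lambda p: True, "deny"))
    return entries

def system_arp_entry(group_pri: int) -> Entry:
    """System rule sysidx 29: broadcast ARP is copied to the CPU."""
    return Entry("sysidx 29 ARP", group_pri, 0,
                 lambda p: p["ethertype"] == ARP and p["dst_mac"] == "ffff-ffff-ffff",
                 "copy-to-cpu")

def lookup(entries: list, pkt: dict) -> str:
    """Return the action of the winning entry (simplified single-winner model)."""
    for e in sorted(entries, key=lambda e: (-e.group_pri, e.slice_idx)):
        if e.match(pkt):
            return e.action
    return "forward"

# Constructed sample frames
ARP_REQ = {"ethertype": ARP, "dst_mac": "ffff-ffff-ffff"}
IP_IN = {"ethertype": IPV4, "dst_mac": "0000-0000-0001", "src_ip": "120.1.1.5"}

if __name__ == "__main__":
    print(lookup(mqc_entries(7) + [system_arp_entry(10)], ARP_REQ))  # priorities from the page
    print(lookup(mqc_entries(7) + [system_arp_entry(5)], ARP_REQ))   # constructed: MQC outranks
    print(lookup(mqc_entries(7, False) + [system_arp_entry(5)], ARP_REQ))  # catch-all removed
```

With the catch-all class removed, the ARP result no longer depends on how the platform orders MQC and system entries.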