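Network topology: not applicable.
On the M9K, from the D032 new-branch release onward, packet capture from the web page requires the traffic to be mirrored to the blade card first. In addition, because the site does not have enough public IP addresses, the network is built around traffic steering through MQC.
Assume the extreme case in which both policies match the same flow:
traffic classifier local operator and (for packet capture)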
if-match acl 3000
traffic classifier nat operator and (for redirection)
if-match acl 3000
traffic behavior local
mirror-to interface Ten-GigabitEthernet2/3/0/25
#
traffic behavior nat
redirect interface Bridge-Aggregation3
#
qos policy local
classifier local behavior local
# Redirect policy, applied globally
qos policy nat/local
classifier nat behavior nat
qos apply policy nat/local global inbound enhancement // redirect, applied globally
interface Ten-GigabitEthernet2/3/0/26
port link-mode bridge
qos apply policy local inbound enhancement // mirror-to, applied on the interface
#
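What is programmed into the hardware: two classifier-behavior (CB) pairs are configured. Because they occupy the same slice and are installed with different priorities, the hardware information shows that only one action is executed, namely mirror-to. As a result, when this flow reaches the device, the redirect action cannot be performed.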
[H3C-probe]debug qacl show chassis 2 s 3 c 0 verbose 0 acl-type 1
========
Acl-Type MQC Global, Stage IFP, Pipe 0, OuterPort, Installed, Active
Prio Mjr/Sub 518/2, Group 9 [9], Slice/Idx 10/1, Entry 720, Single: 5121
PolicyID 102, CBMapID 0, ClassID 103, BehaviorID 105 [IN]
ACL GroupNo : 3000, RuleID : 0
Rule Match --------
Ports: 0x0ffffffe; 0xffffffff
Lookup: STP forwarding, 0x18, 0x18
Source IP: 10.0.0.0, 255.0.0.0
IP Type: Any IPv4 packet
Actions --------
Redirect bridge port 0x48f9
L3Switch Cancel L3Switch NextHopIndex 0x2
Color Independent 1
[H3C-probe]debug qacl show chassis 2 s 3 c 0 verbose 0 acl-type 2
========
Acl-Type MQC Port, Stage IFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 518/5, Group 9 [9], Slice/Idx 10/0, Entry 721, Single: 5120 // Mjr is the same; the larger Sub takes priority, so the mirror (capture) action is executed
PolicyID 103, CBMapID 0, ClassID 104, BehaviorID 106 [IN]
ACL GroupNo : 3000, RuleID : 0
Rule Match --------
Ports: 0x08000000; 0xffffffff
Lookup: STP forwarding, 0x18, 0x18
Source IP: 10.0.0.0, 255.0.0.0
IP Type: Any IPv4 packet
Actions --------
Mirror to INTF[0x0000000000000001] :
([0]mod 38,port 26)
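Case 2: two CB pairs, both applied globally, so the type is the same. Within the same slice, the action of the entry with the smaller Single ID is executed, so the redirect action is performed.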
qos policy nat/local
classifier nat behavior nat
classifier local behavior local
qos apply policy nat/local global inbound // applied globally
[H3C-probe]debug qacl show chassis 2 s 3 c 0 verbose 0 acl-type 1
========
Acl-Type MQC Global, Stage IFP, Pipe 0, OuterPort, Installed, Active
Prio Mjr/Sub 518/2, Group 9 [9], Slice/Idx 10/0, Entry 718, Single: 5120
PolicyID 102, CBMapID 0, ClassID 103, BehaviorID 105 [IN]
ACL GroupNo : 3000, RuleID : 0
Rule Match --------
Ports: 0x0ffffffe; 0xffffffff
Lookup: STP forwarding, 0x18, 0x18
Source IP: 10.0.0.0, 255.0.0.0
IP Type: Any IPv4 packet
Actions --------
Redirect bridge port 0x48f9
L3Switch Cancel L3Switch NextHopIndex 0x2
Color Independent 1
========
Acl-Type MQC Global, Stage IFP, Pipe 0, OuterPort, Installed, Active
Prio Mjr/Sub 518/2, Group 9 [9], Slice/Idx 10/1, Entry 719, Single: 5121
PolicyID 102, CBMapID 1, ClassID 104, BehaviorID 106 [IN]
ACL GroupNo : 3000, RuleID : 0
Rule Match --------
Ports: 0x0ffffffe; 0xffffffff
Lookup: STP forwarding, 0x18, 0x18
Source IP: 10.0.0.0, 255.0.0.0
IP Type: Any IPv4 packet
Actions --------
Mirror to INTF[0x0000000000000001] :
([0]mod 38,port 26)
Conclusion: under MQC, the redirect and mirror actions conflict. Take care when using them together, to avoid service disruption.
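The check carried out by hand in the two cases above, as an added example (not part of the original case and not H3C code): a Python script that parses `debug qacl show` output, groups entries sharing group, slice, Mjr and match, and ranks them in the order this page observed. Treating only the ACL rule and source IP as the match is an assumption, and SAMPLE is constructed from the case-1 output.

```python
import re
from collections import defaultdict
# Constructed sample: the two case-1 entries above, trimmed to the fields parsed here.
SAMPLE = """\
========
Prio Mjr/Sub 518/2, Group 9 [9], Slice/Idx 10/1, Entry 720, Single: 5121
ACL GroupNo : 3000, RuleID : 0
Source IP: 10.0.0.0, 255.0.0.0
Actions --------
Redirect bridge port 0x48f9
========
Prio Mjr/Sub 518/5, Group 9 [9], Slice/Idx 10/0, Entry 721, Single: 5120
ACL GroupNo : 3000, RuleID : 0
Source IP: 10.0.0.0, 255.0.0.0
Actions --------
Mirror to INTF[0x0000000000000001] :
"""

HEAD = re.compile(r"Prio Mjr/Sub (\d+)/(\d+), Group (\d+).*?Slice/Idx (\d+)/\d+, "
                  r"Entry \d+, Single: (\d+)")

def parse_entries(text):
    """Split on the ======== separators and keep the fields that decide which entry wins."""
    entries = []
    for block in re.split(r"^=+$", text, flags=re.M):
        m = HEAD.search(block)
        if not m:
            continue
        mjr, sub, group, slc, single = map(int, m.groups())
        acl = re.search(r"ACL GroupNo : (\d+), RuleID : (\d+)", block)
        src = re.search(r"Source IP: (\S+), (\S+)", block)
        acts = block.split("Actions --------", 1)[-1]
        action = "mirror" if "Mirror to" in acts else "redirect" if "Redirect" in acts else "other"
        entries.append({"mjr": mjr, "sub": sub, "group": group, "slice": slc, "single": single,
                        "action": action, "match": (acl and acl.groups(), src and src.groups())})
    return entries

def find_conflicts(entries):
    """Return (winner, losers) per set of same-group/slice/Mjr/match entries with differing actions."""
    buckets = defaultdict(list)
    for e in entries:
        buckets[(e["group"], e["slice"], e["mjr"], e["match"])].append(e)
    out = []
    for same in buckets.values():
        if len({e["action"] for e in same}) > 1:
            # Order observed on this page: larger Sub wins; on a tie, smaller Single ID wins.
            ranked = sorted(same, key=lambda e: (-e["sub"], e["single"]))
            out.append((ranked[0], ranked[1:]))
    return out
```

Any entry returned in `losers` is an action that is installed but never executed for that flow, which is the silent failure the conclusion warns about.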