Wrong CP-CAR configuration causes MPLS L3VPN ping failure between local PE and remote CE

Publication Date: 2014-11-04

Issue Description

Software Version:

1. NE40 V3.1 R2358;

2. NE80E V300R001C01B052

Working Topology:

    PC --------NE40A--------NE80E--------NE40B--------server
                       |             |
                  4 POS links   2 GE links


Networking description:

The NE80E connects to NE40A over 4 POS interfaces and to NE40B over 2 GE ports. A PC accesses VPN1 through PE NE40A, and the server, connected to the other PE, NE40B, accesses the same VPN, VPN1. The NE80E works as the P router; the IGP is OSPF.

Problem phenomenon:

From the PC, the IP address at the other end of its link is pingable, but a ping to the IP address of the NE40B interface that connects to the server fails.

Handling Process
  1. There is load balancing on the intermediate links, but for LSPs, if load balancing is not configured, the default value is 1 and only one LDP LSP is chosen, so load balancing is not the cause of this issue.
  2. From NE40B, the IP address of the NE40A interface connected to the PC is pingable, which indicates that the LSPs in both directions between NE40A and NE40B have no errors.
  3. Check the devices' configuration. The command 'apply system-bucket 4 31 traffic-rate 0' appears on NE40B, and the NE40B interface that cannot be pinged is in the same slot, slot 4. After this command is removed, the problem is solved.
  4. The customer added this command to protect against ICMP attacks, but with the value set to 0 it drops all ICMP packets whose destination IP address belongs to slot 4 on NE40B (the bandwidth for those ICMP packets is set to 0 kbit/s).
Root Cause

The security configuration added on the live network to protect against ICMP attacks limited the ICMP upload bandwidth to 0 kbit/s.

Solution
  1. Remove the configuration that limits the ICMP upload bandwidth to 0.
Suggestions

1. For system-bucket No. 31, to prevent the attack, the rate can be set to 4K; smaller values (0K or 2K) are not recommended.

2. To protect the CPU against ICMP attacks, ICMP fast reply is suggested.

[_d]icmp fast

All ICMP packets destined for the router itself are answered by the LPU card and are not sent to the CPU for processing; ICMP packets originated by the router itself are not affected.

3. To change the ICMP packet upload bandwidth:

Apply system car cir cbs slot type ipv4-redirect-icmp

4. To check the NE40 discard count:

]display system only-discard

#

 The slot number:6

 The Protocol type:IPV4-redirect-icmp

 The time of the last packets arrive:17:03:27

 The number of present tokens:196526

 The number of the discarded packets:269

 The number of the passed packets:579274

 The bucket alarm enable flag:disable apply system cir 64k cbs 196608
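
The root cause and suggestion 1 above can be checked across saved configurations before they reach a live network. The following is an added example, not Huawei's code or part of the original case: it scans configuration text for the 'apply system-bucket' form shown on this page and flags a rate of 0, or a rate below the suggested 4K on bucket 31. The function name, the sample configuration, and the assumption that the CLI rate value uses the same K unit as the suggestion are all assumptions.

```python
import re

# Command form as it appears on this page:
#   apply system-bucket <slot> <bucket> traffic-rate <rate>
BUCKET_RE = re.compile(
    r"^\s*apply\s+system-bucket\s+(\d+)\s+(\d+)\s+traffic-rate\s+(\d+)\s*$",
    re.IGNORECASE,
)
ICMP_BUCKET = 31        # bucket number the page ties to the dropped ICMP packets
SUGGESTED_MIN_RATE = 4  # page suggests 4K; assumed same unit as the CLI value

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
sysname NE40B
apply system-bucket 4 31 traffic-rate 0
apply system-bucket 6 31 traffic-rate 2
apply system-bucket 2 31 traffic-rate 4
interface GigabitEthernet4/0/0
"""


def audit_cp_car(config_text):
    """Return one finding (dict) per risky system-bucket line."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = BUCKET_RE.match(line)
        if not m:
            continue
        slot, bucket, rate = (int(g) for g in m.groups())
        if rate == 0:
            # The failure in this case: nothing in the bucket reaches the CPU.
            severity, reason = "critical", "rate 0 drops every packet in this bucket"
        elif bucket == ICMP_BUCKET and rate < SUGGESTED_MIN_RATE:
            severity, reason = "warning", "ICMP bucket below the suggested 4K"
        else:
            continue
        findings.append({"line": lineno, "slot": slot, "bucket": bucket,
                         "rate": rate, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_cp_car(SAMPLE_CONFIG):
        print(f"line {f['line']}: slot {f['slot']} bucket {f['bucket']} "
              f"rate {f['rate']} -> {f['severity']}: {f['reason']}")
```

The slot number in each finding identifies which interfaces to test with ping after the rate is corrected.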
