S12708 CSS stack with inserted IPS and NGFW boards: traffic cannot be redirected a second time (troubleshooting case)

Published: 2015-03-27
Problem description

Device version information:

S12700 version: S12700-V200R006C00SPC500


IPS board version: IPSModuleV100R001C20SPC700


NGFW board version: NGFWModuleV100R001C20SPC700


Figure 1-1 Current production topology (schematic; image not reproduced here)
Figure 1-1 Expected traffic-flow topology (schematic; image not reproduced here)


Problem description:

Two S12708 switches are combined into one virtual device by CSS stacking, and the core device carries two built-in IPS boards and two built-in NGFW boards. When intranet traffic accesses external services it is first redirected to the NGFW board; once the traffic leaves the NGFW it can no longer be redirected (a second time) to the IPS board.


Configuration script:

Traffic-redirection configuration (PL1 is applied inbound on the NGFW-facing Eth-Trunk4/5; the trailing traffic-redirect line is the global policy in system view)

======================================================================
acl number 3001
 description YinLiu
 rule 5 permit ip source 10.XX.0.0 0.255.255.255
#
traffic classifier CL1 operator or precedence 5
 if-match acl 3001
#
traffic behavior BH1
 permit
 redirect ip-nexthop 10.XX.201.244 10.XX.201.245
#
traffic policy PL1 match-order config
 classifier CL1 behavior BH1
#
traffic-redirect inbound acl 3001 ip-nexthop 10.XX.201.230
#

Internal interconnect configuration

=====================================================================
vlan 21
 description To-NGFW-Usg6650-Eth
vlan 22
 description To-NGFW-Usg6650-Eth
#
interface Vlanif21
 description To_NGFW_Eth-Trunk1.21
 ip address 10.XX.201.227 255.255.255.248
#
interface Vlanif22
 description To_NGFW_Eth-Trunk1.22
 ip address 10.XX.201.235 255.255.255.248
#
interface Vlanif23
 description To_IPS
 ip address 10.XX.201.243 255.255.255.248
#
interface Vlanif24
 description To_IPS
 ip address 10.XX.201.251 255.255.255.248

Eth-Trunk (link aggregation) configuration

=================================================================
#
interface Eth-Trunk4
 description ith
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2 to 4094
 stp disable
 traffic-policy PL1 inbound
#
interface Eth-Trunk5
 description ith
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2 to 4094
 stp disable
 traffic-policy PL1 inbound
#
interface Eth-Trunk6
 description ith
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 23 to 24
 stp disable
#
interface Eth-Trunk7
 description ith
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 23 to 24
 stp disable
#

Interface configuration

=================================================================
#
interface GigabitEthernet1/1/0/24
 description ith
 port link-type access
 port default vlan 999
#
interface GigabitEthernet1/1/0/25
 port link-type access
 port default vlan 888
#
interface XGigabitEthernet1/7/0/0
 description TO_NGFW Model-Eth1
 eth-trunk 4
 carrier up-hold-time 10000
#
interface XGigabitEthernet1/7/0/1
 description TO_NGFW Model-Eth1
 eth-trunk 4
 carrier up-hold-time 10000
#
interface XGigabitEthernet1/8/0/0
 description ith
 eth-trunk 6
 carrier up-hold-time 10000
#
interface XGigabitEthernet1/8/0/1
 description ith
 eth-trunk 6
 carrier up-hold-time 10000
#
interface XGigabitEthernet2/7/0/0
 eth-trunk 5
 carrier up-hold-time 10000
#
interface XGigabitEthernet2/7/0/1
 eth-trunk 5
 carrier up-hold-time 10000
#
interface XGigabitEthernet2/8/0/0
 description ith
 eth-trunk 7
 carrier up-hold-time 10000
#
interface XGigabitEthernet2/8/0/1
 description ith
 eth-trunk 7
 carrier up-hold-time 10000
#
interface NULL0
=================================================================
               
Alarm information




Troubleshooting process

1. On the aggregation switch, check Eth-Trunk 6/7, the aggregation groups bound to the built-in boards.


2. Check whether traffic redirection on the S12708 is working.


3. Check whether the NGFW board can reach the IPS address.

Ping tests confirmed that the NGFW can reach the IPS address 10.0.201.244.

 

4. Remove the redirection to the IPS board and test again, to confirm that the NGFW's own configuration is correct.

In the field test, after the IPS board was powered off, traffic passing through the NGFW board and on to the external network ran normally, and the ping-failure symptom did not appear.

5. Using the same test method, add a traffic-filter policy on the Eth-Trunks bound to the built-in IPS/NGFW ports:

#
interface Eth-Trunk6
 description ith
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 23 to 24
 stp disable
 traffic-filter inbound acl 3001
#
interface Eth-Trunk7
 description ith
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 23 to 24
 stp disable
 traffic-filter inbound acl 3001

Root cause

Traffic leaving the NGFW board could not be redirected to the IPS board: the IPS-facing Eth-Trunk6/Eth-Trunk7 had no traffic-filter inbound acl 3001 configured, so traffic coming back from the IPS board (whose source addresses still match acl 3001) was matched again by the global redirect policy (traffic-redirect inbound acl 3001 ip-nexthop 10.XX.201.230) and sent back to the NGFW instead of toward the external network. An interface-level simplified traffic policy takes effect in place of the global one on that interface, which is why a plain permit filter on those trunks breaks the loop.

Solution

Configure traffic-filter inbound acl 3001 on Eth-Trunk6/7, the built-in aggregation groups between the IPS board and the S12708.
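To make the policy precedence behind the redirection configuration and the root cause concrete, here is an added Python model that is not part of the original case or of any Huawei code. It assumes acl 3001 covers 10.0.0.0/8 (the page redacts the second octet as XX), uses symbolic names in place of the real 10.XX.201.x next hops, assumes the intranet packet enters on a LAN-facing port called "uplink", shows one chassis only (Eth-Trunk5/7 are the second-chassis twins of 4/6), and encodes the rule that an interface-level simplified policy takes effect in place of the global one on that interface. It traces one packet with and without the fix and reports whether it is delivered or loops.

```python
"""Added model of the S12708 redirect chain in this case (not the page's
own configuration or Huawei code). Assumptions: acl 3001 covers 10.0.0.0/8,
next hops are symbolic names instead of the real 10.XX.201.x addresses, the
intranet packet enters on a LAN-facing port named "uplink", and an
interface-level simplified traffic policy takes effect in place of the
global one on that interface."""
import ipaddress

INTRANET = ipaddress.ip_network("10.0.0.0/8")   # acl 3001 rule 5 (assumed /8)
NGFW = "ngfw"   # stands for 10.XX.201.230, the global redirect next hop
IPS = "ips"     # stands for 10.XX.201.244/245, the PL1 redirect next hops

# Where each service board hands the packet back to the switch
# (assumed: one chassis shown; Eth-Trunk5/7 are the twins of 4/6).
RETURN_IFACE = {NGFW: "Eth-Trunk4", IPS: "Eth-Trunk6"}


def acl_3001(src: str) -> bool:
    """rule 5 permit ip source 10.XX.0.0 0.255.255.255"""
    return ipaddress.ip_address(src) in INTRANET


def build_switch(ips_filter_applied: bool) -> dict:
    """Interface-level simplified policy per ingress interface.

    None means no interface policy, so the global
    'traffic-redirect inbound acl 3001 ip-nexthop <NGFW>' applies.
    """
    switch = {
        "uplink": None,                   # LAN-facing port: global policy only
        "Eth-Trunk4": ("redirect", IPS),  # traffic-policy PL1 inbound
        "Eth-Trunk5": ("redirect", IPS),
        "Eth-Trunk6": None,               # IPS-facing trunk, before the fix
        "Eth-Trunk7": None,
    }
    if ips_filter_applied:
        # The fix: traffic-filter inbound acl 3001 on the IPS-facing trunks.
        # A permit filter forwards normally and shadows the global redirect.
        switch["Eth-Trunk6"] = ("permit", None)
        switch["Eth-Trunk7"] = ("permit", None)
    return switch


def lookup(switch: dict, ingress: str, src: str) -> tuple:
    """Return ('forward', 'external') or ('redirect', <next hop>)."""
    if not acl_3001(src):
        return ("forward", "external")
    policy = switch[ingress]
    if policy is not None:
        action, nexthop = policy
        if action == "redirect":
            return ("redirect", nexthop)
        return ("forward", "external")
    return ("redirect", NGFW)           # no interface policy: global applies


def trace(switch: dict, src: str, max_hops: int = 8) -> tuple:
    """Follow one packet from the LAN port until delivery or a loop."""
    ingress = "uplink"
    path = [ingress]
    seen = {ingress}
    for _ in range(max_hops):
        action, target = lookup(switch, ingress, src)
        path.append(target)
        if action == "forward":
            return ("delivered", path)
        ingress = RETURN_IFACE[target]
        if ingress in seen:             # back on an interface it already hit
            return ("loop", path)
        seen.add(ingress)
        path.append(ingress)
    return ("loop", path)


if __name__ == "__main__":
    for fixed in (False, True):
        status, path = trace(build_switch(fixed), "10.1.2.3")
        print(f"traffic-filter on Eth-Trunk6/7={fixed}: {status}: " + " -> ".join(path))
```

Without the filter the trace ends on the NGFW return trunk a second time (uplink, NGFW, Eth-Trunk4, IPS, Eth-Trunk6, NGFW, loop); with it, the packet returning on Eth-Trunk6 is forwarded to the external side. A source outside 10.0.0.0/8 never matches acl 3001 and is forwarded directly.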

Suggestions and summary

From the on-site troubleshooting and analysis: when traffic is redirected a second time, a forwarding loop can result, because under the global policy traffic redirected to the NGFW board is matched repeatedly. Filtering is needed on the S12708 ports toward the NGFW/IPS so that the traffic policy can re-redirect the traffic leaving the NGFW to the IPS board. What this project taught me is that service traffic needs finer-grained control.

END