AR3260 (V200R005C20SPC200): private network unreachable after replacing a Cisco PE router

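Published: 2015-08-04
Problem Description
The Cisco router configuration was first translated into an equivalent Huawei AR3260 configuration, then the links were cut over to the AR3260 and the routing and ARP information was checked and compared. After the cutover, the OSPF neighbor table, BGP neighbor table, MPLS forwarding table, ARP table, routing table and VPN instance routing tables were all complete and correct, but a ping test showed that the VPN instance could not reach the provincial customs server. A further check showed that no service in any of the VPNs could communicate.
Alarm Information
Handling Process
The analysis went as follows:
1. OSPF neighbors, BGP VPNv4 peers and MPLS LSPs were all normal.
2. The routing table and the VPN instance routing tables had learned the routes.
3. Ping tests for the production-network VPN instance and the management-network VPN instance both failed: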
<XX_WN_PE_3260_02>ping -vpn-instance YX 10.23.2.1
  PING 10.23.2.1: 56  data bytes, press CTRL_C to break
    Request time out
  --- 10.23.2.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
<XX_WN_PE_3260_02>ping -vpn-instance GL 10.73.1.18
  PING 10.73.1.18: 56  data bytes, press CTRL_C to break
    Request time out
  --- 10.73.1.18 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
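4. The analysis above shows that the PE receives VPNv4 routes without problems, that the routes are selected as best and installed in the VPN instance routing tables, and that the MPLS forwarding table is correct. The next step is to check whether route advertisement is the problem. Use debugging bgp packet send to view the BGP packets being sent.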
Jul 1 2015 20:01:49.992.1-08:00 Huawei RM/6/RMDEBUG:
        BGP.Public: Send OPEN MSG to peer 172.16.0.253, Version: 4
        Local AS: 65000, HoldTime: 180, Router ID: 172.16.5.254
Jul 1 2015 20:01:49.992.2-08:00 Huawei RM/6/RMDEBUG:
        OPT Type:   2 (Capability)   
        CAP Type:   1 (Multiprotocol)  CAP Len:  4  
                                       IPv4-UNC (1/1)
                                       IPv4-VPN (1/128)
        CAP Type:   2 (RouteRefresh)   CAP Len:  0  
        CAP Type:  65 (4-byte-as)      CAP Len:  4   AS number: 65000

        Total CAPB Len    : 20
        Total OPT Len     : 22
        Total Message Len : 51
Jul 1 2015 20:01:50.132.1-08:00 Huawei RM/6/RMDEBUG:
        BGP.Public: Send OPEN MSG to peer 172.16.0.253, Version: 4
        Local AS: 65000, HoldTime: 180, Router ID: 172.16.5.254

Jul 1 2015 20:01:50.132.2-08:00 Huawei RM/6/RMDEBUG:
        OPT Type:   2 (Capability)   
        CAP Type:   1 (Multiprotocol)  CAP Len:  4  
                                       IPv4-UNC (1/1)
                                       IPv4-VPN (1/128)
        CAP Type:   2 (RouteRefresh)   CAP Len:  0  
        CAP Type:  65 (4-byte-as)      CAP Len:  4   AS number: 65000

        Total CAPB Len    : 20
        Total OPT Len     : 22
        Total Message Len : 51
Jul 1 2015 20:01:50.142.1-08:00 Huawei RM/6/RMDEBUG:
        BGP.Public: Send KEEPALIVE MSG to peer 172.16.0.253
        Length 19
Jul 1 2015 20:01:50-08:00 Huawei %%01BGP/3/STATE_CHG_UPDOWN(l)[12]:The status of the peer 172.16.0.253 changed from OPENCONFIRM to ESTABLISHED. (InstanceName=Public, StateChangeReason=Up)
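No UPDATE message was sent during the BGP exchange. The problem was therefore narrowed down: because the router sent no UPDATE messages, the peer PE never learned this device's routes, so packets went out but replies never came back, and communication could not be established.
5. A check of the translated BGP route-policy configuration showed that BGP sent no route updates because the ACL match did not carry the VPN instance.
Cisco BGP route-policy configuration: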
router bgp 65000
bgp router-id 172.16.5.254
bgp log-neighbor-changes
neighbor 172.16.0.253 remote-as 65000
neighbor 172.16.0.253 update-source Loopback0
neighbor 172.16.0.254 remote-as 65000
neighbor 172.16.0.254 update-source Loopback0
!
address-family vpnv4
  neighbor 172.16.0.253 activate
  neighbor 172.16.0.253 send-community extended
  neighbor 172.16.0.253 route-map SET-LOCAL-PREFERENCE out
  neighbor 172.16.0.254 activate
  neighbor 172.16.0.254 send-community extended
  neighbor 172.16.0.254 route-map SET-LOCAL-PREFERENCE out
exit-address-family
!
address-family ipv4 vrf GL
  redistribute ospf 200 match internal external 1 external 2
exit-address-family
!
address-family ipv4 vrf YX
  redistribute ospf 100 match internal external 1 external 2
exit-address-family
!
ip access-list extended YX
permit ip 10.23.0.0 0.0.255.255 any
!
ip access-list extended GL
permit ip 10.73.0.0 0.0.255.255 any
route-map SET-LOCAL-PREFERENCE permit 10
match ip address YX
set local-preference 90
!
route-map SET-LOCAL-PREFERENCE permit 20
match ip address GL
set local-preference 110
!
Huawei BGP route-policy configuration:
acl name GL 3998
rule 5 permit ip source 10.73.0.0 0.0.255.255   // no vpn-instance is specified here, so route entries in the VPN instance routing table are not matched
acl name YX 3999
rule 5 permit ip source 10.23.0.0 0.0.255.255
#
route-policy SET-LOCAL-PREFERENCE permit node 10
if-match acl YX
apply local-preference 90
#
route-policy SET-LOCAL-PREFERENCE permit node 20
if-match acl GL
apply local-preference 110
#
bgp 65000
router-id 172.16.5.254
peer 172.16.0.253 as-number 65000
peer 172.16.0.253 connect-interface LoopBack0
peer 172.16.0.254 as-number 65000
peer 172.16.0.254 connect-interface LoopBack0
#
ipv4-family unicast
  undo synchronization
  peer 172.16.0.253 enable
  peer 172.16.0.254 enable
#
ipv4-family vpnv4
  policy vpn-target
  peer 172.16.0.253 enable
  peer 172.16.0.253 route-policy SET-LOCAL-PREFERENCE export
  peer 172.16.0.253 advertise-community
  peer 172.16.0.254 enable
  peer 172.16.0.254 route-policy SET-LOCAL-PREFERENCE export
  peer 172.16.0.254 advertise-community
#
ipv4-family vpn-instance GL
  import-route ospf 200
#
ipv4-family vpn-instance YX
  import-route ospf 100
#
Solution
Add the VPN instance to the ACL rules. This resolved the problem. The configuration is as follows:
acl name GL 3998
rule 5 permit ip vpn-instance GL source 10.73.0.0 0.0.255.255
acl name YX 3999
rule 5 permit ip vpn-instance YX source 10.23.0.0 0.0.255.255
#
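Suggestions and Summary
When an ACL is used in a route-policy to match routes, check whether the route entries are in the global routing table or in a VPN instance routing table. If the routes to be matched are in a VPN instance routing table, the ACL rule must include the VPN instance name to distinguish them.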
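
A pre-cutover check for the rule above, as an added example (not part of the original case and not a Huawei tool): it scans a Huawei-style configuration for ACL rules without vpn-instance that are referenced by a route-policy applied to a peer under ipv4-family vpnv4. The function name, the trimmed sample text and the vpnv4-only heuristic are assumptions made for this illustration.

```python
import re

# Constructed sample: the faulty Huawei excerpt from this case, trimmed.
FAULTY_CONFIG = """\
acl name GL 3998
 rule 5 permit ip source 10.73.0.0 0.0.255.255
acl name YX 3999
 rule 5 permit ip source 10.23.0.0 0.0.255.255
#
route-policy SET-LOCAL-PREFERENCE permit node 10
 if-match acl YX
#
route-policy SET-LOCAL-PREFERENCE permit node 20
 if-match acl GL
#
bgp 65000
 ipv4-family vpnv4
  peer 172.16.0.253 route-policy SET-LOCAL-PREFERENCE export
"""

def find_acl_rules_missing_vpn_instance(config):
    """Return sorted (policy, acl, rule) tuples for ACL rules without
    vpn-instance that a route-policy applied under vpnv4 depends on."""
    acl_rules, policy_acls, vpn_policies = {}, {}, set()
    acl = policy = None          # section currently being parsed
    in_vpnv4 = False             # inside "ipv4-family vpnv4" (assumed heuristic)
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"acl name (\S+)", line):
            acl, policy = m.group(1), None
            acl_rules.setdefault(acl, [])
        elif m := re.match(r"route-policy (\S+) (permit|deny) node \d+", line):
            policy, acl = m.group(1), None
        elif line.startswith("rule ") and acl:
            acl_rules[acl].append(line)
        elif (m := re.match(r"if-match acl (\S+)", line)) and policy:
            policy_acls.setdefault(policy, set()).add(m.group(1))
        elif line.startswith("ipv4-family "):
            in_vpnv4 = line == "ipv4-family vpnv4"
        elif in_vpnv4 and (m := re.match(r"peer \S+ route-policy (\S+) (import|export)", line)):
            vpn_policies.add(m.group(1))
    return sorted((p, a, r) for p in vpn_policies
                  for a in policy_acls.get(p, ())
                  for r in acl_rules.get(a, ())
                  if "vpn-instance" not in r.split())

if __name__ == "__main__":
    print(*find_acl_rules_missing_vpn_instance(FAULTY_CONFIG), sep="\n")
```

Run against the corrected ACLs from the Solution section, the function returns an empty list.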
