[S12700-V200R010C00SPC600] IPv6 ping fails between directly connected devices

Published: 2017-05-03
Problem Description


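The S12708 cannot ping 2405:D900:FFFF:FE03::2/64 or 2405:D900:FFFF:FE03::3/64, while the S12712 and the Ruijie switch can ping each other's IPv6 addresses.

S12708 version: [S12700-V200R010C00SPC600];

S12712 version: [S12700 V200R008C00SPC500];

The configuration is as follows: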

S12708:

#

interface XGigabitEthernet2/8/0/1.1001

 dot1q termination vid 1001

 ipv6 enable

 ipv6 address 2405:D900:FFFF:FE03::1/64

#

S12712:

#

interface Vlanif1001

 ipv6 enable

 ipv6 address 2405:D900:FFFF:FE03::2/64

#

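Other configuration omitted.

Troubleshooting Process

1. Fault verification:

From the S12708, ping 2405:D900:FFFF:FE03::2 and 2405:D900:FFFF:FE03::3; both pings fail. The S12712 and the Ruijie switch can ping each other's IPv6 addresses;

2. Check the configuration on the S12708, the S12712 and the Ruijie switch, and confirm that no traffic filtering is configured;

3. Check ipv6 neighbor on the S12708. There are no entries for 2405:D900:FFFF:FE03::2 or 2405:D900:FFFF:FE03::3, so address resolution is judged to have failed.

4. On interface XGigabitEthernet2/8/0/1.1001 of the S12708, configure static ipv6 neighbor bindings to verify the conclusion of step 3: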

ipv6 neighbor 2405:D900:FFFF:FE03::2 xxxx-xxxx-xxxx vid 1001

ipv6 neighbor 2405:D900:FFFF:FE03::3 xxxx-xxxx-xxxx vid 1001

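Afterwards, 2405:D900:FFFF:FE03::2 and 2405:D900:FFFF:FE03::3 can be pinged, which shows that IPv6 ND address resolution is at fault. With verification complete, delete the static bindings.

Check the interface configuration on the S12708 and the S12712, as follows: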

S12708:

#

interface XGigabitEthernet2/8/0/1.1001

 dot1q termination vid 1001

 ipv6 enable

 ipv6 address 2405:D900:FFFF:FE03::1/64

#

S12712:

#

interface Vlanif1001

 ipv6 enable

 ipv6 address 2405:D900:FFFF:FE03::2/64

#

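  The configurations are consistent. However, the S12708 uses a VLAN termination sub-interface while the S12712 uses a Vlanif interface. Because the interface types differ, their default configurations may differ too, so the default configuration on both sides should be checked;

5. Check the default configuration of the relevant interfaces on the S12708 and the S12712, as follows: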

[ShuGateway-XGigabitEthernet2/8/0/1.1000]dis this inc

#

interface XGigabitEthernet2/8/0/1.1000

 undo shutdown

 enable snmp trap updown

 undo set flow-stat interval

 mtu 1500

 dot1q termination vid 1000

 undo arp direct-route enable

 ipv6 enable

 icmp host-unreachable send

 icmp redirect send

 icmp port-unreachable send

 icmp ttl-exceeded send

 undo ip verify source-address

 undo ip forward-broadcast

 undo clear ip df

 undo discard srr

 undo discard rr

 undo discard ra

 undo discard ts

 ipv6 address 2405:D900:FFFF:FE02::8/64

 ipv6 mtu 1500

 undo ipv6 nd nud reachable-time

 undo ipv6 nd ns retrans-timer

 undo ipv6 nd stale-timeout              

 ipv6 nd ra Max-interval 600

 ipv6 nd ra Min-interval 200

 ipv6 nd ra router-lifetime 1800

 undo ipv6 nd ra prefix default no-advertise

 ipv6 nd ra preference medium

 undo ipv6 nd ra halt

 undo ipv6 nd ra hop-limit

 undo ipv6 nd autoconfig managed-address-flag

 undo ipv6 nd autoconfig other-flag

 ipv6 nd dad attempts 1

 undo ipv6 nd ns multicast-enable

 ipv6 neighbor 2405:D900:FFFF:FE02::1 0881-f4ef-22e7 vid 1000

 arp learning strict trust

 undo arp-proxy enable

 undo arp-proxy inter-sub-vlan-proxy enable

 undo arp-proxy inner-sub-vlan-proxy enable

 undo arp broadcast enable

 undo rrpp snooping enable

 undo rrpp snooping all-vsi

 undo vrrp track bfd gratuitous-arp send enable

 undo urpf

 diffserv-mode uniform

 undo ip address bootp-alloc             

 undo ip address dhcp-alloc

#

return

[ShuGateway-XGigabitEthernet2/8/0/1.1000]

[SHU_12712-Vlanif1000]dis this incl

#

interface Vlanif1000

 undo shutdown

 undo set flow-stat interval

 mtu 1500

 undo arp detect-mode unicast

 arp-fake expire-time 3

 undo arp learning disable

 undo arp purge slowly

 ipv6 enable

 icmp host-unreachable send

 icmp redirect send

 icmp port-unreachable send

 icmp ttl-exceeded send

 undo ip verify source-address

 undo ip forward-broadcast

 undo clear ip df

 undo discard srr

 undo discard rr

 undo discard ra

 undo discard ts

 ipv6 address 2405:D900:FFFF:FE02::2/64

 ipv6 mtu 1500

 undo ipv6 nd nud reachable-time

 undo ipv6 nd ns retrans-timer           

 undo ipv6 nd stale-timeout

 ipv6 nd ra Max-interval 600

 ipv6 nd ra Min-interval 200

 ipv6 nd ra router-lifetime 1800

 undo ipv6 nd ra prefix default no-advertise

 ipv6 nd ra halt

 undo ipv6 nd ra hop-limit

 undo ipv6 nd autoconfig managed-address-flag

 undo ipv6 nd autoconfig other-flag

 ipv6 nd dad attempts 1

 ipv6 nd neighbor-limit 128000

 ipv6 nd learning strict trust

 damping time 0

 arp learning strict trust

 undo arp-proxy enable

 undo arp-proxy inter-sub-vlan-proxy enable

 undo arp-proxy inner-sub-vlan-proxy enable

 undo arp broadcast disable

 undo rrpp snooping enable

 undo ip forward-mode dstmac-independent

 diffserv-mode uniform

 undo arp anti-attack gratuitous-arp drop

 undo arp gratuitous-arp send enable

 undo arp anti-attack entry-check enable 

 undo ip address bootp-alloc

 undo ip address dhcp-alloc

 undo statistic enable both

#

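  Comparison shows that interface XGigabitEthernet2/8/0/1.1001 on the S12708 carries the default command [undo ipv6 nd ns multicast-enable], which disables sending of multicast NS packets on the termination sub-interface. This affects IPv6 ND address resolution, so the peer's MAC address cannot be learned;

6. Run the command [ipv6 nd ns multicast-enable] on the corresponding sub-interface of the S12708 and test again. IPv6 now works between the S12708, the S12712 and the Ruijie switch, and the fault is cleared;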
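
The comparison in step 5 can be scripted. The following is an added example, not part of the original case or of any Huawei tooling: it diffs the ND-related lines of two include-default dumps and flags a dot1q termination sub-interface that cannot send multicast NS. The function names and the trimmed sample dumps are assumptions made for illustration.

```python
import re

# Constructed excerpts: only lines taken from the two include-default dumps in step 5.
SUBIF_DUMP = """interface XGigabitEthernet2/8/0/1.1000
 dot1q termination vid 1000
 ipv6 enable
 undo ipv6 nd ra halt
 ipv6 nd dad attempts 1
 undo ipv6 nd ns multicast-enable
"""
VLANIF_DUMP = """interface Vlanif1000
 ipv6 enable
 ipv6 nd ra halt
 ipv6 nd dad attempts 1
 ipv6 nd neighbor-limit 128000
 ipv6 nd learning strict trust
"""

def nd_settings(dump):
    """Map each 'ipv6 nd ...' command to True (set) or False (negated with 'undo')."""
    settings = {}
    for raw in dump.splitlines():
        m = re.match(r"\s*(undo\s+)?(ipv6 nd \S.*?)\s*$", raw)
        if m:
            settings[m.group(2)] = m.group(1) is None
    return settings

def nd_diff(dump_a, dump_b):
    """Return (command, state_a, state_b) for every ND command whose state differs.
    None means the command does not appear on that interface at all."""
    a, b = nd_settings(dump_a), nd_settings(dump_b)
    return sorted((cmd, a.get(cmd), b.get(cmd))
                  for cmd in a.keys() | b.keys() if a.get(cmd) != b.get(cmd))

def passive_nd_only(dump):
    """True for a dot1q termination sub-interface with IPv6 enabled that does not
    have 'ipv6 nd ns multicast-enable', so it cannot send multicast NS itself."""
    lines = [line.strip() for line in dump.splitlines()]
    terminated = any(line.startswith("dot1q termination vid") for line in lines)
    return (terminated and "ipv6 enable" in lines
            and "ipv6 nd ns multicast-enable" not in lines)

if __name__ == "__main__":
    for cmd, sub, vlanif in nd_diff(SUBIF_DUMP, VLANIF_DUMP):
        print(f"{cmd!r}: sub-interface={sub} vlanif={vlanif}")
    print("sub-interface passive ND only:", passive_nd_only(SUBIF_DUMP))
```

Because the check looks for the exact enabling line, it also works on a plain configuration dump where the default is simply not shown.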


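Root Cause

A termination sub-interface on the device can learn ND entries actively, by sending multicast NS packets, or passively, by responding to NS packets. When a multicast NS packet needs to be sent out of a termination sub-interface (that is, active ND learning) but no corresponding ND entry exists, this command must be run to enable the termination sub-interface to send multicast NS packets.

  • If this command is not configured on the termination sub-interface, the system discards the multicast NS packet directly.

  • If this command is configured on the termination sub-interface, the system constructs a tagged multicast NS packet and sends it out of that termination sub-interface.

Sending multicast NS packets consumes CPU. When the system's CPU performance is low, it is therefore recommended not to enable the termination sub-interface to send multicast NS packets for active ND learning, and instead to learn ND entries passively by responding to NS packets.

Solution

Option 1: Enable sending of multicast NS packets on the dot1q termination sub-interface: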

ipv6 nd ns multicast-enable

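Option 2: This environment has few neighbor nodes and they are fairly fixed, so static bindings can be considered to improve stability and security and to reduce overhead: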

ipv6 neighbor 2405:D900:FFFF:FE03::2 xxxx-xxxx-xxxx vid 1001

ipv6 neighbor 2405:D900:FFFF:FE03::3 xxxx-xxxx-xxxx vid 1001

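Recommendations and Summary

Compared with [S12700 V200R008C00SPC500] and earlier versions, version [S12700-V200R010C00SPC600] adds support for enabling IPv6 on dot1q termination sub-interfaces. By default, however, sending multicast NS packets is disabled on dot1q termination sub-interfaces. This differs from the default state of physical interfaces and Vlanif interfaces, so the function must be enabled manually.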

END