After replacing a Cisco switch with a CE6851, traffic through vpn-instance interfaces shows packet loss

Published: 2017-05-18  Views: 409  Downloads: 0

Problem description


Servers hang off a CE5855. Users can reach the servers, but the servers must be isolated from one another while sitting in the same subnet, so the isolation is implemented with VRFs (vpn-instances). The CE6851 position used to be a Cisco device; after it was replaced with the Huawei switch, pinging a server from the Hillstone firewall alternates between one reply and one lost packet.

Configuration:

CE6851:

#
vlan batch 1001 2001 to 2100 4002 4041
#
telnet ipv6 server disable
#
diffserv domain default
#
ip vpn-instance QuanShang04
 ipv4-family 
  route-distinguisher 65001:4
  vpn-target 4:101 export-extcommunity
  vpn-target 4:101 import-extcommunity
#
ip vpn-instance QuanShang08
 ipv4-family 
  route-distinguisher 65001:8
  vpn-target 8:101 export-extcommunity
  vpn-target 8:101 import-extcommunity
#
ip vpn-instance QuanShang09
 ipv4-family 
  route-distinguisher 65001:9
  vpn-target 9:101 export-extcommunity
  vpn-target 9:101 import-extcommunity
#
acl number 2000
 rule 10 permit source 10.131.0.192 0.0.0.63
 rule 20 permit source 10.131.80.128 0.0.0.127
 rule 30 deny
#
acl number 2001
 rule 10 permit source 10.131.0.192 0.0.0.63
 rule 20 deny
#
acl number 2088
 rule 10 permit source 10.131.80.144 0
 rule 20 deny
#
aaa
 local-user superman password irreversible-cipher $1a$3W[7Ie(5Q,$hv~"/q2U=PSDrz:q3fpQ/2({$'C8=SQ2M];Z1vW/$
 local-user superman service-type terminal telnet
 local-user superman level 15
 local-user xinxinet password irreversible-cipher $1a$W8#jL@&9^>$`cfz0[gL,01F<#KT[]DGNMS<@Ox\*!2VF(T:BYaL$
 local-user xinxinet service-type terminal telnet
 local-user xinxinet level 1
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
 domain default_admin
#
stack
#
interface Vlanif1001
 ip address 10.11.13.253 255.255.255.252
#
interface Vlanif2004
 ip binding vpn-instance QuanShang04
 ip address 10.81.79.254 255.255.255.0
#
interface Vlanif2008
 ip binding vpn-instance QuanShang08
 ip address 10.81.79.254 255.255.255.0
#
interface Vlanif2009
 ip binding vpn-instance QuanShang09
 ip address 10.81.79.254 255.255.255.0
#
interface Vlanif4002
 ip address 10.131.80.144 255.255.255.128
 traffic-filter acl 2088 outbound 
#
interface Vlanif4041
 ip address 10.81.79.254 255.255.255.0
#
interface MEth0/0/0
#
interface Eth-Trunk1
 port default vlan 1001
#
interface Eth-Trunk2
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface 10GE1/0/1
 eth-trunk 1
 device transceiver 1000BASE-X
#
interface 10GE1/0/2
 eth-trunk 1
 device transceiver 1000BASE-X
#
interface 10GE1/0/3
 eth-trunk 2
 device transceiver 10GBASE-FIBER
#
interface 10GE1/0/4
 eth-trunk 2
 device transceiver 10GBASE-FIBER
#
#
ip route-static 0.0.0.0 0.0.0.0 Vlanif1001 10.11.13.254
ip route-static 10.81.79.0 255.255.255.240 Vlanif2008
ip route-static 10.81.79.16 255.255.255.240 Vlanif2004
ip route-static 10.81.79.32 255.255.255.240 Vlanif2009
ip route-static 10.131.0.192 255.255.255.192 Vlanif4002 10.131.80.202
ip route-static 192.168.71.192 255.255.255.192 Vlanif4002 10.131.80.201
ip route-static 192.168.79.192 255.255.255.192 Vlanif4002 10.131.80.201
#

CE5855:

#
vlan batch 2001 to 2100 4002 4041
#
telnet ipv6 server disable
#
diffserv domain default
#
acl number 2000
 rule 10 permit source 10.131.0.192 0.0.0.63
 rule 20 permit source 10.131.80.128 0.0.0.127
 rule 30 deny
#
acl number 2001
 rule 10 permit source 10.131.0.192 0.0.0.63
 rule 20 deny
#
acl number 2088
 rule 10 permit source 10.131.80.151 0
 rule 20 deny
#
aaa
 local-user superman password irreversible-cipher $1a$p~Q9Fkx@u4$ct\%$p+g(CiukQ9vnfVP~/Ah:&ZL@(*c,^Dvjrd-$
 local-user superman service-type terminal telnet
 local-user superman level 15
 local-user xinxinet password irreversible-cipher $1a$$xz$17KgH7$3A'}SLliS>qr/>RzS_C#3s,q6cDJP*PJ3DK@k|MI$
 local-user xinxinet service-type terminal telnet
 local-user xinxinet level 1
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
 domain default_admin
#
stack
#
interface Vlanif4002
 ip address 10.131.80.151 255.255.255.128
 traffic-filter acl 2088 outbound 
#
interface MEth0/0/0
#
interface Eth-Trunk1
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/1
 port default vlan 4002
#
interface GE1/0/2
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/3
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/4
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/5
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/6
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/7
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/8
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/9
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/10
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/11
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/12
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/13
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/14
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/15
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/16
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/17
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
interface GE1/0/18
 port link-type trunk
 port trunk pvid vlan 4041
 port trunk allow-pass vlan 2001 to 2100 4041
#
#
interface 10GE1/0/1
 eth-trunk 1
 device transceiver 10GBASE-FIBER
#
interface 10GE1/0/2
 eth-trunk 1
 device transceiver 10GBASE-FIBER
#


Alarm information


Handling process

1. Analysis of a packet capture taken on the live network showed that the reply packets the CE6851 sent back to the server were being lost, as follows:

2. Looking further at how the packets were being discarded, we found that a large number of ARP miss messages were occurring at the time, as follows:

3. An ARP miss should lead to new ARP entries being learned, but querying the ARP table on the device showed no new entries, as follows:

4. We therefore concluded that the line card's forwarding layer was dropping the packets, and the low-level (chip) commands confirmed that packets were indeed being discarded, as follows:

Root cause

The root cause is that the static routes whose outbound interface is a Vlanif carry a mask that differs from the mask of the IP address configured on that Vlanif. In the CE6851 configuration above, the `ip route-static 10.81.79.0/16/32 255.255.255.240 Vlanif2008/2004/2009` entries use a /28 mask, while Vlanif2004, Vlanif2008 and Vlanif2009 are each configured with `ip address 10.81.79.254 255.255.255.0`. Because these routes name no next-hop address, the switch must resolve the destination itself by ARP on that Vlanif; with the mismatched masks the ARP entry is never installed, which matches the ARP miss messages and the missing ARP entries seen above.


Solution

There are two solutions for the live network:

Solution 1:

When configuring the static route, specify the server IP as the next hop after the Vlanif (with this option, every newly added server requires a configuration change on the device).

For example: ip route-static 10.81.79.16 255.255.255.240 Vlanif2004  X.X.X.X (server IP)

Solution 2:

Configure the mask of the IP address on the upstream Vlanif and the mask of the static route whose outbound interface is that Vlanif to be the same.
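A configuration check for the root cause and both solutions described above, added here as an example (it is not code from this case or from Huawei): it parses Vlanif addresses and static routes from a constructed config condensed from the CE6851 section and flags any static route whose outbound interface is a Vlanif, that names no next hop, and whose mask differs from the Vlanif's. The function names and the sample server IP 10.81.79.1 (solution 1 applied to one route) are assumptions.

```python
import ipaddress
import re

# Constructed sample, condensed from the CE6851 configuration on this page. The route via
# Vlanif2008 has solution 1 applied (10.81.79.1 is a made-up server IP); the route via
# Vlanif2004 still carries the mismatched /28 mask against the Vlanif's /24 address.
SAMPLE_CONFIG = """\
interface Vlanif2004
 ip binding vpn-instance QuanShang04
 ip address 10.81.79.254 255.255.255.0
#
interface Vlanif2008
 ip binding vpn-instance QuanShang08
 ip address 10.81.79.254 255.255.255.0
#
interface Vlanif4002
 ip address 10.131.80.144 255.255.255.128
#
ip route-static 10.81.79.0 255.255.255.240 Vlanif2008 10.81.79.1
ip route-static 10.81.79.16 255.255.255.240 Vlanif2004
ip route-static 10.131.0.192 255.255.255.192 Vlanif4002 10.131.80.202
ip route-static vpn-instance QuanShang04 0.0.0.0 0.0.0.0 Vlanif1001 10.11.13.254
"""

# dest, mask, outbound Vlanif, optional next hop; the vpn-instance prefix is skipped over.
ROUTE_RE = re.compile(r"^ip route-static (?:vpn-instance \S+ )?(\S+) (\S+) (Vlanif\d+)(?: (\S+))?\s*$")


def parse_vlanif_masks(config):
    """Map each Vlanif name to the prefix length of its configured IP address."""
    masks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface Vlanif"):
            current = line.split()[1]
        elif line.strip() == "#":  # end of the interface view
            current = None
        elif current and line.strip().startswith("ip address "):
            addr, mask = line.split()[2:4]
            masks[current] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False).prefixlen
    return masks


def find_mask_mismatches(config):
    """Static routes out of a Vlanif, with no next hop, whose mask differs from the Vlanif's."""
    masks, findings = parse_vlanif_masks(config), []
    for m in filter(None, map(ROUTE_RE.match, config.splitlines())):
        dest, mask, vlanif, nexthop = m.groups()
        if nexthop or vlanif not in masks:
            continue  # next hop given (solution 1) or interface is not a known Vlanif
        route_len = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False).prefixlen
        if route_len != masks[vlanif]:  # solution 2 is to make these equal
            findings.append((f"{dest}/{route_len}", vlanif, route_len, masks[vlanif]))
    return findings
```

Run it against a full `display current-configuration` dump; each finding is a route that should get either a next-hop server IP (solution 1) or a mask equal to the Vlanif's (solution 2).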

END