The Redirection Configuration Does Not Take Effect on the S7700 Running V200R010C00SPC600

Publication Date: 2019-03-26

Issue Description

The redirection configuration does not take effect on the S7700 running V200R010C00SPC600.

Handling Process

1. Check whether the redirection configuration is applied and whether the rule for allowing packets to pass through is configured correctly. No configuration error is found.

2. Check whether the next hop can learn ARP entries and whether the redirection function takes effect.

[HLW-HJ-S7703-1]dis arp | in 172.30.254.6
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
172.30.254.6    40ee-dda2-eb03  15        D-0         GE1/0/0
------------------------------------------------------------------------------
Total:126       Dynamic:116     Static:0     Interface:10

3. Run the traffic statistics command in the traffic behavior view to check whether statistics about incoming packets matching the redirection rule are collected.

acl name pbr-test 3901
 rule 5 permit ip source 172.30.6.100 0
#
traffic classifier pbr-test operator or precedence 75
 if-match acl pbr-test
#
traffic behavior pbr-test
 permit
 redirect ip-nexthop 172.30.254.6
 statistic enable
#
traffic policy PBR-TEST match-order auto
 classifier pbr-test behavior pbr-test
#
interface GigabitEthernet3/0/12
 traffic-policy PBR-TEST inbound
#

[HLW-HJ-S7703-1]dis arp | in 172.30.6.100
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
172.30.6.100    6c0b-840b-a5a8  16        D-0         GE3/0/12
------------------------------------------------------------------------------
Total:126       Dynamic:116     Static:0     Interface:10
[HLW-HJ-S7703-1]
[HLW-HJ-S7703-1]dis traffic policy statistics interface g3/0/12 inbound

Interface: GigabitEthernet3/0/12
Traffic policy inbound: PBR-TEST
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 3
---------------------------------------------------------------------
 Matched          |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
   Passed         |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
   Dropped        |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
     Filter       |      Packets:                             0
                  |      Bytes:                               0

4. Check the traffic-filter configuration on the interface. After ACL rule 200 is deleted, the redirection function takes effect.

acl number 3155
 rule 5 deny tcp destination-port eq 445
 rule 200 permit ip

interface GigabitEthernet3/0/12
 description To_HL-29-12F-1_G0/0/49
 port link-type trunk
 port trunk allow-pass vlan 2 to 200
 stp root-protection
 traffic-filter inbound acl 3155
 traffic-policy PBR-TEST inbound

Root Cause

Both traffic-filter and traffic-policy are configured on the same interface. The traffic-filter configuration takes precedence over the traffic-policy configuration and is matched against traffic first. ACL 3155, which traffic-filter applies on the interface, contains rule 200 permit ip, which matches all packets. As a result, the switch cannot match the packets based on the traffic policy.

Suggestions

When configuring an ACL to filter packets using the traffic-filter command, you are advised to configure only the ACL rules with the deny action specified, instead of permit ip. In this way, packets that match no ACL rule are allowed to pass through by default.

 

Note:

After the traffic-filter command is run on an interface, the switch filters packets based on ACL rules:

If the action in an ACL rule is deny, the switch discards packets matching the rule.

If the action in an ACL rule is permit, the device forwards packets matching the rule.

If no rule is matched, packets are allowed to pass through.
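
The conflict described under Root Cause can be checked for across a saved configuration. The following Python script is an added example, not part of the original case or of any Huawei tool. The sample configuration is constructed from the lines shown above (the second interface is hypothetical), and the function names are illustrative.

```python
import re

# Constructed sample modelled on the configuration shown in this case.
SAMPLE_CONFIG = """\
acl number 3155
 rule 5 deny tcp destination-port eq 445
 rule 200 permit ip
#
interface GigabitEthernet3/0/12
 traffic-filter inbound acl 3155
 traffic-policy PBR-TEST inbound
#
interface GigabitEthernet3/0/13
 traffic-filter inbound acl 3155
#
"""

def parse_sections(config):
    """Map each unindented config line to the list of its indented child lines."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "#":
            current = None                      # section separator
        elif not line.startswith(" "):
            current = line.strip()              # new top-level section
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def find_shadowed_policies(config):
    """Return (interface, direction, acl, rule) for each catch-all permit that shadows a traffic-policy."""
    sections = parse_sections(config)
    catch_all = {}  # ACL number or name -> rules that permit every IP packet
    for header, body in sections.items():
        m = re.match(r"acl (?:number|name) (\S+)", header)
        if m:
            catch_all[m.group(1)] = [r for r in body if re.fullmatch(r"rule \d+ permit ip", r)]
    findings = []
    for header, body in sections.items():
        if not header.startswith("interface "):
            continue
        text = "\n".join(body)
        policy_dirs = set(re.findall(r"^traffic-policy \S+ (\w+)$", text, re.M))
        for direction, acl in re.findall(r"^traffic-filter (\w+) acl (?:name )?(\S+)", text, re.M):
            if direction in policy_dirs:        # same interface, same direction
                findings += [(header.split()[1], direction, acl, r) for r in catch_all.get(acl, [])]
    return findings

print(find_shadowed_policies(SAMPLE_CONFIG))
```

Only GigabitEthernet3/0/12 is reported, because the second interface has no traffic-policy for the filter to pre-empt. Deleting rule 200 clears the finding while rule 5, the deny for TCP port 445, stays in force.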
