1. Checking Whether the Traffic Policy Is Configured Correctly
Check the traffic policy configuration.
<HUAWEI> display traffic policy user-defined
  User Defined Traffic Policy Information:
  Policy: wz                    //Traffic policy name
   Classifier: wz               //Traffic classifier name
    Operator: AND               //Logical relationship between rules in the traffic classifier
    Behavior: wz                //Traffic behavior name
     Redirect: no forced
      Redirect ip-nexthop       //Action in the traffic behavior
      1.1.1.1
  Total policy number is 1
Policy-based routing (PBR) is a mechanism that makes routing decisions based on user-defined routing policies. If the traffic behavior or traffic classifier referenced by a traffic policy is incorrect, clear the existing configuration and then modify the traffic policy configuration.
Delete the traffic classifier referenced by a traffic policy.
[HUAWEI] traffic policy wz
[HUAWEI-trafficpolicy-wz] undo classifier wz
Modify the traffic classifier referenced by a traffic policy.
[HUAWEI-trafficpolicy-wz] classifier c1 behavior wz
Check the traffic classifier configuration.
<HUAWEI> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: wz
Operator: AND
Rule(s) : if-match acl 3000 //ACL rule
Check whether the ACL configuration is consistent with the characteristics of redirected packets.
<HUAWEI> display acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
 rule 5 permit ip source 172.16.115.0 0.0.0.255 (match-counter 0)
 rule 10 permit ip source 172.16.0.0 0.0.7.255 (match-counter 0)
If the ACL configuration is inconsistent with the characteristics of the redirected packets, modify the ACL. In this example the traffic to be redirected comes from 172.16.8.0/24, but rule 10 (172.16.0.0 0.0.7.255) covers only 172.16.0.0 to 172.16.7.255, so rule 10 is rewritten:
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 10 permit ip source 172.16.8.0 0.0.0.255
[HUAWEI-acl-adv-3000] quit
[HUAWEI] display acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
 rule 5 permit ip source 172.16.115.0 0.0.0.255 (match-counter 0)
 rule 10 permit ip source 172.16.8.0 0.0.0.255 (match-counter 0)
If the mask is specified to match the source or destination IP address, ensure that the mask configuration is consistent with the matched service traffic range. For example, to configure PBR on packets with the source network segment 10.20.113.x and destination network segment 10.20.81.x, run the following command:
acl number 3003
 rule 5 permit ip source 10.20.113.0 0.0.0.255 destination 10.20.81.0 0.0.0.255
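Checking a wildcard mask against the traffic you intend to redirect does not require touching the switch. The following Python example is added here and is not part of the page or of any Huawei tool: it parses `display acl` rule lines of the form `rule N permit|deny ip [source A W] [destination A W]`, applies the wildcard semantics (a 1 bit means "do not care"), and reports which rule a given packet hits first in rule-number order. The ACL text and packet addresses below are constructed from the examples above; rule syntax beyond that form (ports, protocols other than ip) is deliberately not handled.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the "rule N permit|deny ip [source A W] [destination A W]" form used on this page.
# A trailing "(match-counter 0)" from display acl output is ignored.
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?"
)

def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def _wildcard(w: Optional[str]) -> str:
    # Absent field = any address; "0" is the abbreviated host wildcard 0.0.0.0.
    if w is None:
        return "255.255.255.255"
    return "0.0.0.0" if w == "0" else w

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 1 bit means 'do not care', a 0 bit must match the base exactly."""
    care = 0xFFFFFFFF ^ _int(wildcard)
    return (_int(addr) & care) == (_int(base) & care)

def covered_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address a contiguous wildcard covers, i.e. what the rule really spans."""
    w = _int(wildcard)
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard does not describe a single range")
    low = _int(base) & (0xFFFFFFFF ^ w)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | w))

@dataclass
class Rule:
    number: int
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))

def parse_acl(text: str) -> List[Rule]:
    rules = []
    for m in RULE_RE.finditer(text):
        num, action, s, swc, d, dwc = m.groups()
        rules.append(Rule(int(num), action, s or "0.0.0.0", _wildcard(swc),
                          d or "0.0.0.0", _wildcard(dwc)))
    # Rules are evaluated in ascending rule-number order (the default match order).
    return sorted(rules, key=lambda r: r.number)

def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Rule a packet src->dst hits first, or None when no rule matches (classifier does not match)."""
    for r in rules:
        if r.matches(src, dst):
            return r
    return None

# Constructed from the display acl output above: rule 10 before and after the correction.
ACL_BEFORE = """\
rule 5 permit ip source 172.16.115.0 0.0.0.255 (match-counter 0)
rule 10 permit ip source 172.16.0.0 0.0.7.255 (match-counter 0)
"""
ACL_AFTER = """\
rule 5 permit ip source 172.16.115.0 0.0.0.255 (match-counter 0)
rule 10 permit ip source 172.16.8.0 0.0.0.255 (match-counter 0)
"""
ACL_3003 = "rule 5 permit ip source 10.20.113.0 0.0.0.255 destination 10.20.81.0 0.0.0.255"

if __name__ == "__main__":
    print("rule 10 before covers", covered_range("172.16.0.0", "0.0.7.255"))
    for name, text in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        hit = first_match(parse_acl(text), "172.16.8.5", "10.0.0.9")
        print(f"{name}: 172.16.8.5 hits rule {hit.number if hit else None}")
```

`covered_range` is the quick way to see why the original rule 10 misses 172.16.8.x, and `first_match` also catches ordering problems: a broad earlier rule silently shadows a narrower later one.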
Check the traffic behavior configuration.
The traffic behavior can be redirection to a single or multiple next hops. Check whether next-hop addresses are configured correctly. Next-hop addresses must be Layer 3 interface addresses on the remote device.
If a VLANIF interface on the switch is bound to a VPN, VPN information must be specified during the redirection next-hop configuration.
Redirect packets to a single next hop:
[HUAWEI] traffic behavior wz
[HUAWEI-behavior-wz] redirect ip-nexthop 10.0.0.1
Redirect packets to multiple next hops:
[HUAWEI] traffic behavior wz
[HUAWEI-behavior-wz] redirect ip-multihop nexthop 10.1.42.1 nexthop 10.2.12.3 nexthop 10.1.1.2
After redirection to multiple next hops is configured, if the outbound interface for the current next hop becomes Down or the current route changes, traffic can be quickly switched to the outbound interface for an available next hop. If all configured next hops are unavailable, the switch forwards packets according to their destination addresses. If packets match multiple ACLs, the switch preferentially performs the behavior in the first ACL. If behavior execution fails, the switch performs the behavior in subsequently matched ACL.
2. Checking Whether the Traffic Policy Is Applied Correctly
Check the use records of the traffic policy.
<HUAWEI> display traffic-policy applied-record wz   //Display the records of a specified traffic policy, named wz for example.
-------------------------------------------------
  Policy Name:   wz          //Traffic policy name
  Policy Index:  4
     Classifier:wz   Behavior:wz
-------------------------------------------------
 *interface Eth-Trunk11       //Apply the traffic policy on an interface.
    traffic-policy wz inbound //Apply the traffic policy in the inbound direction.
      slot 1/1    : success   //Indicate whether the traffic policy is applied successfully.
      slot 2/1    : success
-------------------------------------------------
  Policy total applied times: 1
Generally, a traffic policy can be applied globally, on an interface, or in a VLAN in the inbound or outbound direction. PBR can only be applied globally, on an interface, or in a VLAN in the inbound direction.
Apply the traffic policy on a specified interface in the inbound direction.
[HUAWEI] interface Eth-Trunk11
[HUAWEI-Eth-Trunk11] traffic-policy wz inbound
3. Checking Whether ACL Resources Are Sufficient
Check ACL resource usage.
If the system prompts that ACL resources are insufficient when you configure PBR, the use of ACL resources on the switch needs to be optimized.
Error: The configuration failed due to insufficient resources in slot 5.
Run the following command to check ACL resource usage.
[HUAWEI] display acl resource slot 5   //Display ACL resources in slot 5.
 Slot 5
                 Vlan-ACL   Inbound-ACL   Outbound-ACL
 ------------------------------------------------------------------
 Rule Used            10           344              6   //Number of used ACLs
 Rule Free          2038          7848           1018   //Number of available ACLs
 Rule Total         2048          8192           1024   //Total number of ACLs
 Meter Used            0            58              0   //Number of used meter resources
 Meter Free            0          8134           1024   //Number of available meter resources
 Meter Total           0          8192           1024   //Total number of meter resources
 Counter Used          0            58              0   //Number of used counter resources
 Counter Free          0          8134           1024   //Number of available counter resources
 Counter Total         0          8192           1024   //Total number of counter resources
 ------------------------------------------------------------------
On an S5720EI/S5320EI, S6720EI/S6320EI, S6720S-EI, or modular switch using non-X1E cards, you can also run the following command in the diagnostic view to check ACL resource usage.
[HUAWEI] diagnose
[HUAWEI-diagnose] display fpi resource slot 0 acl rule all
Query Result:
TotalRes:20992   //Total number of ACLs
UsedRes:120      //Number of used ACLs
FreeRes:20872    //Number of available ACLs
In addition to deleting unneeded services to release ACL resources, you can adjust the ACL application range or combine ACL rules for the services.
For example, the following content is included in 1K ACL rules:
acl number 3009
 rule 1 permit ip source 10.1.1.1 0 destination 10.10.1.1 0
 rule 2 permit ip source 10.1.1.2 0 destination 10.10.1.1 0
 rule 3 permit ip source 10.1.1.3 0 destination 10.10.1.1 0
 rule 4 permit ip source 10.1.1.4 0 destination 10.10.1.1 0
 ...
 rule 255 permit ip source 10.1.1.255 0 destination 10.10.1.1 0
 rule 256 permit ip source 10.1.2.1 0 destination 10.10.1.1 0
 ...
 rule 510 permit ip source 10.1.2.255 0 destination 10.10.1.1 0
 ...
 rule 801 deny tcp destination-port eq www    //Port 80
 rule 802 deny tcp destination-port eq 81
 rule 803 deny tcp destination-port eq 82
 ...
 rule 830 deny tcp destination-port eq pop2   //Port 109
 rule 831 deny tcp destination-port eq pop3   //Port 110
 ...
 rule 1000 xxx
Rules 1 through 510 match on source and destination IP addresses, and their source addresses together cover the network segments 10.1.1.0/24 and 10.1.2.0/24. They can therefore be combined into the following two rules using the IP address wildcard mask.
acl number 3009
 rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.10.1.1 0
 rule 2 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.1.1 0
 ...
After combination, the 510 host rules become 2 rules and the 1000-rule ACL shrinks to 492 rules. Note that a combined rule matches every address in its wildcard range, including addresses such as 10.1.1.0 that no original rule covered; confirm that the widened range does not pull in traffic that should not be redirected.
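Combining hundreds of host rules by hand is error-prone, and a widened wildcard may match addresses that none of the original rules did. The following Python example is added here and is not part of the page or of any Huawei tool: it generates the 510 host rules listed above (the page elides most of them, so the list is constructed), computes the exact minimal wildcard cover with the standard library's `ipaddress.collapse_addresses`, then applies the /24 widening the page performs and reports the addresses that widening adds. The 1000-rule total and the rule syntax are taken from the page.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

Cover = Dict[str, List[ipaddress.IPv4Network]]

def build_host_rules() -> List[Tuple[str, str]]:
    """Constructed input: rules 1-510 above as (source host, destination host), all /32."""
    return [(f"10.1.{third}.{fourth}", "10.10.1.1")
            for third in (1, 2) for fourth in range(1, 256)]

def exact_cover(host_rules) -> Cover:
    """Fewest prefixes that match exactly the listed sources per destination, nothing more."""
    by_dst = defaultdict(list)
    for src, dst in host_rules:
        by_dst[dst].append(ipaddress.ip_network(src))
    return {dst: list(ipaddress.collapse_addresses(nets)) for dst, nets in by_dst.items()}

def widen_cover(cover: Cover, max_prefixlen: int = 24) -> Cover:
    """Relax every prefix longer than /max_prefixlen to its enclosing /max_prefixlen,
    which is what the page does by hand when it writes 10.1.1.0 0.0.0.255."""
    out = {}
    for dst, nets in cover.items():
        widened = [n if n.prefixlen <= max_prefixlen else n.supernet(new_prefix=max_prefixlen)
                   for n in nets]
        out[dst] = list(ipaddress.collapse_addresses(widened))
    return out

def extra_addresses(exact: Cover, widened: Cover) -> List[str]:
    """Source addresses the widened rules match that no original rule matched."""
    gained = set()
    for dst, nets in widened.items():
        original = {a for n in exact.get(dst, []) for a in n}
        gained |= {a for n in nets for a in n} - original
    return [str(a) for a in sorted(gained)]

def render(cover: Cover, start: int = 1) -> List[str]:
    """Emit rule lines in the page's syntax; a /32 uses the abbreviated wildcard 0."""
    lines, number = [], start
    for dst in sorted(cover, key=ipaddress.ip_address):
        for net in cover[dst]:
            wildcard = "0" if net.prefixlen == 32 else str(net.hostmask)
            lines.append(f"rule {number} permit ip source {net.network_address} {wildcard} "
                         f"destination {dst} 0")
            number += 1
    return lines

def rules_after_merge(total_before: int, merged_before: int, merged_after: int) -> int:
    """ACL size once merged_before rules have been replaced by merged_after rules."""
    return total_before - merged_before + merged_after

if __name__ == "__main__":
    exact = exact_cover(build_host_rules())
    wide = widen_cover(exact)
    print("exact cover (no over-match):")
    print("\n".join(render(exact)))
    print("widened to /24 as on the page:")
    print("\n".join(render(wide)))
    print("addresses added by widening:", extra_addresses(exact, wide))
    print("ACL size after merge:", rules_after_merge(1000, 510, len(render(wide))))
```

The exact cover needs 16 rules because the original list starts at .1 in each segment, so the .0 address is not covered; widening to two /24 rules saves 14 more entries at the cost of also matching 10.1.1.0 and 10.1.2.0. `extra_addresses` makes that trade-off explicit before the change goes onto the switch.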
4. Checking Whether the ARP Entry of the Next-Hop IP Address Is Learned
If the switch does not forward packets according to the next hop specified by PBR, check whether the ARP entry of the next-hop IP address is learned.
[HUAWEI] display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
------------------------------------------------------------------------------
100.100.100.1   101b-5498-d3eb            I -         Vlanif100
101.101.101.1   101b-5498-d3ec            I -         Vlanif101
200.1.1.1       101b-5498-d3e6            I -         Vlanif200
200.1.1.251     0026-cbbd-7da6  20        D-0         GE8/0/12
In the preceding command output, IP ADDRESS indicates a next-hop IP address, MAC ADDRESS indicates the destination MAC address, TYPE indicates the ARP entry type (I: the switch's own interface address; D: dynamically learned; S: static), and INTERFACE indicates the corresponding outbound interface. A PBR next hop should appear as a D or S entry; an I entry means the configured next-hop address belongs to the switch itself rather than to the remote device.
If the switch has no ARP entry for the next-hop IP address specified by PBR, it triggers ARP learning. If the entry cannot be learned, packets are forwarded along the original forwarding path and are not redirected.
If the switch does not have the ARP entry of the specified next-hop IP address, perform the following operations to rectify the fault:
If the switch reaches the next-hop device across a Layer 2 network, check whether an intermediate link failure prevents the switch from receiving ARP reply packets and learning the entry. Ping the next hop to check the link and rectify any link failure.
Check whether ARP strict learning is enabled on the switch. After this function is enabled, the switch learns only the ARP reply packets in response to the ARP request packets sent by itself. If the remote device does not respond to the ARP request packets sent by the switch, run the undo arp learning strict command in the system or interface view to disable ARP strict learning.
Check whether the switch has too many ARP entries. If so, rectify the fault according to ARP Attack.
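Comparing a list of redirect next hops against the ARP table is mechanical and worth scripting when several policies are in play. The following Python example is added here and is not part of the page or of any Huawei tool: it parses `display arp all` output in the layout shown above and classifies each configured next hop as learned, missing, or the switch's own interface address (TYPE I), which cannot serve as a remote next hop (see the traffic behavior check in step 1). The ARP rows are constructed in that layout and the three next hops come from the `redirect ip-multihop` example; which available next hop the switch actually prefers is platform-specific, so the "first usable in configured order" rule in `usable_next_hop` is an assumption used only to illustrate the fallback.

```python
import re
from typing import Dict, List, Optional

# One data row of "display arp all": IP, MAC, optional EXPIRE(M), TYPE (I = own interface,
# D = dynamic, S = static, possibly with a suffix such as "-0"), INTERFACE, optional VPN-INSTANCE.
# Column spacing varies between models, so the fields are matched loosely.
ARP_ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?:(?P<expire>\d+)\s+)?"
    r"(?P<type>[IDS])\S*(?:\s+-)?\s+"
    r"(?P<iface>\S+)"
    r"(?:\s+(?P<vpn>\S+))?\s*$"
)

def parse_arp(text: str) -> Dict[str, dict]:
    """Map IP -> {mac, type, iface} for every data row; header and ruler lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            table[m["ip"]] = {"mac": m["mac"], "type": m["type"], "iface": m["iface"]}
    return table

def check_next_hops(next_hops: List[str], arp: Dict[str, dict]) -> Dict[str, str]:
    """Classify each configured redirect next hop against the ARP table."""
    report = {}
    for nh in next_hops:
        entry = arp.get(nh)
        if entry is None:
            report[nh] = "missing"          # switch will try ARP learning, then forward normally
        elif entry["type"] == "I":
            report[nh] = f"local interface address on {entry['iface']}"   # not a remote next hop
        else:
            report[nh] = f"learned via {entry['iface']}"
    return report

def usable_next_hop(next_hops: List[str], arp: Dict[str, dict]) -> Optional[str]:
    """First next hop in configured order with a learned (D/S) entry.
    None means no next hop is usable and packets follow destination-based forwarding.
    Assumption: real selection order is platform-specific; this models availability only."""
    for nh in next_hops:
        entry = arp.get(nh)
        if entry is not None and entry["type"] != "I":
            return nh
    return None

# Constructed sample in the layout of the display arp all output above.
ARP_SAMPLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
------------------------------------------------------------------------------
100.100.100.1   101b-5498-d3eb            I -         Vlanif100
10.1.1.2        101b-5498-d3ec            I -         Vlanif101
200.1.1.251     0026-cbbd-7da6  20        D-0         GE8/0/12
10.2.12.3       0026-cbbd-7da7  19        D-0         GE8/0/13
"""
# The three next hops from the redirect ip-multihop example in step 1.
NEXT_HOPS = ["10.1.42.1", "10.2.12.3", "10.1.1.2"]

if __name__ == "__main__":
    arp = parse_arp(ARP_SAMPLE)
    for nh, status in check_next_hops(NEXT_HOPS, arp).items():
        print(f"{nh:<12} {status}")
    print("usable next hop:", usable_next_hop(NEXT_HOPS, arp))
```

In the sample, 10.1.42.1 has no entry (check the Layer 2 path and ARP strict learning as described above), 10.1.1.2 is one of the switch's own VLANIF addresses and so was never a valid next hop, and only 10.2.12.3 can actually carry redirected traffic.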
5. Collecting Information and Seeking Technical Support
If the fault persists, collect related information and seek technical support.
Collecting Fault Information
Collect operation results of the preceding steps and record the results in a file.
Collect all diagnostic information and export the information to a file.
Run the display diagnostic-information file-name command in the user view to collect diagnostic information and save the information to a file.
<HUAWEI> display diagnostic-information dia-info.txt
Now saving the diagnostic information to the device
100%
Info: The diagnostic information was saved to the device successfully.
When the diagnostic file is generated, you can export the file from the device using FTP, SFTP, or SCP.
NOTICE:
You can run the dir command in the user view to check whether the file is generated.
You can also run the display diagnostic-information command and save terminal logs in a diagnostic file on a disk.
If this command displays a long output, press Ctrl+C to abort this command.
This command displays diagnostic information, which helps locate faults but may affect system performance. For example, CPU usage may become high. Therefore, do not use this command when the system is running properly.
Running the display diagnostic-information command simultaneously on multiple terminals connected to the device is prohibited. This is because CPU usage of the device may obviously increase and the device performance may be degraded.
Collect the log and trap information on the device and export the information to files.
Run the save logfile all command in the user view to save the logs in the user log buffer area and diagnostic log buffer area to the user log file and diagnostic log file, respectively.
<HUAWEI> save logfile all
Info: Save logfile successfully.
Info: Save diagnostic logfile successfully.
When the log files are generated, you can export them from the device using FTP, SFTP, or SCP.
NOTE:
You can also run the display logbuffer and display trapbuffer commands to view the log and trap information on the device, and save the information in diagnostic files on a disk.
If you have any questions, contact csd@telecomate.com for technical support.
NOTE:
Technical support personnel will provide instructions for you to submit all the collected information and files, so that they can locate faults.