交换机在江湖: What to do when a GRE tunnel does not come up after keepalive is configured?

Posted by 华为悦读汇


Products and versions involved

All versions of S series switches


Network topology


Symptom

After the keepalive detection function is configured on Switch_1, the GRE tunnel protocol state on Switch_1 goes down, while the GRE tunnel on Switch_2 can still be up.


Cause analysis

Check the tunnel configuration on both switches.

<Switch_1>display current-configuration interface Tunnel 1
interface Tunnel1
ip address 192.168.230.1 255.255.255.252 
tunnel-protocol gre 
keepalive 
source 183.203.53.12 
destination 183.203.48.197 
#

<Switch_2>display current-configuration interface Tunnel 1
interface Tunnel1
ip address 192.168.230.2 255.255.255.252 
tunnel-protocol gre 
source 183.203.48.197 
destination 183.203.53.12 
#

Check the interface configuration on both switches, taking Switch_2 as the example.

[Switch_2]display current-configuration interface Eth-Trunk1
interface Eth-Trunk1
description TO-PC/MB-eth-trunk-3*10G 
port link-type access 
port default vlan 1000 
traffic-policy ABC inbound 
mode lacp 
#

[Switch_2]display traffic policy user-defined

User Defined Traffic Policy Information: 
Policy: ABC 
Classifier: guolv 
Operator: OR 
Behavior: guolv 
Permit 
Total policy number is 1

[Switch_2]display traffic classifier user-defined

User Defined Classifier Information: 
Classifier: guolv 
Precedence: 5 
Operator: OR 
Rule(s) : if-match acl 3001 
Total classifier number is 1

[Switch_2]display acl 3001

Advanced ACL 3001, 18 rules 
Acl's step is 5 
rule 5 permit ip source 183.203.46.0 0.0.0.255 (match-counter 0) 
rule 10 permit ip source 183.203.47.0 0.0.0.128 (match-counter 0) 
rule 15 permit ip source 183.203.48.0 0.0.0.64 (match-counter 0) 
rule 20 permit ip source 183.203.49.0 0.0.0.32 (match-counter 0) 
rule 25 permit tcp source 183.203.52.0 0.0.0.255 (match-counter 0) 
rule 30 permit tcp source 221.131.53.2 0 (match-counter 0) 
rule 35 permit ip source 10.231.140.0 0.0.0.255 (match-counter 0) 
rule 40 permit ip source 10.231.138.0 0.0.0.255 (match-counter 0) 
rule 45 permit ip source 10.231.137.0 0.0.0.255 (match-counter 0) 
rule 50 permit ip source 10.231.136.0 0.0.0.255 (match-counter 0) 
rule 55 permit ip source 10.231.141.0 0.0.0.255 (match-counter 0) 
rule 60 permit ip source 10.231.142.0 0.0.0.255 (match-counter 0) 
rule 65 permit ip source 10.231.143.0 0.0.0.255 (match-counter 0) 
rule 70 permit ip source 10.231.144.0 0.0.0.255 (match-counter 0) 
rule 100 permit tcp destination-port eq www (match-counter 0) 
rule 10000 permit tcp tcp-flag ack (match-counter 0) 
rule 10001 permit tcp tcp-flag rst (match-counter 0) 
rule 4294967294 deny ip (match-counter 0)

Capturing the packet on Switch_2 by matching it against an ACL shows the keepalive packet sent by Switch_1 as follows:

[Figure: capture of the keepalive packet sent by Switch_1, not reproduced]

When the packet reaches Switch_2, it is first GRE-decapsulated: the GRE header is removed, and because the destination IP in the inner IP header is not a local address, the packet is matched against traffic policy ABC. It hits the last rule of ACL 3001 and is dropped. Switch_1 never receives the returned keepalive packet, so the GRE tunnel goes down.

Keepalive packets are not sent to the CPU; they are forwarded directly, so the redirect takes effect on them.


Procedure

Modify the redirect ACL rules so that keepalive packets are not dropped.
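To make the cause analysis concrete, the following added Python example (not from the original article) models the ACL 3001 lookup against the inner packet that remains after Switch_2 strips the outer GRE header. It assumes Huawei wildcard-mask semantics (1 bits are "don't care"), uses an excerpt of the rules shown above, and adds a constructed rule 3 permitting GRE from the peer tunnel source as one possible fix.

```python
import ipaddress
import re

# Excerpt of ACL 3001 as displayed on the page (rules relevant to the keepalive).
ACL_3001 = """\
rule 5 permit ip source 183.203.46.0 0.0.0.255
rule 15 permit ip source 183.203.48.0 0.0.0.64
rule 25 permit tcp source 183.203.52.0 0.0.0.255
rule 100 permit tcp destination-port eq www
rule 10000 permit tcp tcp-flag ack
rule 4294967294 deny ip
"""
# Constructed fix (not on the page): permit GRE from the peer's tunnel source before the deny.
ACL_3001_FIXED = "rule 3 permit gre source 183.203.48.197 0\n" + ACL_3001

# Inner packet of Switch_1's keepalive after Switch_2 removes the outer GRE header:
# source is Switch_2's tunnel source, destination is Switch_1's, protocol GRE (constructed).
KEEPALIVE_INNER = {"proto": "gre", "src": "183.203.48.197", "dst": "183.203.53.12"}

RULE_RE = re.compile(r"rule (\d+) (permit|deny) (\S+)(?: source (\S+) (\S+))?(.*)")

def wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard: a 1 bit means 'don't care', so 0.0.0.64 matches only
    183.203.48.0 and 183.203.48.64 (never .197); a wildcard of 0 is an exact match."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))  # display shows '0'
    return (a & ~w) == (b & ~w)

def evaluate(acl_text, pkt):
    """Return (rule_id, action) of the first matching rule, mimicking the hardware lookup."""
    for line in acl_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rid, action, proto, src, wc, rest = m.groups()
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if src and not wildcard_match(pkt["src"], src, wc):
            continue
        if "destination-port eq www" in rest and pkt.get("dport") != 80:
            continue
        if "tcp-flag" in rest and rest.split()[-1] not in pkt.get("flags", ()):
            continue
        return int(rid), action
    return None, "no-match"

if __name__ == "__main__":
    print(evaluate(ACL_3001, KEEPALIVE_INNER))        # (4294967294, 'deny')
    print(evaluate(ACL_3001_FIXED, KEEPALIVE_INNER))  # (3, 'permit')
```

The decapsulated keepalive matches none of the permit rules (no source range covers 183.203.48.197 and the protocol is GRE, not TCP), so it falls through to the final deny exactly as the analysis describes.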


Summary and suggestions

With SwitchA and SwitchB as the two GRE tunnel endpoints and keepalive configured on SwitchA, the keepalive packets SwitchA sends are not sent to the CPU on SwitchB but are forwarded directly; they are only sent to the CPU once they return to SwitchA. This differs from ordinary protocol packets.

GRE keepalive detection is unidirectional, not bidirectional.

