排除ACI L3Out — 子网0.0.0.0/0和系统PcTag 15故障
目录
简介
本文档介绍在L3Out EPG中定义0.0.0.0/0子网的PcTag派生。
背景信息
ACI合同指南的“L3Out EPG with 0.0.0.0/0 subnet”部分将0.0.0.0/0与“外部EPG的外部子网”范围流量分类总结为:
- 将来自与已配置的0.0.0.0/0子网匹配的最长前缀的L3Out的流量分配给VRF PcTag的源类ID(s类)。
- 发往与已配置的0.0.0.0/0子网匹配的最长前缀的L3Out EPG的流量将目标类ID(dclass)指定为15,即系统PcTag。
ACI L3Out 白皮书的“外部EPG的外部子网的例外情况”(An exception for 0.0.0.0/0 with External Subnets for the External EPG)部分包含警告:
“……尽管不建议这样做,但您可以在同一VRF中的多个L3Out EPG中将0.0.0.0/0配置为“外部EPG的外部子网”…… 允许此配置时,会发生意外的合同部署……”
本文深入介绍这种非预期的合同部署。
配置
拓扑图
配置要点
- 枝叶节点301和303是边界枝叶节点
- 枝叶节点302是非边界枝叶
- 边界枝叶301上的L3Out-1-EEPG有一个0.0.0.0/0子网,其中包含“外部EPG的外部子网”
- L3Out-1-EEPG提供合同
- 非边界枝叶302上的EPG使用相同的合同
验证
实施“入口”策略的VRF
非边界枝叶分区规则
如“背景信息”部分突出显示的那样,发往此L3Out后网络的流量,其中已配置0.0.0.0/0子网中最长前缀匹配项的目标类(pcTag)为15。
这是VRF "v1"(网段ID 2129920)的非边界枝叶302上的分区规则表:
Leaf-302# show zoning-rule scope 2129920 +---------+--------+--------+----------+---------+---------+---------+------------------+----------+----------------------+ | Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority | +---------+--------+--------+----------+---------+---------+---------+------------------+----------+----------------------+ | 4107 | 0 | 0 | implarp | uni-dir | enabled | 2129920 | | permit | any_any_filter(17) | | 4106 | 0 | 0 | implicit | uni-dir | enabled | 2129920 | | deny,log | any_any_any(21) | | 4105 | 0 | 49155 | implicit | uni-dir | enabled | 2129920 | | permit | any_dest_any(16) | | 4108 | 0 | 15 | implicit | uni-dir | enabled | 2129920 | | deny,log | any_vrf_any_deny(22) | | 4112 | 16386 | 49156 | default | uni-dir | enabled | 2129920 | tn1:EPG_to_L3Out | permit | src_dst_any(9) | | 4111 | 49156 | 15 | default | uni-dir | enabled | 2129920 | tn1:EPG_to_L3Out | permit | src_dst_any(9) | +---------+--------+--------+----------+---------+---------+---------+------------------+----------+----------------------+
由于L3Out-1-EEPG和EPG(49156)之间的合同,安装了两个规则:
- 规则4112适用于从L3Out EPG发往EPG的外部流量,其中0.0.0.0/0 LPM发往EPG。
- 流量按VRF PcTag(16386)和EPG(49156)的类别分类。
- 规则4111适用于从EPG发往0.0.0.0/0 LPM的L3Out EPG的流量。
- 流量按EPG类别(49156)和System PcTag 15类别分类
边界枝叶分区 — 规则
由于VRF策略实施设置为“入口”(默认值),边界枝叶节点301没有与非边界枝叶节点302相同的分区规则。 这些类型的流的策略预期将应用于非边界枝叶节点。
Leaf-301# show zoning-rule scope 2129920 +---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+ | Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority | +---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+ | 4105 | 0 | 0 | implarp | uni-dir | enabled | 2129920 | | permit | any_any_filter(17) | | 4107 | 0 | 0 | implicit | uni-dir | enabled | 2129920 | | deny,log | any_any_any(21) | | 4106 | 0 | 15 | implicit | uni-dir | enabled | 2129920 | | deny,log | any_vrf_any_deny(22) | | 4108 | 0 | 16387 | implicit | uni-dir | enabled | 2129920 | | permit | any_dest_any(16) | +---------+--------+--------+----------+---------+---------+---------+------+----------+----------------------+
*No entry for 16386 to 49156 , or 49156 to 15*
EPG到L3Out ELAM
从EPG终端192.168.1.1 ping L3Out-1-EEPG后面的IP成功:
Host# ping 10.1.1.1 count 10000 int 1 PING 10.1.1.1 (10.1.1.1): 56 data bytes 64 bytes from 10.1.1.1: icmp_seq=0 ttl=252 time=1.063 ms 64 bytes from 10.1.1.1: icmp_seq=1 ttl=252 time=0.92 ms 64 bytes from 10.1.1.1: icmp_seq=2 ttl=252 time=0.963 ms
非边界枝叶302(EPG网关)上EPG到L3Out流量的ELAM确认:
- 数据包具有预期的源IP和目标IP:源IP:192.168.1.1,目的IP:10.1.1.1
- 源类(sclass)是EPG PcTag类49156
- 目标类(dclass)为系统PcTag 15,因为10.1.1.0/24最长前缀匹配L3Out-1-EEPG上的0.0.0.0/0子网
- 在此节点302(非边界枝叶节点)上应用了策略。
Leaf-302# ereport
======================================================================================================================================================
Captured Packet
======================================================================================================================================================
...snip...
------------------------------------------------------------------------------------------------------------------------------------------------------
Outer L2 Header
------------------------------------------------------------------------------------------------------------------------------------------------------
Destination MAC : 0022.BDF8.19FF
Source MAC : AAAA.AAAA.2222
802.1Q tag is valid : yes( 0x1 )
CoS : 0( 0x0 )
Access Encap VLAN : 192( 0xC0 )
------------------------------------------------------------------------------------------------------------------------------------------------------
Outer L3 Header
------------------------------------------------------------------------------------------------------------------------------------------------------
L3 Type : IPv4
...
IP Protocol Number : ICMP
IP CheckSum : 63781( 0xF925 )
Destination IP : 10.1.1.1
Source IP : 192.168.1.1
...
======================================================================================================================================================
Contract Lookup ( FPC )
======================================================================================================================================================
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Lookup Key
------------------------------------------------------------------------------------------------------------------------------------------------------
IP Protocol : ICMP( 0x1 )
L4 Src Port : 2048( 0x800 )
L4 Dst Port : 43014( 0xA806 )
sclass (src pcTag) : 49156( 0xC004 )
dclass (dst pcTag) : 15( 0xF )
src pcTag is from local table : yes
...
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Result
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Drop : no
Contract Logging : no
Contract Applied : yes
Contract Hit : yes
Contract Aclqos Stats Index : 81875
( show sys int aclqos zoning-rules | grep -B 9 "Idx: 81875" )
可以输入ereport提供的命令,以便对命中的Zoning-Rule进行其他验证:
module-1(DBG-elam-insel6)# show sys int aclqos zoning-rules | grep -B 9 "Idx: 81875"
===========================================
Rule ID: 4111 Scope 6 Src EPG: 49156 Dst EPG: 15 Filter 65535
unit_id: 0
=== Region priority: 2462 (rule prio: 9 entry: 158)===
sw_index = 46 | hw_index = 45 | stats_idx = 81875
Curr TCAM resource:
=============================
=== SDK Info ===
Result/Stats Idx: 81875
L3Out到EPG ELAM
返回流获取在非边界枝叶节点302上应用的策略。当VRF策略实施设置为“入口”时,这是预期结果。
Leaf-302# ereport
... ------------------------------------------------------------------------------------------------------------------------------------------------------ Inner L3 Header ------------------------------------------------------------------------------------------------------------------------------------------------------ L3 Type : IPv4 DSCP : 0 Don't Fragment Bit : 0x0 TTL : 254 IP Protocol Number : ICMP Destination IP : 192.168.1.1 Source IP : 10.1.1.1 ====================================================================================================================================================== Contract Lookup ( FPC ) ====================================================================================================================================================== ------------------------------------------------------------------------------------------------------------------------------------------------------ Contract Lookup Key ------------------------------------------------------------------------------------------------------------------------------------------------------ IP Protocol : ICMP( 0x1 ) L4 Src Port : 0( 0x0 ) L4 Dst Port : 60691( 0xED13 ) sclass (src pcTag) : 16386( 0x4002 ) dclass (dst pcTag) : 49156( 0xC004 ) src pcTag is from local table : no derived from group-id in iVxLAN header of incoming packet Unknown Unicast / Flood Packet : no If yes, Contract is not applied here because it is flooded ------------------------------------------------------------------------------------------------------------------------------------------------------ Contract Result ------------------------------------------------------------------------------------------------------------------------------------------------------ Contract Drop : no Contract Logging : no Contract Applied : yes Contract Hit : yes Contract Aclqos Stats Index : 81874 ( show sys int aclqos zoning-rules | grep -B 9 "Idx: 81874" )
进一步验证:
module-1(DBG-elam-insel14)# show sys int aclqos zoning-rules | grep -B 9 "Idx: 81874"
===========================================
Rule ID: 4112 Scope 6 Src EPG: 16386 Dst EPG: 49156 Filter 65535
unit_id: 0
=== Region priority: 2462 (rule prio: 9 entry: 158)===
sw_index = 47 | hw_index = 46 | stats_idx = 81874
Curr TCAM resource:
=============================
=== SDK Info ===
Result/Stats Idx: 81874
module-1(DBG-elam-insel14)#
实施“出口”策略的VRF
非边界枝叶分区规则
当VRF策略实施设置为“出口”时,L3Out的合同规则在边界枝叶节点和非边界枝叶节点上部署。因此,与“入口”实施相比,此配置会消耗额外的TCAM空间。此配置不是默认值,如果使用,必须认真考虑。
非边界枝叶节点302有两个分区规则,每个流方向性一个:
Leaf-302# show zoning-rule scope 2129920 +---------+--------+--------+----------+---------+---------+---------+------------------+----------+----------------------+ | Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority | +---------+--------+--------+----------+---------+---------+---------+------------------+----------+----------------------+ | 4107 | 0 | 0 | implarp | uni-dir | enabled | 2129920 | | permit | any_any_filter(17) | | 4106 | 0 | 0 | implicit | uni-dir | enabled | 2129920 | | deny,log | any_any_any(21) | | 4105 | 0 | 49155 | implicit | uni-dir | enabled | 2129920 | | permit | any_dest_any(16) | | 4108 | 0 | 15 | implicit | uni-dir | enabled | 2129920 | | deny,log | any_vrf_any_deny(22) | | 4112 | 16386 | 49156 | default | uni-dir | enabled | 2129920 | tn1:EPG_to_L3Out | permit | src_dst_any(9) | | 4111 | 49156 | 15 | default | uni-dir | enabled | 2129920 | tn1:EPG_to_L3Out | permit | src_dst_any(9) | +---------+--------+--------+----------+---------+---------+---------+------------------+----------+----------------------+
边界枝叶分区 — 规则
通过“出口”策略实施,边界枝叶节点301还有另外两个分区规则:
Leaf-301# show zoning-rule scope 2129920 +---------+--------+--------+----------+---------+---------+---------+------------------+----------+----------------------+ | Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority | +---------+--------+--------+----------+---------+---------+---------+------------------+----------+----------------------+ | 4105 | 0 | 0 | implarp | uni-dir | enabled | 2129920 | | permit | any_any_filter(17) | | 4107 | 0 | 0 | implicit | uni-dir | enabled | 2129920 | | deny,log | any_any_any(21) | | 4106 | 0 | 15 | implicit | uni-dir | enabled | 2129920 | | deny,log | any_vrf_any_deny(22) | | 4108 | 0 | 16387 | implicit | uni-dir | enabled | 2129920 | | permit | any_dest_any(16) | | 4109 | 16386 | 49156 | default | uni-dir | enabled | 2129920 | tn1:EPG_to_L3Out | permit | src_dst_any(9) | | 4110 | 49156 | 15 | default | uni-dir | enabled | 2129920 | tn1:EPG_to_L3Out | permit | src_dst_any(9) | +---------+--------+--------+----------+---------+---------+---------+------------------+----------+----------------------+
EPG到L3Out ELAM
从终端192.168.1.1 ping L3Out后面的网络成功:
Host# ping 10.1.1.1 count 10000 int 1 PING 10.1.1.1 (10.1.1.1): 56 data bytes 64 bytes from 10.1.1.1: icmp_seq=0 ttl=252 time=1.319 ms 64 bytes from 10.1.1.1: icmp_seq=1 ttl=252 time=0.962 ms 64 bytes from 10.1.1.1: icmp_seq=2 ttl=252 time=0.958 ms 64 bytes from 10.1.1.1: icmp_seq=3 ttl=252 time=1.093 ms
非边界枝叶节点302上的ELAM指示策略未应用到此枝叶上。此外,它获取了System PcTag 1类,以允许流命中流中的下一个枝叶节点:
Leaf-302# ereport
======================================================================================================================================================
Captured Packet
------------------------------------------------------------------------------------------------------------------------------------------------------
Outer L3 Header
------------------------------------------------------------------------------------------------------------------------------------------------------
...
IP Protocol Number : ICMP
IP CheckSum : 26943( 0x693F )
Destination IP : 10.1.1.1
Source IP : 192.168.1.1
======================================================================================================================================================
Contract Lookup ( FPC )
======================================================================================================================================================
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Lookup Key
------------------------------------------------------------------------------------------------------------------------------------------------------
IP Protocol : ICMP( 0x1 )
L4 Src Port : 2048( 0x800 )
L4 Dst Port : 27360( 0x6AE0 )
sclass (src pcTag) : 49156( 0xC004 )
dclass (dst pcTag) : 1( 0x1 )
...
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Result
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Drop : no
Contract Logging : no
Contract Applied : no
Contract Hit : yes
Contract Aclqos Stats Index : 81903
( show sys int aclqos zoning-rules | grep -B 9 "Idx: 81903" )
边界枝叶节点301上的ELAM指示策略已应用于此节点。它还选择了System PcTag 15类。这意味着0.0.0.0/0 L3Out子网条目上匹配的最长前缀:
Leaf-301# ereport
======================================================================================================================================================
Captured Packet
======================================================================================================================================================
------------------------------------------------------------------------------------------------------------------------------------------------------
Inner L3 Header
------------------------------------------------------------------------------------------------------------------------------------------------------
...
IP Protocol Number : ICMP
Destination IP : 10.1.1.1
Source IP : 192.168.1.1
======================================================================================================================================================
Contract Lookup ( FPC )
======================================================================================================================================================
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Lookup Key
------------------------------------------------------------------------------------------------------------------------------------------------------
IP Protocol : ICMP( 0x1 )
L4 Src Port : 2048( 0x800 )
L4 Dst Port : 40498( 0x9E32 )
sclass (src pcTag) : 49156( 0xC004 )
dclass (dst pcTag) : 15( 0xF )
src pcTag is from local table : no
derived from group-id in iVxLAN header of incoming packet
Unknown Unicast / Flood Packet : no
If yes, Contract is not applied here because it is flooded
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Result
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Drop : no
Contract Logging : no
Contract Applied : yes
Contract Hit : yes
Contract Aclqos Stats Index : 81874
( show sys int aclqos zoning-rules | grep -B 9 "Idx: 81874" )
...
module-1(DBG-elam-insel14)# show sys int aclqos zoning-rules | grep -B 9 "Idx: 81874"
===========================================
Rule ID: 4110 Scope 6 Src EPG: 49156 Dst EPG: 15 Filter 65535
unit_id: 0
=== Region priority: 2462 (rule prio: 9 entry: 158)===
sw_index = 47 | hw_index = 46 | stats_idx = 81874
Curr TCAM resource:
=============================
=== SDK Info ===
Result/Stats Idx: 81874
L3Out到EPG ELAM
在此设置中,存在有关返回流的警告:
- 边界枝叶节点301没有针对192.168.1.1的终端学习。
Leaf-301# show endpoint ip 192.168.1.1
Legend:
S - static s - arp L - local O - peer-attached
V - vpc-attached a - local-aged p - peer-aged M - span
B - bounce H - vtep R - peer-attached-rl D - bounce-to-proxy
E - shared-service m - svc-mgr
+-----------------------------------+---------------+-----------------+--------------+-------------+
VLAN/ Encap MAC Address MAC Info/ Interface
Domain VLAN IP Address IP Info
+-----------------------------------+---------------+-----------------+--------------+-------------+
...empty...
因此,对于此流,策略未应用于边界枝叶节点301,必须隐式允许它到达下一个枝叶:
Leaf-301# ereport
======================================================================================================================================================
Captured Packet
======================================================================================================================================================
------------------------------------------------------------------------------------------------------------------------------------------------------
Outer L3 Header
------------------------------------------------------------------------------------------------------------------------------------------------------
...
IP Protocol Number : ICMP
IP CheckSum : 25157( 0x6245 )
Destination IP : 192.168.1.1
Source IP : 10.1.1.1
======================================================================================================================================================
Contract Lookup ( FPC )
======================================================================================================================================================
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Lookup Key
------------------------------------------------------------------------------------------------------------------------------------------------------
IP Protocol : ICMP( 0x1 )
L4 Src Port : 0( 0x0 )
L4 Dst Port : 33570( 0x8322 )
sclass (src pcTag) : 16386( 0x4002 )
dclass (dst pcTag) : 1( 0x1 )
src pcTag is from local table : yes
derived from a local table on this node by the lookup of src IP or MAC
Unknown Unicast / Flood Packet : no
If yes, Contract is not applied here because it is flooded
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Result
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Drop : no
Contract Logging : no
Contract Applied : no
Contract Hit : yes
Contract Aclqos Stats Index : 81903
( show sys int aclqos zoning-rules | grep -B 9 "Idx: 81903" )
相反,策略应用于非边界枝叶节点302:
Leaf-302# ereport
======================================================================================================================================================
Captured Packet
======================================================================================================================================================
------------------------------------------------------------------------------------------------------------------------------------------------------
Inner L3 Header
------------------------------------------------------------------------------------------------------------------------------------------------------
...
IP Protocol Number : ICMP
Destination IP : 192.168.1.1
Source IP : 10.1.1.1
======================================================================================================================================================
Contract Lookup ( FPC )
======================================================================================================================================================
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Lookup Key
------------------------------------------------------------------------------------------------------------------------------------------------------
IP Protocol : ICMP( 0x1 )
L4 Src Port : 0( 0x0 )
L4 Dst Port : 61057( 0xEE81 )
sclass (src pcTag) : 16386( 0x4002 )
dclass (dst pcTag) : 49156( 0xC004 )
src pcTag is from local table : no
derived from group-id in iVxLAN header of incoming packet
Unknown Unicast / Flood Packet : no
If yes, Contract is not applied here because it is flooded
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Result
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Drop : no
Contract Logging : no
Contract Applied : yes
Contract Hit : yes
Contract Aclqos Stats Index : 81874
( show sys int aclqos zoning-rules | grep -B 9 "Idx: 81874" )
...
module-1(DBG-elam-insel14)# show sys int aclqos zoning-rules | grep -B 9 "Idx: 81874"
===========================================
Rule ID: 4112 Scope 6 Src EPG: 16386 Dst EPG: 49156 Filter 65535
unit_id: 0
=== Region priority: 2462 (rule prio: 9 entry: 158)===
sw_index = 47 | hw_index = 46 | stats_idx = 81874
Curr TCAM resource:
=============================
=== SDK Info ===
Result/Stats Idx: 81874
如果边界枝叶节点301有一个终端获知192.168.1.1,则应该已在该节点上应用策略。
故障排除
场景 — 非预期的允许
在同一VRF中部署多个L3Outs时,如果使用0.0.0.0/0子网和“外部EPG的外部子网”进行配置,则会允许流量意外传递到外部目标。
为此,请在L3Out-2-EEPG下添加0.0.0.0/0子网,该子网与L3Out-1-EEPG位于同一VRF中。
L3Out-2-EEPG上没有合同,因此我们预计默认情况下所有流量都会被丢弃:
但是,从EPG终端192.168.1.1到L3Out-2-EEPG后目标10.2.2.2的ping操作是成功的。这是意外的!
Host# ping 10.2.2.2 PING 10.2.2.2 (10.2.2.2): 56 data bytes 64 bytes from 10.2.2.2: icmp_seq=0 ttl=252 time=0.881 ms 64 bytes from 10.2.2.2: icmp_seq=1 ttl=252 time=0.801 ms 64 bytes from 10.2.2.2: icmp_seq=2 ttl=252 time=0.877 ms 64 bytes from 10.2.2.2: icmp_seq=3 ttl=252 time=0.827 ms
转发路由和policy-mgr前缀都显示此VRF中发往10.2.2.2的流量被分配系统PcTag 15
Leaf-302# vsh_lc -c "show forward route 10.2.2.2 platform vrf tn1:v1" ... Policy Prefix 0.0.0.0/0 SDK Information: vrf: 7(0x7), routed_if: 0x0 epc_class: 15(0xf) ... Leaf-302# vsh -c "show system internal policy-mgr prefix" Requested prefix data Vrf-Vni VRF-Id Table-Id Table-State VRF-Name Addr Class Shared Remote Complete Svc_ena ======= ====== =========== ======= ============================ ================================= ====== ====== ====== ======== ======== ... 2129920 7 0x7 Up tn1:v1 0.0.0.0/0 15 False False False False 2129920 7 0x80000007 Up tn1:v1 ::/0 15 False False False False Leaf-302#
非边界枝叶节点302上的ELAM验证使用系统PcTag 15分类的数据流。
Leaf-302# ereport
====================================================================================================================================================== Captured Packet ====================================================================================================================================================== ------------------------------------------------------------------------------------------------------------------------------------------------------ Outer L3 Header ------------------------------------------------------------------------------------------------------------------------------------------------------ ... IP Protocol Number : ICMP IP CheckSum : 14444( 0x386C ) Destination IP : 10.2.2.2 Source IP : 192.168.1.1 ====================================================================================================================================================== Contract Lookup ( FPC ) ====================================================================================================================================================== ------------------------------------------------------------------------------------------------------------------------------------------------------ Contract Lookup Key ------------------------------------------------------------------------------------------------------------------------------------------------------ IP Protocol : ICMP( 0x1 ) L4 Src Port : 2048( 0x800 ) L4 Dst Port : 33134( 0x816E ) sclass (src pcTag) : 49156( 0xC004 ) dclass (dst pcTag) : 15( 0xF ) src pcTag is from local table : yes derived from a local table on this node by the lookup of src IP or MAC Unknown Unicast / Flood Packet : no If yes, Contract is not applied here because it is flooded ------------------------------------------------------------------------------------------------------------------------------------------------------ Contract Result ------------------------------------------------------------------------------------------------------------------------------------------------------ Contract Drop : no Contract Logging : no Contract Applied : yes Contract Hit : yes Contract Aclqos Stats Index : 81875 ( show sys int aclqos zoning-rules | grep -B 9 "Idx: 81875" ) ...
module-1(DBG-elam-insel6)# show sys int aclqos zoning-rules | grep -B 9 "Idx: 81875" =========================================== Rule ID: 4111 Scope 6 Src EPG: 49156 Dst EPG: 15 Filter 65535 unit_id: 0 === Region priority: 2462 (rule prio: 9 entry: 158)=== sw_index = 46 | hw_index = 45 | stats_idx = 81875 Curr TCAM resource: ============================= === SDK Info === Result/Stats Idx: 81875
VRF“v1”的Zoning-Rules未显示EPG和L3Out-2的任何新条目:
Leaf-302# show zoning-rule scope 2129920 +---------+--------+--------+----------+---------+---------+---------+------------------+----------+----------------------+ | Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority | +---------+--------+--------+----------+---------+---------+---------+------------------+----------+----------------------+ | 4107 | 0 | 0 | implarp | uni-dir | enabled | 2129920 | | permit | any_any_filter(17) | | 4106 | 0 | 0 | implicit | uni-dir | enabled | 2129920 | | deny,log | any_any_any(21) | | 4105 | 0 | 49155 | implicit | uni-dir | enabled | 2129920 | | permit | any_dest_any(16) | | 4108 | 0 | 15 | implicit | uni-dir | enabled | 2129920 | | deny,log | any_vrf_any_deny(22) | | 4112 | 16386 | 49156 | default | uni-dir | enabled | 2129920 | tn1:EPG_to_L3Out | permit | src_dst_any(9) | | 4111 | 49156 | 15 | default | uni-dir | enabled | 2129920 | tn1:EPG_to_L3Out | permit | src_dst_any(9) | +---------+--------+--------+----------+---------+---------+---------+------------------+----------+----------------------+ Leaf-302#
由于L3Out-2-EEPG只配置了0.0.0.0/0子网,因此所有发往它的流量都使用System PcTag 15分类进行分类。
Zoning-Rules ID 4111和4112被编程为L3Out-1-EEPG同时具有0.0.0.0/0子网并提供EPG使用的合同。
由于此配置,意外地允许流向L3Out-2-EEPG!
解决方案 — 非预期的允许
要防止此行为,请执行以下操作:
- 强烈建议每个VRF仅在一个L3Out EPG上使用0.0.0.0/0子网
- 如果可能,在同一VRF中为其他L3Outs使用特定子网。这允许流量提取唯一的L3Out PcTag值作为其类。
应用这些更改以缓解意外允许:
- 在L3Out-2-EEPG上,将0.0.0.0/0子网替换为10.2.2.0/24子网
- 在L3Out-2-EEPG上,提供合同
- 在EPG上,使用相同的合同
完成后,在非边界枝叶节点302上观察这些更改:
- 对于10.2.2.0/24,有一个更具体的policy-mgr前缀与L3Out-2-EEPG PcTag连接关32771
- 有一个Zoning-Rules ID 4109条目
- 此条目允许从EPG PcTag路由49156L3Out-2-EEPG PcTag路由的流32771
- 有一个Zoning-Rules ID 4110条目
- 此条目允许从L3Out-2-EEPG PcTag到EPG 32771的流49156
更新的转发路由和policy-mgr前缀,其中显示10.2.2.2分配了32771的L3Out-2-EEPG PgTag:
Leaf-302# vsh_lc -c "show forward route 10.2.2.2 platform vrf tn1:v1" ... Policy Prefix 10.2.2.0/24 ... SDK Information: vrf: 7(0x7), routed_if: 0x0 epc_class: 32771(0x8003) attributes: SUP_CP DST_POL_IC SRC_POL_IC
Leaf-302# vsh -c "show system internal policy-mgr prefix" Requested prefix data Vrf-Vni VRF-Id Table-Id Table-State VRF-Name Addr Class Shared Remote Complete Svc_ena ======= ====== =========== ======= ============================ ================================= ====== ====== ====== ======== ======== ... 2129920 7 0x7 Up tn1:v1 0.0.0.0/0 15 False False False False 2129920 7 0x80000007 Up tn1:v1 ::/0 15 False False False False 2129920 7 0x7 Up tn1:v1 10.2.2.0/24 32771 False True False False
Leaf-302# show zoning-rule scope 2129920 +---------+--------+--------+----------+----------------+---------+---------+------------------+----------+----------------------+ | Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority | +---------+--------+--------+----------+----------------+---------+---------+------------------+----------+----------------------+ | 4107 | 0 | 0 | implarp | uni-dir | enabled | 2129920 | | permit | any_any_filter(17) | | 4106 | 0 | 0 | implicit | uni-dir | enabled | 2129920 | | deny,log | any_any_any(21) | | 4105 | 0 | 49155 | implicit | uni-dir | enabled | 2129920 | | permit | any_dest_any(16) | | 4108 | 0 | 15 | implicit | uni-dir | enabled | 2129920 | | deny,log | any_vrf_any_deny(22) | | 4112 | 16386 | 49156 | default | uni-dir | enabled | 2129920 | tn1:EPG_to_L3Out | permit | src_dst_any(9) | | 4111 | 49156 | 15 | default | uni-dir | enabled | 2129920 | tn1:EPG_to_L3Out | permit | src_dst_any(9) | | 4109 | 49156 | 32771 | default | bi-dir | enabled | 2129920 | tn1:EPG_to_L3Out | permit | src_dst_any(9) | | 4110 | 32771 | 49156 | default | uni-dir-ignore | enabled | 2129920 | tn1:EPG_to_L3Out | permit | src_dst_any(9) | +---------+--------+--------+----------+----------------+---------+---------+------------------+----------+----------------------+
从EPG主机ping L3Out-2-EEPG后的外部目标成功:
Host# ping 10.2.2.2 PING 10.2.2.2 (10.2.2.2): 56 data bytes
64 bytes from 10.2.2.2: icmp_seq=0 ttl=252 time=0.854 ms
64 bytes from 10.2.2.2: icmp_seq=1 ttl=252 time=0.669 ms
64 bytes from 10.2.2.2: icmp_seq=2 ttl=252 time=0.716 ms
64 bytes from 10.2.2.2: icmp_seq=3 ttl=252 time=0.669 ms
64 bytes from 10.2.2.2: icmp_seq=4 ttl=252 time=0.666 ms
非边界枝叶节点302上icmp请求的ELAM指示该类现在为32771 - L3Out-2-EEPG的PcTag。
Leaf-302# ereport
======================================================================================================================================================
Captured Packet
======================================================================================================================================================
------------------------------------------------------------------------------------------------------------------------------------------------------
Outer L3 Header
------------------------------------------------------------------------------------------------------------------------------------------------------
...
IP Protocol Number : ICMP
IP CheckSum : 4095( 0xFFF )
Destination IP : 10.2.2.2
Source IP : 192.168.1.1
======================================================================================================================================================
Contract Lookup ( FPC )
======================================================================================================================================================
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Lookup Key
------------------------------------------------------------------------------------------------------------------------------------------------------
IP Protocol : ICMP( 0x1 )
L4 Src Port : 2048( 0x800 )
L4 Dst Port : 49837( 0xC2AD )
sclass (src pcTag) : 49156( 0xC004 )
dclass (dst pcTag) : 32771( 0x8003 )
src pcTag is from local table : yes
derived from a local table on this node by the lookup of src IP or MAC
Unknown Unicast / Flood Packet : no
If yes, Contract is not applied here because it is flooded
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Result
------------------------------------------------------------------------------------------------------------------------------------------------------
Contract Drop : no
Contract Logging : no
Contract Applied : yes
Contract Hit : yes
Contract Aclqos Stats Index : 81873
( show sys int aclqos zoning-rules | grep -B 9 "Idx: 81873" )
...
ereport提供的aclqos命令显示此流到达其中一个新的分区规则,特别是规则ID 4109:
module-1(DBG-elam-insel6)# show sys int aclqos zoning-rules | grep -B 9 "Idx: 81873"
===========================================
Rule ID: 4109 Scope 6 Src EPG: 49156 Dst EPG: 32771 Filter 65535
unit_id: 0
=== Region priority: 2462 (rule prio: 9 entry: 158)===
sw_index = 48 | hw_index = 47 | stats_idx = 81873
Curr TCAM resource:
=============================
=== SDK Info ===
Result/Stats Idx: 81873
修订历史记录
| 版本 | 发布日期 | 备注 |
|---|---|---|
2.0 |
01-Sep-2022 |
添加了转发路由和policy-mgr前缀输出 |
1.0 |
30-Aug-2022 |
初始版本 |
反馈