ASR9000 ping packet loss troubleshooting

Contents
  Hardware platform
  Software version
  Case description
  Problem analysis
  Summary of the problem
  Lessons learned
  Related commands

Hardware platform

ASR9000

Software version

4.2.0

Case description

Topology example.

Problem: when the customer pings the three addresses of the VRRP subnet from the external internet, only one IP address ever responds:

vrrp virtual IP: 2.2.2.129

The other IP addresses, which cannot be pinged:

active physical rp address: 2.2.2.130
backup physical rp address: 2.2.2.131

Excerpt of the topology diagram, illustrating the failure to reach 2.2.2.131:

          internet                           internet
       tengige 0/0/0/0                    tengige 0/0/0/0
       (1.1.1.48) RID                     (1.1.1.49) RID
  GigabitEthernet0/1/0/6.313         GigabitEthernet 0/1/0/6.313
            |---------------- vrrp ----------------|
        2.2.2.130                          2.2.2.131
                 vrrp virtual IP: 2.2.2.129

RP/0/RSP0/CPU0:r1#show run router vrrp interface gigabitethernet 0/1/0/6.313
Tue Mar 27 11:35:27.676 Bejing
router vrrp
 address-family ipv4
  vrrp 113
   priority 120
   preempt delay 10
   address 2.2.2.129

RP/0/RSP0/CPU0:r2#
RP/0/RSP0/CPU0:r2#show run router vrrp interface gigabitethernet 0/1/0/6.313
Tue Mar 27 11:35:27.676 Bejing
router vrrp
 address-family ipv4
  vrrp 113
   preempt delay 10
   address 2.2.2.129

Problem analysis

A. Where the packets are dropped

1.1.1.48 (R1), one of its uplink interfaces, tengige 0/0/0/0: ipv4 address 3.3.3.66 255.255.255.252
1.1.1.48: vrrp active

RP/0/RSP0/CPU0:r1#
RP/0/RSP0/CPU0:r1#show run interface gigabitethernet 0/1/0/6.313
Tue Mar 27 09:52:10.186 Bejing
 service-policy input default
 ipv4 address 2.2.2.130 255.255.255.240 route-tag 500
 ipv4 verify unicast source reachable-via any
 encapsulation dot1q 313
RP/0/RSP0/CPU0:r1#
RP/0/RSP0/CPU0:r1#show vrrp interface gigabitethernet 0/1/0/6.313 detail | utility egrep Master
Tue Mar 27 09:51:00.516 Bejing
 State is Master
 Mar 23 03:04:57.960 Bejing Backup -> Master Master down timer expired
 Master router is local
 Master Down Timer 3.531 (3 x 1 + 136/256)

1.1.1.49 (R2), one of its uplink interfaces, tengige 0/0/0/0: ipv4 address 3.3.3.74 255.255.255.252
1.1.1.49: vrrp backup

RP/0/RSP0/CPU0:r2#show run int gigabitethernet 0/1/0/6.313
Tue Mar 27 09:42:58.874 UTC
 service-policy input default
 ipv4 address 2.2.2.131 255.255.255.240 route-tag 500
 ipv4 verify unicast source reachable-via any =====>
 encapsulation dot1q 313
RP/0/RSP0/CPU0:r2#show vrrp interface gigabitethernet 0/1/0/6.313 detail | utility egrep Master
Tue Mar 27 09:51:41.125 UTC
 Master router is 2.2.2.130, priority 120
 Master Down Timer 3.609 (3 x 1 + 156/256)

Source subnet of the test server:

route-server>show ip route c
 12.0.0.0/8 is variably subnetted, 2509 subnets, 11 masks
C 12.0.1.0/24 is directly connected, GigabitEthernet0/1
route-server>

On 1.1.1.49 (R2), the route to 12.0.1.0:

RP/0/RSP0/CPU0:r2#show route ipv4 12.0.1.0
Tue Mar 27 09:56:01.428 UTC
Routing entry for 0.0.0.0/0 =====>
 Known via "ospf 100", distance 110, metric 1, candidate default path
 Tag 100, type extern 2
 Installed Mar 22 15:51:04.265 for 4d18h
 Routing Descriptor Blocks
  3.3.3.73, from 2.2.2.8, via TenGigE0/0/0/0
   Route metric is 1
  3.3.3.77, from 2.2.2.9, via TenGigE0/1/0/0
   Route metric is 1
 No advertising protos.
RP/0/RSP0/CPU0:r2#

route-server>trace 2.2.2.131
Type escape sequence to abort.
Tracing the route to 2.2.2.131
 1 gateway.cbbtier3.att.net (12.0.1.202) [AS 7018] 4 0 4
 2 n54ny401me3-cbbtier3.ip.att.net (12.89.5.13) [AS 7018] 8 16 16
 3 cr1.n54ny.ip.att.net (12.123.2.6) [MPLS: Label 16092 Exp 1] 80 80 76
 4 cr2.cgcil.ip.att.net (12.122.1.2) [MPLS: Labels 23252/16494 Exp 1] 80 80 84
 5 cr1.cgcil.ip.att.net (12.122.2.53) [MPLS: Labels 23524/16494 Exp 1] 80 80 76
 6 cr2.dvmco.ip.att.net (12.122.31.85) [MPLS: Labels 23794/16494 Exp 1] 80 80 80
 7 cr1.slkut.ip.att.net (12.122.30.25) [MPLS: Labels 16216/16494 Exp 1] 80 80 80
 8 cr2.la2ca.ip.att.net (12.122.30.30) [MPLS: Labels 0/16494 Exp 1] 80 84 80
 9 cr84.la2ca.ip.att.net (12.123.30.249) [MPLS: Labels 0/16333 Exp 1] 76 80 80
10 gar2.lsrca.ip.att.net (12.122.129.49) 80 80 80
11 12.118.130.86 [AS 7018] 388 388 384
12 219.158.96.221 [AS 4837] 380 396 392
13 219.158.96.229 [AS 4837] 384 376 376
14 219.158.10.38 [AS 4837] 368 372 372
15 120.84.0.50 [AS 17816] 380 388 376
16 3.3.3.66 [AS 17622] 384 380 404 =====> [ (1.1.1.48) R1, (1.1.1.48) R1 gigabitethernet 0/1/0/6.313 (1.1.1.49) R2 gigabitethernet 0/1/0/6.313 ]
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

Check: gigabitethernet 0/1/0/6.313 on r2

RP/0/RSP0/CPU0:r2#show cef ipv4 drops location 0/1/CPU0 | inc RPF
Tue Mar 27 10:06:02.511 UTC
 RPF drops packets : 38410840
 RPF suppressed drops packets : 0
RP/0/RSP0/CPU0:r2#
RP/0/RSP0/CPU0:r2#show cef ipv4 drops location 0/1/CPU0 | inc RPF
Tue Mar 27 10:06:09.591 UTC
 RPF drops packets : 38412257
 RPF suppressed drops packets : 0
RP/0/RSP0/CPU0:r2#

B. The failure to reach 2.2.2.130:

route-server>trace 2.2.2.130
Type escape sequence to abort.
Tracing the route to 2.2.2.130
 1 gateway.cbbtier3.att.net (12.0.1.202) [AS 7018] 0 0 0
 2 n54ny401me3-cbbtier3.ip.att.net (12.89.5.13) [AS 7018] 8 16 16
 3 cr1.n54ny.ip.att.net (12.123.2.6) [MPLS: Label 16092 Exp 1] 80 108 84
 4 cr2.cgcil.ip.att.net (12.122.1.2) [MPLS: Labels 23256/16494 Exp 1] 80 80 80
 5 cr1.cgcil.ip.att.net (12.122.2.53) [MPLS: Labels 21629/16494 Exp 1] 80 80 80
 6 cr2.dvmco.ip.att.net (12.122.31.85) [MPLS: Labels 21370/16494 Exp 1] 84 80 80
 7 cr1.slkut.ip.att.net (12.122.30.25) [MPLS: Labels 20076/16494 Exp 1] 80 76 80
 8 cr2.la2ca.ip.att.net (12.122.30.30) [MPLS: Labels 0/16494 Exp 1] 80 80 80
 9 cr84.la2ca.ip.att.net (12.123.30.249) [MPLS: Labels 0/16333 Exp 1] 76 72 84
10 gar2.lsrca.ip.att.net (12.122.129.49) 80 76 80
11 12.118.130.86 [AS 7018] 316 316 320
12 219.158.97.9 [AS 4837] 304 296 304
13 219.158.11.153 [AS 4837] 296 284 280
14 219.158.19.82 [AS 4837] 284 * 288
15 120.82.0.150 [AS 17816] 288 292 292
16 3.3.3.74 [AS 17622] 304 304 300 =====> [ (1.1.1.49) R2, (1.1.1.49) R2 gigabitEthernet 0/1/0/6.313 (1.1.1.48) R1 gigabitEthernet 0/1/0/6.313 ]
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
route-server>

This is symmetric to problem A.

C. As for why the VRRP virtual address 2.2.2.129 can be pinged: it is because the packets do not take the detour through gigabitethernet 0/1/0/6.313.

route-server>trace 2.2.2.129
Type escape sequence to abort.
Tracing the route to 2.2.2.129
 1 gateway.cbbtier3.att.net (12.0.1.202) [AS 7018] 4 0 4
 2 n54ny401me3-cbbtier3.ip.att.net (12.89.5.13) [AS 7018] 4 0 0
 3 cr1.n54ny.ip.att.net (12.123.2.6) [MPLS: Label 16092 Exp 1] 72 68 76
 4 cr2.cgcil.ip.att.net (12.122.1.2) [MPLS: Labels 23256/16494 Exp 1] 72 72 72
 5 cr1.cgcil.ip.att.net (12.122.2.53) [MPLS: Labels 21629/16494 Exp 1] 76 72 72
 6 cr2.dvmco.ip.att.net (12.122.31.85) [MPLS: Labels 21370/16494 Exp 1] 72 72 72
 7 cr1.slkut.ip.att.net (12.122.30.25) [MPLS: Labels 20076/16494 Exp 1] 76 76 72
 8 cr2.la2ca.ip.att.net (12.122.30.30) [MPLS: Labels 0/16494 Exp 1] 72 72 72
 9 cr84.la2ca.ip.att.net (12.123.30.249) [MPLS: Labels 0/16333 Exp 1] 72 72 72
10 gar2.lsrca.ip.att.net (12.122.129.49) 68 72 72
11 12.118.130.86 [AS 7018] 268 268 272
12 219.158.96.245 [AS 4837] 268 272 276
13 219.158.3.121 [AS 4837] 252 256 256
14 219.158.19.86 [AS 4837] 260 256 256
15 120.84.0.34 [AS 17816] 336 344 336
16 * * 3.3.3.66 [AS 17622] 284 =====>
route-server>

Summary of the problem

The behaviour above occurs because an upstream router load-balances traffic to 58.248.19.128/28, and which path that router selects is determined by the result of the CEF hash. The hash inputs include (source address + destination address + ...):

12.0.1.x, 2.2.2.130
12.0.1.x, 2.2.2.131

Although these two pairs have the same source, their destinations differ, so they are hashed onto different links.

Lessons learned

Rules of loose-mode uRPF:
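1. Loose mode only checks whether the routing table contains a match for the source; it does not check the ingress interface.
2. However, if the source belongs to a locally directly connected network, loose mode also checks the ingress interface.
3. By default, the default route is not used as the basis for the uRPF check; allow-default must be enabled for that.

Related commands

show ip route
show cef ipv4 drops location x/x/x
traceroute x.x.x.x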
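
The three loose-mode uRPF rules listed under "Lessons learned", applied to R2's routes as shown in this case. This is an added example, not Cisco code or output from the routers: the function names, the RIB layout and the host 12.0.1.10 are assumptions, and the 3.3.3.72/30 entry is derived from the 3.3.3.74 255.255.255.252 uplink address on the page.

```python
import ipaddress

GI = "GigabitEthernet0/1/0/6.313"

# Constructed model of R2's IPv4 routes: (prefix, kind, egress interfaces).
R2_RIB = [
    ("0.0.0.0/0", "ospf", {"TenGigE0/0/0/0", "TenGigE0/1/0/0"}),
    ("2.2.2.128/28", "connected", {GI}),
    ("3.3.3.72/30", "connected", {"TenGigE0/0/0/0"}),
]


def longest_match(rib, src):
    """Return the most specific (network, kind, interfaces) covering src, or None."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), kind, ifs)
            for p, kind, ifs in rib if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def urpf_loose(rib, src, in_if, allow_default=False):
    """Model of 'reachable-via any' as the page describes it: (permit, reason)."""
    hit = longest_match(rib, src)
    if hit is None:
        return False, "no route to source"
    net, kind, ifs = hit
    # Rule 3: the default route does not count unless allow-default is set.
    if net.prefixlen == 0 and not allow_default:
        return False, "source matches only the default route"
    # Rule 2: a directly connected source must arrive on its own interface.
    if kind == "connected" and in_if not in ifs:
        return False, "connected source on wrong interface"
    # Rule 1: any other matching route is sufficient, whatever the ingress.
    return True, "source has a route"


if __name__ == "__main__":
    # Ping from the 12.0.1.0/24 test server, relayed by R1 across the VRRP LAN to R2.
    print(urpf_loose(R2_RIB, "12.0.1.10", GI))
    print(urpf_loose(R2_RIB, "12.0.1.10", GI, allow_default=True))
    # R1's own address arriving on the shared LAN versus on an uplink.
    print(urpf_loose(R2_RIB, "2.2.2.130", GI))
    print(urpf_loose(R2_RIB, "2.2.2.130", "TenGigE0/0/0/0"))
```

The first call corresponds to the rising "RPF drops packets" counter on R2 location 0/1/CPU0: the only route R2 has for the test server's source is 0.0.0.0/0.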