涉及产品和版本
S全系列交换机
所有版本
组网情况
现象描述
Switch_1上配置keepalive检测功能后,Switch_1上GRE隧道协议down,Switch_2上GRE隧道协议仍可以up。
原因分析
查看两端交换机的tunnel配置。
<Switch_1>displaycurrent-configurationinterfaceTunnel1 # interfaceTunnel1 ipaddress192.168.230.1255.255.255.252 tunnel-protocolgre keepalive source183.203.53.12 destination183.203.48.197 #<Switch_2>displaycurrent-configurationinterfaceTunnel1 # interfaceTunnel1 ipaddress192.168.230.2255.255.255.252 tunnel-protocolgre source183.203.48.197 destination183.203.53.12 #
查看两端交换机上的配置,以Switch_2上为例。
[Switch_2]displaycurrent-configurationinterfaceEth-Trunk1 # interfaceEth-Trunk1 descriptionTO-PC/MB-eth-trunk-3*10G portlink-typeaccess portdefaultvlan1000 traffic-policyABCinbound modelacp #[Switch_2]displaytrafficpolicyuser-defined UserDefinedTrafficPolicyInformation: Policy:ABC Classifier:guolv Operator:OR Behavior:guolv Permit Totalpolicynumberis1[Switch_2]displaytrafficclassifieruser-defined UserDefinedClassifierInformation: Classifier:guolv Precedence:5 Operator:OR Rule(s):if-matchacl3001 Totalclassifiernumberis1[Switch_2]displayacl3001 AdvancedACL3001,18rules Acl'sstepis5 rule5permitipsource183.203.46.00.0.0.255(match-counter0) rule10permitipsource183.203.47.00.0.0.128(match-counter0) rule15permitipsource183.203.48.00.0.0.64(match-counter0) rule20permitipsource183.203.49.00.0.0.32(match-counter0) rule25permittcpsource183.203.52.00.0.0.255(match-counter0) rule30permittcpsource221.131.53.20(match-counter0) rule35permitipsource10.231.140.00.0.0.255(match-counter0) rule40permitipsource10.231.138.00.0.0.255(match-counter0) rule45permitipsource10.231.137.00.0.0.255(match-counter0) rule50permitipsource10.231.136.00.0.0.255(match-counter0) rule55permitipsource10.231.141.00.0.0.255(match-counter0) rule60permitipsource10.231.142.00.0.0.255(match-counter0) rule65permitipsource10.231.143.00.0.0.255(match-counter0) rule70permitipsource10.231.144.00.0.0.255(match-counter0) rule100permittcpdestination-porteqwww(match-counter0) rule10000permittcptcp-flagack(match-counter0) rule10001permittcptcp-flagrst(match-counter0) rule4294967294denyip(match-counter0)
在Switch_2匹配ACL获取报文信息,可以看出Switch_1发送的keepalive报文如下:
报文到达Switch_2后,首先进行GRE解封装,去掉GRE头,内层的IP头的目的IP不是本机IP,于是会匹配traffic policy ABC,该报文会命中ACL3001的最后1个rule,报文被丢弃。Switch_1收不到回应的keepalive报文,GRE隧道down。
keepalive报文是不上送的,而是直接转发,因此重定向对keepalive报文是生效的。
处理步骤
修改重定向的ACL规则,使keepalive报文不被丢弃。
总结与建议
GRE隧道两端设备为SwitchA和SwitchB,SwitchA上配置keepalive后,SwitchA发送的keepalive报文在SwitchB上是不上送的,而是直接转发,到SwitchA后再上送。这点和普通的协议报文是不同的。
GRE的keepalive检测是单向的,不是双向的。
