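NE40E ------- third-party vendor C device
NE40E V800R006C20SPC100
When the NE40E pings the third-party device, no packets are lost if the -r option is specified; without it, ping packets are lost intermittently (always reproducible).
A cpu-defend policy is applied to slot 1 of the NE40E. After it is removed, ping works normally regardless of the options used.
Key configuration: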
#
acl number 3341
description ping-tracert
rule 10 permit icmp icmp-type echo-reply
rule 15 permit icmp icmp-type ttl-exceeded
rule 20 permit icmp icmp-type port-unreachable
rule 25 permit icmp icmp-type echo
#
cpu-defend policy 10
process-sequence whitelist user-defined-flow blacklist
user-defined-flow 22 acl 3341
car user-defined-flow 22 cir 32 cbs 15000
priority user-defined-flow 22 low
#
slot 1
cpu-defend-policy 10
load-balance hash-fields mpls payload-header
undo load-balance dynamic-adjust enable
#
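Troubleshooting process
Differences between ping with -r and ping without -r:
1. Packet encapsulation:
The two kinds of packet differ in length. With the -r option, a 40-byte options field is added to the ICMP request and reply packets.
2. Internal processing:
1) With -r, the IP header carries options, so the packet is not sent up through the user-defined flow channel; it uses the internal channel provided for packets whose IP header carries options.
Without -r, the IP header carries no options, so the packet is sent up through the user-defined flow channel.
2) In addition, on the device being pinged: with -r, the packet is sent to the board CPU; without -r, it takes the fast-reply path and is not sent to the board CPU.
Check the CPU drop counters: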
[~CBR-AGN-1.OE25]diagnose
[~CBR-AGN-1.OE25-diagnose]display cpu-defend statistics-all slot 1
Index CarID Packet-Info Passed Packets Dropped Packets
==================================================================================================
15 191 IPV4_ARP_REPLY 286 0
15 190 IPV4_ARP_REQUEST 22 0
18 25 LACP 2544 0
39 31 IPV4_TTL_EXPIRED 1121852 118175
48 248 TCPSYN 1414 0
50 82 IPV4_ARP_MISS 2290 0
108 146 TSU_4_OVER_6_TUNNEL_INDEX_MISS0 1
109 160 LLDP 7059 0
128 508 User-defined Flow 4 23713 0
145 491 User-defined Flow 21 709 0
146 490 User-defined Flow 22 161527 56882
<CBR-AGN-1.OE25>ping -c 1000 -m 50 x.x.66.225
PING x.x.66.225: 56 data bytes, press CTRL_C to break
Reply from x.x.66.225: bytes=56 Sequence=1 ttl=255 time=64 ms
……………………
Reply from x.x.66.225: bytes=56 Sequence=1000 ttl=255 time=64 ms
--- 116.251.66.225 ping statistics ---
1000 packet(s) transmitted
966 packet(s) received
3.40% packet loss
round-trip min/avg/max = 64/64/87 ms
[~CBR-AGN-1.OE25-diagnose]display cpu-defend statistics-all slot 1
Index CarID Packet-Info Passed Packets Dropped Packets
==================================================================================================
15 191 IPV4_ARP_REPLY 286 0
15 190 IPV4_ARP_REQUEST 22 0
18 25 LACP 2568 0
39 31 IPV4_TTL_EXPIRED 1131640 119154
48 248 TCPSYN 1425 0
50 82 IPV4_ARP_MISS 2308 0
108 146 TSU_4_OVER_6_TUNNEL_INDEX_MISS0 1
109 160 LLDP 7119 0
128 508 User-defined Flow 4 23915 0
145 491 User-defined Flow 21 709 0
146 490 User-defined Flow 22 163882 57411
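Based on the differences above and the current cpu-defend information, ping without -r loses packets because all ICMP packets sent to the CPU on this board together exceed the configured bandwidth (User-defined Flow 22 is configured with 32K). After the cpu-defend-policy is deleted, the bandwidth limit is lifted, so packets are no longer lost.
With -r, the available bandwidth is also relatively large (a 512K shared channel, used by all packets whose IP header carries options when they are sent up), so no packets are lost either.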
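The before/after counter comparison used in this analysis, as an added example that is not part of the original case: it parses two captures of `display cpu-defend statistics-all` and reports which CAR entries dropped packets during the test. The sample rows are copied from the output above; the function names and the regular expression are assumptions of this example, and rows whose columns run together (such as the TSU_4_OVER_6 line) are skipped rather than guessed at.

```python
import re

# Rows copied from the two "display cpu-defend statistics-all slot 1" captures
BEFORE = """\
39 31 IPV4_TTL_EXPIRED 1121852 118175
48 248 TCPSYN 1414 0
108 146 TSU_4_OVER_6_TUNNEL_INDEX_MISS0 1
128 508 User-defined Flow 4 23713 0
146 490 User-defined Flow 22 161527 56882
"""
AFTER = """\
39 31 IPV4_TTL_EXPIRED 1131640 119154
48 248 TCPSYN 1425 0
108 146 TSU_4_OVER_6_TUNNEL_INDEX_MISS0 1
128 508 User-defined Flow 4 23915 0
146 490 User-defined Flow 22 163882 57411
"""

# Index, CarID, Packet-Info (may contain spaces), Passed, Dropped
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s*$")

def parse_stats(text):
    """Return {car_id: (packet_info, passed, dropped)}; skip unparsable rows."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # headers, separators and rows with fused columns do not match
            stats[int(m.group(2))] = (m.group(3), int(m.group(4)), int(m.group(5)))
    return stats

def drop_deltas(before, after):
    """List (packet_info, car_id, passed_delta, dropped_delta) for CARs that dropped."""
    old, new = parse_stats(before), parse_stats(after)
    rows = []
    for car_id, (name, passed, dropped) in new.items():
        if car_id not in old:
            continue  # no baseline to compare against
        d_pass, d_drop = passed - old[car_id][1], dropped - old[car_id][2]
        if d_drop > 0:
            rows.append((name, car_id, d_pass, d_drop))
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for name, car_id, d_pass, d_drop in drop_deltas(BEFORE, AFTER):
        print(f"CarID {car_id:<4} {name:<22} passed +{d_pass:<6} dropped +{d_drop}")
```

Entries keyed by CarID rather than Index, because Index 15 appears twice in the output.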
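Root cause
The device's internal processing differs depending on whether ping carries the -r option. Ping without -r goes through the user-defined flow (controlled by the global car user-defined-flow), and packets are dropped when the user-defined flow bandwidth is exceeded.
Solution
Delete the cpu-policy
Recommendations and summary
Note that our devices process ping differently depending on the options it carries. The device limits the various protocol packets sent to the CPU, so pay attention to the thresholds.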