[f-nsp] RPF filtering combined with link aggregation/etherchannel
Franz Georg Köhler
lists at openunix.de
Tue Mar 13 11:36:12 EDT 2012
Hello,
I have a setup with Fastiron switches connected via Ethernet link
aggregation to Netiron routers.
I was occasionally seeing servers being unreachable via IP while the
router was able to determine the server's ARP address.
I finally figured out that this seems to be related in some way to
the combined usage of Ethernet link aggregation and RPF strict mode
enabled on the LAG on the Netiron side.
When enabling RPF on the interface, the router begins to filter some IP
packets from those ports, while the IP route on the router directs to a
VE interface (802.1Q is in place here) that is bound to the LAG
interfaces (the router should, as I understand it, see a valid route
towards the packet's source interface).
I wonder if this is expected behaviour? The weird thing is that
packets are being dropped relatively rarely; most of the packets are
passing the router.
This made it difficult to find this problem's cause, and I am a bit
disappointed by the Foundry debugging capabilities (at least there is
a lack of documentation; the Foundry diagnostic guide doesn't even
refer to the debug packet or dm commands).
#show runn int eth 2/1
interface ethernet 2/1
enable
rpf-mode strict
!
#show ip route 85.195.100.2
Type Codes - B:BGP D:Connected I:ISIS O:OSPF R:RIP S:Static; Cost - Dist/Metric
BGP Codes - i:iBGP e:eBGP
ISIS Codes - L1:Level-1 L2:Level-2
OSPF Codes - i:Inter Area 1:External Type 1 2:External Type 2 s:Sham Link
        Destination        Gateway   Port     Cost   Type   Uptime
1       85.195.100.0/29    DIRECT    ve 342   0/0    D      61d14h
Topo HW idx : 65535 Topo SW idx: 257 Topo next vlan: 0
L2 protocols : NONE
Tagged Ports : ethe 2/1 to 2/4
----------------------------------------------------------
Port   Type    Tag-Mode   Protocol   State
2/1    TRUNK   TAGGED     NONE       FORWARDING
2/2    TRUNK   TAGGED     NONE       FORWARDING
2/3    TRUNK   TAGGED     NONE       FORWARDING
2/4    TRUNK   TAGGED     NONE       FORWARDING
Arp Inspection: 0
DHCP Snooping: 0
IPv4 Multicast Snooping: Disabled
IPv6 Multicast Snooping: Disabled
Bytes received : 11254605
#show arp 85.195.100.2
       IP Address       MAC Address       Type      Age   Port
1      85.195.100.2     000c.2915.7c96    Dynamic   0     2/1
#ping 85.195.100.2
Sending 1, 16-byte ICMP Echo to 85.195.100.2, timeout 5000 msec, TTL 64
Type Control-c to abort
Request timed out.
No reply from remote host.
(config)#interface ethernet 2/1
(config-if-e1000-2/1)#no rpf-mode strict
(config-if-e1000-2/1)#^Z
#ping 85.195.100.2
Sending 1, 16-byte ICMP Echo to 85.195.100.2, timeout 5000 msec, TTL 64
Type Control-c to abort
Reply from 85.195.100.2 : bytes=16 time=6ms TTL=64
Success rate is 100 percent (1/1), round-trip min/avg/max=6/6/6 ms.
#show lag vst10
Total number of LAGs: 7
Total number of deployed LAGs: 7
Total number of trunks created:7 (121 available)
LACP System Priority / ID: 1 / 001b.ed24.dc00
LACP Long timeout: 90, default: 90
LACP Short timeout: 3, default: 3
=== LAG "vst10" ID 10 (dynamic Deployed) ===
LAG Configuration:
Ports: e 2/1 to 2/4
Port Count: 4
Primary Port: 2/1
Trunk Type: hash-based
LACP Key: 100
Port Individual Configuration:
Port   Name
2/1    vst10
2/2    vst10
2/3    vst10
2/4    vst10
Deployment: Trunk ID 10, Active Primary 2/4, base fid: 0x0800
Port   Link   Port-State   Dupl   Speed   Trunk   Tag   Priori   MAC              Name    Type
2/1    Up     Forward      Full   1G      10      Yes   level0   001b.ed24.dc00   vst10   default-port
2/2    Up     Forward      Full   1G      10      Yes   level0   001b.ed24.dc00   vst10   default-port
2/3    Up     Forward      Full   1G      10      Yes   level0   001b.ed24.dc00   vst10   default-port
2/4    Up     Forward      Full   1G      10      Yes   level0   001b.ed24.dc00   vst10   default-port
Port   [Sys P]   [Port P]   [ Key ]   [Act]   [Tio]   [Agg]   [Syn]   [Col]   [Dis]   [Def]   [Exp]   [Ope]
2/1    1         1          100       Yes     L       Agg     Syn     Col     Dis     No      No      Ope
2/2    1         1          100       Yes     L       Agg     Syn     Col     Dis     No      No      Ope
2/3    1         1          100       Yes     L       Agg     Syn     Col     Dis     No      No      Ope
2/4    1         1          100       Yes     L       Agg     Syn     Col     Dis     No      No      Ope
Best regards,
Franz Georg Köhler
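Added example (not code from the post, the list, or Brocade/Foundry): a small Python model of what a strict versus loose unicast RPF check does when the route back to a source resolves to a VE that sits on a LAG, as in the post. The topology mirrors the output above (85.195.100.0/29 connected on "ve 342", bound to LAG "vst10" with members 2/1 to 2/4); the router's own VE address 85.195.100.1, a second LAG "vst20" carrying "ve 100" (used for the spoofing case), the choice of one "primary" physical port per LAG, and the per-flow hash that picks the ingress member are all assumptions of this model, not facts about the NetIron. The model shows a general property of strict RPF on aggregated links: the check is only sound if the ingress port is compared at the logical level (LAG/VE); comparing it against one physical member port drops every flow the hash lands on another member, and the drop rate then depends entirely on the hash, not on the packet being spoofed. It does not assert that this is what the router in the post is doing.

```python
"""Strict vs loose unicast RPF over a link-aggregation group (LAG).

Constructed model, not code from the original post or from Brocade/Foundry.
Assumed topology: 85.195.100.0/29 is a connected route on "ve 342", which is
bound to LAG "vst10" with member ports 2/1-2/4 (as in the post's output).
LAG "vst20" / "ve 100" and the router address 85.195.100.1 are invented.
The per-flow hash choosing the ingress member is a toy; real hardware differs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_if: str  # logical egress interface (a VE here)


# Constructed tables.
LAG_MEMBERS = {"vst10": ["2/1", "2/2", "2/3", "2/4"],
               "vst20": ["3/1", "3/2"]}
LAG_PRIMARY = {"vst10": "2/4", "vst20": "3/1"}  # one physical port per LAG (assumption)
VE_TO_LAG = {"ve 342": "vst10", "ve 100": "vst20"}
PORT_TO_LAG = {p: lag for lag, ports in LAG_MEMBERS.items() for p in ports}

FIB = [Route(ipaddress.ip_network("85.195.100.0/29"), "ve 342"),
       Route(ipaddress.ip_network("198.51.100.0/24"), "ve 100")]


def lookup(src: str):
    """Longest-prefix match on the packet's *source* address (the RPF lookup)."""
    ip = ipaddress.ip_address(src)
    matches = [r for r in FIB if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def ingress_member(src: str, dst: str, dport: int, lag: str) -> str:
    """Toy per-flow hash: which LAG member the upstream switch sends a flow on."""
    key = int(src.split(".")[-1]) + int(dst.split(".")[-1]) + dport
    members = LAG_MEMBERS[lag]
    return members[key % len(members)]


def rpf_check(src: str, ingress_port: str, mode: str = "strict",
              compare: str = "logical") -> bool:
    """Return True if the packet passes RPF.

    mode:    "strict" (route to source must point back out the ingress
             interface) or "loose" (any route to the source suffices).
    compare: "logical" compares the ingress port's LAG against the LAG the
             RPF route resolves to; "member" compares the physical ingress
             port against the LAG's single primary port (the unsound variant).
    """
    route = lookup(src)
    if route is None:
        return False  # no route back at all: dropped in both modes
    if mode == "loose":
        return True
    rpf_lag = VE_TO_LAG[route.out_if]
    if compare == "logical":
        return PORT_TO_LAG.get(ingress_port) == rpf_lag
    return ingress_port == LAG_PRIMARY[rpf_lag]


def run_flows(mode: str, compare: str) -> dict:
    """Four flows from the server 85.195.100.2 to the router, spread over vst10."""
    src, dst = "85.195.100.2", "85.195.100.1"  # router VE address is assumed
    results = {}
    for dport in (22, 53, 80, 443):
        port = ingress_member(src, dst, dport, "vst10")
        results[dport] = (port, rpf_check(src, port, mode, compare))
    return results


def passed(results: dict) -> int:
    return sum(1 for _, ok in results.values() if ok)


if __name__ == "__main__":
    for mode, cmp in (("strict", "logical"), ("strict", "member"), ("loose", "logical")):
        r = run_flows(mode, cmp)
        print(f"{mode:6} {cmp:7}: {passed(r)}/4 pass  {r}")
    # Spoofed source whose route points out a different LAG: strict drops it,
    # loose (which only asks "is there any route back?") lets it through.
    print("spoofed 198.51.100.5 on 2/1, strict:", rpf_check("198.51.100.5", "2/1"))
    print("spoofed 198.51.100.5 on 2/1, loose :", rpf_check("198.51.100.5", "2/1", "loose"))
```

The useful check when debugging a setup like the one above is the middle line of the output: with a correct (logical) comparison every legitimate flow passes regardless of which member it hashes onto, while a per-member comparison passes exactly the flows that happen to land on the compared port. If drops on a LAG with strict mode correlate with the flow tuple rather than with the source address, that is the signature to look for; loose mode avoids the problem but gives up the protection against sources routed out a different interface.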