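S9706: ACL policy delivery fails
2014/12/14 13:52:08
Problem description
The 9706 device holds three boards: the two 48-port boards support 1k ACLs in the outbound direction, and the 24-port board has an ACL capacity of 512. The ACLs are applied in the outbound direction of VLANs. Once ACL usage passed 500, an insufficient-capacity error was reported.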
Slot 1
             Vlan-ACL  Inbound-ACL  Outbound-ACL
----------------------------------------------------------------------------
Rule Used          10          956           646
Rule Free        2038         7236           378
Rule Total       2048         8192          1024
Slot 2
             Vlan-ACL  Inbound-ACL  Outbound-ACL
----------------------------------------------------------------------------
Rule Used          10          961           647
Rule Free        2038         7231           377
Rule Total       2048         8192          1024
Slot 3
             Vlan-ACL  Inbound-ACL  Outbound-ACL
----------------------------------------------------------------------------
Rule Used         158          916           481
Rule Free         866         3180            31
Rule Total       1024         4096           512
Alarm information
Dec 4 2014 10:14:14+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[87]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3149 classifier 3149 behavior 3149 acl 3149, rule 420)
Dec 3 2014 14:30:35+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[98]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3149 classifier 3149 behavior 3149 acl 3149, rule 10000)
Dec 3 2014 14:12:45+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[100]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3149 classifier 3149 behavior 3149 acl 3149, rule 10000)
Nov 20 2014 15:40:29+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[251]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 320)
Nov 20 2014 15:39:46+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[252]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 330)
Nov 19 2014 09:38:01+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[256]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 330)
Nov 19 2014 09:36:41+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[257]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 330)
Nov 17 2014 16:33:09+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[260]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 330)
Nov 17 2014 16:33:05+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[261]:Failed to send the data to the slot 3 device.
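Troubleshooting process
Check the logbuffer, then check the ACL resources: display acl resource
Root cause
All ACL policies are enabled under VLANs. An ACL policy enabled under a VLAN is delivered globally, that is, the main control board pushes it to every service board.
display acl resource shows that ACL usage on slot 1 and slot 2 is roughly 646 (the ACL resources actually in use), while slot 3 is at 481 (the upper limit is 512).
The cause of the problem: each rule occupies one ACL resource, and more than 100 ACL resources are still missing, so policy delivery fails.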
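The shortfall described above can be computed directly from the `display acl resource` output. The following Python sketch is an added example, not part of the original case or of any vendor tooling; the function names are illustrative, and it assumes that the board with the highest usage holds the complete globally delivered policy.

```python
import re

# `display acl resource` output from this page (spacing normalised, separator lines omitted).
SAMPLE = """\
Slot 1
Vlan-ACL Inbound-ACL Outbound-ACL
Rule Used 10 956 646
Rule Free 2038 7236 378
Rule Total 2048 8192 1024
Slot 2
Vlan-ACL Inbound-ACL Outbound-ACL
Rule Used 10 961 647
Rule Free 2038 7231 377
Rule Total 2048 8192 1024
Slot 3
Vlan-ACL Inbound-ACL Outbound-ACL
Rule Used 158 916 481
Rule Free 866 3180 31
Rule Total 1024 4096 512
"""
RULE = re.compile(r"Rule (Used|Free|Total)((?: +\d+)+)")

def parse_acl_resource(text):
    """Return {slot: {column: {"used": n, "free": n, "total": n}}}."""
    slots, slot, columns = {}, None, []
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"Slot (\d+)", line):
            slot = int(m.group(1))
        elif slot is not None and line.endswith("-ACL"):
            columns = line.split()            # header row names the columns
            slots[slot] = {c: {} for c in columns}
        elif slot is not None and (m := RULE.fullmatch(line)):
            values = [int(v) for v in m.group(2).split()]
            if len(values) != len(columns):
                raise ValueError(f"slot {slot}: column mismatch in {line!r}")
            for col, val in zip(columns, values):
                slots[slot][col][m.group(1).lower()] = val
    return slots

def outbound_shortfall(slots, column="Outbound-ACL"):
    """Entries each board lacks to hold the full globally delivered policy.
    Assumption: the highest 'used' count across boards is the full demand."""
    demand = max(s[column]["used"] for s in slots.values())
    return {n: max(0, demand - s[column]["total"]) for n, s in slots.items()}

if __name__ == "__main__":
    print(outbound_shortfall(parse_acl_resource(SAMPLE)))
```

Any slot with a non-zero shortfall is a board that will reject further rules of a VLAN-applied ACL, which is a useful pre-change check before extending such a policy.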
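Solution
1. Clarify the customer's requirements: can the outbound policies be trimmed down (permissive outbound), or enabled only on the relevant interfaces (so they are delivered only to the corresponding boards)?
2. Choose higher-specification boards.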
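Recommendations and summary
ACL resources in the outbound direction are relatively scarce; the inbound direction has more, 8 times as many as the outbound direction.
Following a "permissive inbound, strict outbound" approach, restrictions in the outbound direction can be reduced, or the ACLs can be enabled on the corresponding interfaces to reduce their use under VLANs; otherwise a bottleneck forms easily.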