acl使用情况
- 0关注
- 0收藏,53浏览
问题描述:
根据下述信息,请分析设备slot 2单板入方向的qos策略在仅修改acl的rule,不新增其他任何策略和接口下发的情况下,当前单板资源最多能支持新增多少条acl的rule。
[H3C-probe]display hardware internal qacl show acl-group slot 2 chip 0
+----------------------- acl group info --------------------------+
| Stage: IFP Group Id: 0 priority: 47 |
| KeySize: Single KeyType: 13 Type: SYSTEM |
| Blocks: 0x0001 HdrBlock: IACL 0 Reserved: YES |
+-----------------------------------------------------------------+
| Stage: IFP Group Id: 2 priority: 45 |
| KeySize: Single KeyType: 13 Type: SYS CID |
| Blocks: 0x0002 HdrBlock: IACL 1 Reserved: NO |
+-----------------------------------------------------------------+
| Stage: IFP Group Id: 1 priority: 36 |
| KeySize: Single KeyType: 13 Type: EXCP |
| Blocks: 0x0004 HdrBlock: IACL 2 Reserved: NO |
+-----------------------------------------------------------------+
| Stage: IFP Group Id: 3 priority: 25 |
| KeySize: Single KeyType: 13 Type: PFT L3 |
| Blocks: 0x0008 HdrBlock: IACL 3 Reserved: NO |
+-----------------------------------------------------------------+
| Stage: IFP Group Id: 4 priority: 14 |
| KeySize: Single KeyType: 13 Type: MQC |
| Blocks: 0x0010 HdrBlock: IACL 4 Reserved: NO |
+-----------------------------------------------------------------+
| Stage: EFP Group Id: 5 priority: 14 |
| KeySize: Single KeyType: 13 Type: MQC |
| Blocks: 0x0001 HdrBlock: EACL 0 Reserved: NO |
+-----------------------------------------------------------------+
[H3C-probe]display hardware internal qacl show acl-resc slot 2 chip 0
---------------Qacl Group UsedResc Info---------------
Acl Hw Block: IACL 0
======================================================
GroupType: SYSTEM
----------------------------------------------------
acl type usedEntries
[ 19]RX IPv4 High 1
[ 20]RX IPv6 High 4
[ 21]RX IPv4 Middle High 1
[ 23]RX IPv4 Middle 2
[ 24]RX IPv6 Middle 2
[ 25]RX Low 15
[ 28]SYS IPv6 Ping 3
[386]LLDP AVOID OFP 3
Acl Hw Block: IACL 1
======================================================
GroupType: SYS CID
----------------------------------------------------
acl type usedEntries
[152]VSI IPV6 ND DTC 4
[ 20]RX IPv6 High 1
[ 21]RX IPv4 Middle High 1
[ 25]RX Low 2
Acl Hw Block: IACL 2
======================================================
GroupType: EXCP
----------------------------------------------------
acl type usedEntries
[296]BGP TO CPU 4
[301]OSPFV6 TO CPU 3
[251]EXCP LOW 1
[ 32]VXLAN RM TAG 2
Acl Hw Block: IACL 3
======================================================
GroupType: PFT L3
----------------------------------------------------
acl type usedEntries
[ 88]PktFilter IP on VRF 5
Acl Hw Block: IACL 4
======================================================
GroupType: MQC
----------------------------------------------------
acl type usedEntries
[ 2]MQC Port 2
Acl Hw Block: EACL 0
======================================================
GroupType: MQC
----------------------------------------------------
acl type usedEntries
[ 2]MQC Port 2
@==========@================================================================@
| | Type Total Reserved Configured Remaining |
| @----------------------------------------------------------------@
| Global |ACL counter 0 0 0 0 |
| |Meter 0 0 0 0 |
| |Policer counter 0 0 0 0 |
| |Other counter 0 0 0 0 |
| @----------------------------------------------------------------@
| IGS |Policer 8191 100 4 8087 |
| |Policer Counter 3327 300 9 3018 |
| @----------------------------------------------------------------@
| EGS |Policer 2047 0 0 2047 |
| |Policer Counter 3839 0 0 3839 |
| @----------------------------------------------------------------@
| IACL 1 |Entry 1536 32 0 1504 |
| |Entry640 0 0 0 0 |
| |Block Counter 768 1 0 767 |
| @----------------------------------------------------------------@
| IACL 0 |Entry 1536 1536 0 0 |
| |Entry640 0 0 0 0 |
| |Block Counter 768 768 0 0 |
| @----------------------------------------------------------------@
| EACL 0 |Entry 512 0 4 508 |
| |Entry640 0 0 0 0 |
| |Block Counter 256 0 2 254 |
| @----------------------------------------------------------------@
| EACL 1 |Entry 512 0 0 512 |
| |Entry640 0 0 0 0 |
| |Block Counter 256 0 0 256 |
| @----------------------------------------------------------------@
| IACL 2 |Entry 1536 0 40 1496 |
| |Entry640 0 0 0 0 |
| |Block Counter 768 0 7 761 |
| @----------------------------------------------------------------@
| EACL 2 |Entry 512 0 0 512 |
| |Entry640 0 0 0 0 |
| |Block Counter 256 0 0 256 |
| @----------------------------------------------------------------@
| IACL 3 |Entry 1536 0 10 1526 |
| |Entry640 0 0 0 0 |
| |Block Counter 768 0 0 768 |
| @----------------------------------------------------------------@
| IACL 4 |Entry 512 0 4 508 |
| |Entry640 0 0 0 0 |
| |Block Counter 256 0 2 254 |
| @----------------------------------------------------------------@
| IACL 5 |Entry 512 0 0 512 |
| |Entry640 0 0 0 0 |
| |Block Counter 256 0 0 256 |
| @----------------------------------------------------------------@
| IACL 6 |Entry 512 0 0 512 |
| |Entry640 0 0 0 0 |
| |Block Counter 256 0 0 256 |
| @----------------------------------------------------------------@
| IACL 7 |Entry 512 0 0 512 |
| |Entry640 0 0 0 0 |
| |Block Counter 256 0 0 256 |
| @----------------------------------------------------------------@
| SCL Tcam|Entry 1024 0 0 1024 |
| |Entry640 0 0 0 0 |
| |Block Counter 512 0 0 512 |
| @----------------------------------------------------------------@
| SCL Hash|Entry 8192 0 0 8192 |
| |Entry640 0 0 0 0 |
| |Block Counter 0 0 0 0 |
@==========@================================================================@
[H3C-probe]display hardware internal qacl show slot 2 chip 0 verbose 0 acl-type 2
===============================================
Acl-Type[2] MQC Port, block IACL 4, SinglePort, Installed, Active
Prio 0x2e000000, Group 4, Expand to 1 Sdk Entry(ies):
PolicyID 105, CBMapID 0, ClassID 105, BehaviorID 106, IfmatchID 0 [IN]
ACL GroupNo : 3000, RuleID : 0
Sdk Entries --------
Key Type: Ipv4 Key
Entry Id: 41, Lport: 34, Class 72
Rule Match --------
Ports[1-0]: 00000000 00000000 00000000 00000000, 00000000 00000000 00000004 00000000
IP Type: Ipv4 packet
Source IP: 192.168.10.1, 255.255.255.255
Dest IP: 192.168.1.1, 255.255.255.255
Actions --------
Account, stats-id: 35
Stats Byte: 0, Pkt: 0
===============================================
[H3C-probe]sdk slot 2 chip 0 show/acl/entry-info/entry/41/detail
show acl entry-info entry 41 detail
No. ENTRY_ID GROUP_ID HW E_PRI G_PRI TYPE INDEX ACTION SIZE
-------------------------------------------------------------------------------------------------
1 41 4 Y 0x2E000000 4 TcamMacL3-320 176 Permit 320
最佳答案
一、核心前提梳理
- 入方向 = IFP IACL
- QoS 策略调用 ACL = 对应硬件组 Group 4 = IACL 4(MQC 类型,入方向)
- 业务实际占用:MQC Port 对应挂载在 IACL 4
二、提取 IACL4 资源台账
qacl show acl-resc 资源表摘出:IACL 4总 Entry:512已配置 Configured:4剩余 Remaining:508
三、排除不可用资源
- IACL0:Reserved 全占满(Total1536、Reserved1536、剩余 0),系统预留,不能新增业务 ACL
- IACL1/2/3:为系统 CID、异常上送、报文过滤专用,不承载普通 MQC QoS 的 ACL 规则
- EACL 是出方向,题目只关心入方向,不纳入计算
- 全局 Policer、Counter 剩余充足,无瓶颈,瓶颈只在IACL4 的 TCAM Entry
四、最终结论
补充说明
- 每条普通 IPv4/IPv6 ACL rule 占用 1 个 IACL4 Entry,当前已用 4 条,剩余 508 条可直接扩容;
- 无需考虑其他 IACL/EACL,因为 MQC QoS 入方向固定占用IACL4硬件组;
- IACL0 为系统独占,无法挪用给业务 ACL。
根据你提供的诊断信息,针对 slot 2 单板入方向QoS策略仅修改ACL rule 的场景,分析如下:
1. 定位资源归属
入方向QoS策略对应的硬件块是 IACL 4(Group 4,Type MQC,Stage IFP)。当前该块已用 4 个 Entry,且已用 2 个 Block Counter。
2. 资源瓶颈分析
从 display hardware internal qacl show acl-resc slot 2 chip 0 的 IACL 4 部分看到:
| 资源类型 | 总量 | 已用 | 剩余 |
|---|---|---|---|
| Entry | 512 | 4 | 508 |
| Block Counter | 256 | 2 | 254 |
每新增一条 ACL rule,底层会占用 1 个 Entry(verbose 信息中明确
Expand to 1 Sdk Entry)。由于当前策略的 behavior 已包含
account动作,每条新增 rule 都会自动继承统计需求,因此也必须占用 1 个 Block Counter。
3. 最终结论
新增 rule 数量受限于更紧张的 Block Counter 剩余量。
答案:最多可新增 254 条 ACL rule。
暂无评论
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论