全部
经验案例
典型配置
技术公告
FAQ
漏洞说明

全部
是
否

全部
是
否

大数据引擎
知了引擎

产品线		搜索取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式	默认策略匹配全词匹配整句

高级搜索

知

某局点S6800资源不足问题经验案例

2020-02-28 发表

0关注
0收藏 1638浏览

胡晓东七段

粉丝：15人关注：14人

组网及说明

设备：S6800

版本：2612P02

问题描述

S6800设备替换思科旧设备时，发现提示ACL资源不足：

PFILTER/3/PFILTER_IF_NO_RES，acl resource is insufficient.

过程分析

查看现场返回的诊断信息，发现packet filter下发到底层为double模式，共占用了6个slice，这6个slice,根据TD2+芯片规格，理论上可以提供2048+1024+1024=4096个entry，而现场已经使用了3977个entry。查看思科配置发现，思科设备是把一条超长的ACL（里边有462的rule），在33个vlan interface inbound方向上进行包过滤 ,这个操作需要消耗462*33=15246条slice资源。超出了设备规格，导致下发失败，最后提示资源不足的问题。

通过命令行查看底层资源查用情况，

[h3c-probe]debug qacl show acl-resc slot 2 chip 0

Pri 7, Group 3,usedEntries 130,mode Single, physlice 3/

=========================================

acl type usedEntries[130]

=========================================

[111]Policy Based Routing V4 130

======================================

-------------------------------------------------------------------------

Pri 8, Group 2,usedEntries 3977,mode Double, physlice 0/1/4/5/6/7/

=========================================

acl type usedEntries[3977]

=========================================

[96 ]PktFilter IP on VRF 3977

======================================

TD2+ 芯片规格：每个slice的entry ：

{2048, ,}, /* 0*/

{2048, }, /* 1 */

{2048, }, /* 2 */

{2048, }, /* 3 */

{1024, }, /* 4 */

{1024, ,}, /* 5 */

{1024, ,}, /* 6 */

{1024, ,}, /* 7 */

{1024, ,}, /* 8 */

{1024, ,}, /* 9 */

{1024, }, /* 10 */

{1024, ,}, /* 11 */

解决方法

1. 不合理的解决方法：

1.1 改成全局MQC上下发，占用462*2条资源，但是全局这种方案存在同时匹配L2/L3的潜在问题，不建议现场采用。

1.2 优化ACL规则，删减掉带gt和 range 的ACL条目，使ACL占用模式变成single.并且不能在33 个vlan interface这么多下发。改成在22个vlan interface 下发。或者再删除PBR 节省2K资源，在27 个vlan interface下发。这种方法不满足客户需求，也最终未采用。

例如：

rule 35 permit udp source 10.97.31.11 0 destination 10.97.32.0 0.0.0.255 destination-port gt 16384 ------删除

2. 合理的解决方法：

2.1 对ACL进行精简，起33个独立ACL，针对现网流量最大限度的减少rule条数。

2.2 使用9850设备替换，基于interface vlan的share mode，可以共享一份资源。可以实测成功下发：

[TD3_Tor_9850]display packet-filter interface

Interface: Vlan-interface10

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface11

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface12

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface13

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface14

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface15

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface16

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface17

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface18

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface19

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface20

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface21

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface22

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface23

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface24

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface25

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface26

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface27

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface28

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface29

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface30

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface31

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface32

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface33

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface134

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface135

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface136

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface137

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface138

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface139

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface140

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface141

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

Interface: Vlan-interface142

Inbound policy:

IPv4 ACL AL-Input-Standard, Share-mode

[TD3_Tor_9850-tcl-probe]debug qacl show acl-resc sl 1 c 0

---------------Qacl Group UsedResc Info---------------

Acl Hw Resource: VFP, Pipe:0

-------------------------------------------------------------------------

Pri 3, Group 5,usedEntries 16 ,mode Single, physlice 0/

=========================================

acl type usedEntries[16]

=========================================

[109]Pdt VFP FirstNh2Classid 16

======================================

-------------------------------------------------------------------------

Acl Hw Resource: EFP, Pipe:0

-------------------------------------------------------------------------

Acl Hw Resource: IFP, Pipe:0

-------------------------------------------------------------------------

Pri 120, Group 3,usedEntries 46 ,mode Double, physlice 6/7/

=========================================

acl type usedEntries[46]

=========================================

[23 ]RX Low 9

[25 ]Super_RX Low 1

[92 ]DATAPROTECT 1

[114]IFP LOW 1

[129]MPLS Vpn High 1

[153]PDT LOW INITIAL 1

[307]UntrustPriority 32

======================================

-------------------------------------------------------------------------

Pri 122, Group 7,usedEntries 1 ,mode Single, physlice 8/

=========================================

acl type usedEntries[1]

=========================================

[120]Policy Based Routing V4 1

======================================

-------------------------------------------------------------------------

Pri 123, Group 9,usedEntries 462,mode Double, physlice 3/4/

=========================================

acl type usedEntries[462]

=========================================

[96 ]PktFilter IP on VRF 462

======================================

-------------------------------------------------------------------------

Pri 125, Group 1,usedEntries 59 ,mode Triple, physlice 9/10/11/

=========================================

acl type usedEntries[59]

=========================================

[8 ]RX IPv4 High 5

[10 ]RX IPv4 Middle 29

[13 ]RX IPv6 High 8

[14 ]RX IPv6 Middle_High 1

[15 ]RX IPv6 Middle 3

[70 ]RX Middle Low 2

[87 ]STMVLAN_PERMIT 9

[88 ]STM_DENYALL 1

[152]PDT HIGH INITIAL 1

======================================

-------------------------------------------------------------------------

Acl Hw Resource: IFP, Pipe:1

-------------------------------------------------------------------------

Pri 120, Group 4,usedEntries 71 ,mode Double, physlice 6/7/

=========================================

acl type usedEntries[71]

=========================================

[23 ]RX Low 9

[25 ]Super_RX Low 1

[92 ]DATAPROTECT 1

[114]IFP LOW 1

[129]MPLS Vpn High 1

[153]PDT LOW INITIAL 1

[307]UntrustPriority 57

======================================

-------------------------------------------------------------------------

Pri 122, Group 8,usedEntries 1 ,mode Single, physlice 8/

=========================================

acl type usedEntries[1]

=========================================

[120]Policy Based Routing V4 1

======================================

-------------------------------------------------------------------------

Pri 123, Group 10,usedEntries 462,mode Double, physlice 3/4/

=========================================

acl type usedEntries[462]

=========================================

[96 ]PktFilter IP on VRF 462

======================================

-------------------------------------------------------------------------

Pri 125, Group 2,usedEntries 49 ,mode Triple, physlice 9/10/11/

=========================================

acl type usedEntries[49]

=========================================

[8 ]RX IPv4 High 5

[10 ]RX IPv4 Middle 29

[13 ]RX IPv6 High 8

[14 ]RX IPv6 Middle_High 1

[15 ]RX IPv6 Middle 3

[70 ]RX Middle Low 2

[152]PDT HIGH INITIAL 1

======================================

-------------------------------------------------------------------------

Acl Hw Resource: EXTERNAL, Pipe:0

-------------------------------------------------------------------------

ACL ext mode: disable

Acl Group RollBack Info Begin

Acl Group RollBack Info : VFP, Pipe 0

=====================================

GID PRI MODE SliceBitmap

-------------------------------------

5 3 Single 0x0001

======================================

Acl Hw Resource: VFP, Pipe 0

======================================

entrynum counternum meternum

total : 1024 0 0

total-reserved : 256 0 0

used-reserved : 16 0 0

used-useracl : 0 0 0

free-useracl : 768 0 0

======================================

------------------------------------------------------

Acl Group RollBack Info : EFP, Pipe 0

=====================================

GID PRI MODE SliceBitmap

-------------------------------------

======================================

Acl Hw Resource: EFP, Pipe 0

======================================

entrynum counternum meternum

total : 2048 1024 1024

total-reserved : 0 0 0

used-reserved : 0 0 0

used-useracl : 0 0 0

free-useracl : 2048 1024 1024

======================================

------------------------------------------------------

Acl Group RollBack Info : IFP, Pipe 0

=====================================

GID PRI MODE SliceBitmap

-------------------------------------

3 122 Double 0x00c0

7 124 Single 0x0100

1 125 Triple 0x0e00

======================================

Acl Hw Resource: IFP, Pipe 0

======================================

entrynum counternum meternum

total : 18432 18432 3072

total-reserved : 7680 7680 768

used-reserved : 538 72 56

used-useracl : 1849 0 0

free-useracl : 8903 10752 2304

======================================

------------------------------------------------------

Acl Group RollBack Info : IFP, Pipe 1

=====================================

GID PRI MODE SliceBitmap

-------------------------------------

4 122 Double 0x00c0

8 124 Single 0x0100

2 125 Triple 0x0e00

======================================

Acl Hw Resource: IFP, Pipe 1

======================================

entrynum counternum meternum

total : 18432 18432 3072

total-reserved : 7680 7680 768

used-reserved : 578 62 56

used-useracl : 1849 0 0

free-useracl : 8903 10752 2304

======================================

------------------------------------------------------

Acl Group RollBack Info : EXTERNAL, Pipe 0

=====================================

GID PRI MODE SliceBitmap

-------------------------------------

======================================

Acl Hw Resource: EXTERNAL, Pipe 0

======================================

entrynum counternum meternum

total : 0 0 0

total-reserved : 0 0 0

used-reserved : 0 0 0

used-useracl : 0 0 0

free-useracl : 0 0 0

======================================

------------------------------------------------------

[TD3_Tor_9850-tcl-probe]

[TD3_Tor_9850]display qos-acl re sl 1

Interfaces: HGE1/1/1 to HGE1/1/4, XGE1/1/5:1 to XGE1/1/6:4

HGE1/1/7, XGE1/1/8:1 to XGE1/1/8:4

FGE1/3/1 to FGE1/3/16 (slot 1)

---------------------------------------------------------------------

Type Total Reserved Configured Remaining Usage

---------------------------------------------------------------------

VFP ACL 1024 256 0 768 25%

IFP ACL 18432 7680 1849 8903 51%

IFP Meter 3072 768 0 2304 25%

IFP Counter 18432 7680 0 10752 41%

EFP ACL 2048 0 0 2048 0%

EFP Meter 1024 0 0 1024 0%

EFP Counter 1024 0 0 1024 0%

Interfaces: GE1/0/1 to GE1/0/2, XGE1/2/1 to XGE1/2/24

FGE1/2/25 to FGE1/2/26, WGE1/4/1 to WGE1/4/24

HGE1/4/25, XGE1/4/26:1 to XGE1/4/26:4 (slot 1)

---------------------------------------------------------------------

Type Total Reserved Configured Remaining Usage

---------------------------------------------------------------------

VFP ACL 1024 256 0 768 25%

IFP ACL 18432 7680 1849 8903 51%

IFP Meter 3072 768 0 2304 25%

IFP Counter 18432 7680 0 10752 41%

EFP ACL 2048 0 0 2048 0%

EFP Meter 1024 0 0 1024 0%

EFP Counter 1024 0 0 1024 0%

该案例对您是否有帮助：

您的评价：1

若您有关于案例的建议，请反馈：

0 个评论

该案例暂时没有网友评论

编辑评论

举报

×

侵犯我的权益 >

对根叔知了社区有害的内容 >

辱骂、歧视、挑衅等（不友善）

侵犯我的权益

×

泄露了我的隐私 >

侵犯了我企业的权益 >

抄袭了我的内容 >

诽谤我 >

辱骂、歧视、挑衅等（不友善）

骚扰我

泄露了我的隐私

×

您好，当您发现根叔知了上有泄漏您隐私的内容时，您可以向根叔知了进行举报。请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱，我们会尽快处理。

1. 您认为哪些内容泄露了您的隐私？（请在邮件中列出您举报的内容、链接地址，并给出简短的说明）
2. 您是谁？（身份证明材料，可以是身份证或护照等证件）

侵犯了我企业的权益

×

您好，当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时，您可以向根叔知了进行举报。请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱，我们会在审核后尽快给您答复。

1. 您举报的内容是什么？（请在邮件中列出您举报的内容和链接地址）
2. 您是谁？（身份证明材料，可以是身份证或护照等证件）
3. 是哪家企业？（营业执照，单位登记证明等证件）
4. 您与该企业的关系是？（您是企业法人或被授权人，需提供企业委托授权书）

我们认为知名企业应该坦然接受公众讨论，对于答案中不准确的部分，我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好，当您发现根叔知了上有诽谤您的内容时，您可以向根叔知了进行举报。请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱，我们会尽快处理。

1. 您举报的内容以及侵犯了您什么权益？（请在邮件中列出您举报的内容、链接地址，并给出简短的说明）
2. 您是谁？（身份证明材料，可以是身份证或护照等证件）

我们认为知名企业应该坦然接受公众讨论，对于答案中不准确的部分，我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔知了社区有害的内容

×

垃圾广告信息

色情、暴力、血腥等违反法律法规的内容

政治敏感

不规范转载 >

辱骂、歧视、挑衅等（不友善）

骚扰我

诱导投票

不规范转载

×

举报说明

✖

案例意见反馈

➤

网站相关: 关于我们; 服务条款; 帮助中心; 经验与权限; 积分规则

联系我们: 联系我们; 建议反馈

常用链接: 知了APP下载; 标杆的神器下载

关注我们: H3C官网; 新华三服务公众号; 安仔远程运维服务; 新华三商城

内容许可: 除特别说明外，用户内容均可采用知识共享署名-相同方式共享3.0中国大陆许可协议进行许可

Copyright©2024新华三集团保留一切权利当前呈现版本 NO.1

本图标版权归新华三集团所有，仅限本社区使用，切勿用做商业目的，违者必究

浙ICP备09064986号-1 浙公网安备 33010802004416号

✖

亲~登录后才可以操作哦!

确定

✖

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

✖

你的邮箱还未认证，请认证邮箱或绑定手机后进行当前操作

✖