无
问题描述:现场设备1/4单板是FX单板,在ten1/4/0/47,ten1/4/0/48端口应用流镜像到端口1/4/0/45,提示资源不足
Nov 29 17:43:15:591 2021 HQ-OA-S12510-ST-C01 QOS/4/QOS_POLICY_APPLYIF_CBFAIL: -Chassis=1-Slot=4; Failed to apply classifier-behavior TAP-Mirror in policy TAP-Mirror to the outbound direction of interface Ten-GigabitEthernet1/4/0/47. Not enough resources are available to complete the operation.
Nov 29 17:43:26:968 2021 HQ-OA-S12510-ST-C01 QOS/4/QOS_POLICY_APPLYIF_CBFAIL: -Chassis=1-Slot=4; Failed to apply classifier-behavior TAP-Mirror in policy TAP-Mirror to the inbound direction of interface Ten-GigabitEthernet1/4/0/48. Not enough resources are available to complete the operation.
Nov 29 17:43:28:623 2021 HQ-OA-S12510-ST-C01 QOS/4/QOS_POLICY_APPLYIF_CBFAIL: -Chassis=1-Slot=4; Failed to apply classifier-behavior TAP-Mirror in policy TAP-Mirror to the outbound direction of interface Ten-GigabitEthernet1/4/0/48. Not enough resources are available to complete the operation.
Nov 29 17:52:54:128 2021 HQ-OA-S12510-ST-C01 QOS/4/QOS_POLICY_APPLYIF_CBFAIL: -Chassis=1-Slot=4; Failed to apply classifier-behavior TAP-Mirror in policy TAP-Mirror to the inbound direction of interface Ten-GigabitEthernet1/4/0/47. Not enough resources are available to complete the operation.
查看1/4单板的底层acl资源,出方向只占了bank10,入方向占了bank0-10.下发流镜像时出入方向都提示资源不足。删除sflow后还是提示资源不足。
====debug qacl show acl-resc chassis 1 slot 4 chip 1====
---------------Qacl Group UsedResc Info---------------
Acl Hw Resource: EFP
------------------------------------------------------
L2 PROGRAM : Line 0x8000-0 ProId 0
------------------------------------------------------
Pri 1, Group 7,usedEntries 30,mode Single,
ResDb 7, KeySize 160Bit, Bank 10/First-pass KeyA
=========================================
acl type usedEntries[30]
=========================================
[96 ]PktFilter IP on VRF 30
======================================
Qset Info:
SrcIp-ForwardingType-StageEgress-Ip4-OutVPort-
Aset Info:
PrioIntNew-RedirectPort-Drop-MirrorEgress-DropPrecedence-RedirectVportPort-Stat0-QosMapIdNew-
------------------------------------------------------
------------------------------------------------------
Acl Hw Resource: IFP
------------------------------------------------------
IPV6 PROGRAM : Line 0x0-8 ProId 8 PriPoll 1
------------------------------------------------------
Pri 91, Group 1,usedEntries 9,mode Quad,
ResDb 1, KeySize 320Bit, Bank 0/1/Second-pass KeyA/B
=========================================
acl type usedEntries[9]
=========================================
[14 ]RX IPv6 Middle_High 1
[70 ]RX Middle Low 2
[74 ]SFLOW 2
[110]IFP HIGH 1
[141]PDT HIGH INITIAL 1
[239]Rport Isolate 2
======================================
Qset Info:
DstIp6-DstIp6High-DstIp6Low-DstMac-InPort-Drop-L4SrcPort-L4DstPort-EtherType-IpProtocol-DstPort-IpType-ForwardingType-StageIngress-IpFrag-Ip6-MplsTerminated-IngressStpState-L3DestRouteHit-DstL3Egress-DstMulticastGroup-FlowId-
Aset Info:
PrioIntNew-DropPrecedence-VportTcNew-Stat0-PolicerLevel0-Trap-UsePolicerResult-Snoop-
------------------------------------------------------
------------------------------------------------------
Acl Hw Resource: IFP
------------------------------------------------------
L2 PROGRAM : Line 0x0-1f0 ProId 12 PriPoll 2
------------------------------------------------------
Pri 92, Group 2,usedEntries 126,mode Quad,
ResDb 2, KeySize 320Bit, Bank 0/1/Second-pass KeyA/B
=========================================
acl type usedEntries[126]
=========================================
[8 ]RX IPv4 High 81
[9 ]RX IPv4 Middle High 2
[10 ]RX IPv4 Middle 31
[47 ]OAM-High 2
[70 ]RX Middle Low 3
[74 ]SFLOW 2
[110]IFP HIGH 3
[239]Rport Isolate 2
======================================
Qset Info:
DstMac-DstIp-InPort-Drop-L4SrcPort-L4DstPort-EtherType-IpProtocol-Ttl-DstPort-ForwardingType-StageIngress-InterfaceClassL2-IpFrag-Ip4-MplsTerminated-IngressStpState-DstL3Egress-DstMulticastGroup-FlowId-
Aset Info:
PrioIntNew-DropPrecedence-VportTcNew-Stat0-PolicerLevel0-Trap-UsePolicerResult-Snoop-
------------------------------------------------------
Pri 56, Group 3,usedEntries 1430,mode Quad,
ResDb 3, KeySize 320Bit, Bank 2/3/6/7/First-pass KeyC/D
=========================================
acl type usedEntries[1430]
=========================================
[96 ]PktFilter IP on VRF 1430
======================================
Qset Info:
SrcIp-DstIp-RangeCheck-L4SrcPort-L4DstPort-EtherType-IpProtocol-TcpControl-ForwardingType-StageIngress-Ip4-IngressStpState-ForwardingVlanId-
Aset Info:
DropPrecedence-Stat0-
------------------------------------------------------
Pri 38, Group 4,usedEntries 450,mode Double,
ResDb 4, KeySize 320Bit, Bank 4/5/Second-pass KeyC/D
=========================================
acl type usedEntries[450]
=========================================
[0 ]MQC Vlan 450
======================================
Qset Info:
SrcIp-DstIp-EtherType-StageIngress-Ip4-IngressStpState-ForwardingVlanId-
Aset Info:
PrioIntNew-VportTcNew-Stat0-PolicerLevel0-UsePolicerResult-
------------------------------------------------------
------------------------------------------------------
Acl Hw Resource: IFP
------------------------------------------------------
VXLAN OVERLAY PROGRAM : Line 0x20000000-0 ProId 9 PriPoll 4
------------------------------------------------------
Pri 4, Group 6,usedEntries 2,mode Single,
ResDb 6, KeySize 80Bit, Bank 9/First-pass KeyA
=========================================
acl type usedEntries[2]
=========================================
[236]SFLOW VXLAN ROO 2
======================================
Qset Info:
InPort-StageIngress-
Aset Info:
Snoop-
------------------------------------------------------
------------------------------------------------------
Acl Hw Resource: IFP
------------------------------------------------------
VXLAN DEFAULT PROGRAM : Line 0x40000000-0 ProId 7 PriPoll 0
------------------------------------------------------
Pri 90, Group 0,usedEntries 3,mode Single,
ResDb 0, KeySize 320Bit, Bank 0/1/Second-pass KeyC/D
=========================================
acl type usedEntries[3]
=========================================
[74 ]SFLOW 2
[141]PDT HIGH INITIAL 1
======================================
Qset Info:
InPort-StageIngress-MplsTerminated-
Aset Info:
PrioIntNew-VportTcNew-Stat0-PolicerLevel0-Trap-UsePolicerResult-Snoop-
------------------------------------------------------
------------------------------------------------------
Acl Hw Resource: IFP
------------------------------------------------------
MPLS PROGRAM : Line 0xff80000-0 ProId 11 PriPoll 3
------------------------------------------------------
Pri 93, Group 5,usedEntries 2,mode Single,
ResDb 5, KeySize 80Bit, Bank 8/Second-pass KeyA
=========================================
acl type usedEntries[2]
=========================================
[74 ]SFLOW 2
======================================
Qset Info:
InPort-StageIngress-
Aset Info:
Snoop-
以上排查说明交换机acl资源是足够的,再看下镜像资源
流镜像配置如下:
traffic classifier TAP-Mirror operator and
if-match acl 3900
acl number 3900
rule 10 permit ip source 10.19.0.0 0.0.255.255
rule 20 permit ip destination 10.19.0.0 0.0.255.255
traffic behavior TAP-Mirror
mirror-to interface Ten-GigabitEthernet1/4/0/45
看设备只有一个流镜像mirror-to配置,应用在同一单板同一芯片端口的both方向,这种情况只会占用该芯片两个镜像资源。而FX单板单芯片出入方向共6个资源,说明镜像资源是足够流镜像配置使用的。
那么设备上是否其他配置也会占用流镜像呢?
设备上同时有包过滤配置如下,acl 2100中rule规则一共有11个logging字段,含该字段的acl在底层下发时有一个流统动作,而出方向流统会占用出方向镜像资源。结合前面提到的FX单板单芯片出入方向共6个资源,说明是镜像资源不足了,导致流镜像无法下发成功。
#
interface Vlan-interface100
ip address 10.19.253.254 255.255.255.0
arp send-gratuitous-arp
packet-filter 2100 outbound
ntp-service broadcast-server authentication-keyid 1
#
acl number 2100
description ** NET-MGT VLAN Out ACL **
step 10
rule 0 permit source 10.2.32.200 0.0.0.3 logging
rule 0 comment permit ip MGMT servers
rule 10 permit source 10.16.28.200 0.0.0.3 logging
rule 20 permit source 10.5.10.180 0.0.0.3 logging
rule 30 permit source 10.6.10.180 0.0.0.3 logging
rule 40 permit source 10.5.10.200 0.0.0.3 logging
rule 50 permit source 10.6.10.200 0.0.0.3 logging
rule 60 permit source 10.6.10.11 0 logging
rule 70 permit source 10.5.10.11 0 logging
rule 80 permit source 10.5.10.32 0.0.0.15
rule 90 permit source 10.6.10.32 0.0.0.15
rule 100 permit source 10.5.1.0 0.0.0.31
rule 110 permit source 10.6.1.0 0.0.0.31
rule 120 permit source 10.16.71.64 0.0.0.15
rule 120 comment permit ip hosts in IT department of HQ
rule 130 permit source 10.19.71.64 0.0.0.31
rule 140 permit source 10.5.76.0 0.0.0.255
rule 140 comment permit ip hosts in IT YunWei of DC-OM
rule 150 permit source 10.5.77.0 0.0.0.255
rule 160 permit source 10.6.76.0 0.0.0.255
rule 170 permit source 10.6.77.0 0.0.0.255
rule 180 permit source 10.5.206.0 0.0.0.255
rule 180 comment permit ip hosts in DaiWai Outband
rule 190 permit source 10.6.206.0 0.0.0.255
rule 200 permit source 10.1.248.0 0.0.7.255
rule 200 comment permit ip interface address of DC and LDR router and switch
rule 210 permit source 10.2.248.0 0.0.7.255
rule 220 permit source 10.3.248.0 0.0.7.255
rule 230 permit source 10.5.248.0 0.0.7.255
rule 240 permit source 10.6.248.0 0.0.7.255
rule 250 permit source 10.7.240.0 0.0.15.255
rule 260 permit source 10.8.240.0 0.0.15.255
rule 270 permit source 10.230.248.0 0.0.7.255
rule 270 comment permit ip interface address of old DR router and switch
rule 280 permit source 10.231.248.0 0.0.7.255
rule 290 permit source 10.19.240.0 0.0.15.255
rule 290 comment permit ip BaoLeiJi servers
rule 300 permit source 10.5.7.0 0.0.0.15 logging
rule 310 permit source 10.6.7.0 0.0.0.15 logging
rule 310 comment permit ip ZhunRu Servers
rule 320 permit source 10.6.6.20 0
rule 330 permit source 10.6.6.36 0.0.0.3
rule 340 deny logging
#
结合实际情况,对rule规则中的logging字段做删减,预留足够的镜像资源
该案例暂时没有网友评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作