某局点S10508X-G包过滤下发失败问题处理经验案例
- 0关注
- 0收藏 499浏览
组网及说明
组网不涉及
问题描述
包过滤下发失败,提示资源不足:
%Sep 1 16:10:41:006 2023 User-S10508X SHELL/6/SHELL_CMD: -Line=vty3-IPAddr=172.X.X.X-User=admin; Command is packet-filter 3042 inbound
%Sep 1 16:10:41:950 2023 User-S10508X PFILTER/3/PFILTER_IF_IPV4_DACT_NO_RES: -Chassis=2-Slot=6; Failed to apply or refresh the IPv4 default action to the inbound direction of interface Vlan-interface42. The resources are insufficient.
%Sep 1 16:10:42:113 2023 User-S10508X PFILTER/3/PFILTER_IF_IPV4_DACT_NO_RES: -Chassis=1-Slot=6; Failed to apply or refresh the IPv4 default action to the inbound direction of interface Vlan-interface42. The resources are insufficient.
过程分析
查看当前资源使用情况:
[User-S10508X-Vlan-interface42]dis qos-acl resource
Interfaces: GE1/6/0/1 to GE1/6/0/48, XGE1/6/0/49 to XGE1/6/0/52 (chassis 1 slot 6)
---------------------------------------------------------------------
Type Total Reserved Configured Remaining Usage
---------------------------------------------------------------------
IGS ACL 8192 1536 2844 3812 53%
EGS ACL 1536 0 4 1532 0%
IGS Counter 4096 768 1296 2032 50%
EGS Counter 768 0 0 768 0%
IGS Meter 8191 100 4 8087 1%
EGS Meter 2047 0 0 2047 0%
IMeter Counter 3327 300 12 3015 9%
EMeter Counter 3839 0 0 3839 0%
Interfaces: GE2/6/0/1 to GE2/6/0/48, XGE2/6/0/49 to XGE2/6/0/52 (chassis 2 slot 6)
---------------------------------------------------------------------
Type Total Reserved Configured Remaining Usage
---------------------------------------------------------------------
IGS ACL 8192 1536 2844 3812 53%
EGS ACL 1536 0 4 1532 0%
IGS Counter 4096 768 1296 2032 50%
EGS Counter 768 0 0 768 0%
IGS Meter 8191 100 4 8087 1%
EGS Meter 2047 0 0 2047 0%
IMeter Counter 3327 300 12 3015 9%
EMeter Counter 3839 0 0 3839 0%
查看板卡信息,报错的两个slot 6槽位板卡型号都是LSEM1GT48TSSD0:
===============display device verbose===============
Slot Type State Subslot Soft Ver Patch Ver
1/6 LSEM1GT48TSSD0 Normal 0 S10500XG-7753P07 None
2/6 LSEM1GT48TSSD0 Normal 0 S10500XG-7753P07 None
LSEM1GT48TSSD0单板IACL(入方向acl资源)有 8个block(编号0-7);前四个可以各下发1536条ACL,后四条可以各下发256条ACL;
0,1,2,7都已使用;4、5、6被合并到3中被PFT L3使用
====display hardware internal qacl show acl-resc chassis 1 slot 6 chip 0====
---------------Qacl Group UsedResc Info---------------
Acl Hw Block: IACL 0
======================================================
GroupType: SYSTEM
----------------------------------------------------
acl type usedEntries
[ 19]RX IPv4 High 1
[ 21]RX IPv4 Middle High 1
[ 23]RX IPv4 Middle 2
[ 25]RX Low 7
Acl Hw Block: IACL 1
======================================================
GroupType: DP PKT
----------------------------------------------------
acl type usedEntries
[240]DROP GROUP BFD INTF 1
Acl Hw Block: IACL 2
======================================================
GroupType: EXCP
----------------------------------------------------
acl type usedEntries
[267]EXCP HIGH 1
[273]OSPF TO CPU 3
Acl Hw Block: IACL 3
======================================================
GroupType: PFT L3
----------------------------------------------------
acl type usedEntries
[ 79]PktFilter IP on VRF 1411
Acl Hw Block: IACL 7
======================================================
GroupType: MQC
----------------------------------------------------
acl type usedEntries
[ 0]MQC Vlan 2
| @----------------------------------------------------------------@
| IACL 3 |Entry 3072 0 2822 250 |
| |Entry640 0 0 0 0 |
| |Block Counter 1536 0 1295 241 |
| @----------------------------------------------------------------@
包过滤缺省动作被配置为deny,会下发default action;而LSEM1GT48TSSD0单板芯片支持微分段,需要将微分段的包过滤拆分到新的Group;
packet-filter default deny
由于0,1,2,7都已使用;4、5、6被合并到3中被PFT L3使用,因此没有多余的BLOCK下发微分段default action;导致提示资源不足
解决方法
修改packet-filter default的缺省动作为permit方式,并在acl中配置rule xx deny ip来替代packet-filter default deny
该案例暂时没有网友评论
编辑评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作