
Case study: packet-filter application failure on an S10508X-G at a customer site

Published 2023-09-26

Network topology and description

Not applicable



Problem description

Applying the packet filter fails with an insufficient-resources message:

%Sep  1 16:10:41:006 2023 User-S10508X SHELL/6/SHELL_CMD: -Line=vty3-IPAddr=172.X.X.X-User=admin; Command is packet-filter 3042 inbound

%Sep  1 16:10:41:950 2023 User-S10508X PFILTER/3/PFILTER_IF_IPV4_DACT_NO_RES: -Chassis=2-Slot=6; Failed to apply or refresh the IPv4 default action to the inbound direction of interface Vlan-interface42. The resources are insufficient.

%Sep  1 16:10:42:113 2023 User-S10508X PFILTER/3/PFILTER_IF_IPV4_DACT_NO_RES: -Chassis=1-Slot=6; Failed to apply or refresh the IPv4 default action to the inbound direction of interface Vlan-interface42. The resources are insufficient.



Analysis

Check the current resource usage:

[User-S10508X-Vlan-interface42]dis qos-acl resource

Interfaces: GE1/6/0/1 to GE1/6/0/48, XGE1/6/0/49 to XGE1/6/0/52 (chassis 1 slot 6)

---------------------------------------------------------------------

Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

IGS ACL          8192       1536       2844       3812       53%

EGS ACL          1536       0          4          1532       0%

IGS Counter      4096       768        1296       2032       50%

EGS Counter      768        0          0          768        0%

IGS Meter        8191       100        4          8087       1%

EGS Meter        2047       0          0          2047       0%

IMeter Counter   3327       300        12         3015       9%

EMeter Counter   3839       0          0          3839       0%

 

Interfaces: GE2/6/0/1 to GE2/6/0/48, XGE2/6/0/49 to XGE2/6/0/52 (chassis 2 slot 6)

---------------------------------------------------------------------

Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

IGS ACL          8192       1536       2844       3812       53%

EGS ACL          1536       0          4          1532       0%

IGS Counter      4096       768        1296       2032       50%

EGS Counter      768        0          0          768        0%

IGS Meter        8191       100        4          8087       1%

EGS Meter        2047       0          0          2047       0%

IMeter Counter   3327       300        12         3015       9%

EMeter Counter   3839       0          0          3839       0%

Check the card information. The cards in the two slot 6 positions that reported the error are both model LSEM1GT48TSSD0:

  ===============display device verbose=============== 

Slot   Type                  State    Subslot  Soft Ver            Patch Ver

1/6    LSEM1GT48TSSD0        Normal   0        S10500XG-7753P07    None     

2/6    LSEM1GT48TSSD0        Normal   0        S10500XG-7753P07    None     

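The LSEM1GT48TSSD0 card has 8 IACL (inbound ACL resource) blocks, numbered 0-7; each of the first four can hold 1536 ACLs, and each of the last four can hold 256 ACLs.

Blocks 0, 1, 2 and 7 are all in use; blocks 4, 5 and 6 have been merged into block 3 and are used by PFT L3.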

 ====display hardware internal qacl show acl-resc chassis 1 slot 6 chip 0====

---------------Qacl Group UsedResc Info---------------

Acl Hw Block: IACL 0

======================================================

  GroupType: SYSTEM

  ----------------------------------------------------

    acl type                   usedEntries

    [ 19]RX IPv4 High                1  

    [ 21]RX IPv4 Middle High         1  

    [ 23]RX IPv4 Middle              2  

    [ 25]RX Low                      7  

Acl Hw Block: IACL 1

======================================================

  GroupType: DP PKT

  ----------------------------------------------------

    acl type                   usedEntries

    [240]DROP GROUP BFD INTF         1  

Acl Hw Block: IACL 2

======================================================

 GroupType: EXCP

  ----------------------------------------------------

    acl type                   usedEntries

    [267]EXCP HIGH                   1  

    [273]OSPF TO CPU                 3  

Acl Hw Block: IACL 3

======================================================

 GroupType: PFT L3

  ----------------------------------------------------

    acl type                   usedEntries

    [ 79]PktFilter IP on VRF         1411

Acl Hw Block: IACL 7

======================================================

  GroupType: MQC

  ----------------------------------------------------

    acl type                   usedEntries

    [  0]MQC Vlan                    2  

|          @----------------------------------------------------------------@

|  IACL 3  |Entry           3072        0           2822        250         |

|          |Entry640        0           0           0           0           |

|          |Block Counter   1536        0           1295        241         |

|          @----------------------------------------------------------------@

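The packet-filter default action is configured as deny, so a default action is applied to hardware. The chip on the LSEM1GT48TSSD0 card supports microsegmentation, so the microsegmentation packet filter has to be split out into a new Group.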

packet-filter default deny

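Because blocks 0, 1, 2 and 7 are all in use and blocks 4, 5 and 6 have been merged into block 3 for PFT L3, there is no spare block left for the microsegmentation default action, which is why the insufficient-resources message appears.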
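The block check described above, as an added Python example (not H3C tooling and not part of the original case): it parses the block dump, applies the merge of blocks 4-6 into block 3 stated in the text, and lists the blocks that no group owns. `SAMPLE`, `MERGED` and the function names are assumptions made for this example.

```python
import re

# Constructed sample: the block/group lines from the dump shown above
# (display hardware internal qacl show acl-resc chassis 1 slot 6 chip 0).
SAMPLE = """\
Acl Hw Block: IACL 0
  GroupType: SYSTEM
Acl Hw Block: IACL 1
  GroupType: DP PKT
Acl Hw Block: IACL 2
 GroupType: EXCP
Acl Hw Block: IACL 3
 GroupType: PFT L3
    [ 79]PktFilter IP on VRF         1411
Acl Hw Block: IACL 7
  GroupType: MQC
"""
TOTAL_BLOCKS = 8         # IACL 0-7 on this card, per the article
MERGED = {3: (4, 5, 6)}  # blocks 4, 5, 6 merged into 3, per the article

def block_owners(dump, merged=MERGED):
    """Map each IACL block number to the group type that owns it."""
    owners, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"\s*Acl Hw Block:\s*IACL\s+(\d+)", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"\s*GroupType:\s*(.+?)\s*$", line)
        if m and current is not None:
            owners[current] = m.group(1)
    # A merged block belongs to the group of the block it was merged into.
    for parent, children in merged.items():
        for child in children:
            if parent in owners:
                owners[child] = owners[parent]
    return owners

def free_blocks(dump, merged=MERGED):
    """Blocks owned by no group; a new group type needs one of these."""
    owners = block_owners(dump, merged)
    return [b for b in range(TOTAL_BLOCKS) if b not in owners]

if __name__ == "__main__":
    for blk, grp in sorted(block_owners(SAMPLE).items()):
        print(f"IACL {blk}: {grp}")
    # An empty list means a new group (here, the default action) cannot be placed.
    print("free blocks:", free_blocks(SAMPLE))
```

The summary table reports 3812 IGS ACL entries remaining, yet the free-block list is empty, which is the condition the log message reports.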



Solution

Change the packet-filter default action to permit, and configure rule xx deny ip in the ACL to replace packet-filter default deny.