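S9706 ACL policy delivery failure
2014/12/14 13:52:08
Problem description
The 9706 device contains 3 boards. The two 48-port boards support 1k ACLs in the outbound direction, and the 24-port board has an ACL capacity of 512. The ACLs are applied in the outbound direction of VLANs. When ACL usage reached a little over 500, an insufficient-capacity error was reported.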
Slot 1
             Vlan-ACL  Inbound-ACL  Outbound-ACL
----------------------------------------------------------------------------
Rule Used          10          956           646
Rule Free        2038         7236           378
Rule Total       2048         8192          1024
Slot 2
             Vlan-ACL  Inbound-ACL  Outbound-ACL
----------------------------------------------------------------------------
Rule Used          10          961           647
Rule Free        2038         7231           377
Rule Total       2048         8192          1024
Slot 3
             Vlan-ACL  Inbound-ACL  Outbound-ACL
----------------------------------------------------------------------------
Rule Used         158          916           481
Rule Free         866         3180            31
Rule Total       1024         4096           512
Alarm information
Dec 4 2014 10:14:14+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[87]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3149 classifier 3149 behavior 3149 acl 3149, rule 420)
Dec 3 2014 14:30:35+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[98]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3149 classifier 3149 behavior 3149 acl 3149, rule 10000)
Dec 3 2014 14:12:45+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[100]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3149 classifier 3149 behavior 3149 acl 3149, rule 10000)
Nov 20 2014 15:40:29+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[251]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 320)
Nov 20 2014 15:39:46+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[252]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 330)
Nov 19 2014 09:38:01+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[256]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 330)
Nov 19 2014 09:36:41+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[257]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 330)
Nov 17 2014 16:33:09+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[260]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 330)
Nov 17 2014 16:33:05+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[261]:Failed to send the data to the slot 3 device.
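Handling process
Check the logbuffer and check the ACL resources: display acl resource
Root cause
All ACL policies are enabled under VLANs. An ACL policy enabled under a VLAN is delivered globally, that is, the main control board delivers it to every service board.
display acl resource shows that the ACL usage on slot 1 and slot 2 is basically 646 (the ACL resources actually in use), while slot 3 is at 481 (upper limit 512).
The cause of the problem: one rule occupies one ACL resource, and slot 3 is still short by more than 100 ACL resources, so policy delivery fails.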
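An added example, not part of the original case or of any vendor tooling: a Python sketch that parses the per-slot counters from the `display acl resource` output quoted above and applies the root-cause reasoning. It assumes, as the case states, one ACL entry per rule and VLAN-applied policies delivered to every board; the function names are hypothetical.

```python
import re

# Per-slot counters copied from the `display acl resource` output quoted on
# this page (separator lines omitted).
SAMPLE = """\
Slot 1
Vlan-ACL Inbound-ACL Outbound-ACL
Rule Used 10 956 646
Rule Free 2038 7236 378
Rule Total 2048 8192 1024
Slot 2
Vlan-ACL Inbound-ACL Outbound-ACL
Rule Used 10 961 647
Rule Free 2038 7231 377
Rule Total 2048 8192 1024
Slot 3
Vlan-ACL Inbound-ACL Outbound-ACL
Rule Used 158 916 481
Rule Free 866 3180 31
Rule Total 1024 4096 512
"""

def parse_acl_resource(text):
    """Return {slot: {"Used"|"Free"|"Total": {column: count}}}."""
    slots, slot, cols = {}, None, []
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"Slot\s+(\d+)", line):
            slot = int(m.group(1))
            slots[slot] = {}
        elif line.startswith("Vlan-ACL"):
            cols = line.split()          # column order for the Rule rows
        elif slot is not None and (
                m := re.fullmatch(r"Rule\s+(Used|Free|Total)((?:\s+\d+)+)", line)):
            slots[slot][m.group(1)] = dict(zip(cols, map(int, m.group(2).split())))
    return slots

def capacity_shortfall(slots, column="Outbound-ACL"):
    """VLAN-applied policies go to every board, so each slot needs room for the
    full rule set. Demand is assumed to be the highest usage on any slot."""
    demand = max(s["Used"][column] for s in slots.values())
    return {n: demand - s["Total"][column]
            for n, s in slots.items() if s["Total"][column] < demand}

def slots_rejecting(slots, new_rules, column="Outbound-ACL"):
    """Slots whose free entries cannot hold `new_rules` more rules."""
    return sorted(n for n, s in slots.items() if s["Free"][column] < new_rules)

if __name__ == "__main__":
    parsed = parse_acl_resource(SAMPLE)
    print(capacity_shortfall(parsed), slots_rejecting(parsed, 40))
```

Running the same check before pushing a new VLAN-level policy shows which board will reject it, instead of finding out from the ACLE/3/DEVICE_DOWN log afterwards.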
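Solution
1. Clarify the customer's requirements: whether the outbound policies can be streamlined (lenient outbound), or enabled only under the relevant interfaces (so they are delivered only to the corresponding board).
2. Choose higher-specification boards.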
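Recommendations and summary
ACL resources in the outbound direction are relatively scarce, while those in the inbound direction are more plentiful, 8 times the outbound amount.
Following the "lenient in, strict out" policy, restrictions in the outbound direction can be reduced, or the ACLs can be enabled under the corresponding interfaces to reduce their use under VLANs; otherwise a bottleneck easily forms.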