1676540326,

组网及说明

S12508为下联设备，上联设备对接CR，俩台S12508为M-lag部署，每台出八条链路对接CR，S12508上联物理链路做QOS策略入方向策略。

问题描述

S12508原本的就有QOS入方向策略，现在在ACL里添加新的rule ，rule对源地址，源端口，目的地址做入方向限制，添加后远程非常卡，不稳定，有时候会卡中断，删除添加的rule恢复正常，日志提示资源不足。

 

QOS/4/QOS_POLICY_APPLYIF_CBFAIL: -Slot=3; Failed to apply classifier-behavior media_ip in policy policy_inbound to the inbound direction of interface Ten-GigabitEthernet3/0/27. Not enough resources to complete the operation.

 

%Dec  6 17:43:52:368 2022 SQL-5F-F1-5-IPTV(H3C)-S12508-1 RESMON/3/RESMON_SEVERE: -Slot=3; -Resource=mqcin-Total=1536-Used=1528-Free=8; Free resource decreased to or below severe threshold 10%.

 

Interfaces: XGE3/0/1 to XGE3/0/48 (slot 3)

---------------------------------------------------------------------

Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

VFP ACL          1024       512        0          512        50%

IFP ACL          18432      7680       5724       5028       72%

IFP Meter        3072       768        0          2304       25%

IFP Counter      18432      7680       8          10744      41%

EFP ACL          2048       512        0          1536       25%

EFP Meter        1024       256        0          768        25%

EFP Counter      1024       256        0          768        25%

过程分析

设备资源不足了，收集了如下命令：

 display QoS-ACL resource advanced-mode slot 3

%Dec  6 17:43:52:368 2022 SQL-5F-F1-5-IPTV(H3C)-S12508-1 RESMON/3/RESMON_SEVERE: -Slot=3; -Resource=mqcin-Total=1536-Used=1528-Free=8; Free resource decreased to or below severe threshold 10%.

 

  Pri 25, Group  7,usedEntries 1426,mode Double, physlice 6/7/9/10/

  ===================================================

    acl type                             usedEntries[1426]

  ===================================================

    [2  ]MQC Port                              1426

  ================================================

Interfaces: XGE3/0/1 to XGE3/0/48 (slot 3)

---------------------------------------------------------------------

Type             Total      Reserved   Configured Remaining  Usage

---------------------------------------------------------------------

VFP ACL          1024       512        0          512        50%

IFP ACL          18432      7680       5724       5028       72%

IFP Meter        3072       768        0          2304       25%

IFP Counter      18432      7680       8          10744      41%

EFP ACL          2048       512        0          1536       25%

EFP Meter        1024       256        0          768        25%

EFP Counter      1024       256        0          768        25%

 

IFP总的是18K，系统预留7680个。共12个slice，slice0~7和9~10每个768，slice8和11每个1536。当前由于MQC占用slice 6~7和slice9~10，且下发方式为double模式，也就是下发一个rule会在底层占用两个资源。

 

====debug qacl show acl-resc slot 3 chip 0==== 

---------------Qacl Group UsedResc Info---------------

------------------------------------------------------

Acl Hw Resource: IFP, Pipe:0

------------------------------------------------------

  Pri 23, Group  3,usedEntries 26 ,mode Double, physlice 3/4/

  ===================================================

    acl type                             usedEntries[26]

  ===================================================

    [154]PDT LOW INITIAL                       1  

    [411]LLDP DENY LOW                         3  

    [23 ]RX Low                                15 

    [25 ]Super_RX Low                          1  

    [95 ]RX PRIO LLOW                          3  

    [360]RX PRIO LLOW RPORTVLAN                2  

    [27 ]TCP_RX_MISS_LOWEST                    1  

  ================================================

------------------------------------------------------

  Pri 25, Group  7,usedEntries 1426,mode Double, physlice 6/7/9/10/

  ===================================================

    acl type                             usedEntries[1426]

  ===================================================

    [2  ]MQC Port                              1426

  ================================================

------------------------------------------------------

  Pri 27, Group  1,usedEntries 92 ,mode Triple, physlice 0/1/2/

  ===================================================

    acl type                             usedEntries[92]

  ===================================================

    [153]PDT HIGH INITIAL                      1  

    [97 ]STMVLAN_PERMIT                        3  

    [98 ]STM_DENYALL                           9  

    [7  ]RX IPv4 Super High                    4  

    [8  ]RX IPv4 High                          13 

    [9  ]RX IPv4 Middle High                   9  

    [10 ]RX IPv4 Middle                        33 

    [13 ]RX IPv6 High                          10 

    [14 ]RX IPv6 Middle_High                   2  

    [15 ]RX IPv6 Middle                        3  

    [80 ]RX Middle Low                         3  

    [70 ]Zero-Mac-Deny                         1  

    [434]IP TO ME DEFAULT                      1  

  ================================================

------------------------------------------------------

  Pri 30, Group  8,usedEntries 10 ,mode IntraDb, physlice 5/

  ===================================================

    acl type                             usedEntries[10]

  ===================================================

    [410]VXLAN DRNI IPMC                       10 

  ================================================

 

当没有新添加rule时，slice占用情况如下，slice 6~7已占满。现网中在ACL 3001中添加了134条rule，且在八个端口下发，于是占用条目数为：134*8=1072条，而底层slice9~10剩余条数仅为720条，无法满足新添加的rule条目全部下发，所以造成资源不足。

解决方法

现网优化acl，acl中rule规则尽量聚合，能用掩码（通配符）匹配不要详细的一条条写，节省资源

CRM论坛（CRMbbs.com）——一个让用户更懂CRM的垂直性行业内容平台,CRM论坛致力于互联网、客户管理、销售管理、SCRM私域流量内容输出5年。 如果您有好的内容，欢迎向我们投稿，共建CRM多元化生态体系，创建CRM客户管理一体化生态解决方案。本文来源：知了社区基于知识共享署名-相同方式共享3.0中国大陆许可协议,S12508G-AF QOS调用ACL