
张文宁: S7506E-NP device at a site reports insufficient ACL resources


Network topology and description

/

Alarm information

/

Problem description

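The on-site device occasionally reports insufficient resources, but the logs before and after the alarm show no ACL-related configuration being added.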

Interfaces were flapping around the time of the error:

%@14911845%Mar 28 15:44:19:607 2023 CORE_A IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet2/0/40 changed to up.

%@14911846%Mar 28 15:44:19:607 2023 CORE_A IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet2/0/40 changed to up.

%@14911847%Mar 28 15:44:20:251 2023 CORE_A IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet2/0/40 changed to down.

%@14911848%Mar 28 15:44:20:261 2023 CORE_A IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet2/0/40 changed to down.

%@14911856%Mar 28 15:47:49:443 2023 CORE_A PORTAL/4/RULE: -Slot=2; Not enough resources.

%@14911857%Mar 28 15:48:22:496 2023 CORE_A PORTAL/4/RULE: -Slot=2; Not enough resources.

%@14911858%Mar 28 15:49:59:589 2023 CORE_A PORTAL/4/RULE: -Slot=2; Not enough resources.


Analysis

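The configuration shows that portal is configured together with a large number of free-rules, and the resource shortage on site was reported while a new free-rule was being added: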

%Mar 28 14:00:58:385 2023 CORE_A SHELL/6/SHELL_CMD: -Line=vty0-IPAddr=172.16.7.55-User=admin; Command is dis arp | inc 172.16.5.41

%Mar 28 14:00:58:420 2023 CORE_A SHELL/6/SHELL_CMD: -Line=vty1-IPAddr=172.16.7.125-User=admin; Command is portal free-rule 550 source ip 172.16.149.208 32

%Mar 28 14:00:58:707 2023 CORE_A SHELL/6/SHELL_CMD: -Line=vty0-IPAddr=172.16.7.55-User=admin; Command is dis arp | inc 172.16.144.108

%Mar 28 14:00:58:995 2023 CORE_A SHELL/6/SHELL_CMD: -Line=vty0-IPAddr=172.16.7.55-User=admin; Command is dis arp | inc 172.16.63.38

%Mar 28 14:00:59:338 2023 CORE_A SHELL/6/SHELL_CMD: -Line=vty0-IPAddr=172.16.7.55-User=admin; Command is dis arp | inc 172.16.144.155

%Mar 28 14:01:00:125 2023 CORE_A PORTAL/4/RULE: -Slot=2; Not enough resources.

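When a port goes up or down, new portal users come online and ACLs have to be issued for them as well, so the resource shortage is also reported in that case.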

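There are no free slices left on site, and although other slices do have free ACL entries, portal cannot use them because they are of a different type.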

  ====debug qacl show acl-resc slot 2 chip 0==== 

 

---------------Qacl Group UsedResc Info---------------

Acl Hw Resource: VFP, Pipe:0

------------------------------------------------------

  Pri  2, Group  3,usedEntries 18 ,mode Single, physlice 2/

  =========================================

    acl type                   usedEntries[18]

  =========================================

    [107]Pdt VFP FirstNh2Classid        18 

  ======================================

------------------------------------------------------

  Pri  3, Group  2,usedEntries 1  ,mode Single, physlice 3/

  =========================================

    acl type                   usedEntries[1]

  =========================================

    [91 ]STMVLAN_PERMIT              1  

  ======================================

------------------------------------------------------

Acl Hw Resource: EFP, Pipe:0

------------------------------------------------------

  Pri  2, Group  7,usedEntries 62 ,mode Double, physlice 2/3/

  =========================================

    acl type                   usedEntries[62]

  =========================================

    [100]PktFilter IP on VRF         62 

  ======================================

------------------------------------------------------

Acl Hw Resource: IFP, Pipe:0

------------------------------------------------------

  Pri  7, Group  6,usedEntries 10 ,mode Double, physlice 0/1/

  =========================================

    acl type                   usedEntries[10]

  =========================================

    [148]PDT LOW INITIAL             1  

    [23 ]RX Low                      7  

    [25 ]Super_RX Low                1  

    [27 ]TCP_RX_MISS_LOWEST          1  

  ======================================

------------------------------------------------------

  Pri  9, Group  8,usedEntries 1017,mode Double, physlice 2/3/4/5/6/7/8/9/

  =========================================

    acl type                   usedEntries[1017]

  =========================================

    [35 ]Portal Free                 439

    [36 ]Portal User                 527

    [37 ]Portal Redirect             34 

    [39 ]Portal Deny                 17 

  ======================================

------------------------------------------------------

  Pri 11, Group  5,usedEntries 48 ,mode Single, physlice 11/

  =========================================

    acl type                   usedEntries[48]

  =========================================

    [116]Policy Based Routing V4        48 

  ======================================

------------------------------------------------------

  Pri 12, Group  4,usedEntries 70 ,mode Double, physlice 12/13/

  =========================================

    acl type                   usedEntries[70]

  =========================================

    [101]PktFilter Eth_Mac on VRF        2  

    [100]PktFilter IP on VRF         68 

  ======================================

------------------------------------------------------

  Pri 14, Group  1,usedEntries 50 ,mode Double, physlice 14/15/

  =========================================

    acl type                   usedEntries[50]

  =========================================

    [147]PDT HIGH INITIAL            1  

    [91 ]STMVLAN_PERMIT              2  

    [92 ]STM_DENYALL                 1  

    [7  ]RX IPv4 Super High          2  

    [8  ]RX IPv4 High                11 

    [9  ]RX IPv4 Middle High         5  

    [10 ]RX IPv4 Middle              26 

    [14 ]RX IPv6 Middle_High         1  

    [64 ]Zero-Mac-Deny               1  

  ======================================


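On site, one slice holds 256 entries. Portal occupies 8 slices, giving 8*256=2048 in total. There are 1017 entries on site, and because the group is in Double mode, 1017*2=2034 are used. The slices already occupied therefore have only 14 entries left.

At the same time, debug qacl show acl-resc slot 2 chip 0 shows that slices 0~15 of this card are all in use, so there is no free slice that can be handed to portal. That is why resources are insufficient.

If the site does not want to optimize the ACLs and would rather delete configuration to free up slices, check whether the following can be deleted: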

------------------------------------------------------

  Pri 12, Group  4,usedEntries 70 ,mode Double, physlice 12/13/

  =========================================

    acl type                   usedEntries[70]

  =========================================

    [101]PktFilter Eth_Mac on VRF        2  

    [100]PktFilter IP on VRF         68 

  ======================================
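The slice arithmetic above, applied to the debug output with a small parser. This is an added example, not part of the original article or any H3C tool; the 256-entry slice size and the Double-mode factor of 2 come from the article, while the Single-mode factor of 1 and the 95% alert threshold are assumptions.

```python
import re

SLICE_SIZE = 256                          # entries per slice, as stated in the article
MODE_WIDTH = {"Single": 1, "Double": 2}   # Double = 2 per rule (article); Single = 1 is assumed

# Excerpt of the article's debug output, blank lines removed.
SAMPLE = """\
Acl Hw Resource: IFP, Pipe:0
  Pri  9, Group  8,usedEntries 1017,mode Double, physlice 2/3/4/5/6/7/8/9/
    acl type                   usedEntries[1017]
    [35 ]Portal Free                 439
    [36 ]Portal User                 527
    [37 ]Portal Redirect             34
    [39 ]Portal Deny                 17
  Pri 12, Group  4,usedEntries 70 ,mode Double, physlice 12/13/
    acl type                   usedEntries[70]
    [101]PktFilter Eth_Mac on VRF        2
    [100]PktFilter IP on VRF         68
"""

STAGE_RE = re.compile(r"Acl Hw Resource:\s*(\w+)")
GROUP_RE = re.compile(r"Group\s+(\d+),\s*usedEntries\s+(\d+)\s*,"
                      r"\s*mode\s+(\w+),\s*physlice\s+([\d/]+)")
TYPE_RE = re.compile(r"^\s*\[\d+\s*\](.+?)\s+(\d+)\s*$")

def parse_groups(text):
    """Parse the dump into per-group capacity, consumption and headroom."""
    groups, stage = [], None
    for line in text.splitlines():
        if m := STAGE_RE.search(line):
            stage = m.group(1)
        elif m := GROUP_RE.search(line):
            gid, rules, mode, slices = m.groups()
            n_slices = len([s for s in slices.split("/") if s])
            cap, used = n_slices * SLICE_SIZE, int(rules) * MODE_WIDTH[mode]
            groups.append({"stage": stage, "group": int(gid), "mode": mode,
                           "capacity": cap, "consumed": used,
                           "free": cap - used, "types": {}})
        elif groups and (m := TYPE_RE.match(line)):
            # Per-type footprint in physical entries, not rule count.
            width = MODE_WIDTH[groups[-1]["mode"]]
            groups[-1]["types"][m.group(1).strip()] = int(m.group(2)) * width
    return groups

def near_full(groups, threshold=0.95):
    """Group ids whose slices are filled beyond `threshold` (assumed alert level)."""
    return [g["group"] for g in groups if g["consumed"] / g["capacity"] >= threshold]

if __name__ == "__main__":
    for g in parse_groups(SAMPLE):
        print(g["stage"], "group", g["group"], f'{g["consumed"]}/{g["capacity"]}',
              "free", g["free"], g["types"])
    print("near full:", near_full(parse_groups(SAMPLE)))
```

Run against periodic captures of the same command, the per-type footprint shows which rule type is filling a group before the PORTAL/4/RULE log appears.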

Solution

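The site has portal, packet filtering and PBR configured. Portal occupies a very large number of ACL entries, and a large number of portal free-rules are configured within it; the recommendation is to trim them to within 5 to resolve the problem.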


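Also check whether the other packet-filter and PBR configurations are necessary; any that are not needed can be deleted to release ACL entries and free up ACL resources.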

Source: 知了社区 (Zhiliao Community), licensed under the Creative Commons Attribution-ShareAlike 3.0 China Mainland license