Exact Matching of EACL Rules Cannot Be Realized on the NE40

Publication Date: 2012-07-27
Issue Description
EACL is configured on Interface G1/0/3 of the NE40. Two of the EACL rules are as follows:
EACL_NODE: No.21, Seq=21, Priority=153
wg: intervlan protocol=ip 10.34.202.0 0.0.0.255 any
To_ZXS_NE20: redirect ip 61.233.85.122 GigabitEthernet2/0/2 vlan 2

EACL_NODE: No.22, Seq=20, Priority=154
yh001: intervlan protocol=ip 10.0.0.0 0.255.255.255 any
to_zxs_ne05_00: redirect ip 61.233.85.194 Ethernet3/0/4 vlan 31
Packets received on interface G1/0/3 are matched against these rules by source address and redirected to different outbound interfaces. The frontline engineer reported that, when he pinged public network addresses from a PC (IP address: 10.34.202.19), the packets were matched against the EACL rules on the LPU of G1/0/3 on the NE40 and hit the yh001 rule instead of the wg rule. After the redirection, the packets were sent through interface Ethernet3/0/4.
<ZXS_NE40>disp eacl hit-count dianxin rule wg     (Not matched)

Query EACL hit count from NPS:
DianXin wg: GigabitEthernet1/0/3
The number of EACL hits: 0
<ZXS_NE40>disp eacl hit-count dianxin rule yh001     (Matched)

Query EACL hit count from NPS:
DianXin yh001: GigabitEthernet1/0/3
The number of EACL hits: 18325
The version of the equipment was V3.10 2351. 
 
Alarm Information
Null
Handling Process
1. Nothing wrong was found with the configuration.
2. View the corresponding SMT leaf by running the diagnostic command.
View the leaf data for the source IP address 10.34.202.19:
[ZXS_NE40-diag]efu qos display 1 l3 port 0 srcip 10.34.202.19
Start display smt on board 01...
display lpu smt message is send success.
[ZXS_NE40-diag]
Show Leaf data:

redirectAttr.redir_sel=3
redirectAttr.tbStatusCheck=1
redirectAttr.u_redir.pbIpRoute.ifHandle=0x40013
redirectAttr.u_redir.pbIpRoute.nextHopIpAddr=0x3de955c2 (the redirected next-hop address was 61.233.85.194)
redirectAttr.u_redir.pbIpRoute.ulVlanId=0x1f
View the leaf data for the source IP address 10.1.2.3:
[ZXS_NE40-diag]efu qos display 1 l3 port 0 srcip 10.1.2.3
Start display smt on board 01...

redirectAttr.redir_sel=3
redirectAttr.tbStatusCheck=1
redirectAttr.u_redir.pbIpRoute.ifHandle=0x40013
RedirectAttr.u_redir.pbIpRoute.nextHopIpAddr=0x3de955c2 (the redirected next-hop address was 61.233.85.194)
redirectAttr.u_redir.pbIpRoute.ulVlanId=0x1f
The preceding output shows that, whether the source address was 10.34.202.19 or 10.1.2.3, the SMT leaf in the microcode of the upper-layer software was the SMT tree node of the yh001 rule, that is, the rule for the network segment with 10.0.0.0 as the source IP address. The problem was therefore caused by the configured EACL rules pointing to the wrong node.
It was confirmed that, when the fuzzy rules are configured first and the exact rules afterwards, or when exact rules are deleted or added after both rules have been configured successfully, packets are sometimes sent to the wrong SMT node. The source IP addresses of these packets then fail to match the exact matching rules or the fuzzy matching rules.
From the user’s log, the engineer found that the user did perform such operations:
%Mar 15 11:15:00 2007 ZXS_NE40 SHELL/6/CLI:’rule-map intervlan wg ip 10.34.202.0 0.0.0.255 any’
%Mar 15 11:16:05 2007 ZXS_NE40 SHELL/6/CLI:’eacl DianXin wg To_ZXS_NE20’
%Mar 15 11:19:43 2007 ZXS_NE40 SHELL/6/CLI:’undo eacl DianXin wg
%Mar 15 11:19:58 2007 ZXS_NE40 SHELL/6/CLI:’undo eacl DianXin wg ’
%Mar 15 11:24:39 2007 ZXS_NE40 SHELL/6/CLI:’eacl DianXin wg
%Mar 16 10:30:48 2007 ZXS_NE40 SHELL/6/CLI:’undo eacl DianXin wg
%Mar 16 10:30:51 2007 ZXS_NE40 SHELL/6/CLI:’undo eacl DianXin wg ’
%Mar 16 10:34:20 2007 ZXS_NE40 SHELL/6/CLI:’eacl DianXin wg 
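
The comparison made in step 2 can be scripted. The following is an added example, not part of the original case or of any Huawei tool: it decodes the hex next hop and VLAN ID from the leaf output shown above and checks them against the rule that should have matched. The function names are hypothetical, and treating the rule with the fewest wildcard bits as the intended match is an assumption taken from the behaviour the case expects.

```python
import ipaddress
import re

# Rules from the page: (name, source, wildcard mask, redirect next hop, VLAN).
RULES = [
    ("wg", "10.34.202.0", "0.0.0.255", "61.233.85.122", 2),
    ("yh001", "10.0.0.0", "0.255.255.255", "61.233.85.194", 31),
]

# Leaf fields as shown on the page for source 10.34.202.19.
LEAF = """redirectAttr.redir_sel=3
redirectAttr.tbStatusCheck=1
redirectAttr.u_redir.pbIpRoute.ifHandle=0x40013
redirectAttr.u_redir.pbIpRoute.nextHopIpAddr=0x3de955c2
redirectAttr.u_redir.pbIpRoute.ulVlanId=0x1f
"""

def _u32(addr):
    return int(ipaddress.IPv4Address(addr))

def expected_rule(src_ip):
    """Most specific rule covering src_ip (assumption: exact beats fuzzy)."""
    hits = []
    for rule in RULES:
        care = ~_u32(rule[2]) & 0xFFFFFFFF  # wildcard bit 1 means "don't care"
        if (_u32(src_ip) & care) == (_u32(rule[1]) & care):
            hits.append((bin(care).count("1"), rule))
    return max(hits, key=lambda h: h[0])[1] if hits else None

def parse_leaf(text):
    """Decode the hex next hop and VLAN ID from the leaf output."""
    hop = re.search(r"nextHopIpAddr=0x([0-9a-fA-F]+)", text)
    vlan = re.search(r"ulVlanId=0x([0-9a-fA-F]+)", text)
    if not (hop and vlan):
        raise ValueError("leaf output lacks nextHopIpAddr or ulVlanId")
    return str(ipaddress.IPv4Address(int(hop.group(1), 16))), int(vlan.group(1), 16)

def check(src_ip, leaf_text):
    """Compare the redirect programmed in the leaf with the intended rule."""
    rule = expected_rule(src_ip)
    hop, vlan = parse_leaf(leaf_text)
    actual = next((r[0] for r in RULES if (r[3], r[4]) == (hop, vlan)), None)
    return {"src": src_ip, "expected": rule[0] if rule else None,
            "actual": actual, "consistent": bool(rule) and rule[0] == actual}

if __name__ == "__main__":
    for ip in ("10.34.202.19", "10.1.2.3"):
        print(check(ip, LEAF))
```

A result with "consistent" set to False for a source address covered by an exact rule is the condition this case describes.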
 
Root Cause
1. Configuration
2. Equipment 
 
Suggestions
It is recommended to adopt the following workarounds:
1. First, delete the corresponding EACL rules (including exact and fuzzy rules).
2. Re-configure EACL rules. First, configure the exact matching rules, and then the fuzzy matching rules. Finally, apply the EACL rules to the corresponding interface again. 
 
