
Traffic policy didn't work due to non-continuous mask in ACL in NE40E-X8

Publication Date: 2016-07-01 Views: 71 Downloads: 0
Issue Description

After a traffic policy was configured on the NE40E-X8, it did not take effect.

In the following topology, the customer wanted to filter private IP addresses on interface G4/0/0. The private networks 10.x.x.x and 192.168.x.x were filtered, but the private network 172.16.x.x to 172.31.x.x was not.

The related configuration is as follows:

#
acl number 3001
 description for_internet_filter_inbound
 rule 5 deny ip source 10.0.0.0 0.255.255.255
 rule 10 deny ip source 172.0.0.0 0.16.255.255   //by mistake
 rule 15 deny ip source 192.168.0.0 0.0.255.255
 rule 20 permit ip
#
traffic classifier class_internet_filter_inbound operator or
 if-match acl 3001
#
traffic behavior be_int_filter_inbound
#
traffic policy po_int_filter_inbound
 share-mode
 classifier class_internet_filter_inbound behavior be_int_filter_inbound precedence 1
#
interface GigabitEthernet4/0/0
 portswitch
 description ***link_to_MIX***
 port link-type access
 port default vlan 2
 mode lacp-static
 traffic-policy po_int_filter_inbound inbound
#

Alarm Information

None

Handling Process

(1) Checked the logs and found abnormal logs of the following kind:

May 10 2016 09:25:42.784+02:00 DST Farm_NE40E_X8_01 %%01QOS/4/QOSACL_NO_CHASSISID(l):VS=Admin-VS-CID=0x807f04a1-Slot=4;The LPU does not support this rule. (SlotId=4, Direction=Inbound, Rule=the rule that matchs the ip address with no-prefix mask.)


May 10 2016 00:05:40.324+02:00 DST Farm_NE40E_X8_01 %%01QOS/4/QOSACL_NO_CHASSISID(l):VS=Admin-VS-CID=0x807f048d-Slot=5;The LPU does not support this rule. (SlotId=5, Direction=Inbound, Rule=the rule that matchs the ip address with no-prefix mask.)

The above logs indicate that the boards in slot 4 and slot 5 do not support non-continuous masks.

(2) Checked the configuration again and found that the mask in rule 10 of ACL 3001 is non-continuous.

#
acl number 3001
 description for_internet_filter_inbound
 rule 5 deny ip source 10.0.0.0 0.255.255.255
 rule 10 deny ip source 172.0.0.0 0.16.255.255   // non-continuous mask
 rule 15 deny ip source 192.168.0.0 0.0.255.255
 rule 20 permit ip
#

The customer wanted to filter the private network 172.16.0.0-172.31.255.255, but configured rule 10 incorrectly.

Root Cause

A wildcard mask is continuous when, in binary, its 1 bits form a single trailing run, as in 0.15.255.255 (0000 1111 1111 1111 1111 1111 1111 1111); 0.16.255.255 (0001 0000 1111 1111 1111 1111 1111 1111) has an isolated 1 bit and is therefore non-continuous. On some boards with algorithm TCAM, non-continuous masks are not supported because of a hardware limitation. On those boards a non-continuous mask can be configured, but it does not take effect.

Solution

(1) Use a global traffic policy to implement the same function as the ACL-based simplified traffic policy, with rule 10 corrected to a continuous mask:

#
acl number 3001
 description for_internet_filter_inbound
 rule 5 deny ip source 10.0.0.0 0.255.255.255
 rule 10 deny ip source 172.16.0.0 0.15.255.255   // changed to a continuous mask covering the private network 172.16.0.0-172.31.255.255
 rule 15 deny ip source 192.168.0.0 0.0.255.255
 rule 20 permit ip
#
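The following Python script is an added example, not part of this case or of Huawei's tooling: it parses the ACL rules above, tests each wildcard mask for continuity and lists the address blocks the rule would match, so that a mis-typed mask like rule 10 is caught before the LPU rejects it. The ACL text is copied from the case; the rule syntax handled (rule N permit|deny ip [source A.B.C.D W.X.Y.Z]) is the subset used on this page.

```python
import ipaddress
import re

# ACL from the case, with rule 10 as originally mis-typed (constructed sample input)
ACL_TEXT = """\
acl number 3001
 rule 5 deny ip source 10.0.0.0 0.255.255.255
 rule 10 deny ip source 172.0.0.0 0.16.255.255
 rule 15 deny ip source 192.168.0.0 0.0.255.255
 rule 20 permit ip
"""

RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+ip(?:\s+source\s+(\S+)\s+(\S+))?")


def is_continuous_wildcard(wildcard: str) -> bool:
    """True when the wildcard's 1 bits form one trailing run, i.e. w + 1 is a power of two."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w + 1) & w == 0


def matched_blocks(address: str, wildcard: str) -> list:
    """List the CIDR blocks an (address, wildcard) pair matches.

    A 1 bit in the wildcard is "don't care". The trailing run of 1 bits becomes the
    host part of one prefix; every isolated 1 bit above that run doubles the number
    of matched blocks, which is why a non-continuous mask is not a single prefix."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    trailing = 0
    while (w >> trailing) & 1:
        trailing += 1
    scattered = [1 << i for i in range(trailing, 32) if (w >> i) & 1]
    base = a & ~w & 0xFFFFFFFF  # fixed bits of the match; don't-care bits cleared
    blocks = []
    for combo in range(1 << len(scattered)):
        extra = sum(bit for i, bit in enumerate(scattered) if (combo >> i) & 1)
        blocks.append(ipaddress.IPv4Network((base | extra, 32 - trailing)))
    return [str(n) for n in sorted(blocks, key=lambda n: int(n.network_address))]


def audit_acl(text: str) -> list:
    """Report, per rule with a source wildcard, whether the mask is continuous and what it matches."""
    findings = []
    for rule_id, action, src, wc in RULE_RE.findall(text):
        if not src:  # 'permit ip' with no source matches everything; nothing to check
            continue
        findings.append({"rule": int(rule_id), "action": action,
                         "continuous": is_continuous_wildcard(wc),
                         "matches": matched_blocks(src, wc)})
    return findings


if __name__ == "__main__":
    for f in audit_acl(ACL_TEXT):
        flag = "" if f["continuous"] else "  <-- non-continuous mask, LPU may reject"
        print(f"rule {f['rule']}: {f['action']} {', '.join(f['matches'])}{flag}")
```

Run on the case's ACL, rule 10 is reported as non-continuous and matching only 172.0.0.0/16 and 172.16.0.0/16, whereas the corrected 172.16.0.0 0.15.255.255 yields the single block 172.16.0.0/12.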

Suggestions

When a log like the following is found:

May 10 2016 00:05:40.324+02:00 DST Farm_NE40E_X8_01 %%01QOS/4/QOSACL_NO_CHASSISID(l):VS=Admin-VS-CID=0x807f048d-Slot=5;The LPU does not support this rule. (SlotId=5, Direction=Inbound, Rule=the rule that matchs the ip address with no-prefix mask.)

investigate whether the configuration contains a non-continuous mask.

END