S9706 ACL policy delivery fails

Published: 2014-12-10  Views: 951  Downloads: 0
Problem description
The S9706 has three line cards: two 48-port cards whose outbound direction supports 1k ACL entries, and one 24-port card whose outbound ACL capacity is 512. The ACLs are applied in the VLAN outbound direction. Once the ACL rule count passed 500, the device reported insufficient capacity.
Slot  1 
                     Vlan-ACL    Inbound-ACL  Outbound-ACL                  
----------------------------------------------------------------------------
  Rule Used               10          956          646               
  Rule Free             2038         7236          378               
  Rule Total            2048         8192         1024                
Slot  2 
                     Vlan-ACL    Inbound-ACL  Outbound-ACL                  
----------------------------------------------------------------------------
  Rule Used               10          961          647               
  Rule Free             2038         7231          377               
  Rule Total            2048         8192         1024                
Slot  3 
                     Vlan-ACL    Inbound-ACL  Outbound-ACL                  
----------------------------------------------------------------------------
  Rule Used              158          916          481               
  Rule Free              866         3180           31               
  Rule Total            1024         4096          512                

Alarm information
Dec  4 2014 10:14:14+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[87]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3149 classifier 3149 behavior 3149 acl 3149, rule 420)
Dec  3 2014 14:30:35+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[98]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3149 classifier 3149 behavior 3149 acl 3149, rule 10000)
Dec  3 2014 14:12:45+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[100]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3149 classifier 3149 behavior 3149 acl 3149, rule 10000)
Nov 20 2014 15:40:29+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[251]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 320)
Nov 20 2014 15:39:46+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[252]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 330)
Nov 19 2014 09:38:01+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[256]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 330)
Nov 19 2014 09:36:41+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[257]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 330)
Nov 17 2014 16:33:09+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[260]:Failed to send the data to the slot 3 device. (ErrorInfomation= Adding rule failed. Insufficient resource in policy 3146 classifier 3146 behavior 3146 acl 3146, rule 330)
Nov 17 2014 16:33:05+08:00 NH-3M-VM-S9706-D-2 %%01ACLE/3/DEVICE_DOWN(l)[261]:Failed to send the data to the slot 3 device. 
Handling process
Check the logbuffer, then check ACL resource usage with: display acl resource
Root cause
All ACL policies are enabled under VLANs. An ACL policy applied under a VLAN is delivered globally, i.e. the main control board pushes it to every line card.
display acl resource shows that slot 1 and slot 2 each use about 646 outbound ACL entries (the amount actually required by the policies), while slot 3 uses 481 (its ceiling is 512).
The cause of the problem: each rule consumes one ACL entry, and slot 3 is still more than 100 entries short of what the policies require, so policy delivery to it fails.
Solution
1. Clarify the customer's requirements: whether the outbound policy can be simplified (loose on the outbound side), or enabled only under the relevant interfaces (so it is delivered only to the corresponding card).
2. Choose a higher-specification card.
Recommendations and summary
Outbound ACL resources are relatively scarce, while inbound ACL resources are plentiful: eight times the outbound capacity.
Following the "loose in, strict out" policy, the restrictions in the outbound direction can be reduced, or enabled under the corresponding interfaces instead of under the VLAN, reducing VLAN-level use; otherwise the outbound direction easily becomes a bottleneck.
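As an added example (not part of the original case, and not vendor tooling), the Python below parses `display acl resource` output and applies the two checks this case turns on: whether a policy applied under a VLAN, which is delivered to every card, fits the slot with the fewest free entries, and which slots have a total capacity below the usage already seen on other slots, which is exactly the slot 3 situation here. The sample output is a constructed two-slot excerpt modelled on the table above.

```python
import re

# Constructed sample modelled on the `display acl resource` output in this case;
# not captured from a device.
SAMPLE = """\
Slot  1
                     Vlan-ACL    Inbound-ACL  Outbound-ACL
----------------------------------------------------------------------------
  Rule Used               10          956          646
  Rule Free             2038         7236          378
  Rule Total            2048         8192         1024
Slot  3
                     Vlan-ACL    Inbound-ACL  Outbound-ACL
----------------------------------------------------------------------------
  Rule Used              158          916          481
  Rule Free              866         3180           31
  Rule Total            1024         4096          512
"""

COLUMNS = ("Vlan-ACL", "Inbound-ACL", "Outbound-ACL")

def parse_acl_resource(text):
    """Return {slot: {column: {"used": n, "free": n, "total": n}}}."""
    slots, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Slot\s+(\d+)", line)
        if m:
            current = int(m.group(1))
            slots[current] = {col: {} for col in COLUMNS}
            continue
        m = re.match(r"\s*Rule\s+(Used|Free|Total)\s+(\d+)\s+(\d+)\s+(\d+)", line)
        if m and current is not None:
            key = m.group(1).lower()
            for col, val in zip(COLUMNS, m.groups()[1:]):
                slots[current][col][key] = int(val)
    return slots

def vlan_policy_fits(slots, direction, rule_count):
    """A VLAN policy goes to every card, so it must fit the slot with the fewest free entries."""
    col = f"{direction.capitalize()}-ACL"
    slot, free = min(((s, d[col]["free"]) for s, d in slots.items()), key=lambda t: t[1])
    return rule_count <= free, slot, free

def undersized_slots(slots, direction):
    """Slots whose total is below the peak usage on any slot, with the shortfall in entries."""
    col = f"{direction.capitalize()}-ACL"
    peak = max(d[col]["used"] for d in slots.values())
    return {s: peak - d[col]["total"] for s, d in slots.items() if d[col]["total"] < peak}
```

Run the checks against a fresh `display acl resource` capture before adding rules to a VLAN-applied policy; a shortfall reported by `undersized_slots` means the card cannot hold the policies the other cards already carry, regardless of what is added next.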

END