S9706: merging traffic policies to reduce ACL rule resource usage and fix policy-based routing that does not take effect

Published: 2015-12-16
Problem description

After a new traffic classifier was added to the existing policy-based routing (PBR) traffic policy on an S9706, the traffic behavior bound to the original classifier stopped taking effect and policy-based routing failed.

Alarm information

When the new classifier 3004 was added to the traffic policy, the device reported an insufficient rule resource error:

 Error: Adding rule failed. Insufficient rule resource in policy ForServers classifier 3003 behavior PBR-For-Servers acl 3003, rule 740, on slot 4 vlan 110.

Handling process

1. Collected the fault symptoms; the log contained an insufficient RULE resource error:

Error: Adding rule failed. Insufficient rule resource in policy ForServers classifier 3003 behavior PBR-For-Servers acl 3003, rule 740, on slot 4 vlan

2. Suspected that the device's ACL resources were exhausted. Checked how the policy had been applied with display traffic-policy applied-record and found that one application had not succeeded:

=========================================================================
  ===============display traffic-policy applied-record===============
=========================================================================
#
-------------------------------------------------
  Policy Name:   ForServers
  Policy Index:  0
     Classifier:3001     Behavior:ServersReplyLanUsers
     Classifier:3002     Behavior:ServersReplyShenZhenTianWeiShiXunWangLuoUsers
     Classifier:3004     Behavior:ServersReplyLanUsers
     Classifier:3003     Behavior:PBR-For-Servers
-------------------------------------------------
*vlan 202
    traffic-policy ForServers inbound
      slot 1    :  success
      slot 3    :  success
      slot 4    :  success
      slot 5    :  success
*vlan 88
    traffic-policy ForServers inbound
      slot 1    :  success
      slot 3    :  success
      slot 4    :  success
      slot 5    :  success
*vlan 89
    traffic-policy ForServers inbound
      slot 1    :  success
      slot 3    :  success
      slot 4    :  success
      slot 5    :  success
*vlan 6
    traffic-policy ForServers inbound
      slot 1    :  success
      slot 3    :  success
      slot 4    :  success
      slot 5    :  success
*vlan 110
    traffic-policy ForServers inbound
      slot 1    :  success
      slot 3    :  success
      slot 4    :  fail
      slot 5    :  success

[LG-S9706-2]DIS traffic policy  statistics interface GigabitEthernet 1/0/34 outbound verbose  rule-base  class   3004
Info: The Policy is not applied in this view.

Only slot 4 failed, which shows that the board in slot 4 has run out of ACL rule resources. The other boards still had room, so the shortage is per board, not device-wide.

3. Based on the customer's services and configuration, merged the policies applied under two VLANs into one global policy to reduce ACL resource usage. This resolved the problem.

See the solution below for the modified configuration.

Root cause
The ACL rule resources of the board in slot 4 were exhausted. Changing the configuration so that the customer's services consume fewer rule entries resolved the problem.

Solution

1. Replace the policies applied in the VLAN views with one global policy, so that the applications are merged and the total number of rule entries consumed is reduced.
Original configuration:
#
traffic classifier 3001 operator or precedence 45
if-match acl 3001
traffic classifier 3002 operator or precedence 46
if-match acl 3002
traffic classifier 3003 operator or precedence 50
if-match acl 3003
traffic classifier 3004 operator or precedence 47
if-match acl 3004
#
traffic behavior PBR-For-Servers
permit
redirect ip-nexthop 10.0.255.42 forced
traffic behavior ServersReplyLanUsers
permit                                  
traffic behavior ServersReplyShenZhenTianWeiShiXunWangLuoUsers
permit
#
traffic policy ForServers match-order config
classifier 3001 behavior ServersReplyLanUsers
classifier 3002 behavior ServersReplyShenZhenTianWeiShiXunWangLuoUsers
classifier 3004 behavior ServersReplyLanUsers       //new classifier, with precedence adjusted to be higher than the original 3003
classifier 3003 behavior PBR-For-Servers             //this action no longer takes effect
vlan 6
description ServAcceSW-Manager
traffic-policy ForServers inbound
vlan 88
description VLAN_SERVER_FARM_1
traffic-policy ForServers inbound
vlan 89
description VLAN_SERVER_FARM_2
traffic-policy ForServers inbound
vlan 110
traffic-policy ForServers inbound
vlan 202
description Connect to SZCT-MPLS-PE-VPN3007813-20150422
traffic-policy ForServers inbound
Modified configuration: merge vlan 88 and vlan 89.
The policy contains 315 rules in total across its ACLs. Applied under 5 VLANs it consumes 315*5 = 1575 rule entries, which exceeds the number of entries that can be configured on the board. Merging vlan 88 and vlan 89 into one global application brings usage down to 315*4 = 1260 entries. The steps:
#
traffic classifier 3001_8889 operator and precedence 55
if-match acl 3001
if-match vlan-id 88 to 89
traffic classifier 3002_8889 operator and precedence 56
if-match acl 3002
if-match vlan-id 88 to 89
traffic classifier 3003_8889 operator and precedence 60
if-match acl 3003
if-match vlan-id 88 to 89
traffic classifier 3004_8889 operator and precedence 57
if-match acl 3004
if-match vlan-id 88 to 89
#
traffic policy ForServersVlan8889 match-order config
classifier 3001_8889 behavior ServersReplyLanUsers
classifier 3002_8889 behavior ServersReplyShenZhenTianWeiShiXunWangLuoUsers
classifier 3004_8889 behavior ServersReplyLanUsers
classifier 3003_8889 behavior PBR-For-Servers
#
traffic-policy ForServersVlan8889 global inbound
#
Note: delete the policy under vlan 88 and vlan 89 before applying the global policy, and delete and re-apply the policy whose application had failed. Two details of the merged configuration matter: the new classifiers use operator and together with if-match vlan-id 88 to 89, which is what keeps a policy applied in the global view (and therefore to all inbound traffic on the device) restricted to those two VLANs, so that the redirect ip-nexthop action is not applied to traffic from other VLANs; and the new classifiers use precedence values 55 to 60, which do not collide with the 45 to 50 used by the classifiers that remain in ForServers, while preserving the same relative order (3004 above 3003).

Explanation: when a traffic policy is used, the number of ACL rule entries it consumes is the total number of rules in all the ACLs referenced by the policy multiplied by the number of times the policy is applied.
For example, if the ACLs in a policy contain 315 rules in total and the policy is applied under 5 VLANs, it consumes 315*5 = 1575 entries; if vlan 88 and vlan 89 can be merged into one global application, usage drops to 315*4 = 1260 entries.
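The two checks done above by hand, reading the applied-record output for failed slots and computing rule entries as rules multiplied by application count, are small enough to script. The following Python is an added example written for this page (it is not Huawei's code and not from the original case): it parses a constructed sample in the shape of the display traffic-policy applied-record output shown earlier, reports which slots failed and for which views, and compares per-slot rule usage before and after folding VLANs into one global policy. The sample output, the 315-rule count, the VLAN list and the slot_limit value are assumptions; the page only states that 1575 entries exceed the board's capacity and 1260 do not, so 1500 is an illustrative limit, not a real S9706 figure. This also covers the calculation rule repeated in the summary below.

```python
import re

# Constructed sample in the shape of `display traffic-policy applied-record`
# output. It is an illustration for this example, not a capture from the
# switch in the case; the real output above lists more VLANs and slots.
APPLIED_RECORD = """\
  Policy Name:   ForServers
  Policy Index:  0
     Classifier:3001     Behavior:ServersReplyLanUsers
     Classifier:3003     Behavior:PBR-For-Servers
-------------------------------------------------
*vlan 88
    traffic-policy ForServers inbound
      slot 1    :  success
      slot 4    :  success
*vlan 110
    traffic-policy ForServers inbound
      slot 1    :  success
      slot 4    :  fail
      slot 5    :  success
"""

VIEW_RE = re.compile(r"^\*(.+?)\s*$")                                 # "*vlan 110"
APPLY_RE = re.compile(r"^\s*traffic-policy\s+(\S+)\s+(inbound|outbound)")
SLOT_RE = re.compile(r"^\s*slot\s+(\d+)\s*:\s*(success|fail)")


def parse_applied_record(text):
    """Walk the applied-record output and return one dict per (view, slot) line.

    The output is hierarchical: a '*<view>' line, then the policy applied in
    that view, then one 'slot N : status' line per board the policy was
    pushed to. We carry the current view and policy down to each slot line.
    """
    records = []
    view = policy = direction = None
    for line in text.splitlines():
        m = VIEW_RE.match(line)
        if m:
            view = m.group(1)
            continue
        m = APPLY_RE.match(line)
        if m:
            policy, direction = m.group(1), m.group(2)
            continue
        m = SLOT_RE.match(line)
        if m and view and policy:
            records.append({"view": view, "policy": policy, "direction": direction,
                            "slot": int(m.group(1)), "status": m.group(2)})
    return records


def failed_slots(records):
    """Map each slot with at least one failed application to the views that failed there.

    A slot appearing here while other slots succeeded points at that board's
    own ACL rule resources, as in the case above (only slot 4 failed).
    """
    out = {}
    for r in records:
        if r["status"] == "fail":
            out.setdefault(r["slot"], []).append(r["view"])
    return out


def rule_usage(rules_in_policy, application_points):
    """Rule entries a policy consumes on each board it is pushed to:
    total rules in all ACLs referenced by the policy x number of applications."""
    return rules_in_policy * len(application_points)


def plan_merge(rules_in_policy, vlans, merge, slot_limit):
    """Compare per-slot usage before and after folding the VLANs in `merge`
    into one global application that selects them with `if-match vlan-id`.

    slot_limit is an assumed per-board capacity (the page gives no figure).
    """
    before = rule_usage(rules_in_policy, vlans)
    remaining = [v for v in vlans if v not in merge]
    after = rule_usage(rules_in_policy, remaining + ["global"])
    return {"before": before, "after": after,
            "before_fits": before <= slot_limit, "after_fits": after <= slot_limit}


if __name__ == "__main__":
    recs = parse_applied_record(APPLIED_RECORD)
    print("failed applications per slot:", failed_slots(recs))
    # 315 rules, five VLAN applications, merge vlan 88 and 89 into a global policy.
    print(plan_merge(315, [6, 88, 89, 110, 202], {88, 89}, slot_limit=1500))
```

The merge plan only models the count the page describes (rules times applications); it does not account for any extra entries a platform may allocate for the vlan-id match itself, so treat its result as a planning estimate and confirm with applied-record after re-applying the policy.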

Recommendations and summary

1. When a traffic policy is used, the number of ACL rule entries it consumes is the total number of rules in all the ACLs referenced by the policy multiplied by the number of times the policy is applied.
Depending on the environment, the policies applied on several interfaces (physical interfaces, VLANs or VLAN interfaces) can sometimes be merged into one policy applied in the global view, which reduces the resources consumed on the board.

2. This method has limitations: it applies only to the specific scenario where the configurations can be merged and the rule counts involved are close to the limit. It is a workaround that avoids resource consumption rather than a way to add capacity.

END