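NE5000E Interface Traffic Policy Cannot Collect Statistics and the NMS Cannot Query Traffic Because the Customer's ACL Configuration Exceeds the Specification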

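Published: 2013-02-22
Problem Description
Version: NE5000E V300R007C00SPC500
Patch: V300R007C00SPC023
Networking overview: not applicable
Symptom: A traffic policy is configured on an NE5000E interface to collect packet traffic statistics. The customer reported that after January 24 the NMS could no longer query the traffic of IDC addresses on the NE5000E through SNMP, although earlier queries had all been normal.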



Alarm information:
497    Critical   13-01-24  00:12:12    The hardware resource(ID=42,User=ACLv4
                                        ) storage media of LPUclc2/9(Entity) e
                                        xceeded the prealarm threshold, Resume
498    Critical   13-01-24  00:12:12    The hardware resource(ID=1,User=ACLv4)
                                         storage media of LPUclc2/9(Entity) ex
                                        ceeded the prealarm threshold, Resume


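Troubleshooting Procedure
1. Confirmed with the third-party NMS team that inbound traffic cannot be counted while outbound traffic is counted normally. This rules out SNMP interface index and SNMP policy restriction problems.
2. On the NE5000E, checked that the address ranges in the ACLs referenced by the inbound traffic classifier policy are configured correctly. This rules out a policy configuration problem.
3. Ran the display traffic policy statistics command on the NE5000E to view the inbound traffic counters of the corresponding classifier; the statistics could not be collected.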
[SNXA-PB-CMNET-RT02-CNE5000E]display traffic policy statistics inter gi2/9/1/0 inbound verbose classifier-based class  IDC-filter-in
Interface: GigabitEthernet2/9/1/0
Traffic policy inbound: IDC-filter-in   
    Current status: Refresh failed! Waiting for refreshing again!
    IPv4&L2: Rule Index: 2870(Free), 2993(Needed)
       IPv6: Rule Index: 3583(Free), 0(Needed)
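4. Ran the display traffic policy statistics command on the NE5000E to view the outbound traffic counters of the corresponding classifier; the statistics are collected normally. This rules out a software problem.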
 [SNXA-PB-CMNET-RT02-CNE5000E]dis traffic policy statistics inter gi2/9/1/0 outbound verbose classifier-based class IDC-filter-out
Interface: GigabitEthernet2/9/1/0
Traffic policy outbound: IDC-filter-out
Statistics last cleared: Never
Rule number: 15 IPv4, 0 IPv6
Current status: OK!
 
Classifier: IDC-filter-out
  Behavior: IDC-filter
Item                             Packets                      Bytes
-------------------------------------------------------------------
Matched                  568,177,722,343                          0
  +--Passed              568,177,722,343                          0
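5. Checked the inbound and outbound policy configuration on the NE5000E interface and found that the inbound policy is associated with many classifiers.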
interface GigabitEthernet2/9/1/0
 description To-[SNXA-PC-IDC-RT02-MX960]GE9/1/1
 ip address 218.200.2.197 255.255.255.252
 isis enable 100
 isis circuit-level level-2
 traffic-policy IDC-filter-in inbound
 traffic-policy IDC-filter-out outbound

traffic policy IDC-filter-in
 undo share-mode
 statistics enable
  classifier Con-Telcom-Address2-Destination behavior Con-Telcom-Address2-Destination
 classifier Con-Telcom-Address-Destination behavior Con-Telcom-Address-Destination
 classifier Con-Unicom-Address2-Destination behavior Con-Unicom-Address2-Destination
 classifier Con-Unicom-Address-Destination behavior Con-Unicom-Address-Destination
 classifier Con-Edu-Address-Destination behavior Con-Edu-Address-Destination
 classifier IDC-filter-in behavior IDC-filter

traffic policy IDC-filter-out
undo share-mode
statistics enable
classifier IDC-filter-out behavior IDC-filter
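6. Suspecting that the large number of policies prevented the ACLs from taking effect, some of the classifiers were deleted in agreement with the customer, after which the statistics displayed normally. The third-party NMS staff confirmed that the NMS could also query the traffic normally.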
[SNXA-PB-CMNET-RT02-CNE5000E]dis traffic policy statistics inter gi2/9/1/0 inbound verbose classifier-based class IDC-filter-in
Interface: GigabitEthernet2/9/1/0
Traffic policy inbound: IDC-filter-in
Statistics last cleared: Never
Rule number: 5215 IPv4, 0 IPv6
Current status: OK!
Classifier: IDC-filter-in
  Behavior: IDC-filter
Item                             Packets                      Bytes
-------------------------------------------------------------------
Matched                          929,473              1,346,434,043
  +--Passed                      929,473              1,346,434,043
  +--Dropped                           0                          0
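7. After confirmation with the company, the cause should be that the ACLs the customer configured on the NE5000E exceed the hardware specification of the board. The command output shows that the remaining resources are insufficient: 2870 rule indexes are free, but 2993 are needed.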
[SNXA-PB-CMNET-RT02-CNE5000E]display traffic policy statistics inter gi2/9/1/0 inbound verbose classifier-based class  IDC-filter-in
Interface: GigabitEthernet2/9/1/0
Traffic policy inbound: IDC-filter-in   
    Current status: Refresh failed! Waiting for refreshing again!
    IPv4&L2: Rule Index: 2870(Free), 2993(Needed)
       IPv6: Rule Index: 3583(Free), 0(Needed)
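The historical alarms also contain an ACL over-limit indication. Because the customer cleared the device alarms while handling another problem, it does not appear in the active alarms.
The following command shows that the board specification is 11328 rule indexes, of which 629 are currently free.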
[SNXA-PB-CMNET-RT02-CNE5000E-hidecmd]display  nps-qos clc2/9 priority ipv4 common
Total And Class Table Number: 0
Total Rule Index: 11328 Free Rule Index: 629
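
As an added example (not part of the original case and not Huawei tooling): a Python check that parses the `display traffic policy statistics` output shown in steps 3 and 7 and reports when the policy refresh failed and how many rule indexes are missing. The function name and the embedded sample text are constructed for illustration.

```python
import re

# Constructed samples, copied from the inbound and outbound outputs in this case.
SAMPLE_FAILED = """\
Interface: GigabitEthernet2/9/1/0
Traffic policy inbound: IDC-filter-in
    Current status: Refresh failed! Waiting for refreshing again!
    IPv4&L2: Rule Index: 2870(Free), 2993(Needed)
       IPv6: Rule Index: 3583(Free), 0(Needed)
"""
SAMPLE_OK = """\
Interface: GigabitEthernet2/9/1/0
Traffic policy outbound: IDC-filter-out
Rule number: 15 IPv4, 0 IPv6
Current status: OK!
"""

POLICY_RE = re.compile(r"^\s*Traffic policy (inbound|outbound):\s*(\S+)", re.M)
STATUS_RE = re.compile(r"^\s*Current status:\s*(.+?)\s*$", re.M)
INDEX_RE = re.compile(
    r"^\s*(IPv4&L2|IPv6): Rule Index:\s*(\d+)\(Free\),\s*(\d+)\(Needed\)", re.M)


def check_policy_output(text):
    """Return a dict describing whether the policy refresh succeeded."""
    policy = POLICY_RE.search(text)
    status = STATUS_RE.search(text)
    if not policy or not status:
        raise ValueError("not a 'display traffic policy statistics' output")
    result = {
        "direction": policy.group(1),
        "policy": policy.group(2),
        "ok": status.group(1).startswith("OK"),
        "shortfall": {},  # address family -> rule indexes missing (needed - free)
    }
    for family, free, needed in INDEX_RE.findall(text):
        if int(needed) > int(free):
            result["shortfall"][family] = int(needed) - int(free)
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_FAILED, SAMPLE_OK):
        r = check_policy_output(sample)
        state = "OK" if r["ok"] else f"REFRESH FAILED, short by {r['shortfall']}"
        print(f"{r['policy']} ({r['direction']}): {state}")
```

Running such a check against collected CLI output after every ACL change surfaces the condition even when the active alarms have been cleared, as happened in this case.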

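Root Cause

Cause analysis:
1. The NMS interface index changed, so the NMS cannot retrieve statistics from the device;
2. The policy configuration on the customer's NE5000E was modified, so traffic cannot be collected;
3. The device itself cannot count the IDC traffic;
4. A device software problem prevents traffic from being counted;
5. A device hardware problem prevents traffic from being counted.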

Solution

N/A

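Recommendations and Summary
Recommendations and summary:
For traffic-policy statistics, exceeding the specification affects statistics queries for all classifiers under the policy. However, for a classifier whose behavior is redirect, only the ACL rules beyond the specification are affected.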

END