Troubleshooting ACL Resource Insufficiency

Introduction

Devices provide limited ACL resources, which are shared by many services. If ACL resources are insufficient for a service, the service will fail to be delivered.

The following sections describe the causes of ACL resource insufficiency, the services that consume ACL resources, and the solutions to ACL resource insufficiency.

Causes of ACL Resource Insufficiency

On a live network, a device often reports an alarm indicating that ACL resources are insufficient even though only a few rules are configured and the number of rules is nowhere near the upper limit. Why does the device report such an alarm? Because the rule resource is only one type of ACL resource; the real bottleneck is the KB (key block) resource.

When a service is delivered, the device first selects a group and then applies for the KB resources that group requires. The service can run normally only if enough KB resources are available and the group is created successfully. Groups are classified as single-width, double-width, and quadruple-width groups. A single-width group and a double-width group each occupy one KB, and a quadruple-width group occupies two KBs.

When a new service is configured and an already-created group meets its requirement, the service is delivered directly to that group and occupies no extra KB resources. If no created group meets the requirement, the device must apply for a KB resource to create a new group.

To better understand the ACL implementation, the following uses the CE12800 as an example.

Figure 1-1

In the figure, each table row corresponds to the bucket depth, which represents the rule specification, and each table column corresponds to the bucket width, which represents the KB specification. The bucket width is the bottleneck that decides whether a service can be delivered. If the matching fields of a rule sum to at most 80 bits (for example, matching on source and destination IP addresses takes 64 bits, because an IPv4 address field is 32 bits), a single-width group is selected and one KB is occupied. If the matching fields sum to between 80 and 160 bits, a double-width group is selected and one KB is occupied. If the matching fields sum to more than 160 bits, a quadruple-width group is selected and two consecutive KBs are occupied, and the number of the first KB must be even.

For example:

Rule 1: rule permit tcp source 1.1.1.1 24 destination 1.1.2.2 24

Rule 2: rule permit tcp source 1.1.1.1 24 destination 1.1.2.2 24 source-port eq 1 destination-port eq 10

Rule 3: rule permit tcp source 1.1.1.1 24 destination 1.1.2.2 24 source-port eq 1 destination-port eq 10 tcp-flag ack ttl-expired tos 2 precedence 5 logging

As shown in the preceding table, Rule 1 is delivered to a single-width group and occupies one KB, Rule 2 is delivered to a double-width group and occupies one KB, and Rule 3 is delivered to a quadruple-width group and occupies two KBs. In addition, the device uses two KBs by default to send protocol packets.

Assume that Rule 4, Rule 5, Rule 6, Rule 7, and Rule 8 are then configured and all eight KB resources are occupied. If a new service is configured and none of the created groups meets its requirement, the device reports an alarm indicating that ACL resources are insufficient, and the service fails to be delivered because no KB resource is available for creating a group.

For more information about ACL resources, see the chapter "ACL Resource Introduction" in the ACL Technical Topics.
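The following Python model is an added illustration of the KB allocation described above; it is constructed for this page and is not Huawei code. It encodes only the rules the text states (width thresholds of 80 and 160 bits, one KB for single- and double-width groups, two consecutive even-aligned KBs for a quadruple-width group, two KBs reserved for protocol packets, and reuse of a created group whose fields cover the new rule). The key widths of 96 and 176 bits for Rule 2 and Rule 3, and rules 4 to 6, are assumed values chosen to fall in the ranges the page assigns.

```python
"""Toy model of KB (key block) allocation for ACL groups, constructed to
illustrate the page's rules; not Huawei code.  Key widths other than the
64 bits of rule 1 (two 32-bit IPv4 addresses) are assumed values."""
from typing import Dict, List, Optional, Set, Tuple

TOTAL_KB = 8       # KB pool of the page's example
RESERVED_KB = 2    # KBs the device uses by default for protocol packets


def group_width(key_bits: int) -> str:
    """Map the summed width of a rule's match fields to a group width."""
    if key_bits <= 80:
        return "single"
    if key_bits <= 160:
        return "double"
    return "quadruple"


class KbPool:
    def __init__(self, total: int = TOTAL_KB, reserved: int = RESERVED_KB):
        self.free = [True] * total
        for i in range(reserved):
            self.free[i] = False
        self.groups = []   # list of (field set, width, KB indices)

    def find_kbs(self, width: str) -> Optional[Tuple[int, ...]]:
        """KB indices a new group of this width would occupy, or None if the
        pool cannot satisfy it (the 'Group resource full' condition)."""
        if width != "quadruple":
            for i, is_free in enumerate(self.free):
                if is_free:
                    return (i,)
            return None
        # quadruple width: two consecutive KBs whose first index is even
        for i in range(0, len(self.free) - 1, 2):
            if self.free[i] and self.free[i + 1]:
                return (i, i + 1)
        return None

    def deliver(self, rule: str, fields: Set[str], key_bits: int) -> Dict:
        needed = frozenset(fields)
        # 1. a created group that already covers the fields is reused
        for group_fields, width, kbs in self.groups:
            if needed <= group_fields:
                return {"rule": rule, "status": "reused", "width": width, "kbs": kbs}
        # 2. otherwise apply for KB resources and create a new group
        width = group_width(key_bits)
        kbs = self.find_kbs(width)
        if kbs is None:
            return {"rule": rule, "status": "fail", "width": width, "kbs": ()}
        for i in kbs:
            self.free[i] = False
        self.groups.append((needed, width, kbs))
        return {"rule": rule, "status": "created", "width": width, "kbs": kbs}

    def used_kbs(self) -> int:
        return sum(1 for is_free in self.free if not is_free)


def run_page_scenario() -> Tuple[List[Dict], "KbPool"]:
    """Replay the page's three rules, then add constructed rules until the
    eight KBs are gone.  Only four groups hold rules when the sixth rule
    fails: the rule count is far from its limit, the KBs are not."""
    pool = KbPool()
    l3 = {"sip", "dip"}
    l4 = l3 | {"sport", "dport"}
    log = [
        pool.deliver("rule1", l3, 64),                        # single, KB 2
        pool.deliver("rule2", l4, 96),                        # double, KB 3
        pool.deliver("rule3", l4 | {"tcp-flag", "ttl", "tos", "precedence"}, 176),  # quad, KB 4-5
        pool.deliver("rule4", {"sip"}, 32),                   # covered by rule1's group
        pool.deliver("rule5", l4 | {"smac", "dmac"}, 200),    # quad, KB 6-7
        pool.deliver("rule6", {"vlan"}, 12),                  # no KB left -> fail
    ]
    return log, pool


if __name__ == "__main__":
    log, pool = run_page_scenario()
    for entry in log:
        print(entry)
    print(f"KBs in use: {pool.used_kbs()} of {TOTAL_KB}")
```

The even-alignment rule matters in practice: a pool with two free KBs that are not an even-aligned pair can still refuse a quadruple-width group while accepting a single-width one, which is why the insufficiency alarm can appear with KBs nominally free.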

Services That Use ACL Resources

ACLs serve many purposes. Users configure MQC for different services on top of ACLs, and some services are themselves implemented by means of ACLs, for example IPv4, IPv6, MPLS, TRILL, and VXLAN. To collect statistics on a VLANIF interface, for instance, an ACL must be delivered.

The following figure shows how the ACL is delivered and how the chip processes the ACL.

There are two grouping methods:

  1. Static: Each service uses a fixed group of ACL rules.
  2. Dynamic: Based on the user-defined fields and actions, the device traverses the pre-defined group templates and chooses a group. This method applies to MQC services.

If the selected group has already been created, the device does not apply for KB, CE, or action resources; it applies only for TCAM bank resources to deliver the ACL rules.

The following table defines the mappings between static group templates and services.

                 Field Set                         Action Set
Group ID  Type   Port   VLAN ID   DMAC Hit   DMAC  Statistics   CAR   Service
-----------------------------------------------------------------------------------
14        ALL    Y      -         -          -     Y            Y     QoS CAR
14        ALL    Y      -         -          Y     -            Y     Port BC Suppress
14        ALL    Y      -         Y          -     -            Y     Port Unknown UC Suppress
14        ALL    -      Y         -          Y     -            Y     Vlan BC Suppress

In the preceding table, ACL group 14 matches all packet types; each row lists the match fields and actions of one service delivered to this group. Y indicates that the field is matched or the action is taken.

The following table provides examples of dynamic group templates. Dynamic groups are not mapped to fixed services.

                 Field Set                                                     Action Set
Group ID  Type   Port   VS   SrcIP   DstIP   L4SPort   L4DPort   Protocol      Statistics   Deny   Redirect
----------------------------------------------------------------------------------------------------------
290       IPv4   Y      -    Y       -       -         -         -             -            Y      Y
214       IPv4   -      Y    Y       Y       Y         Y         Y             Y            Y      Y

In the preceding table, packets of the given type that are matched on the listed fields, or on which the listed actions are taken, are delivered to the corresponding group. Y indicates that the field is matched or the action is taken.

Depending on whether the user is aware of them, services that use ACLs are classified as explicit or implicit. MQC is an explicit service: when configuring MQC, you configure the ACL yourself. The IPv6 service is an implicit service: when IPv6 is configured, the device delivers an ACL to process IPv6 protocol packets, and you are not aware of this ACL delivery.

For details about explicit and implicit services that use ACL resources, see the chapter "Services and ACL" in the ACL Technical Topics.

Best Practice of ACL Resource Application

By default, the services configured by users are delivered to pre-defined groups. Pre-defined groups are designed to meet many different customer requirements, so they include many matching fields and actions, and the ACL resources they occupy cannot be fully used. The device therefore provides an open hardware resource programming capability, TCAM ACL customization.

With this function, users can customize ACL resource groups, specifying the matching conditions, actions, and priorities. When a service is delivered, the customized group is used preferentially. This reduces the number of redundant fields delivered to the groups in the chip and gives optimal chip resource allocation.

The following describes three major applications of TCAM ACL customization. For more information, see the chapter "Best Practice of ACL Application" in the ACL Technical Topics.

Multiple Traffic Policies Contain Different Matching Fields

When multiple traffic policies with different matching fields are delivered, multiple pre-defined groups are occupied. A TCAM ACL customized group that contains all matching fields and actions of those traffic policies is selected preferentially by the system, so only one group is created and group resources are saved.

The system provides the following three pre-defined groups for the traffic policy.

Group ID  Group Mode  Field Set                                   Action Set
---------------------------------------------------------------------------------------------------
213       160bit      Source IP, Destination IP,                  Redirect Interface, Deny, Statistics
                      Source Interface, VSI
216       160bit      Source IP, Destination IP, L4 Source Port,  Redirect Interface, Deny, Remark DSCP,
                      L4 Destination Port, IP Protocol,           Mirror
                      IP Fragment Type, Source Interface, VSI
294       160bit      Source IP, Destination IP, L4 Source Port,  Redirect Interface, Deny, Statistics
                      L4 Destination Port, IP Protocol, TCP Flag,
                      IP Fragment Type, Source Interface, VSI

Configure ACL 3001 to match the source IP address, with deny as the action.

#
acl 3001
 rule 5 permit ip source 1.1.1.1 0
 rule 10 deny ip
#

Group 213 contains the source IP address field and the deny action, so group 213 is created in the chip to meet the requirement.

Configure ACL 3002 to match the destination IP address and source TCP port.

#
acl 3002
 rule 5 permit tcp destination 2.2.2.2 0 source-port eq 10000
 rule 10 deny ip
#

Group 213 does not contain the source TCP port field, so the ACL cannot be delivered to group 213 and the system searches the other pre-defined templates.

Group 216 contains the fields and actions of the rules, so group 216 is created to meet the requirement.

Configure ACL 3003 to match the destination IP address, destination TCP port, and TCP flag.

#
acl 3003
 rule 5 permit tcp destination 3.3.3.3 0 destination-port eq 10001 tcp-flag established
 rule 10 deny ip
#

Group 213 does not contain the destination TCP port field, so the ACL cannot be delivered to group 213. Group 216 does not contain the TCP flag field, so the ACL cannot be delivered to group 216. The system searches the other pre-defined templates: group 294 contains the fields and actions of the rules, so group 294 is created to meet the requirement.

Three traffic policies are applied. Due to the field difference, three pre-defined groups are selected, occupying three chip groups.

Use the following TCAM ACL customized groups to reduce the number of groups occupied by the traffic policy.

Group ID           Group Mode  Field Set                                   Action Set
---------------------------------------------------------------------------------------
User Define Group  160bit      Source IP, Destination IP, L4 Source Port,  Deny
                               L4 Destination Port, IP Protocol, TCP Flag,
                               IP Fragment Type, Source Interface, VSI

When selecting a group for a traffic policy, the system first checks whether a TCAM ACL customized group meets the requirements. The customized group includes all fields and actions matched by ACL 3001, 3002, and 3003, so the customized TCAM ACL group is selected for all three ACLs, and none of them is delivered to a pre-defined group.

The TCAM ACL customized template is configured. Three traffic policies are applied, containing different matching fields. Only one group is occupied.

Multiple Traffic Policies Are Applied to Take Different Actions

When multiple traffic policies with different actions are delivered, multiple pre-defined groups are likewise occupied. A TCAM ACL customized group that contains all matching fields and actions of those traffic policies is selected preferentially by the system, so only one group is created and group resources are saved.

The system provides the following two pre-defined groups for the traffic policy.

Group ID  Group Mode  Field Set                                   Action Set
---------------------------------------------------------------------------------------------------
213       160bit      Source IP, Destination IP,                  Redirect Interface, Deny, Statistics
                      Source Interface, VSI
295       160bit      Source IP, Destination IP, L4 Source Port,  Redirect Interface, Deny, Car
                      L4 Destination Port, IP Protocol,
                      IP Fragment Type, Source Interface, VSI

The configuration is as follows:

1. Configure ACL 3001 to match the source IP address and the action is deny.

#
acl 3001
 rule 5 permit ip source 1.1.1.1 0
 rule 10 deny ip
#

2. Run the traffic policy statistics command. Set the action of ACL 3001 to statistics collection.

#
traffic classifier statistics
 if-match acl 3001
traffic behavior statistics
 statistics enable
traffic policy statistics
 classifier statistics behavior statistics
#

3. Run the traffic policy car command. Set the action of ACL 3001 to CAR.

#
traffic classifier car
 if-match acl 3001
traffic behavior car
 statistics car
traffic policy car
 classifier car behavior car
#

Among the pre-defined groups, group 213 contains the source IP address field and the statistics action, so group 213 is created to meet the requirement of traffic policy statistics.

Group 213 does not contain the CAR action, but traffic policy car requires it, so this traffic policy cannot be delivered to group 213 and the system searches the other groups.

Group 295 contains the source IP address field and the CAR action, so group 295 is created to meet the requirement of traffic policy car.

Two traffic policies are applied. Due to the action difference, two pre-defined groups are selected, occupying two chip groups.

Use the following TCAM ACL customized groups to reduce the number of groups occupied by the traffic policy.

Group ID           Group Mode  Field Set                                   Action Set
---------------------------------------------------------------------------------------
User Define Group  160bit      Source IP, Destination IP, L4 Source Port,  Statistics, car
                               L4 Destination Port, IP Protocol, TCP Flag,
                               IP Fragment Type, Source Interface, VSI

When selecting a group for traffic policy, the system checks whether the TCAM ACL group can meet requirements. Customized TCAM ACL groups include the source IP address and actions of statistics collection and CAR. Therefore, traffic policy statistics and traffic policy car successfully select TCAM ACL groups. These ACLs are not delivered to pre-defined groups.

The TCAM ACL customized template is configured. Two traffic policies are applied, containing different actions. Only one chip group is occupied.

Traffic Policy Containing a Few Matching Fields Is Applied and 320-Bit Group Is Used

A delivered traffic policy that contains only a few matching fields may still land in a 320-bit pre-defined group. If a TCAM ACL customized group is configured that contains only the matching fields and actions the traffic policies actually use, the unnecessary fields of the pre-defined group are left out, the group width drops to 160 bits, and chip resources are saved.

For example, the system has the following pre-defined group.

Group ID  Group Mode  Field Set                                   Action Set
-----------------------------------------------------------------------------------------------------
233       320bit      Source IP, Destination IP, L4 Source Port,  Redirect Interface, Deny, Statistics,
                      L4 Destination Port, IP Protocol, TCP Flag,  Remark 8021p, Remark VLAN, Remark DSCP,
                      IP Fragment Type, IP TOS, IP TTL,            Mac learning disable
                      ICMP Type, Source Interface, VSI

The traffic policy is configured, containing IP DSCP and the remark dscp action. Among all pre-defined templates, only group 233 can meet requirement. However, group 233 contains many matching fields and actions. It is a 320-bit group that occupies many chip resources.

The following TCAM ACL customized group can be configured.

Group ID           Group Mode  Field Set                                Action Set
-----------------------------------------------------------------------------------
User Define Group  160bit      Source IP, Destination IP, IP ToS, VSI   remark dscp

The customized TCAM ACL group contains only the matching fields and actions the user requires. Its width is 160 bits, so it occupies few chip resources.

When selecting a group for the traffic policy, the system first checks whether a TCAM ACL customized group meets the requirements. The customized group includes the IP ToS field and the remark dscp action, so the traffic policy selects the customized TCAM ACL group and the ACL is not delivered to a pre-defined group.

With the customized TCAM ACL template, the delivered policy meets the user's requirements while occupying few chip resources.
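The group-selection behaviour of the three cases above, and of the dynamic grouping described under "Services That Use ACL Resources", replayed as an added Python example. This is constructed illustration code, not Huawei software: the templates 213, 216, 294, 295, 233 and the three user-defined groups are transcribed from the tables on this page, while the shortened field and action labels, and the assumption that pre-defined templates are tried in the listed order after any customized group, are this example's own.

```python
"""Constructed model of ACL group selection; not Huawei code.  Templates are
transcribed from the page's tables.  Assumed (not stated on the page): the
device tries customized groups first, then the pre-defined templates in the
order listed here, and takes the first whose field set and action set both
cover the rule."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class GroupTemplate:
    name: str
    width_bits: int          # group mode: 160bit or 320bit
    fields: frozenset
    actions: frozenset

    def covers(self, fields: Iterable[str], actions: Iterable[str]) -> bool:
        """A template can hold a rule only if it contains every match field
        and every action the rule needs; fields the rule does not use are the
        'redundant fields' the page refers to."""
        return set(fields) <= self.fields and set(actions) <= self.actions


def tpl(name: str, width: int, fields: str, actions: str) -> GroupTemplate:
    return GroupTemplate(name, width, frozenset(fields.split()), frozenset(actions.split()))


L3_L4 = "sip dip l4-sport l4-dport ip-protocol ip-fragment src-if vsi"
PREDEFINED = [
    tpl("213", 160, "sip dip src-if vsi", "redirect deny statistics"),
    tpl("216", 160, L3_L4, "redirect deny remark-dscp mirror"),
    tpl("294", 160, L3_L4 + " tcp-flag", "redirect deny statistics"),
    tpl("295", 160, L3_L4, "redirect deny car"),
    tpl("233", 320, L3_L4 + " tcp-flag ip-tos ip-ttl icmp-type",
        "redirect deny statistics remark-8021p remark-vlan remark-dscp mac-learning-disable"),
]


class Chip:
    """Tracks created groups; a later policy that fits an already-created
    group reuses it instead of creating another one."""

    def __init__(self, custom: Iterable[GroupTemplate] = ()):
        self.custom = list(custom)   # TCAM ACL customized groups, tried first
        self.created: List[GroupTemplate] = []

    def deliver(self, fields: Iterable[str], actions: Iterable[str]) -> Optional[str]:
        for t in self.custom + PREDEFINED:
            if t.covers(fields, actions):
                if t not in self.created:
                    self.created.append(t)
                return t.name
        return None   # no template fits: the "Select group" failure

    def kb_cost(self) -> int:
        # per the page: a group of at most 160 bits takes one KB, a wider one two
        return sum(2 if t.width_bits > 160 else 1 for t in self.created)


def run(policies, custom=()):
    """Deliver each (fields, actions) policy, both given as space-separated
    strings; return (chosen group names, groups created, KBs consumed)."""
    chip = Chip(custom)
    chosen = [chip.deliver(f.split(), a.split()) for f, a in policies]
    return chosen, len(chip.created), chip.kb_cost()


# Case 1: three ACLs with different match fields (the page's ACL 3001/3002/3003)
CASE1 = [("sip", "deny"),
         ("dip l4-sport ip-protocol", "deny"),
         ("dip l4-dport tcp-flag ip-protocol", "deny")]
UDG1 = tpl("UDG-fields", 160, L3_L4 + " tcp-flag", "deny")

# Case 2: the same ACL 3001 under a statistics policy and a CAR policy
CASE2 = [("sip", "statistics"), ("sip", "car")]
UDG2 = tpl("UDG-actions", 160, L3_L4 + " tcp-flag", "statistics car")

# Case 3: IP ToS plus remark dscp, which otherwise lands in 320-bit group 233
CASE3 = [("ip-tos", "remark-dscp")]
UDG3 = tpl("UDG-narrow", 160, "sip dip ip-tos vsi", "remark-dscp")


def compare(policies, udg: GroupTemplate):
    """(result with pre-defined templates only, result with the customized group)."""
    return run(policies), run(policies, [udg])


if __name__ == "__main__":
    for n, (case, udg) in enumerate(((CASE1, UDG1), (CASE2, UDG2), (CASE3, UDG3)), 1):
        before, after = compare(case, udg)
        print(f"case {n}: pre-defined only -> {before}; with customized group -> {after}")
```

Running it reproduces the page's three outcomes: three groups, two groups, and one 320-bit group before customization, versus a single 160-bit group after it. A policy whose field and action combination no template covers returns None, which corresponds to the "Select group" failure in the troubleshooting section.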

Troubleshooting Case

Symptom

When the traffic policy is delivered, the following message is displayed:

Error: Failed to apply the traffic policy p1 on slot 1. To check the cause, run the display traffic-policy applied-record command.

Checking the Reason

Use either of the following methods to check the failure reason:

1. Run the display traffic-policy applied-record command to check the failure reason:

[~HUAWEI] display traffic-policy applied-record                           
Total records : 1                                                               
------------------------------------------------------------------------------- 
Policy Type/Name                 Apply Parameter             Slot   State       
------------------------------------------------------------------------------- 
P1                               Global inbound                 1   fail(3)     
------------------------------------------------------------------------------- 
Fail reason:                                                                    
   3 -- The numbers of matched conditions and actions in the traffic policy exceed the limit. 

fail(3) indicates that the traffic policy fails to be delivered. The numeral 3 is the reason number, as shown in the following table.

No.  Reason                                                    Description
----------------------------------------------------------------------------------------------------------------------
3    The numbers of matched conditions and actions in the     The pre-defined template does not contain the
     traffic policy exceed the limit.                          combination of actions and matching conditions.
4    Insufficient ACL resources.                               The KBs, CEs, or banks are insufficient.

2. Run the display system tcam fail-record command in the diagnostic view to check the failure reason.

[~HUAWEI-diagnose] display system tcam fail-record                       
----------------------------------------------------------------------------------- 
Slot  Chip Time                Service                  ErrInfo                    
----------------------------------------------------------------------------------- 
1     1    2017-03-28 10:31:38 Traffic Policy Global    Select group                 
Total: 1   

ErrInfo indicates the reason why the traffic policy fails to be delivered. The following table lists the common reasons.

Displayed Reason      Description
-------------------------------------------------------------------------------------------------
Select group          The pre-defined template does not contain the combination of actions and
                      matching conditions.
Group resource full   The KBs or CEs are insufficient.
Entry resource full   The banks are insufficient.

Solutions

If the traffic policy delivery failure is caused by insufficient KB or CE resources, run the display system tcam acl group resource [ slot slot-id [ chip chip-id ] ] command in the system view to check the KB or CE resource usage. For other solutions, see the chapter "ACL Maintenance" in the ACL Technical Topics. Example output:

[~HUAWEI] display system tcam acl group resource slot 1
STG : Stage                   KCP  : Key Construction Program                   
ING : Ingress                 EGR  : Egress                                     
CYC : Cycle                   PTYPE: PortType                                   
FRT : Front Ports             RCY  : Recycle Ports                              
16-L: 16bit-LSB Copy Engine   16-M : 16bit-MSB Copy Engine                      
32-L: 32bit-LSB Copy Engine   32-M : 32bit-MSB Copy Engine                      
F   : Free                    T    : Total                                      
--------------------------------------------------------------------------------
Slot: 1    Chip : 0   UseRate:Normal                                            
--------------------------------------------------------------------------------
STG KCP PacketType       PTYPE       CYC Group   UsedKey 16-L  32-L  16-M  32-M 
                                                          F|T   F|T   F|T   F|T 
--------------------------------------------------------------------------------
ING   1 L2               FRT           0 2       2,3      2|8   5|8   7|8   6|8 
ING   2 IPV4             FRT           0 3       2,3      0|8   4|8   4|8   6|8 
ING   3 TRILL            FRT           0 1       2,3      6|8   5|8   7|8   6|8 
ING   4 IPV6             FRT           0 4       2,3      2|8   5|8   1|8   6|8 
--------------------------------------------------------------------------------

STG: indicates whether the ingress or egress ACL resources are occupied. ING indicates ingress, and EGR indicates egress.

CYC: indicates the ACL resource pool number. On the E series card, for example, resource pool 0 contains 3 KBs, and resource pool 1 contains 4 KBs.

Group: indicates the group ID delivered to service. It has the same value as the FE Group ID contained in the display system tcam service brief command output in the diagnose view.

UsedKey: indicates the KB resource number in use.

16-L, 32-L, 16-M, 32-M: indicates the CE resource usage. T indicates all CE resources, and F indicates remaining CE resources.

For other information, see the display system tcam acl group resource command description in the command reference.
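The following parsers are an added example of turning the two outputs shown above into a short finding; they are constructed for this page and are not a Huawei tool. The sample texts are the page's own command output, and the reason tables are transcribed from the page.

```python
"""Parsers for display traffic-policy applied-record and display system tcam
acl group resource output; constructed example, not a Huawei tool."""
import re
from typing import Dict, List, Tuple

# sample text: the page's own command output
APPLIED_RECORD = """\
[~HUAWEI] display traffic-policy applied-record
Total records : 1
-------------------------------------------------------------------------------
Policy Type/Name                 Apply Parameter             Slot   State
-------------------------------------------------------------------------------
P1                               Global inbound                 1   fail(3)
-------------------------------------------------------------------------------
Fail reason:
   3 -- The numbers of matched conditions and actions in the traffic policy exceed the limit.
"""

GROUP_RESOURCE = """\
STG KCP PacketType       PTYPE       CYC Group   UsedKey 16-L  32-L  16-M  32-M
                                                          F|T   F|T   F|T   F|T
--------------------------------------------------------------------------------
ING   1 L2               FRT           0 2       2,3      2|8   5|8   7|8   6|8
ING   2 IPV4             FRT           0 3       2,3      0|8   4|8   4|8   6|8
ING   3 TRILL            FRT           0 1       2,3      6|8   5|8   7|8   6|8
ING   4 IPV6             FRT           0 4       2,3      2|8   5|8   1|8   6|8
--------------------------------------------------------------------------------
"""

# reason numbers shown as fail(N), from the page's table
APPLY_REASONS = {
    3: "the pre-defined template does not contain this combination of "
       "matching conditions and actions",
    4: "insufficient ACL resources (KBs, CEs, or banks)",
}
CE_COLUMNS = ("16-L", "32-L", "16-M", "32-M")


def parse_applied_record(text: str) -> List[Dict]:
    """One dict per policy row; 'reason' is the number inside fail(N), else None."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 4 or not parts[2].isdigit():
            continue    # banner, header, separator and 'Fail reason' lines
        m = re.search(r"fail\((\d+)\)", parts[3])
        rows.append({"policy": parts[0], "parameter": parts[1],
                     "slot": int(parts[2]), "state": parts[3],
                     "reason": int(m.group(1)) if m else None})
    return rows


def parse_group_resource(text: str) -> List[Dict]:
    """One dict per ING/EGR row; 'ce' maps engine name to (free, total)."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) != 11 or t[0] not in ("ING", "EGR"):
            continue
        ce = {}
        for name, cell in zip(CE_COLUMNS, t[7:]):
            free, total = cell.split("|")        # F|T
            ce[name] = (int(free), int(total))
        rows.append({"stage": t[0], "kcp": int(t[1]), "packet_type": t[2],
                     "cycle": int(t[4]), "group": int(t[5]),
                     "used_keys": [int(k) for k in t[6].split(",")],
                     "ce": ce})
    return rows


def exhausted_engines(rows: List[Dict]) -> List[Tuple[int, str]]:
    """(KCP, engine) pairs whose copy-engine resources have no free entries."""
    return [(r["kcp"], name) for r in rows
            for name, (free, _total) in r["ce"].items() if free == 0]


def describe(records: List[Dict]) -> List[str]:
    """One readable line per failed policy, using the page's reason table."""
    out = []
    for r in records:
        if r["reason"] is None:
            continue
        why = APPLY_REASONS.get(r["reason"], "unknown reason number")
        out.append(f"{r['policy']} ({r['parameter']}, slot {r['slot']}): "
                   f"{r['state']} - {why}")
    return out


if __name__ == "__main__":
    for line in describe(parse_applied_record(APPLIED_RECORD)):
        print(line)
    for kcp, engine in exhausted_engines(parse_group_resource(GROUP_RESOURCE)):
        print(f"KCP {kcp}: copy engine {engine} has no free entries")
```

On the page's sample output the second check reports KCP 2 (IPV4) with 0 of 8 entries free on the 16-L copy engine, which is exactly the CE exhaustion the reason table labels "Group resource full".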

If all the 7 KBs in the same KCP are used up, the traffic policy delivery failure is caused by insufficiency of KBs. The solution is as follows:

1. Configure the TCAM ACL customized group to reduce the KB occupation (recommended).

2. In V100R006C00 and later versions, run the traffic-policy resource-saving-mode command to enable the resource saving mode for traffic policies. All ACL resources required by traffic policies are then adjusted and delivered again so that other services can be delivered successfully.
NOTE:
  1. When this function is enabled, all traffic policies on the device are re-delivered, and services may be interrupted temporarily.
  2. In addition, when a new traffic policy is applied to the device or the old traffic policies, including classifier, behavior, and ACL rules are modified, all traffic policies are re-delivered, and services may be interrupted temporarily.
Updated: 2019-07-01

Document ID: EDOC1100086955
