S9706: merging traffic policies to reduce ACL rule resource usage and fix policy-based routing that no longer takes effect
Problem Description
After a new traffic classifier was added to the existing policy-based routing (PBR) traffic policy on an S9706, the behavior bound to an existing classifier stopped working and policy-based routing failed.
Alarm Information
When the new classifier 3004 was added to the traffic policy, the switch reported that rule resources were insufficient:
Error: Adding rule failed. Insufficient rule resource in policy ForServers classifier 3003 behavior PBR-For-Servers acl 3003, rule 740, on slot 4 vlan 110.
Handling Process
1. Collected the fault symptoms and found an error about insufficient rule resources:
Error: Adding rule failed. Insufficient rule resource in policy ForServers classifier 3003 behavior PBR-For-Servers acl 3003, rule 740, on slot 4 vlan
2. Suspected that the ACL resources on a board were exhausted. Ran display traffic-policy applied-record to check where the policy had been delivered and found that one application had failed:
=========================================================================
===============display traffic-policy applied-record===============
=========================================================================
#
-------------------------------------------------
Policy Name: ForServers
Policy Index: 0
Classifier:3001 Behavior:ServersReplyLanUsers
Classifier:3002 Behavior:ServersReplyShenZhenTianWeiShiXunWangLuoUsers
Classifier:3004 Behavior:ServersReplyLanUsers
Classifier:3003 Behavior:PBR-For-Servers
-------------------------------------------------
*vlan 202
traffic-policy ForServers inbound
slot 1 : success
slot 3 : success
slot 4 : success
slot 5 : success
*vlan 88
traffic-policy ForServers inbound
slot 1 : success
slot 3 : success
slot 4 : success
slot 5 : success
*vlan 89
traffic-policy ForServers inbound
slot 1 : success
slot 3 : success
slot 4 : success
slot 5 : success
*vlan 6
traffic-policy ForServers inbound
slot 1 : success
slot 3 : success
slot 4 : success
slot 5 : success
*vlan 110
traffic-policy ForServers inbound
slot 1 : success
slot 3 : success
slot 4 : fail
slot 5 : success
[LG-S9706-2]DIS traffic policy statistics interface GigabitEthernet 1/0/34 outbound verbose rule-base class 3004
Info: The Policy is not applied in this view.
Only the application on vlan 110 for slot 4 failed, which shows that the board in slot 4 is short of ACL rule resources.
3. Based on the customer's services and configuration, merged the policy applications under two VLANs into a single global policy, reducing ACL resource consumption and resolving the problem.
See the Solution section for the changes made.
Root Cause
The ACLs referenced by the ForServers policy contain 315 rules in total, and the policy is applied under five VLANs, so every board has to hold 315*5 = 1575 rule entries. After classifier 3004 was inserted ahead of classifier 3003, the board in slot 4 no longer had room for the rules of acl 3003 (the error names "classifier 3003 behavior PBR-For-Servers acl 3003, rule 740, on slot 4 vlan 110"), so the PBR behavior stopped taking effect on that board.
Solution
1. Apply the policy in the global view instead of under each VLAN, so that merged applications consume fewer rule entries in total.
Original configuration:
#
traffic classifier 3001 operator or precedence 45
if-match acl 3001
traffic classifier 3002 operator or precedence 46
if-match acl 3002
traffic classifier 3003 operator or precedence 50
if-match acl 3003
traffic classifier 3004 operator or precedence 47
if-match acl 3004
#
traffic behavior PBR-For-Servers
permit
redirect ip-nexthop 10.0.255.42 forced
traffic behavior ServersReplyLanUsers
permit
traffic behavior ServersReplyShenZhenTianWeiShiXunWangLuoUsers
permit
#
traffic policy ForServers match-order config
classifier 3001 behavior ServersReplyLanUsers
classifier 3002 behavior ServersReplyShenZhenTianWeiShiXunWangLuoUsers
classifier 3004 behavior ServersReplyLanUsers //the new classifier is ordered ahead of the original 3003
classifier 3003 behavior PBR-For-Servers //this behavior no longer takes effect
vlan 6
description ServAcceSW-Manager
traffic-policy ForServers inbound
vlan 88
description VLAN_SERVER_FARM_1
traffic-policy ForServers inbound
vlan 89
description VLAN_SERVER_FARM_2
traffic-policy ForServers inbound
vlan 110
traffic-policy ForServers inbound
vlan 202
description Connect to SZCT-MPLS-PE-VPN3007813-20150422
traffic-policy ForServers inbound
Modified configuration: merge the vlan 88 and vlan 89 applications into one global policy.
The policy contains 315 ACL rules and is applied under 5 VLANs, so it consumes 315*5 = 1575 rule entries per board, more than slot 4 can hold. Merging the vlan 88 and vlan 89 applications into a single global policy (whose classifiers additionally match vlan-id 88 to 89) reduces this to 315*4 = 1260 entries. The steps are as follows:
#
traffic classifier 3001_8889 operator and precedence 55
if-match acl 3001
if-match vlan-id 88 to 89
traffic classifier 3002_8889 operator and precedence 56
if-match acl 3002
if-match vlan-id 88 to 89
traffic classifier 3003_8889 operator and precedence 60
if-match acl 3003
if-match vlan-id 88 to 89
traffic classifier 3004_8889 operator and precedence 57
if-match acl 3004
if-match vlan-id 88 to 89
#
traffic policy ForServersVlan8889 match-order config
classifier 3001_8889 behavior ServersReplyLanUsers
classifier 3002_8889 behavior ServersReplyShenZhenTianWeiShiXunWangLuoUsers
classifier 3004_8889 behavior ServersReplyLanUsers
classifier 3003_8889 behavior PBR-For-Servers
#
traffic-policy ForServersVlan8889 global inbound
#
Note: remove the policy from vlan 88 and vlan 89 before applying the merged configuration. The application that failed to deliver (vlan 110 on slot 4) also has to be removed and reapplied.
Explanation: when a traffic policy is used, the number of ACL rule entries it consumes is the total number of rules in all ACLs referenced by the policy multiplied by the number of times the policy is applied.
For example, if the ACLs in a policy contain 315 rules in total and the policy is applied under 5 VLANs, it consumes 315*5 = 1575 rule entries; if the vlan 88 and vlan 89 applications can be merged into one, consumption drops to 315*4 = 1260.
Suggestions and Summary
1. When a traffic policy is used, the ACL rule entries it consumes equal the total number of rules in all of its ACLs multiplied by the number of times the policy is applied.
Depending on the environment, the policies applied on several interfaces (physical interfaces, VLANs or VLANIF interfaces) can sometimes be merged into one policy in the global view, reducing board resource consumption.
2. This method has limitations: it suits specific scenarios where the configurations can be merged and the rule-resource shortfall is small. It is a clever way to work around the resource limit rather than a general fix.
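The accounting rule in the Explanation above and in point 1 of the summary (rule entries = total ACL rules in the policy × number of applications, counted per board) and the vlan 88/89 merge from the Solution are modelled below. This is an added example written for this page, not Huawei software or the customer's configuration: the per-slot capacities, the absence of unrelated baseline ACL usage, and the assumption that every application (VLAN-level or global) is installed once on every slot are illustrative. It reproduces the page's numbers (1575 before, 1260 after), reports which slot overflows, and emits the merged classifier/policy configuration in the same form the Solution shows.

```python
"""Added example: per-slot ACL rule accounting for a VRP traffic policy and the
VLAN-to-global merge used in this case. Illustrative code, not Huawei software;
slot capacities, baseline usage and the accounting rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

RULES = 315  # total rules in the ACLs referenced by ForServers (from the page)


@dataclass(frozen=True)
class Classifier:
    name: str        # "3001", or "3001_8889" after merging
    acl: int
    precedence: int
    behavior: str


@dataclass(frozen=True)
class Policy:
    name: str
    classifiers: Tuple[Classifier, ...]   # in match-order config order
    rules: int                             # sum of rules in all referenced ACLs


@dataclass(frozen=True)
class Application:
    policy: Policy
    scope: str       # "vlan 110" or "global"


def slot_usage(apps: Sequence[Application], slots: Sequence[int],
               baseline: Optional[Dict[int, int]] = None) -> Dict[int, int]:
    """Rule entries each board must hold. Assumption: every application of a
    policy, VLAN-level or global, is pushed to every slot and costs the
    policy's full rule count there. `baseline` is an assumed count of entries
    already used by unrelated ACLs on a slot (0 if omitted)."""
    usage = {s: (baseline or {}).get(s, 0) for s in slots}
    for app in apps:
        for s in slots:
            usage[s] += app.policy.rules
    return usage


def failing_slots(usage: Dict[int, int], capacity: Dict[int, int]) -> List[int]:
    """Slots whose required entries exceed the (assumed) board capacity."""
    return sorted(s for s, used in usage.items() if used > capacity[s])


def merge_vlans_into_global(apps: Sequence[Application], policy: Policy,
                            vlans: Sequence[int], prec_offset: int = 10
                            ) -> Tuple[List[Application], Policy]:
    """Replace the VLAN-level applications of `policy` on `vlans` with one
    global application of a copy whose classifiers also match those VLAN IDs
    (operator and). The copy references the same ACLs, so its rule count is
    unchanged; what drops is the number of applications."""
    lo, hi = min(vlans), max(vlans)
    if set(vlans) != set(range(lo, hi + 1)):
        raise ValueError("if-match vlan-id takes a contiguous range")
    tag = f"{lo}{hi}"
    merged = Policy(
        name=f"{policy.name}Vlan{tag}",
        classifiers=tuple(
            Classifier(f"{c.name}_{tag}", c.acl, c.precedence + prec_offset, c.behavior)
            for c in policy.classifiers),
        rules=policy.rules)
    dropped = {f"vlan {v}" for v in vlans}
    kept = [a for a in apps
            if not (a.policy.name == policy.name and a.scope in dropped)]
    kept.append(Application(merged, "global"))
    return kept, merged


def render_merged_config(policy: Policy, vlans: Sequence[int]) -> str:
    """Emit VRP-style configuration for the merged policy."""
    lo, hi = min(vlans), max(vlans)
    lines = ["#"]
    for c in policy.classifiers:
        lines += [f"traffic classifier {c.name} operator and precedence {c.precedence}",
                  f" if-match acl {c.acl}",
                  f" if-match vlan-id {lo} to {hi}"]
    lines += ["#", f"traffic policy {policy.name} match-order config"]
    lines += [f" classifier {c.name} behavior {c.behavior}" for c in policy.classifiers]
    lines += ["#", f"traffic-policy {policy.name} global inbound", "#"]
    return "\n".join(lines)


# The case from the page: ForServers applied under five VLANs on a chassis
# with boards in slots 1, 3, 4 and 5.
FOR_SERVERS = Policy("ForServers", (
    Classifier("3001", 3001, 45, "ServersReplyLanUsers"),
    Classifier("3002", 3002, 46, "ServersReplyShenZhenTianWeiShiXunWangLuoUsers"),
    Classifier("3004", 3004, 47, "ServersReplyLanUsers"),
    Classifier("3003", 3003, 50, "PBR-For-Servers")), RULES)
SLOTS = (1, 3, 4, 5)
ORIGINAL = [Application(FOR_SERVERS, f"vlan {v}") for v in (202, 88, 89, 6, 110)]
# Assumed capacities: slot 4 is modelled with fewer free entries than the
# other boards, so that it is the only slot to overflow, as in the case.
CAPACITY = {1: 2048, 3: 2048, 4: 1536, 5: 2048}


def before_and_after():
    before = slot_usage(ORIGINAL, SLOTS)
    merged_apps, merged = merge_vlans_into_global(ORIGINAL, FOR_SERVERS, (88, 89))
    after = slot_usage(merged_apps, SLOTS)
    return (before, failing_slots(before, CAPACITY),
            after, failing_slots(after, CAPACITY), merged)


if __name__ == "__main__":
    before, fail_b, after, fail_a, merged = before_and_after()
    print("before:", before, "overflowing slots:", fail_b)
    print("after: ", after, "overflowing slots:", fail_a)
    print(render_merged_config(merged, (88, 89)))
```

Running it prints 1575 entries per slot with slot 4 overflowing before the merge, 1260 per slot with no overflow after it, followed by the merged ForServersVlan8889 configuration. Because the model counts entries per board, it also shows why merging helps only when the shortfall is small: each remaining application still costs the full 315 rules on every slot, so a board that is short by more than one application's worth of rules needs the ACLs themselves trimmed rather than the applications merged.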