This document describes how Logical Operation Units (LOUs) and Layer 4 Operations (L4Ops) are programmed into the capmap table. It presents failure scenarios, the types of errors you typically encounter in those situations, and what you should infer from them.
The Classification Manager (CM) manages the classification Ternary Content Addressable Memory (TCAM) and related resources such as labels, LOUs, and capmap entries. The Feature Manager (FM) and the QoS Manager (QM) use CM services to program TCAM entries in support of Cisco IOS® Access Control List (ACL) and Quality of Service (QoS) features.
LOUs and L4Ops - LOU stands for Logical Operation Unit. A LOU is a hardware register that stores the {operator, operand} tuples for the TCP/UDP port numbers specified in ACLs and VLAN access control lists (VACLs). These tuples are also called L4Ops. For example, if you match host X to host Y gt 1023, the tuple becomes {gt, 1023}.
L4Ops - Layer 4 Operations.
Capmap table - The L4Ops described above are programmed into LOU registers, and the LOU registers are referenced by entries in the capmap table. Each capmap table entry has a limit of 10 slots (L4Ops); one of them is reserved for direction, which lowers the usable limit to 9. The capmap table is indexed by the TCAM label itself.
There are two TCAMs, A and B; each TCAM has 8K labels. For each TCAM there is a capmap table with 2K entries. Since each TCAM has 8K labels, there is a 4:1 overlap here: four labels map to one capmap entry. The overlap is 1=2049=4097=6145.
Essentially, this means that TCAM labels 1, 2049, 4097, and 6145 use the same capmap index. Cisco's legacy implementation of TCAM label allocation caused problems because of this overlap: Cisco allocated TCAM labels in steps of 2K (2048, to be exact). This means the allocation took the form 1, 2049, 4097, 6145, 2, 2050, 4098, 6146, and so on.
So from the very start, TCAM label allocations overlapped. The following example demonstrates this (taken from Cisco bug ID CSCuo02666). Two ACLs, a1 and a2, are defined and applied to interface VLAN 1 and interface VLAN 2 as shown:
Sup2T(config)#ip access-list extended a1
Sup2T(config-ext-nacl)# permit ip host 1.1.1.1 any dscp 1
Sup2T(config-ext-nacl)# permit ip host 1.1.1.1 any dscp 2
Sup2T(config-ext-nacl)# permit ip host 1.1.1.1 any dscp 3
Sup2T(config-ext-nacl)# permit ip host 1.1.1.1 any dscp 4
Sup2T(config-ext-nacl)# permit ip host 1.1.1.1 any dscp 5
Sup2T(config-ext-nacl)#exit
Sup2T(config)#int vlan 1
Sup2T(config-if)#ip access-group a1 in
Sup2T(config-if)#exit
Sup2T(config)#ip access-list extended a2
Sup2T(config-ext-nacl)# permit ip host 1.1.1.2 any dscp 6
Sup2T(config-ext-nacl)# permit ip host 1.1.1.2 any dscp 7
Sup2T(config-ext-nacl)# permit ip host 1.1.1.2 any dscp cs1
Sup2T(config-ext-nacl)# permit ip host 1.1.1.2 any dscp 9
Sup2T(config-ext-nacl)#exit
Sup2T(config)#int vlan 2
Sup2T(config-if)#ip access-group a2 in
Sup2T(config-if)#end
Here is the TCAM for these interfaces:
Sup2T#show platform hardware acl entry interface vlan 1 security in ip detail
mls_if_index:20000001 dir:0 feature:0 proto:0
pass#0 features
UAPRSF: U-urg, A-ack, P-psh, R-rst, S-syn, F-fin
MLGFI: M-mpls_plus_ip_pkt, L-L4_hdr_vld, G-gpid_present,F-global_fmt_match,
I-ife/ofe
's' means set; 'u' means unset; '-' means don't care
----------------------------------------------------------------
----------------------------------------------------------------
----------------------------------------------------------------
------
I INDEX LABEL FS ACOS AS IP_SA SRC_PORT
IP_DA DST_PORT F FF L4PROT TCP-F:UAPRSF MLGFI OtherL4OPs
RSLT CNT
---------------------------------------------------------------
---------------------------------------------------------------
---------------------------------------------------------------
---------
fno:0
tcam:B, bank:0, prot:0 Aces
I V 16366 2049 0 0 0 1.1.1.1 - 0.0.0.0
- 0 0 0 - ----- dscp=5; 0x0000000000000038
0
I M 16366 0x1FFF 0 0x00 0x000 255.255.255.255 - 0.0.0.0
- 0 0 0x0
I V 16367 2049 0 0 0 1.1.1.1 - 0.0.0.0
- 0 0 0 - ----- dscp=4; 0x0000000000000038
0
I M 16367 0x1FFF 0 0x00 0x000 255.255.255.255 - 0.0.0.0
- 0 0 0x0
I V 16368 2049 0 0 0 1.1.1.1 - 0.0.0.0
- 0 0 0 - ----- dscp=3; 0x0000000000000038
0
I M 16368 0x1FFF 0 0x00 0x000 255.255.255.255 - 0.0.0.0
- 0 0 0x0
I V 16369 2049 0 0 0 1.1.1.1 - 0.0.0.0
- 0 0 0 - ----- dscp=2; 0x0000000000000038
0
I M 16369 0x1FFF 0 0x00 0x000 255.255.255.255 - 0.0.0.0
- 0 0 0x0
I V 16370 2049 0 0 0 1.1.1.1 - 0.0.0.0
- 0 0 0 - ----- dscp=1; 0x0000000000000038
0
I M 16370 0x1FFF 0 0x00 0x000 255.255.255.255 - 0.0.0.0
- 0 0 0x0
I V 16371 2049 0 0 0 0.0.0.0 - 0.0.0.0
- 0 0 0 - ----- - 0x0000000040000038
0
I M 16371 0x1FFF 0 0x00 0x000 0.0.0.0 - 0.0.0.0
- 0 0 0x0
Sup2T#show platform hardware acl entry interface vlan 2 security in ip detail
mls_if_index:20000002 dir:0 feature:0 proto:0
pass#0 features
UAPRSF: U-urg, A-ack, P-psh, R-rst, S-syn, F-fin
MLGFI: M-mpls_plus_ip_pkt, L-L4_hdr_vld, G-gpid_present,F-global_fmt_match, I-ife/ofe
's' means set; 'u' means unset; '-' means don't care
----------------------------------------------------------------
----------------------------------------------------------------
----------------------------------------------------------------
------
I INDEX LABEL FS ACOS AS IP_SA SRC_PORT
IP_DA DST_PORT F FF L4PROT TCP-F:UAPRSF MLGFI OtherL4OPs
RSLT CNT
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
fno:0
tcam:B, bank:1, prot:0 Aces
I V 32738 4097 0 0 0 1.1.1.2 - 0.0.0.0
- 0 0 0 - ----- dscp=9; 0x0000000000000038
0
I M 32738 0x1FFF 0 0x00 0x000 255.255.255.255 - 0.0.0.0
- 0 0 0x0
I V 32739 4097 0 0 0 1.1.1.2 - 0.0.0.0
- 0 0 0 - ----- dscp=8; 0x0000000000000038
0
I M 32739 0x1FFF 0 0x00 0x000 255.255.255.255 - 0.0.0.0
- 0 0 0x0
I V 32740 4097 0 0 0 1.1.1.2 - 0.0.0.0
- 0 0 0 - ----- dscp=7; 0x0000000000000038
0
I M 32740 0x1FFF 0 0x00 0x000 255.255.255.255 - 0.0.0.0
- 0 0 0x0
I V 32741 4097 0 0 0 1.1.1.2 - 0.0.0.0
- 0 0 0 - ----- dscp=6; 0x0000000000000038
0
I M 32741 0x1FFF 0 0x00 0x000 255.255.255.255 - 0.0.0.0
- 0 0 0x0
I V 32745 4097 0 0 0 0.0.0.0 - 0.0.0.0
- 0 0 0 - ----- - 0x0000000040000038
0
I M 32745 0x1FFF 0 0x00 0x000 0.0.0.0 - 0.0.0.0
- 0 0 0x0
The TCAM label allocated to interface VLAN 1 is 2049, and the TCAM label allocated to interface VLAN 2 is 4097. This means that both interfaces use the same capmap table to reference the L4Op programming in the LOU registers.
You can confirm this with the following commands (five ACEs in ACL a1 plus four ACEs in ACL a2 means you should expect to see the capmap table full):
Sup2T#show platform hardware acl capmap tcam B label 4097
Hardware Capmap Table Entry For TCAM B. Free items are not shown
Index Loc[9] [8] [7] [6] [5] [4] [3] [2] [1] [0]
----- ------ --- --- --- --- --- --- --- --- ---
1 212 10 9 8 7 6 5 4 3 2
Sup2T#show platform hardware acl capmap tcam B label 2049
Hardware Capmap Table Entry For TCAM B. Free items are not shown
Index Loc[9] [8] [7] [6] [5] [4] [3] [2] [1] [0]
----- ------ --- --- --- --- --- --- --- --- ---
1 212 10 9 8 7 6 5 4 3 2
So at this stage, if you try to install another non-expandable L4Op-based access control entry (ACE) for either of these interfaces, you receive the No free capmap entry available error.
Sup2T(config)#ip access-list extended a2
Sup2T(config-ext-nacl)#permit ip host 1.1.1.2 any dscp 10
Sup2T(config-ext-nacl)#end
*Sep 16 14:57:55.983: %EARL_CM-5-NOCAPMAP: No free capmap entry available
*Sep 16 14:57:55.991: %FMCORE-4-RACL_REDUCED: Interface Vlan2 routed traffic
will be software switched in ingress direction. L2 features may not be applied
at the interface
This causes the entire interface to be software-bridged, which can lead to reduced switching performance, high CPU utilization, and other related problems.
Note: Cisco bug ID CSCuo02666 has been filed and resolves this issue. The biggest logical change it introduces is the way TCAM labels are allocated. Cisco now allocates TCAM labels contiguously (2, 3, 4, 5, and so on) up to 2048, rather than in steps of 2K. This means the capmap table is no longer shared from the very beginning.
Remember that LOUs, like any other hardware resource, are finite. There are 104 LOUs available in total:
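The label-to-capmap folding and the two allocation orders described above, as an added example that is not part of the Cisco document. The constants (8K labels, 2K capmap entries, 10 slots with one reserved) come from the text; the function names and the contiguous order starting at label 2 are assumptions for illustration.

```python
# Added example (not from the Cisco document): a small model of how TCAM
# labels fold onto capmap indexes and why the legacy allocation order made
# the first interfaces share one capmap table. Constants are from the text:
# 8K labels per TCAM, 2K capmap entries, 10 slots per entry, one reserved.
LABELS_PER_TCAM = 8192
CAPMAP_ENTRIES = 2048
CAPMAP_SLOTS = 10
RESERVED_SLOTS = 1                              # direction slot (ife/ofe)
USABLE_SLOTS = CAPMAP_SLOTS - RESERVED_SLOTS    # 9 L4Ops per capmap entry


def capmap_index(label: int) -> int:
    """Fold a TCAM label (1..8192) onto its capmap index (1..2048).
    Labels 1, 2049, 4097 and 6145 all land on index 1, as the text states."""
    if not 1 <= label <= LABELS_PER_TCAM:
        raise ValueError(f"label {label} out of range")
    return (label - 1) % CAPMAP_ENTRIES + 1


def legacy_label_order(count: int) -> list[int]:
    """Pre-CSCuo02666 order: 1, 2049, 4097, 6145, 2, 2050, ... (2K steps)."""
    out = []
    n = 0
    while len(out) < count:
        base = n // 4 + 1
        out.append(base + (n % 4) * CAPMAP_ENTRIES)
        n += 1
    return out


def fixed_label_order(count: int, first: int = 2) -> list[int]:
    """Post-fix order: contiguous labels 2, 3, 4, ... (assumed start at 2)."""
    return list(range(first, first + count))


def shared_capmap_groups(labels) -> dict[int, list[int]]:
    """Group labels that share one capmap index; only shared groups returned."""
    groups: dict[int, list[int]] = {}
    for lab in labels:
        groups.setdefault(capmap_index(lab), []).append(lab)
    return {idx: labs for idx, labs in groups.items() if len(labs) > 1}


def capmap_has_room(l4ops_per_label: dict[int, int]) -> dict[int, bool]:
    """Given the number of distinct non-expandable L4Ops each label needs,
    report per capmap index whether the combined demand fits 9 slots.
    VLAN 1 (label 2049, 5 DSCPs) plus VLAN 2 (label 4097, 4 DSCPs) fits
    exactly; one more DSCP on either label would give NOCAPMAP."""
    demand: dict[int, int] = {}
    for lab, n in l4ops_per_label.items():
        idx = capmap_index(lab)
        demand[idx] = demand.get(idx, 0) + n
    return {idx: total <= USABLE_SLOTS for idx, total in demand.items()}
```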
Sup2T#show platform software acl lou
LOUs Registers (shadow copies)
Index Type A_Op A_Val A_Cnt B_Op B_Val B_Cnt
----- -------- ---- ----- ----- ---- ----- -----
0PKT_QOS_GI A is free. NEQ 0 1
1 DST_PORT LT 81 2 B is free.
2 B & A are free
3 B & A are free
4 B & A are free
5 B & A are free
6 B & A are free
7 B & A are free
8 B & A are free
9 B & A are free
10 B & A are free
11 B & A are free
12 B & A are free
13 B & A are free
14 B & A are free
15 B & A are free
*snip*
95 B & A are free
96 B & A are free
97 B & A are free
98 B & A are free
99 B & A are free
100 B & A are free
101 B & A are free
102 B & A are free
103 B & A are free
The capmap table is only used when L4 operations must be taken into account. Note that a match on Differentiated Services Code Point (DSCP)/Class of Service (CoS) values is also treated as an L4Op. Here is a simple example (it uses a code version that includes the fix for Cisco bug ID CSCuo02666), which this document builds up incrementally:
Sup2T#show ip access-lists a3
Extended IP access list a3
10 permit ip host 192.168.1.1 host 192.168.1.2
I have this applied to interface VLAN 1.
Sup2T#show run int vlan 1
Building configuration...
Current configuration : 84 bytes
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group a3 in
end
This has been programmed correctly into the TCAM:
Sup2T#show platform hardware acl entry interface vlan 1 security in ip
mls_if_index:20000001 dir:0 feature:0 proto:0
pass#0 features
fno:0
tcam:B, bank:1, prot:0 Aces
Permit ip host 192.168.1.1 host 192.168.1.2
L3_Deny ip any any
Sup2t-MA1.7#show platform hardware acl entry interface vlan 1 security in ip detail
mls_if_index:20000001 dir:0 feature:0 proto:0
pass#0 features
UAPRSF: U-urg, A-ack, P-psh, R-rst, S-syn, F-fin
MLGFI: M-mpls_plus_ip_pkt, L-L4_hdr_vld, G-gpid_present,F-global_fmt_match, I-ife/ofe
's' means set; 'u' means unset; '-' means don't care
----------------------------------------------------------------
----------------------------------------------------------------
----------------------------------------------------------------
------
I INDEX LABEL FS ACOS AS IP_SA SRC_PORT
IP_DA DST_PORT F FF L4PROT TCP-F:UAPRSF MLGFI OtherL4OPs
RSLT CNT
----------------------------------------------------------------
----------------------------------------------------------------
-----------------------------------------------------------------
-----
fno:0
tcam:B, bank:1, prot:0 Aces
I V 32741 2 0 0 0 192.168.1.1 - 192.168.1.2
- 0 0 0 - ----- - 0x0000000000000038
0
I M 32741 0x1FFF 0 0x00 0x000 255.255.255.255 - 255.255.255.255
- 0 0 0x0
I V 32745 2 0 0 0 0.0.0.0 - 0.0.0.0
- 0 0 0 - ----- - 0x0000000040000038
0
I M 32745 0x1FFF 0 0x00 0x000 0.0.0.0 - 0.0.0.0
- 0 0 0x0
The capmap table is referenced by the TCAM label itself. You can use the TCAM label in the show platform software [hardware] acl capmap tcam <> label <> command in order to see the corresponding (software or hardware) table for that TCAM label.
Sup2T#show platform hardware acl capmap tcam B label 2
Hardware Capmap Table Entry For TCAM B. Free items are not shown
Index Loc[9] [8] [7] [6] [5] [4] [3] [2] [1] [0]
----- ------ --- --- --- --- --- --- --- --- ---
1 212 0 0 0 0 0 0 0 0 0
Nothing is allocated in the capmap table for this label. The ACL as defined has no L4Op, so no entry needs to be installed in the capmap table.
Change the ACE to this:
Sup2T#show ip access-lists a3
Extended IP access list a3
10 permit tcp host 192.168.1.1 host 192.168.1.2 eq www
Look at the capmap table again.
Sup2T#show platform software acl capmap tcam B label 2
Shadow Capmap Table Entry For TCAM B
-----------------------------------------------------------------------
Output in a RST/INV/CNT format: RST - result value; INV - inverted;
CNT - aggregated reference account;
CBF - number of free cap bits (one per entry);
Free items are not shown
-----------------------------------------------------------------------
Index CBF [9] [8] [7] [6]
[5] [4] [3] [2] [1]
[0]
----- ----- ---------------- ---------------- ---------------- ---------
------- ---------------- ---------------- ---------------- -------------
--- ---------------- ----------------
1 9 Reserved Free Free Free
Free Free Free Free Free
Free
A direct equality match (eq) on a port number also does not count as an L4Op.
Change it to this:
Sup2T#show ip access-lists a3
Extended IP access list a3
10 permit tcp host 192.168.1.1 host 192.168.1.2 gt www
Check the capmap table again:
Sup2T#show platform software acl capmap tcam B label 2
Shadow Capmap Table Entry For TCAM B
-----------------------------------------------------------------------
Output in a RST/INV/CNT format: RST - result value; INV - inverted;
CNT - aggregated reference account;
CBF - number of free cap bits (one per entry);
Free items are not shown
-----------------------------------------------------------------------
Index CBF [9] [8] [7] [6]
[5] [4] [3] [2] [1]
[0]
----- ----- ---------------- ---------------- ---------------- ---------
------- ---------------- ---------------- ---------------- ------------
---- ---------------- ----------------
2 8 212/0/1 Free Free Free
Free Free Free Free Free 3/1/1
There is now an entry in the capmap table. The ACE has been translated into 3/1/1 in the capmap table. The format is RST/INV/CNT. Here, RST specifies which LOU register this L4Op is installed in, and CNT describes the aggregated count for this LOU (more on this later). Look at the following output in order to understand how the RST value is indexed:
Sup2T#show platform software acl capmap mapping
L4op_sel value Reference
============== =========
0 ------ LOU0 B register
1 ------ LOU0 A register
2 ------ LOU1 B register
3 ------ LOU1 A register
..... ..............
..... ..............
206 ----- LOU103 B register
207 ----- LOU103 A register
208 ----- Global format match for global acl
209 ----- Group id present
210 ----- L4_hdr_vld
211 ----- Mpls_plus_ip_pkt
212 ----- ife/ofe for direction
(213-223) ---- Reserved
(224-239) ---- 16 TCP flags map
(240-255) ---- 16 IPv6 ext header map
You can see that an L4op_sel value of 0 points to the LOU0 B register, 1 points to the LOU0 A register, 2 points to the LOU1 B register, 3 points to the LOU1 A register, and so on. The A register is always programmed first. With this in mind, the 3/1/1 output makes more sense.
In this output, 3 means the L4Op has been programmed into the LOU1 A register. You can also verify where the L4Op is programmed by looking directly at the contents of the LOU registers:
Sup2T#show platform software acl lou
LOUs Registers (shadow copies)
Index Type A_Op A_Val A_Cnt B_Op B_Val B_Cnt
----- -------- ---- ----- ----- ---- ----- -----
0PKT_QOS_GI A is free. NEQ 0 1
1 DST_PORT LT 81 1 B is free.
2 B & A are free
3 B & A are free
4 B & A are free
*snip*
Sup2T#show platform hardware acl lou
Dumping h/w lou values
Index lou_mux_sel A_Opcode A_Value B_Opcode B_Value
----- ----------- -------- ------- -------- -------
0 7 NEQ 0 NEQ 0
1 1 LT 81 NEQ 0
2 0 NEQ 0 NEQ 0
3 0 NEQ 0 NEQ 0
*snip*
As you can see, the (gt, X) tuple is programmed into the LOU register as (LT, X+1).
Note: L4Ops are only programmed into the LOU registers when the ACL is applied to an interface. If an ACL is created with L4Ops but is not actually applied to an interface, the applicable L4Ops are not programmed into the LOU registers.
Remove the ACL from interface VLAN 1 and look at the LOU registers again:
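A decoder for the RST/INV/CNT cells and the L4op_sel mapping table shown above, together with the (gt, X) to (LT, X+1) translation, as an added example that is not code from the Cisco document. The register ranges and special values are taken from the show platform software acl capmap mapping output; the function and class names are assumptions.

```python
# Added example (not from the Cisco document): decode the RST/INV/CNT cells
# printed by "show platform software acl capmap", using the L4op_sel
# mapping table printed by "show platform software acl capmap mapping".
from dataclasses import dataclass

LOU_COUNT = 104            # 104 LOUs, each with an A and a B register

SPECIAL_SEL = {            # values 208..212 from the mapping table
    208: "Global format match for global acl",
    209: "Group id present",
    210: "L4_hdr_vld",
    211: "Mpls_plus_ip_pkt",
    212: "ife/ofe for direction",
}


@dataclass(frozen=True)
class CapmapEntry:
    rst: int          # L4op_sel value (which register the L4Op lives in)
    inverted: bool    # INV bit
    count: int        # CNT, aggregated reference count
    reference: str    # human-readable target from the mapping table


def describe_l4op_sel(sel: int) -> str:
    """Map an L4op_sel value to the register it references."""
    if 0 <= sel < 2 * LOU_COUNT:             # 0..207 are LOU registers
        reg = "A" if sel % 2 else "B"         # odd -> A, even -> B
        return f"LOU{sel // 2} {reg} register"
    if sel in SPECIAL_SEL:
        return SPECIAL_SEL[sel]
    if 213 <= sel <= 223:
        return "Reserved"
    if 224 <= sel <= 239:                     # 16 TCP flag registers
        return f"TCP flags map register {sel - 224}"
    if 240 <= sel <= 255:                     # 16 IPv6 ext header registers
        return f"IPv6 ext header map register {sel - 240}"
    raise ValueError(f"L4op_sel {sel} is outside the 8-bit range")


def decode_capmap_entry(text: str) -> CapmapEntry:
    """Parse one 'RST/INV/CNT' cell such as '3/1/1' or '224/0/1'."""
    parts = text.strip().split("/")
    if len(parts) != 3:
        raise ValueError(f"expected RST/INV/CNT, got {text!r}")
    rst, inv, cnt = (int(p) for p in parts)
    return CapmapEntry(rst, bool(inv), cnt, describe_l4op_sel(rst))


def lou_program_for_gt(port: int) -> tuple[str, int]:
    """A (gt, X) tuple is stored in the LOU as (LT, X+1); the INV bit of the
    capmap entry (the 1 in '3/1/1') inverts the register's compare result."""
    return ("LT", port + 1)
```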
Sup2T(config)#int vlan 1
Sup2T(config-if)#no ip access-group a3 in
Sup2T#show platform software acl lou
LOUs Registers (shadow copies)
Index Type A_Op A_Val A_Cnt B_Op B_Val B_Cnt
----- -------- ---- ----- ----- ---- ----- -----
0PKT_QOS_GI A is free. NEQ 0 1
1 B & A are free
2 B & A are free
3 B & A are free
4 B & A are free
*snip*
Sup2T#show platform hardware acl lou
Dumping h/w lou values
Index lou_mux_sel A_Opcode A_Value B_Opcode B_Value
----- ----------- -------- ------- -------- -------
0 7 NEQ 0 NEQ 0
1 1 NEQ 0 NEQ 0
2 0 NEQ 0 NEQ 0
3 0 NEQ 0 NEQ 0
*snip*
TCP flags have a special set of registers allocated within the LOU register range. You can see this range with the show platform software acl capmap mapping command, as shown here:
Sup2T#show platform software acl capmap mapping
L4op_sel value Reference
============== =========
0 ------ LOU0 B register
1 ------ LOU0 A register
2 ------ LOU1 B register
3 ------ LOU1 A register
..... ..............
..... ..............
206 ----- LOU103 B register
207 ----- LOU103 A register
208 ----- Global format match for global acl
209 ----- Group id present
210 ----- L4_hdr_vld
211 ----- Mpls_plus_ip_pkt
212 ----- ife/ofe for direction
(213-223) ---- Reserved
(224-239) ---- 16 TCP flags map
(240-255) ---- 16 IPv6 ext header map
L4op_sel values 224-239 are available for TCP flags, which gives you a set of 16 registers to work with. Here is a simple example to demonstrate this. This ACL is defined:
Sup2T(config)#ip access-list extended a13
Sup2T(config-ext-nacl)#permit tcp host 192.168.13.10 host 192.168.13.20 syn
Sup2T(config-ext-nacl)#exit
Apply it inbound to interface VLAN 13:
Sup2T(config)#int vlan 13
Sup2T(config-if)#ip access-group a13 in
Sup2T(config-if)#end
Sup2T#show platform hardware acl entry interface vlan 13 security in ip detail
mls_if_index:2000000D dir:0 feature:0 proto:0
pass#0 features
UAPRSF: U-urg, A-ack, P-psh, R-rst, S-syn, F-fin
MLGFI: M-mpls_plus_ip_pkt, L-L4_hdr_vld, G-gpid_present,F-global_fmt_match, I-ife/ofe
's' means set; 'u' means unset; '-' means don't care
----------------------------------------------------------------
---------------------------------------------------------------
---------------------------------------------------------------
--------
I INDEX LABEL FS ACOS AS IP_SA SRC_PORT
IP_DA DST_PORT F FF L4PROT TCP-F:UAPRSF MLGFI OtherL4OPs
RSLT CNT
----------------------------------------------------------------
----------------------------------------------------------------
----------------------------------------------------------------
------
fno:0
tcam:B, bank:1, prot:0 Aces
I V 32545 13 0 0 0 192.168.13.10 - 192.168.13.20
- 0 0 1 ANY:----s- ----- - 0x0000000000000038
0
I M 32545 0x1FFF 0 0x00 0x000 255.255.255.255 - 255.255.255.255
- 0 0 0xF
I V 32546 13 0 0 0 192.168.13.10 - 192.168.13.20
- 1 0 1 - ----- - 0x0000000000000038
0
I M 32546 0x1FFF 0 0x00 0x000 255.255.255.255 - 255.255.255.255
- 1 0 0xF
I V 32547 13 0 0 0 0.0.0.0 - 0.0.0.0
- 0 0 0 - ----- - 0x0000000040000038
0
I M 32547 0x1FFF 0 0x00 0x000 0.0.0.0 - 0.0.0.0
- 0 0 0x0
Sup2T#show platform software acl capmap tcam B label 13
Shadow Capmap Table Entry For TCAM B
-----------------------------------------------------------------------
Output in a RST/INV/CNT format: RST - result value; INV - inverted;
CNT - aggregated reference account;
CBF - number of free cap bits (one per entry);
Free items are not shown
-----------------------------------------------------------------------
Index CBF [9] [8] [7] [6]
[5] [4] [3] [2] [1]
[0]
----- ----- ---------------- ---------------- ---------------- ----------------
---------------- ---------------- ---------------- ---------------- -----------
----- ----------------
13 8 212/0/1 Free Free Free
Free Free Free Free Free 224/0/1
In this example, the TCP flag is programmed in register 224 (which corresponds to the first available register for TCP flags). The aggregated count for this entry corresponds to the number of TCP flows (read: ACEs) with the same TCP flag.
Add another ACE to the current ACL a13. It should have a different TCP flag:
Sup2T(config)#ip access-list extended a13
Sup2T(config-ext-nacl)#permit tcp host 192.168.1.1 host 192.168.1.2 ack
Sup2T(config-ext-nacl)#exit
If you look at the capmap table again, you can see that another TCP register is used:
Sup2T#show platform software acl capmap tcam b label 13
Shadow Capmap Table Entry For TCAM B
-----------------------------------------------------------------------
Output in a RST/INV/CNT format: RST - result value; INV - inverted;
CNT - aggregated reference account;
CBF - number of free cap bits (one per entry);
Free items are not shown
-----------------------------------------------------------------------
Index CBF [9] [8] [7] [6]
[5] [4] [3] [2] [1]
[0]
----- ----- ---------------- ---------------- ---------------- ----------------
---------------- ---------------- ---------------- ---------------- -----------
----- ----------------
13 7 212/0/1 Free Free Free
Free Free Free Free 225/0/1 224/0/1
As you can see, programming is done per flag; for each flag a separate TCP register is used, and the count is kept against that register. This means that for each flag you also use one capmap entry. This further shows that, technically, you cannot exceed nine flags in an ACL, or you hit the capmap limit before the 16-flag TCP register limit.
Scale up the TCP flags in order to reach the TCP register limit and see what happens. This example shows multiple ACLs configured and applied to different interface VLANs in order to reach 100% TCP register utilization, as shown here:
Sup2T#show platform hardware capacity acl
Classification Mgr Tcam Resources
Key: Ttlent - Total TCAM entries, QoSent - QoS TCAM entries, LOU - LOUs,
RBLent - RBACL TCAM entries, Lbl - Labels, TCP - TCP Flags,
Dstbl - Destinfo Table, Ethcam - Ethertype Cam Table,
ACTtbl - Accounting Table, V6ext - V6 Extn Hdr Table
Module Ttlent QoSent RBLent Lbl LOU TCP Dstbl Ethcam ACTtbl V6ext
1 3% 7% 0% 1% 96% 100% 1% 0% 0% 0%
3 3% 7% 0% 1% 96% 100% 1% 0% 0% 0%
4 3% 7% 0% 1% 96% 100% 1% 0% 0% 0%
6 3% 7% 0% 1% 96% 100% 2% 0% 0% 0%
At this stage, if you decide to configure another ACL with a unique TCP flag (or a combination of TCP flags that makes it unique) and apply it to an interface, the new TCP flag (or flag combination) must be programmed into a TCP register. However, no hardware register is available. In this situation, the entire interface is bridged.
Sup2T(config)#ip access-list extended a29
Sup2T(config-ext-nacl)#permit tcp host 192.168.1.1 host 192.168.1.2 psh rst
Sup2T(config-if)#int vlan 29
Sup2T(config-if)#ip access-group a29 in
*Oct 6 13:57:47.612: %FMCORE-4-RACL_REDUCED: Interface Vlan29 routed traffic
will be software switched in ingress direction. L2 features may not be applied
at the interface
Sup2T#show platform hardware acl entry interface vlan 29 security in ip
mls_if_index:2000001D dir:0 feature:0 proto:0
pass#0 features
fno:0
tcam:B, bank:1, prot:0 Aces
Bridge ip any any
Remember that LOUs are a finite resource; you can run out of them too. You can monitor LOU usage with this command:
Sup2T#show platform hardware capacity acl
Classification Mgr Tcam Resources
Key: Ttlent - Total TCAM entries, QoSent - QoS TCAM entries, LOU - LOUs,
RBLent - RBACL TCAM entries, Lbl - Labels, TCP - TCP Flags,
Dstbl - Destinfo Table, Ethcam - Ethertype Cam Table,
ACTtbl - Accounting Table, V6ext - V6 Extn Hdr Table
Module Ttlent QoSent RBLent Lbl LOU TCP Dstbl Ethcam ACTtbl V6ext
1 2% 7% 0% 1% 1% 0% 1% 0% 0% 0%
3 2% 7% 0% 1% 1% 0% 1% 0% 0% 0%
4 2% 7% 0% 1% 1% 0% 1% 0% 0% 0%
6 2% 7% 0% 1% 1% 0% 2% 0% 0% 0%
Scale the ACL up to use more LOUs. After several ACLs are installed (using the range command, which consumes two LOU registers, A and B), this example shows 96% LOU usage:
Sup2T#show platform hardware capacity acl
Classification Mgr Tcam Resources
Key: Ttlent - Total TCAM entries, QoSent - QoS TCAM entries, LOU - LOUs,
RBLent - RBACL TCAM entries, Lbl - Labels, TCP - TCP Flags,
Dstbl - Destinfo Table, Ethcam - Ethertype Cam Table,
ACTtbl - Accounting Table, V6ext - V6 Extn Hdr Table
Module Ttlent QoSent RBLent Lbl LOU TCP Dstbl Ethcam ACTtbl V6ext
1 3% 7% 0% 1% 96% 0% 1% 0% 0% 0%
3 3% 7% 0% 1% 96% 0% 1% 0% 0% 0%
4 3% 7% 0% 1% 96% 0% 1% 0% 0% 0%
6 3% 7% 0% 1% 96% 0% 2% 0% 0% 0%
Create another ACL and apply it to an interface so that LOU usage would go beyond 100%.
Sup2T(config)#ip access-list extended a12
Sup2T(config-ext-nacl)#$68.14.1 host 192.168.14.2 range 1401 1410
Sup2T(config-ext-nacl)#$68.14.1 host 192.168.14.2 range 1411 1420
Sup2T(config-ext-nacl)#$68.14.1 host 192.168.14.2 range 1421 1430
Sup2T(config-ext-nacl)#$68.14.1 host 192.168.14.2 range 1431 1440
Sup2T(config-ext-nacl)#$68.14.1 host 192.168.14.2 range 1441 1450
Sup2T(config-ext-nacl)#$68.14.1 host 192.168.14.2 range 1451 1460
Sup2T(config-ext-nacl)#$68.14.1 host 192.168.14.2 range 1461 1470
Sup2T(config-ext-nacl)#$68.14.1 host 192.168.14.2 range 1471 1480
Sup2T(config-ext-nacl)#$68.14.1 host 192.168.14.2 range 1481 1490
Sup2T(config-ext-nacl)#$68.14.1 host 192.168.14.2 range 1491 1500
Sup2T(config-ext-nacl)#exit
Sup2T(config)#int vlan 12
Sup2T(config-if)#ip access-group a12 in
The example reaches 100% LOU usage; note, however, that no error message is received.
Sup2T#show platform hardware capacity acl
Classification Mgr Tcam Resources
Key: Ttlent - Total TCAM entries, QoSent - QoS TCAM entries, LOU - LOUs,
RBLent - RBACL TCAM entries, Lbl - Labels, TCP - TCP Flags,
Dstbl - Destinfo Table, Ethcam - Ethertype Cam Table,
ACTtbl - Accounting Table, V6ext - V6 Extn Hdr Table
Module Ttlent QoSent RBLent Lbl LOU TCP Dstbl Ethcam ACTtbl V6ext
1 3% 7% 0% 1% 100% 0% 1% 0% 0% 0%
3 3% 7% 0% 1% 100% 0% 1% 0% 0% 0%
4 3% 7% 0% 1% 100% 0% 1% 0% 0% 0%
6 3% 7% 0% 1% 100% 0% 2% 0% 0% 0%
Here is another test. Now that LOUs are at 100%, use a very simple L4Op and try to install it for an interface. Configure this ACL:
Sup2T#show ip access-lists a13
Extended IP access list a13
10 permit tcp host 192.168.14.1 host 192.168.14.2 range 1600 1650
Apply it inbound to interface VLAN 13.
Sup2T#show run int vlan 13
Building configuration...
Current configuration : 87 bytes
!
interface Vlan13
ip address 192.168.13.1 255.255.255.0
ip access-group a13 in
end
Now look at the TCAM for this VLAN:
Sup2T#show platform hardware acl entry interface vlan 13 sec in ip
mls_if_index:2000000D dir:0 feature:0 proto:0
pass#0 features
fno:0
tcam:B, bank:0, prot:0 Aces
Permit tcp host 192.168.14.1 host 192.168.14.2 eq 1650
Permit tcp host 192.168.14.1 host 192.168.14.2 range 1648 1649
Permit tcp host 192.168.14.1 host 192.168.14.2 range 1632 1647
Permit tcp host 192.168.14.1 host 192.168.14.2 range 1600 1631
Permit tcp host 192.168.14.1 host 192.168.14.2 fragments
L3_Deny ip any any
The L4Op has been expanded. If you look at the capmap table for this TCAM label, you can see that nothing is installed.
Sup2T#show platform hardware acl entry interface vlan 13 sec in ip detail
mls_if_index:2000000D dir:0 feature:0 proto:0
pass#0 features
UAPRSF: U-urg, A-ack, P-psh, R-rst, S-syn, F-fin
MLGFI: M-mpls_plus_ip_pkt, L-L4_hdr_vld, G-gpid_present,F-global_fmt_match, I-ife/ofe
's' means set; 'u' means unset; '-' means don't care
---------------------------------------------------------------
---------------------------------------------------------------
---------------------------------------------------------------
---------
I INDEX LABEL FS ACOS AS IP_SA SRC_PORT
IP_DA DST_PORT F FF L4PROT TCP-F:UAPRSF MLGFI OtherL4OPs
RSLT CNT
----------------------------------------------------------------
----------------------------------------------------------------
----------------------------------------------------------------
------
fno:0
tcam:B, bank:0, prot:0 Aces
I V 16136 14 0 0 0 192.168.14.1 - 192.168.14.2
1650 0 0 1 - ----- - 0x0000000000000038
0
I M 16136 0x1FFF 0 0x00 0x000 255.255.255.255 - 255.255.255.255
0xFFFF 0 0 0xF
I V 16137 14 0 0 0 192.168.14.1 - 192.168.14.2
1648 0 0 1 - ----- - 0x0000000000000038
0
I M 16137 0x1FFF 0 0x00 0x000 255.255.255.255 - 255.255.255.255
0xFFFE 0 0 0xF
I V 16138 14 0 0 0 192.168.14.1 - 192.168.14.2
1632 0 0 1 - ----- - 0x0000000000000038
0
I M 16138 0x1FFF 0 0x00 0x000 255.255.255.255 - 255.255.255.255
0xFFF0 0 0 0xF
I V 16139 14 0 0 0 192.168.14.1 - 192.168.14.2
1600 0 0 1 - ----- - 0x0000000000000038
0
I M 16139 0x1FFF 0 0x00 0x000 255.255.255.255 - 255.255.255.255
0xF
I V 16140 14 0 0 0 192.168.14.1 - 192.168.14.2
- 1 0 1 - ----- - 0x0000000000000038
0
Sup2T#show platform software acl capmap tcam B label 14
Shadow Capmap Table Entry For TCAM B
-----------------------------------------------------------------------
Output in a RST/INV/CNT format: RST - result value; INV - inverted;
CNT - aggregated reference account;
CBF - number of free cap bits (one per entry);
Free items are not shown
-----------------------------------------------------------------------
Index CBF [9] [8] [7] [6]
[5] [4] [3] [2] [1]
[0]
----- ----- ---------------- ---------------- ---------------- ----------------
---------------- ---------------- ---------------- ---------------- -----------
----- ----------------
14 9 212/0/1 Free Free Free
Free Free Free Free Free
Free
Here is an explanation of what happened. Because the LOU registers are full, you can no longer install any new L4Op there, and nothing can be referenced from the capmap table. At this stage, the software still tries to install into the TCAM by expanding the L4Ops. If the L4Op is not expandable, the entire interface is software-switched in the given direction.
What does 100% LOU register usage mean? Your TCAM begins to fill up quickly (due to L4Op expansion). If you try to install a non-expandable L4Op, then with the current implementation the entire interface is software-bridged.
Today, an error is only generated when you try to install a non-expandable L4Op in this situation. This example modifies ACL a13, currently applied to interface VLAN 13, by adding a non-expandable L4Op.
Sup2T(config)#ip access-list extended a13
Sup2T(config-ext-nacl)#permit tcp host 192.168.14.1 host 192.168.14.2 dscp 40
Oct 5 04:50:13.104: %FMCORE-4-RACL_REDUCED: Interface Vlan13 routed traffic will
be software switched in ingress direction. L2 features may not be applied at the
interface
Oct 5 04:50:13.096: %EARL_CM-DFC3-5-NOLOU: No free LOU entry available on the EARL
Oct 5 04:50:13.096: %EARL_CM-DFC1-5-NOLOU: No free LOU entry available on the EARL
Oct 5 04:50:13.096: %EARL_CM-DFC4-5-NOLOU: No free LOU entry available on the EARL
Sup2T#show platform hardware acl entry interface vlan 13 security in ip
mls_if_index:2000000D dir:0 feature:0 proto:0
pass#0 features
fno:0
tcam:B, bank:0, prot:0 Aces
Bridge ip any any
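The prefix expansion that the TCAM dump for VLAN 13 shows for range 1600 1650, and the LOU/expansion decision described in the explanation above, as an added example that is not code from the Cisco document. The per-L4Op costs (eq none, gt one register, range both A and B, dscp one register and non-expandable) are the rules stated in this document; the function names and the "tcam/lou/expand/bridge" outcome labels are assumptions.

```python
# Added example (not from the Cisco document): reproduce the TCAM prefix
# expansion of "range 1600 1650" shown above, and model the decision the
# classification manager makes for one L4Op when LOU registers run out.


def expand_port_range(lo: int, hi: int) -> list[tuple[int, int]]:
    """Split [lo, hi] into aligned blocks, each expressible as one TCAM
    entry (value, 16-bit mask). Greedy: take the largest aligned block
    that starts at the current port and still fits inside the range."""
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError("ports must satisfy 0 <= lo <= hi <= 65535")
    entries = []
    cur = lo
    while cur <= hi:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        entries.append((cur, 0xFFFF & ~(size - 1)))
        cur += size
    return entries


def describe_expansion(lo: int, hi: int) -> list[str]:
    """Render the expansion the way the ACL dump prints it (eq / range)."""
    out = []
    for value, mask in expand_port_range(lo, hi):
        span = 0xFFFF & ~mask               # number of ports above `value`
        out.append(f"eq {value}" if span == 0 else f"range {value} {value + span}")
    return out


L4OP_COST = {
    # keyword -> (LOU registers consumed, expandable into TCAM entries)
    "eq":    (0, True),    # direct equality is not an L4Op at all
    "gt":    (1, True),    # stored as (LT, X+1) in one register
    "range": (2, True),    # occupies both the A and the B register
    "dscp":  (1, False),   # DSCP match is a non-expandable L4Op
}


def plan_install(op: str, free_lous: int) -> str:
    """Outcome for one L4Op when `free_lous` LOU registers remain:
    'tcam'   plain TCAM entry, no capmap/LOU involved (eq);
    'lou'    programmed into a LOU and referenced from the capmap table;
    'expand' LOUs exhausted, prefix-expanded into several TCAM entries;
    'bridge' LOUs exhausted and not expandable, interface is software
             switched (the RACL_REDUCED / NOLOU case above)."""
    regs, expandable = L4OP_COST[op]
    if regs == 0:
        return "tcam"
    if regs <= free_lous:
        return "lou"
    return "expand" if expandable else "bridge"
```

The expansion is returned in ascending order; the ACL dump above lists the same four entries from 1650 downwards.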
QoS policies can also reference L4Ops, and those L4Ops must be installed like any other L4Op. This means that even for QoS policies, each interface is subject to the limits inherent to the capmap table and the LOUs. The following example illustrates this on a small scale:
Sup2T#show ip access-lists a1
Extended IP access list a1
10 permit tcp host 192.168.1.10 host 192.168.2.10 dscp ef
Sup2T#show class-map a1-class
Class Map match-all a1-class (id 37)
Match access-group name a1
Sup2T#show policy-map a1-policy
Policy Map a1-policy
Class a1-class
police cir 80000 bc 2500
conform-action transmit
exceed-action drop
This example has a policy map that matches a class map, which calls access list a1, which matches traffic from 192.168.1.10 to 192.168.2.10 marked Expedited Forwarding (EF). The match on the DSCP value is a non-expandable L4Op; it must be programmed into a LOU register and referenced by an entry in the capmap table. This policy map is now installed inbound on gig3/23.
Sup2T#show run int gig3/23
Building configuration...
Current configuration : 176 bytes
!
interface GigabitEthernet3/23
switchport
switchport trunk allowed vlan 1-30
switchport mode trunk
service-policy input a1-policy
end
To see the QoS programming for the interface, use this command:
Sup2T#show platform hardware acl entry interface gig3/23 qos in ip module 3
mls_if_index:8096000 dir:0 feature:1 proto:0
pass#0 features
fno:0
tcam:A, bank:0, prot:0 Aces
0x0000E0100000D00B tcp host 192.168.1.10 host 192.168.2.10 dscp eq 46
0x000000000080D00B ip any any
The detail form of this command gives you the TCAM label used on this interface.
Sup2T#show platform hardware acl entry interface gig3/23 qos in ip detail module 3
mls_if_index:8096000 dir:0 feature:1 proto:0
pass#0 features
UAPRSF: U-urg, A-ack, P-psh, R-rst, S-syn, F-fin
MLGFI: M-mpls_plus_ip_pkt, L-L4_hdr_vld, G-gpid_present,F-global_fmt_match, I-ife/ofe
's' means set; 'u' means unset; '-' means don't care
-----------------------------------------------------------------------
-----------------------------------------------------------------------
--------------------------------------------------------
I INDEX LABEL FS ACOS AS IP_SA SRC_PORT
IP_DA DST_PORT F FF L4PROT TCP-F:UAPRSF MLGFI OtherL4OPs
RSLT CNT
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
------------------------------
fno:0
tcam:A, bank:0, prot:0 Aces
I V 16238 2 0 0 0 192.168.1.10 - 192.168.2.10
- 0 0 1 - ----- dscp=46; 0x0000E0100000D00B
0
I M 16238 0x1FFF 0 0x00 0x000 255.255.255.255 - 255.255.255.255
- 0 0 0xF
I V 16239 2 0 0 0 0.0.0.0 - 0.0.0.0
- 0 0 0 - ----- - 0x000000000080D00B
0
I M 16239 0x1FFF 0 0x00 0x000 0.0.0.0 - 0.0.0.0
- 0 0 0x0
The TCAM label used is 2. Now look at the capmap table for this TCAM:
Sup2T#show platform software acl capmap tcam A label 2 module 3
Shadow Capmap Table Entry For TCAM A
-----------------------------------------------------------------------
Output in a RST/INV/CNT format: RST - result value; INV - inverted;
CNT - aggregated reference account;
CBF - number of free cap bits (one per entry);
Free items are not shown
-----------------------------------------------------------------------
Index CBF [9] [8] [7] [6]
[5] [4] [3] [2] [1]
[0]
----- ----- ---------------- ---------------- ---------------- ----------------
---------------- ---------------- ---------------- ---------------- -----------
----- ----------------
2 8 212/0/1 Free Free Free
Free Free Free Free Free 2/1/1
Note: For the QoS TCAM, you must specify the module number. Without it, the command produces no output.
Sup2T#show platform software acl capmap mapping
L4op_sel value Reference
============== =========
0 ------ LOU0 B register
1 ------ LOU0 A register
2 ------ LOU1 B register
3 ------ LOU1 A register
*snip*
LOU value 2 points to LOU1, register B. You can confirm this programming with this command:
Sup2T#show platform hardware acl lou
Dumping h/w lou values
Index lou_mux_sel A_Opcode A_Value B_Opcode B_Value
----- ----------- -------- ------- -------- -------
0 7 NEQ 0 NEQ 0
1 4 NEQ 0 NEQ 46
2 1 NEQ 0 NEQ 0
*snip*
Scale up the configuration.
Sup2T#show ip access-lists a1
Extended IP access list a1
10 permit tcp host 192.168.1.10 host 192.168.2.10 dscp ef
20 permit tcp host 192.168.2.11 host 192.168.2.11 dscp ef
30 permit tcp host 192.168.3.11 host 192.168.3.11 dscp ef
40 permit tcp host 192.168.4.11 host 192.168.4.11 dscp ef
50 permit tcp host 192.168.5.11 host 192.168.5.11 dscp ef
60 permit tcp host 192.168.6.11 host 192.168.6.11 dscp ef
70 permit tcp host 192.168.7.11 host 192.168.7.11 dscp ef
80 permit tcp host 192.168.8.11 host 192.168.8.11 dscp ef
Sup2T#show platform software acl capmap tcam A label 2 module 3
Shadow Capmap Table Entry For TCAM A
-----------------------------------------------------------------------
Output in a RST/INV/CNT format: RST - result value; INV - inverted;
CNT - aggregated reference account;
CBF - number of free cap bits (one per entry);
Free items are not shown
-----------------------------------------------------------------------
Index CBF [9] [8] [7] [6]
[5] [4] [3] [2] [1]
[0]
----- ----- ---------------- ---------------- ----------------
---------------- ---------------- ---------------- ----------
------ ---------------- ---------------- ----------------
2 8 212/0/1 Free Free Free
Free Free Free Free Free 2/1/8
This does not use any further entries; instead, it increments the aggregated reference count against the first entry itself, which makes sense. From the perspective of the capmap table and the LOU registers, source and destination are of no concern; they only store the L4Op information. Since the same DSCP value is matched on all of the ACEs, you only need one entry for that DSCP value.
Modify this so that nine different DSCP values are used.
Sup2T#show ip access-lists a1
Extended IP access list a1
10 permit tcp host 192.168.1.10 host 192.168.2.10 dscp af11
20 permit tcp host 192.168.2.11 host 192.168.2.11 dscp af12
30 permit tcp host 192.168.3.11 host 192.168.3.11 dscp af13
40 permit tcp host 192.168.4.11 host 192.168.4.11 dscp af21
50 permit tcp host 192.168.5.11 host 192.168.5.11 dscp af22
60 permit tcp host 192.168.6.11 host 192.168.6.11 dscp af23
70 permit tcp host 192.168.7.11 host 192.168.7.11 dscp af31
80 permit tcp host 192.168.8.11 host 192.168.8.11 dscp af32
90 permit tcp host 192.168.9.11 host 192.168.9.11 dscp af33
Now, if you look at the capmap table, you can see that it is full:
Sup2T#show platform software acl capmap tcam A label 2 module 3
Shadow Capmap Table Entry For TCAM A
-----------------------------------------------------------------------
Output in a RST/INV/CNT format: RST - result value; INV - inverted;
CNT - aggregated reference account;
CBF - number of free cap bits (one per entry);
Free items are not shown
-----------------------------------------------------------------------
Index CBF [9] [8] [7] [6]
[5] [4] [3] [2]
[1] [0]
----- ----- ---------------- ---------------- ---------------- -----------
----- ---------------- ---------------- ---------------- ----------------
---------------- ----------------
2 0 212/0/1 10/1/1 9/1/1 8/1/1
7/1/1 6/1/1 5/1/1 4/1/1 3/1/1
2/1/1
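The aggregation shown in the two QoS capmap dumps above (one shared dscp ef entry with CNT 8, then nine distinct DSCPs filling the table) and the per-flag TCP entries shown earlier for ACL a13, as an added example that is not code from the Cisco document. The DSCP keyword table is a constructed subset, the ACE parsing is a simplification that only recognises eq, gt, range, dscp and the six TCP flag keywords, and the class and function names are assumptions.

```python
# Added example (not from the Cisco document): model how the CM aggregates
# the L4Ops of one TCAM label into capmap entries. Identical L4Ops share one
# entry and bump CNT; each distinct L4Op (and each TCP flag) takes a slot.
import re
from collections import OrderedDict

USABLE_SLOTS = 9   # 10 slots per capmap entry, one reserved for direction (212)

# Constructed subset of the IOS DSCP keyword table (keyword -> decimal value).
DSCP_NAMES = {"ef": 46, "cs1": 8, "af11": 10, "af12": 12, "af13": 14,
              "af21": 18, "af22": 20, "af23": 22, "af31": 26, "af32": 28,
              "af33": 30}

TCP_FLAGS = ("urg", "ack", "psh", "rst", "syn", "fin")


def l4op_keys(ace: str) -> list[tuple]:
    """Extract the capmap-relevant L4Ops from one ACE line, following the
    document: 'eq' is not an L4Op; 'gt' and 'range' use LOUs; a 'dscp'
    match is an L4Op keyed by its value; each TCP flag keyword is keyed
    separately because programming is done per flag."""
    keys: list[tuple] = []
    m = re.search(r"\bdscp (\S+)", ace)
    if m:
        v = m.group(1)
        keys.append(("dscp", DSCP_NAMES.get(v, int(v) if v.isdigit() else v)))
    m = re.search(r"\brange (\d+) (\d+)", ace)
    if m:
        keys.append(("range", int(m.group(1)), int(m.group(2))))
    m = re.search(r"\bgt (\S+)", ace)
    if m:
        keys.append(("gt", m.group(1)))
    for flag in TCP_FLAGS:
        if re.search(rf"\b{flag}\b", ace):
            keys.append(("tcpflag", flag))
    return keys


class CapmapLabel:
    """Capmap entry of one TCAM label: ordered L4Op -> aggregated count."""

    def __init__(self) -> None:
        self.entries: "OrderedDict[tuple, int]" = OrderedDict()

    def install_ace(self, ace: str) -> bool:
        """Install one ACE. Returns False (the NOCAPMAP case) when a new
        L4Op would need a tenth slot; repeated L4Ops only bump CNT."""
        keys = l4op_keys(ace)
        new = {k for k in keys if k not in self.entries}
        if len(self.entries) + len(new) > USABLE_SLOTS:
            return False
        for k in keys:
            self.entries[k] = self.entries.get(k, 0) + 1
        return True

    def free_slots(self) -> int:
        """Mirrors the CBF column (free cap bits) of the capmap dump."""
        return USABLE_SLOTS - len(self.entries)
```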
Here is what happens if you try to install another non-expandable L4Op-based entry:
Sup2T(config-ext-nacl)#permit tcp host 192.168.10.11 host 192.168.10.11 dscp 2
Sup2T(config-ext-nacl)#end
%QM-4-TCAM_ENTRY: Hardware TCAM entry programming failed for slot 3 intf Gi3/23
dir IN: <CONFIG_UPDATE_REQ> TCAM Req Error: FAIL (4): Low TCAM Entries (1)
%QM-4-TCAM_ENTRY: Hardware TCAM entry programming failed for slot 3 intf Gi3/23
dir IN: <CONFIG_UPDATE_REQ> TCAM Req Error: FAIL (4): Low TCAM Entries (1)
%QM-4-TCAM_ENTRY: Hardware TCAM entry programming failed for slot 3 intf Gi3/23
dir IN: <CONFIG_UPDATE_REQ> TCAM Req Error: FAIL (4): Low TCAM Entries (1)
%QM-4-TCAM_ENTRY: Hardware TCAM entry programming failed for slot 3 intf Gi3/23
dir IN: <CONFIG_UPDATE_REQ> TCAM Req Error: FAIL (4): Low TCAM Entries (1)
%QM-4-TCAM_ENTRY: Hardware TCAM entry programming failed for slot 3 intf Gi3/23
dir IN: <CONFIG_UPDATE_REQ> TCAM Req Error: FAIL (4): Low TCAM Entries (1)
%FMCORE-6-RACL_ENABLED: Interface GigabitEthernet3/23 routed traffic is hardware
switched in ingress direction
Oct 20 17:12:54.304: %EARL_CM-DFC3-5-NOCAPMAP: No free capmap entry available
Check the TCAM for this interface right away:
Sup2T#show platform hardware acl entry interface gig3/23 qos in ip module 3
mls_if_index:8096000 dir:0 feature:1 proto:0
Couldnt find feature for mls_if_index 0x8096000, dir 0
No QoS feature is installed in the TCAM for this interface any more.
Note that marking does not use any L4Op. So if you have a simple ACL with no L4Ops and set a DSCP value on match, no LOU register is used for it. Example:
Sup2T#show policy-map a1-policy
Policy Map a1-policy
Class a1-class
set dscp ef
Sup2T#show class-map a1-class
Class Map match-all a1-class (id 37)
Match access-group name a1
Sup2T#show ip access-lists a1
Extended IP access list a1
10 permit tcp host 192.168.1.1 host 192.168.2.1
This is applied to interface gig3/23:
Sup2T#show run interface gig3/23
Building configuration...
Current configuration : 176 bytes
!
interface GigabitEthernet3/23
switchport
switchport trunk allowed vlan 1-30
switchport mode trunk
service-policy input a1-policy
end
Sup2T#show platform hardware acl entry interface gig3/23 qos in ip detail module 3
mls_if_index:8096000 dir:0 feature:1 proto:0
pass#0 features
UAPRSF: U-urg, A-ack, P-psh, R-rst, S-syn, F-fin
MLGFI: M-mpls_plus_ip_pkt, L-L4_hdr_vld, G-gpid_present,F-global_fmt_match, I-ife/ofe
's' means set; 'u' means unset; '-' means don't care
-----------------------------------------------------------------------------------------------------------------------------------------------------
I   INDEX  LABEL   FS  ACOS  AS     IP_SA            SRC_PORT  IP_DA            DST_PORT  F  FF  L4PROT  TCP-F:UAPRSF  MLGFI  OtherL4OPs  RSLT                CNT
-----------------------------------------------------------------------------------------------------------------------------------------------------
fno:0
tcam:A, bank:0, prot:0 Aces
I V 16238  3       0   0     0      192.168.1.1      -         192.168.2.1      -         0  0   1       -             -----  -           0x0000E010005D100B  0
I M 16238  0x1FFF  0   0x00  0x000  255.255.255.255  -         255.255.255.255  -         0  0   0xF
I V 16239  3       0   0     0      0.0.0.0          -         0.0.0.0          -         0  0   0       -             -----  -           0x000000000080D00B  0
I M 16239  0x1FFF  0   0x00  0x000  0.0.0.0          -         0.0.0.0          -         0  0   0x0
Sup2T#show platform software acl capmap tcam A label 3 module 3
Shadow Capmap Table Entry For TCAM A
-----------------------------------------------------------------------
Output in a RST/INV/CNT format: RST - result value; INV - inverted;
CNT - aggregated reference account;
CBF - number of free cap bits (one per entry);
Free items are not shown
-----------------------------------------------------------------------
Index CBF [9]     [8]  [7]  [6]  [5]  [4]  [3]  [2]  [1]  [0]
----- --- ------- ---- ---- ---- ---- ---- ---- ---- ---- ----
3     9   212/0/1 Free Free Free Free Free Free Free Free Free
In this example an interface is configured with both an IPv4 and an IPv6 ACL, and these errors are generated when the interface is brought up:
%EARL_CM-5-NOCAPMAP: No free capmap entry available
%FMCORE-4-RACL_REDUCED: Interface Vlan500 routed traffic will be software switched in ingress direction. L2 features may not be applied at the interface
However, if only the IPv4 ACL is removed and then reapplied to the same interface, hardware programming completes successfully and the errors are no longer generated.
These are the ACLs configured under the SVI in this example:
Switch#sh ip access-lists INGRESS
Extended IP access list INGRESS
10 permit tcp host 1.1.1.1 host 1.1.1.2 range 1 10
20 permit tcp host 1.1.1.3 host 1.1.1.4 range 10 ftp-data
30 permit tcp host 2.1.1.3 host 2.1.1.4 range 30 40
40 permit tcp host 2.1.1.3 host 2.1.1.4 range 85 100
50 permit tcp host 2.1.1.3 host 10.1.1.1 range 222 333
60 permit tcp host 20.5.4.3 host 10.100.100.1 range www 443
70 permit tcp host 200.50.4.3 host 11.11.11.1 range 800 813
80 permit tcp host 200.50.40.30 host 12.12.11.1 range 50 60
90 permit tcp host 13.13.13.3 host 14.14.14.3 range gopher 90
100 permit tcp host 23.23.23.3 host 14.14.10.1 range 123 345
110 permit udp host 123.123.123.1 range 50 60 host 23.23.23.1 range 10 20
120 permit udp host 45.45.43.1 range 1000 1010 host 1.1.1.1 range 50 65
130 permit tcp host 78.78.78.1 range 89 95 host 2.3.4.5 range 1111 1200
140 permit tcp host 5.5.5.50 eq 65000 host 5.4.5.4
150 permit tcp host 5.15.5.150 range 1200 1250 host 1.7.8.4 range 45 65
Switch#show ipv6 access-list DENY-ALL-V6
IPv6 access list DENY-ALL-V6
permit udp FE80::/64 host FF02::66 eq 2000 sequence 10
deny ipv6 any any sequence 20
As the example shows, the IPv4 ACL contains more than nine unique expandable L4Ops. On an interface configured for IPv4 only, these are expanded as needed so that the capmap table is not exhausted.
When the same ACLs are programmed into the TCAM hardware in a dual-stack environment, the switch starts with the IPv4 ACL. Because there are not enough free entries in the capmap table, it expands some of the expandable L4Ops so that the capmap table is filled exactly, without being overrun. The result is that the table now has zero free entries, so no entry is left for the non-expandable L4Op of the IPv6 ACL, which is needed in the next programming step.
When only the IPv4 ACL is removed, the number of free entries in the capmap table goes up, and the IPv6 ACL is now programmed correctly into hardware using one of the newly freed capmap entries. When the IPv4 ACL is reapplied to the interface, the same expansion happens again. Because the IPv6 ACL has taken one of the available capmap entries, one more IPv4 entry is expanded than before. Since every L4Op in this ACL is expandable, programming succeeds.
To avoid having to remove and re-add the IPv4 ACL by hand so that the entries can be merged in hardware, an enhancement was created that changes the TCAM merge algorithm in such cases. For details, see Cisco Bug ID CSCuq24924.
As a result of this enhancement, the fixed software releases have a configurable option in global configuration that changes how L4Ops are programmed in cases such as dual-stack IPv4/IPv6 ACL deployments. This is the configuration change to make:
Switch(config)#platform hardware acl tcam-exp-logic enable
Note: Because of the change this enhancement introduces, expandable L4Ops are expanded at a higher rate than normal, which can cause a noticeable increase in TCAM utilization.
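The capmap accounting described on this page (one slot per unique {operator, operand} tuple, nine usable slots per label, shared slots counted in CNT, expandable L4Ops turned into extra TCAM entries instead) can be replayed with a small model. The following Python is an added example written for this page, not Cisco code or switch output: it encodes the DSCP scenario from the start of this section and the dual-stack INGRESS / DENY-ALL-V6 scenario as L4Op lists and programs them against one label's capmap table. Its assumptions: which operators are expandable is taken as an input rather than derived (the page treats the IPv4 range and eq ops as expandable and dscp and the IPv6 eq 2000 as non-expandable), an expanded port range becomes the classic prefix/mask set of TCAM entries, and the tcam-exp-logic option is approximated as "an expandable op never takes a capmap slot"; the real merge algorithm is not shown on the page.

```python
from collections import Counter
from typing import NamedTuple

CAPMAP_SLOTS = 10                # from the page: 10 capmap entries per TCAM label
USABLE_SLOTS = CAPMAP_SLOTS - 1  # one is reserved for direction, so 9 L4Ops
PORT_MAX = 0xFFFF

class L4Op(NamedTuple):
    op: str            # "eq", "range", "gt", "dscp"
    operand: object    # int, or (lo, hi) for "range"
    expandable: bool   # decided by the platform; an input here, not derived

def rng(lo, hi):
    return L4Op("range", (lo, hi), True)

def eq(port, expandable=True):
    return L4Op("eq", port, expandable)

def dscp(value):
    return L4Op("dscp", value, False)  # page: dscp matches are non-expandable

def op_to_port_ranges(op):
    """Inclusive port ranges covered by a port-based L4Op."""
    if op.op == "range":
        return [op.operand]
    if op.op == "eq":
        return [(op.operand, op.operand)]
    if op.op == "gt":
        return [(op.operand + 1, PORT_MAX)]
    raise ValueError(f"{op.op} has no port range")

def range_to_prefixes(lo, hi):
    """Minimal (value, mask) TCAM entries covering [lo, hi]. This classic prefix
    decomposition is an assumed expansion strategy; the page shows none."""
    out = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, PORT_MAX & ~(size - 1)))
        lo += size
    return out

def expansion_cost(op):
    """TCAM entries one ACE needs for this L4Op once it is expanded."""
    return sum(len(range_to_prefixes(lo, hi)) for lo, hi in op_to_port_ranges(op))

def program_label(acl, eager_expand=False, free_slots=USABLE_SLOTS):
    """Program ACEs (lists of L4Op) against one label's capmap table. Identical
    {operator, operand} tuples share a slot and bump its refcount (CNT); src/dst
    is not part of the key, as the page states. eager_expand approximates the
    tcam-exp-logic option as "expandable ops never take a slot" (an assumption).
    Returns (slot refcounts, extra TCAM entries from expansion, failed ACE indexes)."""
    slots, decision, extra_tcam, failed = Counter(), {}, 0, []
    for idx, ace in enumerate(acl):
        entries = 1
        for op in ace:
            key = (op.op, op.operand)
            if key not in decision:
                if len(slots) < free_slots and not (eager_expand and op.expandable):
                    decision[key] = "slot"
                elif op.expandable:
                    decision[key] = "expand"
                else:
                    failed.append(idx)         # the %EARL_CM-5-NOCAPMAP case
                    break
            if decision[key] == "slot":
                slots[key] += 1
            else:
                entries *= expansion_cost(op)  # src and dst expansions multiply
        else:
            extra_tcam += entries - 1
    return dict(slots), extra_tcam, failed

# The page's ACLs INGRESS (IPv4) and DENY-ALL-V6 reduced to their L4Ops; hosts are
# omitted because they never touch the capmap. ftp-data=20, www=80, gopher=70.
INGRESS_V4 = [
    [rng(1, 10)], [rng(10, 20)], [rng(30, 40)], [rng(85, 100)], [rng(222, 333)],
    [rng(80, 443)], [rng(800, 813)], [rng(50, 60)], [rng(70, 90)], [rng(123, 345)],
    [rng(50, 60), rng(10, 20)], [rng(1000, 1010), rng(50, 65)],
    [rng(89, 95), rng(1111, 1200)], [eq(65000)], [rng(1200, 1250), rng(45, 65)],
]
DENY_ALL_V6 = [[eq(2000, expandable=False)], []]  # page: this eq is non-expandable

def dscp_demo():
    """Eight ACEs with one DSCP share a slot (CNT 8); nine distinct DSCPs fill the
    table and a tenth distinct value fails."""
    same = [[dscp(1)] for _ in range(8)]
    nine = [[dscp(v)] for v in (10, 12, 14, 18, 20, 22, 26, 28, 30)]  # af11..af33
    return program_label(same), program_label(nine + [[dscp(2)]])

def dual_stack_demo():
    """IPv4 then IPv6 fails on the IPv6 eq; IPv6 first, or eager expansion, succeeds."""
    return (program_label(INGRESS_V4 + DENY_ALL_V6),
            program_label(DENY_ALL_V6 + INGRESS_V4),
            program_label(INGRESS_V4 + DENY_ALL_V6, eager_expand=True))

if __name__ == "__main__":
    for name, (slots, extra, failed) in zip(("v4 then v6", "v6 then v4", "eager"), dual_stack_demo()):
        print(f"{name}: slots={len(slots)} extra_tcam={extra} failed={failed}")
```

Run stand-alone, the model reports that programming IPv4 before IPv6 leaves all nine slots taken and the IPv6 ACE unprogrammable, while programming IPv6 first or expanding eagerly succeeds. The eager run also reports the largest number of extra TCAM entries, which is the utilization increase the note above warns about: every capmap slot saved is paid for in TCAM rows, and two expanded ranges on one ACE multiply rather than add.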