S12516F-AF at a certain site: ACL egress cannot invoke an object group

Problem Description

The egress ACL cannot invoke an object group.

Process Analysis

1. Normally, this configuration can be applied successfully.

2. After the following rule is added, an alarm is triggered. The log does not state that the ACL is unsupported (rule 2000 permit tcp source object-group xx destination xxxx destination-port eq xx).

%Jan 26 13:28:28:026 2024 xxx PFILTER/3/PFILTER_IF_UNK_ERR: -Slot=3; Failed to apply or refresh IPv6 ACL xxxx rule xxxx to the inbound direction of interface xx.

%Jan 26 13:28:28:132 2024 xxx PFILTER/3/PFILTER_IF_UNK_ERR: -Slot=2; Failed to apply or refresh IPv6 ACL xxxx rule xxxx to the inbound direction of interface xx.

%Jan 26 13:28:28:134 2024 xxx PFILTER/3/PFILTER_IF_UNK_ERR: -Slot=2; Failed to apply or refresh IPv6 ACL xxxx rule xxxx to the inbound direction of interface xx.

3. The object group, when configured separately, can also be applied successfully.

4. In ACL 3999 rule 2000, the CMCC object group can be invoked successfully while it is empty. After addresses are added to the object group, the error occurs again, so an IPv6 address issue is also suspected.


Solution

1. Collect the output of bcm slot 2 chip 2 diag/field/res in probe view:

(1) The ACL exceeds the maximum bit width. The maximum supported width of a matching entry is 320 bits, but the current configuration exceeds 320 bits, so applying it fails:

Chassis00 slot02 2024/01/26 13:28:27:879979 [LINE:2911-TASK:aclmgrd-FUNC:_bcm_dpp_field_group_verify_qset]:specified qset is too wide 324 for unit 2 stage 0, max 320

(2) An address with a mask exceeding 64 bits occupies 128 bits, while an address with a mask below 64 bits occupies only 64 bits. Adding the port, port number range, TCP keywords, etc. pushes the total past the 320-bit width:

rule 2000 permit tcp source object-group x destination xxxx4 destination-port eq xx

rule 2001 permit tcp destination xxxx destination-port object-group xx

(3) It is recommended to limit the matching mask of the source address or destination address to no more than 64 bits to reduce bit width usage:

Resource DB 7 [Group   7]

        Type = TCAM, Stage = ingress_pmf, Priority = 74, Key Size = 320, NOF CEs = 14

        Key:

        Second    Key msb   Key lsb   Lost Bits Qual msb  Qual lsb  Qual Type
        ----------------------------------------------------------------------------
        No        31        0         0         31        0         ipv6_sip_high
        No        63        32        0         31        0         ipv6_dip_high
        No        79        64        0         15        0         user_def_4
        No        111       80        0         63        32        ipv6_dip_high
        No        143       112       0         63        32        ipv6_sip_high
        No        159       144       0         15        0         user_def_3
        Yes       31        0         0         31        0         ipv6_dip_low
        Yes       39        32        0         7         0         ipv6_next_prtcl
        Yes       63        40        0         23        0         ipv6_l4ops
        Yes       69        64        0         5         0         ipv4_tcp_ctl
        Yes       88        80        0         8         0         src_pp_port
        Yes       92        89        0         3         0         eth_tag_format
        Yes       124       93        0         63        32        ipv6_dip_low
        Yes       131       125       3         3         0         pfq1_next_protocol

 

The bit width occupied by each matching item is annotated below. IPv6 addresses with a mask below 64 bits occupy 64 bits, while those with a mask above 64 bits occupy 128 bits.

        Type = TCAM, Stage = ingress_pmf, Priority = 74, Key Size = 320, NOF CEs = 14

        Key:

        Second    Key msb   Key lsb   Lost Bits Qual msb  Qual lsb  Qual Type
        ----------------------------------------------------------------------------
        No        31        0         0         31        0         ipv6_sip_high       // IPv6 source address, 32 bits
        No        63        32        0         31        0         ipv6_sip_low        // IPv6 source address, 32 bits
        No        79        64        0         15        0         user_def_4          // destination port, 16 bits
        No        111       80        0         63        32        ipv6_sip_low        // IPv6 source address, 32 bits
        No        143       112       0         63        32        ipv6_sip_high       // IPv6 source address, 32 bits
        No        159       144       0         15        0         user_def_3          // source port, 16 bits
        Yes       31        0         0         31        0         ipv6_dip_high       // IPv6 destination address, 32 bits
        Yes       39        32        0         7         0         ipv6_next_prtcl     // TCP, 8 bits
        Yes       63        40        0         23        0         ipv6_l4ops          // range, 24 bits
        Yes       69        64        0         5         0         ipv4_tcp_ctl        // TCP keyword, 6 bits
        Yes       88        80        0         8         0         src_pp_port         // IPv6 packets are delivered by default, 9 bits
        Yes       92        89        0         3         0         eth_tag_format      // IPv6 packets are delivered by default, 4 bits
        Yes       124       93        0         63        32        ipv6_dip_high       // IPv6 destination address, 32 bits
        Yes       131       125       3         3         0         pfq1_next_protocol  // IPv6 packets are delivered by default, 4 bits
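The per-qualifier accounting above can be automated. The following is an added example, not code from the original case or from the vendor: it parses the first key table and the "qset is too wide" log line quoted on this page and reports how many qualifier bits the IPv6 address halves consume. The function names are hypothetical, and counting each qualifier as Qual msb - Qual lsb + 1 is an assumption chosen because it matches the bit annotations above.

```python
import re
from collections import defaultdict
# Key table and log line copied from the diag output quoted on this page.
DUMP = """\
Type = TCAM, Stage = ingress_pmf, Priority = 74, Key Size = 320, NOF CEs = 14
No   31  0   0 31 0  ipv6_sip_high
No   63  32  0 31 0  ipv6_dip_high
No   79  64  0 15 0  user_def_4
No   111 80  0 63 32 ipv6_dip_high
No   143 112 0 63 32 ipv6_sip_high
No   159 144 0 15 0  user_def_3
Yes  31  0   0 31 0  ipv6_dip_low
Yes  39  32  0 7  0  ipv6_next_prtcl
Yes  63  40  0 23 0  ipv6_l4ops
Yes  69  64  0 5  0  ipv4_tcp_ctl
Yes  88  80  0 8  0  src_pp_port
Yes  92  89  0 3  0  eth_tag_format
Yes  124 93  0 63 32 ipv6_dip_low
Yes  131 125 3 3  0  pfq1_next_protocol
"""
LOG = "FUNC:_bcm_dpp_field_group_verify_qset]:specified qset is too wide 324 for unit 2 stage 0, max 320"

ROW = re.compile(r"\s*(Yes|No)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\w+)")
WIDE = re.compile(r"qset is too wide (\d+) for unit (\d+) stage (\d+), max (\d+)")

def key_usage(dump):
    """Return (key size, bits per qualifier, lost bits) from a key table."""
    key_size = int(re.search(r"Key Size\s*=\s*(\d+)", dump).group(1))
    per_qual, lost = defaultdict(int), 0
    for m in filter(None, map(ROW.match, dump.splitlines())):
        per_qual[m[7]] += int(m[5]) - int(m[6]) + 1  # Qual msb - Qual lsb + 1
        lost += int(m[4])                            # Lost Bits column
    return key_size, dict(per_qual), lost

def summarize(dump):
    """Total qualifier bits and the share taken by IPv6 address halves."""
    key_size, per_qual, lost = key_usage(dump)
    addr = sum(b for q, b in per_qual.items() if q.startswith(("ipv6_sip", "ipv6_dip")))
    return {"key_size": key_size, "qual_bits": sum(per_qual.values()),
            "lost_bits": lost, "address_bits": addr}

def qset_overflow(line):
    """Extract requested and maximum width from the failure log, or None."""
    m = WIDE.search(line)
    if not m:
        return None
    wanted, unit, stage, limit = map(int, m.groups())
    return {"unit": unit, "stage": stage, "wanted": wanted, "max": limit, "over_by": wanted - limit}
if __name__ == "__main__":
    print(summarize(DUMP), qset_overflow(LOG))
```

On the quoted dump, the IPv6 address halves account for 192 of the 279 qualifier bits, which is why keeping address masks at 64 bits or less is the most effective way to stay under the 320-bit key.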
