5130S-52S-EI-H1 ip source binding not effective

Network Topology

pc--------- 1/0/47 sw(gateway)

Problem Description

IP source binding not effective

Process Analysis

[sw-probe]debug port mapping slot 1 

[Interface] [Unit] [Port] [Combo?] [Active?] [IfIndex]  [MID]  [Link]

 GE1/0/47        1      22      no        no      0x2f        1     up  

Interface GE1/0/47 corresponds to chip 1 (Unit 1, Port 22).

[sw-probe]debug qacl show acl-resc slot 1 chip 1

 

---------------Qacl VTcam UsedResc Info---------------

Acl Hw Resource: Group  0, VTcamId   0, Client TTI 0

------------------------------------------------------

  Pri  0, usedEntries    1, mode Double

  =========================================

    acl type                   usedEntries[1] 

  =========================================

    [341]Zero-Mac-Deny               1   

  ======================================

------------------------------------------------------

Acl Hw Resource: Group  0, VTcamId   1, Client TTI 1

------------------------------------------------------

Acl Hw Resource: Group  0, VTcamId   1, Client IPCL 0

------------------------------------------------------

  Pri  2, usedEntries    2, mode Double

  =========================================

    acl type                   usedEntries[2] 

  =========================================

    [32 ]PortBind Bind               1   

    [31 ]PortBind Default            1   

  ======================================

------------------------------------------------------

  Pri  9, usedEntries  360, mode Double

  =========================================

    acl type                   usedEntries[360] 

  =========================================

    [229]Subnet Vlan                 360 

  ======================================

------------------------------------------------------

Acl Hw Resource: Group  0, VTcamId   1, Client IPCL 1

------------------------------------------------------

Acl Hw Resource: Group  0, VTcamId   1, Client IPCL 2

------------------------------------------------------

  Pri 11, usedEntries   13, mode Double

  =========================================

    acl type                   usedEntries[13] 

  =========================================

    [7  ]RX IPv4 Super High          1   

    [8  ]RX IPv4 High                4   

    [10 ]RX IPv4 Middle              8   

  ======================================

------------------------------------------------------

Acl Hw Resource: Group  0, VTcamId   1, Client  EPCL

------------------------------------------------------ 

The PortBind Bind and Subnet Vlan entries are in the same lookup engine (VTcamId 1, Client IPCL 0).

 

The output of debug qacl show slot 1 chip 1 verbose shows that the subnet VLAN entry has the higher precedence:

Acl-Type PortBind Bind, Stage IPCL 0, SinglePort, Installed, Active

Prio Mjr/Sub 0x202/0x5, RuleFormat INGRESS_EXT_NOT_IPV6, Vtcame/Idx 1/ 374,

Rule Match --------

        Port: 22

        Source mac: 5405-DBCF-5080, FFFF-FFFF-FFFF

        Source IP: 172.18.8.169, 255.255.255.255

        IP Type: Any IPv4 packet

Actions --------

        Permit

 

Acl-Type Subnet Vlan, Stage IPCL 0, SinglePort, Installed, Active

Prio Mjr/Sub 0x209/0x5, RuleFormat INGRESS_EXT_NOT_IPV6, Vtcame/Idx 1/ 189,

Rule Match --------

        Port: 22

        Source IP: 172.18.8.0, 255.255.255.0

        Number-of-tags: 0x0

Actions --------

        Insert vlan 8

 

 

[sw-probe]debug qacl show acl-prioinfo slot 1

Type  Acl Type Name                      Reserved    Major    Sub

32    PortBind Bind                      FALSE       2        5

229   Subnet Vlan                        FALSE       9        5

 

Within the same lookup engine, ACL policies with higher precedence are installed first, at positions with smaller Idx values in that engine.

The engine is searched sequentially from the smallest Idx to the largest.

Precedence can be read from the Vtcame/Idx parameter: the smaller the Idx after the slash, the higher the precedence.

If Vtcame is the same, compare Idx directly; if Vtcame differs, compare Mjr/Sub, Mjr first, then Sub.

Higher major values take priority; if the majors are equal, higher sub values take priority.

Here both entries are in Vtcame 1 and the Subnet Vlan entry (Idx 189) sits ahead of the PortBind Bind entry (Idx 374), so a packet that matches the subnet VLAN entry never reaches the port binding entry.
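The ordering check above can be automated. The Python below is an added example, not part of the original case or of any H3C tool: it parses entries laid out like the two verbose entries shown above and reports any PortBind Bind entry that sits behind a broader entry in the same stage, Vtcame and port. It assumes first match wins within an engine, as this case concludes; the function names are hypothetical.

```python
import ipaddress
import re

# The two verbose entries from the case above, trimmed to the fields used here.
SAMPLE = """\
Acl-Type PortBind Bind, Stage IPCL 0, SinglePort, Installed, Active
Prio Mjr/Sub 0x202/0x5, RuleFormat INGRESS_EXT_NOT_IPV6, Vtcame/Idx 1/ 374,
        Port: 22
        Source IP: 172.18.8.169, 255.255.255.255
Acl-Type Subnet Vlan, Stage IPCL 0, SinglePort, Installed, Active
Prio Mjr/Sub 0x209/0x5, RuleFormat INGRESS_EXT_NOT_IPV6, Vtcame/Idx 1/ 189,
        Port: 22
        Source IP: 172.18.8.0, 255.255.255.0
"""

HEAD = re.compile(r"Acl-Type (.+?), Stage (.+?),")
SLOT = re.compile(r"Vtcame/Idx\s*(\d+)/\s*(\d+)")
PORT = re.compile(r"Port:\s*(\d+)")
SRC = re.compile(r"Source IP:\s*([\d.]+),\s*([\d.]+)")

def parse_rules(text):
    """Split the dump on 'Acl-Type' and keep the fields that decide lookup order."""
    rules = []
    for block in re.split(r"(?=Acl-Type )", text):
        head, slot, port, src = (p.search(block) for p in (HEAD, SLOT, PORT, SRC))
        if not (head and slot and port and src):
            continue  # skip preamble and entries without a source-IP match
        rules.append({
            "type": head.group(1),
            "engine": (head.group(2), int(slot.group(1)), int(port.group(1))),
            "idx": int(slot.group(2)),
            "net": ipaddress.ip_network(f"{src.group(1)}/{src.group(2)}", strict=False),
        })
    return rules

def find_shadowed_bindings(rules):
    """Return (earlier_rule, binding) pairs where the earlier rule matches first."""
    hits = []
    for bind in (r for r in rules if r["type"] == "PortBind Bind"):
        for other in rules:
            if (other is not bind and other["engine"] == bind["engine"]
                    and other["idx"] < bind["idx"]  # smaller Idx is searched first
                    and bind["net"].subnet_of(other["net"])):
                hits.append((other, bind))
    return hits

if __name__ == "__main__":
    for early, bind in find_shadowed_bindings(parse_rules(SAMPLE)):
        print(f"{bind['type']} Idx {bind['idx']} shadowed by {early['type']} Idx {early['idx']}")
```

An empty result means no port binding entry in the parsed output is preceded by a broader source-IP entry in its engine.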

Solution

After the subnet VLAN configuration was replaced with a regular access port, the test passed.
