Vlan Filter

There is a Cisco 3550 aggregation node

24 access nodes converge on it

it routes the district's traffic

one VLAN per building, routed at L3, 25 VLANs in total

 

The task is to enable/disable internet access

and also to enable/disable access to local resources

 

it was decided to use a VLAN filter

 

The idea behind ACL 112 is this: if a subscriber's IP is absent from this list, only the internet and the statistics servers work for that subscriber

if the IP is added to ACL 112 as in the lists below, internet + local network work for them

 

with a small number of rules (when ACL 112 is only the first 10 lines) everything works fine,

but with a large ACL like the one below, huge packet loss starts, with CPU load at around 30%

 

what can be done?

 

the logs show the following

 

000108: Mar 23 21:07:53: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.80.2)
000109: Mar 23 21:07:53: %FM-3-UNLOADING: Unloading input vlan label 11 feature from all TCAMs
..........
..........
..........
000149: Mar 23 21:09:16: %FM-3-UNLOADING: Unloading input vlan label 27 feature from all TCAMs
000150: Mar 23 21:09:18: %FM-3-UNLOADING: Unloading input vlan label 29 feature from all TCAMs

 

we found the explanation of the error at http://www.cisco.com/en/US/docs/switches/l...c.html#wp253879

Error Message: FM-3-UNLOADING: Unloading [chars] label [dec] feature from [chars].

Note: This message applies only to Catalyst 3550 switches.

Explanation: The feature manager was unable to fit the complete configuration into the hardware, so some features will be applied in software. This error prevents some or all the packets from being forwarded in hardware and requires them to be forwarded by the CPU. Multicast packets might be dropped instead of being forwarded. The first [chars] is the direction (input or output), [dec] is the label number, and the second [chars] is the TCAM ID.

Recommended Action: Allocate more space to the relevant section of the TCAM by using the sdm prefer global configuration command and then reboot the switch, or use a simpler configuration. Use the same ACLs on multiple interfaces, if possible.

 

judging by the logs it is complaining about the ACLs: it cannot fit them all into the hardware, so supposedly part of them will be handled by the CPU

following the recommendation we replaced sdm prefer default with sdm prefer access extended-match and rebooted

it didn't help

 

what's wrong?

 

 

here is the vlan filter and ACL config under which everything slows down, or rather packets are lost for everyone who falls under these lists

vlan access-map BLOCK_LAN 10
action drop
match ip address 111
vlan access-map BLOCK_LAN 20
action forward
match ip address 112
vlan access-map BLOCK_LAN 30
action forward
match ip address 113


vlan filter BLOCK_LAN vlan-list 131-136,139-149,151-154,163-166

access-list 111 deny   ip any host 109.248.0.54
access-list 111 deny   ip any host 109.248.0.50
access-list 111 deny   ip any host 192.168.200.5
access-list 111 deny   ip any host 192.168.200.253
access-list 111 deny   ip any host 192.168.1.253
access-list 111 deny   ip any host 10.52.101.1

access-list 112 permit tcp any any eq 135
access-list 112 permit tcp any any eq 139
access-list 112 permit tcp any any eq 445
access-list 112 permit ip any host 192.168.200.5
access-list 112 permit ip any host 109.248.0.54
access-list 112 permit ip any host 109.248.0.50
access-list 112 permit ip any host 192.168.1.253
access-list 112 permit ip any host 10.52.101.1
access-list 112 permit ip host 109.248.0.50 any
access-list 112 permit ip host 109.248.0.54 any
access-list 112 permit ip host 10.11.4.10 any
access-list 112 permit ip host 10.1.13.2 any
access-list 112 permit ip host 10.1.13.1 any
access-list 112 permit ip host 10.1.32.10 any
access-list 112 permit ip host 10.11.7.38 any
access-list 112 permit ip host 10.11.8.18 any
access-list 112 permit ip host 10.1.10.34 any
access-list 112 permit ip host 10.1.11.46 any
access-list 112 permit ip host 10.1.13.30 any
access-list 112 permit ip host 10.1.13.34 any
access-list 112 permit ip host 10.1.14.14 any
access-list 112 permit ip host 10.1.16.18 any
access-list 112 permit ip host 10.1.16.22 any
access-list 112 permit ip host 10.1.17.19 any
access-list 112 permit ip host 10.1.17.6 any
access-list 112 permit ip host 10.1.18.18 any
access-list 112 permit ip host 10.1.19.10 any
access-list 112 permit ip host 10.1.20.3 any
access-list 112 permit ip host 10.1.20.42 any
access-list 112 permit ip host 10.1.21.44 any
access-list 112 permit ip host 10.1.22.26 any
access-list 112 permit ip host 10.1.22.32 any
access-list 112 permit ip host 10.1.22.34 any
access-list 112 permit ip host 10.1.22.35 any
access-list 112 permit ip host 10.1.23.1 any
access-list 112 permit ip host 10.1.23.18 any
access-list 112 permit ip host 10.1.23.25 any
access-list 112 permit ip host 10.1.23.27 any
access-list 112 permit ip host 10.1.24.37 any
access-list 112 permit ip host 10.1.25.10 any
access-list 112 permit ip host 10.1.26.35 any
access-list 112 permit ip host 10.1.26.39 any
access-list 112 permit ip host 10.1.27.8 any
access-list 112 permit ip host 10.1.29.1 any
access-list 112 permit ip host 10.1.29.12 any
access-list 112 permit ip host 10.1.29.4 any
access-list 112 permit ip host 10.1.3.18 any
access-list 112 permit ip host 10.1.30.6 any
access-list 112 permit ip host 10.1.31.20 any
access-list 112 permit ip host 10.1.31.22 any
access-list 112 permit ip host 10.1.32.3 any
access-list 112 permit ip host 10.1.33.30 any
access-list 112 permit ip host 10.1.34.6 any
access-list 112 permit ip host 10.1.35.28 any
access-list 112 permit ip host 10.1.35.6 any
access-list 112 permit ip host 10.1.36.10 any
access-list 112 permit ip host 10.1.36.28 any
access-list 112 permit ip host 10.1.36.3 any
access-list 112 permit ip host 10.1.4.14 any
access-list 112 permit ip host 10.1.4.20 any
access-list 112 permit ip host 10.1.5.31 any
access-list 112 permit ip host 10.1.6.2 any
access-list 112 permit ip host 10.1.7.26 any
access-list 112 permit ip host 10.1.7.31 any
access-list 112 permit ip host 10.1.7.32 any
access-list 112 permit ip host 10.1.7.35 any
access-list 112 permit ip host 10.1.7.36 any
access-list 112 permit ip host 10.11.1.86 any
access-list 112 permit ip host 10.11.1.90 any
access-list 112 permit ip host 10.11.10.22 any
access-list 112 permit ip host 10.11.10.38 any
access-list 112 permit ip host 10.11.10.42 any
access-list 112 permit ip host 10.11.10.50 any
access-list 112 permit ip host 10.11.10.62 any
access-list 112 permit ip host 10.11.10.66 any
access-list 112 permit ip host 10.11.10.74 any
access-list 112 permit ip host 10.11.10.86 any
access-list 112 permit ip host 10.11.11.10 any
access-list 112 permit ip host 10.11.11.102 any
access-list 112 permit ip host 10.11.11.106 any
access-list 112 permit ip host 10.11.11.14 any
access-list 112 permit ip host 10.11.11.18 any
access-list 112 permit ip host 10.11.11.38 any
access-list 112 permit ip host 10.11.11.42 any
access-list 112 permit ip host 10.11.11.62 any
access-list 112 permit ip host 10.11.11.94 any
access-list 112 permit ip host 10.11.11.98 any
access-list 112 permit ip host 10.11.12.26 any
access-list 112 permit ip host 10.11.12.54 any
access-list 112 permit ip host 10.11.12.70 any
access-list 112 permit ip host 10.11.12.74 any
access-list 112 permit ip host 10.11.12.78 any
access-list 112 permit ip host 10.11.12.82 any
access-list 112 permit ip host 10.11.12.86 any
access-list 112 permit ip host 10.11.13.10 any
access-list 112 permit ip host 10.11.13.42 any
access-list 112 permit ip host 10.11.13.46 any
access-list 112 permit ip host 10.11.13.6 any
access-list 112 permit ip host 10.11.13.78 any
access-list 112 permit ip host 10.11.13.90 any
access-list 112 permit ip host 10.11.13.94 any
access-list 112 permit ip host 10.11.14.42 any
access-list 112 permit ip host 10.11.15.14 any
access-list 112 permit ip host 10.11.15.18 any
access-list 112 permit ip host 10.11.15.22 any
access-list 112 permit ip host 10.11.15.34 any
access-list 112 permit ip host 10.11.15.42 any
access-list 112 permit ip host 10.11.15.46 any
access-list 112 permit ip host 10.11.15.50 any
access-list 112 permit ip host 10.11.15.54 any
access-list 112 permit ip host 10.11.15.6 any
access-list 112 permit ip host 10.11.16.14 any
access-list 112 permit ip host 10.11.16.18 any
access-list 112 permit ip host 10.11.16.22 any
access-list 112 permit ip host 10.11.16.46 any
access-list 112 permit ip host 10.11.16.50 any
access-list 112 permit ip host 10.11.16.58 any
access-list 112 permit ip host 10.11.16.62 any
access-list 112 permit ip host 10.11.16.86 any
access-list 112 permit ip host 10.11.17.26 any
access-list 112 permit ip host 10.11.17.42 any
access-list 112 permit ip host 10.11.18.102 any
access-list 112 permit ip host 10.11.18.90 any
access-list 112 permit ip host 10.11.19.106 any
access-list 112 permit ip host 10.11.19.114 any
access-list 112 permit ip host 10.11.19.118 any
access-list 112 permit ip host 10.11.19.14 any
access-list 112 permit ip host 10.11.19.46 any
access-list 112 permit ip host 10.11.19.66 any
access-list 112 permit ip host 10.11.19.86 any
access-list 112 permit ip host 10.11.2.2 any
access-list 112 permit ip host 10.11.2.22 any
access-list 112 permit ip host 10.11.2.26 any
access-list 112 permit ip host 10.11.2.62 any
access-list 112 permit ip host 10.11.2.82 any
access-list 112 permit ip host 10.11.2.90 any
access-list 112 permit ip host 10.11.2.94 any
access-list 112 permit ip host 10.11.20.126 any
access-list 112 permit ip host 10.11.20.138 any
access-list 112 permit ip host 10.11.20.142 any
access-list 112 permit ip host 10.11.20.156 any
access-list 112 permit ip host 10.11.20.162 any
access-list 112 permit ip host 10.11.20.178 any
access-list 112 permit ip host 10.11.20.18 any
access-list 112 permit ip host 10.11.20.54 any
access-list 112 permit ip host 10.11.20.94 any
access-list 112 permit ip host 10.11.21.18 any
access-list 112 permit ip host 10.11.21.30 any
access-list 112 permit ip host 10.11.21.58 any
access-list 112 permit ip host 10.11.21.6 any
access-list 112 permit ip host 10.11.21.70 any
access-list 112 permit ip host 10.11.21.74 any
access-list 112 permit ip host 10.11.22.10 any
access-list 112 permit ip host 10.11.22.14 any
access-list 112 permit ip host 10.11.22.18 any
access-list 112 permit ip host 10.11.22.26 any
access-list 112 permit ip host 10.11.22.54 any
access-list 112 permit ip host 10.11.22.58 any
access-list 112 permit ip host 10.11.22.62 any
access-list 112 permit ip host 10.11.22.66 any
access-list 112 permit ip host 10.11.22.70 any
access-list 112 permit ip host 10.11.22.90 any
access-list 112 permit ip host 10.11.22.94 any
access-list 112 permit ip host 10.11.23.106 any
access-list 112 permit ip host 10.11.23.110 any
access-list 112 permit ip host 10.11.23.2 any
access-list 112 permit ip host 10.11.23.86 any
access-list 112 permit ip host 10.11.24.18 any
access-list 112 permit ip host 10.11.24.22 any
access-list 112 permit ip host 10.11.24.26 any
access-list 112 permit ip host 10.11.24.30 any
access-list 112 permit ip host 10.11.24.34 any
access-list 112 permit ip host 10.11.24.38 any
access-list 112 permit ip host 10.11.24.58 any
access-list 112 permit ip host 10.11.24.74 any
access-list 112 permit ip host 10.11.24.82 any
access-list 112 permit ip host 10.11.25.26 any
access-list 112 permit ip host 10.11.25.82 any
access-list 112 permit ip host 10.11.26.10 any
access-list 112 permit ip host 10.11.26.30 any
access-list 112 permit ip host 10.11.26.34 any
access-list 112 permit ip host 10.11.27.102 any
access-list 112 permit ip host 10.11.27.26 any
access-list 112 permit ip host 10.11.27.38 any
access-list 112 permit ip host 10.11.27.50 any
access-list 112 permit ip host 10.11.27.54 any
access-list 112 permit ip host 10.11.27.62 any
access-list 112 permit ip host 10.11.27.70 any
access-list 112 permit ip host 10.11.27.78 any
access-list 112 permit ip host 10.11.27.86 any
access-list 112 permit ip host 10.11.27.90 any
access-list 112 permit ip host 10.11.27.98 any
access-list 112 permit ip host 10.11.28.10 any
access-list 112 permit ip host 10.11.28.110 any
access-list 112 permit ip host 10.11.28.114 any
access-list 112 permit ip host 10.11.28.122 any
access-list 112 permit ip host 10.11.28.42 any
access-list 112 permit ip host 10.11.28.50 any
access-list 112 permit ip host 10.11.28.58 any
access-list 112 permit ip host 10.11.28.66 any
access-list 112 permit ip host 10.11.28.74 any
access-list 112 permit ip host 10.11.28.78 any
access-list 112 permit ip host 10.11.28.82 any
access-list 112 permit ip host 10.11.28.86 any
access-list 112 permit ip host 10.11.28.90 any
access-list 112 permit ip host 10.11.28.94 any
access-list 112 permit ip host 10.11.29.10 any
access-list 112 permit ip host 10.11.29.102 any
access-list 112 permit ip host 10.11.29.11 any
access-list 112 permit ip host 10.11.29.110 any
access-list 112 permit ip host 10.11.29.22 any
access-list 112 permit ip host 10.11.29.30 any
access-list 112 permit ip host 10.11.29.34 any
access-list 112 permit ip host 10.11.29.38 any
access-list 112 permit ip host 10.11.29.78 any
access-list 112 permit ip host 10.11.29.94 any
access-list 112 permit ip host 10.11.29.98 any
access-list 112 permit ip host 10.11.3.10 any
access-list 112 permit ip host 10.11.3.54 any
access-list 112 permit ip host 10.11.3.60 any
access-list 112 permit ip host 10.11.3.66 any
access-list 112 permit ip host 10.11.30.26 any
access-list 112 permit ip host 10.11.30.42 any
access-list 112 permit ip host 10.11.30.46 any
access-list 112 permit ip host 10.11.30.50 any
access-list 112 permit ip host 10.11.30.58 any
access-list 112 permit ip host 10.11.31.106 any
access-list 112 permit ip host 10.11.31.14 any
access-list 112 permit ip host 10.11.31.26 any
access-list 112 permit ip host 10.11.31.30 any
access-list 112 permit ip host 10.11.31.46 any
access-list 112 permit ip host 10.11.31.70 any
access-list 112 permit ip host 10.11.31.74 any
access-list 112 permit ip host 10.11.32.42 any
access-list 112 permit ip host 10.11.32.78 any
access-list 112 permit ip host 10.11.32.82 any
access-list 112 permit ip host 10.11.32.90 any
access-list 112 permit ip host 10.11.33.122 any
access-list 112 permit ip host 10.11.33.14 any
access-list 112 permit ip host 10.11.33.150 any
access-list 112 permit ip host 10.11.33.18 any
access-list 112 permit ip host 10.11.33.30 any
access-list 112 permit ip host 10.11.33.38 any
access-list 112 permit ip host 10.11.33.62 any
access-list 112 permit ip host 10.11.33.66 any
access-list 112 permit ip host 10.11.34.38 any
access-list 112 permit ip host 10.11.34.46 any
access-list 112 permit ip host 10.11.34.50 any
access-list 112 permit ip host 10.11.34.70 any
access-list 112 permit ip host 10.11.34.74 any
access-list 112 permit ip host 10.11.34.78 any
access-list 112 permit ip host 10.11.34.82 any
access-list 112 permit ip host 10.11.35.2 any
access-list 112 permit ip host 10.11.35.26 any
access-list 112 permit ip host 10.11.35.54 any
access-list 112 permit ip host 10.11.35.78 any
access-list 112 permit ip host 10.11.35.82 any
access-list 112 permit ip host 10.11.36.102 any
access-list 112 permit ip host 10.11.36.110 any
access-list 112 permit ip host 10.11.36.118 any
access-list 112 permit ip host 10.11.36.122 any
access-list 112 permit ip host 10.11.36.14 any
access-list 112 permit ip host 10.11.36.154 any
access-list 112 permit ip host 10.11.36.2 any
access-list 112 permit ip host 10.11.36.38 any
access-list 112 permit ip host 10.11.36.50 any
access-list 112 permit ip host 10.11.36.86 any
access-list 112 permit ip host 10.11.4.30 any
access-list 112 permit ip host 10.11.4.42 any
access-list 112 permit ip host 10.11.4.54 any
access-list 112 permit ip host 10.11.4.58 any
access-list 112 permit ip host 10.11.4.78 any
access-list 112 permit ip host 10.11.5.14 any
access-list 112 permit ip host 10.11.5.18 any
access-list 112 permit ip host 10.11.5.22 any
access-list 112 permit ip host 10.11.5.50 any
access-list 112 permit ip host 10.11.5.6 any
access-list 112 permit ip host 10.11.5.94 any
access-list 112 permit ip host 10.11.6.10 any
access-list 112 permit ip host 10.11.6.42 any
access-list 112 permit ip host 10.11.6.70 any
access-list 112 permit ip host 10.11.6.82 any
access-list 112 permit ip host 10.11.7.74 any
access-list 112 permit ip host 10.11.8.14 any
access-list 112 permit ip host 10.11.8.38 any
access-list 112 permit ip host 10.11.8.58 any
access-list 112 permit ip host 10.11.9.54 any
access-list 112 permit ip host 10.11.35.94 any

access-list 113 permit ip any 109.248.0.0 0.0.63.255
access-list 113 deny   ip 109.248.0.0 0.0.63.255 109.248.0.0 0.0.63.255
access-list 113 deny   ip 109.248.0.0 0.0.63.255 10.0.0.0 0.255.255.255
access-list 113 deny   ip 109.248.0.0 0.0.63.255 192.168.0.0 0.0.255.255
access-list 113 deny   ip any 109.248.0.0 0.0.63.255
access-list 113 permit ip any 10.0.0.0 0.255.255.255
access-list 113 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 113 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 113 deny   ip 10.0.0.0 0.255.255.255 109.248.0.0 0.0.63.255
access-list 113 deny   ip any 10.0.0.0 0.255.255.255

access-list 113 permit ip any 192.168.0.0 0.0.255.255
access-list 113 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 113 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 113 deny   ip 192.168.0.0 0.0.255.255 109.248.0.0 0.0.63.255
access-list 113 deny   ip any 192.168.0.0 0.0.255.255
access-list 113 permit ip any any

 

#sh sdm pref
The current template is the access extended-match template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1K VLANs.

number of unicast mac addresses:   1K
number of igmp groups:             2K
number of qos aces:                1K
number of security aces:           2K
number of unicast routes:          1K
number of multicast routes:        2K

 

#sh tcam inacl 1 statistics
Ingress ACL TCAM#1: Number of active labels: 30
Ingress ACL TCAM#1: Number of masks   allocated:  160, available:  256
Ingress ACL TCAM#1: Number of entries allocated:  582, available: 2746


#sh tcam outacl 1 statistics
Egress ACL TCAM#1: Number of active labels: 2
Egress ACL TCAM#1: Number of masks   allocated:    6, available:  410
Egress ACL TCAM#1: Number of entries allocated:    5, available: 3323
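How the posted VLAN map decides a packet's fate is worth walking through, because a VLAN map is not read like a port ACL: an entry applies only to packets that its ACL permits, a deny in the ACL just sends the packet on to the next entry, and a packet no entry matches is dropped. The Python script below is an added illustration, not code from the thread; it parses a constructed, shortened excerpt of the configuration above (ACL 113 keeps only three of its lines) and evaluates made-up packets against it.

```python
import ipaddress

# Constructed, shortened excerpt of the thread's VLAN map and ACLs (ACL 113 keeps 3 of its lines).
CONFIG = """
vlan access-map BLOCK_LAN 10
 action drop
 match ip address 111
vlan access-map BLOCK_LAN 20
 match ip address 112
vlan access-map BLOCK_LAN 30
 match ip address 113
access-list 111 deny   ip any host 192.168.200.5
access-list 112 permit tcp any any eq 445
access-list 112 permit ip any host 192.168.200.5
access-list 112 permit ip host 10.1.13.2 any
access-list 113 permit ip any 109.248.0.0 0.0.63.255
access-list 113 deny   ip any 10.0.0.0 0.255.255.255
access-list 113 permit ip any any
"""

def _addr(tok, i):
    """One IOS address spec (any | host A | A WILDCARD) -> (network, next token index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1]), i + 2  # wildcard == hostmask

def parse(config):
    """Return (ordered map entries, {acl number: [(permit, proto, src, dst, dport), ...]})."""
    acls, vmap, cur = {}, [], None
    for tok in filter(None, (line.split() for line in config.splitlines())):
        if tok[0] == "access-list":
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            acls.setdefault(int(tok[1]), []).append((tok[2] == "permit", tok[3], src, dst, dport))
        elif tok[:2] == ["vlan", "access-map"]:
            cur = {"seq": int(tok[3]), "action": "forward", "acl": None}  # forward is the default
            vmap.append(cur)
        elif tok[0] == "action":
            cur["action"] = tok[1]
        elif tok[0] == "match":
            cur["acl"] = int(tok[3])
    return vmap, acls

def acl_permits(aces, src, dst, proto, dport=None):
    """Plain ACL lookup: the first matching ACE decides, implicit deny at the end."""
    for permit, aproto, asrc, adst, aport in aces:
        if ((aproto == "ip" or aproto == proto) and (aport is None or aport == dport)
                and ipaddress.ip_address(src) in asrc and ipaddress.ip_address(dst) in adst):
            return permit
    return False

def vacl_decision(vmap, acls, src, dst, proto, dport=None):
    """VLAN map lookup: an entry applies only to packets its ACL permits; an ACL deny (explicit
    or implicit) means 'try the next entry', and a packet no entry matches is dropped."""
    for e in vmap:
        if e["acl"] is None or acl_permits(acls.get(e["acl"], []), src, dst, proto, dport):
            return e["action"], e["seq"]
    return "drop", None
```

Feeding it an unlisted source bound for 192.168.200.5 shows entry 10 never dropping anything, because ACL 111 contains only deny lines and therefore never matches a packet in VLAN-map terms; the packet is forwarded by entry 20 instead.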

 

 

 

posted in the wrong place.. can this be moved to "Технические вопросы кабельных сетей" (Technical questions on cable networks).

Cisco has a limit on the number of rules in an ACL. For example, on a 2950T Cisco, 75 rules in total are allowed per port group. Port groups are ports 1-8, 9-16, 17-24, i.e. you can hang 75 rules on 1 port, or on 2, or on 3 and so on, but in total on ports 1 through 8 there must not be more than 75 rules, otherwise processing is handed over to the CPU; I, for example, have 9 rules on each port, which adds up to 74. On a gigabit port, though, you can have 100 rules on this Cisco, and 100 on each one. I think you have exactly the same case, only with VLANs; the only solution is to reduce the number of rules. Search the internet for how many rules are allowed in each particular case specifically for your Cisco series.

Edited by 2MEX2

If you need to split clients into those who get the internet and those who get only the LAN and its services, you should put them in different subnets and simply forbid a given subnet from going to the internet with a single line on the Cisco, rather than making a rule for every client individually while keeping them all in one subnet.
