lanc · Posted March 23, 2011

There is a Cisco 3550 aggregation node with 24 access nodes homed to it; it routes the district's traffic, one VLAN per building, routed at L3, 25 VLANs in total. The task is to open/close Internet access and also to open/close access to local resources, and it was decided to use a VLAN filter. The idea of ACL 112 is this: if a subscriber's IP is absent from the list, the subscriber has only the Internet and the statistics servers; if the IP is added to ACL 112 as in the lists below, the subscriber gets the Internet plus the local network. With a small number of rules (when ACL 112 is only the first 10 lines) everything works fine, but with a large ACL like the one below huge packet loss begins, with CPU load at around 30%. What can be done? The log contains the following:

000108: Mar 23 21:07:53: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.80.2)
000109: Mar 23 21:07:53: %FM-3-UNLOADING: Unloading input vlan label 11 feature from all TCAMs
..........
..........
..........
000149: Mar 23 21:09:16: %FM-3-UNLOADING: Unloading input vlan label 27 feature from all TCAMs
000150: Mar 23 21:09:18: %FM-3-UNLOADING: Unloading input vlan label 29 feature from all TCAMs

We found the explanation of the error at http://www.cisco.com/en/US/docs/switches/l...c.html#wp253879

Error Message FM-3-UNLOADING: Unloading [chars] label [dec] feature from [chars].
Note: This message applies only to Catalyst 3550 switches.
Explanation: The feature manager was unable to fit the complete configuration into the hardware, so some features will be applied in software. This error prevents some or all the packets from being forwarded in hardware and requires them to be forwarded by the CPU. Multicast packets might be dropped instead of being forwarded. The first [chars] is the direction (input or output), [dec] is the label number, and the second [chars] is the TCAM ID.
Recommended Action: Allocate more space to the relevant section of the TCAM by using the sdm prefer global configuration command and then reboot the switch, or use a simpler configuration. Use the same ACLs on multiple interfaces, if possible.

Judging by the logs, it is complaining about the ACLs: it cannot fit them all into the hardware, so supposedly some of the traffic will be handled by the CPU. Following the recommendation we replaced sdm prefer default with sdm prefer access extended-match and rebooted; it did not help. What is wrong? Here is the vlan filter and ACL config at which everything slows down, or rather packets are lost for everyone who matches these lists:

vlan access-map BLOCK_LAN 10
 action drop
 match ip address 111
vlan access-map BLOCK_LAN 20
 action forward
 match ip address 112
vlan access-map BLOCK_LAN 30
 action forward
 match ip address 113
vlan filter BLOCK_LAN vlan-list 131-136,139-149,151-154,163-166

access-list 111 deny ip any host 109.248.0.54
access-list 111 deny ip any host 109.248.0.50
access-list 111 deny ip any host 192.168.200.5
access-list 111 deny ip any host 192.168.200.253
access-list 111 deny ip any host 192.168.1.253
access-list 111 deny ip any host 10.52.101.1
access-list 112 permit tcp any any eq 135
access-list 112 permit tcp any any eq 139
access-list 112 permit tcp any any eq 445
access-list 112 permit ip any host 192.168.200.5
access-list 112 permit ip any host 109.248.0.54
access-list 112 permit ip any host 109.248.0.50
access-list 112 permit ip any host 192.168.1.253
access-list 112 permit ip any host 10.52.101.1
access-list 112 permit ip host 109.248.0.50 any
access-list 112 permit ip host 109.248.0.54 any
access-list 112 permit ip host 10.11.4.10 any
access-list 112 permit ip host 10.1.13.2 any
access-list 112 permit ip host 10.1.13.1 any
access-list 112 permit ip host 10.1.32.10 any
access-list 112 permit ip host 10.11.7.38 any
access-list 112 permit ip host 10.11.8.18 any
access-list 112 permit ip host 10.1.10.34 any
access-list 112 permit ip host 10.1.11.46 any
access-list 112 permit ip host 10.1.13.30 any
access-list 112 permit ip host 10.11.5.50 any
access-list 112 permit ip host 10.11.5.6 any
access-list 112 permit ip host 10.11.5.94 any
access-list 112 permit ip host 10.11.6.10 any
access-list 112 permit ip host 10.11.6.42 any
access-list 112 permit ip host 10.11.6.70 any
access-list 112 permit ip host 10.11.6.82 any
access-list 112 permit ip host 10.11.7.74 any
access-list 112 permit ip host 10.11.8.14 any
access-list 112 permit ip host 10.11.8.38 any
access-list 112 permit ip host 10.11.8.58 any
access-list 112 permit ip host 10.11.9.54 any
access-list 112 permit ip host 10.11.35.94 any
access-list 113 permit ip any 109.248.0.0 0.0.63.255
access-list 113 deny ip 109.248.0.0 0.0.63.255 109.248.0.0 0.0.63.255
access-list 113 deny ip 109.248.0.0 0.0.63.255 10.0.0.0 0.255.255.255
access-list 113 deny ip 109.248.0.0 0.0.63.255 192.168.0.0 0.0.255.255
access-list 113 deny ip any 109.248.0.0 0.0.63.255
access-list 113 permit ip any 10.0.0.0 0.255.255.255
access-list 113 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 113 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 113 deny ip 10.0.0.0 0.255.255.255 109.248.0.0 0.0.63.255
access-list 113 deny ip any 10.0.0.0 0.255.255.255
access-list 113 permit ip any 192.168.0.0 0.0.255.255
access-list 113 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 113 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 113 deny ip 192.168.0.0 0.0.255.255 109.248.0.0 0.0.63.255
access-list 113 deny ip any 192.168.0.0 0.0.255.255
access-list 113 permit ip any any

#sh sdm pref
The current template is the access extended-match template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1K VLANs.
number of unicast mac addresses: 1K
number of igmp groups: 2K
number of qos aces: 1K
number of security aces: 2K
number of unicast routes: 1K
number of multicast routes: 2K

#sh tcam inacl 1 statistics
Ingress ACL TCAM#1: Number of active labels: 30
Ingress ACL TCAM#1: Number of masks allocated: 160, available: 256
Ingress ACL TCAM#1: Number of entries allocated: 582, available: 2746

#sh tcam outacl 1 statistics
Egress ACL TCAM#1: Number of active labels: 2
Egress ACL TCAM#1: Number of masks allocated: 6, available: 410
Egress ACL TCAM#1: Number of entries allocated: 5, available: 3323
lanc · Posted March 23, 2011

Posted in the wrong place... Can this be moved to Technical questions on cable networks?
2MEX2 · Posted May 18, 2011 (edited)

Cisco has a limit on the number of rules in an ACL. For example, on a 2950T 75 rules in total are allowed per port group. The port groups are ports 1-8, 9-16 and 17-24, i.e. you can put 75 rules on 1 port, or on 2, or on 3 and so on, but in total there must not be more than 75 rules on ports 1 through 8, otherwise processing is handed over to the CPU. I have, for example, 9 rules on each port, which fits within 74 in total. On a gigabit port, though, this Cisco allows 100 rules, and 100 on each one. I think you have exactly the same case, only with VLANs; the only solution is to reduce the number of rules. Search the net for how many rules are allowed in each case specifically for your Cisco series.

Edited May 18, 2011 by 2MEX2
2MEX2 · Posted May 18, 2011

If you need to split clients into those who get the Internet and those who get only the LAN and its services, you should put them into different subnets and simply forbid a given subnet from reaching the Internet with a single line on the Cisco, instead of making a rule for every client individually while keeping them all in one subnet.
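Both the original poster's ACL/TCAM figures and 2MEX2's advice to move clients into subnets can be checked with a short script. This is an added example, not code from the thread; its ACL and show-command samples are constructed in the same format as the pasted config, and the /24 summary length is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the same format as the pasted config (the real
# ACL 112 holds hundreds of per-host lines, which is the whole problem).
SAMPLE_ACL = """\
access-list 112 permit tcp any any eq 135
access-list 112 permit ip any host 192.168.200.5
access-list 112 permit ip host 10.11.4.10 any
access-list 112 permit ip host 10.11.4.30 any
access-list 112 permit ip host 10.11.4.42 any
access-list 112 permit ip host 10.11.4.54 any
access-list 112 permit ip host 10.1.13.1 any
access-list 112 permit ip host 10.1.13.2 any
access-list 113 permit ip any any
"""

# Constructed sample carrying the same counters as the post's 'sh tcam' output.
SAMPLE_TCAM = """\
Ingress ACL TCAM#1: Number of active labels: 30
Ingress ACL TCAM#1: Number of masks allocated: 160, available: 256
Ingress ACL TCAM#1: Number of entries allocated: 582, available: 2746
"""

ACE_RE = re.compile(r"^access-list (\d+) ")
HOST_RE = re.compile(r"^access-list (\d+) permit ip host (\S+) any$")
TCAM_RE = re.compile(r"Number of (masks|entries) allocated: (\d+), available: (\d+)")

def ace_counts(config):
    """Count ACEs per numbered ACL; every ACE consumes a TCAM entry."""
    counts = Counter()
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def per_host_sources(config, acl):
    """Source addresses of the 'permit ip host X any' ACEs in one ACL."""
    hosts = []
    for line in config.splitlines():
        m = HOST_RE.match(line.strip())
        if m and m.group(1) == acl:
            hosts.append(ipaddress.ip_address(m.group(2)))
    return hosts

def summarize(hosts, prefixlen):
    """Collapsed networks of the given length covering the hosts.
    One ACE per network replaces len(hosts) per-host ACEs, but it also
    admits every other address in those networks, so it is only correct
    once the allowed clients have been addressed into subnets of their own."""
    nets = {ipaddress.ip_network(f"{h}/{prefixlen}", strict=False) for h in hosts}
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def tcam_utilization(stats):
    """Fraction of masks and entries in use, from 'sh tcam inacl 1 statistics'."""
    return {name: int(alloc) / (int(alloc) + int(avail))
            for name, alloc, avail in TCAM_RE.findall(stats)}

if __name__ == "__main__":
    print(ace_counts(SAMPLE_ACL))
    hosts = per_host_sources(SAMPLE_ACL, "112")
    print(len(hosts), "per-host ACEs ->", summarize(hosts, 24))
    print({k: f"{v:.0%}" for k, v in tcam_utilization(SAMPLE_TCAM).items()})
```

Run against the full pasted config, ace_counts shows how many entries ACL 112 alone costs, and summarize shows how few lines remain once clients in the same building share a subnet.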