Why does the system generally display the error message "Add rule to chip failed" or "Error:Adding rule failed." when a traffic policy is delivered and an ACL rule contains a TCP or UDP port range


On S series modular switches, the system generally displays an error message when a traffic policy is delivered and an ACL rule contains a TCP or UDP port range. The possible causes of this problem are as follows:
- The traffic policy is applied in the outbound direction (V200R002C00 and earlier versions).
In V200R002C00 and earlier versions, a port range cannot be specified in the outbound direction. If an ACL rule contains a port range and the corresponding traffic policy is applied in the outbound direction, the system displays the preceding error message.
- The number of applied rules that contain port ranges has reached or exceeded the maximum value.
The S series cards support a maximum of 16 TCP or UDP port ranges and the E series cards support a maximum of 32 TCP or UDP port ranges. When the number of rules containing port ranges that are applied in the inbound direction exceeds the maximum, the system displays the preceding error message.
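The two causes above can be checked before a traffic policy is delivered. The following is an added example, not from Huawei or this FAQ: it assumes VRP-style ACL rule syntax (`source-port range`, `destination-port range`) and version strings of the form V200R002C00, and the card family (S or E) is supplied by the operator.

```python
import re

# Per-card limits on TCP/UDP port ranges as stated in the FAQ above.
PORT_RANGE_LIMIT = {"S": 16, "E": 32}
# Assumed VRP-style syntax, e.g. "rule 5 permit tcp destination-port range 1000 2000".
PORT_RANGE_RE = re.compile(r"\b(?:source-port|destination-port)\s+range\s+\d+\s+\d+\b")
VERSION_RE = re.compile(r"V(\d+)R(\d+)C(\d+)")
# Last version in which port ranges are unsupported in the outbound direction.
LAST_OUTBOUND_UNSUPPORTED = (200, 2, 0)

# Constructed sample rules (not from a real device).
SAMPLE_RULES = [
    "rule 5 permit tcp destination-port range 1000 2000",
    "rule 10 permit udp source-port eq 53",
    "rule 15 deny tcp source-port range 20 21",
]


def parse_version(version):
    """Turn 'V200R002C00' into a comparable tuple (200, 2, 0)."""
    m = VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def rules_with_port_range(rules):
    """Return only the rules that use a TCP/UDP port range (eq/gt/lt do not count)."""
    return [r for r in rules if PORT_RANGE_RE.search(r)]


def check_policy(rules, direction, version, card_family):
    """Return the reasons delivery is expected to fail; an empty list means no known cause."""
    problems = []
    ranged = rules_with_port_range(rules)
    if not ranged:
        return problems  # no port ranges, neither cause applies
    if direction == "outbound" and parse_version(version) <= LAST_OUTBOUND_UNSUPPORTED:
        problems.append("port ranges cannot be applied outbound in V200R002C00 and earlier")
    limit = PORT_RANGE_LIMIT[card_family]
    if direction == "inbound" and len(ranged) > limit:
        problems.append(f"{len(ranged)} port-range rules exceed the {card_family} series card limit of {limit}")
    return problems


if __name__ == "__main__":
    print(check_policy(SAMPLE_RULES, "outbound", "V200R002C00", "S"))
```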

Other related questions:
Why are the statistics displayed in the display acl command output 0 after a traffic policy defining an ACL rule and traffic statistics is applied and traffic matches the ACL rule?
The display acl command displays statistics on traffic sent to the control plane. The traffic statistics collection function in traffic policies collects statistics on traffic on the forwarding plane; statistics on traffic sent to the control plane are not collected. Therefore, after a traffic policy defining an ACL rule and traffic statistics is applied and traffic matches the ACL rule, the statistics displayed in the display acl command output are 0. Run the display traffic-policy statistics command to view statistics on traffic matching a traffic policy applied to an interface.

Why are two more ACL rules occupied in the display acl resource command output after a traffic policy is configured on an S series switch?
Packets sent by an S series switch to the CPU for processing and packets for inter-board communication exist on the switch. To prevent these packets from being affected by the traffic policy, the switch delivers two ACL rules before delivering the traffic policy.

Why does a traffic classifier not support the And relationship between ACL rules?
ACL rules may cause conflicts when matching the same elements. For example, if two ACL rules defined in a traffic classifier match VLANs, the And relationship between ACL rules causes matching conflicts and leads to matching failure when VLAN IDs are different.

Why can an interface on an S series modular switch not deliver a traffic policy containing outbound flow mirroring?
For S series modular switches in the following software versions and models, when outbound flow mirroring is configured, no other actions can be configured in the same traffic behavior. If other actions are defined in the traffic behavior, the interface cannot deliver the traffic policy containing outbound flow mirroring.
- S9300 series switches running V200R001 and later versions.
- S7700 and S9700 series switches running V200R001 and later versions.
- S12700 series switches running all software versions.
