Insufficient rule resource in policy

Created: Dec 29, 2017 10:16:24 | Latest reply: Jan 18, 2018 01:22:51
  Rewarded Hi-coins: 20 (problem resolved)
Hello. I faced a problem on a switch: the Huawei S5700-48TP-PWR-SI gives an error. Prior to this, I set up other switches, exactly the same, and everything was fine.

Error: Adding rule failed. Insufficient rule resource in policy tp4001 classifier tc4001 behavior tb4001 acl 4001, rule 44, on slot 0 interface GigabitEthernet0/0/35.
Error: Adding rule failed. Insufficient rule resource in policy tp4001 classifier tc4001 behavior tb4001 acl 4001, rule 54, on slot 0 interface GigabitEthernet0/0/3.
Error: Adding rule failed. Insufficient rule resource in policy tp4001 classifier tc4001 behavior tb4001 acl 4001, rule 67, on slot 0 interface GigabitEthernet0/0/6.

Quidway S5700-48TP-PWR-SI Routing Switch uptime is 0 week, 0 day, 0 hour, 59 minutes
CX22EMGEB 0(Master) : uptime is 0 week, 0 day, 0 hour, 58 minutes
256M bytes DDR Memory
32M bytes FLASH
Pcb      Version :  VER.B
Basic  BOOTROM  Version :  246 Compiled at Jul  2 2015, 16:58:12
CPLD   Version : 6
Software Version : VRP (R) Software, Version 5.150 (V200R005C00SPC500)
FANCARD I information
Pcb      Version : FAN VER.B
PWRCARD I information
Pcb      Version : PWR VER.A
PWRCARD II information
Pcb      Version : PWR VER.A

*interface GigabitEthernet0/0/22
    traffic-policy tp4001 inbound 
      slot 0    :  fail
 *interface GigabitEthernet0/0/23        
    traffic-policy tp4001 inbound 
      slot 0    :  fail



All Answers
user_2844477 Created Dec 30, 2017 13:52:16

Hi,

Please provide the output for "display acl all", "display acl resource" and "display traffic-policy applied-record".

Thanks.

andrey44 Created Jan 9, 2018 06:25:07

This post was last edited by negodayi at 2018-01-09 06:26.
Hi.
Total nonempty ACL number is 1

L2 ACL 4001, 67 rules
Acl's step is 1
rule 1 permit source-mac 0080-4032-4f39
rule 2 permit source-mac 3060-77ce-7fef
rule 3 permit source-mac 3060-77ce-120c
rule 4 permit source-mac 0026-10b0-c199
rule 5 permit source-mac 943e-0035-0c07
rule 6 permit source-mac 0026-5a6b-b2f6
rule 7 permit source-mac 3060-77ce-00c6
rule 9 permit source-mac 7434-350e-b679
rule 10 permit source-mac 0000-4019-e313
rule 11 permit source-mac bcee-7b73-fbff
rule 12 permit source-mac 3433-7e40-afee
rule 16 permit source-mac 402c-610e-f631
rule 17 permit source-mac 402c-610e-f04b
rule 18 permit source-mac 402c-610e-f744
rule 19 permit source-mac 30cb-0aea-7643
rule 20 permit source-mac fcaa-1406-e293
rule 21 permit source-mac 402c-6103-6100
rule 22 permit source-mac 402c-610e-f700
rule 23 permit source-mac 402c-610e-f6e5
rule 24 permit source-mac 402c-610e-f63e
rule 25 permit source-mac e03f-49b2-932a
rule 26 permit source-mac 402c-610e-f7eb
rule 28 permit source-mac 6c62-63a7-a4c7
rule 29 permit source-mac 6466-b305-c53c
rule 30 permit source-mac 3433-7efc-701a
rule 34 permit source-mac 001c-2500-1af7
rule 36 permit source-mac b0ae-e393-05ce
rule 38 permit source-mac 402c-6100-f24f
rule 39 permit source-mac 402c-6100-f24c
rule 40 permit source-mac 440a-5b2a-9936
rule 41 permit source-mac 0010-3c64-9af4
rule 43 permit source-mac 0002-b323-abf9
rule 44 permit source-mac 402c-610e-f02a
rule 46 permit source-mac 3ca0-2ab3-1e9a
rule 48 permit source-mac 402c-6144-02b0
rule 51 permit source-mac 0014-0529-e936
rule 52 permit source-mac 30cb-0aea-7646
rule 53 permit source-mac c05b-7619-0222
rule 54 permit source-mac 0010-f30a-1356
rule 55 permit source-mac 0026-10e0-2730
rule 60 permit source-mac 30cb-0a13-5113
rule 62 permit source-mac 0006-a7e0-0c97
rule 64 permit source-mac 0003-ab3e-b314
rule 65 permit source-mac 1c6f-65cf-0999
rule 67 permit source-mac 3464-a970-0562
rule 69 permit source-mac 7434-353c-7172
rule 73 permit source-mac 0013-7760-7219
rule 74 permit source-mac 10a6-f701-a592
rule 76 permit source-mac 903e-3006-203e
rule 77 permit source-mac c033-a303-330e
rule 78 permit source-mac 7430-2b7e-3f4f
rule 79 permit source-mac 60f7-20a1-1e0e
rule 80 permit source-mac 402c-610e-f6e0
rule 82 permit source-mac 402c-612c-97c0
rule 83 permit source-mac 402c-6100-f243
rule 84 permit source-mac 1003-735b-e103
rule 85 permit source-mac 0017-9ac1-e364
rule 87 permit source-mac 402c-610e-f602
rule 89 permit source-mac 6c62-6309-31b9
rule 90 permit source-mac 6c62-6309-31b0
rule 91 permit source-mac 6cf0-492c-bb2a
rule 94 permit source-mac 3c9f-3b90-31b1
rule 95 permit source-mac 3c9f-3b91-31b1
rule 96 permit source-mac 402c-6100-f207
rule 97 permit source-mac 402c-610e-f0e3
rule 98 permit source-mac 3433-7e37-4c07
rule 99 permit source-mac 902b-34cf-3cee
dis acl resource
Slot  0  
                     Vlan-ACL    Inbound-ACL  Outbound-ACL                  
----------------------------------------------------------------------------
  Rule Used               56         5908         5908               
  Rule Free             4040          180          180               
  Rule Total            4096         6088         6088               

  Meter Used               0            4            0               
  Meter Free               0         3580          512               
  Meter Total              0         3584          512               

  Counter Used             0            4            0               
  Counter Free             0         3580          512               
  Counter Total            0         3584          512               
Policy Name:   tp4001
  Policy Index:  0
     Classifier:tc4001     Behavior:tb4001
-------------------------------------------------
*interface GigabitEthernet0/0/1
    traffic-policy tp4001 inbound  
      slot 0    :  fail
*interface GigabitEthernet0/0/2
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/3
    traffic-policy tp4001 inbound  
      slot 0    :  fail
*interface GigabitEthernet0/0/4
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/5
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/6
    traffic-policy tp4001 inbound  
      slot 0    :  fail
*interface GigabitEthernet0/0/7         
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/8
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/9
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/10
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/11
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/12
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/13
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/14
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/15         
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/16
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/17
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/18
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/19
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/20
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/21
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/22
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/23         
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/24
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/25
    traffic-policy tp4001 inbound  
      slot 0    :  fail
*interface GigabitEthernet0/0/26
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/27
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/28
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/29
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/30
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/31         
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/32
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/33
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/34
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/35
    traffic-policy tp4001 inbound  
      slot 0    :  fail
*interface GigabitEthernet0/0/36
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/37
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/38
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/39         
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/40
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/41
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/42
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/43
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/44
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/45
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/46
    traffic-policy tp4001 inbound  
      slot 0    :  success
*interface GigabitEthernet0/0/47         
    traffic-policy tp4001 inbound  
      slot 0    :  success
-------------------------------------------------
  Policy total applied times: 47.

andrey44 Created Jan 9, 2018 09:52:44

How to free ACL resources?

user_2844477 Created Jan 9, 2018 12:12:58

You can try this: http://support.huawei.com/onlinetoolsweb/tsrev/en/content/s/40_edesk_PBR_failure/edesk_PBR_failure_edesk003.html

Check this:
[HUAWEI] diagnose
[HUAWEI-diagnose] display fpi resource slot 0 acl rule all

andrey44 Created Jan 9, 2018 12:30:40

This post was last edited by negodayi at 2018-01-09 13:22.
display fpi resource slot 0 acl rule all

Error: Unrecognized command found at '^' position.

                                 display fpi ?
                                             ^
Error: Unrecognized command found at '^' position.

The command fpi does not exist.

andrey44 Created Jan 10, 2018 06:13:14

removed all acl
dis acl resource
Slot  0  
                     Vlan-ACL    Inbound-ACL  Outbound-ACL                  
----------------------------------------------------------------------------
  Rule Used               56          280          280               
  Rule Free             4040         5808         5808               
  Rule Total            4096         6088         6088               

  Meter Used               0            4            0               
  Meter Free               0         3580          512               
  Meter Total              0         3584          512               

  Counter Used             0            4            0               
  Counter Free             0         3580          512               
  Counter Total            0         3584          512        
added ACL 4001 (specified above)
Slot  0  
                     Vlan-ACL    Inbound-ACL  Outbound-ACL                  
----------------------------------------------------------------------------
  Rule Used               56         6004         6004               
  Rule Free             4040           84           84               
  Rule Total            4096         6088         6088               

  Meter Used               0            4            0               
  Meter Free               0         3580          512               
  Meter Total              0         3584          512               

  Counter Used             0            4            0               
  Counter Free             0         3580          512               
  Counter Total            0         3584          512               
----------------------------------------------------------------------------
Error: Adding rule failed. Insufficient rule resource in policy tp4001 classifier tc4001 behavior tb4001 acl 4001, rule 36, on slot 0 interface GigabitEthernet0/0/15.
dis acl resource

andrey44 Created Jan 10, 2018 06:55:38

I understand what my mistake is; how do I optimize? Now the ACL applies all 99 rules to 47 ports, which is why there is such a large number of rules. 99 * 47 = 4653 rules.
How can this ACL be optimized to control the MAC addresses of the connected computers? Or can this ACL be attached to the uplink of the switch, changing the rule to outbound?

user_2844477 Created Jan 18, 2018 01:22:51

If you intend to allow only a set of MAC addresses on a given port, you could use the Port Security feature. Have you tried it?

http://support.huawei.com/enterprise/docinforeader!loadDocument1.action?contentId=DOC1000097287&partNo=10142

If it's not enough for you, you could try adding the ACL only to the uplink port in the outbound direction. Have you tried it?
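
The per-port rule multiplication discussed in this thread can be measured from the posted output; the Python below is an added example, not part of the original posts, and its function names are hypothetical. It assumes the 280-entry baseline from the later `dis acl resource` output also held when the 5908-entry snapshot was taken, and uses the "67 rules" count shown for ACL 4001.

```python
import re

# `display acl resource` rule rows copied from the thread: with tp4001
# applied, and after all ACLs were removed (taken here as the baseline).
APPLIED = """\
                     Vlan-ACL    Inbound-ACL  Outbound-ACL
  Rule Used               56         5908         5908
  Rule Free             4040          180          180
  Rule Total            4096         6088         6088
"""
BASELINE = """\
                     Vlan-ACL    Inbound-ACL  Outbound-ACL
  Rule Used               56          280          280
  Rule Free             4040         5808         5808
  Rule Total            4096         6088         6088
"""
# Applied-record rebuilt compactly: these ports show "fail" in the thread.
FAILED = {1, 3, 6, 25, 35}
RECORD = "".join(
    f"*interface GigabitEthernet0/0/{n}\n    traffic-policy tp4001 inbound\n"
    f"      slot 0    :  {'fail' if n in FAILED else 'success'}\n"
    for n in range(1, 48))

def rule_cell(text, row, column="Inbound-ACL"):
    """Return one cell (row = Used/Free/Total) of the rule table."""
    header = next(l for l in text.splitlines() if column in l).split()
    cells = re.search(rf"Rule {row}\s+(.+)", text).group(1).split()
    return int(cells[header.index(column)])

def applied_status(record):
    """Map interface name -> 'success' or 'fail' from the applied-record."""
    return dict(re.findall(
        r"\*interface (\S+)\s+traffic-policy \S+ \w+\s+slot \d+\s*:\s*(\w+)",
        record))

def estimate(applied, baseline, record, acl_rules):
    """Measure entries used per port and project the cost for every port."""
    status = applied_status(record)
    ok = sum(s == "success" for s in status.values())
    if ok == 0:
        raise ValueError("no successful application to measure from")
    base = rule_cell(baseline, "Used")
    per_port = (rule_cell(applied, "Used") - base) / ok
    needed = base + per_port * len(status)
    total = rule_cell(applied, "Total")
    return {"ports_ok": ok, "entries_per_port": per_port,
            "entries_per_rule": per_port / acl_rules,
            "needed_for_all_ports": needed, "capacity": total,
            "fits": needed <= total}

if __name__ == "__main__":
    print(estimate(APPLIED, BASELINE, RECORD, acl_rules=67))
```

On the thread's data this gives 134 entries per successfully applied port (2 per rule) and 6578 entries needed for all 47 ports against a capacity of 6088, which is consistent with the "Insufficient rule resource" errors.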