Résolu : NCS5500 - Activate ACL based on packet-length match

axelhauguel · ‎18-08-2023

Hello all,

I have read on some forums we need to activate some functions to have packet-length matching on ACL on NCS5500.

RP/0/RP0/CPU0:core01.par2(config-ipv4-acl)#301 deny tcp any 89.116.164.0/24 packet-length eq 0

RP/0/RP0/CPU0:core01.par2(config-ipv4-acl)#commit

Fri Aug 18 23:31:42.797 CEST

% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errors

RP/0/RP0/CPU0:core01.par2(config-ipv4-acl)#show configuration failed

Fri Aug 18 23:31:47.145 CEST

!! SEMANTIC ERRORS: This configuration was rejected by

!! the system due to semantic errors. The individual

!! errors with each failed configuration command can be

!! found below.

ipv4 access-list anti-ddos-in

301 deny tcp any 89.116.164.0/24 packet-length eq 0

!!% Parameter not supported in default ACL TCAM key, check syslog for more details: Following processes generated errors

!!% process : pfilter_ea pid : 3532 node : node0_0_CPU0 rc :'dpa_feat_mgr' detected the 'warning' condition 'Parameter not supported in default ACL TCAM key, check syslog for more details'

!

end

RP/0/RP0/CPU0:core01.par2(config-ipv4-acl)#

RP/0/RP0/CPU0:core01.par2(config-ipv4-acl)#301 deny tcp any 89.116.164.0/24 packet-length eq 0 RP/0/RP0/CPU0:core01.par2(config-ipv4-acl)#commitFri Aug 18 23:31:42.797 CEST % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed [inheritance]' from this session to view the errorsRP/0/RP0/CPU0:core01.par2(config-ipv4-acl)#show configuration failedFri Aug 18 23:31:47.145 CEST!! SEMANTIC ERRORS: This configuration was rejected by !! the system due to semantic errors. The individual !! errors with each failed configuration command can be !! found below. ipv4 access-list anti-ddos-in 301 deny tcp any 89.116.164.0/24 packet-length eq 0!!% Parameter not supported in default ACL TCAM key, check syslog for more details: Following processes generated errors!!% process : pfilter_ea pid : 3532 node : node0_0_CPU0 rc :'dpa_feat_mgr' detected the 'warning' condition 'Parameter not supported in default ACL TCAM key, check syslog for more details'!end RP/0/RP0/CPU0:core01.par2(config-ipv4-acl)#

VERSION : IOS XR 7.8.1

Anyone can help me please?

Thank you!

axelhauguel · ‎18-08-2023

Maybe solved ...

RP/0/RP0/CPU0:core01.par2(config-ipv4-acl)#hw-module profile tcam format access-list ipv4 src-addr dst-addr src-port dst-port proto packet-length frag-bit port-range
Sat Aug 19 00:06:47.487 CEST
In order to activate/deactivate this ipv4 profile, you must manually reload the chassis/all line cards
RP/0/RP0/CPU0:core01.par2(config)#

Voir la solution dans l'envoi d'origine

axelhauguel · ‎18-08-2023

Maybe solved ...

RP/0/RP0/CPU0:core01.par2(config-ipv4-acl)#hw-module profile tcam format access-list ipv4 src-addr dst-addr src-port dst-port proto packet-length frag-bit port-range
Sat Aug 19 00:06:47.487 CEST
In order to activate/deactivate this ipv4 profile, you must manually reload the chassis/all line cards
RP/0/RP0/CPU0:core01.par2(config)#

NCS5500 - Activate ACL based on packet-length match

Liens rapides