Multiple services with same resource

JM Montenot

Hello all,

I am facing a troubling behaviour that I can't explain.

I have two NSO services:

- 1: a service in charge of policing traffic (the service creates an ACL, a Class-Map and a Policy-Map)

- 2: a service in charge of changing tunnel dscp of packets (the service creates an ACL, a Class-Map and a Policy-Map)

I am trying to instantiate one of each service applied to the same flow (same ACL and Class-Map) on the same interface (same policy-map).

1- I create the policing service

2- I commit

3- I create the change dscp service

4 - I commit.

It works fine. When I look at the router conf, I have only one ACL, one class-map and two actions are configured in the policy-map for the class-map.

Then, I undo the first service (policing service) and here is the issue: it does delete the class-map definition (the class-map is still here but doesn't match the ACL anymore). The ACL is still here and the policy-map as well.

When I undo services in the same order as I've created them, there is no issue.

Do you have any idea about this?

It seems I need to create a new ACL and Class-Map for each service.

Thanks.

Alexandre


Jan Lindblad
Cisco Employee

What does your service code look like? Does it have if-statements checking if some relevant config is there already, and if so doesn't create it? Don't do that. For NSO to see that your service instance really depends on some data, the service should create it, even if it's already there. NSO will then do the reference counting, and remove it when the last service instance that needs it is removed.

If this doesn't answer your question, you'll have to share the logic of your code. Does it use templates? What does the resulting config look like when you display it like this:

     show full-configuration ... | display service-meta-data

Hello Jan,

No, I am not using any kind of if statements.

I can share the service but what is the best way? Just copy-paste the code?

When I instantiate one of the two services, if the ACL and class-map don't exist, it just creates them (that is normal).

Now, what I'm trying to test is instantiate a service using same ACL and class-map.

It works fine.

But if I remove only one of the two instantiated services, the behaviour varies.

When I first remove the last instantiated service, it works fine; the class-map is left as it must be.

But if I first remove the first instantiated service, then the ACL is left intact but not the class-map. The class-map is still here but the definition of the class-map (match access-group name XXX) vanishes.

The config I wish to obtain is as following:

***** Before service instantiation

    TunnelX-policy-map

**** After service 1 instantiation

    class-map match-all test-class-map
     match access-group name test-access-list
    policy-map TunnelX-policy-map
     class test-class-map
      police cir 8000
       conform-action drop
       exceed-action drop
       violate-action drop
    ip access-list extended test-access-list
     permit ip host 10.20.9.130 host 10.20.8.2 dscp ef

****** After service 1 & 2 instantiation

    class-map match-all test-class-map
     match access-group name test-access-list
    policy-map TunnelX-policy-map
     class test-class-map
      police cir 8000
       conform-action drop
       exceed-action drop
       violate-action drop
      set dscp tunnel af33
    ip access-list extended test-access-list
     permit ip host 10.20.9.130 host 10.20.8.2 dscp ef

****** After service 1 removal (EXPECTED)

    class-map match-all test-class-map
     match access-group name test-access-list
    policy-map TunnelX-policy-map
     class test-class-map
      set dscp tunnel af33
    ip access-list extended test-access-list
     permit ip host 10.20.9.130 host 10.20.8.2 dscp ef

****** After service 1 removal (WHAT I GET)

    class-map match-all test-class-map
    policy-map TunnelX-policy-map
     class test-class-map
      set dscp tunnel af33
    ip access-list extended test-access-list
     permit ip host 10.20.9.130 host 10.20.8.2 dscp ef

Thanks again.

Alexandre

Hi Jean-Marc,

Check the following command at every step of the way:

     admin@ncs% show devices device X | display service-meta-data

Regards,

Roque

Hi Roque, Jan,

Here is a copy-paste. The output is huge so I only focus on what is failing.

First service instantiation (we can see that there is an ACL configured)

        /* Refcount: 1 */
        /* Backpointer: [ /ncs:services/syr4-nc-ratelimit:syr4-nc-ratelimit[syr4-nc-ratelimit:name='test'] ] */
        class-map test-class-map {
            /* Refcount: 1 */
            match-all;
            match {
                access-group {
                    name test-access-list;
                }
            }
        }

Second service instantiation (still OK)

        /* Refcount: 2 */
        /* Backpointer: [ /ncs:services/syr4-nc-ratelimit:syr4-nc-ratelimit[syr4-nc-ratelimit:name='test'] /ncs:services/syr4-nc-changepriority:syr4-nc-changepriority[syr4-nc-changepriority:name='test2'] ] */
        class-map test-class-map {
            /* Refcount: 2 */
            match-all;
            match {
                access-group {
                    name test-access-list;
                }
            }
        }

First service removal (Not OK, why did the ACL vanish?)

        /* Refcount: 1 */
        /* Backpointer: [ /ncs:services/syr4-nc-changepriority:syr4-nc-changepriority[syr4-nc-changepriority:name='test2'] ] */
        class-map test-class-map {
            /* Refcount: 1 */
            match-all;
        }

Do you have any clue about what I'm doing wrong?

Thanks a ton!!

Hi, if you check the service-meta-data output you'll see that there's no service owner of that acl configuration (no refcounts or backpointers to a service). Now this might be a problem if the "name" inside access-group container is a leaf-list node.

Prior to NSO 4.5 shared resources on leaf-lists didn't work as expected. So if you're using an older version, updating NSO, if possible, might solve the problem.

Simon

Hi Simon,

First of all, thanks! I am not using a leaf-list, only a simple leaf. Should I use a leaf-list for this case?

Thanks

Alexandre

Hi,

Sorry, I should be more clear: I was referring to the model of the device (ios NED), not your service model. In the device model that part for the ACLs is probably modeled as a leaf-list.

When 2 services produce the same configuration, you will see 'refcount 2' on that part of the configuration, but for the acl (referring to the printout of the show command), you don't have that refcount - NSO doesn't have info that a second service produced that configuration, so when you delete the first instance that config will be gone.

In the 4.5 versions of NSO, handling of shared-resources on leaf-list nodes is done differently and an update should solve the problem. I don't know if there's any other solution, maybe Jan and Roque can have more input on that.

Simon
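
The check Simon describes can be run mechanically over `display service-meta-data` output. The following is an added example, not part of the original thread and not NSO code: the function name `unowned_leaves` and the rule it applies (a leaf with no Refcount of its own under a node whose Refcount is 2 or more) are assumptions, and the sample is the second-instantiation output quoted earlier in the thread.

```python
import re

# Constructed sample: the "second service instantiation" output from the thread.
SAMPLE = """\
        /* Refcount: 2 */
        /* Backpointer: [ /ncs:services/syr4-nc-ratelimit:syr4-nc-ratelimit[syr4-nc-ratelimit:name='test'] /ncs:services/syr4-nc-changepriority:syr4-nc-changepriority[syr4-nc-changepriority:name='test2'] ] */
        class-map test-class-map {
            /* Refcount: 2 */
            match-all;
            match {
                access-group {
                    name test-access-list;
                }
            }
        }
"""

REFCOUNT = re.compile(r"/\*\s*Refcount:\s*(\d+)\s*\*/")

def unowned_leaves(text):
    """Return (path, owner_refcount) for every leaf that carries no Refcount
    annotation while an enclosing node is shared by two or more services.
    Assumed heuristic: such a leaf is what disappears when one owner is deleted."""
    findings = []
    stack = []      # (node text, refcount or None) for each open "{" block
    pending = None  # Refcount annotation waiting for the next node
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REFCOUNT.match(line)
        if m:
            pending = int(m.group(1))
            continue
        if line.startswith("/*"):   # Backpointer or other annotation: skip
            continue
        if line.endswith("{"):
            stack.append((line[:-1].strip(), pending))
        elif line == "}":
            if stack:
                stack.pop()
        elif line.endswith(";"):
            shared = [rc for _, rc in stack if rc is not None and rc >= 2]
            if pending is None and shared:
                path = " / ".join([n for n, _ in stack] + [line[:-1]])
                findings.append((path, max(shared)))
        pending = None              # an annotation applies to one node only
    return findings
```

On the sample, `unowned_leaves(SAMPLE)` reports the `name test-access-list` leaf under the shared `class-map`, which is the line that vanished after the first service was removed.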

Hi,

Thanks again Simon! I am actually using a self-built NETCONF ned but you're giving me an important clue, this might help me. I'll try to upgrade the NSO and let you know.

Hi Simon, All,

I upgraded to version 4.5 and this issue is corrected! Thanks a lot all for your precious support.

Alexandre
