1. "label allocation failure" message observed when adding*/removing PACL on interface after reaching the maximum number of labels allowed:
--
F340.03.22-N9K-1(config-if)# [no] ip port access-group ndb_ipacl_Ethernet1_31 in port traffic-filter ndb_label allocation failure
F340.03.22-N9K-1(config-if)# [no] ipv6 port traffic-filter ndb_ipv6acl_Ethernet1_31 in
label allocation failure
F340.03.22-N9K-1(config-if)# [no] mac port access-group ndb_macacl_Ethernet1_31
label allocation failure
--

2. Unable to decrease the number of labels allocated after reaching the maximum supported and the "label allocation failure" has happened.

*Expected to see the error message when adding new PACLs but found a particular scenario on which it prematurely happens. Please look at "Conditions" and "tac-repro" notes.
Pre-conditions:
> Has reached the maximum of labels allocated in TCAM region# 0 for PACLs - 30 for Nexus 93180YC-FX - and has IPv4 and IPv6 or MAC ACL applied. If the interface has only IPv4/IPv6 PACLs the problem shouldn't be present. BU statement for that: "We cannot delete policies where IPv4, IPv6 and MAC PACLs are present since when IPv4 ACL are removed, IPv6 and MAC needs to be atomically programmed."
--
F340.03.22-N9K-1# show system inter access resource utilization | i Tcam
L4 op labels, Tcam 0 30 0 100.00
--

1.1. Once the interface is up, try to add a new IPv4, IPv6 or MAC Port ACL:
--
F340.03.22-N9K-1(config-if)# ip port access-group ndb_ipacl_Ethernet1_30 in port traffic-filter ndb_label allocation failure
F340.03.22-N9K-1(config-if)# ipv6 port traffic-filter ndb_ipv6acl_Ethernet1_30 in
label allocation failure
F340.03.22-N9K-1(config-if)# mac port access-group ndb_macacl_Ethernet1_30
label allocation failure
--

1.1.1. The interface will remain with the first PACL applied and will ignore/reject any new one:
--
interface Ethernet1/30
  no lldp transmit
  no lldp receive
  switchport
  switchport mode trunk
  ip port access-group ndb_ipacl_Ethernet1_30 in
  mode tap-aggregation
  spanning-tree bpdufilter enable
  mtu 9198
  switchport block multicast
  switchport block unicast
  no shutdown

F340.03.22-N9K-1(config-if)# show hardware access-list interface eth1/30
slot 1
=======
Policies in ingress direction:
    Policy type   Policy Id   Policy name
------------------------------------------------------------
    PACL          91          ndb_ipacl_Ethernet1_30   <---------- only a single (the first) one in HW
--

1.1. On an interface on which the PACLs were already applied (and a label allocated for them), try to remove a PACL (or default the interface). It does not matter whether the interface is up or down:
--
Eth1/29 up:

interface Ethernet1/29
  no lldp transmit
  no lldp receive
  switchport
  switchport mode trunk
  ip port access-group ndb_ipacl_Ethernet1_29 in
  ipv6 port traffic-filter ndb_ipv6acl_Ethernet1_29 in
  mac port access-group ndb_macacl_Ethernet1_29
  mode tap-aggregation
  spanning-tree bpdufilter enable
  mtu 9198
  switchport block multicast
  switchport block unicast
  no shutdown

F340.03.22-N9K-1(config-if)# int eth1/29
F340.03.22-N9K-1(config-if)# no ip port access-group ndb_ipacl_Ethernet1_29 in
label allocation failure
--
Eth1/28 down:

interface Ethernet1/28
  no lldp transmit
  no lldp receive
  switchport
  switchport mode trunk
  ip port access-group ndb_ipacl_Ethernet1_28 in
  ipv6 port traffic-filter ndb_ipv6acl_Ethernet1_28 in
  mac port access-group ndb_macacl_Ethernet1_28
  mode tap-aggregation
  spanning-tree bpdufilter enable
  mtu 9198
  switchport block multicast
  switchport block unicast

F340.03.22-N9K-1(config-if)# int eth1/28
F340.03.22-N9K-1(config-if)# no ip port access-group ndb_ipacl_Ethernet1_28 in
label allocation failure
--

2. New PACLs will be accepted on down interfaces that had no label allocated previously, even if the maximum number of labels was reached. However, the PACL won't be programmed in hardware when the interface comes up, and no error message is shown:

interface Ethernet1/31
  no lldp transmit
  no lldp receive
  switchport
  switchport mode trunk
  ip port access-group ndb_ipacl_Ethernet1_31 in
  ipv6 port traffic-filter ndb_ipv6acl_Ethernet1_31 in
  mac port access-group ndb_macacl_Ethernet1_31
  mode tap-aggregation
  spanning-tree bpdufilter enable
  mtu 9198
  switchport block multicast
  switchport block unicast
  no shutdown

F340.03.22-N9K-1(config-if)# show hardware access-list interface eth1/31
slot 1
=======
ERROR: no ACL related hardware resources for vdc [1], interface [Ethernet1/31]
--

2.1. On these interfaces, it's possible to add/remove the PACLs if they're shut down. It won't matter anyway, as the PACLs won't be written to HW.
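Because scenario 2 fails silently, the running configuration alone cannot confirm that a PACL is enforced. The following added example (not part of the original bug report) compares the PACLs in an interface stanza with the output of `show hardware access-list interface` and flags exhausted label pools; the function names are hypothetical, the sample captures are constructed from the outputs quoted above, and the column order of the utilization line (used, free, percent) is an assumption.

```python
import re

# PACL commands as they appear in the interface stanzas on this page.
PACL_CFG = re.compile(
    r"^[ \t]*(?:ip port access-group|ipv6 port traffic-filter|"
    r"mac port access-group)[ \t]+(\S+)", re.M)
# Policy rows of 'show hardware access-list interface': "PACL <id> <name>".
PACL_HW = re.compile(r"^[ \t]*PACL[ \t]+\d+[ \t]+(\S+)", re.M)
# Assumption: the three numbers after "Tcam N" are used, free, percent.
LABELS = re.compile(r"L4 op labels, Tcam (\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)")

def missing_in_hw(stanza, hw_output):
    """PACLs present in the running-config stanza but absent from hardware."""
    programmed = set(PACL_HW.findall(hw_output))  # empty on the ERROR output
    return [name for name in PACL_CFG.findall(stanza) if name not in programmed]

def exhausted_tcams(util_output):
    """TCAM ids whose L4 op label pool has no free entries."""
    return [int(t) for t, used, free, pct in LABELS.findall(util_output)
            if int(free) == 0]

# Sample captures, constructed from the outputs quoted on this page.
ETH31_CFG = """interface Ethernet1/31
  ip port access-group ndb_ipacl_Ethernet1_31 in
  ipv6 port traffic-filter ndb_ipv6acl_Ethernet1_31 in
  mac port access-group ndb_macacl_Ethernet1_31
  no shutdown"""
ETH31_HW = ("ERROR: no ACL related hardware resources for vdc [1], "
            "interface [Ethernet1/31]")
ETH30_CFG = """interface Ethernet1/30
  ip port access-group ndb_ipacl_Ethernet1_30 in
  no shutdown"""
ETH30_HW = """Policies in ingress direction:
    Policy type   Policy Id   Policy name
    PACL          91          ndb_ipacl_Ethernet1_30"""
UTIL = "L4 op labels, Tcam 0 30 0 100.00"

if __name__ == "__main__":
    print("Eth1/31 not in HW:", missing_in_hw(ETH31_CFG, ETH31_HW))
    print("Eth1/30 not in HW:", missing_in_hw(ETH30_CFG, ETH30_HW))
    print("TCAMs with no free labels:", exhausted_tcams(UTIL))
```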
1. Use the Configure Session feature:
- Drawback: Available for manual operation only - NDB does not support Configuring Session Manager (even though NDB supports NXAPI).
--
NXOS(config-if)# configure session abc
Config Session started, Session ID is 1
NXOS(config-s)# sh run int ethernet 1/30

!Command: show running-config interface Ethernet1/30
!Running configuration last done at: Fri Jun 7 22:10:27 2019
!Time: Fri Jun 7 22:22:28 2019

version 9.2(3) Bios:version 05.33

interface Ethernet1/30
  no lldp transmit
  no lldp receive
  switchport
  switchport mode trunk
  ip port access-group ndb_ipacl_Ethernet1_30 in
  ipv6 port traffic-filter ndb_ipv6acl_Ethernet1_30 in
  mode tap-aggregation
  spanning-tree bpdufilter enable
  mtu 9198
  switchport block multicast
  switchport block unicast

NXOS(config-s)# int ethernet 1/30
NXOS(config-s-if)# no ip port access-group ndb_ipacl_Ethernet1_30 in
NXOS(config-s-if)# no ipv6 port traffic-filter ndb_ipv6acl_Ethernet1_30 in
NXOS(config-s-if)# verify
Verification Successful
NXOS(config-s)# commit
Verification successful...
Proceeding to apply configuration. This might take a while depending on amount of configuration in buffer.
Please avoid other configuration changes during this time.
Commit Successful
--

2. Set up/aggregate interfaces into a port-channel, which will reduce the number of PACLs and labels used.

3. Reload.
None.