search

project-arlo / sonic-mgmt-framework

SONiC Management Framework
Other
5 stars 15 forks source link

Different ACL ingress bindings to different interfaces is creating different groups #42

Open Tejaswi-Goel opened 5 years ago

Tejaswi-Goel commented 5 years ago

Different ACL ingress bindings to different interfaces is creating different groups in hardware but we expect them to be in one group:

a CLI COMMANDS: 

sonic(config-ipv4-acl)# do show ip access-lists  
ip access-list test1
     1 permit tcp 4.4.4.4/24 5.5.5.5/24
ip access-list test2
     2 permit tcp 6.6.6.6/24 8.8.8.8/24

sonic(config-ipv4-acl)# do show ip access-group
Ingress IP access-list test1 on Ethernet1
Ingress IP access-list test2 on Ethernet2

b: HARDWARE CONFIG CHECK:

**GID          6: gid=0x6**, instance=0 mode=Single, stage=Ingress lookup=Enabled, ActionResId={-1}, pbmp={0x00000000000000000000000000000000000000000000000000000001ffffffff}^M
         qset={SrcIp, DstIp, InPorts, RangeCheck, L4SrcPort, L4DstPort, EtherType, IpProtocol, TcpControl, IpType, Stage, StageIngress, IcmpTypeCode, _RangeCheckBits24_31},^M
         selcodes[0]=^M
{^M
         FPF1=4^M
         FPF2=0^M
         FPF3=7^M
         InterfaceClassSelect=3^M
         TcpClassSelect=0^M
         Intraslice=Primary slice.^M
 {_RangeCheckBits24_31->IpType->InPorts->RangeCheck->Stage->StageIngress->DstIp->SrcIp->L4SrcPort->IcmpTypeCode->L4DstPort->TcpControl->EtherType->IpProtocol},^M
^M
         group_priority= -2147483647^M
         slice_primary =  {slice_number=3, Entry count=512(0x200), Entry free=511(0x1ff)},^M
         group_status={prio_min=65534, prio_max=2147483647, entries_total=2304, entries_free=2303,^M
                       counters_total=2304, counters_free=2303, meters_total=4096, meters_free=3584}^M
EID 0x00000096: gid=0x6,^M
         slice=3, slice_idx=0, part =0 prio=0xfffe, flags=0x210602, Installed, Enabled^M
              tcam: color_indep=1, ^M
 Stage ^M
 StageIngress ^M
 DstIp ^M
    Offset0: 72 Width0: 32 ^M
    DATA=0x05050500 ^M
    MASK=0xffffff00 ^M
 SrcIp ^M
    Offset0: 104 Width0: 32 ^M
    DATA=0x04040400 ^M
    MASK=0xffffff00 ^M
 IpProtocol ^M
    Offset0: 64 Width0: 8 ^M
    DATA=0x00000006 ^M
    MASK=0x000000ff ^M
         action={act=DropCancel, param0=0(0), param1=0(0), param2=0(0), param3=0(0)}^M
         policer=^M
         statistics={stat id 129  slice = 3 idx=0 entries=1}{Bytes}{Packets}^M
**GID          7: gid=0x7**, instance=0 mode=Single, stage=Ingress lookup=Enabled, ActionResId={-1}, pbmp={0x00000000000000000000000000000000000000000000000000000001ffffffff}^M
         qset={SrcIp, DstIp, InPorts, RangeCheck, L4SrcPort, L4DstPort, EtherType, IpProtocol, TcpControl, IpType, Stage, StageIngress, IcmpTypeCode, _RangeCheckBits24_31},^M
         selcodes[0]=^M
{^M
         FPF1=4^M
         FPF2=0^M
         FPF3=7^M
         InterfaceClassSelect=3^M
         TcpClassSelect=0^M
         Intraslice=Primary slice.^M
 {_RangeCheckBits24_31->IpType->InPorts->RangeCheck->Stage->StageIngress->DstIp->SrcIp->L4SrcPort->IcmpTypeCode->L4DstPort->TcpControl->EtherType->IpProtocol},^M
^M
         group_priority= -2147483647^M
         slice_primary =  {slice_number=4, Entry count=256(0x100), Entry free=255(0xff)},^M
         group_status={prio_min=65533, prio_max=2147483647, entries_total=2048, entries_free=2047,^M
                       counters_total=2048, counters_free=2047, meters_total=4096, meters_free=3584}^M
EID 0x00000097: gid=0x7,^M
         slice=4, slice_idx=0, part =0 prio=0xfffd, flags=0x210602, Installed, Enabled^M
              tcam: color_indep=1, ^M
 Stage ^M
 StageIngress ^M
 DstIp ^M
    Offset0: 72 Width0: 32 ^M
    DATA=0x08080800 ^M
    MASK=0xffffff00 ^M
 SrcIp ^M
    Offset0: 104 Width0: 32 ^M
    DATA=0x06060600 ^M
    MASK=0xffffff00 ^M
 IpProtocol ^M
    Offset0: 64 Width0: 8 ^M
    DATA=0x00000006 ^M
    MASK=0x000000ff ^M
         action={act=DropCancel, param0=0(0), param1=0(0), param2=0(0), param3=0(0)}^M
         policer=^M
         statistics={stat id 130  slice = 4 idx=0 entries=1}{Bytes}{Packets}^M
^M^M
sachinholla commented 5 years ago

Apparently this is how ACL orcagent behaves today.. It is written specifically for MSFT usecases. Broadcom team is targeting to revamp ACL infra in next release (Buzznik).

jeff-yin commented 5 years ago

Shouldn't we leave this issue open if the behavior isn't resolved? It'll just be open for a long time, but that's ok...