Unbinding Egress ACL does not cleanup config from hardware #44

Open
Tejaswi-Goel opened this issue Jul 24, 2019 · 9 comments

@Tejaswi-Goel
Collaborator

Tejaswi-Goel commented Jul 24, 2019

a. CLI commands used:
sonic(config-ipv4-acl)# seq 1 permit tcp 4.4.4.4/24 5.5.5.5/24 //acl rule added
Success
sonic(config-ipv4-acl)# exit
sonic(config)# interface Ethernet 1 //binding ethernet1
sonic(conf-if-Ethernet1)# ip access-group test1 out
Success
sonic(conf-if-Ethernet1)# exit
b. ConfigDB
root@sonic:/usr/sbin/cli# redis-cli -n 4
127.0.0.1:6379[4]> hgetall "ACL_TABLE|test1_ACL_IPV4"

  1. "type"
  2. "L3"
  3. "ports@"
  4. "Ethernet1"
  5. "stage"
  6. "EGRESS"
    127.0.0.1:6379[4]>

In hardware no Egress rule bound to interface

Remove Egress ACL from interface fails

sonic(conf-if-Ethernet1)# no ip access-group test1 in
Failed

@sachinholla
Collaborator

@Tejaswi-Goel, please provide platform details. I see hardware programming working on TH2.

@Tejaswi-Goel
Collaborator Author

Hi @sachinholla, the platform I am using is S6000-ON (Broadcom Trident2).

@maheshwari-mayank
Collaborator

@Tejaswi-Goel Is this issue the same as issue #41? Instead of Ethernet1, please try to bind with Ethernet4 or a multiple of 4.

@Tejaswi-Goel
Collaborator Author

Tejaswi-Goel commented Jul 25, 2019

@maheshwari-mayank Hi, this time I tested on the Z9100 (TH) platform:

  1. creating IP ACL:
    sonic(config)# ip access-list test1
    Success
    sonic(config-ipv4-acl)# seq 1 permit tcp 4.4.4.4/24 5.5.5.5/24
    Success

  2. Binding egress ACL to interface
    sonic(config)# interface Ethernet 4
    sonic(conf-if-Ethernet4)# ip access-group test1 out
    Success
    sonic(conf-if-Ethernet4)# exit
    sonic(config)# interface Ethernet 0
    sonic(conf-if-Ethernet0)# ip access-group test1 out
    Success
    sonic(conf-if-Ethernet0)# do show ip ac
    access-group access-lists
    sonic(conf-if-Ethernet0)# do show ip access-group
    Egress IP access-list test1 on Ethernet0
    Egress IP access-list test1 on Ethernet4

No changes seen in hardware.

Also, a few seconds after binding the egress ACL to an interface, I see the following containers going into the exited state for a few seconds or more:
2415456da8d0 docker-syncd-brcm:latest "/usr/bin/supervisord" 11 hours ago Exited (0) 13 seconds ago
810724f8d47f docker-orchagent:latest "/usr/bin/supervisord" 11 hours ago Exited (0) 22 seconds ago

Same issue on S6000.

@sachinholla
Collaborator

Hi @Tejaswi-Goel, I didn't see the crash in our testbed. Can you provide techsupport logs? It would be better if you collect techsupport logs before the bind and after the crash.

@Tejaswi-Goel
Collaborator Author

Tejaswi-Goel commented Aug 1, 2019

Tried today on the latest arlo image: binding the egress ACL to an interface works, and the config is seen in configdb and hardware, but unbinding the egress ACL does not clean up the config from hardware, same as issue #43.

@jeff-yin
Collaborator

jeff-yin commented Sep 11, 2019

@Tejaswi-Goel -- devs are asking whether this problem is seen on other platforms. I know you tested S6000-ON; can you try on other platforms like Z9264F-ON, Z9100-ON, or S5232F-ON?

Thanks

@Tejaswi-Goel
Collaborator Author

Tejaswi-Goel commented Sep 11, 2019

> @Tejaswi-Goel -- devs are asking whether this problem is seen on other platforms. I know you tested S6000-ON; can you try on other platforms like Z9264F-ON, Z9100-ON, or S5232F-ON?
>
> Thanks

Sure, before I had tested on s6000 and z9100, will test again with the latest code.

Tejaswi-Goel changed the title from "Configuring Egress ACL to interface fails" to "Unbinding Egress ACL does not cleanup config from hardware" on Sep 11, 2019

@Tejaswi-Goel
Collaborator Author

Tejaswi-Goel commented Sep 12, 2019

Test: Check if the config is removed from hardware after unbinding the egress ACL
Platform: Z9100
Commands used to bind acl rule -
sonic(config-ipv4-acl)# seq 1 permit tcp 4.4.4.4/24 5.5.5.5/24
Success
sonic(config-ipv4-acl)# exit
sonic(config)# interface Ethernet 0
sonic(conf-if-Ethernet0)# ip access-group acl1 out
Success
sonic(conf-if-Ethernet0)# do show ip access-group
Egress IP access-list acl1 on Ethernet0

Checking in config-db
127.0.0.1:6379[4]> hgetall "ACL_TABLE|acl1_ACL_IPV4"

  1. "type"
  2. "L3"
  3. "stage"
  4. "EGRESS"
  5. "ports@"
  6. "Ethernet0"

Unbinding ACL:
sonic(conf-if-Ethernet0)# no ip access-group acl1 out
Success
Checking in config-db
127.0.0.1:6379[4]> hgetall "ACL_TABLE|acl1_ACL_IPV4"

  1. "type"
  2. "L3"
  3. "stage"
  4. "EGRESS"

Checking in Hardware
Used the command - bcmcmd -t 10 "fp show" to check in hardware, and removing the ACL from an interface does not clean up the config in hardware.
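
Added example, not part of the original thread or the project's code: a small audit that turns the ConfigDB `hgetall` replies shown above into the set of expected ACL bindings and compares it with the bindings seen in hardware, covering both failures reported in this issue (a binding never programmed, and a binding left behind after unbind). The function names are hypothetical, and because the thread does not show `fp show` output, the hardware view is passed in as hand-transcribed tuples.

```python
import re

# Constructed samples shaped like the ConfigDB replies quoted in the thread
# (before and after "no ip access-group acl1 out"). Not captured from a device.
BEFORE = '1) "type"\n2) "L3"\n3) "stage"\n4) "EGRESS"\n5) "ports@"\n6) "Ethernet0"\n'
AFTER = '1. "type"\n2. "L3"\n3. "stage"\n4. "EGRESS"\n'  # list style as rendered on the page

def parse_hgetall(text):
    """Parse HGETALL output (alternating field/value lines) into a dict."""
    items = re.findall(r'^[ \t]*\d+[.)][ \t]+"(.*)"[ \t]*$', text, re.MULTILINE)
    if len(items) % 2:
        raise ValueError("odd number of lines: truncated HGETALL output?")
    return dict(zip(items[0::2], items[1::2]))

def bindings(table, entry):
    """(table, stage, port) tuples ConfigDB expects. SONiC stores list fields
    under a key ending in '@' as comma-separated values."""
    ports = [p.strip() for p in entry.get("ports@", "").split(",")]
    stage = entry.get("stage", "").upper()
    return {(table, stage, p) for p in ports if p}

def drift(expected, in_hardware):
    """stale: programmed in hardware but no longer configured (still filtering).
    missing: configured but never programmed (traffic is not being filtered)."""
    return {"stale": sorted(in_hardware - expected),
            "missing": sorted(expected - in_hardware)}

def audit(table, hgetall_text, in_hardware):
    """Compare one ACL_TABLE entry with the hardware bindings for that table."""
    return drift(bindings(table, parse_hgetall(hgetall_text)), set(in_hardware))

if __name__ == "__main__":
    table = "acl1_ACL_IPV4"
    # Hypothetical hardware view, transcribed by hand by the operator.
    hw = {(table, "EGRESS", "Ethernet0")}
    print("after unbind:", audit(table, AFTER, hw))      # stale entry remains
    print("after bind:  ", audit(table, BEFORE, set()))  # binding never programmed
```

A non-empty `stale` list after an unbind is the condition this issue describes; a non-empty `missing` list after a bind is the condition from the first report.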

dell-engops pushed a commit that referenced this issue Nov 9, 2022
* show running-config igmp and show running-config pim fixes

* Sub-Interface support added

* running-config pim