Comment: Trident3 must be in nonatomic update mode before you can configure ERSPAN

...

Note

If you set an output interface flag (-o) with the INPUT chain, cl-acltool reports an error. For example, running cl-acltool -i on the following rule:

    -A FORWARD,INPUT -i swp1 -o swp2 -s 10.0.14.2 -d 10.0.15.8 -p tcp -j ACCEPT

generates the following error:

    error: line 2 : output interface specified with INPUT chain error processing rule '-A FORWARD,INPUT -i swp1 -o swp2 -s 10.0.14.2 -d 10.0.15.8 -p tcp -j ACCEPT'

However, removing the -o option and its interface makes it a valid rule.
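The check behind that error can be run before handing a rules file to cl-acltool. The following is an added example, not Cumulus code and not cl-acltool's own parser: it tokenizes each rule, reads the comma-separated chain list that cl-acltool accepts after -A, and reports any rule that names INPUT together with -o, in the same shape as the error above. It assumes rule files carry section headers such as [iptables] that count as lines but are not rules, and the sample rules file is constructed.

```python
import shlex

# Constructed pre-check for cl-acltool rule files (not Cumulus's own code):
# the INPUT chain has no egress interface, so "-o" on it is rejected.
CHAINS_WITHOUT_OUTPUT = {"INPUT"}

def parse_rule(rule):
    """Parse one iptables-style rule, incl. cl-acltool's comma-separated -A chain list."""
    tokens = shlex.split(rule)
    parsed = {"chains": [], "in_if": None, "out_if": None, "target": None, "matches": []}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        # An option's value is the next token unless that is another option (or absent).
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        val = nxt if nxt is not None and not nxt.startswith("-") else None
        if tok == "-A" and val:
            parsed["chains"] = val.split(",")
        elif tok == "-i":
            parsed["in_if"] = val
        elif tok == "-o":
            parsed["out_if"] = val
        elif tok == "-j":
            parsed["target"] = val
        else:
            parsed["matches"].append((tok, val))  # -s, -d, -p, ... kept, not validated
        i += 2 if val is not None else 1
    return parsed

def lint_rules(text):
    """Return one message per offending rule, shaped like the cl-acltool error quoted above.
    Section headers such as [iptables] and comments are skipped but still count as lines."""
    errors = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue
        rule = parse_rule(line)
        if rule["out_if"] and any(c in CHAINS_WITHOUT_OUTPUT for c in rule["chains"]):
            errors.append(f"line {lineno} : output interface specified with INPUT chain "
                          f"error processing rule '{line}'")
    return errors

# Constructed sample file: the rule from the note, then the same rule with -o removed.
SAMPLE_RULES = """[iptables]
-A FORWARD,INPUT -i swp1 -o swp2 -s 10.0.14.2 -d 10.0.15.8 -p tcp -j ACCEPT
-A FORWARD,INPUT -i swp1 -s 10.0.14.2 -d 10.0.15.8 -p tcp -j ACCEPT
"""
```

Only the first rule of the sample is flagged; the second, with -o removed, passes the check just as the note describes.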

Nonatomic Update Mode and

...

Update Mode

In Cumulus Linux, atomic update mode is enabled by default. However, this mode limits the number of ACL rules that you can configure.

...

In Cumulus Linux, atomic update mode is enabled by default. If you have Tomahawk switches and plan to use SPAN and/or mangle rules, you must disable atomic update mode.

To do so, enable nonatomic update mode by setting the value for acl.non_atomic_update_mode to TRUE in /etc/cumulus/switchd.conf, then restart switchd.

...

On Tomahawk switches, when updating egress FP rules, some packets do not get counted. This results in an underreporting of counts during ping-pong or incremental switchover.

Trident II+

...

Hardware Limitations

On a Trident II+ and Trident3 switch, the TCAM allocation for ACLs is limited to 2048 rules in atomic mode for a default setup instead of 4096, as advertised for ingress rules.

Trident3 Hardware Limitations

TCAM Allocation

On a Trident3 switch, the TCAM allocation for ACLs is limited to 2048 rules in atomic mode for a default setup instead of 4096, as advertised for ingress rules.

Enable Nonatomic Mode

On a Trident3 switch, you must enable nonatomic update mode before you can configure ERSPAN. To do so, set the value for acl.non_atomic_update_mode to TRUE in /etc/cumulus/switchd.conf, then restart switchd.

    acl.non_atomic_update_mode = TRUE

Egress ACL Rules

On Trident3 switches, egress ACL rules matching on the output SVI interface match layer 3 routed packets only, not bridged packets.
To match layer 2 traffic, use egress bridge member port-based rules.

iptables Interactions with cl-acltool

...