昨天下午17點多發生一台cisco不明原因的網路不通
早上去查了一下
找不到原因
只好把昨天早上的config 備份倒回去
說也奇怪 就正常了

到了今天中午
宿舍的4台cisco一起出問題
查了一下log如下
Jul 30 11:10:27 GMT+8: %ACL_ERRMSG-4-UNLOADED: 1 fed:  Output IP Vlan ACL on interface Vlan206 for label 3 on asic255 could not be programmed in hardware and traffic will be dropped.
Jul 30 11:10:27 GMT+8: %ACL_ERRMSG-4-UNLOADED: 1 fed:  Output IP Vlan ACL on interface Vlan207 for label 3 on asic255 could not be programmed in hardware and traffic will be dropped.
Jul 30 11:10:27 GMT+8: %ACL_ERRMSG-4-UNLOADED: 1 fed:  Output IP Vlan ACL on interface Vlan208 for label 3 on asic255 could not be programmed in hardware and traffic will be dropped.
Jul 30 11:10:27 GMT+8: %ACL_ERRMSG-4-UNLOADED: 1 fed:  Output IP Vlan ACL on interface Vlan209 for label 3 on asic255 could not be programmed in hardware and traffic will be dropped.
Jul 30 11:10:27 GMT+8: %ACL_ERRMSG-4-UNLOADED: 1 fed:  Output IP Vlan ACL on interface Vlan210 for label 3 on asic255 could not be programmed in hardware and traffic will be dropped.

詢問廠商後得到這樣的回答

原廠對3850/3650 ACL限制的說明,

ACL TCAM (TAQ)有2塊,分別為in與out,但VACL只能使用其中1塊.限制如下:

1.VACL  => 1.5K 筆 (最多,不分in,out)

2.MAC VACL => 單向460筆(in,out分開算)

3.IPv4 VACL  => 單向690筆(in,out分開算)

4.IPv4 PACL,RACL => 單向1380筆(in,out分開算)

5.MAC PACL,RACL =>單向690筆(in,out分開算)

6.IPv6 PACL,RACL =>單向690筆(in,out分開算)



VLAN Access Control List (VACL) − A VACL is an ACL that is applied to a VLAN. It can only be applied to a VLAN and no other type of interface. The security boundary is to permit or deny traffic that moves between VLANs and permit or deny traffic within a VLAN. The VLAN ACL is supported in hardware, and has no effect on the performance.

Port Access Control List (PACL) − A PACL is an ACL applied to a Layer 2 switchport interface. The security boundary is to permit or deny traffic within a VLAN. The PACL is supported in hardware and has no effect on the performance.

Router ACL (RACL) − An RACL is an ACL that is applied to an interface that has a Layer 3 address assigned to it. It can be applied to any port that has an IP address such as routed interfaces, loopback interfaces, and VLAN interfaces. The security boundary is to permit or deny traffic that moves between subnets or n

意思就是說當acl下超過690條後 机器就會不正常了
XD
cisco吔

為什麼以前都沒發生過咧

不知是因為最近snort升到 2.9.7.5 所以 port scan變的比較敏感
還是port scan真的變多了

反正先改了一下程式
要block的ip直接下到fortiget而不先進LP了
看來也沒啥好方法可以處理了