A family inet firewall filter fails to apply to an interface under the following conditions:
- The filter action is count or policer
- The number of PFE TCAM (ternary content addressable memory) entries in use exceeds the hardware limit
This article explains how to check the maximum number of TCAM entries supported on ACX.
When configuring the firewall filter and applying it to a loopback interface, the following messages were logged:
Jan 3 07:52:00 jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_field_entry_install :failed to install entry 2570 in unit 0
Jan 3 07:52:00 jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_field_entry_install :rv -14 error "No resources for operation"
Jan 3 07:52:00 jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_rule_create :Could not install entry; unit: 0, entry: 2570, group: 16
Jan 3 07:52:00 jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_filter_create_exp :[-1] from acx_dfw_rule_create_exp term(1)
Jan 3 07:52:00 jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_change_end :Status:-1: Tcam rule add failed(old_cnt:514 for hw instance 0x680a04f0 at filter index: 65537 of IFP_FOR_Lo0_FILTER
Jan 3 07:52:00 jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_change_end :is_filter_cleanup_done set to TRUE for dfw(re-pro-lo0.0-i) type(IFP_FOR_Lo0_FILTER), new: dfw(re-pro-lo0.0-i) type (IFP_FOR_Lo0_FILTER)
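The burst of dfw errors above is the signal an operator wants to catch in syslog before users report that the filter silently never took effect. The following script is an added example, not part of the article: it matches the "ACX Error (dfw)" lines, extracts the return value, entry, group and old_cnt fields, and collapses the burst into a single record when the "No resources for operation" error is present. The sample log embeds the article's own messages (the two wrapped ones re-joined onto one line each) plus one constructed, unrelated commit line to show that other syslog traffic is ignored; the field names in the returned record are this example's own choice.

```python
"""Detect ACX dfw (firewall filter) TCAM install failures in syslog and pull
out the fields needed to correlate them with 'show pfe tcam usage'."""
import re

# Constructed sample: the six messages quoted in the article (the two wrapped
# ones re-joined onto one line each) plus one made-up, unrelated commit line.
SAMPLE_LOG = """\
Jan 3 07:52:00 jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_field_entry_install :failed to install entry 2570 in unit 0
Jan 3 07:52:00 jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_field_entry_install :rv -14 error "No resources for operation"
Jan 3 07:52:00 jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_rule_create :Could not install entry; unit: 0, entry: 2570, group: 16
Jan 3 07:52:00 jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_filter_create_exp :[-1] from acx_dfw_rule_create_exp term(1)
Jan 3 07:52:00 jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_change_end :Status:-1: Tcam rule add failed(old_cnt:514 for hw instance 0x680a04f0 at filter index: 65537 of IFP_FOR_Lo0_FILTER
Jan 3 07:52:00 jtac-ACX2100-r002 feb0 ACX Error (dfw):acx_dfw_change_end :is_filter_cleanup_done set to TRUE for dfw(re-pro-lo0.0-i) type(IFP_FOR_Lo0_FILTER), new: dfw(re-pro-lo0.0-i) type (IFP_FOR_Lo0_FILTER)
Jan 3 07:53:10 jtac-ACX2100-r002 mgd[1234]: UI_COMMIT: User 'labroot' requested 'commit' operation
"""

# Common shape of the dfw error lines: timestamp, host, fpc, function, message.
DFW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ ACX Error \(dfw\):"
    r"(?P<func>\w+) :(?P<msg>.*)$"
)
# Detail patterns found in the individual messages.
DETAIL_RES = (
    re.compile(r'rv (?P<rv>-?\d+) error "(?P<err>[^"]*)"'),
    re.compile(r"entry: (?P<entry>\d+), group: (?P<group>\d+)"),
    re.compile(r"old_cnt:(?P<old_cnt>\d+) .* filter index: (?P<filter_index>\d+) of (?P<filter_type>\S+)"),
)


def _coerce(value):
    """Turn numeric captures (including negative return values) into ints."""
    return int(value) if value.lstrip("-").isdigit() else value


def parse_dfw_errors(text):
    """Return one dict per 'ACX Error (dfw)' line, with detail fields merged in."""
    events = []
    for line in text.splitlines():
        m = DFW_RE.match(line)
        if not m:
            continue  # not a dfw error; other syslog lines are ignored
        event = {"ts": m["ts"], "host": m["host"], "func": m["func"], "msg": m["msg"]}
        for rx in DETAIL_RES:
            detail = rx.search(m["msg"])
            if detail:
                event.update({k: _coerce(v) for k, v in detail.groupdict().items()})
        events.append(event)
    return events


def summarize_tcam_failure(events):
    """Collapse a burst of dfw errors into one record when they show a TCAM
    resource failure ('No resources for operation'); otherwise return None."""
    rv_event = next((e for e in events if e.get("err") == "No resources for operation"), None)
    if rv_event is None:
        return None
    entry_event = next((e for e in events if "entry" in e), {})
    filter_event = next((e for e in events if "old_cnt" in e), {})
    return {
        "host": rv_event["host"],
        "rv": rv_event["rv"],
        "entry": entry_event.get("entry"),
        "group": entry_event.get("group"),
        "old_cnt": filter_event.get("old_cnt"),
        "filter_type": filter_event.get("filter_type"),
        "dfw_errors": len(events),
    }


if __name__ == "__main__":
    print(summarize_tcam_failure(parse_dfw_errors(SAMPLE_LOG)))
```

The summary record is what you would forward as a single alert: the host, the negative return value, the entry and group that could not be installed, the old_cnt that already exceeded the counter pool, and the filter type, which here identifies the lo0 ingress filter.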
To simplify the sample configuration, the following uses only count as the action; if the action is policer, the same result occurs.
interface-specific;
term 1 {
    from {
        source-prefix-list {
            list-1;
        }
        destination-prefix-list {
            list-2;
        }
        protocol tcp;
        destination-port telnet;
    }
    then {
        count counter_1;
        accept;
    }
}
term 2 {
    then {
        accept;
    }
}
prefix-list list-1 {
    192.168.10.1/32;
    192.168.10.2/32;
    192.168.10.3/32;
    192.168.10.4/32;
    192.168.10.5/32;
    192.168.10.6/32;
    192.168.10.7/32;
    192.168.10.8/32;
    192.168.10.9/32;
    192.168.10.10/32;
    192.168.10.11/32;
    192.168.10.12/32;
    192.168.10.13/32;
    192.168.10.14/32;
    192.168.10.15/32;
    192.168.10.16/32;
}
prefix-list list-2 {
    192.168.20.1/32;
    192.168.20.2/32;
    192.168.20.3/32;
    192.168.20.4/32;
    192.168.20.5/32;
    192.168.20.6/32;
    192.168.20.7/32;
    192.168.20.8/32;
    192.168.20.9/32;
    192.168.20.10/32;
    192.168.20.11/32;
    192.168.20.12/32;
    192.168.20.13/32;
    192.168.20.14/32;
    192.168.20.15/32;
    192.168.20.16/32;
}
Each filter requires [(x * y) + 1 default] entries, where x = 16 (source prefixes) and y = 16 (destination prefixes). Each hardware instance therefore requires 513 entries (16 * 16 * 2 + 1). This cannot be accommodated, as the maximum number of counters available is only 256.
Reduce the source/destination prefix lists so that the filter instance needs fewer TCAM entries.
The following command shows TCAM entry usage:
labroot@jtac-ACX2100-r002> show pfe tcam usage all-tcam-stages
Slot 0
Tcam Resource Stage: Pre-Ingress
--------------------------------
Free [hw-grps: 3 out of 3]
No dynamic tcam usage
Tcam Resource Stage: Ingress
----------------------------
Free [hw-grps: 6 out of 7]
Group: 8, Mode: SINGLE, Hw grps used: 1, Tcam apps: 1
                 Used   Allocated   Available   Errors
Tcam-Entries      52        256         204        0
Counters         104        256         152        0
Policers           0       2048        2048        0
Tcam Resource Stage: Egress
---------------------------
Free [hw-grps: 4 out of 4]
No dynamic tcam usage
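To turn the sizing rule and the command output above into a check you can run before committing, here is an added example that is not part of the article or of Junos: it parses the Ingress table from the "show pfe tcam usage all-tcam-stages" output (embedded here from the article so it runs offline), computes the entries and counters a prefix-list-based filter with a count action needs, and reports whether that fits the Available column. The entry formula (x * y) + 1 is the article's; the counter formula (x * y * 2) + 1 is read off the article's 16 * 16 * 2 + 1 = 513 figure and is assumed to hold in general. The article compares against the 256 allocated counters; this example compares against what is currently free, and the 16 x 16 filter fails either way. It goes one step beyond the page by searching for the largest balanced prefix-list size that still fits.

```python
"""Parse 'show pfe tcam usage all-tcam-stages' output and check whether a
prefix-list-based filter with a count action fits the Ingress stage."""
import re

# Constructed sample: the CLI output quoted in the article, embedded so the
# script runs offline.
SAMPLE_OUTPUT = """\
Slot 0
Tcam Resource Stage: Pre-Ingress
--------------------------------
Free [hw-grps: 3 out of 3]
No dynamic tcam usage
Tcam Resource Stage: Ingress
----------------------------
Free [hw-grps: 6 out of 7]
Group: 8, Mode: SINGLE, Hw grps used: 1, Tcam apps: 1
                 Used   Allocated   Available   Errors
Tcam-Entries      52        256         204        0
Counters         104        256         152        0
Policers           0       2048        2048        0
Tcam Resource Stage: Egress
---------------------------
Free [hw-grps: 4 out of 4]
No dynamic tcam usage
"""

STAGE_RE = re.compile(r"^Tcam Resource Stage:\s+(\S+)")
RESOURCE_RE = re.compile(
    r"^(Tcam-Entries|Counters|Policers)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_tcam_usage(text):
    """Return {stage: {resource: {"used", "allocated", "available", "errors"}}}.
    Stages that print 'No dynamic tcam usage' get an empty dict."""
    stages = {}
    current = None
    for line in text.splitlines():
        m = STAGE_RE.match(line)
        if m:
            current = m.group(1)
            stages[current] = {}
            continue
        m = RESOURCE_RE.match(line)
        if m and current is not None:
            used, alloc, avail, err = (int(v) for v in m.groups()[1:])
            stages[current][m.group(1)] = {
                "used": used, "allocated": alloc, "available": avail, "errors": err,
            }
    return stages


def required_resources(src_prefixes, dst_prefixes):
    """Entries and counters one filter instance needs, following the article's
    arithmetic: (x * y) + 1 default entries, and (x * y * 2) + 1 counters for a
    count action. The 2x counter factor is taken from the article's
    16 * 16 * 2 + 1 = 513 figure (assumption: it holds generally)."""
    cross = src_prefixes * dst_prefixes
    return {"Tcam-Entries": cross + 1, "Counters": cross * 2 + 1}


def filter_fits(stage_usage, src_prefixes, dst_prefixes):
    """True if the stage has enough free entries and counters for the filter."""
    need = required_resources(src_prefixes, dst_prefixes)
    return all(need[r] <= stage_usage[r]["available"] for r in need)


def max_balanced_prefix_count(stage_usage):
    """Largest n such that n source x n destination prefixes still fit."""
    n = 0
    while filter_fits(stage_usage, n + 1, n + 1):
        n += 1
    return n


if __name__ == "__main__":
    ingress = parse_tcam_usage(SAMPLE_OUTPUT)["Ingress"]
    print("16 x 16 needs:", required_resources(16, 16))
    print("16 x 16 fits:", filter_fits(ingress, 16, 16))
    print("largest balanced prefix count that fits:", max_balanced_prefix_count(ingress))
```

With the article's numbers the 16 x 16 filter needs 257 entries and 513 counters against 204 and 152 free, so counters are the binding resource; the search reports that 8 x 8 prefixes (129 counters) is the largest balanced size that fits in the remaining pool.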