A switch at a site failed to deliver ACLs to physical interfaces, as shown in the following figure:
The following is the ACL configuration:
rule 1 deny source 10.191.19.70 0
rule 2 deny source 10.191.19.71 0
rule 3 deny source 10.191.19.72 0
rule 4 deny source 10.191.19.73 0
rule 5 deny source 10.191.19.74 0
rule 6 deny source 10.191.19.75 0
rule 7 deny source 10.191.19.76 0
rule 8 deny source 10.191.19.77 0
rule 9 deny source 10.191.19.78 0
rule 10 deny source 10.191.19.79 0
rule 11 deny source 10.191.19.80 0
rule 12 deny source 10.191.19.81 0
rule 13 deny source 10.191.19.82 0
rule 14 deny source 10.191.19.83 0
rule 15 deny source 10.191.19.84 0
rule 16 deny source 10.191.19.85 0
rule 17 deny source 10.191.19.86 0
rule 18 deny source 10.191.19.87 0
rule 19 deny source 10.191.19.88 0
rule 20 deny source 10.191.19.89 0
rule 21 deny source 10.191.19.90 0
rule 22 deny source 10.191.19.91 0
rule 23 deny source 10.191.19.92 0
rule 24 deny source 10.191.19.93 0
rule 25 deny source 10.191.19.94 0
rule 26 deny source 10.191.19.95 0
rule 27 deny source 10.191.19.96 0
rule 28 deny source 10.191.19.97 0
rule 29 deny source 10.191.19.98 0
rule 30 deny source 10.191.19.99 0
rule 31 deny source 10.191.19.103 0
rule 32 deny source 10.191.19.104 0
rule 33 deny source 10.191.19.105 0
rule 34 deny source 10.191.19.106 0
rule 35 deny source 10.191.19.107 0
rule 36 deny source 10.191.19.108 0
rule 37 deny source 10.191.19.109 0
rule 38 deny source 10.191.19.110 0
rule 39 deny source 10.191.19.111 0
rule 40 deny source 10.191.19.112 0
rule 41 deny source 10.191.19.113 0
rule 42 deny source 10.191.19.114 0
rule 43 deny source 10.191.19.115 0
rule 44 deny source 10.191.19.116 0
rule 45 deny source 10.191.19.117 0
rule 46 deny source 10.191.19.118 0
rule 47 deny source 10.191.19.119 0
rule 48 deny source 10.191.19.120 0
rule 49 deny source 10.191.19.121 0
rule 50 deny source 10.191.19.122 0
rule 51 deny source 10.191.19.123 0
rule 52 deny source 10.191.19.124 0
rule 53 deny source 10.191.19.125 0
rule 54 deny source 10.191.19.127 0
rule 55 deny source 10.191.19.128 0
rule 56 deny source 10.191.19.129 0
rule 57 deny source 10.191.19.130 0
rule 58 deny source 10.191.19.131 0
rule 59 deny source 10.191.19.132 0
rule 60 deny source 10.191.19.133 0
rule 61 deny source 10.191.19.134 0
rule 62 deny source 10.191.19.135 0
rule 63 deny source 10.191.19.136 0
rule 64 deny source 10.191.19.137 0
rule 65 deny source 10.191.19.138 0
rule 66 deny source 10.191.19.139 0
rule 67 deny source 10.191.19.140 0
rule 68 deny source 10.191.19.141 0
rule 69 deny source 10.191.19.142 0
rule 70 deny source 10.191.19.143 0
rule 71 deny source 10.191.19.144 0
rule 72 deny source 10.191.19.145 0
rule 73 deny source 10.191.19.146 0
rule 74 deny source 10.191.19.147 0
rule 75 deny source 10.191.19.148 0
rule 76 deny source 10.191.19.149 0
rule 77 deny source 10.191.19.150 0
rule 78 deny source 10.191.19.151 0
rule 79 deny source 10.191.19.152 0
rule 80 deny source 10.191.19.153 0
rule 81 deny source 10.191.19.154 0
rule 82 deny source 10.191.19.155 0
rule 83 deny source 10.191.19.156 0
rule 84 deny source 10.191.19.157 0
rule 85 deny source 10.191.19.158 0
rule 86 deny source 10.191.19.159 0
rule 87 deny source 10.191.19.160 0
rule 88 deny source 10.191.19.161 0
rule 89 deny source 10.191.19.162 0
rule 90 deny source 10.191.19.163 0
rule 91 deny source 10.191.19.164 0
rule 92 deny source 10.191.19.165 0
rule 93 deny source 10.191.19.166 0
rule 94 deny source 10.191.19.167 0
rule 95 deny source 10.191.19.168 0
rule 96 deny source 10.191.19.169 0
rule 97 deny source 10.191.19.170 0
rule 98 deny source 10.191.19.171 0
rule 99 deny source 10.191.19.172 0
rule 100 deny source 10.191.19.173 0
rule 101 deny source 10.191.19.174 0
rule 102 deny source 10.191.19.175 0
rule 103 deny source 10.191.19.176 0
rule 104 deny source 10.191.19.177 0
rule 105 deny source 10.191.19.178 0
rule 106 deny source 10.191.19.179 0
rule 107 deny source 10.191.19.180 0
rule 108 deny source 10.191.19.181 0
rule 109 deny source 10.191.19.182 0
rule 110 deny source 10.191.19.183 0
rule 111 deny source 10.191.19.184 0
rule 112 deny source 10.191.19.185 0
rule 113 deny source 10.191.19.186 0
rule 114 deny source 10.191.19.187 0
rule 115 deny source 10.191.19.188 0
rule 116 deny source 10.191.19.189 0
rule 117 deny source 10.191.19.190 0
rule 118 deny source 10.191.19.191 0
rule 119 deny source 10.191.19.192 0
rule 120 deny source 10.191.19.193 0
rule 121 deny source 10.191.19.194 0
rule 122 deny source 10.191.19.195 0
rule 123 deny source 10.191.19.196 0
rule 124 deny source 10.191.19.197 0
rule 125 deny source 10.191.19.198 0
rule 126 deny source 10.191.19.199 0
rule 127 deny source 10.191.19.200 0
rule 128 deny source 10.191.19.201 0
rule 129 deny source 10.191.19.202 0
rule 130 deny source 10.191.19.203 0
rule 131 deny source 10.191.19.204 0
rule 132 deny source 10.191.19.205 0
rule 133 deny source 10.191.19.206 0
rule 134 deny source 10.191.19.207 0
rule 135 deny source 10.191.19.208 0
rule 136 deny source 10.191.19.209 0
rule 137 deny source 10.191.19.210 0
rule 138 deny source 10.191.19.211 0
rule 139 deny source 10.191.19.212 0
rule 140 deny source 10.191.19.213 0
rule 141 deny source 10.191.19.214 0
rule 142 deny source 10.191.19.215 0
rule 143 deny source 10.191.19.216 0
rule 144 deny source 10.191.19.217 0
rule 145 deny source 10.191.19.218 0
rule 146 deny source 10.191.19.219 0
rule 147 deny source 10.191.19.220 0
rule 148 deny source 10.191.19.221 0
rule 149 deny source 10.191.19.222 0
rule 150 deny source 10.191.19.223 0
rule 151 deny source 10.191.19.224 0
rule 152 deny source 10.191.19.225 0
rule 153 deny source 10.191.19.226 0
rule 154 deny source 10.191.19.227 0
rule 155 deny source 10.191.19.228 0
rule 156 deny source 10.191.19.229 0
rule 157 deny source 10.191.19.230 0
rule 158 deny source 10.191.19.231 0
rule 159 deny source 10.191.19.232 0
rule 160 deny source 10.191.19.233 0
rule 161 deny source 10.191.19.234 0
rule 162 deny source 10.191.19.235 0
rule 163 deny source 10.191.19.236 0
rule 164 deny source 10.191.19.237 0
rule 165 deny source 10.191.19.238 0
rule 166 deny source 10.191.19.239 0
rule 167 deny source 10.191.19.240 0
rule 168 deny source 10.191.19.241 0
rule 169 deny source 10.191.19.242 0
rule 170 deny source 10.191.19.243 0
rule 171 deny source 10.191.19.244 0
rule 172 deny source 10.191.19.245 0
rule 173 deny source 10.191.19.246 0
rule 174 deny source 10.191.19.247 0
rule 175 deny source 10.191.19.248 0
rule 176 deny source 10.191.19.249 0
rule 177 deny source 10.191.19.250 0
rule 178 deny source 10.191.19.251 0
rule 179 deny source 10.191.19.252 0
rule 180 deny source 10.191.19.253 0
rule 181 deny source 10.191.19.254 0
rule 182 deny source 10.191.19.255 0
rule 300 permit
Judging from the ACL itself, the likely cause is the excessive number of rules, which leads to insufficient resources when the ACL is delivered to the interface. Check the system log to locate the problem more precisely.
The system log shows the following message:
%Jun 17 00:00:16:008 2000 LZ-KJZ-1 FILTER/5/FLT_SET_POLICY_RESOURCE_FAIL: Failed to apply the filter policy to or refresh the filter policy 2000 on interface GigabitEthernet1/0/46 due to lack of resources.
Based on the log message, it can be basically determined that the delivery failure is caused by the excessive number of ACL rules.
The ACL configuration needs to be optimized and then applied again. The specific configuration is as follows:
acl number 2020
rule 1 deny source 10.191.19.70 0.0.0.255
rule 11 deny source 10.191.19.80 0.0.0.15
rule 12 deny source 10.191.19.96 0.0.0.15
rule 13 deny source 10.191.19.112 0.0.0.15
rule 14 deny source 10.191.19.128 0.0.0.127
quit
interface GigabitEthernet1/0/46
port access vlan 16
loopback-detection enable
loopback-detection action shutdown
packet-filter 2020 inbound
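Before an aggregated ACL replaces a host-by-host one, it is worth checking that both deny the same sources. The script below is an added example, not part of the original case or any vendor tool: it evaluates wildcard-mask rules over 10.191.19.0/24 and reports the difference between the original listing and the optimized rules. The function names are hypothetical, and it assumes rules are matched in rule-ID order and that unmatched traffic is permitted.

```python
import ipaddress
import re

NET = ipaddress.ip_network("10.191.19.0/24")
RULE = re.compile(r"rule\s+(\d+)\s+(deny|permit)(?:\s+source\s+(\S+)\s+(\S+))?")

def parse(config):
    """Return (id, action, base, care_mask) tuples in rule-ID order."""
    rules = []
    for rid, action, addr, wild in RULE.findall(config):
        if not addr:                 # "rule 300 permit": matches any source
            addr, wild = "0.0.0.0", "255.255.255.255"
        if wild == "0":              # "0" is shorthand for a single host
            wild = "0.0.0.0"
        care = ~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF
        rules.append((int(rid), action, int(ipaddress.ip_address(addr)) & care, care))
    return sorted(rules)

def denied(config):
    """Last octets in NET whose first matching rule is a deny."""
    rules, out = parse(config), set()
    for host in NET:
        h = int(host)
        # Hosts that match no rule are left out (assumption: default permit).
        for _, action, base, care in rules:
            if h & care == base:     # first match wins
                if action == "deny":
                    out.add(h & 0xFF)
                break
    return out

def compare(original, optimized):
    """Return (octets newly denied, octets no longer denied)."""
    a, b = denied(original), denied(optimized)
    return sorted(b - a), sorted(a - b)

# Original ACL rebuilt from the listing above: .70-.99, .103-.125, .127-.255
ORIG_OCTETS = [*range(70, 100), *range(103, 126), *range(127, 256)]
ORIGINAL = "\n".join(f"rule {i} deny source 10.191.19.{o} 0"
                     for i, o in enumerate(ORIG_OCTETS, 1)) + "\nrule 300 permit"
OPTIMIZED = """rule 1 deny source 10.191.19.70 0.0.0.255
rule 11 deny source 10.191.19.80 0.0.0.15
rule 12 deny source 10.191.19.96 0.0.0.15
rule 13 deny source 10.191.19.112 0.0.0.15
rule 14 deny source 10.191.19.128 0.0.0.127"""

if __name__ == "__main__":
    print("as written:", compare(ORIGINAL, OPTIMIZED))
    print("rules 11-14 only:", compare(ORIGINAL, OPTIMIZED.split("\n", 1)[1]))
```

As written, rule 1's wildcard 0.0.0.255 ignores the last octet, so it denies every source in 10.191.19.0/24. Rules 11 to 14 on their own additionally deny .100-.102 and .126, which the original ACL did not deny, and leave .70-.79 uncovered.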