No specific network topology involved.
An ACL with around 20 rules was configured on the device. When the customer applied the ACL under a VLAN interface, the device reported that ACL resources were insufficient. After the commands applying the ACL were removed, display qos-acl resource showed outbound resource usage of 0 everywhere. When the same ACL was applied on a physical port of the device, the outbound resource usage shown was 610, so the ACL's resource consumption is very high.
#
acl advanced 3101
rule 0 deny tcp source-port gt 0 destination-port eq chargen
rule 5 deny tcp source-port gt 0 destination-port eq echo
rule 10 deny tcp source-port gt 0 destination-port eq 135
rule 15 deny tcp source-port gt 0 destination-port eq 136
rule 20 deny tcp source-port gt 0 destination-port eq 137
rule 25 deny tcp source-port gt 0 destination-port eq 138
rule 30 deny tcp source-port gt 0 destination-port eq 139
rule 35 deny tcp source-port gt 0 destination-port eq 389
rule 40 deny tcp source-port gt 0 destination-port eq 420
rule 45 deny tcp source-port gt 0 destination-port eq 445
rule 50 deny tcp source-port gt 0 destination-port eq 593
rule 55 deny tcp source-port gt 0 destination-port eq 1025
rule 60 deny tcp source-port gt 0 destination-port eq 1068
rule 65 deny tcp source-port gt 0 destination-port eq 1434
rule 70 deny tcp source-port gt 0 destination-port eq 3127
rule 75 deny tcp source-port gt 0 destination-port eq 3128
rule 80 deny tcp source-port gt 0 destination-port eq 3198
rule 85 deny tcp source-port gt 0 destination-port eq 3199
rule 90 deny tcp source-port gt 0 destination-port eq 4444
rule 95 deny tcp source-port gt 0 destination-port eq 5300
rule 100 deny tcp source-port gt 0 destination-port eq 5800
rule 105 deny tcp source-port gt 0 destination-port eq 5900
rule 110 deny tcp source-port gt 0 destination-port eq 5554
The ACL resource consumption depends on the ACL rules being installed into hardware. Using gt in a port-number match increases ACL resource usage.
Different devices and different chips implement this differently; the resource usage seen on site is determined by the mechanism used to install ACL rules into hardware, as follows:
On this device, installing a single rule containing source-port gt 0 in the outbound direction consumes 16 ACL entries at once.
#
acl number 3101
rule 0 permit tcp source-port gt 0 destination-port eq 1035
#
cl Hw Resource: EFP, Pipe:0
------------------------------------------------------
Pri 3, Group 5,usedEntries 16 ,mode Single, physlice 3/
===================================================
acl type usedEntries[16]
===================================================
[99 ]PktFilter IP on PORT 16
At the hardware level, L4 port numbers are installed as value+mask pairs. An eq match always occupies exactly one entry. For gt, lt and range matches, the hardware splits the port range into several mask segments according to the range boundaries; each mask segment corresponds to one hardware table entry and consumes one resource.
[S10504-2071-probe]debug qacl show chassis 1 s 2 c 0 verbose 0 acl-type 99
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/0, Entry 238, Single: 768
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 1, 0xffff
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/1, Entry 239, Single: 769
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 2, 0xfffe
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/2, Entry 240, Single: 770
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 4, 0xfffc
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/3, Entry 241, Single: 771
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 8, 0xfff8
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/4, Entry 242, Single: 772
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 16, 0xfff0
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/5, Entry 243, Single: 773
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 32, 0xffe0
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/6, Entry 244, Single: 774
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 64, 0xffc0
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/7, Entry 245, Single: 775
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 128, 0xff80
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/8, Entry 246, Single: 776
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 256, 0xff00
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/9, Entry 247, Single: 777
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 512, 0xfe00
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/10, Entry 248, Single: 778
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 1024, 0xfc00
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/11, Entry 249, Single: 779
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 2048, 0xf800
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/12, Entry 250, Single: 780
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 4096, 0xf000
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/13, Entry 251, Single: 781
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 8192, 0xe000
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/14, Entry 252, Single: 782
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 16384, 0xc000
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
========
Acl-Type PktFilter IP on PORT, Stage EFP, Pipe 0, SinglePort, Installed, Active
Prio Mjr/Sub 267/1040187391, Group 5 [5], Slice/Idx 3/15, Entry 253, Single: 783
ACL GroupNo : 3101, RuleID : 0
Rule Match --------
Out Port: 15
IP protocol: tcp
IP Type: Any IPv4 packet
L4 Source Port: 32768, 0x8000 ------------------------ sixteen entries installed in total
L4 Dst Port: 1035, 0xffff
Actions --------
Permit
Remove the gt (greater than) 0 source-port condition from the ACL rules.
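To make the mask-splitting explanation above and the effect of the fix concrete, the following Python script is an added example; it is not H3C code and does not model any particular chip. It splits an L4 port range into the minimal set of aligned value+mask blocks (the standard prefix decomposition), which reproduces the sixteen entries seen in the debug output for source-port gt 0, then totals the entries for the customer's ACL 3101 with and without the gt 0 condition. The rule parser, the named-port table and the assumption that a rule with ranges on both ports costs the product of the two segment counts are constructed for this example (the page only shows 16 x 1 for one ranged field).

```python
"""Model of how gt/lt/range L4 port matches expand into value+mask TCAM
entries, and how that drives ACL resource consumption.  Added example,
not vendor code."""

PORT_MAX = 0xFFFF
# Port names used in the case's ACL (constructed lookup table).
NAMED_PORTS = {"chargen": 19, "echo": 7}


def port_value(tok):
    """Resolve a numeric or named port token."""
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def operator_to_range(op, args):
    """Translate an ACL port operator into an inclusive [lo, hi] interval."""
    if op == "eq":
        v = port_value(args[0])
        return v, v
    if op == "gt":
        return port_value(args[0]) + 1, PORT_MAX
    if op == "lt":
        return 0, port_value(args[0]) - 1
    if op == "range":
        return port_value(args[0]), port_value(args[1])
    raise ValueError(f"unknown port operator {op!r}")


def range_to_masks(lo, hi):
    """Split [lo, hi] into the minimal list of (value, mask) pairs, each
    covering a power-of-two aligned block.  Every pair is one TCAM entry:
    eq -> 1 entry, gt 0 -> 16 entries, lt 1024 -> 1 entry, and so on."""
    if not 0 <= lo <= hi <= PORT_MAX:
        raise ValueError("empty or out-of-range port interval")
    entries = []
    cur = lo
    while cur <= hi:
        size = 1
        # Grow the block while it stays aligned to its size and inside [lo, hi].
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        entries.append((cur, PORT_MAX & ~(size - 1)))
        cur += size
    return entries


def parse_rule(line):
    """Parse 'rule N permit|deny PROTO [source-port OP ...] [destination-port OP ...]'.
    Only the port operators used in the case are handled (constructed parser)."""
    toks = line.split()
    rule = {"id": int(toks[1]), "action": toks[2], "proto": toks[3]}
    i = 4
    while i < len(toks):
        field, op = toks[i], toks[i + 1]
        nargs = 2 if op == "range" else 1
        rule[field] = operator_to_range(op, toks[i + 2:i + 2 + nargs])
        i += 2 + nargs
    return rule


def rule_entries(rule):
    """TCAM entries consumed by one rule.  Assumption: the product of the
    per-field segment counts (the page shows 16 x 1 = 16 for
    'source-port gt 0 destination-port eq N')."""
    n = 1
    for field in ("source-port", "destination-port"):
        if field in rule:
            n *= len(range_to_masks(*rule[field]))
    return n


def acl_entries(rules):
    """Total entries for a list of rule lines."""
    return sum(rule_entries(parse_rule(r)) for r in rules)


# The customer's ACL 3101 from the case, rebuilt from its destination ports.
CASE_PORTS = ["chargen", "echo", "135", "136", "137", "138", "139", "389", "420",
              "445", "593", "1025", "1068", "1434", "3127", "3128", "3198", "3199",
              "4444", "5300", "5800", "5900", "5554"]
ORIGINAL_ACL = [f"rule {5 * i} deny tcp source-port gt 0 destination-port eq {p}"
                for i, p in enumerate(CASE_PORTS)]
# Same ACL with the gt 0 source-port condition removed, as in the fix.
FIXED_ACL = [f"rule {5 * i} deny tcp destination-port eq {p}"
             for i, p in enumerate(CASE_PORTS)]

if __name__ == "__main__":
    for value, mask in range_to_masks(*operator_to_range("gt", ["0"])):
        print(f"L4 Source Port: {value}, 0x{mask:04x}")
    print("entries with source-port gt 0:", acl_entries(ORIGINAL_ACL))
    print("entries after removing gt 0:  ", acl_entries(FIXED_ACL))
```

Note that source-port gt 0 matches every TCP packet anyway (a source port of 0 is not used in practice), so the sixteen-entry expansion buys nothing; removing the condition cuts each of the 23 rules from 16 entries to 1 without changing which packets the ACL denies.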