The customer reported that applying a packet filter on a VLAN interface failed with an error. The case was handled as follows:
(1) Check the device's ACL resources: the ACL resources were found to be almost exhausted.
(2) Review the customer's ACL configuration and where the packet filter is applied.
#
acl advanced name deny-virus
step 10
rule 0 deny tcp destination-port eq 4899
rule 1 deny udp destination-port eq 4899
rule 2 deny udp destination-port eq 22
rule 20 deny tcp destination-port eq 9996
rule 30 deny tcp destination-port eq 135
rule 40 deny tcp destination-port eq 136
rule 50 deny tcp destination-port eq 137
rule 60 deny tcp destination-port eq 138
rule 70 deny tcp destination-port eq 139
rule 80 deny tcp destination-port eq 445
rule 90 deny udp destination-port eq 135
rule 100 deny udp destination-port eq 2425
rule 110 deny tcp destination-port eq 2425
rule 120 deny udp destination-port eq 136
rule 130 deny udp destination-port eq netbios-ns
rule 140 deny udp destination-port eq netbios-dgm
rule 150 deny udp destination-port eq netbios-ssn
rule 160 deny udp destination-port eq 445
rule 170 deny udp destination-port eq 1434
rule 180 permit ip
# // Total 19 rules
This packet filter is deployed on 54 VLAN interfaces. In hardware, the device allocates a separate copy of the ACL entries for each interface the packet filter is applied to, that is, 54 x 19 = 1026 entries, which matches the ACL resource usage the customer observed.
(3) It is recommended to change to global packet filtering. The device then issues only one copy of the underlying entries and occupies only 19 ACL resources in total, freeing the remaining ACL resources.
Solution: deploy the packet filter globally instead of on each VLAN interface.
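The sizing argument above, as an added worked example (Python written for this case, not tooling from the page or from H3C): a small parser for the "acl advanced name" / "rule N deny|permit ..." syntax shown above, and a comparison of the hardware entries consumed when the filter is applied per interface versus globally. The ACL text, the interface count and the resource budget are constructed assumptions; the flat one-entry-per-rule cost model is also an assumption and may differ between platforms.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the H3C ACL syntax shown on the page
# (not the customer's full ACL): a few deny rules and a trailing permit.
SAMPLE_ACL = """\
#
acl advanced name deny-virus
 step 10
 rule 0 deny tcp destination-port eq 4899
 rule 10 deny udp destination-port eq 4899
 rule 20 deny tcp destination-port eq 445
 rule 30 deny udp destination-port eq netbios-ns
 rule 40 permit ip
#
"""

RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\s+(\S+)(.*)$")


@dataclass
class AclRule:
    number: int
    action: str
    protocol: str
    match: str  # remaining match text, e.g. "destination-port eq 445"


def parse_acl(text):
    """Return (acl_name, rules) from an 'acl advanced name ...' block."""
    name, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("acl advanced name "):
            name = line.split()[-1]
        m = RULE_RE.match(line)
        if m:
            rules.append(AclRule(int(m.group(1)), m.group(2),
                                 m.group(3), m.group(4).strip()))
    return name, rules


def entries_needed(rule_count, interfaces, mode):
    """Hardware entries consumed: one copy of the ACL per interface when the
    packet filter is applied per VLAN interface, one copy in total when global."""
    if mode == "interface":
        return rule_count * interfaces
    if mode == "global":
        return rule_count
    raise ValueError(f"unknown mode: {mode}")


def plan(text, interfaces, budget):
    """Compare both deployment modes against an ACL resource budget (assumed)."""
    _, rules = parse_acl(text)
    n = len(rules)
    report = {m: entries_needed(n, interfaces, m) for m in ("interface", "global")}
    report["fits_interface"] = report["interface"] <= budget
    report["fits_global"] = report["global"] <= budget
    return report
```

Running plan() on the real ACL and interface count from a device shows directly whether the per-interface deployment exceeds the available entries before the filter is applied.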