Device model: S6800-2C  Version: R2702
When an outbound packet filter was applied to an interface, the device reported insufficient ACL resources and the filter was not applied.
display qos-acl resource showed the outbound (EFP) resource usage at 0%, so on the surface no resources were in use:
EFP 0 256 0 256 0%
EFP 1 256 0 256 0%
EFP 2 256 0 256 0%
EFP 3 256 0 256 0%
The total outbound resource is 1024 entries, and the ACL referenced by the packet filter has only 771 rules, which looks as though it should fit:
Advanced IPv4 ACL 3200 named ACL-GNET-OUT, 771 rules,
ACL's step is 10, start ID is 0
rule 10 permit ip source 10.99.228.0 0.0.0.255 destination 10.99.228.0 0.0.0.255 counting
rule 12 permit ip source 10.99.228.0 0.0.0.255 destination 10.99.31.0 0.0.0.255 counting
rule 15 permit icmp source 10.99.228.0 0.0.0.255 destination 10.106.253.14 0 counting
rule 15 comment permit GNET nms monitor TD interface
However, some rules match an L4 port as a range rather than a single value. One such rule must be expanded into several hardware ACL entries when it is applied, so the expanded total exceeds the 1024-entry limit. Because the filter is applied as a whole, nothing is committed when the expanded count does not fit, which is why the usage still reads 0%. Rule 94 is an example of a rule that expands:
rule 94 permit tcp source 10.62.0.0 0.0.255.255 destination 10.106.5.103 0 source-port gt 1023 destination-port eq 587 counting
The L4 port operators that expand into a range include gt, lt, neq and range; only eq matches a single port:
[H3C-acl-ipv4-adv-3999]rule 0 permit tcp source 10.62.0.0 0.0.255.255 destination 10.106.5.103 0 source-port ?
eq Equal to given port number
gt Greater than given port number
lt Less than given port number
neq Not equal to given port number
object-group Specify object group configuration information
range Between two port numbers
Solution: rewrite or merge the rules concerned (for example by avoiding gt/lt/neq where an exact port will do) so that fewer ACL resources are consumed when the filter is applied.
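The following Python script is an added example, not part of the original case or any H3C tool. It estimates how many hardware entries an ACL consumes before it is applied, assuming (as the case describes) that each port-range operator is expanded into aligned mask/prefix entries and that a rule's source-port and destination-port expansions multiply; the sample rule list is constructed and the real ASIC may use a different expansion scheme.

```python
# Added example: estimate hardware ACL entries consumed by L4 port operators.
# Assumption: gt/lt/neq/range are expanded into aligned value/mask prefixes and
# source-port entries multiply with destination-port entries (constructed model).
PORT_MAX = 65535
EFP_QUOTA = 1024  # outbound (EFP) entries quoted in the case: 4 slices x 256


def range_to_prefixes(lo, hi):
    """Split the port interval [lo, hi] into minimal aligned (value, prefix_len) blocks."""
    prefixes = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned to its own size and inside [lo, hi]
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        prefixes.append((lo, 16 - (size.bit_length() - 1)))
        lo += size
    return prefixes


def port_entries(op=None, a=None, b=None):
    """Entries needed for one port operator as typed on the CLI (eq/gt/lt/neq/range)."""
    if op is None or op == "eq":
        return 1  # no port match at all, or a single exact port
    if op == "gt":
        intervals = [(a + 1, PORT_MAX)]
    elif op == "lt":
        intervals = [(0, a - 1)]
    elif op == "range":
        intervals = [(a, b)]
    elif op == "neq":
        intervals = [(0, a - 1), (a + 1, PORT_MAX)]
    else:
        raise ValueError(f"unknown port operator {op!r}")
    return sum(len(range_to_prefixes(lo, hi)) for lo, hi in intervals if lo <= hi)


def rule_entries(src=(), dst=()):
    """One rule expands to (source-port entries) x (destination-port entries)."""
    return port_entries(*src) * port_entries(*dst)


def acl_entries(rules):
    """Total expanded entries for (src_op, dst_op) tuples and whether they fit the quota."""
    total = sum(rule_entries(s, d) for s, d in rules)
    return total, total <= EFP_QUOTA


if __name__ == "__main__":
    # constructed sample: 100 rules shaped like rule 94 plus 671 rules without port matches
    rules = [(("gt", 1023), ("eq", 587))] * 100 + [((), ())] * 671
    print(acl_entries(rules))  # 771 rules, but 1271 entries: does not fit
```

Run it over the port operators actually used in the ACL to see which rules are worth rewriting; a single "source-port gt 1023" alone multiplies a rule by six.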