105X ACL deployment failed with insufficient resource prompts

2020-04-01 01:37:40 Published

Network Topology

Null

Problem Description

The customer found that deploying packet filtering on a VLAN interface failed, and the following error was reported:

Process Analysis

(1) Check the ACL resources of the device: the ACL resources are found to be almost used up.


(2) View the customer's ACL configuration and the packet-filter application.

#
acl advanced name deny-virus
 step 10
 rule 0 deny tcp destination-port eq 4899
 rule 1 deny udp destination-port eq 4899
 rule 2 deny udp destination-port eq 22
 rule 20 deny tcp destination-port eq 9996
 rule 30 deny tcp destination-port eq 135
 rule 40 deny tcp destination-port eq 136
 rule 50 deny tcp destination-port eq 137
 rule 60 deny tcp destination-port eq 138
 rule 70 deny tcp destination-port eq 139
 rule 80 deny tcp destination-port eq 445
 rule 90 deny udp destination-port eq 135
 rule 100 deny udp destination-port eq 2425
 rule 110 deny tcp destination-port eq 2425
 rule 120 deny udp destination-port eq 136
 rule 130 deny udp destination-port eq netbios-ns
 rule 140 deny udp destination-port eq netbios-dgm
 rule 150 deny udp destination-port eq netbios-ssn
 rule 160 deny udp destination-port eq 445
 rule 170 deny udp destination-port eq 1434
 rule 180 permit ip
#    // 19 rules in total

This packet filter is applied on 54 VLAN interfaces. At the hardware layer the device allocates a separate copy of the ACL for every interface it is applied on, so packet filtering consumes 54 × 19 = 1026 ACL entries, which matches the ACL resource usage the customer observed.

(3) It is recommended to switch to global packet filtering. The device then pushes only one copy of the ACL to hardware and occupies only 19 ACL entries, which frees the ACL resources.

Solution

Deploy the packet filter globally instead of on each VLAN interface.
