Method for calculating the number of ACL rules actually occupied

When you configure an ACL, the number of rules actually consumed on the device can differ from the number of rules you configured, so to plan rule resources you need to know how the device counts them. From V200R002C50, you can run display system tcam acl port-division { range begin-port-number end-port-number | eq begin-port-number | gt begin-port-number-gt | lt end-port-number-lt } to display the number of ACL rules a port match actually occupies. There are two cases:

1. If none of the N configured rules matches a Layer 4 port range (portrange):
   1) When the ACL is applied globally, the actual number occupied is N.
   2) When the ACL is applied on an interface or in VLAN view, the actual number occupied is N * (number of interfaces or VLANs it is applied to).

2. If S of the N configured rules match a Layer 4 port range, and each such rule actually occupies M rules:
   1) When the ACL is applied globally, the actual number occupied is N - S + S*M.
   2) When the ACL is applied on an interface or in VLAN view, the actual number occupied is (N - S + S*M) * (number of interfaces or VLANs it is applied to).

How M is calculated can be illustrated by example. Suppose the configuration is:

   #
   acl number 3000
    rule 5 permit tcp source-port range 100 200
   #

First convert 100 to binary, 1100100, and find the lowest bit that is 1: it is bit 2 (counting from bit 0), so the first port range is 100 to 100+2^2-1, that is 100 to 103. Next convert 104 to binary, 1101000; the lowest 1 bit is bit 3, so the second port range is 104 to 104+2^3-1, that is 104 to 111. Then convert 112 to binary, 1110000; the lowest 1 bit is bit 4, so the third port range is 112 to 112+2^4-1, that is 112 to 127.

Continuing in the same way, but never letting a range run past the upper port 200 (when the block given by the lowest 1 bit would exceed 200, take the largest power-of-two block that still fits), the fourth port range is 128 to 191, the fifth is 192 to 199, and the sixth is 200 to 200. So in this example the actual number of occupied rules is 6. Each of these ranges starts on a boundary aligned to its length, so each can be matched by a single value/mask TCAM entry, which is why the device needs one entry per range.

If a rule matches two ranges, for example:

   #
   acl number 3000
    rule 5 permit tcp source-port range 100 200 destination-port range 100 200
   #

then the actual number of occupied rules is 6 * 6, that is 36.

This post was last edited by Skay at 2018-08-03 13:31.
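A worked implementation of the decomposition above, added here as an example and not part of the original post or of any Huawei software. The function names split_port_range, to_value_mask and occupied_rules are my own; the logic is the standard range-to-aligned-blocks expansion that the post walks through by hand (lowest set bit of the current start gives the block size, shrink the block when it would overshoot the upper bound). It goes beyond the 100 to 200 example: any 16-bit port range, a rule with several ranges, and the per-interface multiplier from the formula. Written in Python so it runs without switch access.

```python
"""Worked example: how many TCAM rules a port-range ACL rule really costs.

Assumption (mine, not stated by the post): the device represents a port
range as the minimal set of value/mask blocks, which is exactly the manual
procedure in the post.
"""

MAX_PORT = 0xFFFF  # 16-bit Layer 4 port space


def split_port_range(begin, end):
    """Split [begin, end] into aligned power-of-two blocks.

    Each returned (start, last) block starts at a multiple of its length,
    so one TCAM value/mask entry matches it. The number of blocks is M in
    the post's formula.
    """
    if not (0 <= begin <= end <= MAX_PORT):
        raise ValueError("need 0 <= begin <= end <= 65535")
    blocks = []
    cur = begin
    while cur <= end:
        # Largest aligned block that may start here: the lowest set bit of
        # cur (for cur == 0 every bit is free, so the whole space fits).
        size = cur & -cur if cur else MAX_PORT + 1
        # The post's 128..191 step: shrink while the block overshoots end.
        while cur + size - 1 > end:
            size >>= 1
        blocks.append((cur, cur + size - 1))
        cur += size
    return blocks


def to_value_mask(start, last):
    """Value/mask pair for one aligned block (1 bits in mask are compared)."""
    size = last - start + 1
    if size & (size - 1) or start % size:
        raise ValueError("block is not aligned to a power-of-two length")
    return start, MAX_PORT & ~(size - 1)


def occupied_rules(rules, interfaces=None):
    """Total rules consumed by an ACL.

    rules: one list per configured rule, holding the (begin, end) port
    ranges that rule matches (empty list for a rule with no range).
    A rule with several ranges costs the product of their block counts
    (6 * 6 = 36 for the post's two-range example).
    interfaces: how many interfaces/VLANs the ACL is applied to, or None
    when it is applied globally.
    """
    total = 0
    for ranges in rules:
        m = 1
        for begin, end in ranges:
            m *= len(split_port_range(begin, end))
        total += m  # a rule without ranges contributes 1, giving N - S + S*M
    return total * (interfaces if interfaces is not None else 1)


if __name__ == "__main__":
    # rule 5 permit tcp source-port range 100 200
    for start, last in split_port_range(100, 200):
        value, mask = to_value_mask(start, last)
        print(f"{start:5d}-{last:<5d}  value 0x{value:04x} mask 0x{mask:04x}")
    print("M =", len(split_port_range(100, 200)))
    print("two ranges:", occupied_rules([[(100, 200), (100, 200)]]))
    # constructed ACL: 10 rules, 2 of them with a 100-200 range, on 4 interfaces
    acl = [[] for _ in range(8)] + [[(100, 200)], [(100, 200)]]
    print("on 4 interfaces:", occupied_rules(acl, interfaces=4))
```

The expensive ranges are the ones that straddle a large power-of-two boundary: 1 to 65534 expands to 30 entries while 0 to 65535 is a single entry, and 1023 to 1024 already costs two. When there is a choice, ranges aligned to their length (or eq/gt/lt matches) keep TCAM consumption predictable, which matters when an ACL is applied to many interfaces because the multiplier in the formula applies to the expanded count.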