
Solution to Insufficient ACL Resources at a Site

Latest reply: Feb 24, 2020 08:36:27

Hello all,

ACL resources are always insufficient on the live network. If ACLs cannot be compressed, what else can be done? The following case provides a method.

Problem

The customer has the following requirements: Configure a simplified traffic policy on the device to filter traffic based on ACLs, and then redirect the traffic that can pass through the ACLs to the next hop. The customer provides his own configuration script in the following format:

traffic-secure vlan 187 inbound acl 3120
traffic-secure vlan 188 inbound acl 3120
traffic-secure vlan 189 inbound acl 3120
traffic-secure vlan 1720 inbound acl 3120
traffic-secure vlan 1721 inbound acl 3120
traffic-secure vlan 1730 inbound acl 3120
traffic-secure vlan 1731 inbound acl 3120
traffic-secure vlan 1740 inbound acl 3120
traffic-secure vlan 1741 inbound acl 3120
traffic-redirect vlan 179 inbound acl name PBR_CLT_SACG ip-nexthop 78.0.226.124
traffic-redirect vlan 185 inbound acl name PBR_CLT_SACG ip-nexthop 78.0.226.124
traffic-redirect vlan 186 inbound acl name PBR_CLT_SACG ip-nexthop 78.0.226.124
traffic-redirect vlan 187 inbound acl name PBR_CLT_SACG ip-nexthop 78.0.226.124
traffic-redirect vlan 188 inbound acl name PBR_CLT_SACG ip-nexthop 78.0.226.124
traffic-redirect vlan 189 inbound acl name PBR_CLT_SACG ip-nexthop 78.0.226.124
traffic-redirect vlan 1720 inbound acl name PBR_CLT_SACG ip-nexthop 78.0.226.124
traffic-redirect vlan 1721 inbound acl name PBR_CLT_SACG ip-nexthop 78.0.226.124
traffic-redirect vlan 1730 inbound acl name PBR_CLT_SACG ip-nexthop 78.0.226.124
traffic-redirect vlan 1731 inbound acl name PBR_CLT_SACG ip-nexthop 78.0.226.124
traffic-redirect vlan 1740 inbound acl name PBR_CLT_SACG ip-nexthop 78.0.226.124
traffic-redirect vlan 1741 inbound acl name PBR_CLT_SACG ip-nexthop 78.0.226.124

This is only a small sample; in reality there are a large number of similar commands.

Process

When the commands were entered, the ACL configuration was found to exceed the specification: the system displayed a message indicating that resources were insufficient. We tried to use a traffic policy to solve the problem, but the calculation showed that only a few resources could be saved that way.

In this process, we found that the customer has a good habit of configuring consecutive VLANs, such as VLANs 1720, 1721, 1730, and 1731. If VLAN IDs can be combined, resources can be saved efficiently. The solution was verified in the lab, as follows.

1. Check whether consecutive VLANs are in the same mask segment.

[Figure: acl]

1720 and 1721 are in the same mask segment and can be combined; 187 and 188 cannot be combined. Use the same check for the other VLANs.

2. Create Layer 2 ACLs to combine VLANs.

(1) Configure an ACL for traffic-secure.

[Figure: acl]

The ACL contains the consecutive VLANs and their masks. Non-consecutive VLANs, such as VLAN 185, can only be added separately. Note that the mask is 0xffe.

(2) Create an ACL for traffic-redirect:

[Figure: acl]

Similarly, non-consecutive VLANs need to be added separately, which does not save resources.

3. Match the created Layer 2 ACLs with the action.

traffic-secure inbound acl 4000 acl 3120 (filters packets based on ACL 4000)

traffic-redirect inbound acl 4001 acl name PBR_CLT_SACG ip-nexthop 78.0.226.124 (redirects traffic based on ACL 4001)

After the combination, the number of configuration commands is greatly reduced, and about 3K resources are saved. (The number of saved resources varies with the configuration; you need to calculate it for your own case.)
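As an added illustration (this is not the original post's configuration or a vendor tool), the Python script below automates steps 1 and 2: it checks whether two VLANs fall in the same mask segment, folds a list of VLAN IDs into the smallest set of aligned value/mask rules, and verifies that those rules match exactly the listed VLANs and nothing else. The VLAN lists are the ones from the customer's script above; the "rule N permit vlan-id VALUE MASK" text it renders is an assumed Layer 2 ACL rule form based on the 0xffe mask the post mentions, so check it against your device's ACL reference before use.

```python
"""
VLAN ID / mask aggregation for Layer 2 ACL rules (added example, not from the post).

A rule of the form "vlan-id VALUE MASK" matches every VLAN whose 12-bit ID agrees
with VALUE on the bits set in MASK: 0xfff is an exact match, 0xffe covers an
aligned pair such as 1720/1721, 0xffc an aligned block of four, and so on.
The functions below compute the minimal exact cover of a VLAN list by such
aligned blocks and confirm that no unlisted VLAN is pulled into the match.
"""

VLAN_BITS = 12
VLAN_MASK_ALL = (1 << VLAN_BITS) - 1  # 0xfff


def same_mask_segment(a, b):
    """Step 1 of the post: can VLANs a and b share one rule with mask 0xffe?
    True only when they differ in the lowest bit alone (an aligned pair)."""
    return a ^ b == 1


def expand(value, mask):
    """All VLAN IDs in the 12-bit space matched by a (value, mask) rule."""
    return sorted(v for v in range(VLAN_MASK_ALL + 1) if (v & mask) == (value & mask))


def aggregate(vlans):
    """Greedy aligned-block cover of the wanted VLAN set.

    Blocks are dyadic (nested or disjoint), so taking the largest aligned block
    that starts at the smallest uncovered ID yields the unique minimal exact cover.
    Returns [(value, mask), ...] sorted by value.
    """
    wanted = set(vlans)
    for v in wanted:
        if not 1 <= v <= 4094:  # 0 and 4095 are reserved VLAN IDs
            raise ValueError(f"invalid VLAN ID {v}")
    rules, covered = [], set()
    for v in sorted(wanted):
        if v in covered:
            continue
        size = 1
        # grow the block while it stays aligned and every ID in it is wanted
        while v % (size * 2) == 0 and all((v + i) in wanted for i in range(size * 2)):
            size *= 2
        mask = VLAN_MASK_ALL & ~(size - 1)
        rules.append((v, mask))
        covered.update(range(v, v + size))
    return rules


def verify_exact(vlans, rules):
    """True iff the rules match exactly the listed VLANs: an over-wide mask would
    also filter or redirect traffic from VLANs the customer never asked for."""
    matched = set()
    for value, mask in rules:
        matched.update(expand(value, mask))
    return matched == set(vlans)


def render(rules, acl_number, start_id=5, step=5):
    """Render rules as assumed Huawei-style Layer 2 ACL text (verify the syntax
    against the device's ACL reference before applying)."""
    lines = [f"acl number {acl_number}"]
    rule_id = start_id
    for value, mask in rules:
        lines.append(f" rule {rule_id} permit vlan-id {value} 0x{mask:03x}")
        rule_id += step
    return "\n".join(lines)


if __name__ == "__main__":
    # VLAN lists taken from the customer's script in the post
    SECURE_VLANS = [187, 188, 189, 1720, 1721, 1730, 1731, 1740, 1741]
    REDIRECT_VLANS = [179, 185, 186] + SECURE_VLANS
    for name, vlans, acl in (("traffic-secure", SECURE_VLANS, 4000),
                             ("traffic-redirect", REDIRECT_VLANS, 4001)):
        rules = aggregate(vlans)
        assert verify_exact(vlans, rules), "cover is not exact"
        print(f"# {name}: {len(vlans)} per-VLAN commands -> {len(rules)} rules")
        print(render(rules, acl))
```

For the nine traffic-secure VLANs this produces five rules (187/0xfff, 188/0xffe, 1720/0xffe, 1730/0xffe, 1740/0xffe); the twelve traffic-redirect VLANs fold into seven, with 179 and 185 left as single entries exactly as the post describes. Run verify_exact before pushing any aggregated ACL: a mask one bit too wide silently widens both the filter and the policy-based redirect to neighbouring VLANs.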

Conclusion

Advantage of this method: it saves resources noticeably, especially when a large number of VLANs are consecutive.

Disadvantage: the requirements are strict. VLANs must be consecutive, and the configuration is complex, which is inconvenient for O&M.

I hope it is of help to you.

Created Feb 18, 2020 17:58:14

Thanks

Created Feb 24, 2020 08:36:27

thanks for sharing bro.