ACL Resource usage is high on S12700

Publication Date:  2017-09-23 Views:  368 Downloads:  0
Issue Description

The customer applied traffic policies referencing a large number of ACL rules to VLANs, and then found that ACL resource usage is very high on every interface card, including cards that carry none of the VLANs the policies are applied to. The same count of 2964 ingress IPv4 ACL entries shows up on slot 1, slot 2 and slot 3:

[Huawei]dis acl resource
Slot  1
XGigabitEthernet1/0/0 to XGigabitEthernet1/0/47
                   Used          Free         Total
----------------------------------------------------------------------------
  VACL             9             1015         1024

  IACL Unallocated -             -            0
  IACL Allocated   -             -            4096
    IPv4   ACL     2964          108          3072
    Sec    ACL     160           864          1024

  EACL Unallocated -             -            1024
  EACL Allocated   -             -            0

  Ingress Meter    40            4056         4096
  Egress  Meter    0             1024         1024
  Ingress Counter  122           3974         4096
  Egress  Counter  0             1024         1024

  Ingress UDF      0             8            8
----------------------------------------------------------------------------
Slot  2
GigabitEthernet2/0/0 to GigabitEthernet2/0/47
                    Used          Free         Total
-----------------------------------------------------------------------------
  ACL Unallocated   -             -            17408
  ACL Allocated     3136          447          3583
    Ingress ACL     2964          -            -
    Sec     ACL     172           -            -

  EXT Unallocated   -             -            7680
  EXT Allocated     2             510          512
    Ingress ACL     2             -            -

  Car               265           32503        32768
  Counter           178           65358        65536
-----------------------------------------------------------------------------
Slot  3
GigabitEthernet3/0/0 to GigabitEthernet3/0/47
                    Used          Free         Total
-----------------------------------------------------------------------------
  ACL Unallocated   -             -            17408
  ACL Allocated     3132          451          3583
    Ingress ACL     2964          -            -
    Sec     ACL     168           -            -

  EXT Unallocated   -             -            7680
  EXT Allocated     2             510          512
    Ingress ACL     2             -            -

  Car               263           32505        32768
  Counter           174           65362        65536
-----------------------------------------------------------------------------


The customer therefore wants to know why the ACL consumes resources on a card that does not carry the VLAN to which the traffic policy is applied.

Handling Process

This is in fact normal behaviour.
1. When a traffic policy is applied to a VLAN, the ACL entries it references are installed on every interface card, regardless of which ports carry that VLAN; port configuration is not taken into account. This is the working mechanism of the device and cannot be changed.
2. The customer configured a large number of rules in the ACLs, and the traffic policies are applied to many VLANs, so the usage on every card is correspondingly high.

Root Cause

Applying an ACL to a VLAN via a traffic policy does not depend on the port configuration, so in this case all interface cards consume ACL resources for the policy, whether or not they carry the VLAN. This is the working mechanism of the device and cannot be changed.

Solution

Whether a traffic policy should be applied to a VLAN or to a port should be decided according to the services. If every VLAN is carried on every port, applying the traffic policy to the VLAN is the better choice. If, according to the current port-to-VLAN configuration, each port carries only some of the VLANs, the ACL rules should be refined and the traffic policy applied to the individual ports instead.

Suggestions

1. If all VLANs are carried on all interfaces of the device, configure the ACL for the VLAN via a traffic policy; this requires far less maintenance.

2. If not all interfaces carry all VLANs (for example, an interface carries only one VLAN, or none at all), configure the ACL for the interface via a traffic policy; this consumes far less ACL resource.
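As an added example, not part of the original article, the two application points compared in the Solution and Suggestions above are shown side by side in VRP configuration. The ACL number 3001, the classifier/behavior/policy names c1, b1 and p1, VLAN 100, the interface GigabitEthernet2/0/1 and the 10.x.x.0/24 subnets are all placeholders chosen for illustration; the ACL, classifier, behavior and policy definitions are identical in both variants, only the view in which `traffic-policy p1 inbound` is entered differs.

```text
# --- Common part: ACL, classifier, behaviour and policy (same in both variants) ---
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.3.3.0 0.0.0.255
#
traffic classifier c1 operator or
 if-match acl 3001
#
traffic behavior b1
 permit
#
traffic policy p1
 classifier c1 behavior b1
#
# --- Variant A: apply to the VLAN. The entries of ACL 3001 are installed on every
#     interface card, including cards that have no port in VLAN 100 (the behaviour
#     explained in this article). Least maintenance when VLAN 100 is on every card.
vlan 100
 traffic-policy p1 inbound
#
# --- Variant B: apply to the port. Use this when VLAN 100 exists only on a few
#     ports, so that the ACL entries are not spent on cards that do not need them.
interface GigabitEthernet2/0/1
 port link-type access
 port default vlan 100
 traffic-policy p1 inbound
#
# --- Check per-slot usage after the change. The first command is the one shown
#     in the article; the second is assumed to be available on this platform.
display acl resource
display traffic-policy applied-record p1
```

After switching from Variant A to Variant B, the `display acl resource` output should show the ingress ACL entries for p1 only on the slot that holds GigabitEthernet2/0/1. Remove the VLAN-level application before adding the port-level one, otherwise both copies of the entries are installed and usage rises rather than falls.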

END