
Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Optimizing ACL Resources

If the system prompts that ACL resources are insufficient when you configure a service that occupies ACL resources, the use of ACL resources on the device needs to be optimized. In addition to deleting unneeded services to release ACL resources, you can adjust the ACL application range or combine ACL rules for the services.

For example, you have run the if-match acl { acl-number | acl-name } command to configure 1K rules and applied the traffic policy associated with the ACL to the outbound direction of 40 interfaces. This configuration requires 40K ACL resources (1K rules x 40 interfaces), which exceeds the maximum outbound ACL resources (38K) supported by the device; therefore, the configuration fails. You can use either of the following methods to optimize ACL resources:

  • Method 1: Adjust ACL application range.

    If all the interfaces to which the traffic policy is applied belong to the same VLAN, or some of them belong to a VLAN that contains no interface without the traffic policy, you can apply the ACL to the VLANs (for example, VLAN 10 and VLAN 20) to which the interfaces belong instead of to each interface. After the ACL application range is adjusted, the number of occupied ACL resources is 24K (1K rules x 2 VLANs x 12 LPUs).

  • Method 2: Combine ACL rules.

    Identify the matching conditions that the ACL rules have in common and the relationships between the rules.

    For example, the following content is included in the 1K ACL rules:
    #
    acl number 3009
     rule 1 permit ip source 10.1.1.1 0 destination 10.10.1.1 0
     rule 2 permit ip source 10.1.1.2 0 destination 10.10.1.1 0
     rule 3 permit ip source 10.1.1.3 0 destination 10.10.1.1 0
     rule 4 permit ip source 10.1.1.4 0 destination 10.10.1.1 0
     ...
     rule 255 permit ip source 10.1.1.255 0 destination 10.10.1.1 0
     rule 256 permit ip source 10.1.2.1 0 destination 10.10.1.1 0
     ...
     rule 510 permit ip source 10.1.2.255 0 destination 10.10.1.1 0
     ...
     rule 801 deny tcp destination-port eq www      //Port 80
     rule 802 deny tcp destination-port eq 81
     rule 803 deny tcp destination-port eq 82
     ...
     rule 830 deny tcp destination-port eq pop2  //Port 109
     rule 831 deny tcp destination-port eq pop3  //Port 110
     ...
     rule 1000 xxx
    #
    
    Rules 1 through 510 use source and destination IP addresses as matching conditions. The source IP addresses are all the IP addresses on network segments 10.1.1.0/24 and 10.1.2.0/24. Therefore, rules 1 through 510 can be combined into the following two rules by using the IP address wildcard mask:
    #
    acl number 3009
     rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.10.1.1 0
     rule 2 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.1.1 0
     ...
    #

    After combination, rules 1 through 510 are replaced by two rules, so the 1K rules are reduced to 492 rules. The number of occupied ACL resources is reduced to 19680 (492 rules x 40 interfaces), which is lower than the upper limit of ACL resources.

    In addition, rules 801 through 831 use TCP destination ports 80-110 as the matching conditions. Therefore, you can specify the range keyword to combine rules 801 through 831 into the following rule:
    #
    acl number 3009
     ...
     rule 801 deny tcp destination-port range 80 110
     ...
    #

    After combination, rules 801 through 831 are replaced by one rule, so the 492 rules are reduced to 462 rules. The number of occupied ACL resources is reduced to 18480 (462 rules x 40 interfaces), which is lower than the upper limit of ACL resources.
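As an added illustration (not part of the Huawei document), the following Python model performs the two combining steps from Method 2 on a constructed rule set shaped like the one above and applies the resource arithmetic used on this page; the tuple representation and function names are my own assumptions, not VRP commands.

```python
"""Merge host permits into /24 wildcard rules and consecutive TCP port denies
into a range, then estimate ACL resource use as this page does (rules x points)."""
from collections import defaultdict

# Constructed sample mirroring the page: 510 host permits, 31 TCP port denies
# (80-110) and 459 unrelated rules, 1000 in total like the text's 1K rules.
def sample_rules():
    rules = [("permit", "ip", f"10.1.{n}.{h}", "10.10.1.1", None)
             for n in (1, 2) for h in range(1, 256)]
    rules += [("deny", "tcp", None, None, p) for p in range(80, 111)]
    rules += [("permit", "ip", f"172.16.{i // 256}.{i % 256}",
               f"172.17.{i // 256}.{i % 256}", None) for i in range(459)]
    return rules

def merge_rules(rules):
    """Group by (action, protocol, destination). Sources covering every host
    .1-.255 of a /24 become one wildcard rule (which also admits .0, as the
    page's combined rule does); consecutive TCP ports become one range rule."""
    groups = defaultdict(list)
    for action, proto, src, dst, port in rules:
        groups[(action, proto, dst)].append((src, port))
    out = []
    for (action, proto, dst), items in groups.items():
        if proto == "tcp" and dst is None:          # port-based deny rules
            ports = sorted(p for _, p in items)
            start = prev = ports[0]
            for p in ports[1:] + [None]:            # None flushes the last run
                if p is None or p != prev + 1:
                    body = f"eq {start}" if start == prev else f"range {start} {prev}"
                    out.append(f"{action} tcp destination-port {body}")
                    start = p
                prev = p
        else:                                       # host-based permit rules
            by_net = defaultdict(set)
            for src, _ in items:
                net, host = src.rsplit(".", 1)
                by_net[net].add(int(host))
            for net, hosts in by_net.items():
                if hosts >= set(range(1, 256)):
                    out.append(f"{action} {proto} source {net}.0 0.0.0.255 "
                               f"destination {dst} 0")
                else:
                    out += [f"{action} {proto} source {net}.{h} 0 destination {dst} 0"
                            for h in sorted(hosts)]
    return out

def acl_resources(rule_count, application_points):
    """Entries consumed: each interface (or VLAN x LPU) holds a copy of all rules."""
    return rule_count * application_points
```

Running merge_rules over sample_rules() yields the 462 rules stated above; acl_resources(1000, 40) and acl_resources(1000, 2 * 12) reproduce the 40K and 24K figures from the two methods.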

Updated: 2019-09-23

Document ID: EDOC1000178319
