CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Optimizing ACL Resources

If the system reports that ACL resources are insufficient when you configure a service that occupies ACL resources, the use of ACL resources on the device needs to be optimized. In addition to deleting unneeded services to release ACL resources, you can adjust the ACL application range or combine ACL rules for the services. The traffic policy service is used as an example here (for the ACL resource calculation method for traffic policy, see MQC Configuration - Configuration Notes in Huawei AR Series Access Routers Configuration Guide - QoS).

For example, you have run the if-match acl { acl-number | acl-name } command to configure 1K rules and applied the traffic policy associated with the ACL to the outbound direction of 8 interfaces. This configuration requires 8K ACL resources (1K rules x 8 interfaces), which exceeds the maximum outbound ACL resources (7K) supported by the device; therefore, the configuration fails. You can use either of the following methods to optimize ACL resources:

  • Method 1: Adjust ACL application range.

    If the interfaces to which the traffic policy is applied belong to the same VLAN or some of the interfaces belong to the same VLAN (the interfaces without traffic policy configured are not in this VLAN), you can apply the ACL to the VLANs (for example, VLAN 10 and VLAN 20) to which the interfaces belong. After the ACL application range is adjusted, the number of occupied ACL resources is 2K (1K rules x 2 VLANs).

  • Method 2: Combine ACL rules.

    Find out the common matching conditions in the ACL rules and relationships between the rules.

    For example, the following content is included in 1K ACL rules:
    acl number 3009
     rule 1 permit ip source 0 destination 0
     rule 2 permit ip source 0 destination 0
     rule 3 permit ip source 0 destination 0
     rule 4 permit ip source 0 destination 0
     rule 255 permit ip source 0 destination 0
     rule 256 permit ip source 0 destination 0
     rule 510 permit ip source 0 destination 0
     rule 801 deny tcp destination-port eq www      //Port 80
     rule 802 deny tcp destination-port eq 81
     rule 803 deny tcp destination-port eq 82
     rule 830 deny tcp destination-port eq pop2  //Port 109
     rule 831 deny tcp destination-port eq pop3  //Port 110
     rule 1000 xxx
    Rules 1 through 510 use source and destination IP addresses as matching conditions. Source IP addresses are all IP addresses on network segments and Therefore, rules 1 through 510 can be combined into the following two rules by using the IP address wildcard mask.
    acl number 3009
     rule 1 permit ip source destination 0
     rule 2 permit ip source destination 0

    After combination, rules 1 through 510 are reduced to 492 rules. The number of occupied ACL resources is reduced to 3936 (492 rules x 8 interfaces), which is lower than the upper limit of ACL resources.
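The two calculations above (resources = rules x application points, and folding a run of source networks into one wildcard-mask rule) as an added Python example; this is not Huawei code, and the sample networks, the 1000/7000 values for 1K/7K, and the rule text format are assumptions. The `exact` flag is the check a practitioner wants before applying Method 2: a covering wildcard that also matches addresses none of the original rules matched widens what the policy permits.

```python
import ipaddress

# Constructed sample input (assumed values, not taken from the page): 256
# source networks that would otherwise need 256 separate permit rules.
SAMPLE_SOURCES = [f"10.1.{i}.0/24" for i in range(256)]

def acl_resources(rule_count, apply_points):
    """ACL resources a traffic policy consumes: rules x application points
    (interfaces or VLANs). This is the model behind the page's 8K/2K/3936."""
    return rule_count * apply_points

def covering_rule(networks, rule_id=1):
    """Fold many source networks into one wildcard-mask rule.

    Returns (rule_text, exact). The covering block is the smallest CIDR block
    containing every input network; the wildcard is its inverted mask, as
    Huawei ACL syntax expects. `exact` is False when that block also matches
    addresses none of the original rules matched, i.e. the merge would widen
    what the policy permits and must be reviewed before it is applied.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    first = min(int(n.network_address) for n in nets)
    last = max(int(n.broadcast_address) for n in nets)
    prefix = 32
    while prefix > 0 and (first >> (32 - prefix)) != (last >> (32 - prefix)):
        prefix -= 1
    base = (first >> (32 - prefix)) << (32 - prefix)
    block = ipaddress.ip_network((base, prefix))
    exact = list(ipaddress.collapse_addresses(nets)) == [block]
    rule = f"rule {rule_id} permit ip source {block.network_address} {block.hostmask}"
    return rule, exact

def page_figures(limit=7000):
    """The three resource counts worked through on the page, assuming
    1K = 1000 rules and 7K = 7000 as the outbound limit."""
    before = acl_resources(1000, 8)             # 8000: exceeds the limit
    method1 = acl_resources(1000, 2)            # 2000: 1K rules x 2 VLANs
    method2 = acl_resources(1000 - 510 + 2, 8)  # 3936: 492 rules x 8 ports
    return {"before": before, "method1": method1, "method2": method2,
            "fits": [n <= limit for n in (before, method1, method2)]}

if __name__ == "__main__":
    print(page_figures())
    print(covering_rule(SAMPLE_SOURCES))
    # Unaligned set: 10 networks fold into a /20 that also covers 6 extra /24s.
    print(covering_rule([f"10.1.{i}.0/24" for i in range(10)], rule_id=2))
```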

Updated: 2019-08-07

Document ID: EDOC1100034077
