Troubleshooting ACL Resource Insufficiency on S Series Switches (V200)
Overview
Many services occupy ACL resources that are limited on a switch. When ACL resources are insufficient, ACLs will fail to be applied or an ACL resource insufficiency alarm will be generated.
This document describes the fundamentals of ACL resources, the causes of ACL resource insufficiency, and several common methods for optimizing ACL resources.
This document uses Huawei S5732-H series switches running V200R019C10 as an example. The fundamentals and specifications of ACL resources may vary depending on the switch model and version.
Fundamentals of ACL Resources
ACL resources are represented by rules. When configuring ACL-related services, you need to create an ACL and configure ACL rules, and then apply the ACL in the system view, VLAN view, or interface view. After services are successfully delivered, these rules occupy ACL resources. Some services do not need to be configured with rules to occupy ACL resources. Instead, the switch implicitly delivers rules for these services. These services include security services (for example, the blacklist service), traffic rate limiting services (for example, traffic suppression and CPCAR services), and traffic statistics collection services (including CPU-bound packet statistics collection and VLAN-based traffic statistics collection). Traffic rate limiting occupies CAR resources, and traffic statistics collection occupies counter resources. The specifications of CAR resources, counter resources, and ACL resources are independent of each other.
The number of rules configured on a switch is not simply the same as the number of occupied ACL resources. The service application scope and direction also affect the number of occupied ACL resources. Generally, you can use the following formula to calculate or estimate the number of occupied ACL resources:
Number of occupied ACL resources = Number of rules x Service application scope x Service application direction
- Number of rules: Generally, one rule occupies one ACL resource. If a TCP/UDP port number range is specified in a rule, the rule may be split into multiple rules, occupying multiple ACL resources. To check the rule splitting principles, run the display acl division command and specify the corresponding port number range.
- Service application scope: number of interfaces or VLANs where a service is applied. If the service is applied globally, the value is 1.
- Service application direction: The value is 1 when a service is applied to the inbound or outbound direction. The value is 2 when the service is applied to both the inbound and outbound directions.
The following example helps you understand the consumption of ACL resources on a switch.
- Check the resource information about the ACL module on the switch. In the command output, the value of ACL Unallocated indicates that 4096 ACL resources remain unallocated, and the value of ACL Allocated indicates that 512 ACL resources have been allocated. Among the 512 allocated ACL resources, 146 are used by security services. The total number of ACL resources on the switch is therefore 4608.
<HUAWEI> display acl resource
Slot 0
GigabitEthernet0/0/1 to GigabitEthernet0/0/24
XGigabitEthernet0/0/1 to XGigabitEthernet0/0/4
                                   Used        Free        Total
----------------------------------------------------------------------------
ACL Unallocated                    -           -           4096
ACL Allocated                      146         366         512
  Sec ACL                          146         -           -
Car                                305         32463       32768
Counter                            296         65240       65536
----------------------------------------------------------------------------
- Configure ACL 3000. ACL 3000 contains two rules and is applied to the inbound direction of GE0/0/1 and GE0/0/2.
#
acl number 3000
 rule 5 permit ip destination 0.0.0.1 255.255.255.0
 rule 10 permit ip destination 0.0.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 traffic-filter inbound acl 3000
#
interface GigabitEthernet0/0/2
 traffic-filter inbound acl 3000
#
- Check the ACL resource information again. In the command output, the Ingress ACL field indicates that the number of occupied ACL resources in the inbound direction of the switch is 4, which is 2 (number of rules) x 2 (number of interfaces) x 1 (inbound direction).
<HUAWEI> display acl resource
Slot 0
GigabitEthernet0/0/1 to GigabitEthernet0/0/24
XGigabitEthernet0/0/1 to XGigabitEthernet0/0/4
                                   Used        Free        Total
----------------------------------------------------------------------------
ACL Unallocated                    -           -           3584
ACL Allocated                      150         874         1024
  Ingress ACL                      4           -           -
  Sec ACL                          146         -           -
Car                                305         32463       32768
Counter                            296         65240       65536
----------------------------------------------------------------------------
Causes of ACL Resource Insufficiency
The common causes of insufficient ACL resources are as follows:
Cause 1: Too many redundant services are configured to use ACL resources.
Many services do not take effect, or are not used for a long time after being configured, yet they continue to occupy a large number of ACL resources. Such services include traffic policy, ACL-based simplified traffic policy, local attack defense, and Packet Conservation Algorithm for Internet (iPCA).
Cause 2: Services that occupy ACL resources are not properly configured.
Some typical cases are as follows:
- A large number of rules are configured, among which some can be combined.
- Services are applied to an unnecessarily large scope, for example, too many interfaces or VLANs.
- Services are applied globally, in a VLAN, and on an interface, which overlap.
Because the number of occupied ACL resources is the product of the number of rules, the application scope, and the application direction, each of these problems multiplies the resource usage.
ACL Resource Optimization Methods
If ACL resources are insufficient due to a large number of redundant services that use ACL resources, check the configured ACL-related services and delete the services that are no longer valid or used.
This section describes how to optimize ACL resources when insufficiency is caused by inaccurate planning for services that use ACL resources. The optimization will reduce the ACL resource usage without affecting services. To facilitate your understanding of ACL resource optimization, the traffic policy service is used as an example.
For example, before the optimization, if the ACL bound to a traffic policy on a switch contains 1000 rules and the traffic policy is applied to the inbound direction of four interfaces, then the number of ACL resources to be occupied by the service is 4000, which is 1000 (number of rules) x 4 (number of interfaces) x 1 (inbound direction). However, the switch has only 3000 available ACL resources, less than the number of ACL resources required by the traffic policy, leading to a failure to deliver the traffic policy. The configuration file is as follows:
#
acl number 3000
 rule 1 permit ip source 10.1.1.1 0 destination 10.10.1.1 0
 ...   //The detailed rule configuration is omitted here.
 rule 1000 ip source 192.168.10.1 32
#
traffic classifier c1 operator and precedence 5
 if-match acl 3000
#
traffic behavior b1
 permit
 statistic enable
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 20
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/4
 port link-type access
 port default vlan 20
 traffic-policy p1 inbound
#
- You are advised to use method 1 to combine rules to reduce the number of rules.
- If method 1 has been used, you can use method 2 or method 3 to further reduce the number of occupied ACL resources. If the number of occupied ACL resources needs to be reduced significantly, you are advised to adjust the service application scope from interfaces to the entire system (global) or to configure traffic policies based on flow IDs. If there is no strict requirement on the reduction and the number of interfaces to which a traffic policy will be applied is greater than the number of VLANs to which the interfaces belong, you are advised to adjust the service application scope from interfaces to VLANs.
Table 1-1 Comparison between method 2 and method 3

| Method | Configuration Difficulty | Number of ACL Resources After Optimization | Recommended Application Scenario |
|---|---|---|---|
| Method 2: Adjust the service application scope from interfaces to VLANs. | Low | Medium | The number of interfaces to which the traffic policy will be applied is greater than the number of VLANs to which the interfaces belong. |
| Method 2: Adjust the service application scope from interfaces to the entire system (global). | Medium | Small | Applying a traffic policy (for example, permitting or denying packets) globally does not affect the actual effect on each interface. |
| Method 3: Configure a traffic policy based on the flow ID. | Relatively high | Small | Applying a traffic policy globally affects the actual effect on each interface. For example, in a CAR-based rate limiting scenario, if a traffic policy with a rate limit of 10 Mbit/s on 24 interfaces is changed to a global configuration, the total rate of the 24 interfaces on the switch changes from 240 Mbit/s to 10 Mbit/s. |
Method 1: Combining Rules to Reduce the Number of Rules
Find out the common matching conditions in the rules as well as the relationships between the rules.
Assume that the 1000 rules in the example contain the following contents:
#
acl number 3000
 rule 1 permit ip source 10.1.1.1 0 destination 10.10.1.1 0
 rule 2 permit ip source 10.1.1.2 0 destination 10.10.1.1 0
 rule 3 permit ip source 10.1.1.3 0 destination 10.10.1.1 0
 ...
 rule 255 permit ip source 10.1.1.255 0 destination 10.10.1.1 0
 rule 256 permit ip source 10.1.2.1 0 destination 10.10.1.1 0
 rule 257 permit ip source 10.1.2.2 0 destination 10.10.1.1 0
 rule 258 permit ip source 10.1.2.3 0 destination 10.10.1.1 0
 ...
 rule 510 permit ip source 10.1.2.255 0 destination 10.10.1.1 0
 ...
 rule 801 deny tcp destination-port eq www    //Port 80
 rule 802 deny tcp destination-port eq 81
 rule 803 deny tcp destination-port eq 82
 ...
 rule 830 deny tcp destination-port eq pop2   //Port 109
 rule 831 deny tcp destination-port eq pop3   //Port 110
 ...
 rule 1000 xxx
#
First, you can aggregate network segments to combine rules. Rules 1 to 510 all use the source IP address and destination IP address of packets as matching conditions, and these source IP addresses together cover all IP addresses on network segments 10.1.1.0/24 and 10.1.2.0/24. (In actual networking, we do not use a rule to match each IP address on a network segment; instead, we can configure rules to match network segments based on IP addresses and subnet masks.) Therefore, rules 1 to 510 can be combined into the following two rules:
#
acl number 3000
 rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.10.1.1 0
 rule 2 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.1.1 0
 ...
#
Second, you can combine rules that match consecutive port numbers into a rule that specifies a port number range. Rules 801 to 831 all deny TCP packets whose destination port numbers are 80 to 110, so they can be combined into the following rule:
#
acl number 3000
 ...
 rule 801 deny tcp destination-port range 80 110
 ...
#
After the rules are combined, the number of configured rules in the preceding example is reduced to 462, the number of actually delivered rules is 466 (the rule with the port number range is split into five rules), and the number of occupied ACL resources is decreased to 1864 (less than 3000), which is calculated as follows:
461 (number of rules after IP address combination) x 4 (number of interfaces) x 1 (inbound direction) + 1 (number of rules after port number combination) x 5 (number of rules split by range) x 4 (number of interfaces) x 1 (inbound direction) = 1864
This meets the ACL resource requirements for configuring the traffic policy.
After the number of delivered rules is reduced to 466 using method 1, you can use method 2 or 3 to further reduce the number of occupied ACL resources.
Method 2: Adjusting the Service Application Scope
After using method 1 to combine rules, you can use either of the following approaches to adjust the service application scope to further reduce the number of ACL resources occupied.
- Adjust the service application scope from interfaces to VLANs.
If the number of interfaces where a traffic policy will be applied is greater than the number of VLANs to which the interfaces belong and if the VLANs contain only these target interfaces, then you can apply the traffic policy to these VLANs. After the application scope is adjusted, the number of occupied ACL resources is the number of rules multiplied by the number of VLANs, which is less than the number of rules multiplied by the number of interfaces. Otherwise, you are advised to adjust the service application scope from interfaces to the entire system (global).
According to the preceding traffic policy configuration, GE1/0/1 and GE1/0/2 belong to VLAN 10, GE1/0/3 and GE1/0/4 belong to VLAN 20, and the two VLANs contain only these four interfaces. In this case, you are advised to apply the traffic policy to VLAN 10 and VLAN 20, as the number of VLANs is smaller than the number of interfaces.
After the optimization using method 1 and before the optimization using this approach in method 2, the configuration file is as follows:
#
acl number 3000
 rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.10.1.1 0
 rule 2 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.1.1 0
 ...
 rule 801 deny tcp destination-port range 80 110
 ...
 rule 1000 ip source 192.168.10.1 32
#
traffic classifier c1 operator and precedence 5
 if-match acl 3000
#
traffic behavior b1
 permit
 statistic enable
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 20
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/4
 port link-type access
 port default vlan 20
 traffic-policy p1 inbound
#
After the optimization using method 1 and this approach in method 2, the configuration file is as follows:
#
acl number 3000
 rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.10.1.1 0
 rule 2 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.1.1 0
 ...
 rule 801 deny tcp destination-port range 80 110
 ...
 rule 1000 ip source 192.168.10.1 32
#
traffic classifier c1 operator and precedence 5
 if-match acl 3000
#
traffic behavior b1
 permit
 statistic enable
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#
vlan 10
 traffic-policy p1 inbound
#
vlan 20
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 20
#
interface GigabitEthernet1/0/4
 port link-type access
 port default vlan 20
#
After the adjustment, the number of occupied ACL resources is reduced to 932, less than the number occupied after rules are combined. The calculation formula is as follows:
466 (number of rules) x 2 (number of VLANs) x 1 (inbound direction) = 932
- Adjust the service application scope from interfaces to the entire system (global).
You can apply a traffic policy globally and configure a different traffic policy on each interface where the global traffic policy should not take effect, so that the global configuration is overridden on those interfaces. This approach relies on the principle that a traffic policy applied on an interface takes precedence over a traffic policy applied globally.
According to the preceding traffic policy configuration, the traffic policy needs to take effect in the inbound direction of GE1/0/1 to GE1/0/4 but not in the inbound direction of GE1/0/5. To achieve this, apply the traffic policy globally and apply a different traffic policy (for example, p2) to GE1/0/5.
After the optimization using method 1 and this approach in method 2, the configuration file is as follows:
#
acl number 3000
 rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.10.1.1 0
 rule 2 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.1.1 0
 ...
 rule 801 deny tcp destination-port range 80 110
 ...
 rule 1000 ip source 192.168.10.1 32
#
acl number 3001
 rule 5 permit ip    //Matches all IP packets.
#
traffic classifier c1 operator and precedence 5
 if-match acl 3000
#
traffic classifier c2 operator and precedence 10
 if-match acl 3001
#
traffic behavior b1
 permit
 statistic enable
#
traffic behavior b2
 permit
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#
traffic policy p2 match-order config
 classifier c2 behavior b2
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 20
#
interface GigabitEthernet1/0/4
 port link-type access
 port default vlan 20
#
interface GigabitEthernet1/0/5
 traffic-policy p2 inbound
#
traffic-policy p1 global inbound
#
After the application scope is adjusted, the number of occupied ACL resources is reduced to 467, less than the number occupied after rules are combined. The calculation formula is as follows:
466 (number of rules) x 1 (global) x 1 (inbound direction) + 1 (number of rules) x 1 (number of interfaces) x 1 (inbound direction) = 467
This approach is generally applied to access devices that have more downlink interfaces than uplink interfaces. If the same traffic policy is applied to all downlink interfaces but no uplink interfaces of such a device, you can apply the traffic policy globally, and apply a different traffic policy on each uplink interface to disable the global traffic policy. This approach can save ACL resources.
Method 3: Configuring a Traffic Policy Based on the Flow ID
On the basis of method 1, you can use method 3 to further reduce the number of occupied ACL resources.
For the traffic policy service, when the same traffic classification rules and the same action are required on different interfaces or in different VLANs, you can save ACL resources by splitting the traffic policy into two. One policy classifies packets based on the ACL rules and re-marks a flow ID for each type of packet; the other classifies packets based on the flow ID and processes all packets with the same flow ID in the same manner. This function applies only to traffic policies applied in the inbound direction.
If this function is not configured, the number of ACL resources occupied by a traffic policy is Number of rules x Number of interfaces or VLANs x 1 (inbound direction). After this function is configured, the number of ACL resources occupied by a traffic policy is Number of rules x 1 (global) x 1 (inbound direction) + 1 (flow ID) x Number of interfaces or VLANs x 1 (inbound direction).
The configuration roadmap is as follows:
- Configure an ACL and specify rules.
In this example, the rules have been combined using method 1. The combined rules are as follows:
#
acl number 3000
 rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.10.1.1 0
 rule 2 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.1.1 0
 ...
 rule 801 deny tcp destination-port range 80 110
 ...
 rule 1000 ip source 192.168.10.1 32
#
- Configure a traffic classifier to classify packets based on the ACL rules.
In this example, a traffic classifier named c1 is configured to match packets based on ACL 3000.
#
traffic classifier c1 operator and precedence 5
 if-match acl 3000
#
- Configure a traffic behavior and run the remark flow-id command to re-mark the flow ID of packets.
Configure a traffic behavior named b3 to re-mark the flow ID of packets. For example, re-mark the flow ID to 4.
#
traffic behavior b3
 remark flow-id 4
#
- Configure a traffic policy, bind the configured traffic behavior and traffic classifier to the traffic policy, and apply the traffic policy globally.
Configure a traffic policy named p3, bind the traffic classifier c1 and traffic behavior b3 to the traffic policy, and apply the traffic policy globally in the inbound direction.
#
traffic policy p3 match-order config
 classifier c1 behavior b3
#
traffic-policy p3 global inbound
#
- Configure a traffic classifier and run the if-match flow-id command to classify packets based on the flow ID.
Configure a traffic classifier named c3 to match packets with the flow ID of 4.
#
traffic classifier c3 operator and precedence 10
 if-match flow-id 4
#
- Configure a traffic behavior to process packets matching the same flow ID in the same manner.
In this example, a traffic behavior named b1 has been configured to collect traffic statistics.
#
traffic behavior b1
 statistic enable
#
- Configure a traffic policy, bind the configured traffic behavior and traffic classifier to the traffic policy, and apply the traffic policy to interfaces or VLANs.
#
traffic policy p1 match-order config
 classifier c3 behavior b1
#
interface GigabitEthernet1/0/1
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/3
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/4
 traffic-policy p1 inbound
#
The configuration of the final traffic policy service is as follows:
#
acl number 3000
 rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.10.1.1 0
 rule 2 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.1.1 0
 ...
 rule 801 deny tcp destination-port range 80 110
 ...
 rule 1000 ip source 192.168.10.1 32
#
traffic classifier c1 operator and precedence 5
 if-match acl 3000
#
traffic classifier c3 operator and precedence 10
 if-match flow-id 4
#
traffic behavior b1
 permit
 statistic enable
#
traffic behavior b3
 remark flow-id 4
#
traffic policy p1 match-order config
 classifier c3 behavior b1
#
traffic policy p3 match-order config
 classifier c1 behavior b3
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 20
 traffic-policy p1 inbound
#
interface GigabitEthernet1/0/4
 port link-type access
 port default vlan 20
 traffic-policy p1 inbound
#
traffic-policy p3 global inbound
#
In the preceding example, after the flow ID-based traffic policy is configured, the number of occupied ACL resources is reduced to 470, less than the number occupied after rules are combined. The calculation formula is as follows:
466 (number of rules) x 1 (global) x 1 (inbound direction) + 1 (flow ID) x 4 (number of interfaces) x 1 (inbound direction) = 470
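To make the calculations in this document reproducible before a change is committed to a switch, the following Python script (an added example, not part of the Huawei document) implements the formula from "Fundamentals of ACL Resources" and recomputes the figures for the original traffic policy and for methods 1 to 3. The splitting of a port number range into several hardware rules is modelled as binary prefix decomposition; that is an assumption about the hardware, and the authoritative split is the one reported by the display acl division command.

```python
"""Estimate ACL resource consumption on a Huawei S series switch.

Added example, not from the original document. It applies the document's
formula: occupied = delivered rules x application scope x application
direction. Splitting of a TCP/UDP port range into several hardware rules
is modelled as binary prefix decomposition (an assumption; the switch's
actual splitting is shown by `display acl division`). The model reproduces
the document's figure of 5 rules for `destination-port range 80 110`.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def split_port_range(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Decompose [lo, hi] into (port, prefix_len) entries, each covering an
    aligned power-of-two block, as a TCAM value/mask pair would."""
    if not 0 <= lo <= hi <= 0xFFFF:
        raise ValueError("port range must lie within 0..65535")
    entries: List[Tuple[int, int]] = []
    cur = lo
    while cur <= hi:
        size = 1
        # Grow the block while it stays aligned on its size and inside the range.
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        entries.append((cur, 17 - size.bit_length()))  # 16-bit port field
        cur += size
    return entries


@dataclass
class Rule:
    """One configured ACL rule; port_range is (lo, hi) when a range is used."""
    port_range: Optional[Tuple[int, int]] = None

    def delivered(self) -> int:
        """Number of hardware rules this configured rule actually occupies."""
        if self.port_range is None:
            return 1
        return len(split_port_range(*self.port_range))


def acl_resources(rules: List[Rule], scope: int, directions: int) -> int:
    """Occupied resources = delivered rules x scope x direction.
    scope: number of interfaces/VLANs, or 1 for global; directions: 1 or 2."""
    if scope < 1 or directions not in (1, 2):
        raise ValueError("scope >= 1; directions is 1 (in or out) or 2 (both)")
    return sum(r.delivered() for r in rules) * scope * directions


def fits(required: int, free: int = 3000) -> bool:
    """True when the service can be delivered within the free ACL resources."""
    return required <= free


def document_example() -> Dict[str, int]:
    """Reproduce the document's traffic policy p1 figures (constructed input)."""
    before = [Rule() for _ in range(1000)]                        # 1000 rules, 4 ports
    combined = [Rule() for _ in range(461)] + [Rule((80, 110))]   # after method 1
    one_rule = [Rule()]                                           # p2 on GE1/0/5, or flow-ID match
    return {
        "before": acl_resources(before, scope=4, directions=1),
        "method1_combined": acl_resources(combined, 4, 1),
        "method2_vlan": acl_resources(combined, 2, 1),
        "method2_global": acl_resources(combined, 1, 1) + acl_resources(one_rule, 1, 1),
        "method3_flow_id": acl_resources(combined, 1, 1) + acl_resources(one_rule, 4, 1),
    }


if __name__ == "__main__":
    for name, used in document_example().items():
        print(f"{name:18s} {used:5d}  fits in 3000 free: {fits(used)}")
```

Only the "before" figure (4000) exceeds the 3000 free resources in the example; every optimized variant fits.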