Many services use ACL rules to control packets, and these rules occupy ACL resources, which are limited on the device. If the number of occupied ACL resources reaches the upper limit, new services cannot be delivered; the device keeps running, and services that already have ACLs applied are not affected.
To optimize ACL resources, you need to know how ACL rules occupy ACL resources. Generally, the number of occupied ACL resources is calculated as follows:
Number of occupied ACL resources = Number of ACL rules x ACL application scope (Number of interfaces or Number of VLANs or 1 if the ACL is applied globally) x ACL application direction (1 for inbound and 1 for outbound, and 2 for inbound and outbound)
For example, if an ACL containing 1K rules is referenced using the if-match acl { acl-number | acl-name } command and the traffic policy that references the ACL is applied in the outbound direction of 8 interfaces, then a total of 8K (1K rules x 8 interfaces x 1 direction) ACL resources are occupied.
Note that the number of ACL rules configured on the device is not necessarily the same as the number of ACL resources actually occupied. The calculation method varies with factors such as the hardware chip and the type of service to which the ACL is applied.
In the preceding traffic policy example, if the device supports a maximum of 7K downstream ACL resources, the service cannot be configured. You can use any of the following methods to optimize ACL resource usage so that the service can be successfully configured:
Method 2: Adjust the ACL application range.
If the interfaces with the traffic policy applied belong to the same VLAN or if some of the interfaces belong to the same VLAN and the interfaces without traffic policy configured are not in this VLAN, you can apply an ACL to this VLAN (for example, VLAN 10 or VLAN 20). After the ACL application range is adjusted, the number of occupied ACL resources is 2K (1K rules x 2 VLANs).
Method 3: Combine ACL rules to reduce the number of effective ACL rules.
Find out the common matching conditions in the ACL rules and relationships between the rules.
#
acl number 3009
 rule 1 permit ip source 10.1.1.1 0 destination 10.10.1.1 0
 rule 2 permit ip source 10.1.1.2 0 destination 10.10.1.1 0
 rule 3 permit ip source 10.1.1.3 0 destination 10.10.1.1 0
 rule 4 permit ip source 10.1.1.4 0 destination 10.10.1.1 0
 ...
 rule 255 permit ip source 10.1.1.255 0 destination 10.10.1.1 0
 rule 256 permit ip source 10.1.2.1 0 destination 10.10.1.1 0
 ...
 rule 510 permit ip source 10.1.2.255 0 destination 10.10.1.1 0
 ...
 rule 801 deny tcp destination-port eq www //Port 80
 rule 802 deny tcp destination-port eq 81
 rule 803 deny tcp destination-port eq 82
 ...
 rule 830 deny tcp destination-port eq pop2 //Port 109
 rule 831 deny tcp destination-port eq pop3 //Port 110
 ...
 rule 1000 xxx
#
#
acl number 3009
 rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.10.1.1 0
 rule 2 permit ip source 10.1.2.0 0.0.0.255 destination 10.10.1.1 0
 ...
#
After the preceding rules are combined, the total number of rules is reduced to 492. The number of occupied ACL resources is reduced to 3936 (492 rules x 8 interfaces), which is lower than the upper limit of ACL resources.
#
acl number 3009
 ...
 rule 801 deny tcp destination-port range 80 110
 ...
#
After rules 801 through 831 are combined into a single rule, the total number of rules is reduced to 462. The number of occupied ACL resources is reduced to 3696 (462 rules x 8 interfaces), which is lower than the upper limit of ACL resources.
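The resource formula and the two combination steps above, worked through as an added Python example (not code from the original page or the vendor). It assumes the page's counts for acl 3009 and, beyond the page, reports any address that a combined wildcard-mask rule matches although no original host rule did, so the combined rule can be checked for over-permitting before it is committed.

```python
import ipaddress
from collections import defaultdict

def occupied_resources(rule_count, scope, directions):
    # Page formula: rules x scope (interfaces, VLANs, or 1 if global)
    # x directions (1 for inbound or outbound only, 2 for both).
    return rule_count * scope * directions

def merge_host_rules(rules, prefixlen=24):
    # rules are (action, proto, source_host, destination). Rules that differ
    # only in source host, within one /prefixlen block, collapse into one
    # wildcard-mask rule; 'widened' lists addresses the wildcard now matches
    # that no original rule did (e.g. the .0 address), to check for over-permit.
    groups = defaultdict(set)
    for action, proto, src, dst in rules:
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        groups[(action, proto, net, dst)].add(ipaddress.ip_address(src))
    merged, widened = [], {}
    for (action, proto, net, dst), hosts in groups.items():
        if len(hosts) == 1:  # a single host rule has nothing to combine with
            merged.append((action, proto, f"{hosts.pop()} 0", dst))
            continue
        rule = (action, proto, f"{net.network_address} {net.hostmask}", dst)
        merged.append(rule)
        extra = [str(a) for a in net if a not in hosts]
        if extra:
            widened[rule] = extra
    return merged, widened

def merge_ports(ports):
    # Collapse ports into contiguous ranges (rules 801-831 -> 'range 80 110').
    ranges = []
    for p in sorted(set(ports)):
        if ranges and ranges[-1][1] + 1 == p:
            ranges[-1][1] = p
        else:
            ranges.append([p, p])
    return [tuple(r) for r in ranges]

def page_example(interfaces=8, directions=1):
    # Constructed input mirroring acl 3009: 510 host rules, 31 port rules and
    # 459 further rules that are only counted (the page's "rule 1000 xxx").
    host_rules = [("permit", "ip", f"10.1.{b}.{h}", "10.10.1.1 0")
                  for b in (1, 2) for h in range(1, 256)]
    ports, other = list(range(80, 111)), 1000 - 510 - 31
    merged, widened = merge_host_rules(host_rules)
    counts = (1000, len(merged) + len(ports) + other,
              len(merged) + len(merge_ports(ports)) + other)
    usage = [occupied_resources(n, interfaces, directions) for n in counts]
    return usage, merged, widened
```

page_example() returns the page's three figures (8000, 3936, 3696) together with the combined rules and, for each, the addresses it newly covers (here 10.1.1.0 and 10.1.2.0).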