After the new rule 355 (marked "Add this rule" below) was added to the ACL at the customer site, the device reported insufficient resources.
[SQ_SHH_BG_SW_01-probe]display acl name defencevirus
Advanced IPv4 ACL named defencevirus, 70 rules,
...
rule 325 deny udp source-port eq 2152
rule 330 deny udp destination-port eq 2123
rule 335 deny udp source-port eq 2123
rule 340 deny udp destination-port eq 3386
rule 345 deny udp source-port eq 3386
rule 350 deny tcp destination-port eq 3386
rule 355 deny tcp source-port eq 3386 // Add this rule
1. The probe view shows that the current board has already used 4588 resource entries, with only 20 remaining.
[SQ_SHH_BG_SW_01-probe]display hardware internal qacl show acl-resc slot 7 chip 0
---------------Qacl Group UsedResc Info---------------
Acl Hw Block: IACL 2
======================================================
GroupType: PFT L3
----------------------------------------------------
acl type usedEntries
[ 67]PktFilter IP on PORT 2294
Acl Hw Block: IACL 7
======================================================
GroupType: PKTFLT
----------------------------------------------------
acl type usedEntries
[ 73]PktFilter IPV4 on RPORT 62
|        | Type          Total  Reserved  Configured  Remaining |
| IACL 2 | Entry          4608         0        4588         20 |
|        | Entry640          0         0           0          0 |
|        | Block Counter  2304         0           0       2304 |
| @----------------------------------------------------------------@
| IACL 7 | Entry           512         0         124        388 |
|        | Entry640          0         0           0          0 |
|        | Block Counter   256         0           0        256 |
2. Check the device's total resources in the inbound direction: 8192 in total, divided into IACL0, IACL1, IACL2, and IACL7. IACL0 and IACL1 are reserved for system resources and cannot be used; only IACL2 and IACL7 can be allocated for packet filtering.
[SQ_SHH_BG_SW_01-probe]display qos-acl resource
Interfaces: GE3/0/1 to GE3/0/48 (slot 3)
---------------------------------------------------------------------
Type Total Reserved Configured Remaining Usage
---------------------------------------------------------------------
IGS ACL 8192 1536 2396 4260 47%
EGS ACL 1536 0 0 1536 0%
IGS Counter 4096 768 1 3327 18%
EGS Counter 768 0 0 768 0%
IGS Meter 8191 100 3 8088 1%
EGS Meter 2047 0 0 2047 0%
IMeter Counter 3327 300 9 3018 9%
EMeter Counter 3839 0 0 3839 0%
3. In the underlying configuration, the inbound packet filter named defencevirus is deployed on different interfaces (Layer 2 or Layer 3 ports). Each interface has its own instance on its respective board, meaning each rule occupies resources equivalent to two rules. With only 20 entries remaining, a newly added rule can therefore be deployed on at most 10 interfaces. The actual number of interfaces exceeds this limit, which caused the failure. The deployment was subsequently reduced.
[ 73]PktFilter IPV4 on RPORT 62
[ 67]PktFilter IP on PORT 2294
Replace the board with a higher-specification one, or reduce the rule deployment.
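The headroom calculation from step 3 can be run as a pre-change check before adding rules to a widely bound ACL. The following is an added example, not part of the original case or any vendor tool: it parses the Entry rows of the acl-resc summary above and tests whether a new rule fits. The function names and the interface count of 12 are assumptions made for illustration.

```python
import re

# Entry rows from the page's
# "display hardware internal qacl show acl-resc slot 7 chip 0" output.
SAMPLE = """\
| IACL 2 |Entry 4608 0 4588 20 |
| |Entry640 0 0 0 0 |
| |Block Counter 2304 0 0 2304 |
| IACL 7 |Entry 512 0 124 388 |
| |Entry640 0 0 0 0 |
| |Block Counter 256 0 0 256
"""

# Only "Entry" rows carry a block name; "Entry640" and "Block Counter" rows do not match.
ROW = re.compile(r"\|\s*(IACL\s*\d+)\s*\|\s*Entry\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_blocks(text):
    """Return {block: {total, reserved, configured, remaining}} per hardware block."""
    blocks = {}
    for m in ROW.finditer(text):
        total, reserved, configured, remaining = map(int, m.groups()[1:])
        if total - reserved - configured != remaining:
            raise ValueError(f"inconsistent counters for {m.group(1)}")
        blocks[" ".join(m.group(1).split())] = {
            "total": total, "reserved": reserved,
            "configured": configured, "remaining": remaining,
        }
    return blocks


def check_change(text, block, interfaces, new_rules=1, entries_per_rule=2):
    """Pre-change check for adding new_rules to an ACL bound on `interfaces` ports.

    entries_per_rule=2 is the page's figure (4588 configured / 2294 used entries).
    """
    remaining = parse_blocks(text)[block]["remaining"]
    needed = interfaces * new_rules * entries_per_rule
    return {
        "needed": needed,
        "remaining": remaining,
        "max_interfaces": remaining // (new_rules * entries_per_rule),
        "fits": needed <= remaining,
    }


if __name__ == "__main__":
    # 12 interfaces is a constructed figure; the page only says the count exceeds 10.
    print(check_change(SAMPLE, "IACL 2", interfaces=12))
```

A result with "fits" set to False before the change means the new deny rule would not be programmed on every bound interface, so the filter the ACL is meant to enforce would be incomplete.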