Insufficient ACL resources on the S6520X switch


Network Topology

IRF switch

Problem Description

When the customer planned to migrate 31 VLAN gateways and their associated ACLs from the core switches to the distribution-layer switches, the assessment found that the hardware resources of the distribution-layer devices could not support the scale of the existing configuration. At present, the core switches already suffer from excessively high CPU and memory utilization because of the large number of ACL rules. If the existing configuration were copied to the distribution-layer switches as is (31 VLANs × 91 rules, applied in both directions), the ACL resource limit of the devices would be exceeded, resulting in failed configuration application or service interruption.

Process Analysis

1. Requirement evaluation: The customer stated that the live network configuration includes 31 VLAN interfaces. Each interface applies two ACLs, one inbound and one outbound, and each ACL contains 91 rules. Preliminary calculation shows that a full migration requires 31 (VLANs) × 2 (directions) × 91 (rules) = 5642 rules, which far exceeds the ACL capacity of a single chip on the distribution-layer switch.

2. Laboratory resource verification: The R&D team simulated the scenario in the laboratory on the same model, S6520X-54HF-EI, with ACLs applied in the inbound direction only. The test configuration had 31 VLAN interfaces, each applying a 36-rule ACL, plus 3 Portal ACLs, for a total of 31 × 36 + 3 = 1119 resource entries.

[H3C]dis qos-acl resource
Type        Total    Reserved    Configured    Remaining    Usage
IPCL0 ACL   2048     2           1119          927          54%

The test data shows IPCL0 stage usage of 54% with this configuration.

3. Resource bottleneck analysis: According to the output of dis qos-acl resource, the IPCL0 stage of the S6520X series provides 2048 entries in total. With the on-site plan of 31 VLAN interfaces (the same number as in the test environment) and 91 rules per VLAN, the inbound direction alone requires 31 × 91 = 2821 entries, which already exceeds the 2048-entry hardware limit. Adding the outbound rules doubles the demand and makes the shortage more severe. Dropping the outbound direction is therefore necessary but not sufficient: the per-ACL rule count must also be reduced.

4. Configuration logic review: Redundant matching entries were found in the ACL rules. The debug qacl show command in probe view was used to inspect how individual rules occupy hardware, confirming that each rule occupies its own hardware entry.

[H3C-probe]debug qacl show s 1 c 0 v 0 a 41
Acl-Type Portal Redirect, Stage IPCL 0, Global, Installed, Active
Rule Match: Outer Vlan, IP protocol tcp, L4 Dst Port 80/443
Actions: Redirect Trap to cpu


Solution

1. Optimize the ACL application direction: Remove the outbound packet-filter from each VLAN interface and keep only the inbound direction. Every inter-VLAN packet enters the switch through the VLAN interface of its source VLAN, so an inbound ACL on every VLAN interface checks each inter-VLAN flow once, at its source; an outbound ACL on the destination VLAN interface re-checks the same traffic and consumes a second hardware entry per rule for little additional control. One caveat: traffic that enters the switch on an interface without an inbound filter (for example, the uplink from the core) is no longer filtered on its way into a VLAN once the outbound ACL is removed, so if the policy requires that path to be filtered, it has to be covered by an inbound ACL on the uplink or by the core.

interface Vlan-interface10
undo packet-filter 3000 outbound
packet-filter 3000 inbound

2. Reduce the number of ACL rules: Reorganize the 91 rules and merge entries with identical actions. Summarize contiguous subnets into a single wider wildcard mask and collapse rules for consecutive ports into one range rule, compressing the 91 rules to no more than 36. The lab figures show why 36 is the target: 31 × 36 + 3 = 1119 entries is 54% of 2048, whereas 31 × 91 = 2821 does not fit at all. Use range matching only for ports that are genuinely consecutive: a rule such as destination-port range 80 443 would admit every port from 80 through 443, not just 80 and 443, so non-adjacent ports must stay as separate eq rules. For instance (port numbers chosen for illustration):

rule permit tcp destination-port range 8080 8089
rule permit tcp destination-port eq 80
rule permit tcp destination-port eq 443
rule deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

3. Verify the resource margin: After the optimization, run display qos-acl resource and confirm that the Usage of the IPCL0 stage stays below 80%, leaving a 20% margin for service growth. The laboratory configuration (31 VLAN interfaces × 36 rules inbound + 3 Portal ACLs) meets this criterion at 54%:

[H3C]dis qos-acl resource
Type        Total    Reserved    Configured    Remaining    Usage
IPCL0 ACL   2048     2           1119          927          54%

Repeat the check on the live distribution switches after the configuration is applied; if the Remaining column approaches zero, later rules will fail to install.
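The three solution steps above amount to a capacity calculation followed by a loss-free compression of the rule set. The script below is an added example written for this page, not H3C code or output from the case: it reuses the page's figures (2048 IPCL0 entries, 31 VLAN interfaces, 91 rules per ACL, two directions, the 80% usage ceiling), while the Rule model, function names, sample rules and the 8080-8082 port pool are this example's own constructions. merge_port_rules only joins port spans that are adjacent or overlapping, so 80 and 443 remain separate eq rules instead of becoming an over-broad range, and aggregate_networks only summarizes subnets that align to a wider prefix.

```python
"""Capacity check and loss-free ACL compression for the S6520X case above.

Added example, not from the H3C case or H3C software. Figures reused from
the page: 2048 IPCL0 entries, 31 VLAN interfaces, 91 rules per ACL, two
directions and the 80% usage ceiling. The Rule model, function names and
sample rules are this example's own constructions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPCL0_TOTAL = 2048      # 'Total' column of 'display qos-acl resource' on the page
USAGE_CEILING = 0.80    # page's acceptance criterion: Usage below 80%


def entries_required(vlans: int, rules_per_acl: int, directions: int, fixed: int = 0) -> int:
    """One IPCL0 entry per rule, per direction, per VLAN interface (the page
    verified this with 'debug qacl show'), plus fixed entries such as Portal ACLs."""
    return vlans * rules_per_acl * directions + fixed


def within_budget(entries: int, total: int = IPCL0_TOTAL, ceiling: float = USAGE_CEILING) -> bool:
    """True when the plan stays under the usage ceiling, keeping the reserved margin."""
    return entries / total < ceiling


@dataclass(frozen=True)
class Rule:
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'tcp', 'udp' or 'ip'
    src: str                    # 'any' or '<network> <wildcard>'
    dst: str
    ports: Tuple[int, int]      # inclusive destination-port span; (0, 65535) == any port


def merge_port_rules(rules: List[Rule]) -> List[Rule]:
    """Collapse rules that differ only in destination port into 'range' rules.

    Spans are merged only when adjacent or overlapping, so the merged ACL
    matches exactly the same packets. Ports 80 and 443 therefore stay as two
    'eq' rules: 'range 80 443' would also admit the 362 ports in between.
    Assumes the ACL has no overlapping rules with conflicting actions, as is
    the case for the permit-list style ACLs in this scenario.
    """
    groups: Dict[Tuple[str, str, str, str], List[Tuple[int, int]]] = {}
    for r in rules:                                  # dict keeps first-seen group order
        groups.setdefault((r.action, r.proto, r.src, r.dst), []).append(r.ports)
    merged: List[Rule] = []
    for key, spans in groups.items():
        spans.sort()
        out = [list(spans[0])]
        for lo, hi in spans[1:]:
            if lo <= out[-1][1] + 1:                 # contiguous or overlapping: safe to join
                out[-1][1] = max(out[-1][1], hi)
            else:
                out.append([lo, hi])                 # gap: keep a separate rule
        merged.extend(Rule(*key, (lo, hi)) for lo, hi in out)
    return merged


def aggregate_networks(cidrs: List[str]) -> List[str]:
    """Summarize contiguous, aligned prefixes into one '<network> <wildcard>'
    match, e.g. 192.168.2.0/24 + 192.168.3.0/24 -> '192.168.2.0 0.0.1.255'.
    Non-aligned neighbours (x.1.0/24 + x.3.0/24) are left as separate entries."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    return [f"{n.network_address} {n.hostmask}" for n in nets]


def render(r: Rule) -> str:
    """Emit the rule in H3C advanced-ACL syntax."""
    text = f"rule {r.action} {r.proto}"
    if r.src != "any":
        text += f" source {r.src}"
    if r.dst != "any":
        text += f" destination {r.dst}"
    lo, hi = r.ports
    if (lo, hi) != (0, 65535):
        text += f" destination-port eq {lo}" if lo == hi else f" destination-port range {lo} {hi}"
    return text


# Constructed sample: a permit list for one VLAN with web ports and a contiguous app-port pool.
SAMPLE_RULES = [
    Rule("permit", "tcp", "any", "192.168.2.0 0.0.0.255", (80, 80)),
    Rule("permit", "tcp", "any", "192.168.2.0 0.0.0.255", (443, 443)),
    Rule("permit", "tcp", "any", "192.168.2.0 0.0.0.255", (8080, 8080)),
    Rule("permit", "tcp", "any", "192.168.2.0 0.0.0.255", (8081, 8081)),
    Rule("permit", "tcp", "any", "192.168.2.0 0.0.0.255", (8082, 8082)),
    Rule("deny", "ip", "192.168.1.0 0.0.0.255", "192.168.2.0 0.0.0.255", (0, 65535)),
]

if __name__ == "__main__":
    print("full migration :", entries_required(31, 91, 2), "entries")           # 5642
    print("inbound only   :", entries_required(31, 91, 1), "entries")           # 2821, still > 2048
    print("lab baseline   :", entries_required(31, 36, 1, fixed=3), "entries")  # 1119, 54%
    for rule in merge_port_rules(SAMPLE_RULES):
        print(render(rule))
```

Run it as is to see the three capacity figures and the compressed rule list; feed it the real 91-rule ACL by building Rule objects from the running configuration. Because merging changes rule order only within a group of identical match fields, check the result against the original first-match semantics before applying it where permit and deny rules overlap.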

