Access to resources becomes very slow after adding an ACL
To restrict the PCs in VLAN 44 to specific resources only, I added the ACL below, but with it applied access becomes noticeably slow; with the ACL removed it is fast again. What is the cause?
ACL configuration on the two S7706s
S7706-1
acl name SP-Workstation-Permit 3999
rule 5 permit ip destination 172.29.126.1 0
rule 6 permit ip source 172.29.126.1 0
rule 10 permit ip destination 10.14.64.173 0
rule 11 permit ip source 10.14.64.173 0
rule 15 permit ip destination 172.29.111.158 0
rule 16 permit ip source 172.29.111.158 0
rule 20 permit ip destination 172.25.16.1 0
rule 21 permit ip source 172.25.16.1 0
rule 30 permit ip destination 172.25.17.10 0
rule 31 permit ip source 172.25.17.10 0
rule 40 permit ip destination 172.29.115.71 0
rule 41 permit ip source 172.29.115.71 0
rule 50 permit tcp destination 172.25.25.14 0
rule 51 permit tcp source 172.25.25.14 0
rule 60 permit tcp destination 172.25.25.15 0
rule 61 permit tcp source 172.25.25.15 0
rule 70 permit tcp destination 172.25.25.16 0
rule 71 permit tcp source 172.25.25.16 0
rule 80 permit ip destination 10.193.4.11 0
rule 81 permit ip source 10.193.4.11 0
rule 90 permit tcp destination 172.25.25.10 0 destination-port eq 443
rule 91 permit tcp source 172.25.25.10 0 source-port eq 443
rule 100 permit tcp destination 172.25.25.10 0 destination-port range 8081 8444
rule 101 permit tcp source 172.25.25.10 0 source-port range 8081 8444
rule 110 permit tcp destination 172.25.2.58 0 destination-port eq 28000
rule 111 permit tcp source 172.25.2.58 0 source-port eq 28000
rule 120 permit tcp destination 172.25.2.59 0 destination-port eq 28000
rule 121 permit tcp source 172.25.2.59 0 source-port eq 28000
rule 130 permit tcp destination-port eq 3389
rule 131 permit tcp source-port eq 3389
rule 140 deny ip
#
traffic classifier c-sp-Permit operator or precedence 10
if-match acl SP-Workstation-Permit
#
traffic behavior b-sp-Permit
permit
#
traffic policy p-sp
classifier c-sp-Permit behavior b-sp-Permit
#
vlan 44
description DL-Space Vision Workstation
traffic-policy p-sp inbound
S7706-2
acl name SP-Workstation-Permit 3999
rule 5 permit ip destination 172.29.126.1 0
rule 6 permit ip source 172.29.126.1 0
rule 10 permit ip destination 10.14.64.173 0
rule 11 permit ip source 10.14.64.173 0
rule 15 permit ip destination 172.29.111.158 0
rule 16 permit ip source 172.29.111.158 0
rule 20 permit ip destination 172.25.16.1 0
rule 21 permit ip source 172.25.16.1 0
rule 30 permit ip destination 172.25.17.10 0
rule 31 permit ip source 172.25.17.10 0
rule 40 permit ip destination 172.29.115.71 0
rule 41 permit ip source 172.29.115.71 0
rule 50 permit tcp destination 172.25.25.14 0
rule 51 permit tcp source 172.25.25.14 0
rule 60 permit tcp destination 172.25.25.15 0
rule 61 permit tcp source 172.25.25.15 0
rule 70 permit tcp destination 172.25.25.16 0
rule 71 permit tcp source 172.25.25.16 0
rule 80 permit ip destination 10.193.4.11 0
rule 81 permit ip source 10.193.4.11 0
rule 90 permit tcp destination 172.25.25.10 0 destination-port eq 443
rule 91 permit tcp source 172.25.25.10 0 source-port eq 443
rule 100 permit tcp destination 172.25.25.10 0 destination-port range 8081 8444
rule 101 permit tcp source 172.25.25.10 0 source-port range 8081 8444
rule 110 permit tcp destination 172.25.2.58 0 destination-port eq 28000
rule 111 permit tcp source 172.25.2.58 0 source-port eq 28000
rule 120 permit tcp destination 172.25.2.59 0 destination-port eq 28000
rule 121 permit tcp source 172.25.2.59 0 source-port eq 28000
rule 130 permit tcp destination-port eq 3389
rule 131 permit tcp source-port eq 3389
rule 140 deny ip
#
traffic classifier c-sp-Permit operator or precedence 10
if-match acl SP-Workstation-Permit
#
traffic behavior b-sp-Permit
permit
#
traffic policy p-sp
classifier c-sp-Permit behavior b-sp-Permit
#
vlan 44
description DL-Space Vision Workstation
traffic-policy p-sp inbound
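The following is an added example, not part of the original post and not Huawei tooling: a small Python evaluator that applies the posted rules the way the switch does (rules tried in ascending number under the default `config` match order, wildcard `0` meaning an exact host, protocol `ip` matching any IP protocol, first match wins, and a packet that matches a `deny` rule in the classifier's ACL being dropped even though the behavior is `permit`) to a few constructed flows. It embeds an excerpt of the ACL above, one rule pair per pattern; the parser accepts the full rule list in the same syntax. The VLAN 44 workstation address 10.44.0.10 and the hosts 192.0.2.53 and 192.0.2.9 are constructed placeholders. The script is a way to check what the policy permits and drops, not a diagnosis of the slowdown. Two things it makes visible: UDP and ICMP to any host outside the list (DNS to an unlisted resolver, for instance) fall through to `rule 140 deny ip`, and rules 131/35 (`permit tcp source-port eq 3389`) accept any TCP segment whose source port is 3389 regardless of source or destination address, a value the sending host chooses itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the ACL posted above: one rule pair of each pattern it uses.
ACL_TEXT = """
rule 5 permit ip destination 172.29.126.1 0
rule 6 permit ip source 172.29.126.1 0
rule 50 permit tcp destination 172.25.25.14 0
rule 51 permit tcp source 172.25.25.14 0
rule 90 permit tcp destination 172.25.25.10 0 destination-port eq 443
rule 91 permit tcp source 172.25.25.10 0 source-port eq 443
rule 100 permit tcp destination 172.25.25.10 0 destination-port range 8081 8444
rule 101 permit tcp source 172.25.25.10 0 source-port range 8081 8444
rule 130 permit tcp destination-port eq 3389
rule 131 permit tcp source-port eq 3389
rule 140 deny ip
"""

@dataclass
class Rule:
    number: int
    action: str                               # "permit" or "deny"
    proto: str                                # "ip" matches any IP protocol
    src: Optional[Tuple[int, int]] = None     # (address, wildcard) as 32-bit ints
    dst: Optional[Tuple[int, int]] = None
    sport: Optional[Tuple[int, int]] = None   # inclusive port range
    dport: Optional[Tuple[int, int]] = None

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _ip(s: str) -> int:
    # Huawei accepts a bare "0" as the wildcard meaning "exact host".
    return int(s) if "." not in s else int(ipaddress.IPv4Address(s))

def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny PROTO ...' lines into Rule objects."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "rule":
            continue
        r = Rule(number=int(t[1]), action=t[2], proto=t[3])
        i = 4
        while i < len(t):
            key = t[i]
            if key in ("source", "destination"):
                setattr(r, "src" if key == "source" else "dst",
                        (_ip(t[i + 1]), _ip(t[i + 2])))
                i += 3
            elif key in ("source-port", "destination-port"):
                if t[i + 1] == "eq":
                    lo = hi = int(t[i + 2])
                    i += 3
                else:                         # "range LOW HIGH"
                    lo, hi = int(t[i + 2]), int(t[i + 3])
                    i += 4
                setattr(r, "sport" if key == "source-port" else "dport", (lo, hi))
            else:
                raise ValueError(f"unsupported keyword {key!r}: {line}")
        rules.append(r)
    # Default match-order "config": rules are tried in ascending rule number.
    return sorted(rules, key=lambda x: x.number)

def _addr_match(pkt_ip: int, spec: Optional[Tuple[int, int]]) -> bool:
    if spec is None:
        return True
    addr, wildcard = spec                     # wildcard bits set to 1 are "don't care"
    return (pkt_ip ^ addr) & (~wildcard & 0xFFFFFFFF) == 0

def _port_match(port: int, spec: Optional[Tuple[int, int]]) -> bool:
    return spec is None or spec[0] <= port <= spec[1]

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; a deny hit is a drop under the posted policy.
    IP traffic that matches no rule at all is forwarded unchanged."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if (_addr_match(_ip(pkt.src), r.src) and _addr_match(_ip(pkt.dst), r.dst)
                and _port_match(pkt.sport, r.sport) and _port_match(pkt.dport, r.dport)):
            return r.action, r.number
    return "permit", None

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    pc = "10.44.0.10"                         # constructed VLAN 44 workstation address
    flows = [
        Packet("icmp", pc, "172.29.126.1"),               # listed host, any protocol
        Packet("udp", pc, "192.0.2.53", 50001, 53),       # DNS to an unlisted server
        Packet("tcp", pc, "172.25.25.10", 50002, 8443),   # inside range 8081-8444
        Packet("tcp", pc, "172.25.25.10", 50003, 80),     # port not listed for that host
        Packet("tcp", pc, "192.0.2.9", 3389, 445),        # client-chosen source port 3389
    ]
    for p in flows:
        print(f"{p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport}  => {evaluate(rules, p)}")
```

Paste the full 34-rule ACL into `ACL_TEXT` to check a real flow; any flow the switch would drop comes back as `("deny", 140)`, and the rule number tells you which `permit` a flow rides on, which is what you want to know before deciding whether a `source-port` rule is doing work that a stateful device should be doing instead.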
You could try applying it on the physical interface between the 7706 and the 2700; right now it is presumably under the VLAN 44 SVI. Just passing by to have a look, bump.