加了ACL之后，访问资源变得非常慢。

superxy · 发表于 2015-3-31 08:55:59

[

限制VLAN 44的PC只能访问特定的资源

限制VLAN 44的PC只能访问特定的资源，但是加上下面的ACL之后，访问速度明显变得非常慢，去掉ACL就很快。这是什么原因呢？
两台S7706的ACL配置

S7706-1

acl name SP-Workstation-Permit 3999
rule 5 permit ip destination 172.29.126.1 0
rule 6 permit ip source 172.29.126.1 0
rule 10 permit ip destination 10.14.64.173 0
rule 11 permit ip source 10.14.64.173 0
rule 15 permit ip destination 172.29.111.158 0
rule 16 permit ip source 172.29.111.158 0
rule 20 permit ip destination 172.25.16.1 0
rule 21 permit ip source 172.25.16.1 0
rule 30 permit ip destination 172.25.17.10 0
rule 31 permit ip source 172.25.17.10 0
rule 40 permit ip destination 172.29.115.71 0
rule 41 permit ip source 172.29.115.71 0
rule 50 permit tcp destination 172.25.25.14 0
rule 51 permit tcp source 172.25.25.14 0
rule 60 permit tcp destination 172.25.25.15 0
rule 61 permit tcp source 172.25.25.15 0
rule 70 permit tcp destination 172.25.25.16 0
rule 71 permit tcp source 172.25.25.16 0
rule 80 permit ip destination 10.193.4.11 0
rule 81 permit ip source 10.193.4.11 0
rule 90 permit tcp destination 172.25.25.10 0 destination-port eq 443
rule 91 permit tcp source 172.25.25.10 0 source-port eq 443
rule 100 permit tcp destination 172.25.25.10 0 destination-port range 8081 8444
rule 101 permit tcp source 172.25.25.10 0 source-port range 8081 8444
rule 110 permit tcp destination 172.25.2.58 0 destination-port eq 28000
rule 111 permit tcp source 172.25.2.58 0 source-port eq 28000
rule 120 permit tcp destination 172.25.2.59 0 destination-port eq 28000
rule 121 permit tcp source 172.25.2.59 0 source-port eq 28000
rule 130 permit tcp destination-port eq 3389
rule 131 permit tcp source-port eq 3389
rule 140 deny ip
#
traffic classifier c-sp-Permit operator or precedence 10
if-match acl SP-Workstation-Permit
#
traffic behavior b-sp-Permit
permit
#
traffic policy p-sp
classifier c-sp-Permit behavior b-sp-Permit
#
vlan 44
description DL-Space Vision Workstation
traffic-policy p-sp inbound

S7706-2
acl name SP-Workstation-Permit 3999
rule 5 permit ip destination 172.29.126.1 0
rule 6 permit ip source 172.29.126.1 0
rule 10 permit ip destination 10.14.64.173 0
rule 11 permit ip source 10.14.64.173 0
rule 15 permit ip destination 172.29.111.158 0
rule 16 permit ip source 172.29.111.158 0
rule 20 permit ip destination 172.25.16.1 0
rule 21 permit ip source 172.25.16.1 0
rule 30 permit ip destination 172.25.17.10 0
rule 31 permit ip source 172.25.17.10 0
rule 40 permit ip destination 172.29.115.71 0
rule 41 permit ip source 172.29.115.71 0
rule 50 permit tcp destination 172.25.25.14 0
rule 51 permit tcp source 172.25.25.14 0
rule 60 permit tcp destination 172.25.25.15 0
rule 61 permit tcp source 172.25.25.15 0
rule 70 permit tcp destination 172.25.25.16 0
rule 71 permit tcp source 172.25.25.16 0
rule 80 permit ip destination 10.193.4.11 0
rule 81 permit ip source 10.193.4.11 0
rule 90 permit tcp destination 172.25.25.10 0 destination-port eq 443
rule 91 permit tcp source 172.25.25.10 0 source-port eq 443
rule 100 permit tcp destination 172.25.25.10 0 destination-port range 8081 8444
rule 101 permit tcp source 172.25.25.10 0 source-port range 8081 8444
rule 110 permit tcp destination 172.25.2.58 0 destination-port eq 28000
rule 111 permit tcp source 172.25.2.58 0 source-port eq 28000
rule 120 permit tcp destination 172.25.2.59 0 destination-port eq 28000
rule 121 permit tcp source 172.25.2.59 0 source-port eq 28000
rule 130 permit tcp destination-port eq 3389
rule 131 permit tcp source-port eq 3389
rule 140 deny ip
#
traffic classifier c-sp-Permit operator or precedence 10
if-match acl SP-Workstation-Permit
#
traffic behavior b-sp-Permit
permit
#
traffic policy p-sp
classifier c-sp-Permit behavior b-sp-Permit
#
vlan 44
description DL-Space Vision Workstation
traffic-policy p-sp inbound

wukunpeng · 发表于 2015-3-31 10:29:29

你可以试试放在7706和2700之间的物理接口之间，现在放的应该是vlan44的svi下

Rockyw · 发表于 2015-3-31 11:07:37

路过了解一下

化工3911 · 发表于 2015-3-31 15:05:29

顶个

账号		自动登录	找回密码
密码			论坛注册

[求助] 加了ACL之后，访问资源变得非常慢。

相关帖子

客服中心

投诉建议