Concept Guide

Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)
This chapter describes the access control list (ACL) VLAN group and content addressable memory (CAM) enhancements.
Topics:
Optimizing CAM Utilization During the Attachment of ACLs to VLANs
Guidelines for Configuring ACL VLAN groups
Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters
Viewing CAM Usage
Allocating FP Blocks for VLAN Processes
Optimizing CAM Utilization During the Attachment of ACLs to VLANs
You can enable and configure the ACL CAM optimization functionality to minimize the number of entries in CAM while ACLs are applied on
a VLAN or a set of VLANs, and also while ACLs are applied on a set of ports. This capability enables the effective usage of the CAM space
when Layer 3 ACLs are applied to a set of VLANs and when Layer 2 or Layer 3 ACLs are applied on a set of ports.
In releases of Dell Networking OS that do not support the CAM optimization functionality, when an ACL is applied on a VLAN, the ACL
rules are configured with the rule-specific parameters and the VLAN as additional attributes in the ACL region. When the ACL is applied on
multiple VLAN interfaces, the consumption of the CAM space increases proportionally. For example, when an ACL with ‘n’ number of rules
is applied on ‘m’ number of VLAN interfaces, a total of n*m entries are configured in the CAM region that is allocated for ACLs. Similarly,
when an L2 or L3 ACL is applied on a set of ports, a large portion of the CAM space gets used because a port is saved as a parameter in
CAM.
To avoid excessive consumption of the CAM space, configure ACL VLAN groups, which combine all the VLANs that are applied with the
same ACL, into a single group. A class identifier (Class ID) is assigned for each of the ACLs attached to the VLAN and this Class ID is used
as an identifier or locator in the CAM space instead of the VLAN ID. This method of processing reduces the number of entries in the CAM
area significantly and saves memory space by using the class ID as a filtering criterion in CAM instead of the VLAN ID.
You can create an ACL VLAN group and attach the ACL with the VLAN members. The optimization is applicable only when you create an
ACL VLAN group. If you apply an ACL separately on the VLAN interface, each ACL has a mapping with the VLAN and increased CAM
space utilization occurs. Attaching an ACL individually to VLAN interfaces is similar to the behavior of ACL-VLAN mapping storage in CAM
prior to the implementation of the ACL VLAN group functionality.
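The following planning sketch is an added example, not part of the Dell documentation or Dell Networking OS. It takes a constructed inventory of VLAN-to-ACL attachments, finds the ACLs shared by more than one VLAN, and compares the n*m per-VLAN entry count with the count when each shared ACL is stored once under a class ID. The one-copy-per-group cost model, the class ID numbering, and the max_groups parameter are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: VLAN ID -> ACL name, and ACL name -> rule count (n).
ATTACHMENTS = {10: "ACL_WEB", 20: "ACL_WEB", 30: "ACL_WEB",
               40: "ACL_DB", 50: "ACL_DB", 60: "ACL_MGMT"}
RULES = {"ACL_WEB": 100, "ACL_DB": 40, "ACL_MGMT": 12}


def plan_acl_vlan_groups(attachments, rule_counts, max_groups=None):
    """Propose ACL VLAN groups and estimate CAM entries before and after.

    max_groups is a hypothetical platform limit; pass the documented value
    for your system if you know it.
    """
    vlans_by_acl = defaultdict(list)
    for vlan, acl in sorted(attachments.items()):
        if acl not in rule_counts:
            raise ValueError(f"VLAN {vlan} references unknown ACL {acl!r}")
        vlans_by_acl[acl].append(vlan)

    # Only ACLs shared by several VLANs benefit; rank by entries saved, n*(m-1).
    candidates = sorted(
        (acl for acl, vlans in vlans_by_acl.items() if len(vlans) > 1),
        key=lambda acl: rule_counts[acl] * (len(vlans_by_acl[acl]) - 1),
        reverse=True,
    )
    if max_groups is not None:
        candidates = candidates[:max_groups]
    grouped = set(candidates)

    # Per-VLAN attachment: every rule is stored once per VLAN (n*m).
    per_vlan = sum(rule_counts[a] * len(v) for a, v in vlans_by_acl.items())
    # Assumed model: a grouped ACL is stored once, matched on its class ID.
    with_groups = sum(rule_counts[a] * (1 if a in grouped else len(v))
                      for a, v in vlans_by_acl.items())

    groups = [{"class_id": i, "acl": a, "vlans": vlans_by_acl[a]}
              for i, a in enumerate(candidates, start=1)]  # illustrative IDs
    return {"groups": groups, "per_vlan_entries": per_vlan,
            "grouped_entries": with_groups}


if __name__ == "__main__":
    result = plan_acl_vlan_groups(ATTACHMENTS, RULES)
    for g in result["groups"]:
        print(f"class {g['class_id']}: {g['acl']} -> VLANs {g['vlans']}")
    print(result["per_vlan_entries"], "entries per-VLAN vs",
          result["grouped_entries"], "with groups")
```
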
The ACL manager application on router processor (RP1) contains all the state information about all the ACL VLAN groups that are present.
The ACL handler on control processor (CP) and the ACL agent on line cards do not contain any stateful information about the group. The
ACL manager application performs the validation after you enter the acl-vlan-group command. If the command is valid, it is processed
and sent to the agent, if required. If a configuration error is found or if the maximum limit for the ACL VLAN groups present
on the system has been exceeded, an appropriate error message is displayed. The ACL manager application verifies the following parameters when you enter
the acl-vlan-group command:
Whether the CAM profile is set in VFP
Whether the maximum number of groups in the system has been exceeded