Addendum
the ACL VLAN groups present on the system, an appropriate error message is displayed. The ACL
manager application processes the following parameters when you enter an acl-vlan-group
command:
• Whether the CAM profile is set in VFP
• Whether the maximum number of groups in the system is exceeded
• Whether the maximum number of VLAN numbers permitted per ACL group is exceeded
• When a VLAN member that is being added is already a part of another ACL group
After these checks pass, the ACL manager considers the command valid and, where applicable, sends
the information to the ACL agent on the line card. The ACL manager notifies the ACL agent
in the following cases:
• A VLAN member is added to or removed from a group and previously associated VLANs exist in the
group.
• An egress ACL is applied to or removed from the group and the group contains VLAN members.
• Members are added to or deleted from a VLAN that is itself a group member.
• A line card returns to the active state after going down and this line card contains a VLAN that is a
member of an ACL group.
• The ACL VLAN group is deleted and it contains VLAN members.
The ACL manager does not notify the ACL agent in the following cases:
• The ACL VLAN group is created.
• The ACL VLAN group is deleted and it does not contain any VLAN members.
• The ACL is applied or removed from a group, and the ACL group does not contain a VLAN member.
• The description of the ACL group is added or removed.
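The validation parameters and the notify / do-not-notify cases above can be captured as a small state machine. The following is an added example written for this page, not Dell code: it models the ACL manager's checks (CAM profile set in VFP, system group limit, per-group VLAN limit, VLAN already owned by another group) and records which operations would be pushed to the ACL agent. The 31-group and 256-member limits come from the guidelines that follow; the per-group VLAN limit (`max_vlans_per_group`) is an assumed value because the page gives no number for it, and the CAM-profile check is reduced to a boolean.

```python
"""Model of the acl-vlan-group validation and ACL-agent notification rules.
Added example, not Dell code. max_groups=31 and max_members=256 (one CAM slice)
are the limits stated in the guidelines; max_vlans_per_group is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class AclVlanGroup:
    name: str
    vlans: Set[int] = field(default_factory=set)
    egress_acl: Optional[str] = None
    description: Optional[str] = None


class AclManager:
    def __init__(self, cam_profile_vfp: bool = True, max_groups: int = 31,
                 max_members: int = 256, max_vlans_per_group: int = 64):
        self.cam_profile_vfp = cam_profile_vfp
        self.max_groups = max_groups
        self.max_members = max_members                   # all groups combined
        self.max_vlans_per_group = max_vlans_per_group   # assumed limit, not from the page
        self.groups: Dict[str, AclVlanGroup] = {}
        self.iface_acl: Dict[str, str] = {}       # ACL applied directly to a port
        self.iface_group: Dict[str, str] = {}     # ACL VLAN group attached to a port
        self.notifications: List[str] = []        # what would be sent to the ACL agent

    def _notify(self, msg: str) -> None:
        self.notifications.append(msg)

    def _owner(self, vlan: int) -> Optional[str]:
        return next((g.name for g in self.groups.values() if vlan in g.vlans), None)

    def create_group(self, name: str) -> AclVlanGroup:
        if not self.cam_profile_vfp:
            raise ValueError("CAM profile has no VFP allocation for ACL VLAN groups")
        if name not in self.groups:
            if len(self.groups) >= self.max_groups:
                raise ValueError(f"maximum of {self.max_groups} ACL VLAN groups reached")
            self.groups[name] = AclVlanGroup(name)   # creation alone is not pushed
        return self.groups[name]

    def add_vlan(self, name: str, vlan: int) -> None:
        g = self.groups[name]
        owner = self._owner(vlan)
        if owner is not None and owner != name:
            raise ValueError(f"VLAN {vlan} is already a member of group {owner}")
        if vlan in g.vlans:
            return
        if len(g.vlans) >= self.max_vlans_per_group:
            raise ValueError(f"group {name} already holds {self.max_vlans_per_group} VLANs")
        if sum(len(x.vlans) for x in self.groups.values()) >= self.max_members:
            raise ValueError(f"system limit of {self.max_members} VLAN members reached")
        had_members = bool(g.vlans)
        g.vlans.add(vlan)
        if had_members:   # pushed only when previously associated VLANs exist
            self._notify(f"{name}: add vlan {vlan}")

    def remove_vlan(self, name: str, vlan: int) -> None:
        g = self.groups[name]
        if vlan in g.vlans:
            g.vlans.discard(vlan)
            self._notify(f"{name}: remove vlan {vlan}")

    def set_egress_acl(self, name: str, acl: Optional[str]) -> None:
        g = self.groups[name]
        g.egress_acl = acl
        if g.vlans:   # an ACL change on a group with no VLAN members is not pushed
            self._notify(f"{name}: egress acl -> {acl}")

    def set_description(self, name: str, text: Optional[str]) -> None:
        self.groups[name].description = text   # never pushed to the agent

    def delete_group(self, name: str) -> None:
        g = self.groups.pop(name)
        if g.vlans:   # deleting an empty group is not pushed
            self._notify(f"{name}: delete group with vlans {sorted(g.vlans)}")

    def linecard_up(self, vlans_on_card: Set[int]) -> None:
        hit = sorted(v for v in vlans_on_card if self._owner(v) is not None)
        if hit:
            self._notify(f"linecard up: reprogram vlans {hit}")

    def apply_acl(self, iface: str, acl: str) -> None:
        if iface in self.iface_acl:   # only one ACL per interface at a time
            raise ValueError(f"{iface} already has ACL {self.iface_acl[iface]}")
        self.iface_acl[iface] = acl

    def attach_group(self, iface: str, name: str) -> None:
        if iface in self.iface_acl:   # a directly applied ACL blocks group attachment
            raise ValueError(f"{iface} has ACL {self.iface_acl[iface]} applied directly")
        if name not in self.groups:
            raise KeyError(name)
        self.iface_group[iface] = name
```

Driving the model with a sequence of commands and reading `notifications` afterwards shows which CLI operations reach the line card and which stay in the ACL manager; the error paths correspond to the rejected-command cases listed in the parameters above.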
Guidelines for Configuring ACL VLAN groups
This functionality is supported on the S4810, S4820T, Z9000, I/O Aggregator and MXL platforms.
Keep the following points in mind when you configure ACL VLAN groups:
• The interfaces to which the ACL VLAN group is applied function as restricted interfaces. The ACL
VLAN group name identifies the group of VLANs that is used to perform hierarchical filtering.
• You can apply only one ACL to an interface at a time.
• When you attempt to attach an ACL VLAN group to an interface, a validation is performed to
determine whether an ACL is already applied directly to that interface. If you previously applied an ACL
separately to the interface, attaching an ACL VLAN group to the same interface fails with an error.
• The limitation on the maximum number of members that can be part of the ACL VLAN group is
determined by the type of switch and its hardware capabilities. This scaling limit depends on the
number of slices that are allocated for ACL CAM optimization. If one slice is allocated, the maximum
number of VLAN members is 256 for all ACL VLAN groups. If two slices are allocated, the maximum
number of VLAN members is 512 for all ACL VLAN groups.
• The maximum number of VLAN groups that you can configure also depends on the hardware
specifications of the switch. Each VLAN group is mapped to a unique ID in the hardware. The
maximum number of ACL VLAN groups supported is 31. Only a maximum two components (iSCSI
ACL VLAN Groups and Content Addressable Memory (CAM)