Service Manual

Implementing ACLs on Dell Networking OS
You can assign one IP ACL per interface with Dell Networking OS. If you do not assign an IP ACL to an
interface, the software does not use it in any other capacity.
The number of entries allowed per ACL is hardware-dependent.
If you enable counters on IP ACL rules that are already configured, those counters are reset when a new rule
is inserted or prepended. If a rule is appended, the existing counters are not affected. This is applicable to the
following features:
L2 Ingress Access list
L2 Egress Access list
L3 Ingress Access list
L3 Egress Access list
NOTE: IP ACLs are supported over VLANs in Dell Networking OS version 6.2.1.1 and higher.
ACLs and VLANs
There are some differences when assigning ACLs to a VLAN rather than a physical port.
For example, when using a single port-pipe, if you apply an ACL to a VLAN, one copy of the ACL entries is
installed in the ACL CAM on the port-pipe, and that entry matches on the incoming VLAN of the packet. If
instead you apply the ACL to the individual ports of a VLAN, a separate copy of the ACL entries is installed
for each port belonging to the port-pipe.
ACL Optimization
If an access list contains duplicate entries, the Dell Networking OS deletes one entry to conserve CAM space.
Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM entries
whether it is identified as a standard or extended ACL.
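The two rules above (duplicate entries are dropped, and every rule costs two CAM entries whether standard or extended), combined with the VLAN-versus-port installation difference from the previous section, determine how much ACL CAM a configuration consumes. The following Python model is an added example, not Dell Networking OS code; the rule set, port count and CAM budget are constructed values, and the "one copy per port-pipe for a VLAN, one copy per member port otherwise" behaviour is taken from the text above.

```python
"""Estimate ACL CAM consumption on one port-pipe using the rules stated
in the manual: exact duplicate entries are removed, each remaining rule
costs two CAM entries (standard or extended), an ACL applied to a VLAN
is installed once per port-pipe, and an ACL applied to individual ports
is installed once per member port on that port-pipe.

Added example; not Dell Networking OS code. Rules and budgets below are
constructed for illustration.
"""
from dataclasses import dataclass

# Stated in the section: a single ACL rule uses two CAM entries.
CAM_ENTRIES_PER_RULE = 2


@dataclass(frozen=True)
class Rule:
    """One ACL entry. A standard ACL is modelled with dst == 'any'."""
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", "udp", ...
    src: str      # prefix such as "20.0.0.0/8", "host x.x.x.x", or "any"
    dst: str      # prefix or "any"


def optimize(rules):
    """Return the rules with exact duplicates removed, first occurrence kept.
    Sequence numbers are deliberately not part of Rule: two entries with
    different sequence numbers but the same body still match the same
    traffic, and that is the duplicate the OS deletes to conserve CAM."""
    seen = set()
    kept = []
    for rule in rules:
        if rule not in seen:
            seen.add(rule)
            kept.append(rule)
    return kept


def cam_entries(rules, applied_to, ports_per_pipe=1):
    """CAM entries consumed on one port-pipe.

    applied_to: "vlan" -> one copy of the ACL on the port-pipe
                "port" -> one copy per member port on the port-pipe
    """
    if applied_to not in ("vlan", "port"):
        raise ValueError("applied_to must be 'vlan' or 'port'")
    copies = 1 if applied_to == "vlan" else ports_per_pipe
    return len(optimize(rules)) * CAM_ENTRIES_PER_RULE * copies


def fits(rules, applied_to, ports_per_pipe, cam_budget):
    """True when the ACL fits the (hardware-dependent, here constructed) budget."""
    return cam_entries(rules, applied_to, ports_per_pipe) <= cam_budget


# Constructed rule set: the second permit for 20.0.0.0/8 is an exact
# duplicate and will be dropped by optimize().
SAMPLE_RULES = [
    Rule("permit", "ip", "20.0.0.0/8", "any"),
    Rule("deny", "tcp", "10.1.0.0/16", "any"),
    Rule("permit", "ip", "20.0.0.0/8", "any"),
    Rule("permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    print("unique rules:", len(optimize(SAMPLE_RULES)))
    print("VLAN-applied, 1 port-pipe:", cam_entries(SAMPLE_RULES, "vlan"))
    print("port-applied, 4 ports on pipe:", cam_entries(SAMPLE_RULES, "port", 4))
```

Applying the same ACL per port multiplies CAM use by the number of member ports on the port-pipe, which is why a VLAN-level ACL is the cheaper choice when the intent is the same policy on every member port.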
Determine the Order in which ACLs are Used to Classify Traffic
When you link class-maps to queues using the service-queue command, the Dell Networking OS matches
the class-maps according to queue priority (queue numbers closer to 0 have lower priorities).
As shown in the following example, class-map cmap2 is matched against ingress packets before cmap1.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.
Therefore (without the keyword order), packets within the range 20.1.1.0/24 match positive against cmap1
Access Control Lists (ACLs) 149
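The precedence rule described here (class-maps on higher-numbered queues are evaluated first, so with overlapping ACL rules the first class-map evaluated wins rather than the most specific prefix) can be checked before a policy is deployed. The following Python model is an added example, not Dell Networking OS code. Which ACL sits on which queue, and which ACL holds the /8 versus the /24, are constructed choices; the treatment of the `order` keyword as a per-rule value where a lower number is evaluated first is an assumption made for this model.

```python
"""Model class-map evaluation order for class-maps bound to queues with
service-queue: higher-numbered queues are evaluated first (queue numbers
closer to 0 have lower priority), and the first positive match wins.
An optional per-rule `order` value (modelled after the manual's "order"
keyword; lower value = evaluated first, an assumption) overrides the
queue-based precedence.

Added example; not Dell Networking OS code. Queue assignments and ACL
contents are constructed to reproduce the overlap the manual describes
(20.1.1.0/24 lies inside 20.0.0.0/8).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    prefix: str
    order: Optional[int] = None  # explicit precedence; None = use queue precedence

    def matches(self, src_ip):
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.prefix)


@dataclass
class ClassMap:
    name: str
    rules: list


def classify(src_ip, service_queues):
    """service_queues maps queue number -> ClassMap.
    Returns (queue, class_map_name) for the winning class-map, or None."""
    hits = []
    for queue, cmap in service_queues.items():
        for rule in cmap.rules:
            if rule.matches(src_ip):
                hits.append((queue, cmap.name, rule))
    if not hits:
        return None

    def precedence(hit):
        queue, _name, rule = hit
        # Rules carrying an explicit order beat everything else, lowest first;
        # otherwise the higher-numbered queue is evaluated first.
        return (0, rule.order) if rule.order is not None else (1, -queue)

    queue, name, _rule = min(hits, key=precedence)
    return (queue, name)


def overlapping_rules(service_queues):
    """Pre-deployment check: list (narrow_prefix, wide_prefix, winner) for every
    rule whose prefix is contained in a rule of another class-map, with the
    class-map that would actually classify traffic from the narrow range."""
    entries = [(q, cm.name, r) for q, cm in service_queues.items() for r in cm.rules]
    report = []
    for _qa, name_a, rule_a in entries:
        for _qb, name_b, rule_b in entries:
            if name_a == name_b:
                continue
            net_a = ipaddress.ip_network(rule_a.prefix)
            net_b = ipaddress.ip_network(rule_b.prefix)
            if net_a != net_b and net_a.subnet_of(net_b):
                winner = classify(str(net_a.network_address), service_queues)[1]
                report.append((rule_a.prefix, rule_b.prefix, winner))
    return report


# Constructed policy: cmap2 (acl2, 20.0.0.0/8) on queue 7 is evaluated before
# cmap1 (acl1, 20.1.1.0/24) on queue 4, so the broad /8 captures the /24 too.
SERVICE_QUEUES = {
    7: ClassMap("cmap2", [AclRule("20.0.0.0/8")]),
    4: ClassMap("cmap1", [AclRule("20.1.1.0/24")]),
}

# Same policy with an explicit order on the /24 rule so the specific range
# is classified by cmap1 regardless of queue number.
SERVICE_QUEUES_ORDERED = {
    7: ClassMap("cmap2", [AclRule("20.0.0.0/8")]),
    4: ClassMap("cmap1", [AclRule("20.1.1.0/24", order=0)]),
}

if __name__ == "__main__":
    print("no order  :", classify("20.1.1.5", SERVICE_QUEUES))
    print("with order:", classify("20.1.1.5", SERVICE_QUEUES_ORDERED))
    print("overlaps  :", overlapping_rules(SERVICE_QUEUES))
```

Running `overlapping_rules` on a policy before applying it surfaces exactly the case the manual warns about: a narrow prefix that will never reach its intended class-map because a broader prefix on a higher-numbered queue is evaluated first.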