Reference Guide
To allocate the number of FP blocks for ACL VLAN optimization, enter the cam-acl-vlan vlanaclopt
<0-2> command. After you configure ACL VLAN CAM, reboot the switch to enable CAM allocation for
ACL VLAN optimization.
To display the number of FP blocks currently allocated to different ACL VLAN services, enter the show
cam-acl-vlan command.
To display the amount of CAM space currently used and available for Layer 2 and Layer 3 ACLs on the
switch, enter the show cam-usage command.
Implementing ACLs on Dell Networking OS
You can assign one IP ACL per interface. An IP ACL that is not assigned to an interface has no effect;
the software does not use it until it is applied.
The number of entries allowed per ACL is hardware-dependent.
If counters are enabled on ACL rules that are already configured, those counters are reset when a new
rule that is inserted, prepended, or appended requires a hardware shift in the flow table. The reset to 0 is
transient: the original counter values are restored after a few seconds. If the new rule does not require
a shift of the flow in hardware, the counters are not affected. This applies to the following
features:
• L2 Ingress Access list
• L2 Egress Access list
NOTE: IP ACLs are supported over VLANs in Dell Networking OS version 6.2.1.1 and higher.
Assigning ACLs to VLANs
When you apply an ACL to a VLAN on a single port-pipe, one copy of the ACL entries is installed in the
ACL CAM of that port-pipe, and each entry matches on the VLAN of the incoming packet. When you apply an
ACL on individual ports of a VLAN instead, a separate copy of the ACL entries is installed for each port
belonging to the port-pipe, so per-port application consumes proportionally more CAM space.
You can use the log keyword to log the details of packets that match a rule. The load this places on the
control processor depends on the number of packets that match the log entry and the rate at which they
are logged; the route processor (RP) is unaffected. Use this option for debugging issues related to
control traffic rather than as a permanent setting on high-volume rules.
ACL Optimization
If an access list contains duplicate entries, Dell Networking OS deletes one entry to conserve CAM space.
Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM
entries to identify whether the access list is a standard or extended ACL.
Determine the Order in which ACLs are Used to Classify Traffic
When you link class-maps to queues using the service-queue command, Dell Networking OS matches
the class-maps according to queue priority (queue numbers closer to 0 have lower priorities).
As shown in the following example, class-map cmap2 is matched against ingress packets before cmap1.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.
Therefore (without the keyword order), packets within the range 20.1.1.0/24 match positive against
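The following is an added illustration, not Dell Networking OS code, of the two behaviours described in the ACL Optimization section and in the ordering example above: duplicate ACL entries being dropped to conserve CAM space (with two CAM entries charged per remaining rule), and overlapping prefixes such as 20.1.1.0/24 inside 20.0.0.0/8 being resolved by class-map evaluation order, higher queue number first. The simplified rule syntax, the mapping of acl1/acl2 to cmap1/cmap2, the queue numbers and the sample addresses are assumptions made for the example; the order keyword is not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Dell Networking OS code. Rule syntax, class-map/ACL
# mapping and queue numbers are assumptions for the illustration.

CAM_ENTRIES_PER_RULE = 2  # the guide states a single ACL rule uses two CAM entries


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network    # source prefix the rule matches


def parse_rule(line: str) -> Rule:
    """Parse a simplified (hypothetical) rule such as 'permit ip 20.1.1.0/24',
    'permit ip 20.1.1.0 0.0.0.255' (wildcard mask) or 'deny ip any'."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported rule: {line!r}")
    action, src = tokens[0], tokens[2]
    if src == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif len(tokens) == 4:
        # Wildcard-mask form; ipaddress accepts a hostmask after the slash.
        net = ipaddress.ip_network(f"{src}/{tokens[3]}", strict=False)
    else:
        net = ipaddress.ip_network(src, strict=False)
    return Rule(action, net)


def dedupe(rules):
    """Drop duplicate entries, keeping the first occurrence (the guide says the OS
    deletes duplicates to conserve CAM). Canonical Rules make '20.1.1.0/24' and
    '20.1.1.0 0.0.0.255' compare equal."""
    seen, unique = set(), []
    for r in rules:
        if r not in seen:
            seen.add(r)
            unique.append(r)
    return unique


def cam_entries(rules):
    """CAM entries an ACL consumes after duplicate removal."""
    return CAM_ENTRIES_PER_RULE * len(dedupe(rules))


def overlaps(acl_a, acl_b):
    """Rule pairs whose source prefixes nest (one is a subnet of the other)."""
    return [(str(a.src), str(b.src))
            for a in acl_a for b in acl_b
            if a.src.subnet_of(b.src) or b.src.subnet_of(a.src)]


def acl_permits(rules, src_ip) -> bool:
    """First-match evaluation within one ACL; no match is an implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in r.src:
            return r.action == "permit"
    return False


def classify(src_ip, class_maps):
    """Name of the first class-map whose ACL permits src_ip, or None.

    class_maps: list of (name, queue, rules). Without the order keyword the
    guide says class-maps are matched by queue priority, and queue numbers
    closer to 0 have lower priority, so higher queue numbers are tried first.
    """
    for name, _queue, rules in sorted(class_maps, key=lambda cm: cm[1], reverse=True):
        if acl_permits(rules, src_ip):
            return name
    return None


# Constructed sample configuration: acl1 holds the same /24 written two ways
# (a duplicate), acl2 holds the enclosing /8; cmap2 sits on the higher queue.
ACL1 = [parse_rule(l) for l in ("permit ip 20.1.1.0/24", "permit ip 20.1.1.0 0.0.0.255")]
ACL2 = [parse_rule(l) for l in ("permit ip 20.0.0.0/8",)]
CLASS_MAPS = [("cmap1", 1, dedupe(ACL1)), ("cmap2", 2, dedupe(ACL2))]

if __name__ == "__main__":
    print("acl1 CAM entries after dedupe:", cam_entries(ACL1))
    print("overlapping prefixes:", overlaps(dedupe(ACL1), ACL2))
    for ip in ("20.1.1.5", "20.2.0.1", "10.0.0.1"):
        print(ip, "->", classify(ip, CLASS_MAPS))
```

Because cmap2 is evaluated first, a packet from 20.1.1.5 is classified by cmap2 even though cmap1's more specific /24 also covers it; reordering the queues, or using the order keyword the guide mentions, is what changes that outcome, not the specificity of the prefix.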