Access Profile Table - D-Link xStack DES-6500 User Manual

Modular layer 3 chassis ethernet switch

Access Profile Table

Access profiles allow you to establish criteria to determine whether the Switch will forward packets based on the
information contained in each packet's header. These criteria can be specified on the basis of VLAN, MAC address or IP
address.
Due to a chipset limitation, the Switch supports a maximum of 8 access profiles. The rules used to define the access
profiles are limited to a total of 9600 rules for the Switch, depending on line cards installed.
There is an additional limitation on how the rules are distributed among line cards inserted into the chassis. For 24-port line
cards (DES-6504, DES-6508, DES-6510), ports 1-8 can support 240 rules maximum, ports 9-16 support 240 rules
maximum and ports 17-24 support 240 rules maximum, which leads to a total of 720 rules maximum per 24-port line card.
Since the Switch can hold up to 8 line cards, the maximum number of ACL rules will be 5760 (240 * 3 * 8 = 5760).
For 12 port line cards (DES-6505, DES-6507, DES-6509, DES-6512), all ports can support 100 rules each, which means
that the maximum number of ACL rules using the maximum number of inserted 12-port line cards will be 9600 (12 * 100
* 8 = 9600).
It is important to keep this in mind when setting up VLANs as well. Access rules applied to a VLAN require that a rule be
created for each port in the VLAN. For example, let's say VLAN10 contains ports 2, 11 and 12. If you create an access
profile specifically for VLAN10, you must create a separate rule for each port. Now take into account the rule limit. The
rule limit applies to both port groups 1-8 and 9-16 since VLAN10 spans these groups. One fewer rule is available for port
group 1-8. Two fewer rules are available for port group 9-16. In addition, a total of three rules count toward the 9600-rule
Switch limit.
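The rule accounting described above, as an added example that is not part of the D-Link manual: a Python sketch that checks planned VLAN access rules against the 240-rule port-group limit of 24-port line cards and the 9600-rule Switch limit. The (slot, port) addressing, the function names and the sample values are assumptions made for illustration.

```python
from collections import Counter

GROUP_LIMIT = 240     # rules per 8-port group on a 24-port line card (from the manual)
SWITCH_LIMIT = 9600   # total rules for the Switch (from the manual)

def port_group(port):
    """Map a port number 1-24 to its group label: '1-8', '9-16' or '17-24'."""
    if not 1 <= port <= 24:
        raise ValueError(f"port {port} is not on a 24-port line card")
    start = (port - 1) // 8 * 8 + 1
    return f"{start}-{start + 7}"

def acl_budget(vlan_ports, vlan_rules, already_used=None):
    """Return (per-group usage, total rules, list of exceeded limits).

    vlan_ports:   {vlan: [(slot, port), ...]}  VLAN membership (hypothetical layout)
    vlan_rules:   {vlan: n}  VLAN-wide access rules wanted; each one
                  costs one rule for every member port of that VLAN
    already_used: {(slot, group): n}  rules already configured (optional)
    """
    used = Counter(already_used or {})
    for vlan, n in vlan_rules.items():
        for slot, port in vlan_ports[vlan]:
            used[(slot, port_group(port))] += n
    total = sum(used.values())
    violations = [f"slot {s} ports {g}: {u} > {GROUP_LIMIT}"
                  for (s, g), u in sorted(used.items()) if u > GROUP_LIMIT]
    if total > SWITCH_LIMIT:
        violations.append(f"switch total: {total} > {SWITCH_LIMIT}")
    return dict(used), total, violations

if __name__ == "__main__":
    # Constructed sample: the manual's VLAN10 (ports 2, 11, 12), placed in slot 1.
    vlans = {"VLAN10": [(1, 2), (1, 11), (1, 12)]}
    usage, total, problems = acl_budget(vlans, {"VLAN10": 1})
    print(usage, total, problems)
    # 100 VLAN-wide rules with 50 rules already present in group 9-16 of slot 1
    # (constructed numbers) pushes that group past its limit.
    print(acl_budget(vlans, {"VLAN10": 100}, {(1, "9-16"): 50})[2])
```

A VLAN whose ports are concentrated in one port group exhausts that group's 240 rules long before the Switch-wide total is reached, so the per-group figure is the one to watch when planning deny rules.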
It must be noted that there are specific circumstances under which the ACL cannot filter a packet even when there is a
condition match that should deny forwarding. This is a limitation that may arise if:
• the destination MAC is the same as the Switch (system) MAC
• a packet is directed to the system IP interface such as multicast IP packets or if the hardware IP routing table is full
  and Switch software routes the packet according to routing protocol.
The DES-6500 has four ways of creating access profile entries on the Switch which include Ethernet (MAC Address), IP,
Packet Content and IPv6.
Creating an access profile is divided into two basic parts. The first is to specify which part or parts of a frame the Switch
will examine, such as the MAC source address or the IP destination address. The second part is entering the criteria the
Switch will use to determine what to do with the frame. The entire process is described below.
Due to a backward compatibility issue, when a user upgrades to R3 firmware (3.00-B29),
all settings previously configured for any ACL function (CPU ACL included) on the Switch
will be lost. We recommend that the user save a configuration file of current settings before
upgrading to R3 firmware.
xStack DES-6500 Modular Layer 3 Chassis Ethernet Switch User Manual