D-Link xStack DES-6500 CLI Manual, page 228

xStack DES-6500 Modular Layer 3 Chassis Ethernet Switch CLI Manual
Due to a chipset limitation, the Switch supports a maximum of 8 access profiles. The rules used to define the access profiles are limited to a total of 9600 for the whole Switch; the ceiling actually reachable depends on the line cards installed.
There is an additional limitation on how the rules are distributed among the line cards inserted into the chassis. On 24-port line cards (DES-6504, DES-6508, DES-6510) the rules are budgeted per group of eight ports: ports 1-8 support a maximum of 240 rules, ports 9-16 a maximum of 240 rules, and ports 17-24 a maximum of 240 rules, for a total of 720 rules per 24-port line card. Since the Switch can hold up to 8 line cards, a chassis fully populated with 24-port cards supports at most 5760 ACL rules (240 * 3 * 8 = 5760).
On 12-port line cards (DES-6505, DES-6507, DES-6509, DES-6512) every port supports 100 rules of its own, so a chassis fully populated with 12-port line cards reaches the 9600-rule Switch limit (12 * 100 * 8 = 9600).
It is important to keep this in mind when setting up VLANs as well. An access rule applied to a VLAN requires that a rule be created for each port in the VLAN. For example, suppose VLAN10 contains ports 2, 11 and 12 of a 24-port line card. If you create an access profile specifically for VLAN10, a separate rule is consumed for each of those ports. Now take the rule limit into account: VLAN10 spans port groups 1-8 and 9-16, so both groups are charged. One fewer rule is available in port group 1-8 (port 2), and two fewer rules are available in port group 9-16 (ports 11 and 12). In addition, all three rules count against the 9600-rule Switch limit.
In the example used above, config access_profile profile_id 1 add access_id 1 ip source_ip 10.42.73.1 port 7 deny, a single access rule was created. This rule subtracts one rule from those available to port group 1-8, and one rule from the total available to the Switch.
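The per-pool accounting described above is easy to get wrong when a profile is scoped to a VLAN that straddles port groups, so the following planner models it. This is an added example written for this page, not code from D-Link or the manual; the limits it encodes (240 rules per 8-port group on 24-port cards, 100 rules per port on 12-port cards, 9600 rules and 8 profiles per Switch, 8 slots) are the ones stated in the text, while the slot and profile bookkeeping, the function names and the sample chassis population are assumptions made for illustration.

```python
"""Rule-budget planner for DES-6500 ACL rules (added example; not D-Link code).

Limits come from the manual text: 24-port cards budget 240 rules for each of
the port groups 1-8, 9-16 and 17-24; 12-port cards budget 100 rules per port;
the Switch holds at most 8 line cards, 8 access profiles and 9600 rules.  A rule
bound to a VLAN costs one rule on every member port.  Slot numbering and the
class/function names below are assumptions for illustration.
"""
from collections import defaultdict

SWITCH_RULE_LIMIT = 9600     # whole-Switch ACL rule ceiling
MAX_PROFILES = 8             # access-profile ceiling
MAX_SLOTS = 8                # line-card slots in the chassis
CARD_24 = "24-port"          # DES-6504 / DES-6508 / DES-6510
CARD_12 = "12-port"          # DES-6505 / DES-6507 / DES-6509 / DES-6512


def rule_pool(card_type, port):
    """Return (pool name, pool limit) for the hardware pool this port draws from."""
    if card_type == CARD_24:
        if not 1 <= port <= 24:
            raise ValueError(f"port {port} is not on a 24-port card")
        first = ((port - 1) // 8) * 8 + 1          # 1, 9 or 17
        return f"ports {first}-{first + 7}", 240
    if card_type == CARD_12:
        if not 1 <= port <= 12:
            raise ValueError(f"port {port} is not on a 12-port card")
        return f"port {port}", 100
    raise ValueError(f"unknown card type {card_type!r}")


def card_capacity(card_type):
    """Maximum rules one line card can hold: 3 * 240 or 12 * 100."""
    if card_type == CARD_24:
        return 3 * 240
    if card_type == CARD_12:
        return 12 * 100
    raise ValueError(f"unknown card type {card_type!r}")


def chassis_capacity(slots):
    """Rule ceiling for a chassis population {slot: card_type}, capped at 9600."""
    if len(slots) > MAX_SLOTS:
        raise ValueError("DES-6500 holds at most 8 line cards")
    return min(SWITCH_RULE_LIMIT, sum(card_capacity(c) for c in slots.values()))


class RuleBudget:
    """Tracks rule consumption per pool and for the whole Switch."""

    def __init__(self, slots):
        if len(slots) > MAX_SLOTS:
            raise ValueError("DES-6500 holds at most 8 line cards")
        self.slots = dict(slots)          # slot number -> card type
        self.used = defaultdict(int)      # (slot, pool name) -> rules consumed
        self.total = 0                    # rules consumed Switch-wide
        self.profiles = set()             # profile ids seen so far

    def add_rule(self, profile_id, slot, ports):
        """Consume one rule per port; a VLAN-scoped rule costs one per member port.

        The check is all-or-nothing: if any pool or the Switch total would
        overflow, nothing is consumed and ValueError is raised.  Returns the
        new Switch-wide rule count.
        """
        if profile_id not in self.profiles and len(self.profiles) >= MAX_PROFILES:
            raise ValueError("maximum of 8 access profiles reached")
        card = self.slots[slot]
        ports = list(ports)
        needed = defaultdict(int)         # (slot, pool) -> rules this call wants
        limits = {}
        for port in ports:
            pool, limit = rule_pool(card, port)
            needed[(slot, pool)] += 1
            limits[(slot, pool)] = limit
        if self.total + len(ports) > SWITCH_RULE_LIMIT:
            raise ValueError("Switch-wide limit of 9600 rules exceeded")
        for key, n in needed.items():
            if self.used[key] + n > limits[key]:
                raise ValueError(f"slot {key[0]} {key[1]}: {limits[key]}-rule pool exceeded")
        for key, n in needed.items():
            self.used[key] += n
        self.total += len(ports)
        self.profiles.add(profile_id)
        return self.total

    def remaining(self, slot, port):
        """Rules still available in the pool that serves this port."""
        pool, limit = rule_pool(self.slots[slot], port)
        return limit - self.used[(slot, pool)]


if __name__ == "__main__":
    # Constructed scenario mirroring the manual: one 24-port card in slot 1,
    # VLAN10 = ports 2, 11, 12, then the port-7 deny rule quoted in the text.
    budget = RuleBudget({1: CARD_24})
    budget.add_rule(1, 1, [2, 11, 12])   # VLAN10 profile: one rule per member port
    budget.add_rule(1, 1, [7])           # config access_profile ... port 7 deny
    print(budget.remaining(1, 2), budget.remaining(1, 11), budget.total)  # prints 238 238 4
```

Because a VLAN rule is charged once per member port, the planner rejects a VLAN-scoped rule as soon as any one of the pools it touches is full, even if the Switch-wide total is nowhere near 9600; that is the failure mode worth testing for before a maintenance window rather than discovering it when the CLI refuses the rule.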
It must be noted that there are specific circumstances under which the ACL cannot filter a packet even when a condition matches that should deny forwarding. This limitation may arise if:
- the destination MAC is the same as the Switch (system) MAC; or
- a packet is directed to the system IP interface (for example, multicast IP packets), or the hardware IP routing table is full and the Switch software routes the packet according to the routing protocol.
In order to address this functional limitation of the chip set, an additional function, CPU Interface Filtering, has been added. CPU Interface Filtering may be enabled or disabled globally. Setting up CPU Interface Filtering follows the same syntax as ACL configuration and requires some of the same input parameters. To configure CPU Interface Filtering, see the descriptions below for create cpu access_profile and config cpu access_profile. To enable CPU Interface Filtering, see config cpu_interface_filtering.
The DES-6500 has four ways of creating access profile entries on the Switch: Ethernet (MAC address), IP, Packet Content and IPv6. Because the full access profile commands are complex, the command has been split into four pieces to make it easier to understand and therefore simpler to configure. The beginning of this section displays the create access_profile and config access_profile commands in their entirety. The following table divides these commands into the defining features necessary to properly configure an access profile. Remember that these are not the complete commands, but the easiest way to implement Access Control Lists on the Switch.
Due to a backward compatibility issue, when a user upgrades to R3 firmware (3.00-B21), all settings previously configured for any ACL function (CPU ACL included) on the Switch will be lost. We recommend that the user save a configuration file of the current settings before upgrading to R3 firmware.