Managing ACL Resource Consumption; Oversubscribing Available Resources - HP 2530 Manual Supplement


Table 13 ACL rule and mask resource usage (continued)

| ACE Type | Rule Usage |
|---|---|
| Next ACE entered with a different ACL mask | 1 |
| Closing ACL with a deny any or permit any ACE having the same ACL mask as the preceding ACE | 1 |
| Closing ACL with a deny any or permit any ACE having a different ACL mask than the preceding ACE | 1 |
| Extended ACLs | |
| Implicit deny ip any (automatically included in any standard ACL, but not displayed by the show access-list <acl-#> command). | 1 |
| First ACE entered | 1 |
| Next ACE entered with same SA/DA ACL mask and same IP or TCP/UDP protocols specified | 2 |
| Next ACE entered with any of the following differences from preceding ACE in the list: different SA or DA ACL mask; different protocol (IP as opposed to TCP/UDP) specified in either the SA or DA | 1 |
| Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with the same SA and DA ACL masks | 1 |
| Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with different SA and/or DA ACL masks | 1 |

Use the following CLI commands for planning and monitoring rule and mask usage in an ACL configuration.

Syntax:
access-list resources help
Provides a quick reference on how ACLs use rule resources. Includes most of the information in "ACL rule and mask resource usage" (page 68), plus an ACL usage summary.

Syntax:
show access-list resources
Shows the number of rules used, maximum rules available, resources used and resources required for ACLs created with Identity Manager (IDM) and for ACLs created with the CLI.

Managing ACL resource consumption

As shown in "ACL rule and mask resource usage" (page 68), changes in IP subnet masks or changes in IP or TCP/UDP applications among consecutive ACEs in an assigned ACL can rapidly consume resources. Adding a new ACE to an ACL consumes one rule. An extensive ACL configuration can fully subscribe the 128 rule resources available on the switch.

Oversubscribing available resources

If a given ACL requires more rule resources than are available, then the switch cannot apply the ACL to any interfaces specified for that ACL. In this case, the access-group command fails and the CLI displays the following:
In the CLI:
Unable to apply access control list.
In the Event Log (and in a Syslog server, if configured on the switch):
