Table of Contents
Advertisement
ACL Optimization
If an access list contains duplicate entries, Dell Networking OS deletes one entry to conserve CAM space.
Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM entries
to identify whether the access list is a standard or extended ACL.
Determine the Order in which ACLs are Used to Classify
Traffic
When you link class-maps to queues using the service-queue command, Dell Networking OS matches the
class-maps according to queue priority (queue numbers closer to 0 have lower priorities).
As shown in the following example, class-map cmap2 is matched against ingress packets before cmap1.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.
Therefore (without the keyword order), packets within the range 20.1.1.0/24 match positive against cmap1
and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be
buffered in queue 4.
In cases where class-maps with overlapping ACL rules are applied to different queues, use the order
keyword to specify the order in which you want to apply ACL rules. The order can range from 0 to 254. Dell
Networking OS writes to the CAM ACL rules with lower-order numbers (order numbers closer to 0) before
rules with higher-order numbers so that packets are matched as you intended. By default, all ACL rules have
an order of 255.
Example of the
order
Dell(conf)#ip access-list standard acl1
Dell(config-std-nacl)#permit 20.0.0.0/8
Dell(config-std-nacl)#exit
Dell(conf)#ip access-list standard acl2
Dell(config-std-nacl)#permit 20.1.1.0/24 order 0
Dell(config-std-nacl)#exit
Dell(conf)#class-map match-all cmap1
Dell(conf-class-map)#match ip access-group acl1
Dell(conf-class-map)#exit
Dell(conf)#class-map match-all cmap2
Dell(conf-class-map)#match ip access-group acl2
Dell(conf-class-map)#exit
Dell(conf)#policy-map-input pmap
Dell(conf-policy-map-in)#service-queue 7 class-map cmap1
Dell(conf-policy-map-in)#service-queue 4 class-map cmap2
Dell(conf-policy-map-in)#exit
Dell(conf)#interface te 10/1
Dell(conf-if-te-10/1)#service-policy input pmap
Important Points to Remember
•
For route-maps with more than one match clause:
•
Two or more match clauses within the same route-map sequence have the same match
commands (though the values are different), matching a packet against these clauses is a logical
OR operation.
Keyword to Determine ACL Sequence
Access Control Lists (ACLs)
141
Advertisement
Table of Contents
Troubleshooting
