Design Safe, Efficient Acls; Identify The Ports - Avaya Cajun P882 User Manual

Multiservice switch

Design Safe, Efficient ACLs

Identify the Ports

Avaya P550R, P580, P880, and P882 Multiservice Switch User Guide, v5.3.1
The entry of ACL rules via the CLI, web or Avaya Policy Manager
does not encourage or enforce any checking beyond correct syntax.
The general guideline is that you are configuring a Layer-3 switch,
not a firewall! The following are some criteria for designing safe,
efficient ACLs and how they affect performance:
• Specify Destination Address: The wildcard feature of rule
  creation is a convenience but can explode the number of
  identified Flows. Since the "standard" ACL implies "any" for
  the destination, it should also be used with care. It is desirable
  for the wildcard to match a specific set of addresses.
• Use Protocols/Ports Carefully: Pushing the ACL-to-packet
  matching up one or two levels of the IP stack refines the
  granularity of the Flows to be very specific in what is matched.
  A source-port range can cause a large number of "micro" Flows
  to be created.
• Minimize Rules: The number of rules has a direct impact on
  the CPU effort to match rules to Flows. This is especially true
  when there is a high frequency of packets that are "walked
  down" the entire list and don't match any rules.
• Minimize Searching: The goal is to place the most frequently
  matched rules toward the beginning of the ACL. This requires a
  good knowledge of traffic patterns. The effect becomes more
  noticeable as ACLs get longer.
• Permit Management Traffic with High Priority: This includes
  routing updates (unicast for RIP 1, multicast for RIP 2), SNMP
  (CajunView, HPOV), LDAP (for Cajun Rules/Avaya Policy
  Manager). Not doing this can cause loss of management
  connectivity.
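The "Minimize Rules" and "Minimize Searching" criteria can be checked offline before an ACL is entered. The following is an added example, not part of the Avaya guide: it models a first-match ACL with a generic rule structure (not Avaya CLI syntax), counts how many rules each packet is compared against, and moves frequently hit rules upward without ever moving a rule past an overlapping rule that has a different action. All rule names, addresses and traffic counts are constructed.

```python
import ipaddress
from collections import Counter

# Constructed rule model, not Avaya CLI syntax. proto/dport of None mean "any".
def rule(name, action, src, dst, proto=None, dport=None):
    return dict(name=name, action=action, src=ipaddress.ip_network(src),
                dst=ipaddress.ip_network(dst), proto=proto, dport=dport)

def matches(r, p):
    return (ipaddress.ip_address(p["src"]) in r["src"]
            and ipaddress.ip_address(p["dst"]) in r["dst"]
            and r["proto"] in (None, p["proto"]) and r["dport"] in (None, p["dport"]))

def evaluate(acl, p):
    """First-match walk: returns (action, rule name, rules compared)."""
    for n, r in enumerate(acl, 1):
        if matches(r, p):
            return r["action"], r["name"], n
    return "default", None, len(acl)  # walked the entire list without a match

def overlaps(a, b):
    """True if some packet could match both rules."""
    same = lambda x, y: x is None or y is None or x == y
    return (a["src"].overlaps(b["src"]) and a["dst"].overlaps(b["dst"])
            and same(a["proto"], b["proto"]) and same(a["dport"], b["dport"]))

def reorder(acl, packets):
    """Bubble hot rules upward, never past an overlapping rule with a different action."""
    hits = Counter(evaluate(acl, p)[1] for p in packets)
    out = list(acl)
    for _ in out:
        for i in range(len(out) - 1):
            a, b = out[i], out[i + 1]
            blocked = overlaps(a, b) and a["action"] != b["action"]
            if hits[b["name"]] > hits[a["name"]] and not blocked:
                out[i], out[i + 1] = b, a
    return out

def cost(acl, packets):
    return sum(evaluate(acl, p)[2] for p in packets)

def pkt(src, dst, proto, dport):
    return dict(src=src, dst=dst, proto=proto, dport=dport)

ACL = [  # constructed example rules
    rule("deny-telnet", "deny", "0.0.0.0/0", "10.1.0.0/16", "tcp", 23),
    rule("deny-lab", "deny", "10.5.0.0/16", "10.1.2.0/24"),
    rule("permit-web", "permit", "0.0.0.0/0", "10.1.2.0/24", "tcp", 80),
    rule("permit-snmp", "permit", "10.9.9.0/24", "10.1.0.0/16", "udp", 161),
]
TRAFFIC = ([pkt("10.9.9.5", "10.1.0.1", "udp", 161)] * 60 + [pkt("192.0.2.10", "10.1.2.5", "tcp", 80)] * 30
           + [pkt("192.0.2.10", "10.1.2.5", "tcp", 23)] * 5 + [pkt("10.5.1.1", "10.1.2.5", "tcp", 80)] * 5)
```

Calling `reorder(ACL, TRAFFIC)` moves `permit-snmp` to the top, while `permit-web` stays below `deny-lab` because the two overlap with different actions and swapping them would change which packets are permitted.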
The chassis is organized by slots, fabric ports, PRE/F-Chips, and
physical ports. The number of F-Chips and physical ports varies with
the module type. This information is useful in spreading the
workload evenly among resources, and identifying possible choke
points:
• Every Fabric port can manage up to 4 F-Chips
• Slot 1 has 1 Fabric port only
Configuring IP Routing
9-37
