Access Profile Table - D-Link DES-6500 - Switch User Manual

Modular layer 3 chassis ethernet switch

Access Profile Table

Access profiles allow users to establish criteria to determine whether the Switch will forward packets based on the information
contained in each packet's header. These criteria can be specified on a basis of VLAN, MAC address, IP address or IPv6 address.
Due to a chipset limitation, the Switch supports a maximum of 8 access profiles. The rules used to define the access profiles are
limited to a total of 9600 rules for the Switch, depending on line cards installed.
There is an additional limitation on how the rules are distributed among line cards inserted into the chassis. For Fast Ethernet line
cards (DES-6504, DES-6506, DES-6508, DES-6510), ports are divided into ACL Groups, consisting of ports 1-8, ports 9-16 and
ports 17-24, except the DES-6504 which has two groups, 1-8 and 9-12. These groups support 240 rules maximum each, which
leads to a total of 720 rules maximum per 24-port line card. Since the Switch can hold up to 8 line cards, the maximum number of
ACL rules will be 5760 (240 * 3 * 8 = 5760).
For Gigabit Ethernet line cards (DES-6505, DES-6507, DES-6509) and the 10-Gigabit DES-6512, all ports can support 100 rules
each, which means that the maximum number of ACL rules using the maximum number of inserted 12-port line cards will be
9600 (12 * 100 * 8 = 9600). For a better understanding of ACL rules pertaining to DES-6500 line cards, see the following table:

| Line Card | Ports / Groups | Maximum Supported Rules Per Unit | Maximum Supported Rules Per Line Card | Maximum Supported Rules Per Full Chassis |
|---|---|---|---|---|
| DES-6504 | 2 Groups (ports 1-8 and 9-12) | 240 Rules Maximum per group | 480 Total Rules | 3840 Rules Maximum |
| DES-6508 | 2 Groups (ports 1-8 and 9-16) | 240 Rules Maximum per group | 480 Total Rules | 3840 Rules Maximum |
| DES-6506/DES-6510 | 3 Groups (ports 1-8, 9-16 and 17-24) | 240 Rules Maximum per group | 720 Total Rules | 5670 Rules Maximum |
| DES-6505 | 8 Ports | 100 Rules Maximum Per Port | 800 Total Rules | 6400 Rules Maximum |
| DES-6507 | 12 Ports | 100 Rules Maximum Per Port | 1200 Total Rules | 9600 Rules Maximum |
| DES-6509 | 12 Ports | 100 Rules Maximum Per Port | 1200 Total Rules | 9600 Rules Maximum |
| DES-6512 | 2 Ports | 100 Rules Maximum Per Port | 200 Total Rules | 1600 Rules Maximum |

It is important to keep this in mind when setting up VLANs as well. Access rules applied to a VLAN require that a rule be created
for each port in the VLAN. For example, let's say VLAN10 contains ports 2, 11 and 12. If you create an access profile specifically
for VLAN10, you must create a separate rule for each port. Now take into account the rule limit. The rule limit applies to both port
groups 1-8 and 9-16, since VLAN10 spans these groups. One fewer rule is available for port group 1-8. Two fewer rules are available
for port group 9-16. In addition, a total of three rules count against the 9600-rule Switch limit.
It must be noted that there are specific circumstances under which the ACL cannot filter a packet even when there is a condition
match that should deny forwarding. This limitation may arise if:
- the destination MAC is the same as the Switch (system) MAC
- a packet is directed to the system IP interface, such as multicast IP packets, or the hardware IP routing table is full and
  Switch software routes the packet according to the routing protocol.
The DES-6500 offers four ways of creating access profile entries on the Switch: Ethernet (MAC Address), IP, Packet
Content and IPv6.
Creating an access profile is divided into two basic parts. The first is to specify which part or parts of a frame the Switch will
examine, such as the MAC source address or the IP destination address. The second part is entering the criteria the Switch will use
to determine what to do with the frame. The entire process is described below.
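
The per-port rule accounting described above for VLAN10 can be checked before any rules are entered on the Switch. The following Python code is an added example, not part of the D-Link manual: the function names and the constructed plan are assumptions, the limits and port groups are taken from the table on this page, and it budgets a single line card.

```python
# Added example: budget check for the ACL rule limits quoted on this page.
FE_GROUP_LIMIT = 240  # rules per ACL group, Fast Ethernet line cards
GE_PORT_LIMIT = 100   # rules per port, Gigabit and 10-Gigabit line cards

# ACL groups (first_port, last_port) per Fast Ethernet card, from the table.
FE_GROUPS = {
    "DES-6504": [(1, 8), (9, 12)],
    "DES-6508": [(1, 8), (9, 16)],
    "DES-6506": [(1, 8), (9, 16), (17, 24)],
    "DES-6510": [(1, 8), (9, 16), (17, 24)],
}
GE_PORTS = {"DES-6505": 8, "DES-6507": 12, "DES-6509": 12, "DES-6512": 2}


def buckets(card):
    """Return [(first_port, last_port, limit)] for one line card model."""
    if card in FE_GROUPS:
        return [(lo, hi, FE_GROUP_LIMIT) for lo, hi in FE_GROUPS[card]]
    if card in GE_PORTS:
        return [(p, p, GE_PORT_LIMIT) for p in range(1, GE_PORTS[card] + 1)]
    raise ValueError(f"unknown line card: {card}")


def rule_budget(card, planned):
    """planned: [(rule_count, ports)]; each rule costs one entry per port.
    Returns ({(first, last): (used, limit)}, total_entries), buckets in use only.
    """
    usage, total = {}, 0
    for count, ports in planned:
        for port in ports:
            match = [b for b in buckets(card) if b[0] <= port <= b[1]]
            if not match:
                raise ValueError(f"{card} has no port {port}")
            lo, hi, limit = match[0]
            used, _ = usage.get((lo, hi), (0, limit))
            usage[(lo, hi)] = (used + count, limit)
            total += count
    return usage, total


def over_limit(usage):
    """Buckets whose planned entries exceed the hardware limit."""
    return sorted(k for k, (used, limit) in usage.items() if used > limit)


if __name__ == "__main__":
    # Constructed plan: one rule for VLAN10 (ports 2, 11, 12) on a DES-6510.
    usage, total = rule_budget("DES-6510", [(1, [2, 11, 12])])
    print(usage, total, over_limit(usage))
```

Each tuple in `planned` is a number of rules and the ports they apply to, so a VLAN-wide rule set is entered once with the VLAN's member ports.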


This manual is also suitable for:

xStack DES-6500
