Implementing ACLs on FTOS - Dell Force10 Z9000 Configuration Manual

FTOS Configuration Guide for the Z9000 System

Implementing ACLs on FTOS

One IP ACL can be assigned per interface with FTOS. If an IP ACL is not assigned to an interface, it is not
used by the software in any other capacity.
The number of entries allowed per ACL is hardware-dependent. Refer to your line card documentation for
the detailed specification of the number of entries allowed per ACL.
If counters are enabled on IP ACL rules that are already configured, those counters are reset when a new
rule is inserted or prepended. If a rule is appended, the existing counters are not affected. This applies
to the following features:
L2 Ingress Access list
L2 Egress Access list
L3 Egress Access list
Note: IP ACLs are supported over VLANs in Version 6.2.1.1 and higher.
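The counter behaviour described above, as an added configuration example (this is not from the guide; the ACL name, interface and addresses are made up): two counted rules are configured in an extended IP ACL and applied inbound on one port, then one rule is inserted between the existing sequence numbers (which resets the existing counters) and one is appended after them (which leaves the counters alone).

```text
! Added example, not from the guide. ACL name, addresses and port are assumptions.
! Two counted rules in an extended IP ACL
FTOS(conf)#ip access-list extended web-in
FTOS(config-ext-nacl)#seq 10 permit tcp 10.1.1.0/24 any eq 443 count
FTOS(config-ext-nacl)#seq 20 deny ip any any count
FTOS(config-ext-nacl)#exit
! One IP ACL per interface: apply it inbound on a single port
FTOS(conf)#interface tengigabitethernet 0/1
FTOS(conf-if-te-0/1)#ip access-group web-in in
FTOS(conf-if-te-0/1)#end
! After some traffic has flowed, read the hit counters for the applied ACL
FTOS#show ip accounting access-list web-in interface tengigabitethernet 0/1
FTOS#configure
! seq 15 is INSERTED between the existing seq 10 and seq 20:
! the counters already accumulated on seq 10 and seq 20 are reset
FTOS(conf)#ip access-list extended web-in
FTOS(config-ext-nacl)#seq 15 permit udp 10.1.1.0/24 any eq 53 count
! seq 30 is APPENDED after the last existing entry:
! the existing counters on seq 10, 15 and 20 are left untouched
FTOS(config-ext-nacl)#seq 30 permit icmp any any count
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list web-in interface tengigabitethernet 0/1
```

If you rely on the counters for troubleshooting or for evidence, take a snapshot of the `show ip accounting access-list` output before inserting a rule; append new rules (a sequence number higher than the current last entry) whenever ordering allows, so the existing counters survive.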
ACLs and VLANs
There are some differences between assigning an ACL to a VLAN and assigning it to a physical port. For
example, on a single port-pipe, if you apply an ACL to a VLAN, one copy of the ACL entries is installed in
the ACL CAM of that port-pipe, and each entry also matches on the incoming VLAN of the packet. If instead
you apply the ACL to the individual ports of the VLAN, a separate copy of the ACL entries is installed for
each port belonging to the port-pipe.
When you use the log keyword, the CP processor has to log details about every packet that matches the rule.
Depending on how many packets match the log entry and at what rate, the CP might become busy logging these
packets' details. However, the other processors (RP1 and RP2) should be unaffected. This option is typically
useful when debugging a problem related to control traffic. We have used this option numerous times in the
field and have not encountered any problems in such usage so far.
ACL Optimization
If an access list contains duplicate entries, FTOS deletes one entry to conserve CAM space.
Standard and Extended ACLs take up the same amount of CAM space. A single ACL rule uses 2 CAM
entries whether it is identified as a Standard or Extended ACL.
Determine the order in which ACLs are used to classify traffic
When you link class-maps to queues using the service-queue command, FTOS matches the class-maps
according to queue priority (queue numbers closer to 0 have lower priorities). For example, in Figure 6-2,
class-map cmap2 is matched against ingress packets before cmap1.
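The VLAN-versus-port CAM difference and the log keyword caveat above, as one added configuration example (not from the guide; the ACL name, VLAN, ports and addresses are made up): the same ACL is applied once to a VLAN interface, and alternatively to two member ports on the same port-pipe, and its only logged rule is kept narrow so that the CP is not flooded with matches.

```text
! Added example, not from the guide. ACL name, VLAN, ports and addresses are assumptions.
FTOS(conf)#ip access-list extended mgmt-in
! Every match on a "log" rule is handed to the CP for logging. Qualify the rule
! as tightly as possible (one host, one port) so only control traffic of interest hits it.
FTOS(config-ext-nacl)#seq 5 permit tcp any host 10.0.0.1 eq 22 log
FTOS(config-ext-nacl)#seq 10 permit ip any any
FTOS(config-ext-nacl)#exit
! Option A: apply to the VLAN. One copy of the entries is installed in the
! port-pipe's ACL CAM, qualified on the incoming VLAN of the packet.
FTOS(conf)#interface vlan 100
FTOS(conf-if-vl-100)#ip access-group mgmt-in in
FTOS(conf-if-vl-100)#exit
! Option B: apply to each member port instead. A separate copy of the entries
! is installed per port, so two ports on one port-pipe cost twice the CAM.
FTOS(conf)#interface tengigabitethernet 0/2
FTOS(conf-if-te-0/2)#ip access-group mgmt-in in
FTOS(conf-if-te-0/2)#exit
FTOS(conf)#interface tengigabitethernet 0/3
FTOS(conf-if-te-0/3)#ip access-group mgmt-in in
FTOS(conf-if-te-0/3)#end
```

Use Option A when the same policy covers every member of the VLAN, and Option B only when individual ports genuinely need different ACLs; either way, avoid putting log on a broad rule such as permit ip any any, since the CP has to process every matching packet.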