Edge-Core ES3528MV2 Management Manual page 350

Edge-core 28-port fast ethernet layer 2 switch
Security Measures
Chapter 13: Access Control Lists
Command Usage
The following restrictions apply to ACLs:
The maximum number of ACLs is 64.
The maximum number of rules per system is 512 rules.
An ACL can have up to 64 rules. However, due to resource restrictions,
the average number of rules bound to the ports should not exceed 20.
The maximum number of rules that can be bound to the ports is 64 for
each of the following list types: MAC ACLs, IP ACLs (including Standard
and Extended ACLs), IPv6 Standard ACLs, and IPv6 Extended ACLs.
The maximum number of rules (Access Control Entries, or ACEs) stated
above is the worst case scenario. In practice, the switch compresses
the ACEs in TCAM (a hardware table used to store ACEs), but the actual
maximum number of ACEs possible depends on too many factors to be
precisely determined. It depends on the amount of hardware resources
reserved at runtime for this purpose.
Auto ACE Compression is a software feature used to compress all the
ACEs of an ACL to utilize hardware resources more efficiently. Without
compression, one ACE would occupy a fixed number of entries in TCAM.
So if one ACL includes 25 ACEs, the ACL would need (25 * n) entries in
TCAM, where "n" is the fixed number of TCAM entries needed for one
ACE. When compression is employed, before writing the ACE into
TCAM, the software compresses the ACEs to reduce the number of
required TCAM entries. For example, one ACL may include 128 ACEs
which classify a continuous IP address range like 192.168.1.0~255. If
compression is disabled, the ACL would occupy (128*n) entries of
TCAM, using up nearly all of the hardware resources. When using
compression, the 128 ACEs are compressed into one ACE classifying
the IP address as 192.168.1.0/24, which requires only "n" entries in
TCAM. The above example is an ideal case for compression. The worst
case would be if no ACE can be compressed, in which case the number of
TCAM entries used would be the same as without compression. It
would also require more time to process the ACEs.
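The ideal and worst cases described above can be checked with a small model of the compression step. The following is an added example and not the switch's own software: it uses the standard-library ipaddress.collapse_addresses to merge adjacent host ACEs into the smallest set of CIDR networks and then counts TCAM entries as (ACE count * n). The value of "n" is not given in the manual, so N_ENTRIES_PER_ACE below is a hypothetical placeholder, and both address lists are constructed sample input.

```python
import ipaddress

# Hypothetical: the manual only says each ACE needs a fixed "n" TCAM entries
# and does not give the number, so this value is a placeholder.
N_ENTRIES_PER_ACE = 2

# Constructed sample input 1: the manual's ideal case, 192.168.1.0 ~ 192.168.1.255
# written as 256 separate host ACEs.
IDEAL_RANGE = [f"192.168.1.{i}" for i in range(256)]

# Constructed sample input 2: a worst case, every other host in 10.0.0.0/24.
# No two addresses are adjacent, so nothing can be merged.
SPARSE_RANGE = [f"10.0.0.{i}" for i in range(0, 256, 2)]


def compress_aces(hosts):
    """Merge a list of host/network ACEs (strings) into the minimal set of
    CIDR networks, the way the ideal case in the manual collapses 256 hosts
    into 192.168.1.0/24. Returns the networks as strings."""
    nets = [ipaddress.ip_network(h, strict=False) for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def tcam_entries(ace_count, n=N_ENTRIES_PER_ACE):
    """TCAM entries consumed by ace_count ACEs at n entries per ACE."""
    return ace_count * n


def compression_report(hosts, n=N_ENTRIES_PER_ACE):
    """Compare TCAM usage with and without Auto ACE Compression."""
    compressed = compress_aces(hosts)
    return {
        "aces_before": len(hosts),
        "aces_after": len(compressed),
        "tcam_before": tcam_entries(len(hosts), n),
        "tcam_after": tcam_entries(len(compressed), n),
        "networks": compressed,
    }


if __name__ == "__main__":
    for label, hosts in (("ideal", IDEAL_RANGE), ("worst", SPARSE_RANGE)):
        r = compression_report(hosts)
        print(f"{label}: {r['aces_before']} ACEs -> {r['aces_after']} ACEs, "
              f"TCAM {r['tcam_before']} -> {r['tcam_after']} entries")
```

With the constructed inputs, the ideal range collapses to a single 192.168.1.0/24 network (n entries instead of 128*n or, here, 256*n), while the sparse range keeps all 128 ACEs and gains nothing from compression, which is exactly the worst case the manual warns about. The report is a capacity-planning aid only; the real TCAM usage also depends on the runtime resource reservation the manual mentions.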
The order in which active ACLs are checked is as follows:
1. User-defined rules in IP and MAC ACLs for ingress ports are checked in parallel.
2. Rules within an ACL are checked in the configured order, from top to bottom.
3. If the result of checking an IP ACL is to permit a packet, but the result of a MAC ACL on the same packet is to deny it, the packet will be denied (because the decision to deny a packet has a higher priority for security reasons). A packet will also be denied if the IP ACL denies it and the MAC ACL accepts it.
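The three ordering rules above can be modelled in a few lines. The following is an added example, not the switch's implementation: it evaluates an IP ACL and a MAC ACL independently (rule 1), takes the first matching ACE within each list (rule 2), and lets a deny from either list override a permit from the other (rule 3). The manual says nothing about what happens when no ACE in either list matches, so the `default` verdict is an assumption exposed as a parameter. The packet dictionaries, the ACLs and the MAC address are all constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Packet = Dict[str, str]          # constructed: {"src_ip": ..., "src_mac": ...}


@dataclass
class Ace:
    action: str                          # "permit" or "deny"
    match: Callable[[Packet], bool]      # predicate that classifies the packet


def ip_src(network: str) -> Callable[[Packet], bool]:
    """Match packets whose source IP lies in the given network."""
    net = ipaddress.ip_network(network, strict=False)
    return lambda pkt: ipaddress.ip_address(pkt["src_ip"]) in net


def mac_src(mac: str) -> Callable[[Packet], bool]:
    """Match packets with the given source MAC (case-insensitive)."""
    return lambda pkt: pkt["src_mac"].lower() == mac.lower()


def match_any() -> Callable[[Packet], bool]:
    return lambda pkt: True


def evaluate_acl(acl: List[Ace], pkt: Packet) -> Optional[str]:
    """Rule 2: walk the ACL top to bottom; the first matching ACE decides.
    Returns None when no ACE matches."""
    for ace in acl:
        if ace.match(pkt):
            return ace.action
    return None


def filter_packet(ip_acl: List[Ace], mac_acl: List[Ace], pkt: Packet,
                  default: str = "deny") -> str:
    """Rules 1 and 3: check both ACLs independently, then let any deny win.
    `default` applies only when neither ACL matched; the manual does not
    state that behaviour, so this value is an assumption."""
    verdicts = [evaluate_acl(ip_acl, pkt), evaluate_acl(mac_acl, pkt)]
    if "deny" in verdicts:
        return "deny"
    if "permit" in verdicts:
        return "permit"
    return default


# Constructed sample ACLs.
IP_ACL = [
    Ace("permit", ip_src("192.168.1.0/24")),
    Ace("deny", ip_src("0.0.0.0/0")),
]
MAC_ACL = [
    Ace("deny", mac_src("00:11:22:33:44:55")),   # constructed blocked station
    Ace("permit", match_any()),
]

# Constructed ACLs showing that ACE order matters (rule 2): same two ACEs,
# opposite order, opposite verdict for 192.168.1.10.
SPECIFIC_FIRST = [Ace("deny", ip_src("192.168.1.10/32")),
                  Ace("permit", ip_src("192.168.1.0/24"))]
GENERAL_FIRST = list(reversed(SPECIFIC_FIRST))


def demo() -> Dict[str, str]:
    """Verdicts for three constructed packets covering rule 3's two cases."""
    pkts = {
        "both_permit": {"src_ip": "192.168.1.10", "src_mac": "aa:bb:cc:dd:ee:01"},
        "ip_permit_mac_deny": {"src_ip": "192.168.1.10", "src_mac": "00:11:22:33:44:55"},
        "ip_deny_mac_permit": {"src_ip": "10.0.0.5", "src_mac": "aa:bb:cc:dd:ee:01"},
    }
    return {name: filter_packet(IP_ACL, MAC_ACL, p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `SPECIFIC_FIRST` / `GENERAL_FIRST` pair is the usual review check when an ACL does not behave as expected: a broad permit placed above a narrower deny silently neutralises the deny, because evaluation stops at the first match.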
– 350 –

This manual is also suitable for:

Es3528mv2-dc

Table of Contents