Administrator Guide

CONFIGURATION mode
cam-acl-pe [default | l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number ipmacacl number ipv4pbr number]
NOTE: Selecting default resets the CAM entries to the default settings. Select l2acl to re-allocate memory space for
egress ACL and QoS regions.
2. Verify the details of CAM ACL egress profiles configured globally on the PE. This command does not display CAM ACL egress
profiles for each PE. The new settings are written to CAM on the next reload.
EXEC and EXEC Privilege mode
show cam-acl-egress-pe
3. Reload the system.
EXEC Privilege mode
reload
The following example displays the current CAM ACL settings for each egress region and configures the egress CAM settings.
Dell# show cam-acl-egress-pe
-- Port extender Egress Cam ACL --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl : 1
Ipv4Acl : 1
Ipv6Acl : 2
Dell(conf)#cam-acl-egress-pe l2acl 2 ipv4acl 2 ipv6acl 0
The following example displays the running configuration for the configured CAM ACLs.
Dell(conf)#do show running-config | grep cam-acl
cam-acl l2acl 3 ipv4acl 4 ipv6acl 0 ipv4qos 2 l2qos 1 l2pt 0 ipmacacl 0 vman-qos 0 ecfmacl 0 ipv4pbr 2
cam-acl-pe l2acl 3 ipv4acl 2 ipv6acl 2 ipv4qos 2 l2qos 1 ipmacacl 2
cam-acl-egress-pe l2acl 2 ipv4acl 2 ipv6acl 0
Implementing ACLs on Dell EMC Networking OS
You can assign one IP ACL per interface. If you do not assign an IP ACL to an interface, it is not used by the software.
The number of entries allowed per ACL is hardware-dependent.
If counters are enabled on ACL rules that are already configured, those counters are reset when a new rule that is inserted,
prepended, or appended requires a hardware shift in the flow table. The reset to 0 is transient: the original
counter values are restored after a few seconds. If there is no need to shift the flow in the hardware, the counters are not
affected. This applies to the following features:
L2 Ingress Access list
L2 Egress Access list
In Dell EMC Networking OS versions prior to 9.13(0.0), the system does not install any of your ACL rules if the available
CAM space is less than what is required for your set of ACL rules. Effective with Dell EMC Networking OS version
9.13(0.0), the system installs your ACL rules until all the allocated CAM memory is used. If there is no implicit permit in your rule,
the Dell EMC Networking OS ensures that an implicit deny is installed at the end of your rule. This behavior applies to IPv4
and IPv6 ingress and egress ACLs.
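The following pre-deployment check is an added example, not code from Dell EMC or from this guide. It parses the show cam-acl-egress-pe output shown earlier and models the two install behaviors described above, so that an ACL which would be skipped or truncated is caught before it is applied. The function names, and the assumptions that each rule uses one CAM entry and that the implicit deny uses one more, are hypothetical.

```python
import re

ENTRIES_PER_BLOCK = 256  # "1 block = 256 entries" in the show output

# Constructed sample: the show cam-acl-egress-pe output from this page.
SAMPLE = """\
-- Port extender Egress Cam ACL --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl : 1
Ipv4Acl : 1
Ipv6Acl : 2
"""

def parse_cam_blocks(text):
    """Return {region: blocks} from the 'Name : N' lines of the show output."""
    return {m.group(1).lower(): int(m.group(2))
            for m in re.finditer(r"^\s*(\w+)\s*:\s*(\d+)\s*$", text, re.M)}

def installed_rules(rule_count, blocks, pre_9_13):
    """Model how many of rule_count rules reach CAM.

    Assumptions (not from the guide): one CAM entry per rule, plus one
    entry for the trailing implicit deny.
    """
    capacity = blocks * ENTRIES_PER_BLOCK
    if rule_count + 1 <= capacity:
        return rule_count            # whole ACL fits
    if pre_9_13:
        return 0                     # before 9.13(0.0): nothing is installed
    return max(capacity - 1, 0)      # 9.13(0.0)+: fill CAM, keep implicit deny

def audit(text, acl_sizes, pre_9_13=False):
    """Return {region: (installed, configured)} for ACLs that do not fit."""
    blocks = parse_cam_blocks(text)
    findings = {}
    for region, count in acl_sizes.items():
        got = installed_rules(count, blocks.get(region, 0), pre_9_13)
        if got < count:
            findings[region] = (got, count)
    return findings

if __name__ == "__main__":
    # Constructed rule counts for two ACLs about to be applied.
    print(audit(SAMPLE, {"ipv4acl": 300, "ipv6acl": 400}))
```

On 9.13(0.0) and later, a non-empty result means the rules past the cutoff are absent from hardware and the traffic they were meant to match reaches the implicit deny instead.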
ACLs and VLANs
There are some differences when assigning ACLs to a VLAN rather than a physical port.
For example, when using a single port-pipe, if you apply an ACL to a VLAN, one copy of the ACL entries is installed in the ACL
CAM on the port-pipe. The entry looks for the incoming VLAN in the packet. Whereas if you apply an ACL on individual ports of
a VLAN, separate copies of the ACL entries are installed for each port belonging to a port-pipe.
When you use the log keyword, the CP has to log the details about the packets that match. Depending on how many packets
match the log entry and at what rate, the CP might become busy as it has to log these packet details. However, the Route
Access Control Lists (ACLs)