Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsC9010 Modular Chassis Switch

111

112

113

114

115

116

117

118

119

120

● PIM VLT

● Filtering noninitial fragments of a datagram

If your ACL rules contain the following keywords, the system accepts the configuration and shows a message stating that these

features are not supported and ignores the configuration.

● ttl

● fragments

● no-drop

● dscp

● ecn

Optimizing ACL for More Number of IPv4 ACL Rules

To optimize ACL for more number of IPv4 ACL rules, follow these steps:

1. Carve the vlanaclopt CAM region.

CONFIGURATION mode

cam-acl-vlan vlanopenflow 0 vlaniscsi 0 vlanaclopt 2

2. Enable the ACL optimized feature.

CONFIGURATION mode

feature acloptimized

3. Reload the system

EXEC Privilege

reload

After the system reloads, the Dell Networking OS enables the feature.

DellEMC(conf)#feature acloptimized

Configuration change will be in effect after save and reload. ACL config containing TTL,

layer3 and VRF conflicts with ACL Cam optimzation feature and these keywords would be

discarded while applying the ACL.

Dell#show feature

Feature State

------- -----

VRF disabled

UDF disabled

Aclrange disabled

Acloptimized enabled

IP Fragment Handling

The system supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent

packets.

It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable to all Layer protocols

(permit/deny ip/tcp/udp/icmp).

● Both standard and extended ACLs support IP fragments.

● Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments. If the packet is

to be denied eventually, the first fragment would be denied and hence the packet as a whole cannot be reassembled.

● Implementing the required rules uses a significant number of CAM entries per TCP/UDP entry.

● For an IP ACL, the system always applies implicit deny. You do not have to configure it.

● For an IP ACL, the system applies implicit permit for second and subsequent fragment just prior to the implicit deny.

● If you configure an explicit deny, the second and subsequent fragments do not hit the implicit permit rule for fragments.

● Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the fragments

option and apply it to a Loopback interface, the command is accepted but the ACL entries are not actually installed the

offending rule in CAM.

112

Access Control Lists (ACLs)