Users Guide

Ipv6Acl : 2
Dell(conf)#cam-acl-egress-pe l2acl 2 ipv4acl 2 ipv6acl 0
The following example displays the running configuration for the configured CAM ACLs.
Dell(conf)#do show running-config | grep cam-acl
cam-acl l2acl 3 ipv4acl 4 ipv6acl 0 ipv4qos 2 l2qos 1 l2pt 0 ipmacacl 0 vman-qos 0 ecfmacl 0
ipv4pbr 2
cam-acl-pe l2acl 3 ipv4acl 2 ipv6acl 2 ipv4qos 2 l2qos 1 ipmacacl 2
cam-acl-egress-pe l2acl 2 ipv4acl 2 ipv6acl 0
Implementing ACLs on Dell EMC Networking OS
You can assign one IP ACL per interface. If you do not assign an IP ACL to an interface, it is not used by the software.
The number of entries allowed per ACL is hardware-dependent.
If counters are enabled on ACL rules that are already configured, those counters are reset when a new rule that is inserted, prepended,
or appended requires a hardware shift in the flow table. Resetting the counters to 0 is transient as the original counter values are retained
after a few seconds. If there is no need to shift the flow in the hardware, the counters are not affected. This is applicable to the following
features:
L2 Ingress Access list
L2 Egress Access list
In Dell EMC Networking OS versions prior to 9.13(0.0), the system does not install any of your ACL rules if the available CAM space is
less than what is required for your set of ACL rules. Effective with Dell EMC Networking OS version 9.13(0.0), the system installs your
ACL rules until all the allocated CAM memory is used. If there is no implicit permit in your rule, the Dell EMC Networking OS ensures that an
implicit deny is installed at the end of your rule. This behavior is applicable for IPv4 and IPv6 ingress and egress ACLs.
ACLs and VLANs
There are some differences when assigning ACLs to a VLAN rather than a physical port.
For example, when using a single port-pipe, if you apply an ACL to a VLAN, one copy of the ACL entries is installed in the ACL CAM on the
port-pipe. The entry looks for the incoming VLAN in the packet. Whereas if you apply an ACL on individual ports of a VLAN, separate
copies of the ACL entries are installed for each port belonging to a port-pipe.
When you use the log keyword, the CP has to log the details about the packets that match. Depending on how many packets match the
log entry and at what rate, the CP might become busy as it has to log these packets’ details. However, the Route Processor (RP) is
unaffected. This option is typically useful when debugging some problem related to control traffic. We have used this option numerous
times in the field and have not encountered problems so far.
ACL Optimization
If an access list contains duplicate entries, the system deletes one entry to conserve CAM space.
Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM entries whether it is identified as a
standard or extended ACL.
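The following sketch is an added example, not Dell code or part of the original guide. It models the CAM rules stated in this section (two CAM entries per rule, duplicate removal, one ACL copy per VLAN versus one per port, and the install behavior before and from 9.13(0.0)) so that you can check an ACL against the CAM space you expect to have free. The sample rules, the function names, the definition of a duplicate, and the assumption that rules install in list order are all illustrative; the CAM cost of the implicit deny is not modelled because the guide does not state it.

```python
# Added example (not Dell code): planning model of the CAM rules in this section.
ENTRIES_PER_RULE = 2  # from the text: one ACL rule uses two CAM entries

# Constructed sample ACL; the fourth line duplicates the first.
SAMPLE_RULES = [
    "permit tcp any host 10.0.0.10 eq 22",
    "permit tcp any host 10.0.0.10 eq 443",
    "deny tcp any any eq 23",
    "permit tcp any  host 10.0.0.10 eq 22",
    "deny udp any any eq 161",
    "permit ip 10.0.0.0/24 any",
]

def dedupe(rules):
    """Drop duplicates, keeping the first occurrence.
    Assumption: a duplicate is identical rule text after whitespace is normalized."""
    seen, unique = set(), []
    for rule in rules:
        key = " ".join(rule.split())
        if key and key not in seen:
            seen.add(key)
            unique.append(key)
    return unique

def cam_entries(rules, ports_in_pipe, applied_to_vlan):
    """CAM entries used on one port-pipe: one copy for a VLAN, else one copy per port."""
    copies = 1 if applied_to_vlan else ports_in_pipe
    return len(dedupe(rules)) * ENTRIES_PER_RULE * copies

def plan_install(rules, free_entries, os_at_least_9_13):
    """Return (installed, skipped) for a single copy of the ACL.
    Assumptions: rules install in list order; implicit deny cost is not modelled."""
    unique = dedupe(rules)
    fit = min(len(unique), max(free_entries, 0) // ENTRIES_PER_RULE)
    if fit < len(unique) and not os_at_least_9_13:
        fit = 0  # before 9.13(0.0): no rule is installed if the whole set does not fit
    return unique[:fit], unique[fit:]

if __name__ == "__main__":
    print("VLAN:", cam_entries(SAMPLE_RULES, 4, True), "entries")
    print("4 ports:", cam_entries(SAMPLE_RULES, 4, False), "entries")
    for new_os in (False, True):
        installed, skipped = plan_install(SAMPLE_RULES, 6, new_os)
        label = "9.13(0.0)+" if new_os else "pre-9.13(0.0)"
        print(label, len(installed), "installed; skipped:", skipped)
```

With six free CAM entries, the model reports nothing installed before 9.13(0.0) and only the first three rules installed from 9.13(0.0), which makes visible which permit and deny rules would be absent from hardware.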
Determine the Order in which ACLs are Used to Classify Traffic
When you link class-maps to queues using the service-queue command, the system matches the class-maps according to queue
priority (queue numbers closer to 0 have lower priorities).
As shown in the following example, class-map cmap2 is matched against ingress packets before cmap1.