Administrator Guide

3. Reload the system.
EXEC Privilege mode
reload
The following example displays the current CAM ACL settings for each egress region and configures the egress CAM settings.
Dell# show cam-acl-egress-pe
-- Port extender Egress Cam ACL --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl : 1
Ipv4Acl : 1
Ipv6Acl : 2
Dell(conf)#cam-acl-egress-pe l2acl 2 ipv4acl 2 ipv6acl 0
The following example displays the running configuration for the configured CAM ACLs.
Dell(conf)#do show running-config | grep cam-acl
cam-acl l2acl 3 ipv4acl 4 ipv6acl 0 ipv4qos 2 l2qos 1 l2pt 0 ipmacacl 0 vman-qos 0 ecfmacl 0 ipv4pbr 2
cam-acl-pe l2acl 3 ipv4acl 2 ipv6acl 2 ipv4qos 2 l2qos 1 ipmacacl 2
cam-acl-egress-pe l2acl 2 ipv4acl 2 ipv6acl 0
Implementing ACLs on Dell EMC Networking OS
You can assign one IP ACL per interface. If you do not assign an IP ACL to an interface, it is not used by the software.
The number of entries allowed per ACL is hardware-dependent.
If counters are enabled on ACL rules that are already configured, those counters are reset when a new rule that is inserted, prepended,
or appended requires a hardware shift in the flow table. Resetting the counters to 0 is transient, as the original counter values are retained
after a few seconds. If there is no need to shift the flow in the hardware, the counters are not affected. This is applicable to the following
features:
L2 Ingress Access list
L2 Egress Access list
In Dell EMC Networking OS versions prior to 9.13(0.0), the system does not install any of your ACL rules if the available CAM space is
less than what is required for your set of ACL rules. Effective with Dell EMC Networking OS version 9.13(0.0), the system installs
your ACL rules until all the allocated CAM memory is used. If there is no implicit permit in your rule, the Dell EMC Networking OS ensures
that an implicit deny is installed at the end of your rule. This behavior is applicable for IPv4 and IPv6 ingress and egress ACLs.
ACLs and VLANs
There are some differences when assigning ACLs to a VLAN rather than a physical port.
For example, when using a single port-pipe, if you apply an ACL to a VLAN, one copy of the ACL entries is installed in the ACL CAM on the
port-pipe. The entry looks for the incoming VLAN in the packet. In contrast, if you apply an ACL on individual ports of a VLAN, separate
copies of the ACL entries are installed for each port belonging to a port-pipe.
When you use the log keyword, the CP has to log the details about the packets that match. Depending on how many packets match the
log entry and at what rate, the CP might become busy as it has to log these packets’ details. However, the Route Processor (RP) is
unaffected. This option is typically useful when debugging some problem related to control traffic. We have used this option numerous
times in the field and have not encountered problems so far.
ACL Optimization
If an access list contains duplicate entries, the system deletes one entry to conserve CAM space.
Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM entries whether it is identified as
a standard or extended ACL.
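The following Python sketch is an added example, not part of the Dell EMC guide or its software. It combines the figures above (256 entries per block, two CAM entries per rule, duplicate removal, one copy per VLAN or one per port, and the install behavior before and after 9.13(0.0)) to estimate which rules of an ACL reach hardware, so that filters missing from the CAM are noticed before deployment. The function names, the in-order install, the uncounted implicit deny entry and the sample rules are assumptions made for the example.

```python
ENTRIES_PER_BLOCK = 256    # "1 block = 256 entries" in the show output
CAM_ENTRIES_PER_RULE = 2   # "A single ACL rule uses two CAM entries"

def parse_cam_line(line):
    """Turn a cam-acl* configuration line into {region: blocks}."""
    tokens = line.split()
    # Expect the command followed by region/value pairs (odd token count).
    if len(tokens) < 3 or not tokens[0].startswith("cam-acl") or len(tokens) % 2 == 0:
        raise ValueError("not a complete cam-acl line: %r" % line)
    return {tokens[i].lower(): int(tokens[i + 1]) for i in range(1, len(tokens), 2)}

def plan_install(rules, blocks, copies=1, partial_install=True):
    """Estimate which rules fit in the CAM blocks allocated to one region.

    copies: 1 for an ACL applied to a VLAN, or the number of member ports
            on the port-pipe when the ACL is applied per port.
    partial_install: True models 9.13(0.0) and later, False earlier versions.
    Assumptions: rules are installed in order; the implicit deny entry is
    not counted against the region.
    """
    # Duplicate entries are stored once; whitespace differences are ignored.
    unique = list(dict.fromkeys(" ".join(r.split()) for r in rules))
    capacity = blocks * ENTRIES_PER_BLOCK
    per_rule = CAM_ENTRIES_PER_RULE * copies
    needed = len(unique) * per_rule
    if needed <= capacity:
        fit = len(unique)
    elif partial_install:
        fit = capacity // per_rule   # install until the region is full
    else:
        fit = 0                      # earlier versions install nothing
    return {"needed": needed, "capacity": capacity,
            "installed": unique[:fit], "not_installed": unique[fit:]}

def sample_rules(n):
    """Constructed rule text for the demo, not taken from a real device."""
    return ["permit ip host 10.0.%d.%d any" % (i // 250, i % 250 + 1) for i in range(n)]

if __name__ == "__main__":
    region = parse_cam_line("cam-acl-egress-pe l2acl 2 ipv4acl 2 ipv6acl 0")
    rules = sample_rules(300) + ["permit ip host 10.0.0.1  any"]  # one duplicate
    for label, partial in (("9.13(0.0)+", True), ("pre-9.13(0.0)", False)):
        plan = plan_install(rules, region["ipv4acl"], partial_install=partial)
        print(label, "needed", plan["needed"], "of", plan["capacity"],
              "installed", len(plan["installed"]),
              "missing", len(plan["not_installed"]))
```

Any rule listed under `not_installed` is a filter that the configuration shows but the hardware does not enforce, which is the case to check for after resizing a CAM region or moving an ACL from a VLAN to individual ports.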
Access Control Lists (ACLs)