Setup Guide

ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore (without the keyword
order), packets within the range 20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these
packets to match positive against cmap2 and be buffered in queue 4.
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify
the order in which you want to apply ACL rules. The order can range from 0 to 254. The system writes to the CAM ACL rules with
lower-order numbers (order numbers closer to 0) before rules with higher-order numbers so that packets are matched as you intended. By
default, all ACL rules have an order of 254.
Example of the order Keyword to Determine ACL Sequence
Dell(conf)#ip access-list standard acl1
Dell(config-std-nacl)#permit 20.0.0.0/8
Dell(config-std-nacl)#exit
Dell(conf)#ip access-list standard acl2
Dell(config-std-nacl)#permit 20.1.1.0/24 order 0
Dell(config-std-nacl)#exit
Dell(conf)#class-map match-all cmap1
Dell(conf-class-map)#match ip access-group acl1
Dell(conf-class-map)#exit
Dell(conf)#class-map match-all cmap2
Dell(conf-class-map)#match ip access-group acl2
Dell(conf-class-map)#exit
Dell(conf)#policy-map-input pmap
Dell(conf-policy-map-in)#service-queue 7 class-map cmap1
Dell(conf-policy-map-in)#service-queue 4 class-map cmap2
Dell(conf-policy-map-in)#exit
Dell(conf)#interface tengig 1/0
Dell(conf-if-te-1/0)#service-policy input pmap
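
The ordering behaviour described above can be checked offline before a policy is applied. The following Python sketch is an added example, not part of the Dell documentation or the switch's own logic: it models the CAM as a first-match list sorted by order value and assumes that rules with equal order keep their listed sequence. The function names and the rule tuple layout are hypothetical.

```python
import ipaddress

DEFAULT_ORDER = 254  # default order for every ACL rule, as stated on this page

# Constructed input mirroring the example above: (class-map, queue, prefix, order)
RULES_WITH_ORDER = [
    ("cmap1", 7, "20.0.0.0/8", DEFAULT_ORDER),
    ("cmap2", 4, "20.1.1.0/24", 0),
]
# Same policy with the order keyword omitted from acl2
RULES_NO_ORDER = [
    ("cmap1", 7, "20.0.0.0/8", DEFAULT_ORDER),
    ("cmap2", 4, "20.1.1.0/24", DEFAULT_ORDER),
]

def cam_sequence(rules):
    """Rules in the sequence they reach the CAM: lower order first.
    Assumption: equal-order rules keep their listed sequence (stable sort)."""
    return sorted(rules, key=lambda r: r[3])

def queue_for(src_ip, rules):
    """First-match lookup over the CAM sequence; returns the queue or None."""
    addr = ipaddress.ip_address(src_ip)
    for _cmap, queue, prefix, _order in cam_sequence(rules):
        if addr in ipaddress.ip_network(prefix):
            return queue
    return None

def shadowed_rules(rules):
    """Return (shadowed, shadowing) class-map pairs: a rule whose prefix lies
    inside an earlier-sequenced rule that feeds a different queue never matches."""
    seq = cam_sequence(rules)
    findings = []
    for i, later in enumerate(seq):
        later_net = ipaddress.ip_network(later[2])
        for earlier in seq[:i]:
            earlier_net = ipaddress.ip_network(earlier[2])
            if earlier[1] != later[1] and later_net.subnet_of(earlier_net):
                findings.append((later[0], earlier[0]))
    return findings

if __name__ == "__main__":
    for label, rules in (("order 0", RULES_WITH_ORDER), ("no order", RULES_NO_ORDER)):
        print(label, "-> queue", queue_for("20.1.1.5", rules),
              "shadowed:", shadowed_rules(rules))
```

A non-empty result from shadowed_rules flags a class-map whose rule needs a lower order value than the broader rule sequenced ahead of it.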
ACL Optimization to Increase Number of Supported IPv4 ACLs
You can configure the Dell EMC Networking OS to support a larger number of IPv4 ACLs.
Restrictions for ACL Optimization
After you enable ACL optimization, the system does not support the following features:
Mirroring dropped packets
Ability to specify filtering for routed traffic only
ACLs applied on physical ports with VRF ranges
ACLs with filter parameters such as DSCP and ECN
PIM VLT
Filtering noninitial fragments of a datagram
If your ACL rules contain the following keywords, the system accepts the configuration, shows a message stating that these features
are not supported, and ignores the configuration.
ttl
fragments
no-drop
dscp
ecn
Access Control Lists (ACLs)