710 Access Control Lists
supports a fixed number of matching criteria (values and masks). Slices
operate in parallel to perform the configured matching operations. An ACL
with a different offset requires the use of a new hardware slice but multiple
matching values can be specified for a single slice (e.g., an IPv4 destination
address with a 32-bit mask is or Slices can also be
joined together to match widths larger than 32 bits or they can be
concatenated to provide a larger number of matching values with a single
offset. In general, ACLs that match on less than 32 bits will be expanded
internally to match on 32 bits with a variable mask. This allows other ACLs
using the same offset to utilize the same slice with potentially different masks
and match values.
The user interface limits for ACLs are 1023 rules per access list and 100 access
lists. The switch automatically combines slices to operate in parallel over
greater field widths (e.g., IPv6 source address) or combines slices to supply
more match conditions (IPv4 destination address equal to multiple ranges of
addresses). In the case of a match condition specifying a match wider than 32
bits (e.g., a 128-bit IPv6 address), additional slices are assigned to operate in
parallel on the additional match fields. This reduces the overall number of
slices available to match on other key fields. The switch attempts to assign
slices to match conditions in an optimal manner; however, combinations of
match conditions can reduce the maximum number of ACLs that can be
configured to fewer than the published limits. As an example, the smallest
IPv6 QoS match will utilize six slices in the switch hardware.
If the hardware limit is exceeded while configuring an ingress ACL,
consider disabling features that use ACLs internally, such as iSCSI or CFM,
to free slices.
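The slice-allocation rules described above can be turned into a rough capacity check before an ACL set is applied, so that an exhausted slice budget is predicted rather than discovered at configuration time. The following model is an added illustration, not Dell code: the per-slice value capacity, the total slice budget, and the byte offsets of the key fields are assumptions, and the model ignores slices consumed internally by features such as iSCSI or CFM.

```python
from collections import defaultdict, namedtuple
from math import ceil

SLICE_WIDTH_BITS = 32        # one slice matches one 32-bit field (per the text)
VALUES_PER_SLICE = 128       # assumed (value, mask) capacity of a single slice
SLICE_BUDGET = 12            # assumed number of ingress slices in the hardware
UI_LIMIT_RULES_PER_ACL, UI_LIMIT_ACLS = 1023, 100

# A key field: byte offset (illustrative values below), width in bits, value, mask.
MatchField = namedtuple("MatchField", "offset width value mask")

def slices_for_width(width: int) -> int:
    # Narrower fields are widened to a 32-bit match with a variable mask (one
    # slice); fields wider than 32 bits need one parallel slice per 32-bit chunk.
    return max(1, ceil(width / SLICE_WIDTH_BITS))

def estimate_slices(rules):
    # Every distinct offset needs its own slice.  Rules at the same offset share
    # it until VALUES_PER_SLICE distinct (value, mask) pairs are reached; beyond
    # that another slice is concatenated.  Returns (total, {offset: slices}).
    entries = defaultdict(set)
    for rule in rules:
        for f in rule:
            entries[f.offset].add((f.value & f.mask, f.mask, f.width))
    per_offset = {}
    for offset, vals in entries.items():
        parallel = slices_for_width(max(w for _, _, w in vals))
        per_offset[offset] = parallel * ceil(len(vals) / VALUES_PER_SLICE)
    return sum(per_offset.values()), per_offset

def check_limits(acls):
    # acls: {acl name: [rule, ...]}.  Returns a list of limit violations.
    problems = []
    if len(acls) > UI_LIMIT_ACLS:
        problems.append(f"{len(acls)} access lists exceed the limit of {UI_LIMIT_ACLS}")
    for name, rules in acls.items():
        if len(rules) > UI_LIMIT_RULES_PER_ACL:
            problems.append(f"{name}: {len(rules)} rules exceed {UI_LIMIT_RULES_PER_ACL}")
    total, _ = estimate_slices([r for rules in acls.values() for r in rules])
    if total > SLICE_BUDGET:
        problems.append(f"estimated {total} slices exceed the assumed budget of {SLICE_BUDGET}")
    return problems

# Constructed sample: two IPv4 destination /24s, one TCP port, one IPv6 source.
SAMPLE_ACLS = {
    "v4-in": [[MatchField(16, 32, 0x0A000100, 0xFFFFFF00)],
              [MatchField(16, 32, 0x0A000200, 0xFFFFFF00),
               MatchField(22, 16, 443, 0xFFFF)]],
    "v6-in": [[MatchField(8, 128, 0x20010DB8 << 96, 0xFFFFFFFF << 96)]],
}
```

For the constructed sample the estimate is six slices (one for the two IPv4 prefixes, one for the port, four in parallel for the 128-bit IPv6 address), which happens to match the six-slice figure the text gives for the smallest IPv6 QoS match but is not derived from it.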
The hardware limits are shown in Table 19-1: