Dell Networking N4000 Series - Page 597

Dell Networking N4000 Series
1460 pages
Configuring Access Control Lists 597

Resource-Sharing Between ACLs and PBR
ACLs associated with a route-map and general ACLs share the same hardware
resources. If PBR consumes the maximum number of hardware resources on an
interface or system-wide, general purpose ACLs cannot be configured, and
vice versa. Hardware allocation is performed on a first-come, first-served basis.

Counter Support for Route-map ACL
A counter is associated with each ACL rule associated with a route-map. The
counter indicates how many packets were policy routed. There is no provision
to nondestructively clear these counters from the UI. Counters associated
with a route-map statement are cleared when the route-map is removed from
the VLAN. The hardware does not support both a counter and a rate-limit.
Therefore, the system does not support using ACLs configured with a
rate-limit for PBR.

Priority of ACL/PBR Rules When Applied to Hardware
Each ACL is normally associated with a sequence number that indicates the
order in which an ACL needs to be applied when multiple ACLs are applied
on a single VLAN. The sequence number or priority indicates the order in
which ACLs (and corresponding rules associated with ACLs) are applied.
When an ACL is used in a route-map's “match” clause, it is applied to
hardware with the same priority as if it were an independent ACL, with
the exception of the implicit “deny all” rule. A route-map may have multiple
statements with different sequence numbers associated with each ACL entry.
In this case, the ACL inherits the sequence number of the route-map entry.
Therefore, it is advisable to segregate ACLs used in route-maps from ACLs
applied directly to interfaces.
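
A configuration audit for two statements above: ACLs with a rate-limit cannot be used for PBR, and ACLs used in route-maps should be kept separate from ACLs applied directly to interfaces. This is an added example, not taken from the Dell manual; the config excerpt is constructed, and its command syntax and the function name `audit_pbr_acls` are assumptions.

```python
import re

# Constructed excerpt, not from the manual; CLI syntax (incl. rate-limit placement) is assumed.
SAMPLE_CONFIG = """\
ip access-list PBR-WEB
permit tcp any any eq 80
exit
ip access-list PBR-VOICE
permit udp any any rate-limit 1000 64
exit
ip access-list EDGE-FILTER
permit ip any any
exit
route-map STEER permit 10
match ip address PBR-WEB
exit
route-map STEER permit 20
match ip address PBR-VOICE
exit
route-map STEER permit 30
match ip address EDGE-FILTER
exit
interface vlan 10
ip access-group EDGE-FILTER in
ip policy route-map STEER
"""

def audit_pbr_acls(config):
    # Returns {acl: {"route_map_entries": [...], "issues": [...]}} for flagged PBR ACLs.
    rate_limited, direct, pbr = set(), set(), {}
    acl = entry = None  # ACL / route-map entry currently being parsed
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"ip access-list (\S+)", line):
            acl, entry = m.group(1), None
        elif m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)", line):
            acl, entry = None, (m.group(1), int(m.group(2)))
        elif line == "exit" or line.startswith("interface "):
            acl = entry = None
        elif m := re.match(r"ip access-group (\S+)", line):
            direct.add(m.group(1))  # ACL applied directly to an interface
        elif entry and (m := re.match(r"match ip address (\S+)", line)):
            pbr.setdefault(m.group(1), []).append(entry)  # ACL takes this entry's sequence
        elif acl and re.search(r"\brate-limit\b", line):
            rate_limited.add(acl)
    checks = (("rate-limit", rate_limited), ("also-on-interface", direct))
    found = {n: [tag for tag, names in checks if n in names] for n in pbr}
    return {n: {"route_map_entries": pbr[n], "issues": i} for n, i in found.items() if i}

if __name__ == "__main__":
    print(audit_pbr_acls(SAMPLE_CONFIG))
```
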

ACL Resource Usage
When a route-map defines a “match” rule associated with an ACL, except for
the implicit routing behavior mentioned above, the resource consumption is
the same as if a normal ACL were applied on an interface. Rules consumed by an
ACL corresponding to a route-map “match” clause share hardware resources
with the ACL component. Certain resources cannot be shared. For example,
the rate-limit clause cannot be utilized in a PBR ACL, as the hardware cannot
support both a counter (allocated by every PBR route-map) and a rate limit.
Resources are not consumed until the route-map is associated with an
