Chapter 12
| Security Measures
Access Control Lists
– 291 –
Auto ACE Compression is a software feature used to compress all the ACEs of an
ACL to utilize hardware resources more efficiency. Without compression, one
ACE would occupy a fixed number of entries in TCAM. So if one ACL includes 25
ACEs, the ACL would need (25 * n) entries in TCAM, where “n” is the fixed
number of TCAM entries needed for one ACE. When compression is employed,
before writing the ACE into TCAM, the software compresses the ACEs to reduce
the number of required TCAM entries. For example, one ACL may include 128
ACEs which classify a continuous IP address range like 192.168.1.0~255. If
compression is disabled, the ACL would occupy (128*n) entries of TCAM, using
up nearly all of the hardware resources. When using compression, the 128 ACEs
are compressed into one ACE classifying the IP address as 192.168.1.0/24,
which requires only “n” entries in TCAM. The above example is an ideal case for
compression. The worst case would be if no any ACE can be compressed, in
which case the used number of TCAM entries would be the same as without
compression. It would also require more time to process the ACEs.
The order in which active ACLs are checked is as follows:
1. User-defined rules in IP and MAC ACLs for ingress or egress ports are checked in
parallel.
2. Rules within an ACL are checked in the configured order, from top to bottom.
3. If the result of checking an IP ACL is to permit a packet, but the result of a MAC
ACL on the same packet is to deny it, the packet will be denied (because the
decision to deny a packet has a higher priority for security reasons). A packet
will also be denied if the IP ACL denies it and the MAC ACL accepts it.
Setting A Time Range Use the Security > ACL (Configure Time Range) page to sets a time range during
which ACL functions are applied.
Command Usage
If both an absolute rule and one or more periodic rules are configured for the same
time range (i.e., named entry), that entry will only take effect if the current time is
within the absolute time range and one of the periodic time ranges.
Parameters
These parameters are displayed:
Add
◆ Time-Range Name – Name of a time range. (Range: 1-16 characters)
Add Rule
◆ Time-Range – Name of a time range.
To Next Page
Loading...
Need help?
General
