
Foundry Networks FESX User Manual

Rule-Based IP Access Control Lists (ACLs)
December 2005 © Foundry Networks, Inc. 12 - 25
ACL Counting
Software releases 02.3.03 and later support ACL counting, a mechanism for counting the number of packets and
the number of bytes per packet to which ACL filters are applied.
Configuration procedures for ACL counting are in the chapter “Traffic Policies” on page 15-1.
Using ACLs to Control Multicast Features
You can use ACLs to control the following multicast features:
Limit the number of multicast groups that are covered by a static rendezvous point (RP)
Control the multicast groups for which candidate RPs send advertisement messages to bootstrap routers
Identify which multicast group packets will be forwarded or blocked on an interface
For configuration procedures, see the chapter “Configuring IP Multicast Protocols” on page 19-1.
Displaying ACL Information
To display the number of Layer 4 CAM entries used by each ACL, enter the following command:
FESX424 Router(config)# show access-list all
Extended IP access list 100 (Total flows: N/A, Total packets: N/A, Total rule cam use: 3)
permit udp host 192.168.2.169 any (Flows: N/A, Packets: N/A, Rule cam use: 1)
permit icmp any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
deny ip any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
Syntax: show access-list <acl-num> | <acl-name> | all
The Rule cam use field lists the number of CAM entries used by the ACL or entry. The number of CAM entries listed for the ACL itself is the total of the CAM entries used by the ACL’s entries.
For flow-based ACLs, the Total flows and Flows fields list the number of Layer 4 session table flows in use for the ACL.
The Total packets and Packets fields apply only to flow-based ACLs.
Troubleshooting ACLs
Use the following methods to troubleshoot ACLs:
To display the number of Layer 4 CAM entries being used by each ACL, enter the show access-list <acl-num> | <acl-name> | all command. See “Displaying ACL Information” on page 12-25.
To determine whether the issue is specific to fragmentation, remove the Layer 4 information (TCP or UDP application ports) from the ACL, then reapply the ACL.
If you are using another feature that requires ACLs, either use the same ACL entries for filtering and for the other feature, or change to flow-based ACLs.
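The following is an added example, not part of the Foundry manual: a Python parser for the show access-list all output printed on this page. It checks the stated relation that an ACL's Total rule cam use equals the sum of its entries' Rule cam use. The function names are hypothetical, and the line format is assumed to match the sample output exactly.

```python
import re

# Constructed sample: the `show access-list all` output printed on this page.
SAMPLE = """\
Extended IP access list 100 (Total flows: N/A, Total packets: N/A, Total rule cam use: 3)
permit udp host 192.168.2.169 any (Flows: N/A, Packets: N/A, Rule cam use: 1)
permit icmp any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
deny ip any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
"""

# Assumption: every ACL header and entry line follows the layout of the sample.
HEADER = re.compile(r"^(\w+) IP access list (\S+) "
                    r"\(Total flows: (\S+), Total packets: (\S+), Total rule cam use: (\d+)\)$")
ENTRY = re.compile(r"^(permit|deny) (.+?) "
                   r"\(Flows: (\S+), Packets: (\S+), Rule cam use: (\d+)\)$")

def _num(field):
    """Counters read N/A in the sample; map that to None, otherwise to int."""
    return None if field == "N/A" else int(field)

def parse_acls(text):
    """Return one dict per ACL with its header totals and parsed entries."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER.match(line)):
            acls.append({"type": m[1], "id": m[2], "flows": _num(m[3]),
                         "packets": _num(m[4]), "total_cam": int(m[5]), "entries": []})
        elif (m := ENTRY.match(line)) and acls:
            acls[-1]["entries"].append({"action": m[1], "match": m[2], "flows": _num(m[3]),
                                        "packets": _num(m[4]), "cam": int(m[5])})
    return acls

def audit(acl):
    """List discrepancies between the header totals and the per-entry fields."""
    findings = []
    cam_sum = sum(e["cam"] for e in acl["entries"])
    if cam_sum != acl["total_cam"]:
        findings.append(f"ACL {acl['id']}: header reports {acl['total_cam']} CAM entries, rules sum to {cam_sum}")
    # Assumption: N/A in the flow fields means the ACL is not flow-based.
    if acl["flows"] is None and any(e["packets"] is not None for e in acl["entries"]):
        findings.append(f"ACL {acl['id']}: packet counts present but flow fields are N/A")
    return findings

if __name__ == "__main__":
    for acl in parse_acls(SAMPLE):
        print(acl["id"], acl["total_cam"], audit(acl) or "consistent")
```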
