IPv4 Access Control Lists (ACLs)
Planning an ACL Application
The following two CLI commands are useful for planning and monitoring rule
and mask usage in an ACL configuration.
Syntax: access-list resources help
Provides a quick reference on how ACLs use rule resources.
Includes most of the information in table 9-2, plus an ACL
usage summary.
Syntax
:
show access-list resources
Shows the number of rules used, maximum rules available,
resources used and resources required for ACLs created with
Identity Manager (IDM) and for ACLs created with the CLI.
Managing ACL Resource Consumption
As shown in table 9-2, changes in IP subnet masks or changes in IP or TCP/
UDP applications among consecutive ACEs in an assigned ACL can rapidly
consume resources. Adding a new ACE to an ACL consumes one rule. An
extensive ACL configuration can fully subscribe the 128 rule resources avail-
able on the switch.
Oversubscribing Available Resources
If a given ACL requires more rule resources than are available, then the switch
cannot apply the ACL to any of the interfaces specified for that ACL. In this
case, the access-group command fails and the CLI displays the following:
â– In the CLI:
Unable to apply access control list.
â– In the Event Log (and in a Syslog server, if configured on the switch):
ACL: unable to apply ACL < acl-# > to port < port-# >, failed
to add entry < # >
(Note that < port-# > is the first port in the assignment command that was
unable to support the ACL.)
Troubleshooting a Shortage of Resources
Do the following to determine how to change resource usage to allow the ACL
you want to configure:
1. Use the show access-list resources command
2. Use show commands to identify the currently configured ACL policies.
9-19
To Next Page
Loading...
Need help?
General