Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches 
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch 
The following two CLI commands are unique to the 3400cl/6400cl switches and are useful for planning and monitoring rule and mask usage in an ACL configuration.
Syntax: access-list resources help

Provides a quick reference on how ACL, QoS and Rate-Limiting use rule resources and how ACL uses mask resources for each configuration option. Includes most of the information in table 10-3, plus an ACL usage summary.
Syntax: show access-list resources

Shows the number of rules and ACL masks currently available on each port. This command is useful for verifying rule and ACL mask availability as you proceed with configuring the ACL, IGMP, QoS, and/or Rate-Limiting features available on the switch.
Managing ACL Resource Consumption 
As shown in table 10-3, changes in IP subnet masks or changes in IP or TCP/UDP applications among consecutive ACEs in an assigned ACL can rapidly consume per-port mask resources. Also, in almost all cases, adding a new ACE to an ACL consumes one per-port rule. An extensive ACL configuration can fully subscribe the 120 rule resources available on one or more ports, especially when QoS and Rate-Limiting are also configured on the switch. (Configuring IGMP uses one per-port ACL mask, but does not use any per-port rules.) However, even a relatively short ACL can fully subscribe the eight mask resources available on one or more ports. (The switch allows one ACL per port.)
Oversubscribing Available Resources 
If a given ACL requires more mask or rule resources on a port than are available, then the switch cannot apply the ACL to any of the interfaces specified for that ACL. In this case, the access-group command fails and the switch reports the failure as follows:

■ In the CLI:

Unable to apply access control list.

■ In the Event Log (and on a Syslog server, if one is configured on the switch):

ACL: unable to apply ACL <acl-#> to port <port-#>, failed to add entry <#>

(Note that <port-#> is the first port in the assignment command that was unable to support the ACL.)
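As an added example that is not part of the manual, the following Python helper applies the per-port limits above as a planning pre-check and scans Event Log/syslog output for the failure message quoted above, since a port whose ACL failed to apply is running without that filter. The mask-consumption heuristic is an assumption (table 10-3 is not reproduced here), and all ACE, port and log values are constructed.

```python
import re

# Per-port limits the manual states for the 3400cl/6400cl switches.
RULES_PER_PORT = 120
MASKS_PER_PORT = 8

# Event Log line the switch writes when access-group fails (format quoted above).
_FAIL_RE = re.compile(r"ACL: unable to apply ACL (?P<acl>[^,\s]+) to port "
                      r"(?P<port>[^,\s]+), failed to add entry (?P<entry>\d+)")

def estimate_resources(aces):
    """Estimate (rules, masks) an ACL would consume on one port.
    Simplified heuristic, an assumption rather than table 10-3: each ACE costs
    one rule; each ACE whose (src mask, dst mask, proto, port) shape differs
    from the previous ACE's shape costs one more mask."""
    masks, prev_shape = 0, None
    for ace in aces:
        shape = (ace["src_mask"], ace["dst_mask"], ace["proto"], ace["port"])
        if shape != prev_shape:
            masks, prev_shape = masks + 1, shape
    return len(aces), masks

def can_apply(aces, rules_free=RULES_PER_PORT, masks_free=MASKS_PER_PORT):
    """True if the estimate fits what the port has free; pass the counts from
    'show access-list resources' when QoS, Rate-Limiting or IGMP already run."""
    rules, masks = estimate_resources(aces)
    return rules <= rules_free and masks <= masks_free

def find_apply_failures(log_lines):
    """(acl, port, entry) for each syslog/Event Log line reporting an ACL that
    could not be applied, i.e. a port now running without its filter."""
    hits = []
    for line in log_lines:
        m = _FAIL_RE.search(line)
        if m:
            hits.append((m["acl"], m["port"], int(m["entry"])))
    return hits

# Constructed sample: nine ACEs that each change the TCP port, so every ACE
# needs a fresh mask and the eight-mask limit is hit long before 120 rules.
SAMPLE_ACL = [
    {"src_mask": "0.0.0.255", "dst_mask": "0.0.0.0", "proto": "tcp", "port": p}
    for p in (22, 23, 25, 53, 80, 110, 143, 443, 3389)
]

# Constructed log lines in the format the manual quotes; ids are made up.
SAMPLE_LOG = [
    "I 01/01/06 12:00:01 ports: port A7 is now on-line",
    "W 01/01/06 12:00:02 ACL: unable to apply ACL 101 to port A7, failed to add entry 9",
]
```

Running `can_apply(SAMPLE_ACL)` returns False because nine masks exceed the eight available, while the first eight ACEs alone would fit.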