NOTE: This solution does not apply to “How an ACL filters packets (VLAN 100)” (page 66) or
“How an ACL filters packets (VLAN 12)” (page 67).
Planning an ACL application
Before creating and implementing ACLs:
• Understand the switch resources available to support ACL operation
• Define the policies you want your ACLs to enforce
• Understand how your ACLs will impact your network users
Switch resource usage
ACL resource loads require careful attention to resource usage when planning a configuration.
Without careful planning, certain resources may be fully consumed, leaving the switch unable
to support further ACL configurations.
Prioritizing and monitoring ACL and QoS feature usage
To configure ACLs on your switch, plan and implement your configuration in descending order of
feature importance. This helps ensure that you configure the most important features first. If insufficient
resources become a consideration, this approach can help you recognize how to distribute the
desired feature implementations across multiple switches to achieve your objectives.
ACL resource usage and monitoring
ACL configurations use internal rules on a per-device basis. There are 128 rules available for
configuring ACLs with the CLI and 128 rules available for configuring ACLs with IDM. You can
apply a CLI ACL and an IDM ACL on the same port at the same time.
The switch uses resources required by the ACEs in an ACL when you apply the ACL to one or more
port or static trunk interfaces.
Rule usage
• There is only one implicit “deny any” entry per device for CLI ACLs, and one implicit “deny
any” entry per device for IDM ACLs.
• The implicit "deny any" entry is created only the first time an ACL is applied to a port. Then
you update the port-map for that "deny any" entry to include or remove additional ports.
• Each ACE, including the implicit deny any ACE in a standard ACL, uses one rule.
• There is a separate rule for every ACE whether the ACE uses the same mask or a new mask.
• Two hardware rules are used for any "permit" ACE with TCP or UDP specified; one for normal
packets, and one for fragmented packets.
“ACL rule and mask resource usage” (page 68) summarizes switch use of resources to support
ACEs.
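The rule-usage facts listed above, together with the advice to configure features in descending order of importance, can be turned into a simple planning check before anything is typed into the switch. The following Python helper is an added example (not from the HP guide): it estimates how many of the 128 CLI ACL hardware rules a set of ACLs would consume on one device, counting the per-device implicit "deny any" once and charging two rules for each "permit" ACE that specifies TCP or UDP, and then walks a priority-ordered list, deferring any ACL that would exceed the budget. The ACL names, ACE contents and the `ACE`/`ACL`/`plan_rule_usage`/`allocate_by_priority` names are constructed for illustration and are not switch commands or an HP API.

```python
# Added example, not from the HP guide: a small planning helper that applies the
# rule-usage facts stated on this page to estimate CLI ACL hardware-rule usage
# on one device and to allocate ACLs in descending order of importance.
from dataclasses import dataclass
from typing import List, Dict

CLI_RULE_BUDGET = 128  # rules available for CLI ACLs per device (from the text)


@dataclass
class ACE:
    action: str             # "permit" or "deny"
    protocol: str = "ip"    # "ip", "tcp", "udp", "icmp", ...

    def rules(self) -> int:
        """Hardware rules this ACE consumes (page's rule-usage list)."""
        # A permit ACE with TCP or UDP specified takes two rules: one for
        # normal packets and one for fragmented packets. Everything else
        # takes one rule, whether or not it shares a mask with another ACE.
        if self.action == "permit" and self.protocol in ("tcp", "udp"):
            return 2
        return 1


@dataclass
class ACL:
    name: str
    aces: List[ACE]

    def rules(self) -> int:
        return sum(ace.rules() for ace in self.aces)


def plan_rule_usage(acls: List[ACL], budget: int = CLI_RULE_BUDGET) -> Dict:
    """Summarise rule consumption if all of `acls` are applied on one device."""
    per_acl = {acl.name: acl.rules() for acl in acls}
    # One implicit "deny any" rule per device for CLI ACLs, created the
    # first time any ACL is applied to a port; later applies only update
    # its port map, so it is counted once, not once per ACL.
    implicit = 1 if acls else 0
    total = sum(per_acl.values()) + implicit
    return {"per_acl": per_acl, "implicit_deny": implicit,
            "total": total, "remaining": budget - total, "fits": total <= budget}


def allocate_by_priority(acls_in_priority_order: List[ACL],
                         budget: int = CLI_RULE_BUDGET):
    """Walk ACLs from most to least important; return (fits, deferred).

    Mirrors the page's advice to configure in descending order of feature
    importance: an ACL that does not fit the remaining budget is deferred
    (for example to another switch) rather than displacing a more important one.
    """
    fits, deferred = [], []
    for acl in acls_in_priority_order:
        trial = plan_rule_usage(fits + [acl], budget)
        (fits if trial["fits"] else deferred).append(acl)
    return fits, deferred


# Constructed sample: names and contents are illustrative, not from the guide.
SAMPLE_ACLS = [
    ACL("mgmt-in", [ACE("permit", "tcp"), ACE("deny", "ip")]),          # 2 + 1 = 3
    ACL("web-in", [ACE("permit", "tcp"), ACE("permit", "udp"),
                   ACE("deny", "tcp")]),                               # 2 + 2 + 1 = 5
    ACL("bulk", [ACE("permit", "tcp") for _ in range(60)]),            # 60 * 2 = 120
]

if __name__ == "__main__":
    print(plan_rule_usage(SAMPLE_ACLS))
    kept, deferred = allocate_by_priority(SAMPLE_ACLS)
    print("fits:", [a.name for a in kept], "deferred:", [a.name for a in deferred])
```

With the constructed sample, the three ACLs need 128 explicit rules plus the implicit "deny any", one more than the 128 available, so applying all of them on one device does not fit; walking them in priority order keeps "mgmt-in" and "web-in" and defers "bulk". The allocator keeps scanning after a deferral, so a smaller, lower-priority ACL later in the list can still be placed if it fits. IDM ACLs draw on a separate pool of 128 rules and are not modelled here.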
Table 13 ACL rule and mask resource usage

Rule Usage    ACE Type
              Standard ACLs
1             Implicit deny any (automatically included in any standard ACL, but not displayed by the
              show access-list <acl-#> command).
1             First ACE entered
1             Next ACE entered with the same ACL mask
68 Updates for the HP Switch Software IPv6 Configuration Guide