Table 13 ACL rule and mask resource usage (continued)
Rule usage   ACE type
1            Next ACE entered with a different ACL mask
1            Closing ACL with a deny any or permit any ACE having the same ACL mask as the preceding ACE
1            Closing ACL with a deny any or permit any ACE having a different ACL mask than the preceding ACE

Extended ACLs
1            Implicit deny ip any (automatically included in any standard ACL, but not displayed by the show access-list <acl-#> command).
1            First ACE entered
2            Next ACE entered with same SA/DA ACL mask and same IP or TCP/UDP protocols specified
1            Next ACE entered with any of the following differences from the preceding ACE in the list:
             • Different SA or DA ACL mask
             • Different protocol (IP as opposed to TCP/UDP) specified in either the SA or DA
1            Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with the same SA and DA ACL masks
1            Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with different SA and/or DA ACL masks
Use the following CLI commands for planning and monitoring rule and mask usage in an ACL
configuration.
Syntax:
access-list resources help
Provides a quick reference on how ACLs use rule resources. Includes most of the
information in “ACL rule and mask resource usage” (page 68), plus an ACL usage
summary.
Syntax:
show access-list resources
Shows the number of rules used, maximum rules available, resources used and
resources required for ACLs created with Identity Manager (IDM) and for ACLs
created with the CLI.
Managing ACL resource consumption
As shown in “ACL rule and mask resource usage” (page 68), changes in IP subnet masks or changes
in IP or TCP/UDP applications among consecutive ACEs in an assigned ACL can rapidly consume
resources. Adding a new ACE to an ACL consumes one rule. An extensive ACL configuration can
fully subscribe the 128 rule resources available on the switch.
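The following added planning script (not part of the manual or the switch firmware) applies the extended-ACL rule-usage figures from the table above to a proposed list of ACEs and reports whether the total fits in the 128 rule resources. The Ace class, the constructed sample ACL and the treatment of TCP and UDP as one protocol class (the table contrasts only IP with TCP/UDP) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

RULE_CAPACITY = 128  # rule resources available on the switch, per the manual


@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry (hypothetical model for this example)."""
    action: str     # "permit" or "deny"
    protocol: str   # "ip", "tcp" or "udp"
    src_mask: str   # ACL mask applied to the source address (SA)
    dst_mask: str   # ACL mask applied to the destination address (DA)

    @property
    def proto_class(self) -> str:
        # The table distinguishes only "IP" from "TCP/UDP", so tcp and udp share a class.
        return "ip" if self.protocol == "ip" else "tcp/udp"

    @property
    def is_any_any(self) -> bool:
        # A "deny ip any any" / "permit ip any any" closing ACE (mask of all ones = any host).
        return self.protocol == "ip" and self.src_mask == self.dst_mask == "255.255.255.255"


def rule_usage(aces: List[Ace]) -> Tuple[int, List[str]]:
    """Return (rules consumed, per-ACE explanation) using the table's figures for extended ACLs."""
    total, notes = 1, ["implicit deny ip any: 1"]  # always present, hidden from show access-list
    prev = None
    for i, ace in enumerate(aces):
        if prev is None:
            cost, why = 1, "first ACE entered"
        elif ace.is_any_any and i == len(aces) - 1:
            cost, why = 1, "closing any-any ACE (same or different masks: 1)"
        elif (ace.src_mask, ace.dst_mask, ace.proto_class) == (prev.src_mask, prev.dst_mask, prev.proto_class):
            cost, why = 2, "same SA/DA masks and same protocol class as preceding ACE"
        else:
            cost, why = 1, "different SA/DA mask or protocol class than preceding ACE"
        total += cost
        notes.append(f"{ace.action} {ace.protocol} {ace.src_mask}/{ace.dst_mask}: {cost} ({why})")
        prev = ace
    return total, notes


def fits_capacity(aces: List[Ace]) -> bool:
    """True if the ACL can be applied without oversubscribing the switch's rule resources."""
    return rule_usage(aces)[0] <= RULE_CAPACITY


# Constructed sample ACL: two TCP/UDP ACEs on one /24 pair, an IP ACE, then the closing deny.
SAMPLE_ACL = [
    Ace("permit", "tcp", "0.0.0.255", "0.0.0.255"),
    Ace("permit", "udp", "0.0.0.255", "0.0.0.255"),
    Ace("deny", "ip", "0.0.0.255", "0.0.0.255"),
    Ace("deny", "ip", "255.255.255.255", "255.255.255.255"),
]
```

Running rule_usage(SAMPLE_ACL) yields 6 rules (1 implicit, 1 first, 2 same-mask UDP, 1 protocol change, 1 closing), so the sample fits comfortably; an ACL that alternates masks across many ACEs approaches the limit much faster.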
Oversubscribing available resources
If a given ACL requires more rule resources than are available, then the switch cannot apply the
ACL to any interfaces specified for that ACL. In this case, the access-group command fails and
the CLI displays the following:
• In the CLI:
Unable to apply access control list.
• In the Event Log (and in a Syslog server, if configured on the switch):
Planning an ACL application 69