External TCAM ACLs

In addition to internal ACL tables, BlackDiamond 8900 and X8 xl-series modules and Summit X480 series switches can install ACL rules into an external ternary content addressable memory (TCAM). External TCAMs can hold a much greater number of ACL rules than internal ACL memories. External TCAMs are used for user ACLs when the switch runs in either acl-only mode or l2-and-l3-and-acl mode. If the switch is not running in one of these two modes, internal ACL memory is used instead.

Note

This feature applies only to BlackDiamond 8900 and X8 xl-series modules and Summit X480 series switches.

To set the system to acl-only mode, issue the following command, save, and reboot:

configure forwarding external-tables acl-only

To set the system to l2-and-l3-and-acl mode, issue the following command, save, and reboot:

configure forwarding external-tables l2-and-l3-and-acl

In acl-only mode, the following condition sets and maximum rule counts are supported:

IPv4 Rules: (The maximum is 61440 such rules.)
{
  <ethernet-source-address>, <ethernet-destination-address>,
  <vlan or vlan-id>, <source-address ipv4 addr>,
  <destination-address ipv4 addr>, <protocol>,
  <source-port l4 port or port-range>,
  <destination-port l4 port or port-range>,
  (Note, only one l4 port range per rule is supported)
  <tcp-flags>
}
IPv6 Rules: (The maximum is 2048 such rules.)
{
  <ethernet-source-address>, <ethernet-destination-address>,
  <vlan or vlan-id>, <source-address ipv6 addr>,
  <destination-address ipv6 addr>, <diffserv-codepoint>, <protocol>,
  <source-port l4 port or port-range>,
  <destination-port l4 port or port-range>,
  (Note, only one l4 port range per rule is supported)
  <tcp-flags>
}

In l2-and-l3-and-acl mode, the following condition set and maximum rule count are supported (only IPv4 rules are listed for this mode):

IPv4 Rules: (The maximum is 57344 such rules.)
{
  <vlan or vlan-id>, <source-address ipv4 addr>,
  <destination-address ipv4 addr>, <protocol>,
  <source-port l4 port or port-range>,
  <destination-port l4 port or port-range>,
  (Note, only one l4 port range per rule is supported)
  <tcp-flags>
}
Note

In either of the two external TCAM ACL modes, configuring more than 55000 rules is not recommended: above 55000 rules the system runs low on memory and can experience unexpected crashes.
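As an added example, not taken from this page or from the switch software, the following Python pre-deployment check lints a policy file against the limits above before the rules are pushed to a switch in either external TCAM mode. It assumes a simplified `entry name { if { ... } then { ... } }` policy syntax with `keyword value;` conditions and `low - high` port ranges; the condition keywords are the ones listed in the condition sets above, and treating IPv6 rules as unsupported in l2-and-l3-and-acl mode is an inference from that mode listing only an IPv4 condition set. The sample policy text is constructed for the example.

```python
import re
from collections import Counter

# Limits as stated on the page. Exceeding 55000 total rules risks memory exhaustion.
RECOMMENDED_MAX_RULES = 55000

L3_COMMON = {"vlan", "vlan-id", "source-address", "destination-address",
             "protocol", "source-port", "destination-port", "tcp-flags"}
L2_ADDRS = {"ethernet-source-address", "ethernet-destination-address"}

# mode -> address family -> (allowed condition keywords, maximum rule count)
MODES = {
    "acl-only": {
        "ipv4": (L2_ADDRS | L3_COMMON, 61440),
        "ipv6": (L2_ADDRS | L3_COMMON | {"diffserv-codepoint"}, 2048),
    },
    "l2-and-l3-and-acl": {
        "ipv4": (L3_COMMON, 57344),
        # No IPv6 condition set is listed for this mode; IPv6 rules are flagged.
    },
}

# Assumed simplified policy syntax (not a full parser for the vendor's format).
ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if(?:\s+match\s+(?:all|any))?\s*\{(.*?)\}\s*then", re.S)
COND_RE = re.compile(r"([a-z0-9-]+)\s+([^;]+);")


def parse_entries(policy_text):
    """Return [(entry_name, [(keyword, value), ...]), ...]."""
    entries = []
    for name, body in ENTRY_RE.findall(policy_text):
        conds = [(k, v.strip()) for k, v in COND_RE.findall(body)]
        entries.append((name, conds))
    return entries


def address_family(conds):
    """IPv6 if any IP address condition contains ':'; otherwise IPv4."""
    for k, v in conds:
        if k in ("source-address", "destination-address") and ":" in v:
            return "ipv6"
    return "ipv4"


def lint_policy(policy_text, mode):
    """Return a list of human-readable findings; empty list means the policy fits."""
    findings = []
    per_family = Counter()
    for name, conds in parse_entries(policy_text):
        fam = address_family(conds)
        per_family[fam] += 1
        if fam not in MODES[mode]:
            findings.append(f"{name}: {fam} rules are not listed for {mode} mode")
            continue
        allowed, _ = MODES[mode][fam]
        for k, _v in conds:
            if k not in allowed:
                findings.append(
                    f"{name}: condition '{k}' is not supported for {fam} in {mode} mode")
        # Only one L4 port range per rule is supported.
        ranges = [k for k, v in conds
                  if k in ("source-port", "destination-port") and "-" in v]
        if len(ranges) > 1:
            findings.append(
                f"{name}: only one L4 port range per rule is supported (found {len(ranges)})")
    for fam, count in per_family.items():
        if fam in MODES[mode] and count > MODES[mode][fam][1]:
            findings.append(
                f"{count} {fam} rules exceed the {mode} maximum of {MODES[mode][fam][1]}")
    total = sum(per_family.values())
    if total > RECOMMENDED_MAX_RULES:
        findings.append(
            f"{total} rules exceed the recommended {RECOMMENDED_MAX_RULES}; risk of memory exhaustion")
    return findings


# Constructed sample policy exercising each check.
SAMPLE_POLICY = """
entry allow_web {
    if { protocol tcp; destination-address 10.1.1.10/32; destination-port 80; }
    then { permit; }
}
entry two_ranges {
    if { protocol udp; source-port 1024 - 65535; destination-port 33434 - 33534; }
    then { deny; }
}
entry mac_pin {
    if { ethernet-source-address 00:11:22:33:44:55; source-address 192.168.5.0/24; }
    then { permit; }
}
entry v6_dscp {
    if { source-address 2001:db8::/32; diffserv-codepoint 46; }
    then { permit; }
}
"""

if __name__ == "__main__":
    for mode in MODES:
        print(f"== {mode} ==")
        for line in lint_policy(SAMPLE_POLICY, mode) or ["no findings"]:
            print(" ", line)
```

Run against the sample, acl-only mode reports only the double port range in `two_ranges`; l2-and-l3-and-acl mode additionally flags the Ethernet address match in `mac_pin` and the IPv6 rule `v6_dscp`. Per-family caps and the 55000 recommendation are checked on the total count, which is where a policy that looks fine rule-by-rule still fails at install time.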