Wide Key ACLs

This feature allows match conditions to use a 362-bit double-wide match key instead of the standard 181-bit single-wide key. A double-wide match key allows you to add more match conditions to an ACL. It also allows matching on a full destination-source IPv6 address.

The feature does not add any new match conditions; rather, it allows you to add additional condition combinations to any single-wide condition combination that is already supported. The existing supported condition combinations are described in the following tables. The double-wide condition combinations that can be appended, under the set union operation, to the single-wide condition combinations are as follows:
  • OVID, DIP, SIP, IpInfo(First-Fragment,Fragments), IP-Proto, DSCP, TCP-Flag, L4SP, L4DP

  • SIPv6, IP-Proto, DSCP, TCP-Flag, L4SP, L4DP

For example, suppose single-wide mode supports condition combinations A, B, and C, and double-wide mode adds condition combinations D1 and D2. In single-wide mode, the conditions of your rule should be a subset of {A}, {B}, or {C}. In double-wide mode, the conditions of your rule should be a subset of {A U D1}, {A U D2}, {B U D1}, {B U D2}, {C U D1}, or {C U D2}.
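The subset rule above can be checked before a policy is installed. The following is an added example, not Extreme Networks code: D1 and D2 are the two combinations listed on this page, while the single-wide combinations A and B, the function names, and any capacity figure passed in are constructed placeholders. It also applies the halved rule capacity of double-wide mode described under Limitations.

```python
# D1 and D2: the double-wide combinations listed on this page.
D1 = frozenset({"OVID", "DIP", "SIP", "IpInfo", "IP-Proto", "DSCP",
                "TCP-Flag", "L4SP", "L4DP"})
D2 = frozenset({"SIPv6", "IP-Proto", "DSCP", "TCP-Flag", "L4SP", "L4DP"})
DOUBLE_WIDE = {"D1": D1, "D2": D2}

# Constructed placeholders (assumption): the real single-wide combinations
# come from the platform's condition tables, which are not reproduced here.
SINGLE_WIDE = {
    "A": frozenset({"DIPv6", "IP-Proto", "L4DP"}),
    "B": frozenset({"ETH-DA", "ETH-SA", "EtherType"}),
}

def classify_rule(conditions, single_wide=SINGLE_WIDE):
    """Return ("single", combo), ("double", "X U Dn") or ("unsupported", extras)."""
    conds = frozenset(conditions)
    # Prefer single-wide: the rule fits if it is a subset of one combination.
    for name in sorted(single_wide):
        if conds <= single_wide[name]:
            return ("single", name)
    # Otherwise it must be a subset of ONE union X U Dn; D1 and D2 never mix.
    leftover = conds
    for name in sorted(single_wide):
        for dname in sorted(DOUBLE_WIDE):
            extra = conds - (single_wide[name] | DOUBLE_WIDE[dname])
            if not extra:
                return ("double", f"{name} U {dname}")
            if len(extra) < len(leftover):
                leftover = extra  # remember the closest miss for reporting
    return ("unsupported", sorted(leftover))

def plan_mode(rules, single_wide_capacity, single_wide=SINGLE_WIDE):
    """Pick the key width a rule set needs and check it against TCAM capacity."""
    results = [classify_rule(r, single_wide) for r in rules]
    if any(kind == "unsupported" for kind, _ in results):
        return ("reject", results)
    # One double-wide rule forces the whole switch or module into double-wide
    # mode, which holds half as many rules as single-wide mode.
    mode = "double" if any(kind == "double" for kind, _ in results) else "single"
    capacity = single_wide_capacity // 2 if mode == "double" else single_wide_capacity
    if len(rules) > capacity:
        return ("over-capacity", results)
    return (mode, results)
```
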

The platforms that support this feature can operate either in double-wide mode or in the current single-wide mode. An individual switch or module cannot be configured to operate in a mixed double-wide and single-wide mode. However, a BlackDiamond 8800 chassis or a SummitStack can have a mixture of modules and switches, with some of them operating in single-wide mode and some in double-wide mode.

Limitations

Following are limitations associated with this feature:
  • Double-wide mode provides richer condition combinations. However, when in a double-wide mode, you can install only one half as many rules into the internal ACL TCAM as you can when in a single-wide mode.

  • Double-wide mode is supported only by internal TCAM hardware. External TCAM hardware does not support this feature, so it is not applicable to external TCAM ACLs.

  • Only ingress ACLs support this feature. Egress and external ACLs do not support it.

  • BlackDiamond 8000 10G24Xc2 and 10G24Xc modules can operate in double-wide mode only in slices 8, 9, 10, and 11. Therefore, when you configure double-wide mode on these platforms, they operate in double-wide mode on slices 8 through 11 and in single-wide mode on slices 0 through 7.

Supported Platforms

Wide Key ACLs are available on BlackDiamond X8 Series Switches; BlackDiamond 8000 c-, xl-, and xm-series modules; and Summit X460, X480, X670, X460-G2, X670-G2, X450-G2, and X770 switches.