ACL Slices and Rules

The Summit family switches (whether or not included in a SummitStack), BlackDiamond X8 series switches and BlackDiamond 8000 c-, e-, xl-, and xm-series modules use a mechanism different from the earlier Summit series and BlackDiamond 8800 series switches to implement ACLs. The same architecture and guidelines apply to all of these platforms.

Note

This feature applies only to BlackDiamond X8 series switches, BlackDiamond 8000 series modules and Summit family switches.

Instead of the per port masks used in earlier switches, these platforms use slices that can apply to any of the supported ports. An ACL applied to a port may be supported by any of the slices.

For Summit family switches and BlackDiamond 8800 a- and e- series modules, the slice support is as follows:
  • BlackDiamond 8800 a-series modules—Each group of 24 ports has 16 slices with each slice having enough memory for 128 ingress rules and actions.

  • BlackDiamond 8800 e‑series modules—Each group of 24 ports has 8 slices with each slice having enough memory for 128 ingress rules and actions.

  • Summit X430 switches—Each group of 48 ports has 4 slices with each slice having enough memory for 256 ingress rules, which adds up to 1024 ingress rules.
  • Summit X440 series switches—each group of 24 ports has 4 slices with each slice having enough memory for 256 ingress rules.

  • Summit X450G2 switches—
    • Each group of 48 ports has 4 slices with each slice having enough memory for 512 egress rules, which adds up to 2048 rules
    • Each group of 48 ports has 16 slices with each slice having enough memory for 256 ingress rules, which adds up to 4096 ingress rules.
  • Summit X460 series switches and E4G400 routers —
    • Each group of 24 ports has 4 slices with each slice having enough memory for 128 egress rules.

    • Each group of 24 ports has 16 slices with each slice having enough memory for 256 ingress rules.

  • Summit X460G2 switches—
    • Each group of 48 ports has 4 slices with each slice having enough memory for 512 egress rules, which adds up to 2048 rules
    • Each group of 48 ports has 16 slices with each slice having enough memory for 256 ingress rules, which adds up to 4096 ingress rules.
  • Summit X480 series switches—
    • Each group of 48 ports has 4 slices with each slice having enough memory for 256 egress rules.

    • Each group of 48 ports has 16 internal slices with each slice having enough memory for 512 ingress rules plus the external slice.

  • Summit X670 switches and BlackDiamond X8 series switches—
    • Each group of 48 ports has 4 slices with each slice having enough memory for 256 egress rules.
    • Each group of 48 ports has 10 slices; the first 4 (0-3) slices hold 128 ingress rules each, and the last 6 (4-9) slices hold 256 ingress rules each, which adds up to 2048 ingress rules.
  • Summit X670G2 switches—
    • Each group of 48 ports has 4 slices with each slice having enough memory for 256 egress rules, which adds up to 1024 rules
    • Each group of 48 ports has 12 slices; the first 4 (0-3) slices hold 512 ingress rules each, and the last 8 (4-11) slices hold 256 ingress rules each, which adds up to 4096 ingress rules.
  • Summit X770 switches—
    • Each group of 104 ports has 4 slices with each slice having enough memory for 256 egress rules.
    • Each group of 104 ports has 12 slices; the first 4 (0-3) slices hold 512 ingress rules each, and the last 8 (4-11) slices hold 256 ingress rules each, which adds up to 4096 ingress rules.
  • E4G200 switches—
    • Each group of 12 ports has 4 slices with each slice having enough memory for 128 egress rules.
    • Each group of 12 ports has 8 internal slices with each slice having enough memory for 256 ingress rules.
  • BlackDiamond X8 series switches—
    • 10G48X-
      • Each group of 24 ports has 4 slices with each slice having enough memory for 256 egress rules.
      • Each group of 24 ports has 10 slices; the first 4 (0-3) slices hold 128 ingress rules each, and the last 6 (4-9) slices hold 256 ingress rules each, which adds up to 2048 ingress rules.
    • 10G48T-
      • Each group of 24 ports has 4 slices with each slice having enough memory for 256 egress rules.
      • Each group of 24 ports has 10 slices; the first 4 (0-3) slices hold 128 ingress rules each, and the last 6 (4-9) slices hold 256 ingress rules each, which adds up to 2048 ingress rules.
    • 40G12X-
      • Each group of 6 ports has 4 slices with each slice having enough memory for 256 egress rules.
      • Each group of 6 ports has 10 slices; the first 4 (0-3) slices hold 128 ingress rules each, and the last 6 (4-9) slices hold 256 ingress rules each, which adds up to 2048 ingress rules.
    • 40G24X-
      • Each group of 6 ports has 4 slices with each slice having enough memory for 256 egress rules.
      • Each group of 6 ports has 10 slices; the first 4 (0-3) slices hold 128 ingress rules each, and the last 6 (4-9) slices hold 256 ingress rules each, which adds up to 2048 ingress rules.
Note

Egress ACLs are supported on BlackDiamond X8 series switches, BlackDiamond 8000 c-, xl-, and xm-series modules, E4G-200 and E4G-400 cell site routers, and Summit X460, X480, X670, X770, X460-G2, X670-G2 and X450-G2 series switches only.

The following figure shows the 16 slices and associated rule memory for BlackDiamond 8800 a-series module.

Figure: Slice Support for BlackDiamond 8800 a-Series Modules

The following figure shows the 8 slices and associated rule memory for a BlackDiamond 8000 e-series module.

Figure: Slice Support for BlackDiamond 8000 e-Series Modules
For BlackDiamond 8000 c-, xl-, and xm-series modules, the slice support for the cards is as follows:
  • 10G1Xc—
    • Its single port has 4 slices with each slice having enough memory for 128 egress rules.

    • Its single port has 16 slices with each slice having enough memory for 256 ingress rules.

  • G8Xc—
    • Its 8 ports have 4 slices with each slice having enough memory for 128 egress rules.

    • Its 8 ports have 16 slices with each slice having enough memory for 256 ingress rules.

  • 10G4Xc/10G8Xc—
    • Each group of 2 ports has 4 slices with each slice having enough memory for 128 egress rules.

    • Each group of 2 ports has 16 slices with each slice having enough memory for 256 ingress rules.

  • 10G24X-c—
    • Each group of 12 ports has 4 slices with each slice having enough memory for 128 egress rules.

    • Each group of 12 ports has 12 slices with each of the first 8 slices having enough memory for 128 ingress rules and each of the last 4 slices having enough memory for 256 ingress rules.

  • G96T-c—
    • Each group of 48 ports has 4 slices with each slice having enough memory for 256 egress rules.

    • Each group of 48 ports has 16 slices with each slice having enough memory for 512 ingress rules.

  • G48Tc/G48Xc/G24Xc—
    • Each group of 24 ports has 4 slices with each slice having enough memory for 128 egress rules.

    • Each group of 24 ports has 16 slices with each slice having enough memory for 256 ingress rules.

  • G48X-xl/G48T-xl—
    • Its 48 ports have 4 slices with each slice having enough memory for 256 egress rules.

    • Its 48 ports have 16 internal slices with each slice having enough memory for 512 ingress rules.

  • 10G8X-xl—
    • Each group of 4 ports has 4 slices with each slice having enough memory for 256 egress rules.

    • Each group of 4 ports has 16 internal slices with each slice having enough memory for 512 ingress rules.

  • 40G6X-xm and BlackDiamond X8 series switches—
    • Each group of 24 ports has 4 slices with each slice having enough memory for 256 egress rules.

    • Each group of 24 ports has 10 slices with each slice having enough memory for 256 ingress rules.

This architecture also allows a single slice to implement ACLs that are applied to more than one port. When an ACL entry is applied, if its match conditions do not conflict with an already existing ACL, the entry is added to the rule memory of an already populated slice. Because the slices are much more flexible than masks, a much wider variety of rule entries can use the same slice.

When ACLs are applied, the system programs each slice to select parts of the packet information to be loaded into it. For example, one possible way a slice can be programmed allows it to hold the information about a packet's ingress port, source and destination IP address, IP protocol, source and destination Layer 4 ports, DSCP value, TCP flags, and whether it is a first fragment. Any rule entry whose match conditions are all drawn from that list is compatible with that slice. This list of conditions is just one example. A complete description of the possible ways to program a slice is given in Compatible and Conflicting Rules.

In the following example, the two rule entries are compatible and require only one slice in hardware even though they are applied to different ports. The following entry is applied to port 1:
entry ex_A {
	if {
		source-address 10.10.10.0/24 ;
		destination-port 23 ;
		protocol tcp ;
	} then {
		deny ;
	}
}
and the following entry is applied to port 2:
entry ex_B {
	if {
		destination-address 192.168.0.0/16 ;
		source-port 1000 ;
		protocol tcp ;
	} then {
		deny ;
	}
}

Both of these ACLs could be supported on the same slice, since the match conditions are taken from the example list discussed earlier. This example is shown in the following figure. In the example, we refer to slice A, even though the slices are numbered. Slice A just means that one slice is used, but does not specify a particular slice. Some rules require more than one slice, so we use letters to show that different slices are used, but not which specific slices.

Figure: ACL Entry ex_A and ex_B

There are cases where compatible ACLs require using a different slice. If the memory associated with a slice is filled with rule entries, then another slice will be used to process any other compatible entries.

For example, consider the following 129 rule entries applied to ports 3-7:

entry one {
	if {
		source-address 10.66.10.0/24 ;
		destination-port 23 ;
		protocol tcp ;
	} then {
		deny ;
	}
}
entry two {
	if {
		destination-address 192.168.0.0/16 ;
		source-port 1000 ;
		protocol tcp ;
	} then {
		deny ;
	}
}
entry three {
	if {
		source-address 10.5.2.246/32 ;
		destination-address 10.0.1.16/32 ;
		protocol udp ;
		source-port 100 ;
		destination-port 200 ;
	} then {
		deny ;
	}
}
....
[The 125 intervening entries are not displayed in this example]
....
entry onehundred_twentynine {
	if {
		protocol udp ;
		destination-port 1714 ;
	} then {
		deny ;
	}
}

The following figure shows the result of applying the 129 entries; 128 of the entries are applied to one slice, and the final entry is applied to a different slice. If another compatible entry is applied from another port, for example, it will use Slice B.

Figure: ACL Entry one Through onehundred_twentynine

As entries are configured on the switch, the slices are programmed to implement the rules, and the rule memory is filled with the matching values for the rules. If a compatible slice is available, each entry is added to that slice.
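The following Python model is an added example for this page; it is not ExtremeXOS code and does not reproduce the switch's real allocator. It reconstructs the two worked cases above (ex_A/ex_B sharing a slice across ports, and the 129 entries spilling from one 128-rule slice into a second) and goes one step further: it shows an entry whose conditions the first slice's programming cannot express landing in a separate slice, and it reports when a port group's slices are exhausted. Everything about how a slice is chosen is an assumption stated in the docstring: a slice is programmed with one field set by the first rule placed in it, later rules whose conditions are a subset of that field set are compatible, and the allocator reuses the first compatible non-full slice before programming an unused one. `PROFILE_L3L4` is the example field list from the text; `PROFILE_L2` is invented for the conflict case. The slice layouts in `INGRESS_SLICES` are copied from the platform list earlier on this page.

```python
"""Toy model of slice-based ACL allocation (added example, not ExtremeXOS code).

Assumed rules, since the page does not spell them out:
  * a slice is programmed with one field set ("profile") by the first rule placed in it;
    a later rule is compatible if its match conditions are a subset of that field set;
  * the first compatible slice with free rule memory is reused regardless of port;
    only then is an unused slice programmed with the first profile covering the rule.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Ingress slice layouts copied from the platform list above (one port group each):
# rule-memory depth of every slice, in slice order.
INGRESS_SLICES: Dict[str, List[int]] = {
    "bd8800-a": [128] * 16,
    "bd8800-e": [128] * 8,
    "x670":     [128] * 4 + [256] * 6,
    "x670g2":   [512] * 4 + [256] * 8,
}

PROFILE_L3L4 = frozenset({  # the example field list given in the text
    "ingress-port", "source-address", "destination-address", "protocol",
    "source-port", "destination-port", "dscp", "tcp-flags", "first-fragment",
})
PROFILE_L2 = frozenset({  # assumed second profile, not from the page
    "ingress-port", "ethernet-source-address", "ethernet-destination-address",
    "ethernet-type", "vlan-id",
})
PROFILES = (PROFILE_L3L4, PROFILE_L2)


@dataclass
class Slice:
    index: int
    capacity: int
    fields: Optional[FrozenSet[str]] = None          # None until a rule programs it
    rules: List[Tuple[str, int]] = field(default_factory=list)  # (entry name, port)

    def accepts(self, conds: FrozenSet[str]) -> bool:
        """Compatible with this slice's programming and still has free rule memory."""
        return (self.fields is not None and conds <= self.fields
                and len(self.rules) < self.capacity)


class SliceAllocator:
    def __init__(self, platform: str) -> None:
        self.slices = [Slice(i, cap) for i, cap in enumerate(INGRESS_SLICES[platform])]

    def add(self, entry: str, conds: Iterable[str], port: int) -> int:
        """Place one ACL entry and return the slice index it landed in."""
        conds = frozenset(conds)
        for s in self.slices:                      # 1. reuse a compatible slice (any port)
            if s.accepts(conds):
                s.rules.append((entry, port))
                return s.index
        profile = next((p for p in PROFILES if conds <= p), None)
        if profile is None:                        # no way to program a slice for this rule
            raise ValueError(f"{entry}: no slice profile covers {sorted(conds)}")
        for s in self.slices:                      # 2. program an unused slice
            if s.fields is None:
                s.fields = profile
                s.rules.append((entry, port))
                return s.index
        raise RuntimeError(f"{entry}: all slices on this port group are full")

    def usage(self) -> Dict[int, Tuple[int, int]]:
        """{slice index: (rules used, rule capacity)} for every programmed slice."""
        return {s.index: (len(s.rules), s.capacity) for s in self.slices if s.fields is not None}


def ex_a_ex_b() -> Tuple[int, int]:
    """ex_A on port 1 and ex_B on port 2 share a single slice."""
    alloc = SliceAllocator("bd8800-a")
    a = alloc.add("ex_A", {"source-address", "destination-port", "protocol"}, port=1)
    b = alloc.add("ex_B", {"destination-address", "source-port", "protocol"}, port=2)
    return a, b


def one_through_129() -> Dict[int, Tuple[int, int]]:
    """129 compatible entries on ports 3-7: 128 fill slice 0, the last spills to slice 1."""
    alloc = SliceAllocator("bd8800-a")
    shapes = (  # condition sets of entries one, two and three, cycled for the rest
        {"source-address", "destination-port", "protocol"},
        {"destination-address", "source-port", "protocol"},
        {"source-address", "destination-address", "protocol", "source-port", "destination-port"},
    )
    for i in range(129):
        alloc.add(f"entry_{i + 1}", shapes[i % 3], port=3 + i % 5)
    return alloc.usage()


def mixed_l2_l3() -> Tuple[int, int]:
    """A MAC-based rule cannot share the L3/L4-programmed slice and gets its own."""
    alloc = SliceAllocator("x670")
    l3 = alloc.add("tcp23", {"protocol", "destination-port"}, port=1)
    l2 = alloc.add("mac-block", {"ethernet-source-address"}, port=1)
    return l3, l2


def fits(platform: str, n_rules: int) -> bool:
    """True if n_rules mutually compatible L3/L4 rules fit in one port group's ingress slices."""
    alloc = SliceAllocator(platform)
    try:
        for i in range(n_rules):
            alloc.add(f"r{i}", {"protocol", "destination-port"}, port=1)
    except RuntimeError:
        return False
    return True


if __name__ == "__main__":
    print("ex_A/ex_B ->", ex_a_ex_b())                  # (0, 0)
    print("129 entries ->", one_through_129())          # {0: (128, 128), 1: (1, 128)}
    print("L3 then L2 ->", mixed_l2_l3())               # (0, 1)
    print("e-series 1024 / 1025 ->", fits("bd8800-e", 1024), fits("bd8800-e", 1025))
```

The model deliberately ignores which port an entry is applied to when choosing a slice, because that is the point of the slice architecture on these platforms: compatible entries from different ports pack into the same rule memory, and the only things that force a new slice are a full slice or conditions the existing programming cannot express. `fits` is the planning check a practitioner wants before loading a large policy; on the switch itself, `show access-list usage acl-slice port <port>` reports the per-slice occupancy that this model approximates.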