ACL Slices and Rules

The Summit family switches use a mechanism different from the earlier Summit series to implement ACLs. The same architecture and guidelines apply to both platforms.

Instead of the per port masks used in earlier switches, these platforms use slices that can apply to any of the supported ports. An ACL applied to a port may be supported by any of the slices.

The slice support is as follows:
  • Summit X450-G2 switches—
    • Each group of 48 ports has 4 slices with each slice having enough memory for 256 egress rules, which adds up to 1024 rules
    • Each group of 48 ports has 16 slices with each slice having enough memory for 256 ingress rules, which adds up to 4096 ingress rules.
  • Summit X460-G2 switches—
    • Each group of 48 ports has 4 slices with each slice having enough memory for 256 egress rules, which adds up to 1024 rules
    • Each group of 48 ports has 16 slices with each slice having enough memory for 256 ingress rules , which adds up to 4096 ingress rules.
  • Summit X670-G2 switches—
    • Each group of 48 ports has 4 slices with each slice having enough memory for 256 egress rules, which adds up to 1024 rules
    • Each group of 48 ports has 12 slices; the first 4 (0-3) slices hold 512 ingress rules each, and the last 8 (4-11) slices hold 256 ingress rules each, which adds up to 4096 ingress rules.
  • Summit X770 switches—
    • Each group of 104 ports has 4 slices with each slice having enough memory for 256 egress rules .
    • Each group of 104 ports has 12 slices; the first 4 (0-3) slices hold 512 ingress rules each, and the last 8 (4-11) slices hold 256 ingress rules each, which adds up to 4096 ingress rules.
  • ExtremeSwitching X440-G2 switches
    • Each group of 24 ports has 4 slices with each slice having enough memory for 128 egress rules, which adds up to 512 rules.
    • Each group of 24 ports has 8 slices with each slice having enough memory for 256 ingress rules, which adds up to 2048 ingress rules.
  • ExtremeSwitching X620 switches
    • Each group of 10/16 ports has 4 slices with each slice having enough memory for 128 egress rules, which adds up to 512 rules.
    • Each group of 10/16 ports has 8 slices with each slice having enough memory for 256 ingress rules, which adds up to 2048 ingress rules.
Note

Note

Egress ACLs are supported on Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X440-G2 and X620 series switches only.

This architecture also allows a single slice to implement ACLs that are applied to more than one port. When an ACL entry is applied, if its match conditions do not conflict with an already existing ACL, the entry is added to the rule memory of an already populated slice. Because the slices are much more flexible than masks, a much wider variety of rule entries can use the same slice.

When ACLs are applied, the system programs each slice to select parts of the packet information to be loaded into it. For example, one possible way a slice can be programmed allows it to hold the information about a packet‘s ingress port, source and destination IP address, IP protocol, source and destination Layer 4 ports, DSCP value, TCP flag, and if it is a first fragment. Any rule entry that consists of match conditions drawn from that list is compatible with that slice. This list of conditions is just one example. A complete description of possible ways to program a slice is discussed in Compatible and Conflicting Rules.

In the following example, the two rule entries are compatible and require only one slice in hardware even though they are applied to different ports. The following entry is applied to port 1:
entry ex_A {
	if {
		source-address 10.10.10.0/24 ;
		destination-port 23 ;
		protocol tcp ;
	} then {
		deny ;
	}
}
and the following entry is applied to port 2:
entry ex_B {
	if {
		destination-address 192.168.0.0/16 ;
		source-port 1000 ;
		protocol tcp ;
	} then {
		deny ;
	}
}

Both of these ACLs could be supported on the same slice, since the match conditions are taken from the example list discussed earlier. This example is shown in the following figure. In the example, we refer to slice A, even though the slices are numbered. Slice A just means that one slice is used, but does not specify a particular slice. Some rules require more than one slice, so we use letters to show that different slices are used, but not which specific slices.

expand icon
ACL Entry ex_A and ex_B
../Graphics/XM_078.svg

There are cases where compatible ACLs require using a different slice. If the memory associated with a slice is filled with rule entries, then another slice will be used to process any other compatible entries.

For example, consider the following 129 rule entries applied to ports 3-7:

entry one {
	if {
		source-address 10.66.10.0/24 ;
		destination-port 23 ;
		protocol tcp ;
	} then {
		deny ;
	}
}
entry two {
	if {
		destination-address 192.168.0.0/16 ;
		source-port 1000 ;
		protocol tcp ;
	} then {
		deny ;
	}
}
entry three {
	if {
		source-address 10.5.2.246/32 ;
		destination-address 10.0.1.16/32 ;
		protocol udp ;
		source-port 100 ;
		destination-port 200 ;
	} then {
		deny ;
	}
}
....
[The 125 intervening entries are not displayed in this example]
....
entry onehundred_twentynine {
	if {
		protocol udp ;
		destination-port 1714 ;
	} then {
		deny ;
	}
}

The following figure shows the result of applying the 129 entries; 128 of the entries are applied to one slice, and the final entry is applied to a different slice. If another compatible entry is applied from another port, for example, it will use Slice B.

expand icon
ACL Entry one Through onehundred_twentynine
../Graphics/XM_079.svg

As entries are configured on the switch, the slices are programmed to implement the rules, and the rule memory is filled with the matching values for the rules. If a compatible slice is available, each entry is added to that slice.