Wide Key ACLs

The wide key capability provides greater capacity for rules than single-wide key ACLs (Access Control Lists).

For example, on ExtremeSwitching and Summit series switches, except X870, a double-wide match key provides 362 bits of capacity for match conditions, instead of the 181 bits of a standard single-wide key. A double-wide key allows you to add more match conditions to an ACL. It also allows matching on a full destination-source IPv6 address.

As indicated, the ExtremeSwitching and Summit X870 series has different wide key capabilities than the other ExtremeSwitching and Summit series switches. The different capabilities are summarized as follows:

All ExtremeSwitching and Summit Series Switches (Except X870)
  • Single-wide key
  • Double-wide key

On all platforms, except the ExtremeSwitching and Summit X870 series switches, key width is configured manually (see Configuring Wide Key ACL Modes) and applies to all ACLs on the switch. An individual switch cannot be configured to operate in a mixed double- and single-wide mode. However, a SummitStack can have a mixture of modules and switches with some of them operating in a single-wide mode and some in a double-wide mode.

Double-wide key ACLs allow more condition combinations than single-wide ACLs. The existing supported condition combinations are described in Field Selectors for ExtremeSwitching and Summit Series Switches. The double-wide condition combinations that can be appended under the set union operation to the single-wide condition combinations are as follows:
  • OVID, DIP, SIP, IpInfo(First-Fragment,Fragments), IP-Proto, DSCP, TCP-Flag, L4SP, L4DP
  • SIPv6, IP-Proto, DSCP, TCP-Flag, L4SP, L4DP

For example, suppose your single-wide mode supports condition combinations A, B, and C, and the double-wide mode adds condition combinations D1 and D2. Then in single-wide mode, the conditions of your rule should be a subset of either {A}, or {B}, or {C}, and in double-wide mode, the conditions of your rule should be a subset of either {A U D1}, or {A U D2}, or {B U D1}, or {B U D2}, or {C U D1}, or {C U D2}.
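The subset-of-union rule above can be checked mechanically before a policy is deployed. The following is an added example, not code from ExtremeXOS or this guide: D1 and D2 are the two double-wide lists from this page, while the single-wide combinations A, B, and C (and the condition names DIPv6, MACDA, MACSA, and Etype) are constructed placeholders, because the real single-wide combinations are documented in Field Selectors for ExtremeSwitching and Summit Series Switches.

```python
from itertools import product

# Double-wide additions, taken from the two lists on this page.
DOUBLE_WIDE_ADDITIONS = {
    "D1": frozenset({"OVID", "DIP", "SIP", "IpInfo", "IP-Proto", "DSCP",
                     "TCP-Flag", "L4SP", "L4DP"}),
    "D2": frozenset({"SIPv6", "IP-Proto", "DSCP", "TCP-Flag", "L4SP", "L4DP"}),
}

# ASSUMPTION: constructed placeholder single-wide combinations, for
# illustration only. Substitute the combinations from the Field Selectors
# documentation for your platform.
SINGLE_WIDE_EXAMPLE = {
    "A": frozenset({"DIP", "SIP", "IP-Proto", "L4SP", "L4DP"}),
    "B": frozenset({"DIPv6", "IP-Proto", "TCP-Flag"}),
    "C": frozenset({"MACDA", "MACSA", "Etype", "OVID"}),
}


def fitting_combinations(conditions, single=SINGLE_WIDE_EXAMPLE,
                         additions=DOUBLE_WIDE_ADDITIONS):
    """Return (single_fits, double_fits): names of combinations that contain
    every match condition of the rule."""
    wanted = frozenset(conditions)
    single_fits = sorted(n for n, s in single.items() if wanted <= s)
    # In double-wide mode a rule must be a subset of some (single U addition).
    double_fits = sorted(
        f"{sn} U {dn}"
        for (sn, s), (dn, d) in product(single.items(), additions.items())
        if wanted <= (s | d)
    )
    return single_fits, double_fits


def required_key_mode(conditions, **kwargs):
    """Narrowest key mode the rule fits in, or None if it fits in neither."""
    single_fits, double_fits = fitting_combinations(conditions, **kwargs)
    if single_fits:
        return "single-wide"
    if double_fits:
        return "double-wide"
    return None


if __name__ == "__main__":
    for rule in ({"DIP", "SIP", "L4DP"},
                 {"DIPv6", "SIPv6", "IP-Proto"},
                 {"MACDA", "SIPv6", "DIPv6"}):
        print(sorted(rule), "->", required_key_mode(rule))
```

With the placeholder combinations, a rule matching both the source and the destination IPv6 address fits only in double-wide mode (B U D2), and a rule whose conditions span two single-wide combinations is rejected in both modes.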

ExtremeSwitching and Summit X870 Series Switches
  • Single-wide key = 80 bits
  • Introslice double key = 160 bits
  • Double-wide key = 320 bits
  • Triple-wide key = 480 bits

For ExtremeSwitching and Summit X870 series switches, key width (single, introslice double, double, and triple) is assigned automatically based on ACL rule size, and a single switch can contain ACLs with different key widths.

Limitations

The following are limitations associated with wide keys:
  • Wide keys provide richer condition combinations. However, there is a tradeoff in ACL capacity: wide key ACLs consume more space.
  • Only ingress ACLs support this feature. Egress and external ACLs do not support it.

Supported Platforms

Wide key ACLs are available on ExtremeSwitching and Summit X450-G2, X460-G2, X670-G2, X770, X440-G2, X590, X620, X870 series switches.