ACL Allocation to Slices—All Platforms

A single slice can hold ACL entries that are applied to more than one port. When an ACL entry is applied, if its match conditions do not conflict with the entries already programmed in a slice, the entry is added to the rule memory of that already populated slice instead of consuming a new one.

When ACLs are applied, the system programs each slice to select the parts of the packet header that are loaded into it. For example, one possible way a slice can be programmed allows it to hold a packet's ingress port, source and destination IP address, IP protocol, source and destination Layer 4 ports, DSCP value, TCP flags, and whether the packet is a first fragment. Any rule entry whose match conditions are all drawn from that list is compatible with that slice. This list of conditions is just one example; the complete set of ways a slice can be programmed is given in Compatible and Conflicting Rules.

In the following example, the two rule entries are compatible and require only one slice in hardware even though they are applied to different ports. The following entry is applied to port 1:
entry ex_A {
	if {
		source-address 10.10.10.0/24 ;
		destination-port 23 ;
		protocol tcp ;
	} then {
		deny ;
	}
}
and the following entry is applied to port 2:
entry ex_B {
	if {
		destination-address 192.168.0.0/16 ;
		source-port 1000 ;
		protocol tcp ;
	} then {
		deny ;
	}
}

Both of these ACLs can be supported on the same slice, since their match conditions are all taken from the example list discussed earlier. This is shown in the following figure. The figure refers to slice A even though hardware slices are numbered: the letter means only that one slice is used, not which particular slice. Where rules need more than one slice, different letters show that different slices are used, without identifying which ones.

ACL Entry ex_A and ex_B

Compatible ACLs can still end up in different slices. Once the rule memory of a slice is full, the next compatible entry is placed in another slice.

For example, consider the following 129 rule entries applied to ports 3-7:

entry one {
	if {
		source-address 10.66.10.0/24 ;
		destination-port 23 ;
		protocol tcp ;
	} then {
		deny ;
	}
}
entry two {
	if {
		destination-address 192.168.0.0/16 ;
		source-port 1000 ;
		protocol tcp ;
	} then {
		deny ;
	}
}
entry three {
	if {
		source-address 10.5.2.246/32 ;
		destination-address 10.0.1.16/32 ;
		protocol udp ;
		source-port 100 ;
		destination-port 200 ;
	} then {
		deny ;
	}
}
....
[The 125 intervening entries are not displayed in this example]
....
entry onehundred_twentynine {
	if {
		protocol udp ;
		destination-port 1714 ;
	} then {
		deny ;
	}
}

The following figure shows the result of applying the 129 entries: the first 128 entries fill one slice (slice A), and the final entry goes into a second slice (slice B). Any further compatible entry, whichever port it is applied to, is added to slice B as well.

ACL Entry one Through onehundred_twentynine

As entries are configured on the switch, the slices are programmed to implement the rules, and the rule memory is filled with the matching values for the rules. If a compatible slice with free rule memory is available, the entry is added to that slice; otherwise another slice is programmed for it.
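The allocation behaviour described in this section (compatible entries from different ports share a slice; a full slice spills the next entry into a second slice) can be modelled in a few lines. The following Python is an added example, not Extreme Networks code and not the switch's actual allocator. It assumes a single slice programming made up of the match keywords that appear on this page (the ingress-port, DSCP, TCP-flag and first-fragment conditions are omitted because their policy keywords are not shown here), a rule memory of 128 entries per slice (the figure implied by the 129-entry example), and greedy first-fit placement. The 125 entries the page elides are replaced by generated, clearly constructed ones.

```python
"""Toy model of ACL slice allocation (added example, not Extreme Networks code)."""
import re
from dataclasses import dataclass, field

# Assumption: rule memory per slice, taken from the page's 128-then-overflow example.
SLICE_CAPACITY = 128

# Assumption: the example slice programming from the text, expressed with the
# policy-file keywords that appear on the page. The full list also includes
# ingress port, DSCP, TCP flags and first-fragment; those keywords are left out.
EXAMPLE_PROGRAMMING = frozenset({
    "source-address", "destination-address", "protocol",
    "source-port", "destination-port",
})

# entry NAME { if { cond ; cond ; } then { action ; } }
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\w+)\s*\{\s*if\s*\{(?P<match>.*?)\}\s*then\s*\{(?P<action>.*?)\}\s*\}",
    re.DOTALL,
)


@dataclass(frozen=True)
class Entry:
    name: str
    port: int            # port the policy is applied to; does not affect slice choice
    fields: frozenset    # match-condition keywords, e.g. {"source-address", "protocol"}


def parse_policy(text: str, port: int) -> list:
    """Extract entry names and their match-condition keywords from policy text."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        keywords = frozenset(
            stmt.split()[0] for stmt in m.group("match").split(";") if stmt.strip()
        )
        entries.append(Entry(m.group("name"), port, keywords))
    return entries


@dataclass
class Slice:
    programming: frozenset                    # packet fields this slice can hold
    entries: list = field(default_factory=list)

    def accepts(self, e: Entry, capacity: int) -> bool:
        # Compatible = every match condition is in the slice's field list,
        # and the slice still has a free rule-memory row.
        return e.fields <= self.programming and len(self.entries) < capacity


def allocate(entries, programmings=(EXAMPLE_PROGRAMMING,), capacity=SLICE_CAPACITY):
    """Greedy first-fit: reuse the first compatible slice with room, else open a new one."""
    slices = []
    for e in entries:
        target = next((s for s in slices if s.accepts(e, capacity)), None)
        if target is None:
            prog = next((p for p in programmings if e.fields <= p), None)
            if prog is None:
                raise ValueError(f"{e.name}: no known slice programming covers {sorted(e.fields)}")
            target = Slice(prog)
            slices.append(target)
        target.entries.append(e)
    return slices


def slice_fill(slices) -> list:
    """Number of entries held by each slice, in allocation order."""
    return [len(s.entries) for s in slices]


# The two entries from the page, applied to ports 1 and 2.
EX_A = "entry ex_A { if { source-address 10.10.10.0/24 ; destination-port 23 ; protocol tcp ; } then { deny ; } }"
EX_B = "entry ex_B { if { destination-address 192.168.0.0/16 ; source-port 1000 ; protocol tcp ; } then { deny ; } }"


def two_ports_one_slice() -> list:
    return slice_fill(allocate(parse_policy(EX_A, 1) + parse_policy(EX_B, 2)))


def build_129_entry_policy() -> str:
    """Constructed stand-in for the page's 129-entry policy: entries one, two, three
    and onehundred_twentynine are from the page; the 125 in between are generated."""
    shown = [
        "entry one { if { source-address 10.66.10.0/24 ; destination-port 23 ; protocol tcp ; } then { deny ; } }",
        "entry two { if { destination-address 192.168.0.0/16 ; source-port 1000 ; protocol tcp ; } then { deny ; } }",
        "entry three { if { source-address 10.5.2.246/32 ; destination-address 10.0.1.16/32 ; "
        "protocol udp ; source-port 100 ; destination-port 200 ; } then { deny ; } }",
    ]
    generated = [  # 125 constructed entries, gen_4 .. gen_128
        f"entry gen_{i} {{ if {{ source-address 10.0.{i}.0/24 ; protocol tcp ; }} then {{ deny ; }} }}"
        for i in range(4, 129)
    ]
    last = "entry onehundred_twentynine { if { protocol udp ; destination-port 1714 ; } then { deny ; } }"
    return "\n".join(shown + generated + [last])


def overflow_to_second_slice() -> list:
    return slice_fill(allocate(parse_policy(build_129_entry_policy(), 3)))


if __name__ == "__main__":
    print("ex_A + ex_B:", two_ports_one_slice())        # [2]
    print("129 entries:", overflow_to_second_slice())    # [128, 1]
```

The model deliberately raises an error for an entry whose conditions fall outside every known programming; on a real switch such an entry would instead need a slice programmed with a different field set, which is the subject of Compatible and Conflicting Rules rather than this section.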