Aruba Certified Switching Professional: Official Certification Study Guide (HPE6-A45) by Allerd Miriam

Author: Allerd, Miriam
Language: eng
Format: epub
ISBN: 9781942741824
Publisher: HPE Press
Published: 2018-03-15T00:00:00+00:00


ACL grouping

When you apply an ACL to an interface, the rules on the ACL take up space in the switch’s ternary content-addressable memory (TCAM). The TCAM is a type of hardware memory. By processing traffic in the hardware, the switch can apply ACLs without slowing the traffic down. The TCAM has a limited size, so it can be beneficial to limit the space consumed by ACL rules in the TCAM.

Figure 9-24  ACL grouping

The number of ACL rules supported in the switch memory depends on the switch model, and the number of rules used by an ACL might not correspond precisely with the number of entries that are configured in the ACL. The number also depends on how you apply the ACL (as a RACL, VACL, or PACL). The best way to see how many ACL rules your switch is currently using and how many remain available is to use the following command:

Switch# show access-list resources

Sometimes you want to apply the same ACL to multiple interfaces. When you apply an ACL as a RACL on multiple VLAN interfaces, the switch is able to store the rules in that ACL in the memory just once. For example, an ACL named FromGuests might use up 18 rules when you apply it as an inbound RACL on VLAN 99. If you also applied this same ACL as an inbound RACL on VLAN 98, the ACL would continue to consume 18 rules. In fact, you could even apply the same ACL as an outbound RACL on a VLAN interface, and the ACL would continue to use only 18 rules.

However, AOS-Switches, by default, must store the rules for each VACL and PACL applied to an interface separately. For example, you apply the FromGuests ACL as a VACL to VLAN 99, and the ACL takes up the space for 16 rules. You then apply the FromGuests ACL as a VACL to VLAN 98, and the ACL takes up another 16 spaces. If you apply the same ACL to physical interfaces, the ACL continues to consume 16 spaces for each interface to which you apply it.

You can use the ACL grouping feature on an AOS-Switch to enable the switch to store the VACL and PACL rules more efficiently. This feature is disabled by default. Enable it with this command:

Switch(config)# access-list grouping

Enabling the feature requires the switch to reboot. After the switch reboots, you can begin using the ACL grouping feature. Simply add shared at the end of the typical command that you use to apply the ACL to an interface. The ACL in question can be any type of ACL, including IP standard, IP extended, MAC standard, and MAC extended. However, you cannot use the shared option for an IP ACL applied as a RACL (in or out option on a VLAN interface); as you learned, the switch already stores the rules for RACLs in a shared manner. You can use the shared option for MAC ACLs applied to VLAN interfaces with the in and out options because these are VACLs.
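The following audit sketch is an added example, not taken from the book: it scans a configuration for IP ACLs applied as VACLs or PACLs to more than one interface without the shared option, which are the cases where each application stores its own copy of the rules. The sample configuration is constructed and modeled on AOS-Switch syntax, the ACL name Mgmt is hypothetical, and the parser assumes each ip access-group line sits under a vlan or interface context.

```python
import re
from collections import defaultdict
# Constructed sample modeled on AOS-Switch config syntax (not from the book).
SAMPLE_CONFIG = '''\
vlan 98
   ip access-group "FromGuests" vlan-in
   exit
vlan 99
   ip access-group "FromGuests" vlan-in
   ip access-group "FromGuests" in
   exit
vlan 100
   ip access-group "FromGuests" in
   exit
interface 1
   ip access-group "Mgmt" in shared
   exit
interface 2
   ip access-group "Mgmt" in shared
   exit
'''

APPLY = re.compile(r'ip access-group "?([^"\s]+)"? (in|out|vlan-in|vlan-out)( shared)?$')

def classify(context, direction):
    """RACL = in/out on a VLAN; VACL = vlan-in/vlan-out; PACL = in/out on a port."""
    if context == "interface":
        return "PACL"
    return "VACL" if direction.startswith("vlan-") else "RACL"

def parse_applications(config):
    """Yield (acl, kind, interface, shared) for each ip access-group line."""
    context = ident = None
    for line in config.splitlines():
        head = re.match(r"(vlan|interface) (\S+)$", line)
        if head:
            context, ident = head.groups()
            continue
        m = APPLY.match(line.strip())
        if m and context:
            yield m.group(1), classify(context, m.group(2)), f"{context} {ident}", bool(m.group(3))

def unshared_duplicates(config):
    """ACLs applied as VACL/PACL to 2+ interfaces without 'shared' (RACLs are skipped)."""
    seen = defaultdict(list)
    for acl, kind, where, shared in parse_applications(config):
        if kind != "RACL" and not shared:
            seen[(acl, kind)].append(where)
    return {key: places for key, places in seen.items() if len(places) > 1}
```

On the sample, only the FromGuests VACL on VLANs 98 and 99 is reported; the RACL applications and the PACLs already applied with shared are not.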


