Setting a time range – Brocade Communications Systems Brocade Ethernet Access Switch 6910 User Manual

Brocade 6910 Ethernet Access Switch Configuration Guide

857

53-1002581-01

Access Control Lists

41

The maximum number of rules (Access Control Entries, or ACEs) stated above is the worst case
scenario. In practice, the switch compresses the ACEs in TCAM (a hardware table used to store
ACEs), but the actual maximum number of ACEs possible depends on too many factors to be
precisely determined. It depends on the amount of hardware resources reserved at runtime for this
purpose.

Auto ACE Compression is a software feature that compresses all the ACEs of an ACL so that hardware
resources are used more efficiently. Without compression, each ACE occupies a fixed number of
entries in TCAM. So if one ACL includes 25 ACEs, the ACL needs (25 * n) entries in TCAM, where “n”
is the fixed number of TCAM entries needed for one ACE. When compression is enabled, the software
compresses the ACEs before writing them into TCAM, reducing the number of required TCAM entries.
For example, one ACL may include 128 ACEs which classify a continuous IP address range such as
192.168.1.0~255. If compression is disabled, the ACL occupies (128 * n) entries of TCAM, using up
nearly all of the hardware resources. With compression, the 128 ACEs are compressed into one ACE
classifying the IP address as 192.168.1.0/24, which requires only “n” entries in TCAM. The above
example is an ideal case for compression. The worst case is when no ACE can be compressed, in
which case the number of TCAM entries used is the same as without compression, and processing
the ACEs also takes more time.
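The following is an added example, not code from the Brocade guide, that models the compression described above for ACEs that match a single source address or an explicit address range. It assumes all ACEs in the ACL share the same action and other match fields (otherwise merging them would change what the ACL permits or denies), and the value of “n” is a constructed placeholder.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Fixed number of TCAM entries one ACE occupies; the guide calls this "n".
# The value 2 is a constructed assumption for illustration, not a Brocade figure.
TCAM_ENTRIES_PER_ACE = 2


def compress_aces(host_rules: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Model Auto ACE Compression for ACEs that each match one source IP
    (e.g. '192.168.1.7') or an explicit range ('10.0.0.0-10.0.0.255').

    Adjacent or overlapping address sets are merged into the smallest set of
    CIDR prefixes that matches exactly the same addresses, so the ACL keeps
    its match semantics while occupying fewer TCAM entries.
    """
    nets: List[ipaddress.IPv4Network] = []
    for rule in host_rules:
        if "-" in rule:
            first, last = (ipaddress.IPv4Address(p.strip()) for p in rule.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.IPv4Network(rule))  # a bare host becomes a /32
    return list(ipaddress.collapse_addresses(nets))


def tcam_usage(host_rules: Iterable[str]) -> Tuple[int, int]:
    """Return (TCAM entries without compression, TCAM entries with compression)."""
    rules = list(host_rules)
    uncompressed = len(rules) * TCAM_ENTRIES_PER_ACE
    compressed = len(compress_aces(rules)) * TCAM_ENTRIES_PER_ACE
    return uncompressed, compressed


if __name__ == "__main__":
    # Best case, like the guide's example: a contiguous range collapses to one /24.
    contiguous = [f"192.168.1.{i}" for i in range(256)]
    print(compress_aces(contiguous), tcam_usage(contiguous))
    # Worst case: every other address, so no two ACEs are adjacent and nothing merges.
    sparse = [f"192.168.1.{i}" for i in range(0, 256, 2)]
    print(len(compress_aces(sparse)), tcam_usage(sparse))
```

Comparing the two tuples shows why the worst case uses the same TCAM as an uncompressed ACL, and why grouping permitted hosts into contiguous blocks keeps hardware usage predictable.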

The order in which active ACLs are checked is as follows:

1. User-defined rules in IP and MAC ACLs for ingress ports are checked in parallel.

2. Rules within an ACL are checked in the configured order, from top to bottom.

3. If the result of checking an IP ACL is to permit a packet, but the result of a MAC ACL on the
same packet is to deny it, the packet will be denied (because the decision to deny a packet has
a higher priority for security reasons). A packet will also be denied if the IP ACL denies it and
the MAC ACL accepts it.

Setting a Time Range

Use the Security > ACL (Configure Time Range) page to set a time range during which ACL
functions are applied.

CLI References

“Time Range” on page 102

Command Usage

If both an absolute rule and one or more periodic rules are configured for the same time range (i.e.,
named entry), that entry will only take effect if the current time is within the absolute time range
and one of the periodic time ranges.

Parameters

These parameters are displayed:

Add

Time-Range Name – Name of a time range. (Range: 1-16 characters)

Add Rule

Time-Range – Name of a time range.
