Brocade Communications Systems 6650 Switch User Manual
Brocade ICX 6650 Security Configuration Guide 119
53-1002601-01
Displaying ACL information
Syntax: show access-list hw-usage on | off
Syntax: show access-list access-list-id | all
By default, hardware usage statistics are disabled. To disable hardware usage statistics after it has
been enabled, use the show access-list hw-usage off command.
The access-list-id variable is a valid ACL name or number.
Displaying ACL information
To display the number of entries used by each ACL, enter the following command.
Syntax: show access-list ACL-num | ACL-name | all
The Rule cam use field lists the number of CAM entries used by the ACL or entry. The number of
CAM entries listed for the ACL itself is the total of the CAM entries used by the ACL entries.
For flow-based ACLs, the Total flows and Flows fields list the number of Layer 4 session table flows
in use for the ACL.
The Total packets and Packets fields apply only to flow-based ACLs.
Troubleshooting ACLs
Use the following methods to troubleshoot access control lists (ACLs):
• To display the number of Layer 4 CAM entries being used by each ACL, enter the show access-list ACL-num | ACL-name | all command. Refer to “Displaying ACL information” on page 119.
• To determine whether the issue is specific to fragmentation, remove the Layer 4 information (TCP or UDP application ports) from the ACL, then reapply the ACL.
• If you are using another feature that requires ACLs, either use the same ACL entries for filtering and for the other feature, or change to flow-based ACLs.
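The fragmentation check above, as an added example that is not part of this guide: the script below takes extended ACL entries and produces the diagnostic variant with the TCP/UDP port operators removed, collapsing entries that become identical. The sample entries are constructed in FastIron-style syntax and are assumptions, not output from a switch; the stripped ACL matches more traffic than the original, so it is a test step to be replaced with the original ACL once the fragmentation question is answered.

```python
# Port operators that may follow a source or destination address in an
# extended TCP/UDP ACL entry, and how many operand tokens each one takes.
PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}

# Constructed sample ACL entries (FastIron-style syntax, not from the guide).
SAMPLE_ACL = [
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80",
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 443",
    "access-list 101 permit udp host 10.1.1.5 host 10.2.2.53 range 1024 65535 eq 53",
    "access-list 101 permit icmp any any",
    "access-list 101 deny ip any any",
]


def strip_layer4(entry: str) -> str:
    """Return the entry with TCP/UDP port operators removed.

    Entries for protocols other than tcp/udp are returned unchanged, since
    they carry no application-port information to begin with.
    """
    tokens = entry.split()
    # Expected layout: access-list <id> <permit|deny> <protocol> <src> [op] <dst> [op]
    if len(tokens) < 4 or tokens[3].lower() not in ("tcp", "udp"):
        return entry
    kept = []
    i = 0
    while i < len(tokens):
        op = tokens[i].lower()
        if op in PORT_OPS:
            i += 1 + PORT_OPS[op]  # skip the operator and its operand(s)
            continue
        kept.append(tokens[i])
        i += 1
    return " ".join(kept)


def fragmentation_test_acl(entries):
    """Strip Layer 4 ports from every entry and drop the exact duplicates this
    creates, keeping first-seen order because the first matching entry wins."""
    seen = set()
    result = []
    for entry in entries:
        stripped = strip_layer4(entry)
        if stripped not in seen:
            seen.add(stripped)
            result.append(stripped)
    return result
```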
Policy Based Routing
Policy-Based Routing (PBR) allows you to use ACLs and route maps to selectively modify and route
IP packets in hardware. The ACLs classify the traffic. Route maps that match on the ACLs set
routing attributes for the traffic.
A PBR policy specifies the next hop for traffic that matches the policy. Using standard ACLs with
PBR, you can route IP packets based on their source IP address. With extended ACLs, you can route
IP packets based on all of the clauses in the extended ACL.
Brocade# show ip access-lists
Extended IP access list 100: 1 entry
deny ip any any