ServerIron ADX Security Guide
53-1002440-03
1. The system-max ip-filter-sys value must be set to 4096.
ServerIronADX(config)# system-max ip-filter-sys 4096
2. The ip access-group max-l4-cam parameter must be set to 4096 on the interface to which the ACL
will be applied.
ServerIronADX(config)# interface ethernet 1
ServerIronADX(config-if-e1000-1)# ip access-group max-l4-cam 4096
3. Execute the write memory command to save the running configuration to the startup-config and
reload the ServerIron ADX.
The actual number of ACLs you can configure and store in the startup-config file depends on the
amount of memory available on the device for storing the startup-config. To store 4096 ACLs in the
startup-config file requires at least 250K bytes, which is larger than the space available on a
device’s flash memory module.
You can load ACLs dynamically by saving them in an external configuration file on flash card or TFTP
server, then loading them using one of the following commands.
copy tftp running-config <ip-addr> <filename>
ncopy tftp <ip-addr> <from-name> running-config
In this case, the ACLs are added to the existing configuration.
ACL entries and the Layer 4 CAM
Rule-based ACLs use Layer 4 CAM entries.

Aging out of entries in the Layer 4 CAM

On a ServerIron ADX device, the device permanently programs rule-based ACLs into the CAM. The
entries never age out.

Displaying the number of Layer 4 CAM entries

To display the number of Layer 4 CAM entries used by each ACL, enter the following command.
Syntax: show access-list <acl-num> | <acl-name> | all
The Rule cam use field lists the number of CAM entries used by the ACL or entry. The number of
CAM entries listed for the ACL itself is the total of the CAM entries used by the ACL’s entries.
ServerIronADX(config)# show access-list all
Extended IP access list 100 (Total flows: N/A, Total packets: N/A, Total rule cam use: 3)
permit udp host 192.168.2.169 any (Flows: N/A, Packets: N/A, Rule cam use: 1)
permit icmp any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
deny ip any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
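
The following is an added example, not part of the original guide or of any Brocade tooling: a Python parser for captured `show access-list all` output that checks each ACL's "Total rule cam use" against the sum of its entries and reports remaining headroom. The function names are hypothetical, and comparing the summed usage against the 4096 value from the configuration steps is an assumption of this example.

```python
import re

# Constructed sample: the `show access-list all` output shown above.
SAMPLE = """\
Extended IP access list 100 (Total flows: N/A, Total packets: N/A, Total rule cam use: 3)
permit udp host 192.168.2.169 any (Flows: N/A, Packets: N/A, Rule cam use: 1)
permit icmp any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
deny ip any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
"""

HEADER = re.compile(r"IP access list (\S+) \(.*Total rule cam use: (\d+)\)", re.I)
ENTRY = re.compile(r"^\s*((?:permit|deny)\b.*?) \(.*Rule cam use: (\d+)\)")


def parse_cam_usage(text):
    """Return {acl_id: {"total": int, "entries": [(rule, cam_use), ...]}}."""
    # Terminal captures may wrap long lines; rejoin a line that does not
    # close its parenthesised counter block with the line that follows it.
    lines, pending = [], ""
    for raw in text.splitlines():
        pending = (pending + " " + raw.strip()).strip()
        if pending.count("(") > pending.count(")"):
            continue
        lines.append(pending)
        pending = ""
    acls, current = {}, None
    for line in lines:
        if m := HEADER.search(line):
            current = acls.setdefault(
                m.group(1), {"total": int(m.group(2)), "entries": []})
        elif (m := ENTRY.match(line)) and current is not None:
            current["entries"].append((m.group(1), int(m.group(2))))
    return acls


def audit(acls, max_l4_cam=4096):
    """Flag ACLs whose total differs from the sum of their entries and
    report usage against max_l4_cam (assumed budget, 4096 as configured above)."""
    mismatched = [acl for acl, d in acls.items()
                  if d["total"] != sum(c for _, c in d["entries"])]
    used = sum(c for d in acls.values() for _, c in d["entries"])
    return {"used": used, "free": max_l4_cam - used, "mismatched": mismatched}


if __name__ == "__main__":
    print(audit(parse_cam_usage(SAMPLE)))
```

A non-empty `mismatched` list means the capture was truncated or the parser missed an entry line, so the headroom figure should not be trusted until the output is re-collected.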