Chapter 14 Configuring Access Control Lists on the ML-Series Card

ML-Series ACL Support

Access violations accounting is not supported on the ML-Series card.

ACL logging is supported only for packets going to the CPU, not for switched packets.

IP standard ACLs applied to bridged egress interfaces are not supported in the data-plane. When bridging, ACLs are only supported on ingress.

IP ACLs

The following ACL styles for IP are supported:

Standard IP ACLs: These use source addresses for matching operations.

Extended IP ACLs: (Control plane only) These use source and destination addresses for matching operations and optional protocol type and port numbers for finer granularity of control.

Named ACLs: These use source addresses for matching operations.

Note By default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end. With standard ACLs, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.

After creating an ACL, you must apply it to an interface, as shown in the “Applying the ACL to an Interface” section on page 14-4.

Named IP ACLs

You can identify IP ACLs with a name, but it must be an alphanumeric string. Named IP ACLs allow you to configure more IP ACLs in a router than if you used numbered ACLs. If you identify your ACL with an alphabetic rather than a numeric string, the mode and command syntax are slightly different.

Consider the following before configuring named ACLs:

A standard ACL and an extended ACL cannot have the same name.

Numbered ACLs are also available, as described in the “Creating Numbered Standard and Extended IP ACLs” section on page 14-3.

User Guidelines

Keep the following in mind when you configure IP network access control:

You can program ACL entries into Ternary Content Addressable Memory (TCAM).

You do not have to enter a deny everything statement at the end of your ACL; it is implicit.

You can enter ACL entries in any order without any performance impact.

For every eight TCAM entries, the ML-Series card uses one entry for TCAM management purposes.

Do not set up conditions that result in packets getting lost. This situation can happen when a device or interface is configured to advertise services on a network that has ACLs that deny these packets.

IP ACLs are not supported for double-tagged (QinQ) packets. They will, however, be applied to IP packets entering on a QinQ access port.

Cisco ONS 15310-CL, ONS 15310-MA, and ONS 15310-MA SDH Ethernet Card Software Feature and Configuration Guide, R9.1 and R9.2

14-2

78-19415-01

 

 

Page 168
Image 168
Cisco Systems ONS 15310-CL, Cisco ONS 15310-MA manual Named IP ACLs, User Guidelines, 14-2

ONS 15310-CL, ONS 15310-MA, Cisco ONS 15310-MA specifications

Cisco Systems has long been a leader in networking and telecommunications technology, and among its impressive lineup of products, the Cisco ONS 15310 series stands out as an essential solution for optical networking. This series includes models such as the ONS 15310-MA, ONS 15310-CL, and ONS 15310-CA, each designed to meet the diverse needs of service providers and enterprises seeking to enhance their optical transport networks.

The Cisco ONS 15310-MA is an advanced multi-service platform designed for metropolitan area networks. It facilitates the seamless transport of data, voice, and video over optical networks. One of its main features is its ability to support a variety of interfaces, including Ethernet, SONET/SDH, and Wavelength Division Multiplexing (WDM), allowing users to integrate multiple services into a single platform. Additionally, the ONS 15310-MA supports advanced traffic management and Quality of Service (QoS) features to prioritize critical applications and ensure consistent performance.

The ONS 15310-CL variant is tailored for more specific applications, providing enhanced capabilities aimed at delivering carrier-grade services. It features a robust architecture that accommodates high-capacity traffic without compromising reliability. This model emphasizes low power consumption and a compact design, making it suitable for deployment in space-constrained environments. The ONS 15310-CL also supports a wide range of optical interfaces, making it highly flexible for various network configurations.

In terms of technologies, the Cisco ONS 15310 series leverages Optical Transport Network (OTN) capabilities, providing high efficiency and greater bandwidth utilization. OTN technology enables efficient error correction and adds resilience to the network through its built-in protection mechanisms. Furthermore, the series supports seamless integration with existing IP/MPLS networks, creating a cohesive infrastructure as organizations evolve their networking requirements.

One of the defining characteristics of the ONS 15310 series is its focus on scalability. Network operators can start with a modest deployment and gradually expand capacity as demand grows. This adaptability is complemented by Cisco's comprehensive management and monitoring tools, providing operators with real-time insights into network performance and facilitating proactive management.

In conclusion, the Cisco ONS 15310-MA and ONS 15310-CL models represent sophisticated solutions for modern optical networks. With their versatile features, advanced technologies, and robust design, they empower service providers and enterprises to build resilient, high-capacity networks that meet the demands of today’s data-driven world.