After a traffic policy is configured on an S series switch, two more ACL rules are occupied according to the display acl resource command output. Why?


An S series switch handles packets sent to the CPU for processing and packets used for inter-board communication. To prevent these packets from being affected by the traffic policy, the switch delivers two ACL rules before delivering the traffic policy. These two reserved rules are the additional rules shown as occupied in the display acl resource command output.

Other related questions:
Why are the statistics in the display acl command output 0 after a traffic policy that references an ACL rule and enables traffic statistics is applied and traffic matches the ACL rule?
The display acl command displays statistics on traffic sent to the control plane. The traffic statistics collection function in traffic policies collects statistics on traffic on the forwarding plane; statistics on traffic sent to the control plane are not collected. Therefore, after a traffic policy that references an ACL rule and enables traffic statistics is applied and traffic matches the ACL rule, the statistics in the display acl command output remain 0. Run the display traffic-policy statistics command to view statistics on traffic matching a traffic policy applied to an interface.
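The following configuration is an added example to illustrate the two answers above; it is not taken from the page or from Huawei documentation. The ACL number, the classifier, behavior and policy names, the interface and the address range are assumed values, and exact syntax can differ by model and software version.

```text
# Constructed example: an advanced ACL referenced by a traffic policy
# with forwarding-plane statistics enabled.
system-view
 acl number 3000
# assumed ACL number and source range
  rule 5 permit ip source 10.1.1.0 0.0.0.255
 quit
 traffic classifier C_ACL3000
# assumed classifier name
  if-match acl 3000
 quit
 traffic behavior B_COUNT
# assumed behavior name; statistic enable counts forwarding-plane matches
  statistic enable
 quit
 traffic policy P_ACL
# assumed policy name
  classifier C_ACL3000 behavior B_COUNT
 quit
 interface GigabitEthernet0/0/1
# assumed interface
  traffic-policy P_ACL inbound
 quit

# Checks once matching traffic has entered GigabitEthernet0/0/1:
display acl 3000
# The per-rule match counter stays 0: it only counts packets sent to the
# control plane (CPU), not forwarding-plane traffic.
display traffic-policy statistics interface GigabitEthernet0/0/1 inbound
# Forwarding-plane packet and byte counters for classifier C_ACL3000 increase.
display acl resource
# Shows the two rules the switch reserved for CPU-bound and inter-board packets
# in addition to the rule(s) consumed by the traffic policy itself.
```

Use the display traffic-policy statistics output, not the display acl counters, to confirm that a filtering or rate-limiting policy is actually matching data-plane traffic.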

Do S series switches support an ACL-based simplified traffic policy?
On S series switches (except the S1700), the traffic-filter command filters packets through an ACL-based simplified traffic policy. S series modular switches have supported ACL-based simplified traffic policies since V200R005.

Mechanism for ACL rules on S series switches to take effect
ACL rules on S series switches take effect in one of two modes. In the first mode, an ACL is bound to a traffic policy and delivered to the hardware of the LPU. In the second mode, the ACL is processed in software, for example an ACL that prevents users from logging in through Telnet: after packets are sent to the CPU, they are processed in the order specified during the configuration of the ACL. Rules in an ACL can be matched according to the depth-first principle or in configuration order.

ACL configuration on S series switch
An ACL filters packets based on rules. A switch with an ACL configured matches packets against the rules to identify packets of a certain type, and then forwards or discards these packets according to the policies of the service module to which the ACL is applied. S series switches support basic ACLs (2000-2999), advanced ACLs (3000-3999), Layer 2 ACLs (4000-4999), user-defined ACLs (5000-5999), user ACLs (6000-9999), basic ACL6s (2000-2999), and advanced ACL6s (3000-3999). For more information about the ACL feature supported by S series switches (except the S1700), see the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Common Operation Guide or the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.
