How To Note
How To | See How Many Hardware Filter Table Entries are in Use
Introduction
This How To Note describes the hardware filter
structure of the x600, x610, x900 Series and
SwitchBlade x908 switches and provides an in-depth
look at the AlliedWare Plus command used to display
hardware filter table entries.
The structure of the hardware filter tables is quite
different in the two series of switches. These differences
are explained, as is the way they show up in the
output of the display commands.
A number of configuration scenarios are considered and
the hardware table usage in each scenario is discussed.
List of terms:
Switch Instance: A single switch chip with its associated ports, internal data interfaces, hardware tables, and packet buffer memory.
Port bit map: An efficient method for the storage of a list of ports. Each port is represented by a single bit in a 32-bit or 64-bit value.
Ping-of-death attack: A type of attack on a computer that involves sending a malformed or otherwise malicious ping to a network device.
DoS: Denial of Service, a generic term for attacks that reduce or stop the operation of a network.
C613-16149-00 REV C
What information will you find in this document?
This How To Note begins with the following information:
- "Related How To Notes"
- "Which products and software version does it apply to?"
Then it describes the configuration, in the following sections:
- "x600 and x610 Hardware Filter Structure"
- "x600 and x610—show platform classifier statistics utilization brief command"
- "x900 and SwitchBlade x908 Hardware Filter Structure"
- "x900 and SwitchBlade x908—show platform classifier statistics utilization brief command"
Related How To Notes
You may also find the following AlliedWare Plus (or AlliedWare) How To Note useful:
- How to Configure Hardware Filters on SwitchBlade x908, x900-12XT/S, and x900-24 Series Switches
  http://www.alliedtelesis.com/media/datasheets/howto/conf-filter_x900_awp_c.pdf
Which products and software version does it apply to?
This How To Note applies to the following Allied Telesis routers and managed Layer 3
switches:
- x600 Series Switches
- x610 Series Switches
- x900 Series Switches
- SwitchBlade x908 Series Switches
- SwitchBlade x8100 Series Switches
It requires AlliedWare Plus™ software version 5.2.1-0.1 and above.
Note:
The show platform classifier statistics utilization brief command was introduced
in software version 5.3.3 and is available in later versions.
Contents
Introduction
  What information will you find in this document?
  Related How To Notes
  Which products and software version does it apply to?
x600 and x610 Hardware Filter Structure
x600 and x610—show platform classifier statistics utilization brief command
  Example 1: No hardware rules
  Example 2: An ACL
  Example 3: A MAC hardware ACL
  Example 4: Web authentication
  Example 5: DoS
  Example 6: VLAN counters
  Example 7: QoS
x900 and SwitchBlade x908 Hardware Filter Structure
x900 and SwitchBlade x908—show platform classifier statistics utilization brief command
  Example 1: No hardware rules
  Example 2: A global ACL configured
  Example 3: An ACL configured and applied to a port
  Example 4: Adding a MAC hardware ACL to the port
  Example 5: QoS
x600 and x610 Hardware Filter Structure
On the x600 Series switches, the entries in the field processor (Broadcom's equivalent of the
Marvell PCL table) are not in one monolithic chunk, but are divided up into slices of 128
entries each. All the slices run in parallel, i.e. when a packet is run through the field processor,
multiple copies of the packet are created, and one copy is taken through each slice
simultaneously. So each packet can potentially match an entry in each slice (but it can only
match one entry per slice). The actions associated with all of the entries that the packet
matched are taken.
On the x610 Series switches, the tables are implemented in the same way as on the x600
Series switches, except that they have twice the storage space available—each slice has 256
entries, rather than 128.
This allows you to put things like Access Control Lists (ACLs), QoS (Quality of Service) and
VLAN counters in different slices, so that they don't interfere with each other.
Note:
If x600 Series and x610 Series switches are connected together in a mixed-mode
stack, the table size is restricted to 128 entries, as on the x600 Series switches.
The switch has a switch chip (instance) for every 24 ports. Each instance has 16 slices. On an
x600 each slice has 128 entries; on an x610 each slice has 256 entries. Because all features
except VLAN counters use double-width rules (which consume 2 slices), the actual number
of slices per instance is in reality only eight. Each of the eight double-width slices has 128
entries on an x600 or 256 entries on an x610.
Note:
The x600 and x610 switch instances are numbered in the reverse way to normal, i.e.
ports1.0.1-1.0.24 are instance 1.1 and ports1.0.25-1.0.48 are instance 1.0.
[Figure: x600 switch instances and slices. Instance 1.1 serves port1.0.1-1.0.24 and instance 1.0 serves port1.0.25-1.0.48. Each switch instance has 16 slices and each slice has 128 entries. The only feature that uses single-width rules is the VLAN counter (although it does consume 2 slices). Most features use a double-width rule, which consumes 2 slices; if double-width rules are used, there are only 8 slices per instance, each with 128 entries. Features which use double-width rules include ACLs, DoS, QoS, and Web Authentication.]
One of the per-instance slices is allocated to ACLs, meaning that they have 128
entries available. However, the System ACLs always consume five entries, leaving 123 for
configurable ACLs. EPSR uses one entry per domain (EPSR can have a maximum of 32
domains, so up to 32 entries), which also comes out of the ACL entry allocation.
When Web Auth, DoS detection, and VLAN counters are configured, they also use one slice
each. The rest of the slices are used by QoS.
[Figure: contents of the ACL slice. 5 entries are always used for ARP and some multicast frames. 0-32 entries are used for EPSR; one EPSR instance consumes 1 entry. 0-123 entries are used for user-defined ACLs; one ACL config consumes 1 entry.]
ACLs that are used globally on the switch, as well as DoS detection, are applied to both
switch instances of the x600-48. If an ACL is only applied to a single port then it is only
applied to the switch instance to which that port belongs.
[Figure: slice allocation on the x600-48. One slice has 128 entries. Instance 1.1 (ports 1 - 24) and instance 1.0 (ports 25 - 48) each have slices for ACL, for Web Auth and for DoS, with the remaining slices for QoS.]
If an ACL is applied to an aggregation that includes ports from both instances, then it will be
written into the tables on both instances.
[Figure: where ACLs are written. An ACL applied to port1.0.1-1.0.24 is applied to switch instance 1.1 only. An ACL applied to port1.0.25-1.0.48 is applied to switch instance 1.0 only. DoS detection, and an ACL applied to an aggregated link or VLAN, are applied to both switch instances.]
If the same ACLs are applied to ports in the same switch instance, the entries are combined
(merged) so that only a single set of those ACLs is written to the switch instance.
This is possible because the ingress port is one of the criteria used to determine whether
a packet matches an entry. In the case of ACLs, the match is on a
port bitmap. If an entry is assigned to multiple ports, they are all selected in the bitmap, and
packets ingressing on any of these ports may match the entry.
[Figure: merging of ACL entries. ACLs 3001, 3002 and 3003 applied to port 1.0.1 (3 entries) and the same ACLs applied to port 1.0.16 (3 entries) are merged, because the ports are in the same instance. Only 3 entries are written to switch instance 1.1 (ports1.0.1-1.0.24).]
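The instance mapping, port bitmap and merge behaviour described above can be modelled to estimate how much of the ACL slice a planned configuration will consume. This is an added example, not Allied Telesis code; the function names are hypothetical, it assumes a 48-port unit with one hardware entry per distinct ACL per instance, and it takes the default-entry counts (6 on x600, 7 on x610) from the command output examples later in this note.

```python
from collections import defaultdict

SLICE_ENTRIES = {"x600": 128, "x610": 256}  # entries in the ACL slice (from the page)
DEFAULT_USED = {"x600": 6, "x610": 7}       # entries in use by default (122 / 249 left)
PORTS_PER_INSTANCE = 24
MAX_EPSR_DOMAINS = 32


def instance_of(port):
    """Map a front-panel port number (1-48) to its switch instance.

    The numbering is reversed: ports 1-24 are instance 1.1, 25-48 are 1.0.
    """
    if not 1 <= port <= 2 * PORTS_PER_INSTANCE:
        raise ValueError(f"port {port} is outside 1-48")
    return "1.1" if port <= PORTS_PER_INSTANCE else "1.0"


def plan_acl_slice(model, attachments, global_acls=(), epsr_domains=0):
    """Estimate ACL-slice usage per instance.

    attachments: iterable of (acl_id, ports) pairs; an aggregation or VLAN
                 is passed as the list of its member ports.
    global_acls: ACL ids applied switch-wide (written to both instances).
    Returns {instance: {"entries": {acl_id: bitmap}, "used", "free", "fits"}}.
    """
    if not 0 <= epsr_domains <= MAX_EPSR_DOMAINS:
        raise ValueError("EPSR supports 0-32 domains")
    # EPSR entries come out of the same ACL allocation, one per domain.
    budget = SLICE_ENTRIES[model] - DEFAULT_USED[model] - epsr_domains
    bitmaps = {"1.1": defaultdict(int), "1.0": defaultdict(int)}
    for acl_id, ports in attachments:
        for port in ports:
            bit = (port - 1) % PORTS_PER_INSTANCE
            # Same ACL on another port of the same instance: set one more
            # bit in the existing entry instead of writing a new entry.
            bitmaps[instance_of(port)][acl_id] |= 1 << bit
    every_port = (1 << PORTS_PER_INSTANCE) - 1
    for acl_id in global_acls:
        for entries in bitmaps.values():
            entries[acl_id] = every_port
    plan = {}
    for inst, entries in bitmaps.items():
        used = len(entries)
        plan[inst] = {"entries": dict(entries), "used": used,
                      "free": budget - used, "fits": used <= budget}
    return plan


if __name__ == "__main__":
    # Constructed input: the merge illustration above plus one ACL on an
    # aggregation that spans both instances (ports 24 and 25).
    demo = plan_acl_slice("x600", [
        (3001, [1, 16]), (3002, [1, 16]), (3003, [1, 16]),
        (3004, [24, 25]),
    ])
    for inst, info in demo.items():
        print(f"instance {inst}: {info['used']} used, {info['free']} free")
        for acl_id, bitmap in info["entries"].items():
            print(f"  ACL {acl_id}: port bitmap 0x{bitmap:06x}")
```
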
x600 and x610—show platform classifier statistics utilization brief command
The following section contains various examples of table output from the command show
platform classifier statistics utilization brief for x600 and x610 Series switches.
Output descriptions
Policy Type     Description
ACL             Utilization of the hardware rule entries for Access-lists
Web Auth        Utilization of the hardware rule entries for Web Authentication
VLAN Counter    Utilization of the hardware rule entries for Denial of Service (DoS) attacks
QoS             Utilization of the hardware rule entries for QoS
The Group ID is a unique internal identifier for the slice. Groups that can be installed on all
switch instances in the system have the bits 0x58 set in the top byte, whereas groups that are
installed on only one switch instance do not. If you convert Group ID 1476395009 (ACL
Group ID) into hex you get 0x58000001, which shows how this works more clearly.
The Group IDs match up with the IDs in the output of the show platform table fieldproc
command.
The VLAN Counter Group-Octet and Group-Packet utilization will always be the same.
Counting both requires two separate entries in different slices, so for each VLAN counter we
add an entry in both slices, one for counting octets and one for counting packets. Web Auth,
DoS, and VLAN Counter are allocated from the QoS slices.
See the following for configuration examples:
- "Example 1: No hardware rules"
- "Example 2: An ACL"
- "Example 3: A MAC hardware ACL"
- "Example 4: Web authentication"
- "Example 5: DoS"
- "Example 6: VLAN counters"
- "Example 7: QoS"
Example 1: No hardware rules
x600
awplus#sh platform classifier statistics utilization brief
[Instance 1.0]
Number of Entries:
Policy Type      Group ID     Used / Total
---------------------------------------------
ACL              1476395009      0 /  122 ( 0%)
Web Auth         1476395010      - /    - ( -%)
DoS              Inactive        0 /    0 ( 0%)
VLAN Counter
 Group-Octet     Inactive        0 /    0 ( 0%)
 Group-Packet    Inactive        0 /    0 ( 0%)
QoS                              0 /  896 ( 0%)
x610
awplus#sh platform classifier statistics utilization brief
[Instance 8]
Number of Entries:
Policy Type      Group ID     Used / Total
---------------------------------------------
ACL              1476395009      0 /  249 ( 0%)
Web Auth         Inactive        0 /    0 ( 0%)
DoS              Inactive        0 /    0 ( 0%)
VLAN Counter
 Group-Octet     Inactive        0 /    0 ( 0%)
 Group-Packet    Inactive        0 /    0 ( 0%)
QoS                              0 / 1792 ( 0%)
Example 2: An ACL
x600: In the x600 there are 6 ACLs in use by default of the total 128 entries, which gives a
total of 122 entries available for ACLs (128-6=122).
x600
awplus(config)#access-list 3001 deny tcp 10.10.10.50 0.0.0.0 any eq 80
awplus(config)#int port1.0.1
awplus(config-if)#ip access-group 3001
awplus#sh platform classifier statistics utilization brief
[Instance 1.0]
Number of Entries:
Policy Type      Group ID     Used / Total
---------------------------------------------
ACL              1476395009      1 /  122 ( 0%)
Web Auth         1476395010      - /    - ( -%)
DoS              Inactive        0 /    0 ( 0%)
VLAN Counter
 Group-Octet     Inactive        0 /    0 ( 0%)
 Group-Packet    Inactive        0 /    0 ( 0%)
QoS                              0 /  896 ( 0%)
The ACL hardware utilization does not change if multiple ports have the same ACL applied.
x600
awplus(config)#int port1.0.2-1.0.24
awplus(config-if)#ip access-group 3001
awplus#sh platform classifier statistics utilization brief
[Instance 1.0]
Number of Entries:
Policy Type      Group ID     Used / Total
---------------------------------------------
ACL              1476395009      1 /  122 ( 0%)
Web Auth         1476395010      - /    - ( -%)
DoS              Inactive        0 /    0 ( 0%)
VLAN Counter
 Group-Octet     Inactive        0 /    0 ( 0%)
 Group-Packet    Inactive        0 /    0 ( 0%)
QoS                              0 /  896 ( 0%)
x610: In the x610 there are 7 ACLs in use by default of the total 256 entries, which gives a
total of 249 entries available for ACLs (256-7=249).
x610
awplus(config)#access-list 3001 deny tcp 10.10.10.50 0.0.0.0 any eq 80
awplus(config)#int port2.0.1
awplus(config-if)#access-group 3001
awplus#sh platform classifier statistics utilization brief
[Instance 8]
Number of Entries:
Policy Type      Group ID     Used / Total
---------------------------------------------
ACL              1476395009      1 /  249 ( 0%)
Web Auth         Inactive        0 /    0 ( 0%)
DoS              Inactive        0 /    0 ( 0%)
VLAN Counter
 Group-Octet     Inactive        0 /    0 ( 0%)
 Group-Packet    Inactive        0 /    0 ( 0%)
QoS                              0 / 1792 ( 0%)
Note:
The ACL utilization will not show until the ACL is applied to a port.
Example 3: A MAC hardware ACL
Adding another ACL will increase the ACL entries used.
x600
awplus(config)#access-list 4001 deny 0000.cd12.3456 0000.0000.0000 any
awplus(config)#int port1.0.1
awplus(config-if)#mac access-group 4001
awplus#sh platform classifier statistics utilization brief
[Instance 1.0]
Number of Entries:
Policy Type      Group ID     Used / Total
---------------------------------------------
ACL              1476395009      2 /  122 ( 1%)
Web Auth         1476395010      - /    - ( -%)
DoS              Inactive        0 /    0 ( 0%)
VLAN Counter
 Group-Octet     Inactive        0 /    0 ( 0%)
 Group-Packet    Inactive        0 /    0 ( 0%)
QoS                              0 /  896 ( 0%)
Example 4: Web authentication
Note:
The interface that auth-web is configured on must be 'up' for the hardware utilization
to be shown.
The maximum utilization if Web Auth is configured is seven; the rest of the slice is reserved
and cannot be used by other modules. The Web Auth feature uses 128 entries from the
QoS allocation. In the table below, the total QoS entries have decreased from 896 to 768.
x600
awplus(config)#aaa authentication auth-web default group radius
awplus(config)#interface port1.0.1
awplus(config-if)#switchport mode access
awplus(config-if)#auth-web enable
awplus#sh platform classifier statistics utilization brief
[Instance 1.0]
Number of Entries:
Policy Type      Group ID     Used / Total
---------------------------------------------
ACL              1476395009      2 /  122 ( 1%)
Web Auth         1476395011      7 /  128 ( 5%)
DoS              Inactive        0 /    0 ( 0%)
VLAN Counter
 Group-Octet     Inactive        0 /    0 ( 0%)
 Group-Packet    Inactive        0 /    0 ( 0%)
QoS                              0 /  768 ( 0%)
Example 5: DoS
When the DoS feature is enabled, 128 free entries are moved from QoS to DoS (leaving
QoS with 640). Each separate DoS parameter configured uses another entry.
x600
awplus(config)#int port1.0.1
awplus(config-if)#dos synflood action shutdown
awplus#sh platform classifier statistics utilization brief
[Instance 1.0]
Number of Entries:
Policy Type      Group ID     Used / Total
---------------------------------------------
ACL              1476395009      2 /  122 ( 1%)
Web Auth         1476395011      7 /  128 ( 5%)
DoS              1476395012      1 /  128 ( 0%)
VLAN Counter
 Group-Octet     Inactive        0 /    0 ( 0%)
 Group-Packet    Inactive        0 /    0 ( 0%)
QoS                              0 /  640 ( 0%)
Now configure protection against ping-of-death attacks, and this will add another entry.
x600
awplus(config)#int port1.0.1
awplus(config-if)#dos synflood action shutdown
awplus(config-if)#dos ping-of-death action shutdown
awplus#sh platform classifier statistics utilization brief
[Instance 1.0]
Number of Entries:
Policy Type      Group ID     Used / Total
---------------------------------------------
ACL              1476395009      2 /  122 ( 1%)
Web Auth         1476395011      7 /  128 ( 5%)
DoS              1476395012      2 /  128 ( 1%)
VLAN Counter
 Group-Octet     Inactive        0 /    0 ( 0%)
 Group-Packet    Inactive        0 /    0 ( 0%)
QoS                              0 /  640 ( 0%)
Example 6: VLAN counters
When the VLAN counter feature is enabled, 128 free entries are moved from QoS (default
896) to VLAN counter (leaving QoS with 768, or 640 if DoS is also configured, or 512 if DoS
and Web Auth are configured).
The VLAN counter Group-Octet and Group-Packet output will show one entry used for
each VLAN that has counters enabled on it.
x600
awplus(config)#int port1.0.1
awplus(config-if)#vlan 1 statistics name test
awplus#sh platform classifier statistics utilization brief
[Instance 1.0]
Number of Entries:
Policy Type      Group ID     Used / Total
---------------------------------------------
ACL              1476395009      2 /  122 ( 1%)
Web Auth         1476395011      7 /  128 ( 5%)
DoS              1476395012      2 /  128 ( 1%)
VLAN Counter
 Group-Octet     1476395014      1 /  128 ( 0%)
 Group-Packet    1476395013      1 /  128 ( 0%)
QoS                              0 /  512 ( 0%)
awplus(config)#int port1.0.2
awplus(config-if)#switchport access vlan 2
awplus(config-if)#vlan 2 statistics name test2
awplus#sh platform classifier statistics utilization brief
[Instance 1.0]
Number of Entries:
Policy Type      Group ID     Used / Total
---------------------------------------------
ACL              1476395009      2 /  122 ( 1%)
Web Auth         1476395011      7 /  128 ( 5%)
DoS              1476395012      2 /  128 ( 1%)
VLAN Counter
 Group-Octet     1476395014      2 /  128 ( 1%)
 Group-Packet    1476395013      2 /  128 ( 1%)
QoS                              0 /  512 ( 0%)
Example 7: QoS
When the QoS feature is enabled, there is one entry per class map (including the default
class) per port that the policy map is assigned to. There are additional entries for each port
(or static aggregator) that QoS is applied to. QoS Group 0 refers to the individual slice
actually used by QoS (since QoS can occupy multiple slices). The next slice used will be
named Group-1 etc.
x600
awplus(config)#mls qos enable
awplus(config)#class-map cmap1
awplus(config-cmap)#match cos 4
awplus(config)#policy-map pmap1
awplus(config-pmap)#class cmap1
awplus(config-pmap-c)#remark new-cos 6
awplus(config)#int port1.0.1
awplus(config-if)#service-policy input pmap1
awplus#sh platform classifier statistics utilization brief
[Instance 1.0]
Number of Entries:
Policy Type      Group ID     Used / Total
---------------------------------------------
ACL              1476395009      2 /  122 ( 1%)
Web Auth         1476395011      7 /  128 ( 5%)
DoS              1476395012      2 /  128 ( 1%)
VLAN Counter
 Group-Octet     1476395014      2 /  128 ( 1%)
 Group-Packet    1476395013      2 /  128 ( 1%)
QoS                              2 /  512 ( 0%)
 Group-0         1               2 /  128 ( 1%)
The QoS Group ID in the example above is 1 for Group-0.
x900 and SwitchBlade x908 Hardware Filter Structure
The switch chip in the x900 Series switches and XEM-12S, XEM-12XT, and XEM-1XP
expansion modules has 2048 rule entries arranged in four banks. Normal ACLs use one
entry. Double width rules, such as the IPv6 ACL, use two entries:
[Figure: x900 switch instances and rule banks. Instance 0 serves port1.0.1-1.0.12 and instance 2 serves port1.0.13-1.0.24. The 2048 rule entries of an instance are arranged in 4 banks (entries 0-511, 512-1023, 1024-1535 and 1536-2047). A single-width rule uses 1 entry; a double-width rule (IPv6 ACL, MLD snooping) uses 2 entries.]
The switch chip in the XEM-2XS, XEM-2XT, XEM-2XP, XEM-12Sv2, XEM-12Tv2, and XEM-24T expansion modules has 8168 rules arranged in a single bank.
Normal ACLs use one entry, and IPv6 ACLs use 2 entries.
The maximum number of rules that you can configure is as follows:
Table 1:
SET OF PORTS                       ROUTING RATIO:
                                   IPv4 only    IPv4 and IPv6
XEM-12S, XEM-12T, XEM-1XP,
Ports 1-12 or 13-24 of x900        2047         1023
XEM-2XT, XEM-2XP, XEM-2XS,
XEM-12Tv2, XEM-12Sv2, XEM-24T      8168         4084
In the above table, "ROUTING RATIO" is a setting that either enforces single-entry ACLs
only (IPv4 only mode) or allows single- and double-entry ACLs (IPv4 and IPv6 mode). The
routing ratio is configured by the following commands:
platform routingratio IPv4only
platform routingratio IPv4andV6
If the ACLs are only applied to ports that are contained within a single switch chip, then it is
possible to separately configure the maximum number of ACLs on each switch chip in the
switch.
Example
If a SwitchBlade x908 is configured with IPv4 only routing ratio, and contains two XEM-12T,
a XEM-24T and a XEM-2XS, then the maximum number of ACLs that can be configured on
the switch is as follows:
Two XEM-12T = 2 x 2047
One XEM-24T = 8168
One XEM-2XS = 8168
TOTAL = 20430 ACLs
Limitation when using global ACLs
If global ACLs are configured, and per-port ACLs are configured, then a copy of the full set of
global ACLs is appended to each set of ACLs that are attached to a given port. This is
because all the ACLs that can apply to a given port must be present all together in a block.
[Figure: copying of global ACLs. 3 global ACL entries exist. Add 1 rule to port1.0.1: 3 global entries are also copied. Add 1 rule to port1.0.2: 3 global entries are also copied.]
Once global ACLs are configured, the total number of ACLs that the switch can accommodate
can alter. The exact number of ACLs that the switch can accommodate when there is a
mixture of global and per-port ACLs is not a fixed number; it always depends on the relative
proportions of per-port and global ACLs in the configuration, and on the number of separate
ports that have per-port ACLs applied to them.
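The copy rule above can be turned into a small capacity estimate. This is an added example, not Allied Telesis code; the function names and the width parameter are hypothetical, it counts every port with per-port ACLs as its own block (the note does not say whether identical per-port sets are merged on the x900), and it uses the 2048-entry total shown in the command output for the IPv4 routing ratio.

```python
# Port number N of port1.0.N -> switch instance, as in the x900 figure above.
X900_INSTANCES = {"0": range(1, 13), "2": range(13, 25)}


def pce_usage(global_acls, port_acls, width=None, capacity=2048):
    """Estimate rule entries per instance for global plus per-port ACLs.

    global_acls: list of global ACL ids.
    port_acls:   {port_number: [acl ids attached to that port]}.
    width:       optional {acl_id: 2} for double-width rules (e.g. IPv6 ACLs);
                 anything not listed is treated as single-width.
    Returns {instance: {"Global ACL", "ACL", "Total", "fits"}}.
    """
    width = width or {}
    for port in port_acls:
        if not 1 <= port <= 24:
            raise ValueError(f"port {port} is outside 1-24")

    def cost(acl_id):
        return width.get(acl_id, 1)

    global_cost = sum(cost(a) for a in global_acls)
    report = {}
    for inst, ports in X900_INSTANCES.items():
        # One block per port that carries its own ACLs.
        blocks = [acls for port, acls in port_acls.items()
                  if port in ports and acls]
        # The original global set, plus one full copy appended to each block.
        global_entries = global_cost * (1 + len(blocks))
        acl_entries = sum(cost(a) for acls in blocks for a in acls)
        total = global_entries + acl_entries
        report[inst] = {"Global ACL": global_entries, "ACL": acl_entries,
                        "Total": total, "fits": total <= capacity}
    return report


def max_global_acls(ports_with_acls, rules_per_port, capacity=2048):
    """Largest number of single-width global ACLs that still fits when
    `ports_with_acls` ports of one instance each carry `rules_per_port` rules."""
    remaining = capacity - ports_with_acls * rules_per_port
    return max(remaining // (ports_with_acls + 1), 0)


if __name__ == "__main__":
    # The illustration above: 3 global ACLs, 1 rule each on port1.0.1 and
    # port1.0.2 (constructed ACL names).
    usage = pce_usage(["g1", "g2", "g3"], {1: ["a"], 2: ["b"]})
    for inst, row in usage.items():
        print(inst, row)
    # Headroom for globals when all 12 ports of an instance carry 100 rules.
    print(max_global_acls(12, 100))
```
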
x900 and SwitchBlade x908—show platform classifier statistics utilization brief command
The following section contains various examples of table output from the command show
platform classifier statistics utilization brief for the x900 Series and SwitchBlade x908
switches.
The table output is in two sections:
- one shows the rule entry usage
- the other shows the profile table usage
The profile table shows the number of bytes that need to be examined in each type of
packet in order to cover all the match criteria in all the configured rules. There are different
profile tables for different types of packet: TCP, UDP, fragmented IP, unfragmented IP
packets that are neither UDP nor TCP, IPv6 packets, and packets that are neither IPv4 nor IPv6.
Once the number of different bytes being examined in any given packet type reaches 16, no
new ACLs can be added that would match on any other bytes in that packet type.
See the following for configuration examples:
- "Example 1: No hardware rules"
- "Example 2: A global ACL configured"
- "Example 3: An ACL configured and applied to a port"
- "Example 4: Adding a MAC hardware ACL to the port"
- "Example 5: QoS"
Note:
The following output examples show total entries using routing ratio IPv4 (i.e. 2048).
Example 1: No hardware rules
x900/SBx908
awplus#sh platform classifier statistics utilization brief
[Instance 0]
[ port1.0.1-1.0.12]
Number of PCE Entries:
              Used / Total
-------------------------------
Global ACL       0
ACL              0
QoS              0
Total            0 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    0000000000000000    0 / 16
UDP (IPv4)    0000000000000000    0 / 16
IPv4 fragment 0000000000000000    0 / 16
IPv4 other    0000000000000000    0 / 16
Ethernet      0000000000000000    0 / 16
IPv6          0000000000000000    0 / 16
[Instance 2]
[port1.0.13-1.0.24]
Number of PCE Entries:
              Used / Total
-------------------------------
Global ACL       0
ACL              0
QoS              0
Total            0 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    0000000000000000    0 / 16
UDP (IPv4)    0000000000000000    0 / 16
IPv4 fragment 0000000000000000    0 / 16
IPv4 other    0000000000000000    0 / 16
Ethernet      0000000000000000    0 / 16
IPv6          0000000000000000    0 / 16
Example 2: A global ACL configured
The global ACL shows one entry used for each global ACL applied.
x900/SBx908
awplus(config)#access-list 3002 deny ip 10.10.10.5/24 any
awplus(config)#ip access-group 3002
awplus#sh platform classifier statistics utilization brief
[Instance 0]
[ port1.0.1-1.0.12]
Number of PCE Entries:
              Used / Total
-------------------------------
Global ACL       1
ACL              0
QoS              0
Total            1 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    2220000000000000    3 / 16
UDP (IPv4)    2220000000000000    3 / 16
IPv4 fragment 2220000000000000    3 / 16
IPv4 other    2220000000000000    3 / 16
Ethernet      0000000000000000    0 / 16
IPv6          0000000000000000    0 / 16
The profile is showing that this ACL would match three bytes (the first three bytes of the
source IP address) in any type of IPv4 packet.
x900/SBx908
[Instance 2]
[port1.0.13-1.0.24]
Number of PCE Entries:
              Used / Total
-------------------------------
Global ACL       1
ACL              0
QoS              0
Total            1 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    2220000000000000    3 / 16
UDP (IPv4)    2220000000000000    3 / 16
IPv4 fragment 2220000000000000    3 / 16
IPv4 other    2220000000000000    3 / 16
Ethernet      0000000000000000    0 / 16
IPv6          0000000000000000    0 / 16
Example 3: An ACL configured and applied to a port
There will be two entries used up by global ACLs on instance 0 - the original global ACL, and
the copy that is added in after the access group configured on port1.0.1.
x900/SBx908
awplus(config)#access-list 3001 deny tcp 10.10.10.50 0.0.0.0 any eq 80
awplus(config)#int port1.0.1
awplus(config-if)#ip access-group 3001
awplus#sh platform classifier statistics utilization brief
[Instance 0]
[ port1.0.1-1.0.12]
Number of PCE Entries:
              Used / Total
-------------------------------
Global ACL       2
ACL              1
QoS              0
Total            3 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    2222233000000000    7 / 16
UDP (IPv4)    2220000000000000    3 / 16
IPv4 fragment 2222233000000000    7 / 16
IPv4 other    2220000000000000    3 / 16
Ethernet      0000000000000000    0 / 16
IPv6          0000000000000000    0 / 16
The profile is showing that this new filter has added four more bytes to the number that
would be matched on TCP and fragment IP packets. This will be two bytes for IP protocol
type (TCP) and two bytes for destination TCP port number. Note that nothing changed in
the tables on instance 2, as the filter was only applied to a port in instance 0.
x900/SBx908
[Instance 2]
[port1.0.13-1.0.24]
Number of PCE Entries:
              Used / Total
-------------------------------
Global ACL       1
ACL              0
QoS              0
Total            1 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    2220000000000000    3 / 16
UDP (IPv4)    2220000000000000    3 / 16
IPv4 fragment 2220000000000000    3 / 16
IPv4 other    2220000000000000    3 / 16
Ethernet      0000000000000000    0 / 16
IPv6          0000000000000000    0 / 16
Example 4: Adding a MAC hardware ACL to the port
x900/SBx908
awplus(config)#access-list 4001 deny 0000.cd12.3456 0000.0000.0000 any
awplus(config)#int port1.0.1
awplus(config-if)#mac access-group 4001
[Instance 0]
[ port1.0.1-1.0.12]
Number of PCE Entries:
              Used / Total
-------------------------------
Global ACL       2
ACL              2
QoS              0
Total            4 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    1111112222233000   13 / 16
UDP (IPv4)    1111112220000000    9 / 16
IPv4 fragment 1111112222233000   13 / 16
IPv4 other    1111112220000000    9 / 16
Ethernet      1111110000000000    6 / 16
IPv6          1111110000000000    6 / 16
The profile is showing that this new filter has added six bytes to the number that would be
matched on the MAC address.
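The profile rows can be decoded mechanically to see which packet types are close to the 16-byte limit before a further filter or policy map is attached. This is an added example, not Allied Telesis code; the function names are hypothetical, and the embedded sample is the instance 0 output from this example, laid out with the column spacing assumed here.

```python
import re

# Constructed sample: Example 4, instance 0, as shown above.
SAMPLE = """\
[Instance 0]
[ port1.0.1-1.0.12]
Number of PCE Entries:
              Used / Total
-------------------------------
Global ACL       2
ACL              2
QoS              0
Total            4 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    1111112222233000   13 / 16
UDP (IPv4)    1111112220000000    9 / 16
IPv4 fragment 1111112222233000   13 / 16
IPv4 other    1111112220000000    9 / 16
Ethernet      1111110000000000    6 / 16
IPv6          1111110000000000    6 / 16
"""

INSTANCE_RE = re.compile(r"^\[Instance\s+(\S+)\]")
TOTAL_RE = re.compile(r"^Total\s+(\d+)\s*/\s*(\d+)")
PROFILE_RE = re.compile(r"^(.+?)\s+([0-9]{16})\s+(\d+)\s*/\s*(\d+)\s*$")
OFFSET_NAMES = {"1": "ether", "2": "ip", "3": "tcp_udp"}  # from the legend line


def decode_offsets(offsets):
    """Count matched bytes per offset type in a 16-digit profile string."""
    counts = {name: 0 for name in OFFSET_NAMES.values()}
    for digit in offsets:
        if digit == "0":          # unused byte position
            continue
        if digit not in OFFSET_NAMES:
            raise ValueError(f"unknown offset type {digit!r}")
        counts[OFFSET_NAMES[digit]] += 1
    return counts


def parse_utilization(text):
    """Parse the x900 command output into {instance: {entries, profiles}}."""
    instances, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = INSTANCE_RE.match(line)
        if m:
            current = instances.setdefault(
                m.group(1), {"entries": None, "profiles": {}})
            continue
        if current is None:
            continue
        m = TOTAL_RE.match(line)
        if m:
            current["entries"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = PROFILE_RE.match(line)
        if m:
            name, offsets = m.group(1), m.group(2)
            used, total = int(m.group(3)), int(m.group(4))
            counts = decode_offsets(offsets)
            # Cross-check: non-zero positions must equal the Used column.
            if sum(counts.values()) != used:
                raise ValueError(f"{name}: profile string disagrees with Used")
            current["profiles"][name] = {
                **counts, "used": used, "total": total, "free": total - used}
    return instances


def near_limit(instances, max_free=3):
    """List (instance, packet type, free bytes) with at most max_free left."""
    return [(inst, name, row["free"])
            for inst, data in instances.items()
            for name, row in data["profiles"].items()
            if row["free"] <= max_free]


if __name__ == "__main__":
    parsed = parse_utilization(SAMPLE)
    for inst, name, free in near_limit(parsed):
        print(f"instance {inst}: {name} has {free} of 16 profile bytes left")
```
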
x900/SBx908
[Instance 2]
[port1.0.13-1.0.24]
Number of PCE Entries:
              Used / Total
-------------------------------
Global ACL       1
ACL              0
QoS              0
Total            1 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    2220000000000000    3 / 16
UDP (IPv4)    2220000000000000    3 / 16
IPv4 fragment 2220000000000000    3 / 16
IPv4 other    2220000000000000    3 / 16
Ethernet      0000000000000000    0 / 16
IPv6          0000000000000000    0 / 16
Example 5: QoS
Note:
Before commencing this example, the previous four configurations were not removed.
Each class-map (including the default class-map) configured in the policy-map uses one
hardware table entry, so the QoS entries show as 2 when applied to one port.
x900/SBx908
awplus(config)#mls qos enable
awplus(config)#class-map cmap1
awplus(config-cmap)#match cos 4
awplus(config)#policy-map pmap1
awplus(config-pmap)#class cmap1
awplus(config-pmap-c)#set cos 6
awplus(config)#int port1.0.1
awplus(config-if)#service-policy input pmap1
% Insufficient space in the hardware packet classifier tables. Either
the total number of rules has reached the limit or the number of bytes
to match exceeds limit of 16 bytes.
% Fail to attach class-map to interface port1.0.1
There is not enough space to add the policy map pmap1 to this port, so we will remove the
MAC access-list 4001 from port1.0.1 first.
x900/SBx908
awplus(config-if)#no mac access-group 4001
awplus#sh platform classifier statistics utilization brief
[Instance 0]
[ port1.0.1-1.0.12]
Number of PCE Entries:
                Used / Total
-------------------------------
Global ACL         2
ACL                1
QoS                0
Total              3 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    2222233000000000  7 / 16
UDP (IPv4)    2220000000000000  3 / 16
IPv4 fragment 2222233000000000  7 / 16
IPv4 other    2220000000000000  3 / 16
Ethernet      0000000000000000  0 / 16
IPv6          0000000000000000  0 / 16
[Instance 2]
[port1.0.13-1.0.24]
Number of PCE Entries:
                Used / Total
-------------------------------
Global ACL         1
ACL                0
QoS                0
Total              1 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    2220000000000000  3 / 16
UDP (IPv4)    2220000000000000  3 / 16
IPv4 fragment 2220000000000000  3 / 16
IPv4 other    2220000000000000  3 / 16
Ethernet      0000000000000000  0 / 16
IPv6          0000000000000000  0 / 16
Now we add the policy map pmap1 to port1.0.1:
[Instance 0]
[ port1.0.1-1.0.12]
Number of PCE Entries:
                Used / Total
-------------------------------
Global ACL         2
ACL                1
QoS                2
Total              5 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    1112222233000000 10 / 16
UDP (IPv4)    1112220000000000  6 / 16
IPv4 fragment 1112222233000000 10 / 16
IPv4 other    1112220000000000  6 / 16
Ethernet      1110000000000000  3 / 16
IPv6          1110000000000000  3 / 16
The profile needs to check the ethertype, to make sure the frame has an 802.1Q header, as well
as checking the priority. The ethertype plus the priority is over two bytes in length, so three
bytes are needed. This is why the first three bytes in the table now show as 1s.
The same policy applied to a second port in the same switch instance will use another two
QoS entries, but make no change to profile usage.
x900/SBx908
awplus(config)#int port1.0.4
awplus(config-if)#service-policy input pmap1
awplus#sh platform classifier statistics utilization brief
[Instance 0]
[ port1.0.1-1.0.12]
Number of PCE Entries:
                Used / Total
-------------------------------
Global ACL         3
ACL                1
QoS                4
Total              8 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    1112222233000000 10 / 16
UDP (IPv4)    1112220000000000  6 / 16
IPv4 fragment 1112222233000000 10 / 16
IPv4 other    1112220000000000  6 / 16
Ethernet      1110000000000000  3 / 16
IPv6          1110000000000000  3 / 16
[Instance 2]
[port1.0.13-1.0.24]
Number of PCE Entries:
                Used / Total
-------------------------------
Global ACL         1
ACL                0
QoS                0
Total              1 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    2220000000000000  3 / 16
UDP (IPv4)    2220000000000000  3 / 16
IPv4 fragment 2220000000000000  3 / 16
IPv4 other    2220000000000000  3 / 16
Ethernet      0000000000000000  0 / 16
IPv6          0000000000000000  0 / 16
Also applying the same policy to a port in the second switch instance (port1.0.24) will
consume another.
x900/SBx908
awplus(config)#int port1.0.24
awplus(config-if)#service-policy input pmap1
awplus#sh platform classifier statistics utilization brief
[Instance 0]
[ port1.0.1-1.0.12]
Number of PCE Entries:
                Used / Total
-------------------------------
Global ACL         3
ACL                1
QoS                4
Total              8 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    1112222233000000 10 / 16
UDP (IPv4)    1112220000000000  6 / 16
IPv4 fragment 1112222233000000 10 / 16
IPv4 other    1112220000000000  6 / 16
Ethernet      1110000000000000  3 / 16
IPv6          1110000000000000  3 / 16
[Instance 2]
[port1.0.13-1.0.24]
Number of PCE Entries:
                Used / Total
-------------------------------
Global ACL         2
ACL                0
QoS                2
Total              4 / 2048 ( 0%)
Profiles:
Legend of Offset Type) 1:Ether 2:IP 3:TCP/UDP
Packet Type   Offset Type      Used / Total
------------- 0------8------15 -----------
TCP (IPv4)    1112220000000000  6 / 16
UDP (IPv4)    1112220000000000  6 / 16
IPv4 fragment 1112220000000000  6 / 16
IPv4 other    1112220000000000  6 / 16
Ethernet      1110000000000000  3 / 16
IPv6          1110000000000000  3 / 16
© 2012 Allied Telesis, Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners.