BigIron RX Series Configuration Guide
53-1001810-01

• ACL entry – An ACL entry contains the filter commands associated with an ACL ID. These are also called “statements.” The maximum number of ACL entries you can configure is a system-wide parameter and depends on the device you are configuring. You can configure up to the maximum number of entries in any combination in different ACLs. The total number of entries in all ACLs cannot exceed the system maximum.

You configure ACLs on a global basis, then apply them to the incoming traffic on specific ports. You can apply only one ACL to a port’s inbound traffic. The software applies the entries within an ACL in the order they appear in the ACL’s configuration. As soon as a match is found, the software takes the action specified in the ACL entry (for example, permit or deny the packet) and stops further comparison for that packet.

Enabling support for additional ACL statements

You can enable support for additional ACL statements if the device has enough space for a startup-config file that contains the ACLs. Enter the following command at the Global CONFIG level of the CLI.

BigIron RX(config)# system-max ip-filter-sys 5000

Syntax: [no] system-max ip-filter-sys

Enter up to 8000 for . The default is 4000 statements.

You can load ACLs dynamically by saving them in an external configuration file on a flash card or a TFTP server, then loading them using one of the following commands:
• copy slot1 | slot2 running
• ncopy slot1 | slot2 running
• copy tftp running-config
• ncopy tftp running-config

In this case, the ACLs are added to the existing configuration.

ACL-based inbound mirroring

With IronWare Release 02.4.00, the Multi-Service IronWare software supports using an ACL to select traffic for mirroring from one port to another. Using this feature, you can monitor traffic in the mirrored port using a protocol analyzer.

Considerations when configuring ACL-based inbound mirroring

The following must be considered when configuring ACL-based Inbound Mirroring:
• Configuring a Common Destination ACL Mirror Port for All Ports of a PPCR
• Support with ACL CAM Sharing Enabled.
• The mirror and copy-sflow keywords are mutually exclusive on a per-ACL clause basis.
• ACL-based inbound mirroring and port-based inbound mirroring are mutually exclusive on a per-port basis.
• Mirror (analyzer) ports cannot be assigned to the 16x10G module. You can monitor traffic on 16x10 ports.
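
The first-match behaviour described earlier under "ACL entry" (entries are applied in configuration order and comparison stops at the first match), as an added Python example that is not part of the original guide and does not use the device's CLI syntax. The Entry tuples, addresses and function names are constructed for illustration; the example also flags entries that can never match because an earlier entry already covers them.

```python
import ipaddress
from typing import NamedTuple

class Entry(NamedTuple):
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network     # source prefix
    dst: ipaddress.IPv4Network     # destination prefix

def entry(action, src, dst):
    return Entry(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))

def first_match(acl, src_ip, dst_ip):
    """Return (position, action) of the first matching entry, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pos, e in enumerate(acl, start=1):
        if s in e.src and d in e.dst:
            return pos, e.action   # comparison stops at the first match
    return None                    # no entry matched (default action not modelled)

def shadowed(acl):
    """Return (later_pos, earlier_pos, conflicting_action) for entries that
    can never match because an earlier entry covers the same traffic."""
    findings = []
    for i, later in enumerate(acl):
        for j, earlier in enumerate(acl[:i]):
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                findings.append((i + 1, j + 1, later.action != earlier.action))
                break
    return findings

# Constructed sample ACL: entry 2 is meant to block one subnet but sits
# behind a broader permit, so it never takes effect.
SAMPLE_ACL = [
    entry("permit", "10.1.0.0/16", "0.0.0.0/0"),
    entry("deny",   "10.1.5.0/24", "0.0.0.0/0"),
    entry("deny",   "10.2.0.0/16", "192.168.0.0/24"),
    entry("permit", "0.0.0.0/0",   "0.0.0.0/0"),
]
# Same entries with the specific deny moved ahead of the broad permit.
REORDERED_ACL = [SAMPLE_ACL[1], SAMPLE_ACL[0]] + SAMPLE_ACL[2:]

if __name__ == "__main__":
    print(first_match(SAMPLE_ACL, "10.1.5.9", "172.16.0.1"))
    print(first_match(REORDERED_ACL, "10.1.5.9", "172.16.0.1"))
    print(shadowed(SAMPLE_ACL), shadowed(REORDERED_ACL))
```

Running a check like shadowed() over an ACL before loading it catches deny entries that are silently overridden by an earlier, broader permit.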