Administrator Guide

644 Access Control Lists
Additional match criteria may be configured by the administrator if desired.
Since a route-map is configured in the context of a routing VLAN, a VLAN
tag is automatically added to the match criteria without the need for the
administrator to specify the VLAN ID.
Route-Map Processing
An incoming packet is matched against the criteria in the 'match' terms
specified in each route-map in the policy. The 'match' terms (clauses) must
refer to one or more MAC or IPv4 addresses or a packet length. Multiple
MAC or IPv4 match terms are allowed in a route-map, each consisting of a list
of ACLs.
Conceptually, ACL processing proceeds by attempting to match each of the
ACLs listed in the first match clause, in order. If an ACL does not match,
processing moves to the next ACL, in order, until an ACL matches or the
ACL list is exhausted. If there are more match terms in the route-map,
processing proceeds with the next match term, in order. In reality, all ACL
matches are attempted in parallel at once, and the priority of the ACL is used
to implement the conceptual match process.
An ACL that is used in a 'match' term itself has one or more permit and/or
deny rules. The incoming packet is matched sequentially against the permit
rules in each ACL in the match list, in order, and a permit/deny decision is
reached. If a permit rule in an ACL in the list matches, the ACL match term
criteria are met and no further match processing takes place in the route-map.
If none of the permit rules in an ACL matches, the packet match is
attempted against the next ACL in the route-map match list. Deny ACLs are
optimized out of both permit and deny route-maps and are not processed.
Once a match has occurred:
For a permit route-map, if the decision reached in the above step is permit,
then PBR executes the action specified in the 'set' term(s) of the route-map
statement. The counter for the route-map is incremented for each
matching packet.
For a permit route-map, if the decision reached in the above step is deny,
then PBR does not apply any action that is specified in 'set' term(s) in the
route-map statement. In this situation, the counter for this match
statement is not incremented. The processing logic terminates, and the
packet goes through the standard destination-based routing logic.
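The match process described above, modeled for a permit route-map as an added example (not code from this guide or from the switch firmware). It compares the conceptual in-order walk with the parallel, priority-based evaluation. Assumptions: rules match on an IPv4 source prefix only, a "deny ACL" is one with only deny rules, a deny rule that hits first yields the deny decision, a packet that matches nothing is routed normally, and all names and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str   # "permit" or "deny"
    src: str      # IPv4 source prefix (constructed match criterion)
    def hits(self, pkt_src):
        return ip_address(pkt_src) in ip_network(self.src)

@dataclass
class RouteMap:          # models a permit route-map only, the case the text covers
    match_terms: list    # ordered match terms; each is an ordered list of ACLs (lists of Rule)
    next_hop: str        # stands in for the 'set' term action
    counter: int = 0

def is_deny_acl(acl):
    # Assumption: a deny ACL is one whose rules are all deny rules.
    return all(r.action == "deny" for r in acl)

def live_rules(rmap):
    """Rules in conceptual order, with deny ACLs optimized out."""
    return [r for term in rmap.match_terms for acl in term
            if not is_deny_acl(acl) for r in acl]

def decide(rmap, pkt_src):
    """Sequential walk: the first rule that hits ends match processing."""
    for rule in live_rules(rmap):
        if rule.hits(pkt_src):
            return rule.action
    return None          # no ACL matched

def decide_by_priority(rmap, pkt_src):
    """Test every rule 'at once', then let the lowest priority number win."""
    hits = [(prio, r.action) for prio, r in enumerate(live_rules(rmap)) if r.hits(pkt_src)]
    return min(hits)[1] if hits else None

def forward(rmap, pkt_src):
    if decide(rmap, pkt_src) == "permit":
        rmap.counter += 1                      # counted only when the set action is applied
        return ("policy-routed", rmap.next_hop)
    return ("destination-routed", None)        # deny decision, or (assumed) no match

def sample_route_map():
    acl_a = [Rule("deny", "10.1.9.0/24"), Rule("permit", "10.1.0.0/16")]
    acl_b = [Rule("deny", "10.2.0.0/16")]      # deny ACL: never processed
    acl_c = [Rule("permit", "10.2.0.0/16")]
    return RouteMap(match_terms=[[acl_a, acl_b], [acl_c]], next_hop="192.0.2.1")

if __name__ == "__main__":
    rm = sample_route_map()
    for src in ("10.1.5.5", "10.1.9.7", "10.2.3.4", "172.16.0.1"):
        print(src, decide(rm, src), forward(rm, src), "counter =", rm.counter)
```

The packet from 10.2.3.4 shows why the deny-ACL optimization matters in this model: had acl_b been processed, its deny rule would have hit before acl_c's permit rule was reached.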