Users Guide

686 Access Control Lists
Additional match criteria may be configured by the administrator if desired.
Since a route-map is configured in the context of a routing VLAN, a VLAN
tag is automatically added to the match criteria without the need for the
administrator to specify the VLAN ID.
Route-Map Processing
An incoming packet is matched against the criteria in the 'match' terms
specified in each route-map in the policy. The 'match' terms (clauses) must
refer to one or more MAC or IPv4 access-groups or a packet length. Multiple
MAC, IPv4, or IPv6 access-group match terms are allowed in a route-map,
each access-group consisting of a list of ACLs.
Conceptually, access-group processing proceeds by attempting to match each
of the access-groups listed in the first match clause, in order. If an
access-group does not match, processing moves to the next access-group, in
order, until an access-group matches or the access-group list is exhausted.
If there are more match terms in the route-map, processing proceeds with the
next match term, in order. In reality, all access-group matches within an
access-group are attempted in parallel, and the priority of the access-group
is used to implement the conceptual match process.
An access-group that is used in a 'match' term itself has one or more permit
and/or deny rules. The incoming packet is matched sequentially against the
permit rules in each ACL in the access-group, in order, and a permit/deny
decision is reached. If a permit rule in an access-group in the list matches,
the match term criteria are met and no further match processing takes place
in the route-map. If none of the permit rules in an access-group matches, the
packet match is attempted against the next access-group in the route-map
match list. Deny rules are optimized out of both permit and deny route-maps
and are not processed.
Once a match has occurred:
For a permit route-map, if the decision reached in the above step is permit,
then PBR executes the action specified in the set term(s) of the route-map
statement. The counter for the route-map is incremented for each
matching packet.
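To make the conceptual sequential algorithm above concrete, here is an added Python model of permit route-map processing (not code from this guide or from the switch software; the access-group names, prefixes and next-hop address are constructed, and the 'set' action is reduced to a next-hop string). It walks match terms and access-groups in order, consults only permit rules, stops at the first match and increments the route-map counter.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    """One ACL rule: a permit or deny with optional source/destination prefixes."""
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"      # source prefix (any by default)
    dst: str = "0.0.0.0/0"      # destination prefix (any by default)

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))

@dataclass
class AccessGroup:
    name: str
    acls: list                  # ordered ACLs; each ACL is an ordered list of Rules

@dataclass
class RouteMap:
    name: str
    match_terms: list           # each term is an ordered list of AccessGroups
    next_hop: str               # the 'set' action (hypothetical next-hop address)
    counter: int = 0            # incremented once per matching packet

def access_group_matches(group, pkt):
    """Permit rules are tried in order; deny rules are optimised out and never consulted."""
    for acl in group.acls:
        for rule in acl:
            if rule.action == "permit" and rule.matches(pkt):
                return True
    return False

def evaluate(route_map, pkt):
    """Return (matched access-group, next hop), or None if no match term is met."""
    for term in route_map.match_terms:
        for group in term:                      # access-groups tried in order
            if access_group_matches(group, pkt):
                route_map.counter += 1          # first match ends processing for this route-map
                return group.name, route_map.next_hop
    return None                                  # every term exhausted: route-map does not apply

# Constructed sample policy: names, prefixes and next hop are hypothetical
WEB = AccessGroup("web-ag", [[Rule("deny", dst="10.0.0.0/8"), Rule("permit", dst="203.0.113.0/24")]])
MGMT = AccessGroup("mgmt-ag", [[Rule("permit", src="192.0.2.0/24")]])
RM = RouteMap("rm-egress", [[WEB], [MGMT]], next_hop="198.51.100.1")
```

Note that the deny rule in web-ag has no effect on the outcome: a packet it would have denied still falls through to the next access-group, exactly as the text describes.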