Administrator Guide

648 Access Control Lists
PBR and Implicit Deny-all
Configuring a routing policy on an interface overrides the implicit “deny all”
ACL rule at the end of the last access group on that interface. Administrators should
therefore configure all appropriate ACL deny rules explicitly on any interface on which
PBR is configured, to maintain system security.
Limitations
Internally Generated Packets
Packets that are generated internally by the router are never policy routed.
Set Clause Required
Route-map permit and deny statements without a “set” clause are ignored, except
where a deny route-map statement refers to an ACL containing a permit statement.
No Implicit “deny all” Rule
When an access-group is configured on an interface, an implicit “deny all” rule is
appended to the last access-group on that interface. Because PBR processing occurs
after normal ACL processing, when an ACL associated with a “permit” route-map is
applied to an interface, the implicit “deny all” rule is not applied.
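The following configuration is an added example, not taken from this guide; it uses the Cisco-style CLI syntax assumed for this platform, with constructed ACL names, VLAN number and addresses. It shows an interface ACL that relies on the implicit “deny all”, and the corrected version that states the deny explicitly, because enabling PBR on the same interface removes the implicit rule.

```text
! --- PBR policy: HTTP from the user subnet is sent to a dedicated next hop ---
ip access-list ACL-PBR-HTTP
 permit tcp 10.10.0.0 0.0.255.255 any eq 80
exit
route-map PBR-HTTP permit 10
 match ip address ACL-PBR-HTTP
 set ip next-hop 192.0.2.1
exit

! --- WEAK: interface ACL with permit entries only ---
! Without PBR, anything not matched here hits the implicit "deny all".
! Once "ip policy route-map" is applied to the same interface, that implicit
! deny is no longer installed, so unmatched traffic is forwarded normally.
ip access-list ACL-VLAN10-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 80
 permit tcp 10.10.0.0 0.0.255.255 any eq 443
 permit udp 10.10.0.0 0.0.255.255 host 10.0.0.53 eq 53
exit

! --- CORRECTED: the deny is stated explicitly as the last entry ---
! The explicit rule does not depend on the implicit "deny all", so the
! drop survives when PBR is enabled on the interface.
ip access-list ACL-VLAN10-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 80
 permit tcp 10.10.0.0 0.0.255.255 any eq 443
 permit udp 10.10.0.0 0.0.255.255 host 10.0.0.53 eq 53
 deny ip any any
exit

! --- Apply both the ACL and the routing policy to the VLAN interface ---
! ACL processing runs first, so HTTP must be permitted here for PBR to see it.
interface vlan 10
 ip access-group ACL-VLAN10-IN in
 ip policy route-map PBR-HTTP
exit
```

Per Note 2 below, do not add deny entries for traffic a route-map already sends to Null0; that only duplicates the drop and consumes ACL resources.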
When match rules in an ACL associated with a route-map are successful,

PBR Action (VLAN)    ACL Action (Interface)    Result
                     mirror                    both
                     redirect                  both (see Note 1)
                     rate limit                both

1. For the redirect ACL action, both the redirect and PBR actions are honored where
possible: the policy-routed packet is redirected to the configured physical port,
provided that port is a member of the egress VLAN to which the packet is being routed.
In other words, the system selects the interface specified by the ACL, which must be a
member of the egress VLAN. If the physical interface is not a member of the egress
VLAN, the behavior is undefined.
2. For the PBR set interface Null0 action, the policy-routed packet is dropped only if
no conflicting port ACL is configured. ACL deny statements that also match packets
subject to a PBR set interface Null0 action are redundant and waste system resources.