Concept Guide

Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps.
At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This
chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
An ACL is essentially a filter containing some criteria to match (examine IP, transmission control protocol [TCP], or user datagram protocol
[UDP] packets) and an action to take (permit or deny). ACLs are processed in sequence so that if a packet does not match the criterion in
the first filter, the second filter (if configured) is applied. When a packet matches a filter, the switch drops or forwards the packet based on
the filter's specified action. If the packet does not match any of the filters in the ACL, the packet is dropped (implicit deny).
The number of ACLs supported on a system depends on your content addressable memory (CAM) size. For more information, refer to User
Configurable CAM Allocation and CAM Optimization. For complete CAM profiling information, refer to Content Addressable Memory
(CAM).
You can configure ACLs on VRF instances. In addition to the existing qualifying parameters, Layer 3 ACLs also incorporate VRF ID as one of
the parameters. Using this new capability, you can also configure VRF based ACLs on interfaces.
NOTE: You can apply Layer 3 VRF-aware ACLs only at the ingress level.
You can apply VRF-aware ACLs on:
VRF Instances
Interfaces
In order to congure VRF-aware ACLs on VRF instances, you must carve out a separate CAM region. You can use the cam-acl command
for allocating CAM regions. As part of the enhancements to support VRF-aware ACLs, the cam-acl command now includes the following
new parameter that enables you to allocate a CAM region:
vrfv4acl.
The order of priority for conguring user-dened ACL CAM regions is as follows:
V4 ACL CAM
VRF V4 ACL CAM
L2 ACL CAM
With the inclusion of VRF based ACLs, the order of precedence of Layer 3 ACL rules is as follows:
Port/VLAN based PERMIT/DENY Rules
Port/VLAN based IMPLICIT DENY Rules
VRF based PERMIT/DENY Rules
VRF based IMPLICIT DENY Rules
NOTE: In order for the VRF ACLs to take effect, ACLs configured in the Layer 3 CAM region must have an implicit-permit option.
You can use the ip access-group command to configure VRF-aware ACLs on interfaces. Using the ip access-group command, in
addition to a range of VLANs, you can also specify a range of VRFs as input for configuring ACLs on interfaces. The VRF range is from 1 to
511. These ACLs use the existing V4 ACL CAM region to populate the entries in the hardware and do not require you to carve out a
separate CAM region.
NOTE: You can configure VRF-aware ACLs on interfaces either using a range of VLANs or a range of VRFs but not both.