Reference Guide
Access Control Lists
OS10 uses two types of access policies — hardware-based ACLs and software-based route-maps. Use an ACL to filter traffic and drop or
forward matching packets. To redistribute routes that match configured criteria, use a route-map.
ACLs
An ACL is a filter containing criteria to match, for example, fields in IP, TCP, or UDP packets, and an action to take, such as forwarding or
dropping matching packets at the NPU. ACLs permit or deny traffic based on MAC and/or IP addresses. The number of ACL entries is hardware-
dependent.
ACLs have only two actions — forward or drop. Route-maps not only permit or block redistributed routes but also modify information
associated with the route when it is redistributed into another protocol. When a packet matches a filter, the device drops or forwards the
packet based on the filter’s specified action. If the packet does not match any of the filters in the ACL, the packet drops (implicit deny).
ACL rules do not consume hardware resources until you apply the ACL to an interface.
ACLs process in sequence. If a packet does not match the criterion in the first filter, the second filter applies. If you configured multiple
hardware-based ACLs, filter rules apply on the packet content based on the priority NPU rule.
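The sequential, first-match evaluation and implicit deny described above, as an added Python model (not OS10 code or output): it also flags entries that an earlier, broader entry shadows, which is the usual cause of a deny rule that never fires. The entry fields and the sample ACL are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AclEntry:
    seq: int                     # sequence number; lower numbers are evaluated first
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    src: str                     # source prefix in CIDR form
    dst: str                     # destination prefix in CIDR form
    dport: Optional[int] = None  # destination port, or None for any port

def _matches(e: AclEntry, pkt: dict) -> bool:
    """All configured criteria of one entry must hold for the packet."""
    return ((e.proto == "ip" or e.proto == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(e.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(e.dst)
            and (e.dport is None or e.dport == pkt.get("dport")))

def evaluate_acl(acl, pkt):
    """First entry (by sequence number) that matches decides; no match is an implicit deny."""
    for e in sorted(acl, key=lambda x: x.seq):
        if _matches(e, pkt):
            return e.action, e.seq
    return "deny", None

def _covers(a: AclEntry, b: AclEntry) -> bool:
    """True when every packet b could match is already matched by the earlier entry a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and ipaddress.ip_network(a.src).supernet_of(ipaddress.ip_network(b.src))
            and ipaddress.ip_network(a.dst).supernet_of(ipaddress.ip_network(b.dst))
            and (a.dport is None or a.dport == b.dport))

def shadowed_entries(acl):
    """Sequence numbers of entries that can never fire because an earlier entry covers them."""
    ordered = sorted(acl, key=lambda x: x.seq)
    return [b.seq for i, b in enumerate(ordered) if any(_covers(a, b) for a in ordered[:i])]

# Constructed sample ACL: the seq 20 deny is shadowed by the broader seq 10 permit.
SAMPLE_ACL = [
    AclEntry(10, "permit", "tcp", "10.0.0.0/8", "192.0.2.10/32", 443),
    AclEntry(20, "deny", "tcp", "10.1.0.0/16", "192.0.2.10/32", 443),
    AclEntry(30, "permit", "udp", "10.0.0.0/8", "192.0.2.0/24", 53),
]
```

Running shadowed_entries(SAMPLE_ACL) reports entry 20, and a packet from 10.1.2.3 to 192.0.2.10:443 is permitted by entry 10 even though entry 20 was meant to deny it.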
Route maps
Route-maps are software-based filters used when a routing protocol redistributes routes from one protocol to another, and as decision
criteria in route advertisements. A route-map defines which of the routes from the specified routing protocol are redistributed into the target
routing process; see Route-maps.
A route-map sequence can have more than one match criterion; two or more matches within the same route-map sequence use different match
commands, and matching a packet against these criteria is an AND operation (all must match). If no match is found in a route-map sequence, the process moves
to the next route-map sequence until a match is found, or until there are no more sequences. When a match is found, the packet is
forwarded and no additional route-map sequences process. If you include a continue clause in the route-map sequence, the next route-map
sequence also processes after a match is found.
IP ACLs
An ACL filters packets based on the:
• IP protocol number
• Source and destination IP address
• Source and destination TCP port number
• Source and destination UDP port number
For TCP and UDP ACL filters, you can match on specific TCP or UDP ports. For TCP ACL filters, you can also match on established
TCP sessions.
When creating an ACL, the sequence of the filters is important. You can assign sequence numbers to the filters as you enter them, or OS10
can assign numbers in the order you create the filters. The sequence numbers display in the show running-configuration and
show ip access-lists [in | out] command output.
Ingress and egress hot-lock ACLs allow you to append new rules to, or delete rules from, an existing ACL without disrupting traffic flow. Existing
entries in the CAM shuffle to accommodate the new entries. Hot-lock ACLs are enabled by default and are supported on all platforms.