Users Guide

8 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps.
At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses.
This chapter describes implementing IP ACLs, IP prefix lists, and route-maps. For MAC ACLs, refer to Layer 2.
An ACL is essentially a filter containing criteria to match (examining IP, Transmission Control Protocol [TCP], or User Datagram Protocol [UDP] packets) and an action to take (permit or deny). ACLs are processed in sequence: if a packet does not match the criteria in the first filter, the second filter (if configured) is applied, and so on. When a packet matches a filter, the switch drops or forwards the packet based on the filter's specified action. If the packet matches none of the filters in the ACL, the packet is dropped (implicit deny).
The number of ACLs supported on a system depends on your content addressable memory (CAM) size. For more information, refer to User Configurable CAM Allocation and CAM Optimization. For complete CAM profiling information, refer to Content Addressable Memory (CAM).
You can congure ACLs on VRF instances. In addition to the existing qualifying parameters, Layer 3 ACLs also incorporate VRF ID as
one of the parameters. Using this new capability, you can also congure VRF based ACLs on interfaces.
NOTE: You can apply Layer 3 VRF-aware ACLs only at the ingress level.
You can apply VRF-aware ACLs on:
VRF Instances
Interfaces
In order to congure VRF-aware ACLs on VRF instances, you must carve out a separate CAM region. You can use the cam-acl
command for allocating CAM regions. As part of the enhancements to support VRF-aware ACLs, the cam-acl command now
includes the following new parameter that enables you to allocate a CAM region:
vrfv4acl.
The order of priority for conguring user-dened ACL CAM regions is as follows:
V4 ACL CAM
VRF V4 ACL CAM
L2 ACL CAM
With the inclusion of VRF-based ACLs, the order of precedence of Layer 3 ACL rules is as follows:
1. Port/VLAN-based PERMIT/DENY rules
2. Port/VLAN-based IMPLICIT DENY rules
3. VRF-based PERMIT/DENY rules
4. VRF-based IMPLICIT DENY rules
NOTE: In order for the VRF ACLs to take effect, ACLs configured in the Layer 3 CAM region must have the implicit-permit option. Otherwise the port/VLAN-based implicit deny (step 2) drops every packet that matched no explicit port/VLAN rule before the VRF rules are ever reached.
You can use the ip access-group command to configure VRF-aware ACLs on interfaces. Using the ip access-group command, in addition to a range of VLANs, you can also specify a range of VRFs as input when configuring ACLs on interfaces. The VRF range is from 1 to 63. These ACLs use the existing V4 ACL CAM region to populate the entries in the hardware and do not require you to carve out a separate CAM region.
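The following Python model is an added illustration of the evaluation order described in this chapter (first-match processing, implicit deny, and the port/VLAN-before-VRF precedence); it is not code from the guide, and the rules, addresses and packet fields are constructed for the example rather than taken from any switch configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    src: str                     # source prefix, CIDR notation
    dst: str                     # destination prefix, CIDR notation
    dport: Optional[int] = None  # destination port (tcp/udp only); None = any

    def matches(self, pkt):
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))

def first_match(rules, pkt):
    """Sequential first-match: the first matching rule decides; None if no rule matched."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None

def decide(port_acl, vrf_acl, pkt, port_implicit_permit=False):
    """Return (verdict, stage) following the chapter's precedence: port/VLAN rules,
    port/VLAN implicit rule, VRF rules, VRF implicit deny. The VRF ACL is reached
    only when the port/VLAN ACL has implicit-permit and no explicit rule matched."""
    hit = first_match(port_acl, pkt)
    if hit is not None:
        return hit.action, "port/vlan rule"
    if not port_implicit_permit:
        return "deny", "port/vlan implicit deny"
    hit = first_match(vrf_acl, pkt)
    if hit is not None:
        return hit.action, "vrf rule"
    return "deny", "vrf implicit deny"

# Constructed sample policy (hypothetical prefixes, not from the guide).
PORT_ACL = [
    Rule("deny", "tcp", "0.0.0.0/0", "10.0.0.0/8", dport=23),  # no telnet into 10/8
    Rule("permit", "ip", "192.0.2.0/24", "10.0.0.0/8"),        # management subnet
]
VRF_ACL = [
    Rule("permit", "udp", "198.51.100.0/24", "10.1.0.0/16", dport=53),  # DNS only
]
```

Running `decide(PORT_ACL, VRF_ACL, pkt)` for a DNS packet from 198.51.100.7 returns the port/VLAN implicit deny until `port_implicit_permit=True` is passed, at which point the VRF rule takes effect; a telnet packet from the management subnet is denied by the first rule even though the second would permit it, which shows why rule order matters.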