Dell 9.7(0.0) Plumbing Product User Manual


  Open as PDF
of 1039
 
6
Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps.
At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on
MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps.
For MAC ACLS, refer to Layer 2.
An ACL is essentially a filter containing some criteria to match (examine IP, transmission control protocol
[TCP], or user datagram protocol [UDP] packets) and an action to take (permit or deny). ACLs are
processed in sequence so that if a packet does not match the criterion in the first filter, the second filter
(if configured) is applied. When a packet matches a filter, the switch drops or forwards the packet based
on the filter’s specified action. If the packet does not match any of the filters in the ACL, the packet is
dropped (implicit deny).
The number of ACLs supported on a system depends on your content addressable memory (CAM) size.
For more information, refer to User Configurable CAM Allocation and CAM Optimization. For complete
CAM profiling information, refer to Content Addressable Memory (CAM).
You can configure ACLs on VRF instances. In addition to the existing qualifying parameters, Layer 3 ACLs
also incorporate VRF ID as one of the parameters. Using this new capability, you can also configure VRF
based ACLs on interfaces.
NOTE: You can apply Layer 3 VRF-aware ACLs only at the ingress level.
You can apply VRF-aware ACLs on:
VRF Instances
Interfaces
In order to configure VRF-aware ACLs on VRF instances, you must carve out a separate CAM region. You
can use the cam-acl command for allocating CAM regions. As part of the enhancements to support
VRF-aware ACLs, the cam-acl command now includes the following new parameter that enables you to
allocate a CAM region:
vrfv4acl.
The order of priority for configuring user-defined ACL CAM regions is as follows:
V4 ACL CAM
VRF V4 ACL CAM
L2 ACL CAM
With the inclusion of VRF based ACLs, the order of precedence of Layer 3 ACL rules is as follows:
Port/VLAN based PERMIT/DENY Rules
Port/VLAN based IMPLICIT DENY Rules
VRF based PERMIT/DENY Rules
92
Access Control Lists (ACLs)