Administrator Guide
Access Control Lists 695
In the last column of the table (Optimized), a Yes entry means the rule is
never processed in hardware because the action, if any, is to fall through to the
next match criteria. The system optimizes out deny ACL match clauses and
never processes them in the system hardware. Counters for these match
clauses will always show 0.
Interface ACLs and PBR Interaction
PBR can be configured only on VLAN routing interfaces. However, user-defined
ACLs can be configured on all types of interfaces, including physical
interfaces, port-channels, and VLANs. When processing packets on which both
PBR and user-defined ACLs are configured, routing policy is performed only
after the application of all user-defined VLAN and interface ACLs. Only
packets that do not match any user-defined ingress deny ACL rules configured
on an incoming interface are eligible for processing by PBR. User-defined
interface ACLs have a higher precedence than user-defined VLAN ACLs or PBR
ACLs. In the case of conflicting actions, the user-defined interface ACL
takes precedence. Specifically, if a user-defined interface ACL drops a packet
(deny), routing policy is not applied to the packet. Likewise, if a
user-defined VLAN ACL drops a packet, routing policy is not applied to the
packet.
In many cases, the switch is capable of taking multiple actions on a packet,
irrespective of whether the action is configured on an ACL used in a
route-map or on an ACL configured on a port. For example, the system can both
rate limit packets on ingress with an interface ACL and set the ip precedence
on packets that do not exceed the rate limit with a PBR ACL.
The following table describes the action resolution mechanism when a packet
matches both the PBR rules configured on a VLAN routing interface and a
permit ACL rule configured on a physical interface (the deny ACL action is
included for emphasis):

PBR Action (VLAN)      ACL Action (Interface)    Result
set ip precedence      deny                      deny
                       mirror                    both
                       redirect                  both (see Note 1)
                       rate limit                both
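The precedence rules above (interface ACL first, then VLAN ACL, then PBR only for packets no deny rule has dropped) and the resolution table can be checked with a small model. The following is an added example written for this page, not the vendor's code or CLI: the `AclRule`, `PbrEntry` and `resolve` names, the packet fields and the addresses are all constructed for illustration. It is useful for predicting, before a route-map is relied on, whether an existing deny rule on a port or VLAN will silently prevent the routing policy from being applied.

```python
# Added example (not the vendor's code): a model of how the switch resolves
# actions when a packet matches an interface ACL, a VLAN ACL and a PBR
# route-map at the same time.  It encodes only the precedence rules stated
# in the guide: interface ACL first, then VLAN ACL, and PBR only for packets
# that no user-defined deny rule has dropped.  Packets, ACLs and route-map
# entries below are constructed for illustration.
from dataclasses import dataclass

DENY = "deny"


@dataclass(frozen=True)
class AclRule:
    match: dict         # packet field -> required value ("any" matches everything)
    action: str         # "permit" or "deny"
    attrs: tuple = ()   # permit-rule attributes: "mirror", "redirect", "rate limit"


@dataclass(frozen=True)
class PbrEntry:
    match: dict         # match criteria of the route-map clause
    sets: tuple         # set actions of the clause, e.g. ("set ip precedence",)


def matches(criteria, packet):
    return all(v == "any" or packet.get(k) == v for k, v in criteria.items())


def first_match(rules, packet):
    # ACLs and route-maps are evaluated as first-match lists
    for rule in rules:
        if matches(rule.match, packet):
            return rule
    return None


def resolve(packet, interface_acl=(), vlan_acl=(), pbr=()):
    """Return the set of actions applied to the packet.

    A deny from either ACL is final and PBR is never consulted.  A permit
    with attributes (mirror, redirect, rate limit) is combined with the PBR
    set actions, as in the guide's resolution table.  Assumption: only
    explicit rules are modelled; an implicit deny at the end of an ACL is not.
    """
    applied = set()
    for acl in (interface_acl, vlan_acl):   # interface ACL has higher precedence
        rule = first_match(acl, packet)
        if rule is None:
            continue
        if rule.action == DENY:
            return {DENY}                   # routing policy is not applied
        applied.update(rule.attrs)
    entry = first_match(pbr, packet)
    if entry is not None:
        applied.update(entry.sets)
    return applied


# Constructed scenario: PBR on the VLAN routing interface sets ip precedence
# on all traffic, while the physical port carries an interface ACL whose
# action varies per table row.
PACKET = {"src": "192.0.2.10", "dst": "198.51.100.5"}   # constructed addresses
PBR_VLAN10 = (PbrEntry({"src": "any"}, ("set ip precedence",)),)


def resolution_table():
    """Rebuild the guide's table: interface ACL action -> resulting actions."""
    rows = {}
    for acl_action, attrs in [("deny", ()), ("mirror", ("mirror",)),
                              ("redirect", ("redirect",)),
                              ("rate limit", ("rate limit",))]:
        action = DENY if acl_action == "deny" else "permit"
        acl = (AclRule({"src": "192.0.2.10"}, action, attrs),)
        rows[acl_action] = resolve(PACKET, interface_acl=acl, pbr=PBR_VLAN10)
    return rows


def vlan_acl_deny_blocks_pbr():
    """A deny on the VLAN ACL likewise prevents routing policy from applying."""
    vlan_acl = (AclRule({"dst": "198.51.100.5"}, DENY),)
    return resolve(PACKET, vlan_acl=vlan_acl, pbr=PBR_VLAN10)


if __name__ == "__main__":
    for acl_action, result in resolution_table().items():
        print(f"{acl_action:10s} -> {sorted(result)}")
    print("vlan deny  ->", vlan_acl_deny_blocks_pbr())
```

Running the block prints one line per table row: the deny row yields only `deny`, while the mirror, redirect and rate limit rows each combine the interface ACL attribute with `set ip precedence`, which is what "both" means in the table.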