Reference Guide

Access Control Lists
OS10 uses two types of access policies — hardware-based ACLs and software-based route-maps. Use an ACL to filter traffic such as IP,
transmission control protocol (TCP), or user datagram protocol (UDP) packets, and drop or forward matching packets. Use a route-map to
redistribute routes that match configured criteria.
Route-maps are software-based filtering in routing protocols, used to redistribute routes from one protocol to another and as a
decision criterion in route advertisements. A route-map defines which of the routes from the specified routing protocol are allowed to be
redistributed into the target routing process (see Route-maps).
An ACL is essentially a filter containing criteria to match (such as examining IP, TCP, or UDP packets) and an action to take (such as
forwarding or dropping packets at the NPU). ACLs permit or deny traffic based on MAC and/or IP addresses. The number of ACL entries is
hardware-dependent.
ACLs have only two actions — forward or drop. Route-maps not only permit or block redistributed routes but also modify information
associated with the route when it is redistributed into another protocol. When a packet matches a filter, the device drops or forwards the
packet based on the filter's specified action. If the packet does not match any of the filters in the ACL, the packet is dropped (implicit deny).
ACL rules do not consume hardware resources until you apply the ACL to an interface.
The device processes ACLs in sequence, so that if a packet does not match the criteria in the first filter, the second filter (if configured)
applies. If there are multiple hardware-based ACLs configured on the system, filter rules are applied to the packet content based on the
priority provided by the inserted rule at the NPU.
In a route-map with more than one match criterion, two or more matches within the same route-map sequence use different match
commands. Matching a packet against these criteria is a logical AND operation. If no match is found in a route-map sequence, the process
moves to the next route-map sequence until a match is found, or until there are no more sequences. When a match is found, the packet is
forwarded and no additional route-map sequences are processed. If you include a continue clause in the route-map sequence, the next route-map
sequence is also processed after a match is found.
IP ACLs
An ACL lters packets based on:
IP protocol number
Source and destination IP address
Source and destination TCP port number
Source and destination UDP port number
For TCP and UDP ACL filters, you can match on specific TCP or UDP ports. For TCP ACL filters, you can also match on established
TCP sessions.
When creating an ACL, the sequence of the filters is important. You can either assign sequence numbers to the filters as you
enter them, or let OS10 assign numbers in the order you create the filters. The sequence numbers display in the show running-configuration
and show ip access-lists [in | out] command output.
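To make the first-match, implicit-deny semantics above concrete, here is an added Python model of IP ACL evaluation; it is an illustration written for this guide, not OS10 code. The entry fields, the sample ACL and the simplification that "established" means the ACK flag is set are all assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class AclEntry:
    seq: int                   # sequence number; lower numbers are tried first
    action: str                # "permit" or "deny"
    proto: str                 # "ip" (any), "tcp" or "udp"
    src: str                   # source prefix in CIDR notation
    dst: str                   # destination prefix in CIDR notation
    dport: Optional[int] = None  # destination port, None = any
    established: bool = False  # TCP only: match replies of existing sessions

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False          # ACK set: packet belongs to an established session

def matches(e: AclEntry, p: Packet) -> bool:
    """Logical AND of every criterion present in the entry."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in ipaddress.ip_network(e.src):
        return False
    if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(e.dst):
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return not e.established or p.ack

def evaluate(acl: list, p: Packet):
    """First match in sequence order wins; no match is an implicit deny."""
    for e in sorted(acl, key=lambda e: e.seq):
        if matches(e, p):
            return e.action, e.seq
    return "deny", None

# Constructed ACL: allow return traffic and SSH from one management subnet
# into 10.1.0.0/16, block everything else from that subnet, allow DNS queries.
ACL = [
    AclEntry(10, "permit", "tcp", "0.0.0.0/0", "10.1.0.0/16", established=True),
    AclEntry(20, "permit", "tcp", "192.0.2.0/24", "10.1.0.0/16", dport=22),
    AclEntry(30, "deny", "ip", "192.0.2.0/24", "10.1.0.0/16"),
    AclEntry(40, "permit", "udp", "0.0.0.0/0", "10.1.0.0/16", dport=53),
]
```

Inserting a lower-numbered entry ahead of an existing one shadows it, which is why the sequence numbers shown by show ip access-lists matter when you audit an ACL.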
Ingress and egress hot lock ACLs allow you to append new rules to, or delete rules from, an existing ACL that is already written into content
addressable memory (CAM) without disrupting traffic flow. Existing entries in the CAM are shuffled to accommodate the new entries. Hot
lock ACLs are enabled by default and support ACLs on all platforms.