Reference Guide

Access Control Lists
OS10 uses two types of access policies: hardware-based ACLs and software-based route-maps. Use an ACL to filter traffic and drop or
forward matching packets. To redistribute routes that match configured criteria, use a route-map.
ACLs
An ACL is a filter containing criteria to match (for example, examine IP, TCP, or UDP packets) and an action to take, such as forwarding or
dropping packets at the NPU. ACLs permit or deny traffic based on MAC and/or IP addresses. The number of ACL entries is hardware-
dependent.
ACLs have only two actions: forward or drop. Route-maps not only permit or block redistributed routes but also modify information
associated with the route when it is redistributed into another protocol. When a packet matches a filter, the device drops or forwards the
packet based on the filter's specified action. If the packet does not match any of the filters in the ACL, the packet drops (implicit deny).
ACL rules do not consume hardware resources until you apply the ACL to an interface.
ACLs process in sequence. If a packet does not match the criteria in the first filter, the second filter applies, and so on; the first filter that
matches decides the action. If you configured multiple hardware-based ACLs, filter rules apply to the packet content based on the NPU rule
priority.
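The first-match, implicit-deny evaluation described above, as an added Python simulation (this is not OS10 code; the rule and packet fields, the sequence numbers and the sample packets are constructed for the example). It also shows why rule order matters: renumbering the telnet deny to sit after the broader permit lets the same packet through.

```python
"""First-match ACL evaluation with implicit deny (added simulation, not OS10 code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    seq: int                    # rules evaluate in ascending sequence number
    action: str                 # "permit" (forward) or "deny" (drop)
    proto: str                  # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dport: Optional[int] = None  # None = any destination port
    hits: int = 0               # per-rule packet counter


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _in_net(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """All fields of the rule must hold for the packet (AND)."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_in_net(rule.src, pkt.src) and _in_net(rule.dst, pkt.dst)):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL in sequence order; the first matching rule decides.
    Returns (action, seq of the matching rule); no match is the implicit
    deny, reported with seq None."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if matches(rule, pkt):
            rule.hits += 1
            return rule.action, rule.seq
    return "deny", None


def build_acl(telnet_deny_seq: int = 20) -> List[Rule]:
    """Constructed sample ACL: SSH from one subnet, a telnet deny to one host,
    then a broad permit for the whole 10.1.0.0/16 range."""
    return [
        Rule(10, "permit", "tcp", "10.1.1.0/24", "any", dport=22),
        Rule(telnet_deny_seq, "deny", "tcp", "any", "192.0.2.10/32", dport=23),
        Rule(30, "permit", "ip", "10.1.0.0/16", "any"),
    ]


if __name__ == "__main__":
    acl = build_acl()
    for p in (Packet("tcp", "10.1.1.5", "192.0.2.10", 22),
              Packet("tcp", "10.1.2.5", "192.0.2.10", 23),
              Packet("udp", "10.1.2.5", "198.51.100.1", 53),
              Packet("tcp", "172.16.0.1", "10.1.1.1", 22)):
        print(p, "->", evaluate(acl, p))
    # Same telnet packet, but the deny now sits after the broad permit at seq 30
    print(evaluate(build_acl(telnet_deny_seq=40), Packet("tcp", "10.1.2.5", "192.0.2.10", 23)))
```

The last call is the practical check to make when editing a live ACL: a `deny` inserted with a sequence number higher than an existing broad `permit` never fires, because the permit has already matched.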
Route maps
Route-maps are software-based filtering in a routing protocol that redistributes routes from one protocol to another, and they are used as
decision criteria in route advertisements. A route-map defines which of the routes from the specified routing protocol are redistributed into
the target routing process; see Route-maps.
A route-map sequence can have more than one match criterion; two or more matches within the same route-map sequence use different
match commands. Matching a route against these criteria is an AND operation. If no match is found in a route-map sequence, the process
moves to the next route-map sequence until a match is found, or until there are no more sequences. When a match is found, the route is
permitted or denied according to that sequence and no additional route-map sequences process. If you include a continue clause in the
route-map sequence, the next route-map sequence also processes after a match is found.
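The sequence walk described above, as an added Python simulation (not OS10 code). The route attributes, the simplified prefix-list test (a route matches if its prefix equals or falls inside a listed network; no le/ge), the continue encoding and the sample routes are all assumptions made for the example; so is the choice that a route permitted by an earlier sequence stays permitted when a continue finds no later match, while a later matching deny still rejects it.

```python
"""Route-map evaluation: AND within a sequence, first matching sequence decides,
optional continue (added simulation, not OS10 code)."""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

Route = Dict[str, object]   # e.g. {"prefix": "10.1.0.0/16", "metric": 20, "tag": 100}

# continue encoding (assumed): None = stop after this sequence matches,
# NEXT = carry on with the next sequence, any other int = jump to that sequence
NEXT = 0


@dataclass
class Sequence:
    seq: int
    action: str                                              # "permit" or "deny"
    match: Dict[str, object] = field(default_factory=dict)   # every clause must hold (AND)
    set: Dict[str, object] = field(default_factory=dict)     # attribute changes on a permit match
    cont: Optional[int] = None


def clauses_match(s: Sequence, route: Route) -> bool:
    """AND of all match clauses; a sequence without match clauses matches every route."""
    for key, wanted in s.match.items():
        if key == "prefix_list":
            pfx = ip_network(route["prefix"])
            if not any(pfx.subnet_of(ip_network(n)) for n in wanted):
                return False
        elif route.get(key) != wanted:
            return False
    return True


def apply_route_map(rmap: List[Sequence], route: Route) -> Tuple[bool, Route, List[int]]:
    """Return (permitted, possibly modified copy of the route, sequences that matched)."""
    route = dict(route)                          # never mutate the caller's route
    seqs = sorted(rmap, key=lambda s: s.seq)
    i, matched, permitted = 0, [], False
    while i < len(seqs):
        s = seqs[i]
        if not clauses_match(s, route):
            i += 1                               # no match here: try the next sequence
            continue
        matched.append(s.seq)
        if s.action == "deny":
            return False, route, matched         # a matching deny rejects, even after a continue
        route.update(s.set)                      # modify the redistributed route's attributes
        permitted = True
        if s.cont is None:
            break                                # match found and no continue: stop
        if s.cont == NEXT:
            i += 1
        else:                                    # continue <seq>: jump to that entry (or past the end)
            i = next((k for k, t in enumerate(seqs) if t.seq == s.cont), len(seqs))
    # No sequence matched at all: implicit deny. An earlier permit whose continue
    # found nothing further still stands (assumed behaviour, see lead-in).
    return permitted, route, matched


def build_route_map() -> List[Sequence]:
    """Constructed sample route-map."""
    return [
        Sequence(10, "permit", match={"prefix_list": ["10.0.0.0/8"], "tag": 100},
                 set={"metric": 50}, cont=NEXT),
        Sequence(20, "deny", match={"prefix_list": ["192.168.0.0/16"]}),
        Sequence(30, "permit", match={"tag": 100}, set={"tag": 200}),
        Sequence(40, "permit", set={"metric": 10}),      # catch-all, no match clauses
    ]


if __name__ == "__main__":
    rm = build_route_map()
    for r in ({"prefix": "10.1.0.0/16", "metric": 20, "tag": 100},
              {"prefix": "10.2.0.0/16", "metric": 20, "tag": 0},
              {"prefix": "192.168.5.0/24", "metric": 5, "tag": 100}):
        print(r, "->", apply_route_map(rm, r))
```

The first sample route shows both points in the paragraph: sequence 10 only matches because prefix and tag both hold, and because it carries a continue the route goes on to sequence 30 and picks up the second set clause; without the continue, processing would have stopped at sequence 10.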
The S5148F-ON platform has the following limitations:
ACL counter does not support byte count.
ACL rule does not look up the next header for IPv6 packets.
L2 Egress ACL does not work for unknown unicast traffic.
L2 User ACL has higher priority than the L3 User ACL.
You cannot modify or extend the hardware table for each ACL type.
In IPv6 packets, only the protocol number of the first header gets matched.
The egress Deny ACL entry does not block soft-forwarded packets and CPU-originated ICMP packets.
IP ACLs
An ACL lters packets based on the:
IP protocol number
Source and destination IP address
Source and destination TCP port number