The implementation of ACL filters is similar in all switches but there are some differences as summarized in the following tables.
Note: The InVSN Filter shares the port-based groups in the following table.
VSP 4450 Series | VSP 4900 Series, VSP 7200 Series, VSP 8200 Series, VSP 8400 Series | VSP 7400 Series | VSP 8600 Series | XA1400 Series |
---|---|---|---|---|
If you enable Application Telemetry, IPv6 security filter commands and configurations are blocked and not available. | If you enable Application Telemetry, IPv6 security filter commands and configurations are blocked and not available. | If you enable Application Telemetry, IPv6 security filter commands and configurations are supported. | If you enable Application Telemetry, IPv6 security filter commands and configurations are supported. | Application Telemetry and IPv6 filters are not supported. |
All switches use a filter group as memory to store filter rules. The number of filter groups used can differ: | | | | |
The switch supports four separate ingress filter groups: | The switch supports two ingress filter groups, where each group is shared by two filter types: | The switch supports two ingress filter groups, where each type can hold both Security and QoS actions in both Primary Bank and Secondary Bank ranges. | The switch supports the following ingress filter group: | The switch supports one ingress filter group with two filter types: |
For each ingress packet, a parallel search is performed on each of the four filter groups. | For each ingress packet, a parallel search is performed on each of the two filter groups. | For each ingress packet, a parallel search is performed on each of the two filter groups. | For each ingress packet, a search is performed on the filter group. | For each ingress packet, a search is performed on the filter group. |

Filter | VSP 4450 Series | VSP 4900 Series, VSP 7200 Series, VSP 8200 Series, VSP 8400 Series | VSP 7400 Series | VSP 8600 Series | XA1400 Series |
---|---|---|---|---|---|
Can match both port-based and VLAN-based ACL/ACE | Regardless of the type of matching ACEs (Security or QoS), the action of either the highest priority matching ACE or the default action will be performed. | inVSN ACLs have highest precedence, followed by inPort ACLs. inVLAN ACLs have the lowest priority. If the matching ACEs are of the same type (Primary or Secondary), the ACE action applied is based on the precedence. | Port-based ACLs have precedence over VLAN-based ACLs. If the matching ACEs are of the same type (Primary or Secondary), then the VLAN-based ACL/ACE is ignored. | Port-based ACLs have precedence over VLAN-based ACLs. If a packet matches both a Port-based and a VLAN-based ACL, then the VLAN-based ACL is ignored. | Port-based ACLs have precedence over VLAN-based ACLs. If a packet matches both a Port-based and a VLAN-based ACL, then the VLAN-based ACL is ignored. Security ACEs have precedence over QoS ACEs. If packets match a Security and a QoS ACE, only the Security action is applied; the QoS action is ignored. |

Filter | VSP 4450 Series, VSP 7200 Series, VSP 8200 Series, XA1400 Series | VSP 7400 Series | VSP 4900 Series, VSP 8400 Series | VSP 8600 Series |
---|---|---|---|---|
ACE ID ranges supported | Security ACEs: 1–1000; QoS ACEs: 1001–2000 (IPv4 filters only) | IPv4 filters support both Security and QoS actions in both Primary Bank and Secondary Bank ranges: Primary Bank: 1–1000; Secondary Bank: 1001–2000. IPv6 filters: ACEs 1–2000 support both Security and QoS actions. | IPv4 filters: Security ACEs: 1–1000; QoS ACEs: 1001–2000. IPv6 filters: ACEs 1–2000 support both security and QoS actions. | ACEs 1–1000 support both security and QoS actions. |
redirect-next-hop support | Supported in both the Global Routing Table and VRF contexts. | Supported in both the Global Routing Table and VRF contexts. | Supported in both the Global Routing Table and VRF contexts. | Supported in the Global Routing Table only. |
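
When an ACL is moved between switch families, a security ACE whose ID falls outside the target's range may not carry over, so it is worth checking the IDs first. The following is an added example, not Extreme Networks code: the `Ace` record, the group labels and the sample ACL are constructed, and it assumes "(IPv4 filters only)" in the first column means QoS ACEs are unavailable for IPv6 filters on those switches.

```python
from dataclasses import dataclass

# Hypothetical labels for the four column groups of the ACE ID range table.
GROUP_A = "VSP 4450/7200/8200, XA1400"
GROUP_7400 = "VSP 7400"
GROUP_C = "VSP 4900/8400"
GROUP_8600 = "VSP 8600"

@dataclass(frozen=True)
class Ace:
    ace_id: int
    kind: str  # "security" or "qos"
    ip: str    # "ipv4" or "ipv6"

def allowed_ids(platform, kind, ip):
    """Inclusive ACE ID range for this action kind, or None if unavailable."""
    if platform == GROUP_8600:
        return (1, 1000)                 # one range for both action kinds
    if platform == GROUP_7400:
        return (1, 2000)                 # both banks accept both action kinds
    if platform == GROUP_C:
        if ip == "ipv6":
            return (1, 2000)
        return (1, 1000) if kind == "security" else (1001, 2000)
    if platform == GROUP_A:
        if kind == "security":
            return (1, 1000)
        # Assumption: QoS ACEs exist for IPv4 filters only on this group.
        return (1001, 2000) if ip == "ipv4" else None
    raise ValueError(f"unknown platform group: {platform}")

def lint(aces, platform):
    """Return (ace_id, reason) for every ACE the target group would not accept."""
    findings = []
    for ace in aces:
        rng = allowed_ids(platform, ace.kind, ace.ip)
        if rng is None:
            findings.append((ace.ace_id, f"{ace.kind} ACEs unavailable for {ace.ip} filters"))
        elif not rng[0] <= ace.ace_id <= rng[1]:
            findings.append((ace.ace_id, f"{ace.kind} ACE ID outside {rng[0]}-{rng[1]}"))
    return findings

# Constructed sample: ACEs that are all valid on a VSP 7400.
SAMPLE = [Ace(10, "security", "ipv4"), Ace(20, "qos", "ipv4"),
          Ace(1500, "security", "ipv4"), Ace(1600, "qos", "ipv6")]

if __name__ == "__main__":
    for group in (GROUP_7400, GROUP_C, GROUP_A, GROUP_8600):
        print(group, lint(SAMPLE, group))
```
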

VSP 4450 Series | VSP 4900 Series, VSP 7200 Series, VSP 8200 Series, VSP 8400 Series | VSP 7400 Series | VSP 8600 Series | XA1400 Series |
---|---|---|---|---|
Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs. | Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs. | Configuring an ACE with the ARP operation qualifier is not supported for OutPort ACLs. | Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs. | Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs. The Egress filters do not apply to the mirrored packets. |

VSP 4450 Series | VSP 4900 Series, VSP 7200 Series, VSP 8200 Series, VSP 8400 Series | VSP 7400 Series | VSP 8600 Series | XA1400 Series |
---|---|---|---|---|
Supports viewing ACL statistics by the ACE type Security and QoS. | Supports viewing ACL statistics by the ACE type Security and QoS. | Supports viewing ACL statistics by the ACE type Primary Bank and Secondary Bank. | Supports viewing ACL statistics by the ACE type QoS. | Supports viewing ACL statistics by the ACE type Security and QoS. |

For QoS scaling and filter scaling information, see VOSS Release Notes.