ACL Filters Behavior Differences

The implementation of ACL filters is similar in all VOSS switches but there are some differences as summarized in the following tables.

Note

Note

The InVSN Filter shares the port-based groups in the following table.

Table 1. Hardware filter engine resources

VSP 4450 Series

VSP 4900 Series

VSP 7200 Series

VSP 8000 Series

5520 Series

VSP 7400 Series

VSP 8600 Series

XA1400 Series

If you enable Application Telemetry, IPv6 security filter commands and configurations are blocked and not available.

If you enable Application Telemetry, IPv6 security filter commands and configurations are blocked and not available.

If you enable Application Telemetry, IPv6 security filter commands and configurations are supported.

If you enable Application Telemetry, IPv6 security filter commands and configurations are supported.

Application Telemetry and IPv6 filters are not supported

All switches use a filter group as memory to store filter rules. The number of filter groups used can differ:

The switch supports four separate ingress filter groups:

  1. port-based Security ACEs

  2. port-based QoS ACEs

  3. VLAN-based Security ACEs

  4. VLAN-based QoS ACEs

The switch supports two ingress filter groups, where each group is shared by two filter types:

  1. port-based and VLAN-based Security ACEs

  2. port-based and VLAN-based QoS ACEs

The switch supports two ingress filter groups, where each group is shared by two filter types:

  1. port-based and VLAN-based Security ACEs

  2. port-based and VLAN-based QoS ACEs

The switch supports the following ingress filter group:

  • port-based and VLAN-based ACEs

The switch supports one ingress filter group with two filter types:

  1. port-based and VLAN-based Security ACEs

  2. port-based and VLAN-based QoS ACEs

For each ingress packet, a parallel search is performed on each of the four filter groups.

For each ingress packet, a parallel search is performed on each of the two filter groups.

For each ingress packet, a parallel search is performed on each of the two filter groups.

For each ingress packet, a search is performed on the filter group.

For each ingress packet, a search is performed on the filter group.

Table 2. Incoming packet behavior

Filter

VSP 4450 Series

VSP 4900 Series

VSP 7200 Series

VSP 8000 Series

5520 Series

VSP 7400 Series

VSP 8600 Series

XA1400 Series

Can match both port-based and VLAN-based ACL/ACE

Regardless of the type of matching ACEs (Security or QoS), the action of either the highest priority matching ACE or the default action will be performed.

Port-based ACLs have precedence over VLAN-based ACLs. If the matching ACEs are of the same type (both Security or both QoS), then the VLAN-based ACL/ACE is ignored.

Port-based ACLs have precedence over VLAN-based ACLs. If the matching ACEs are of the same type (both Security or both QoS), then the VLAN-based ACL/ACE is ignored.

Port-based ACLs have precedence over VLAN-based ACLs. If a packet matches both a Port-based and a VLAN-based ACL, then the VLAN-based ACL is ignored.

Port-based ACLs have precedence over VLAN-based ACLs. If a packet matches both a Port-based and a VLAN-based ACL, then the VLAN-based ACL is ignored.

Security ACEs have precedence over QoS ACEs. If packets match a Security and a QoS ACE, only the Security action is applied, the QoS action is ignored

Table 3. Action behavior

Filter

VSP 4450 Series

VSP 4900 Series

VSP 7200 Series

VSP 8000 Series

5520 Series

VSP 7400 Series

VSP 8600 Series

XA1400 Series

ACE ID ranges supported

Security ACEs: 1–1000

QoS ACEs: 1001–2000 (IPv4 filters only)

Security ACEs: 1–1000

QoS ACEs: 1001–2000 (IPv4 filters only)

Security ACEs: 1–1000

QoS ACEs: 1001–2000 (IPv4 filters only)

ACEs: 1-1000 support both security and QoS actions.

Security ACEs: 1–1000

QoS ACEs: 1001–2000 (IPv4 filters only)

redirect-next-hop support

Supported in both the Global Routing Table and VRF contexts.

Supported in both the Global Routing Table and VRF contexts.

Supported in both the Global Routing Table and VRF contexts.

Supported in the Global Routing Table only only.

Supported in both the Global Routing Table and VRF contexts.

Table 4. Egress filtering behavior

VSP 4450 Series

VSP 4900 Series

VSP 7200 Series

VSP 8000 Series

5520 Series

VSP 7400 Series

VSP 8600 Series

XA1400 Series

Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs.

Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs.

Configuring an ACE with the ARP operation qualifier is not supported for OutPort ACLs.

Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs.

Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs

The Egress filters do not apply to the mirrored packets.

Table 5. ACL statistics behavior

VSP 4450 Series

VSP 4900 Series

VSP 7200 Series

VSP 8000 Series

5520 Series

VSP 7400 Series

VSP 8600 Series

XA1400 Series

Supports Viewing ACL Statistics by the ACE type Security and QoS.

Supports Viewing ACL Statistics by the ACE type Security and QoS.

Supports Viewing ACL Statistics by the ACE type Security and QoS.

Supports Viewing ACL Statistics by the ACE type QoS.

Supports Viewing ACL Statistics by the ACE type Security and QoS.

For QoS scaling and filter scaling information, see Release Notes for VOSS.