The implementation of ACL filters is similar in all VOSS switches but there are some differences as summarized in the following tables.
Note
The InVSN Filter shares the port-based groups in the following table.
VSP 4450 Series |
VSP 4900 Series VSP 7200 Series VSP 8000 Series |
5520 Series VSP 7400 Series |
VSP 8600 Series |
XA1400 Series |
---|---|---|---|---|
If you enable Application Telemetry, IPv6 security filter commands and configurations are blocked and not available. |
If you enable Application Telemetry, IPv6 security filter commands and configurations are blocked and not available. |
If you enable Application Telemetry, IPv6 security filter commands and configurations are supported. |
If you enable Application Telemetry, IPv6 security filter commands and configurations are supported. |
Application Telemetry and IPv6 filters are not supported |
All switches use a filter group as memory to store filter rules. The number of filter groups used can differ: |
||||
The switch supports four separate ingress filter groups:
|
The switch supports two ingress filter groups, where each group is shared by two filter types:
|
The switch supports two ingress filter groups, where each group is shared by two filter types:
|
The switch supports the following ingress filter group:
|
The switch supports one ingress filter group with two filter types:
|
For each ingress packet, a parallel search is performed on each of the four filter groups. |
For each ingress packet, a parallel search is performed on each of the two filter groups. |
For each ingress packet, a parallel search is performed on each of the two filter groups. |
For each ingress packet, a search is performed on the filter group. |
For each ingress packet, a search is performed on the filter group. |
Filter |
VSP 4450 Series |
VSP 4900 Series VSP 7200 Series VSP 8000 Series |
5520 Series VSP 7400 Series |
VSP 8600 Series |
XA1400 Series |
---|---|---|---|---|---|
Can match both port-based and VLAN-based ACL/ACE |
Regardless of the type of matching ACEs (Security or QoS), the action of either the highest priority matching ACE or the default action will be performed. |
Port-based ACLs have precedence over VLAN-based ACLs. If the matching ACEs are of the same type (both Security or both QoS), then the VLAN-based ACL/ACE is ignored. |
Port-based ACLs have precedence over VLAN-based ACLs. If the matching ACEs are of the same type (both Security or both QoS), then the VLAN-based ACL/ACE is ignored. |
Port-based ACLs have precedence over VLAN-based ACLs. If a packet matches both a Port-based and a VLAN-based ACL, then the VLAN-based ACL is ignored. |
Port-based ACLs have precedence over VLAN-based ACLs. If a packet matches both a Port-based and a VLAN-based ACL, then the VLAN-based ACL is ignored. Security ACEs have precedence over QoS ACEs. If packets match a Security and a QoS ACE, only the Security action is applied, the QoS action is ignored |
Filter |
VSP 4450 Series |
VSP 4900 Series VSP 7200 Series VSP 8000 Series |
5520 Series VSP 7400 Series |
VSP 8600 Series |
XA1400 Series |
---|---|---|---|---|---|
ACE ID ranges supported |
Security ACEs: 1–1000 QoS ACEs: 1001–2000 (IPv4 filters only) |
Security ACEs: 1–1000 QoS ACEs: 1001–2000 (IPv4 filters only) |
Security ACEs: 1–1000 QoS ACEs: 1001–2000 (IPv4 filters only) |
ACEs: 1-1000 support both security and QoS actions. |
Security ACEs: 1–1000 QoS ACEs: 1001–2000 (IPv4 filters only) |
redirect-next-hop support |
Supported in both the Global Routing Table and VRF contexts. |
Supported in both the Global Routing Table and VRF contexts. |
Supported in both the Global Routing Table and VRF contexts. |
Supported in the Global Routing Table only only. |
Supported in both the Global Routing Table and VRF contexts. |
VSP 4450 Series |
VSP 4900 Series VSP 7200 Series VSP 8000 Series |
5520 Series VSP 7400 Series |
VSP 8600 Series |
XA1400 Series |
---|---|---|---|---|
Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs. |
Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs. |
Configuring an ACE with the ARP operation qualifier is not supported for OutPort ACLs. |
Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs. |
Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs The Egress filters do not apply to the mirrored packets. |
VSP 4450 Series |
VSP 4900 Series VSP 7200 Series VSP 8000 Series |
5520 Series VSP 7400 Series |
VSP 8600 Series |
XA1400 Series |
---|---|---|---|---|
Supports Viewing ACL Statistics by the ACE type Security and QoS. |
Supports Viewing ACL Statistics by the ACE type Security and QoS. |
Supports Viewing ACL Statistics by the ACE type Security and QoS. |
Supports Viewing ACL Statistics by the ACE type QoS. |
Supports Viewing ACL Statistics by the ACE type Security and QoS. |
For QoS scaling and filter scaling information, see Release Notes for VOSS.