ACL Filters Behavior Differences

The implementation of ACL filters is similar on all switches, but there are some differences, as summarized in the following tables.

Note

The InVSN Filter shares the port-based groups in the following table.

Table 1. Hardware filter engine resources

Platform columns: VSP 4450 Series, VSP 4900 Series, VSP 7200 Series, VSP 8200 Series, VSP 8400 Series, VSP 7400 Series, VSP 8600 Series, XA1400 Series

Application Telemetry and IPv6 security filters (one cell per platform group, left to right):

  • If you enable Application Telemetry, IPv6 security filter commands and configurations are blocked and not available.

  • If you enable Application Telemetry, IPv6 security filter commands and configurations are blocked and not available.

  • If you enable Application Telemetry, IPv6 security filter commands and configurations are supported.

  • If you enable Application Telemetry, IPv6 security filter commands and configurations are supported.

  • Application Telemetry and IPv6 filters are not supported.

Ingress filter groups. All switches use a filter group as memory to store filter rules; the number of filter groups used can differ (one cell per platform group, left to right):

  • The switch supports four separate ingress filter groups:
      1. port-based Security ACEs
      2. port-based QoS ACEs
      3. VLAN-based Security ACEs
      4. VLAN-based QoS ACEs

  • The switch supports two ingress filter groups, where each group is shared by two filter types:
      1. port-based and VLAN-based Security ACEs
      2. port-based and VLAN-based QoS ACEs

  • The switch supports two ingress filter groups, where each type can hold both Security and QoS actions in both the Primary Bank and Secondary Bank ranges.

  • The switch supports the following ingress filter group:
      • port-based and VLAN-based ACEs

  • The switch supports one ingress filter group with two filter types:
      1. port-based and VLAN-based Security ACEs
      2. port-based and VLAN-based QoS ACEs

Ingress lookup (one cell per platform group, left to right):

  • For each ingress packet, a parallel search is performed on each of the four filter groups.

  • For each ingress packet, a parallel search is performed on each of the two filter groups.

  • For each ingress packet, a parallel search is performed on each of the two filter groups.

  • For each ingress packet, a search is performed on the filter group.

  • For each ingress packet, a search is performed on the filter group.

Table 2. Incoming packet behavior

Platform columns: VSP 4450 Series, VSP 4900 Series, VSP 7200 Series, VSP 8200 Series, VSP 8400 Series, VSP 7400 Series, VSP 8600 Series, XA1400 Series

Filter: Can match both port-based and VLAN-based ACL/ACE (one cell per platform group, left to right):

  • Regardless of the type of matching ACEs (Security or QoS), the action of either the highest priority matching ACE or the default action is performed.

  • inVSN ACLs have the highest precedence, followed by inPort ACLs; inVLAN ACLs have the lowest priority. If the matching ACEs are of the same type (Primary or Secondary), the ACE action applied is based on this precedence.

  • Port-based ACLs have precedence over VLAN-based ACLs. If the matching ACEs are of the same type (Primary or Secondary), then the VLAN-based ACL/ACE is ignored.

  • Port-based ACLs have precedence over VLAN-based ACLs. If a packet matches both a port-based and a VLAN-based ACL, then the VLAN-based ACL is ignored.

  • Port-based ACLs have precedence over VLAN-based ACLs. If a packet matches both a port-based and a VLAN-based ACL, then the VLAN-based ACL is ignored.

  • Security ACEs have precedence over QoS ACEs. If a packet matches both a Security and a QoS ACE, only the Security action is applied; the QoS action is ignored.

Table 3. Action behavior

Filter: ACE ID ranges supported

  • VSP 4450 Series, VSP 7200 Series, VSP 8200 Series, XA1400 Series:
      Security ACEs: 1–1000
      QoS ACEs: 1001–2000 (IPv4 filters only)

  • VSP 7400 Series, VSP 4900 Series:
      IPv4 filters support both Security and QoS actions in both Primary Bank and Secondary Bank ranges:
        Primary Bank: 1–1000
        Secondary Bank: 1001–2000
      IPv6 filters:
        ACEs: 1–2000 support both Security and QoS actions

  • VSP 8400 Series:
      IPv4 filters:
        Security ACEs: 1–1000
        QoS ACEs: 1001–2000
      IPv6 filters:
        ACEs: 1–2000 support both Security and QoS actions

  • VSP 8600 Series:
      ACEs: 1–1000 support both Security and QoS actions.

Filter: redirect-next-hop support

  • VSP 4450 Series, VSP 7200 Series, VSP 8200 Series, XA1400 Series: Supported in both the Global Routing Table and VRF contexts.

  • VSP 7400 Series, VSP 4900 Series: Supported in both the Global Routing Table and VRF contexts.

  • VSP 8400 Series: Supported in both the Global Routing Table and VRF contexts.

  • VSP 8600 Series: Supported in the Global Routing Table only.

Table 4. Egress filtering behavior

Platform columns: VSP 4450 Series, VSP 4900 Series, VSP 7200 Series, VSP 8200 Series, VSP 8400 Series, VSP 7400 Series, VSP 8600 Series, XA1400 Series

ARP operation qualifier on OutPort ACLs (one cell per platform group, left to right):

  • Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs.

  • Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs.

  • Configuring an ACE with the ARP operation qualifier is not supported for OutPort ACLs.

  • Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs.

  • Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs.

The egress filters do not apply to mirrored packets.

Table 5. ACL statistics behavior

Platform columns: VSP 4450 Series, VSP 4900 Series, VSP 7200 Series, VSP 8200 Series, VSP 8400 Series, VSP 7400 Series, VSP 8600 Series, XA1400 Series

ACL statistics by ACE type (one cell per platform group, left to right):

  • Supports viewing ACL statistics by the ACE types Security and QoS.

  • Supports viewing ACL statistics by the ACE types Security and QoS.

  • Supports viewing ACL statistics by the ACE types Primary Bank and Secondary Bank.

  • Supports viewing ACL statistics by the ACE type QoS.

  • Supports viewing ACL statistics by the ACE types Security and QoS.

For QoS scaling and filter scaling information, see the VOSS Release Notes.