ACL Filters Behavior Differences

The implementation of ACL filters is similar on all switches, but there are some differences, as summarized in the following tables.

Note

The InVSN Filter shares the port-based groups in the following table.

Table 1. Hardware filter engine resources

Application Telemetry
  VSP 4900 Series: If you enable Application Telemetry, IPv6 security filter commands and configurations are blocked and not available.
  VSP 7400 Series: If you enable Application Telemetry, IPv6 security filter commands and configurations are supported.

Filter groups
  All switches use a filter group as memory to store filter rules. The number of filter groups used can differ:
  VSP 4900 Series: The switch supports two ingress filter groups, where each group is shared by two filter types:
    1. port-based and VLAN-based Security ACEs
    2. port-based and VLAN-based QoS ACEs
  VSP 7400 Series: The switch supports two ingress filter groups, where each type can hold both Security and QoS actions in both Primary Bank and Secondary Bank ranges.
  For each ingress packet, a parallel search is performed on each of the two filter groups.

Table 2. Incoming packet behavior

Filter: Can match both port-based and VLAN-based ACL/ACE
  VSP 4900 Series: inVSN ACLs have the highest precedence, followed by inPort ACLs; inVLAN ACLs have the lowest precedence. If the matching ACEs are of the same type (Primary or Secondary), the ACE action applied is based on this precedence.
  VSP 7400 Series: Port-based ACLs have precedence over VLAN-based ACLs. If the matching ACEs are of the same type (Primary or Secondary), the VLAN-based ACL/ACE is ignored.

Table 3. Action behavior

Filter: ACE ID ranges supported
  VSP 4900 Series:
    IPv4 filters:
      Security ACEs: 1–1000
      QoS ACEs: 1001–2000
    IPv6 filters:
      ACEs: 1–2000 support both Security and QoS actions
  VSP 7400 Series:
    IPv4 filters support both Security and QoS actions in both Primary Bank and Secondary Bank ranges:
      Primary Bank: 1–1000
      Secondary Bank: 1001–2000
    IPv6 filters:
      ACEs: 1–2000 support both Security and QoS actions

Filter: redirect-next-hop support
  VSP 4900 Series: Supported in both the Global Routing Table and VRF contexts.
  VSP 7400 Series: Supported in both the Global Routing Table and VRF contexts.

Table 4. Egress filtering behavior

ARP operation qualifier on OutPort ACLs
  VSP 4900 Series: Configuring an ACE with the ARP operation qualifier is supported for OutPort ACLs.
  VSP 7400 Series: Configuring an ACE with the ARP operation qualifier is not supported for OutPort ACLs.

Table 5. ACL statistics behavior

Viewing ACL statistics
  VSP 4900 Series: Supports viewing ACL statistics by the ACE type Security and QoS.
  VSP 7400 Series: Supports viewing ACL statistics by the ACE type Primary Bank and Secondary Bank.

For QoS scaling and filter scaling information, see VOSS Release Notes.