Feature Description

Rules in the first classifier are set up with an action that sets the class_id. Rules in the second classifier are set up to use the class_id as the key for matching the identity-specific policies. The class_id, the attribute shared by the two classifiers/tables, uniquely identifies the role of the identity.

This feature introduces one new ACL (Access Control List) action modifier that sets the class-id in the first stage, which is then carried as input into the second stage. It also introduces one new ACL match criterion for matching that class-id within the second stage.
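The following pair of policy-file fragments is a constructed illustration of the two-stage model described above; it is not taken from the original page or from Extreme Networks documentation. The entry names, MAC address, prefix, class-id values and qosprofile name are assumed sample values, and the command used to bind each policy to its stage is not shown. The first stage only classifies (it sets class-id), while the second stage matches on class-id alone and carries the actual permit/deny and QoS decisions, so an identity's role is defined once and reused by every second-stage rule.

```text
# stage1_roles.pol (constructed example): first-stage ACL, lands in the
# "Stage: LOOKUP" table. Each entry identifies who the traffic belongs to
# and records that as a class-id; no forwarding decision is made here.
entry role_admin {
    if {
        ethernet-source-address 00:11:22:33:44:55;   # constructed sample MAC
    } then {
        class-id 10;          # assumption: 10 represents the "admin" role
        count admin_seen;
    }
}
entry role_guest {
    if {
        source-address 192.0.2.0/24;   # constructed sample prefix (TEST-NET-1)
    } then {
        class-id 20;          # assumption: 20 represents the "guest" role
    }
}
entry role_unknown {
    if {
    } then {
        class-id 99;          # assumption: 99 = identity not recognized
    }
}

# stage2_policies.pol (constructed example): second-stage ACL, lands in the
# "Stage: INGRESS" table. class-id is the only identity key needed here, so
# the role-specific rules never repeat MAC or IP details.
entry admin_any {
    if {
        class-id 10;
    } then {
        permit;
        qosprofile qp7;       # a qosprofile here overrides any set in stage one
    }
}
entry guest_no_ssh {
    if {
        class-id 20;
        protocol tcp;
        destination-port 22;  # single port: L4 ranges belong in this stage only
    } then {
        deny;
        count guest_ssh_blocked;
    }
}
entry guest_other {
    if {
        class-id 20;
    } then {
        permit;
    }
}
entry unknown_deny {
    if {
        class-id 99;
    } then {
        deny;                 # unrecognized identities get nothing by default
        count unknown_blocked;
    }
}
```

The catch-all role_unknown entry and the matching unknown_deny entry are the part worth keeping in any real deployment: without them, traffic from an identity that matches no first-stage rule carries no class-id at all and is handled by whatever second-stage rules do not key on class-id, which is easy to overlook when the policies are reviewed separately.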

When a rule is installed in the first stage ACL table, it is accounted for in the "Stage: LOOKUP" section of show access-list usage acl-slice port. When a rule is installed in the second stage ACL table, it is accounted for in the "Stage: INGRESS" section of this command. For example:

X460G2-48x-10G4.9 # show access-list usage acl-slice port 1
Ports 1-54
Stage: INGRESS
Slices:          Used: 0  Available: 16
Virtual Slice  * (physical slice  0) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice  1) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice  2) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice  3) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice  4) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice  5) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice  6) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice  7) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice  8) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice  9) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice 10) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice 11) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice 12) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice 13) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice 14) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice 15) Rules:   Used:      0  Available:    256
Stage: EGRESS
Slices:          Used: 0  Available: 4
Virtual Slice  * (physical slice  0) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice  1) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice  2) Rules:   Used:      0  Available:    256
Virtual Slice  * (physical slice  3) Rules:   Used:      0  Available:    256
Stage: LOOKUP
Slices:          Used: 0  Available: 4
Virtual Slice  * (physical slice  0) Rules:   Used:      0  Available:    512
Virtual Slice  * (physical slice  1) Rules:   Used:      0  Available:    512
Virtual Slice  * (physical slice  2) Rules:   Used:      0  Available:    512
Virtual Slice  * (physical slice  3) Rules:   Used:      0  Available:    512
Stage: EXTERNAL

Virtual Slice :  (*) Physical slice not allocated to any virtual slice.
X460G2-48x-10G4.10 #

Limitations

  • The second stage ACL will always override any qosprofile set in the first stage.
  • A first stage ACL rule will not work for untagged traffic when "vlan-id" is used as a matching condition or when the rule is applied to a VLAN.
  • Matching "arp-sender-address" OR "arp-target-address" in the first stage ACL is not supported. However, matching both conditions is supported on select platforms.
  • L4 port ranges are not supported in the first stage ACL.

First Stage ACL Supported Actions

| Platform | Permit | Deny | Count | Replace-dot1p-value | qosprofile | Replace-dot1p |
|---|---|---|---|---|---|---|
| Summit X450-G2 | Y | Y | Y | Y | Y | Y |
| Summit X460-G2 | Y | Y | Y | Y | Y | Y |
| Summit X670-G2 | Y | Y | Y | Y | Y | Y |
| Summit X770 | Y | Y | Y | Y | Y | Y |
| ExtremeSwitching X440G2 | Y | Y | N | Y | Y | Y |
| ExtremeSwitching X620 | Y | Y | N | Y | Y | Y |
| ExtremeSwitching X870 | Y | Y | Y | Y | Y | Y |