Egress ACLs

Each of the four egress slices can be configured to one of the three combinations below. The rules that can be installed into a particular slice should be a subset of the combination to which that slice is configured.

The following are available combinations:
  • Combination 1:

    <vlan-id, ethernet-source-address, ethernet-destination-address, ethernet-type>

  • Combination 2:

    <vlan-id, diffserv-codepoint/ip-tos, destination-address, source-address, protocol, destination-port, source-port, tcp-flags>

  • Combination 3:

    <vlan-id, ip-tos, destination-address<ipv6>, source-address<ipv6>, protocol>

Use the the tables inCompatible and Conflicting Rules to determine which ACL (Access Control List) entries are compatible. If the entries are compatible, they can be on the same slice.

For example, the earlier example entries are applied to ports:

entry ex_A {
	if {
		source-address 10.10.10.0/24 ;
		destination-port 23 ;
		protocol tcp ;
	} then {
		deny ;
	}
}
entry ex_B {
	if {
		destination-address 192.168.0.0/16 ;
		source-port 1000 ;
	} then {
		deny ;
	}
}

Entry ex_A consists of the following conditions (using the abbreviations from the following table), SIP, L4DP, and IP-Proto. Entry ex_B is DIP, L4SP. Since they are applied to ports, the selector for Field 1 is Port-list (the first item). The selector for Field 2 would be the first item, and Field 3 could be any item.

Our other example entries are also compatible with the entries ex_A and ex_B:

entry one {
	if {
		source-address 10.66.10.0/24 ;
		destination-port 23 ;
		protocol tcp ;
	} then {
		deny ;
	}
}
entry two {
	if {
		destination-address 192.168.0.0/16 ;
		source-port 1000 ;
	} then {
		deny ;
	}
}
entry three {
	if {
		source-address 10.5.2.246/32 ;
		destination-address 10.0.1.16/32 ;
		protocol udp ;
		source-port 100 ;
		destination-port 200 ;
	} then {
		deny ;
	}
}

Entry one is SIP, L4DP, and IP-Proto; entry two is DIP, and L4SP; entry three is SIP, DIP, IP-Proto, L4SP, and L4DP. All of these examples can use the first item in Field 2 in the tables.

However, if we add the following entry:

entry alpha {
	if {
		ethernet-destination-address 00:e0:2b:11:22:33 ;
	} then {
		deny ;
	}
}

This will not be compatible with the earlier one. Entry alpha is MACDA, and there is no MACDA in the first item for Field 2. Any entry with MACDA will have to use selector 7 or 8 from the following table (or 6 or 7 from the following table, depending on the platform). If an entry requires choosing a different selector from the table, it is not compatible and must go into a different slice.