Access Control List (ACL) Two-Stage Policy

This feature exposes the VLAN Content Aware Processor/VLAN Filter Processor (VCAP/VFP) using the ExtremeXOS Access Control List (ACL) manager.

The VCAP/VFP filters packets before the ingress (IFP) stage. It can assign the VLAN, set a class ID, or perform other traditional ACL actions such as drop or count. In general, this stage's scale, actions, and match criteria are more limited than those of the ingress stage.

Supported Platforms

  • BlackDiamond X8 and BlackDiamond 8800 series switches
  • Summit X770, X670, X670-G2, X480, X460, X460-G2, and X450-G2 series switches
  • E4G-200 and E4G-400 cell site routers

Limitations

  • The VFP match criteria, scale, and actions are more limited than those of the regular ingress ACLs, the Ingress Content Aware Processor/Ingress Filter Processor (ICAP/IFP).
  • Rule actions in the VFP can be overridden by rule actions in the IFP.
  • Packets are always presented to the IFP even when the VFP drops the packet; an IFP rule can therefore still match, and act on, a packet the VFP has dropped.
  • The vlan-id match criterion only matches packets received with an 802.1Q tag; untagged packets never match it.

New CLI Commands

New ACL action modifier:

class-id value 0-4095

This action can be specified on any rule within a policy file or within a list of dynamic access-lists. When specified, this action signifies that the rule is installed in the “LOOKUP stage” access-list resource (VFP).

New ACL match criteria:

class-id value 0-4095

This match condition can be specified on any rule within a policy file or within a list of dynamic access-lists. A rule cannot both match a class-id and specify a class-id as an action. When a “class-id” match criteria is specified, the associated rule is programmed into the normal “INGRESS stage” access-list hardware resource (IFP).
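The following policy file is an added example (not from the original release note or from Extreme Networks) that puts the two stages together: entries whose action sets a class-id land in the VFP, and entries that match on class-id land in the IFP. The entry names, VLAN IDs, class IDs, addresses and counters are assumptions chosen for illustration; the entry/if/then syntax and the deny, permit, count, protocol, destination-address and destination-port keywords are standard ExtremeXOS policy syntax.

```text
# two_stage.pol - illustrative two-stage ACL policy (example, not shipped code).
# Entry names, VLAN IDs, class IDs and addresses are assumptions for this example.

# ---- Stage 1: entries with a class-id ACTION are installed in the VFP (LOOKUP stage) ----

# Classify tagged guest traffic (VLAN 100) as class 10.
# vlan-id only matches 802.1Q-tagged frames; untagged frames never hit this entry.
entry vfp_classify_guest {
    if {
        vlan-id 100;
    } then {
        class-id 10;
        count guest_tagged;
    }
}

# Classify tagged management traffic (VLAN 200) as class 20.
entry vfp_classify_mgmt {
    if {
        vlan-id 200;
    } then {
        class-id 20;
    }
}

# ---- Stage 2: entries with a class-id MATCH are installed in the IFP (INGRESS stage) ----

# Guest class may not reach the management network at all.
entry ifp_guest_to_mgmt {
    if {
        class-id 10;
        destination-address 10.200.0.0/16;
    } then {
        deny;
        count guest_to_mgmt_drop;
    }
}

# Management class is allowed only SSH into the management network.
entry ifp_mgmt_ssh {
    if {
        class-id 20;
        protocol tcp;
        destination-address 10.200.0.0/16;
        destination-port 22;
    } then {
        permit;
    }
}

# Anything else from the management class toward that network is dropped.
entry ifp_mgmt_other {
    if {
        class-id 20;
        destination-address 10.200.0.0/16;
    } then {
        deny;
        count mgmt_other_drop;
    }
}

# NOT allowed: one entry cannot both match a class-id and set a class-id.
# entry invalid_rule {
#     if { class-id 10; } then { class-id 30; }
# }
```

Two points follow from the limitations above. First, because every packet is still presented to the IFP and IFP actions can override VFP actions, the security decision (the deny) is placed in the IFP entries and the VFP entries only classify; a deny in a VFP entry could be overridden by a later permit in the IFP. Second, the VLAN-based classification only fires for tagged frames, so untagged traffic arriving on the same port is not assigned class 10 or 20 and falls through to whatever other IFP entries exist; a practitioner should add an explicit catch-all for it rather than assume it was covered.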