This section lists known restrictions and expected behaviors that may at first appear to be issues.
ACL: Incoming packets must be tagged to hit an ACE of a port-based ACL that contains a VLAN-based qualifier (such as vlan-id or vlan-tag-prio). Untagged packets do not match such an ACE.
ACL: InVlan ACLs can match tagged or untagged traffic; for an untagged incoming packet, the port-default VLAN is considered. However, if an ACE of an InVlan ACL contains the vlan-tag-prio qualifier, that ACE matches only tagged traffic, not untagged traffic.
ACL: OutPort ACLs cannot match on fields that are rewritten during the forwarding decision. Fields that Layer 3 routing modifies (destination MAC, source MAC, VLAN ID, and so on) therefore cannot be used to match on their new contents in the outgoing packet.
ACL: OutPort ACLs cannot match on a destination port that is a member of an MLT. So if port 1/5 is a member of an MLT (static or via LACP), an ACE of an outPort ACL with member port 1/5 is never hit.
ACL: In an outPort ACL, ACEs containing Layer 3 qualifiers are hit only for packets that are routed. Qualifiers such as src-ip and dst-ip (in the filter acl ace ip <acl> <ace> command) therefore do not work for Layer 2 switched packets.
ACL: Each filter member port uses a separate TCAM entry, which affects the overall ACE scaling number. For example, an inPort ACL with 5 member ports and one ACE configured uses 10 TCAM entries (at least 5 for the user ACE and 5 for the default ACE).
ACL: For outPort ACLs, the ethertype qualifier uses two TCAM entries internally instead of one (one for single-tagged packets and one for untagged packets). Packets with multiple tags are unsupported because the Ethertype field of such packets cannot be matched. If the ACE also contains a VLAN qualifier (for example, vlan-id or vlan-tag-prio), the entry for untagged packets is not created, so a single TCAM entry that matches tagged packets alone is used. This affects the overall ACE scaling number.
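The two scaling items above are easy to misapply when budgeting TCAM, so the following estimator is added here as a worked example. It is not Extreme Networks code and is not taken from the VOSS documentation; it models the rules stated above for port-based ACLs only. Its assumptions are labelled in the comments: every ACE, user or default, costs one entry per member port; in an outPort ACL an ACE carrying the ether-type qualifier (the CLI name used here for the page's "ethertype qualifier") costs two entries per member port unless it also carries a VLAN qualifier; the default ACE is never doubled; and inVlan ACLs are not modelled because the page states the rule only for member ports. The Ace and Acl classes and the function names are this example's own.

```python
# Added example (not Extreme Networks code): estimate the TCAM entries that a
# port-based VOSS ACL consumes, following the two scaling notes above.
# Assumptions, because the page does not spell them out:
#   - every ACE (user or default) costs one entry per member port;
#   - in an outPort ACL, an ACE with the ether-type qualifier costs two entries
#     per member port unless it also carries a VLAN qualifier;
#   - the default ACE is never doubled;
#   - inVlan ACLs are not modelled (the page states the rule for member ports).
from dataclasses import dataclass, field

VLAN_QUALIFIERS = {"vlan-id", "vlan-tag-prio"}
PORT_QUALIFIERS = {"port"}


@dataclass
class Ace:
    name: str
    qualifiers: frozenset = frozenset()   # e.g. frozenset({"ether-type", "vlan-id"})


@dataclass
class Acl:
    acl_type: str        # "inPort" or "outPort" (hypothetical model, port-based only)
    member_ports: int    # number of filter member ports
    aces: list = field(default_factory=list)


def entries_per_port(acl_type: str, ace: Ace) -> int:
    """TCAM entries one user ACE needs on a single member port."""
    if acl_type not in ("inPort", "outPort"):
        raise ValueError(f"only port-based ACLs are modelled, got {acl_type!r}")
    if ace.qualifiers & PORT_QUALIFIERS:
        # Port qualifiers are not permitted in ACEs of port-based ACLs.
        raise ValueError(f"ACE {ace.name!r}: port qualifier not allowed in a {acl_type} ACL")
    if acl_type == "outPort" and "ether-type" in ace.qualifiers:
        # One entry for single-tagged and one for untagged packets, unless a
        # VLAN qualifier restricts the ACE to tagged traffic only.
        return 1 if ace.qualifiers & VLAN_QUALIFIERS else 2
    return 1


def tcam_entries(acl: Acl) -> int:
    """Total TCAM entries: (user ACE entries + 1 default ACE entry) x member ports."""
    per_port = sum(entries_per_port(acl.acl_type, ace) for ace in acl.aces) + 1
    return per_port * acl.member_ports


if __name__ == "__main__":
    # The page's own example: inPort ACL, 5 member ports, one ACE -> 10 entries.
    print(tcam_entries(Acl("inPort", 5, [Ace("permit-mgmt")])))
    # outPort, 2 member ports: ether-type alone doubles the user ACE (6 entries);
    # adding vlan-id drops the untagged entry again (4 entries).
    print(tcam_entries(Acl("outPort", 2, [Ace("arp", frozenset({"ether-type"}))])))
    print(tcam_entries(Acl("outPort", 2, [Ace("arp", frozenset({"ether-type", "vlan-id"}))])))
```

Run it directly to see the three totals; the doubling rule is applied only in the outPort direction, so the same ether-type ACE in an inPort ACL still costs one entry per member port.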
ACL: When a packet can match ACEs in both an inPort ACL and an inVlan ACL, the ACEs take precedence in the following order (highest first):
1. User ACE of InPort ACL
2. User ACE of InVlan ACL
3. Default ACE of InPort ACL
4. Default ACE of InVlan ACL
Note: If a packet matches a user ACE in both an inPort and an inVlan ACL, the inVlan ACL is ignored. If a packet matches a user ACE in an inVlan ACL and only the default ACE of an inPort ACL, the user ACE in the inVlan ACL is hit and the inPort ACL is ignored.
ACL: The monitor actions (monitor-dst-port and monitor-dst-mlt) are not supported for outPort ACLs; they apply only to ingress ACLs (inPort or inVlan). For flow-based mirroring, configure these monitor actions at the ACE level.
ACE: When an ACE with action count is disabled, the statistics associated with the ACE are reset.
For ACEs of port-based ACLs, you can configure VLAN qualifiers. Configuring port qualifiers is not permitted.
For ACEs of VLAN-based ACLs, you can configure port qualifiers. Configuring VLAN qualifiers is not permitted.
Note the following VSP 8600 filter restrictions:
VSP 8600 does not support the following qualifiers in the egress direction (outPort). Ingress support (inVlan and inPort) for these qualifiers is available:
arprequest and arpresponse
ip-frag-flag
tcp-flags
The ip-options qualifier is not supported.
The QoS ACE action remark-dot1p on ingress (for port and VLAN ACLs) is not supported.
For more information, see VOSS User Guide.