Interface ACLs and rACLs

Layer 3 ACLs applied at global configuration level to filter CPU-bound traffic are called receive-path ACLs or rACLs. All other ACLs discussed in this section are applied to an interface (including a VLAN or VE) and can be referred to as interface ACLs.

Traffic entering a device can be divided into two categories:

- Datapath traffic, which is forwarded through the device and leaves on another interface.
- CPU-bound traffic, which is destined for the device itself (management sessions, routing-protocol packets and other control-plane traffic) and is punted to the CPU.

Rules in an ACL applied to an interface filter all traffic entering or exiting that interface, both datapath traffic and CPU-bound traffic.

Rules in an rACL, applied at global configuration level, primarily filter CPU-bound traffic. Implementing rACLs offers the following advantages:

- A single rACL protects the CPU on every interface, so rules that guard the control plane do not have to be repeated in each interface ACL.
- rACLs also support filtering multicast datapath traffic, which offers an alternative to applying ACLs containing multicast rules to all device interfaces.

When ACLs of multiple types are applied, processing priority is as follows: bACLs > rACLs > PBR > Layer 3 ACLs > Layer 2 ACLs. However, if any applied filter matches the packet with a deny action, the packet is dropped irrespective of that priority. In other words, a packet must be permitted by every ACL that applies to it before it is forwarded or delivered to the CPU; the priority order never lets a permit in one ACL override a deny in another.
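The following is an added illustration of an rACL that protects the control plane; it is not configuration from this page or from the vendor's guide. The command forms (`ip access-list extended`, `seq ... permit|deny ... count`, `ip receive access-group`) are written as I recall them for this family of devices and are an assumption to be checked against your release; the ACL name, subnet and ports are constructed for the example.

```text
! Added example, not from the original page. Syntax is assumed; verify it
! against your release before use. Names and addresses are constructed.

ip access-list extended RACL_CPU_V4
 ! 1. Control-plane protocols the device must keep receiving.
 !    Treat the rACL as ending in an implicit deny: if these permits are
 !    missing, the rACL silently drops your own BGP sessions along with
 !    attacker traffic.
 seq 10  permit tcp any any eq 179            ! BGP peering
 ! 2. Management reachable only from the trusted management subnet.
 seq 20  permit tcp 10.20.0.0/24 any eq 22    ! SSH
 seq 30  permit udp 10.20.0.0/24 any eq 161   ! SNMP polling
 seq 40  permit icmp any any                  ! keep ping and PMTUD working
 ! 3. Explicit catch-all with a counter, so CPU-bound drops are visible
 !    in the ACL statistics instead of disappearing into the implicit deny.
 seq 100 deny ip any any count
!
! Apply once, at global configuration level: this filters traffic punted
! to the CPU from every interface, with no per-interface ACL needed.
ip receive access-group RACL_CPU_V4
```

Two practical checks before applying something like this: add a permit for every routing or first-hop protocol the device actually runs (OSPF, BFD, VRRP and so on), and remember that interface ACLs on the same box still see the CPU-bound traffic as well, so a deny in either the rACL or an interface ACL drops the packet regardless of the processing priority above. Watch the counter on the final deny after deployment; a sudden rise is either a lockout in progress or a control-plane flood, and both deserve a look.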

To implement rACLs, refer to Implementation flows for rACLs and interface ACLs.

Otherwise, continue with ACLs applied to interfaces.