Layer 3 ACL configuration guidelines

We present configuration guidelines for all ACLs, then for Layer 3 ACLs, then for L3 ACLs applied to a user interface, then for ACLs applied to the management interface, and then guidelines for receive-path ACLs (rACLs).

The following guidelines are for all ACLs:

Guidelines for all Layer 3 ACLs

(All supported devices) In addition to the guidelines that apply to all ACLs, the following guidelines are relevant for Layer 3 ACLs:
  • In ingress Layer 3 ACLs, hard-drop rules affect control protocol and MY IP packets.
  • On Management interfaces, a hard-drop works the same as a denyaction.
  • Although L3 ACL deny rules do not drop protocol packets, best practice is to define an explicit permit rule for needed protocols.
(SLX 9150, and SLX 9250 devices) The following additional guidelines are relevant for Layer 3 ACLs:
  • For tunnel-termination cases, ingress ACLs are applicable for inner headers.
  • For tunnel-origination cases, egress ACLs are applicable for outer headers.
(SLX 9540 and SLX 9640 devices) The following additional guidelines are relevant for Layer 3 ACLs:
  • In egress Layer 3 ACLs, deny and hard-drop rules do not affect control protocol and MY IP packets.
    Note

    Note

    Due to hardware limitations, the IPv6 destination address for ingress ACL are not supported on all SLX devices.

Guidelines for Layer 3 ACLs applied to user interfaces

(All supported devices) In addition to the previous guidelines, the following guidelines are relevant for Layer 3 ACLs applied to user interfaces:
  • There is an implicit "deny" rule at the end of every Layer 3 ACL applied to a user interface. This denies all L3 streams that do not match any of the configured rules in the ACL.
  • Traffic generated by the CPU—for example, echo request packets—are not filtered by egress IPv4 ACLs.
(SLX 9540 and SLX 9640 devices) In addition to the previous guidelines, the following guidelines are relevant for Layer 3 ACLs applied to user interfaces:
  • Egress IPv4 ACLs are applicable only for routed traffic.

Guidelines for ACLs applied to the management interface

The following protection guards against malicious ICMP timestamp requests (icmp-type 13):
  • ICMP timestamp requests and responses are dropped by default.
  • If an ACL with a permit icmp any any rule is applied to the management interface, such a rule permits ICMP timestamp requests. However, ICMP timestamp responses are blocked.

The following additional guidelines are relevant for Layer 3 ACLs applied to the management interface:

If no ACLs are applied to the device management interface, ICMP pings are allowed. In addition, the following default rules are effective:
  • seq 0 permit tcp any any eq 22
  • seq 1 permit tcp any any eq 23
  • seq 2 permit tcp any any eq 80
  • seq 3 permit tcp any any eq 443
  • seq 4 permit udp any any eq 161
  • seq 5 permit udp any any eq 123
  • seq 6 permit tcp any any range 600-65535
  • seq 7 permit udp any any range 600-65535

Guidelines for rACLs

(All supported devices) The following additional guidelines are relevant for all receive-path ACLs (rACLs):
  • Interface ACLs and rACLs share the same resource (database-table).
  • In all rACLs, explicit and implicit rules are processed in the following order:
    1. Explicit rules, in an order determined by their seq numbers.
    2. An implicit deny any my-ip rule that affects all other CPU-bound traffic.
  • Under inband management, you need to include permit rules for your telnet/SSH access to the device.
(SLX 9150, and SLX 9250 devices) The following additional guidelines are relevant for all receive-path ACLs (rACLs):
  • IPv4 rACLs apply to multicast datapath traffic only if multicast destination-IPs are explicitly specified in rules.
  • In an IPv4 rACL rule, if a destination IP is not specified, my-ip (IP addresses configured on any Layer 3 interface) is interpreted as the destination IP. Such rules do not filter multicast traffic.
  • Multicast traffic is first filtered by rACLs, then by interface ACLs.
(SLX 9540 and SLX 9640 devices) The following additional guidelines are relevant for all receive-path ACLs (rACLs):
  • rACLS are supported only for unicast, routed traffic.
  • In an IPv4 rACL rule, if a destination IP is not specified, matches apply to all IP addresses configured on the device.
(All supported devices) The following guidelines are relevant for multiple rACLs:
  • Multiple rACLs are supported only in the default TCAM profile.
  • You can apply a maximum of 400 receive-path ACLs to a device, as follows:
    • 200 IPv4 receive-path ACLs
    • 200 IPv6 receive-path ACLs
  • Supported sequence numbers for rACLs range from 1 through 2047.
  • If you apply an rACL to a device without specifying a sequence number, numbers are assigned automatically, as follows:
    • The first rACL applied to the device is assigned 10.
    • Each additional rACL applied is assigned an increment of 10 above the highest applied sequence number.

The following table compares the effect of deny or hard-drop rACL matches for different types of packets.

Table 1. Effect of deny and hard-drop matches on different packet types
Packet type Deny or hard-drop match

Control packets

Not dropped

Data packets

NA

My IP packets (incl. ICMP, control or data)

Dropped