ACL Style Policy

Traditional ONEPolicy architecture uses a hierarchical approach to rule precedence, where rule type dictates precedence. In addition, rule look-ups occur per role, per action type. This means, for example, that triggering a forward/drop rule without an explicit Class of Service (CoS) action results in applying the forward/drop action, and then continuing the search until a rule with a CoS action matches. This hierarchical approach is implemented in hardware by maintaining one list for forward/drop actions, and one list for CoS actions. This implementation often results in underused resources, because not every rule has both forward/drop and CoS actions.

ACL Style Policy is a mode of operation that maintains a single ordered list per role. Rule look-ups occur in the provided ACL order per role. A match applies all actions specified, and the search stops. This approach can potentially double the advertised scale of classification rules as compared to the traditional model. It also provides a more standard approach to policy classification rules.
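The difference between the two look-up models matters when an existing rule set is carried over unchanged. The following Python sketch is an added example, not ExtremeXOS code: it models both look-ups and reports sample packets whose result changes. The rule names, match conditions, packets, and the use of list order as hierarchical precedence are constructed assumptions, and a result of None only means that no matched rule supplied that action.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]
    fwd: Optional[str] = None   # "forward", "drop", or None if the rule has no such action
    cos: Optional[int] = None   # CoS value, or None if the rule has no CoS action

def hierarchical_lookup(rules, pkt):
    """Traditional model: one search per action type (list order stands in for precedence)."""
    fwd = next((r.fwd for r in rules if r.fwd is not None and r.match(pkt)), None)
    cos = next((r.cos for r in rules if r.cos is not None and r.match(pkt)), None)
    return fwd, cos

def acl_lookup(rules, pkt):
    """ACL Style: single ordered list; first match applies all its actions, search stops."""
    for r in rules:
        if r.match(pkt):
            return r.fwd, r.cos
    return None, None

def divergent(hier_rules, acl_rules, packets):
    """Names of sample packets whose result differs between the two models."""
    return [name for name, p in packets.items()
            if hierarchical_lookup(hier_rules, p) != acl_lookup(acl_rules, p)]

# Constructed match conditions, rules and packets (not from a real configuration).
is_ssh = lambda p: p["proto"] == "tcp" and p["dport"] == 22
in_10 = lambda p: ip_address(p["src"]) in ip_network("10.0.0.0/8")
any_ip = lambda p: True

RULES = [Rule("ssh", is_ssh, fwd="forward"),
         Rule("net10", in_10, cos=5),
         Rule("default", any_ip, fwd="drop")]

# Same intent rewritten for first-match semantics: overlaps are made explicit.
ACL_RULES = [Rule("ssh+net10", lambda p: is_ssh(p) and in_10(p), fwd="forward", cos=5),
             Rule("ssh", is_ssh, fwd="forward"),
             Rule("net10", in_10, fwd="drop", cos=5),
             Rule("default", any_ip, fwd="drop")]

PACKETS = {"ssh_from_10": {"proto": "tcp", "dport": 22, "src": "10.1.1.1"},
           "dns_from_10": {"proto": "udp", "dport": 53, "src": "10.1.1.1"},
           "ssh_from_192": {"proto": "tcp", "dport": 22, "src": "192.0.2.7"},
           "dns_from_192": {"proto": "udp", "dport": 53, "src": "192.0.2.7"}}

if __name__ == "__main__":
    print("copied as-is:", divergent(RULES, RULES, PACKETS))
    print("rewritten:   ", divergent(RULES, ACL_RULES, PACKETS))
```

With the rules copied as-is, the SSH packet from 10.1.1.1 loses its CoS marking and the DNS packet from 10.1.1.1 no longer reaches the drop rule, because the first match ends the search.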

The default policy rule-model is hierarchical, unless you are upgrading from ExtremeXOS 30.5 with a saved configuration that is set to access list.

For information about configuring ACL Style Policy, see Configuring ACL Style Policy.

Limitations

SNMP for configuration of ACL Style Policy classification rules is not supported.

Traditional Versus ACL Style Policy Classification Rule Scaling

The following table compares the overall classification rule scale between "traditional" and ACL Style policy:

Table 1. Traditional Versus ACL Style Policy Classification Rule Scaling
| Switch Model(s) | Traditional: Default | Traditional: Less System ACL | ACL Style**: Default | ACL Style**: Less System ACL |
|---|---|---|---|---|
| 4120 | 184 | 184 | 440 | N/A |
| 4220 | 440 | 440 | 952 | N/A |
| 5320-48T | 1,976 | 1,976 | 4,024 | N/A |
| 5320-24T-4X-XT | 440 | 440 | 952 | N/A |
| 5320-24T-24S-4XE-XT | 1,976 | 1,976 | 4,024 | N/A |
| 5320-16P* | 1,976 | 1,976 | 4,024 | N/A |
| | 4,024 | 4.024 | 8,120 | N/A |
| | 1,976 | 1,976 | 4,024 | N/A |
| | 4,024 | 4.024 | 8,120 | N/A |
| 5720-MW | 6,072 | 6,072 | 12,216 | N/A |
| 5720-MXW | 8,120 | 8,120 | 16,312 | N/A |
| 7520-48Y-8C | 1,976 | 1,976 | 3,512 | N/A |
| 7520-48XT-6C | 1,976 | 1,976 | 3,512 | N/A |
| 7720-32C | 1,976 | 1,976 | 3,512 | N/A |

* - 5320-16P models do not support MAC and IPv6 rules.

** - Applies to role-based DACLs as well as static ACLs created via the Policy CLI, which are also associated with a profile. User-based DACLs may achieve lower ACL Style numbers.

ACL Style Classification Rule Architecture

RESTful API Support

ACL Style Policy implements a new RESTful API for configuration of classification rules.

Note

The RESTful API is not supported for ACLs created dynamically via RADIUS and CoA.