Access Control Lists

ACL from Aruba

ACL Introduction and Creation

12 June 2025 10:46

ACLs allow the network to be configured to permit or deny traffic based on packet characteristics.
Each rule consists of specific match criteria; if a packet matches a rule, that rule's action is taken.

- ACL Use Cases:

1. At the Network Perimeter:

Two approaches are possible: a restrictive approach, in which you permit only the required traffic and deny
all other traffic (the recommended one), or a permissive approach, in which all traffic is allowed and only
specific traffic is denied.

2. At the Core and Distribution Layer:

Access Control Lists Page 1


ACLs can improve performance and security. ACLs can be used to ensure different groups of clients
only have access to specific destinations.

3. At the Management Layer:

4. For Performance and Troubleshooting:



- ACL Creation:
On AOS-CX, an ACL can be one of three types: IPv4, IPv6, or MAC.

An ACL ID must be unique within its type, but the same ID can be reused for an IPv4 list and an IPv6 list.

- ACL Rule Composition:


1. Sequence ID: Identifies the rule within the list, making it possible to reference and remove a specific
rule. The rule with the lowest sequence ID is processed first. Specifying a sequence ID is optional.
2. Action: Performed when there is a match
• Permit: The packet is allowed to proceed
• Deny: The packet is dropped
• Count: The switch tracks the hit count of matching packets
• Log: Matched events are logged and displayed.

- ACL Rule Creation:

- ACL Processing Order:


The ACL executes rules in a top-down manner, from the lowest to the highest sequence ID.



There is an implicit rule at the end of every ACL: a deny any any statement.

- Sequence ID:

1. Sequence ID Automatic Assignment:


If no sequence ID is specified, the switch assigns IDs automatically in order, leaving gaps between them
(new rules are added at the end of the ACL).

2. Sequence ID Manual Assignment:


It is a best practice to space the IDs (preferably by tens).

3. Sequence ID Renumbering:

The start-sequence is the number assigned to the first rule, and the increment is the value by which
each subsequent rule's number is increased.

A rule can be removed with the no <sequence-number> command.

- IP Address Format in ACL Rules:



AOS-CX switches don't support wildcard masks.

The "log" parameter generates an event log message when a packet matches a rule, regardless of the
rule's action (permit or deny).
Depending on the platform, it also increments hit counts for the specified entries. The first packet that hits
any log entry is copied to the CPU and logged to the operator-specified destination. That first matched
packet starts a five-minute ACL "log timer"; when the timer expires, a summary of all hit counts per
ACL is sent to the specified logging destination. This throttles the logging of ACL hits.

The "count" keyword keeps track of each match on a rule.
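The following Python model is an added illustration of the behaviour described in the rule composition, processing order, sequence ID and log/count sections above; it is not AOS-CX code and is not from the original notes. It simulates automatic sequence IDs spaced by tens and appended at the end, manual IDs, resequencing with a start value and increment, removal by sequence number, top-down evaluation ending in the implicit deny, and the log timer that logs the first hit and then only a summary after five minutes. The ACL name, rules, addresses and packets are constructed sample data; restarting the log cycle after a summary is a modelling assumption.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
import ipaddress

LOG_TIMER_SECONDS = 5 * 60  # the five-minute ACL "log timer" described in the notes


@dataclass
class Rule:
    """One access control entry. Addresses are prefixes (no wildcard masks)."""
    action: str                    # "permit" or "deny"
    proto: str = "any"             # "tcp", "udp", "icmp" or "any"
    src: str = "any"               # e.g. "10.1.1.0/24"
    dst: str = "any"
    dport: Optional[int] = None    # destination L4 port, None = any
    count: bool = False            # keep a hit counter for this rule
    log: bool = False              # log matches, regardless of permit/deny
    hits: int = 0

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        for want, have in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if want != "any" and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        return self.dport is None or pkt.get("dport") == self.dport


class AccessList:
    def __init__(self, name: str, step: int = 10):
        self.name = name
        self.step = step                      # spacing used for auto-assigned IDs
        self.rules: dict[int, Rule] = {}
        self.log_timer_start: Optional[float] = None
        self.log_messages: list[str] = []     # stands in for the operator's log destination

    def add(self, rule: Rule, seq: Optional[int] = None) -> int:
        """Add a rule; without an ID it goes after the highest existing ID, spaced by `step`."""
        if seq is None:
            seq = max(self.rules) + self.step if self.rules else self.step
        if seq in self.rules:
            raise ValueError(f"sequence {seq} already exists in {self.name}")
        self.rules[seq] = rule
        return seq

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <sequence-number>' inside the ACL context."""
        del self.rules[seq]

    def resequence(self, start: int, increment: int) -> None:
        """Renumber in existing order: first rule gets `start`, each later rule adds `increment`."""
        ordered = [self.rules[s] for s in sorted(self.rules)]
        self.rules = {start + i * increment: r for i, r in enumerate(ordered)}

    def evaluate(self, pkt: dict, now: float = 0.0) -> tuple:
        """Top-down match from lowest to highest ID; the implicit 'deny any any' ends the list."""
        for seq in sorted(self.rules):
            rule = self.rules[seq]
            if rule.matches(pkt):
                if rule.count or rule.log:
                    rule.hits += 1
                if rule.log:
                    self._log_hit(seq, rule, pkt, now)
                return rule.action, seq
        return "deny", None

    def _log_hit(self, seq: int, rule: Rule, pkt: dict, now: float) -> None:
        # First matched packet is logged at once and starts the timer; later hits only bump
        # counters until the timer expires, when a per-ACL summary is sent. Restarting the
        # cycle after the summary is a modelling assumption, not documented behaviour.
        if self.log_timer_start is None:
            self.log_timer_start = now
            self.log_messages.append(f"{self.name} seq {seq} {rule.action} {pkt['src']} -> {pkt['dst']}")
        elif now - self.log_timer_start >= LOG_TIMER_SECONDS:
            counts = ", ".join(f"{s}:{r.hits}" for s, r in sorted(self.rules.items()) if r.log)
            self.log_messages.append(f"{self.name} log-timer summary hits {counts}")
            self.log_timer_start = None


def demo() -> dict:
    """Constructed walk-through (sample data, not from a real switch)."""
    acl = AccessList("MGMT-IN")
    acl.add(Rule("permit", "tcp", "10.1.1.0/24", "any", 22, log=True))  # auto -> 10
    acl.add(Rule("permit", "udp", "any", "any", 123))                     # auto -> 20
    acl.add(Rule("deny", count=True), seq=50)                            # manual ID
    ssh_ok = acl.evaluate({"proto": "tcp", "src": "10.1.1.5", "dst": "10.9.9.1", "dport": 22})
    ssh_bad = acl.evaluate({"proto": "tcp", "src": "172.16.0.5", "dst": "10.9.9.1", "dport": 22})
    acl.remove(50)                                                        # 'no 50'
    implicit = acl.evaluate({"proto": "tcp", "src": "172.16.0.5", "dst": "10.9.9.1", "dport": 22})
    acl.resequence(100, 5)                                                # start 100, increment 5
    return {"ssh_ok": ssh_ok, "ssh_bad": ssh_bad, "implicit": implicit,
            "seqs": sorted(acl.rules), "logs": acl.log_messages}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the SSH packet from the permitted subnet hitting rule 10, the one from elsewhere falling through to the explicit deny at 50, the same packet being caught by the implicit deny once rule 50 is removed, and the remaining two rules renumbered to 100 and 105.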



Applying ACLs
12 June 2025 13:20

- Inbound and Outbound ACL Application:

The decision to apply an ACL inbound or outbound depends on several factors. If the aim is to restrict the
traffic coming from a specific VLAN then the ACL should be inbound. If there are multiple VLANs and the
restrictions have to be imposed only on a specific VLAN, then

1. ACLs on VLANs:

A. Inbound:

An Inbound ACL applied on a VLAN processes the following traffic:


• Traffic received on this VLAN and routed out another subnet.
• Traffic received on this VLAN interface and forwarded in the same subnet.
• Traffic received on this VLAN interface and destined to this network infrastructure device.

An Inbound ACL applied on a VLAN doesn't process the following traffic:


• Traffic received on another interface and routed to this VLAN interface.
• Traffic generated by the switch itself using its IP address on this VLAN and routed out another
VLAN.



B. Outbound:



Object Groups
12 June 2025 14:08

Object groups provide a mechanism to optimize the creation and management of ACLs.

Object groups are useful for defining groups of IP addresses and Layer 4 ports for use exclusively in ACL
rules. There are two types: IP address groups and L4 port groups.

An object group is created with the "object-group" command. A group can contain multiple objects, but
they must all be of the same type.

Note that a port group is preceded in the ACL rule by the keyword "group".
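As an added illustration of object groups (not AOS-CX code and not from the original notes), the Python below models an address group of prefixes and a port group of ports and ranges, rejects members of the wrong type, and lets one ACL rule field reference a group so that a single rule covers every member. The group names, prefixes, ports and packets are constructed, and representing a group reference as a `("group", name)` tuple is an assumption of the model rather than switch syntax.

```python
from __future__ import annotations

import ipaddress


class ObjectGroup:
    """An address group holds IP prefixes; a port group holds L4 ports or (low, high) ranges."""
    TYPES = ("address", "port")

    def __init__(self, name: str, kind: str):
        if kind not in self.TYPES:
            raise ValueError(f"unknown object-group type {kind!r}")
        self.name, self.kind, self.members = name, kind, []

    def add(self, member) -> "ObjectGroup":
        """Accept only members of the group's own type; mixing types is rejected."""
        if self.kind == "address":
            if not isinstance(member, str):
                raise TypeError(f"address group {self.name} cannot hold {member!r}")
            self.members.append(ipaddress.ip_network(member))  # ValueError on a non-prefix
        else:
            if isinstance(member, int):
                lo = hi = member
            elif isinstance(member, tuple) and len(member) == 2:
                lo, hi = member
            else:
                raise TypeError(f"port group {self.name} cannot hold {member!r}")
            if not 0 < lo <= hi <= 65535:
                raise ValueError(f"bad port range {member!r}")
            self.members.append((lo, hi))
        return self

    def contains(self, value) -> bool:
        if self.kind == "address":
            ip = ipaddress.ip_address(value)
            return any(ip in net for net in self.members)
        return any(lo <= value <= hi for lo, hi in self.members)


def rule_matches(rule: dict, pkt: dict, groups: dict) -> bool:
    """A rule field is 'any', a literal, or ('group', name) referring to an object group."""
    def field_ok(spec, value, kind):
        if spec == "any":
            return True
        if isinstance(spec, tuple) and spec[0] == "group":
            grp = groups[spec[1]]
            if grp.kind != kind:  # an address group cannot stand in for a port field, or vice versa
                raise TypeError(f"{grp.name} is a {grp.kind} group, not a {kind} group")
            return grp.contains(value)
        if kind == "address":
            return ipaddress.ip_address(value) in ipaddress.ip_network(spec)
        return value == spec

    return (field_ok(rule["src"], pkt["src"], "address")
            and field_ok(rule["dst"], pkt["dst"], "address")
            and field_ok(rule["dport"], pkt["dport"], "port"))


def demo() -> list:
    """Constructed groups and packets: one rule covers 2 prefixes x 3 port entries."""
    groups = {
        "WEB-SERVERS": ObjectGroup("WEB-SERVERS", "address").add("10.20.0.0/24").add("10.21.0.10/32"),
        "WEB-PORTS": ObjectGroup("WEB-PORTS", "port").add(80).add(443).add((8080, 8090)),
    }
    rule = {"src": "any", "dst": ("group", "WEB-SERVERS"), "dport": ("group", "WEB-PORTS")}
    probes = [
        {"src": "192.0.2.7", "dst": "10.20.0.55", "dport": 443},   # in both groups
        {"src": "192.0.2.7", "dst": "10.21.0.10", "dport": 8085},  # host member, port in range
        {"src": "192.0.2.7", "dst": "10.21.0.11", "dport": 80},    # host not in address group
        {"src": "192.0.2.7", "dst": "10.20.0.55", "dport": 22},    # port not in port group
    ]
    return [rule_matches(rule, p, groups) for p in probes]
```

The `add` checks are where the "same type" restriction from the notes lives: a prefix string offered to a port group, or a bare port offered to an address group, is refused at definition time rather than silently matching nothing.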



Classifier Policies
12 June 2025 14:18

Classifier policies are used to implement a multitude of policies related to filtering traffic, rate limiting the
traffic, changing QoS markings for DSCP or 802.1P, and traffic mirroring.

A classifier policy is configured in three steps:


1. Defining a class.
2. Configuring a policy.
3. Applying the policy.

- Defining a Class:

When defining a class, the match command indicates which traffic to select and the ignore command
indicates which traffic to exclude. Use the show class command to verify the configuration.

- Configuring a Policy:

The configuration shows how to reference classes in a policy and assign one or more policy actions to a
class. Use the "dscp" or "local-priority" parameters to define the policy.


To display configured policies:

- Applying a Policy:
Policies can be applied globally, to an interface, or to a VLAN.

To apply a policy to a VLAN or an interface use the apply command in the respective context.
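As an added example that is not from the original notes or from AOS-CX itself, the Python below walks the three steps just described: a class built from sequenced match and ignore entries, a policy that binds classes to dscp or local-priority actions, and a switch object on which the policy is applied to a VLAN or interface and then marks ingress packets. The class names, policy name, DSCP and priority values and packets are constructed; the global application scope mentioned above is left out of the model because its precedence over interface and VLAN policies is not described here.

```python
from __future__ import annotations

import ipaddress


class TrafficClass:
    """Step 1: a class is a sequenced list of 'match' and 'ignore' entries."""

    def __init__(self, name: str):
        self.name = name
        self.entries = []  # (seq, "match" | "ignore", criteria)

    def entry(self, seq: int, kind: str, **criteria) -> "TrafficClass":
        if kind not in ("match", "ignore"):
            raise ValueError(f"entry kind must be match or ignore, got {kind!r}")
        self.entries.append((seq, kind, criteria))
        return self

    @staticmethod
    def _fits(criteria: dict, pkt: dict) -> bool:
        for key, want in criteria.items():
            have = pkt.get(key)
            if have is None:
                return False
            if key in ("src", "dst"):
                if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                    return False
            elif have != want:
                return False
        return True

    def classify(self, pkt: dict) -> bool:
        """First entry that fits decides: 'ignore' excludes the packet, 'match' selects it."""
        for _, kind, crit in sorted(self.entries, key=lambda e: e[0]):
            if self._fits(crit, pkt):
                return kind == "match"
        return False


class Policy:
    """Step 2: a policy binds classes, in sequence, to actions (dscp or local-priority)."""
    ACTIONS = ("dscp", "local-priority")

    def __init__(self, name: str):
        self.name, self.classes = name, []

    def add_class(self, seq: int, cls: TrafficClass, **actions) -> "Policy":
        unsupported = set(actions) - set(self.ACTIONS)
        if unsupported:
            raise ValueError(f"unsupported action(s) {sorted(unsupported)}")
        self.classes.append((seq, cls, actions))
        return self

    def actions_for(self, pkt: dict) -> dict:
        """Actions of the first class the packet belongs to; {} if no class matches."""
        for _, cls, actions in sorted(self.classes, key=lambda c: c[0]):
            if cls.classify(pkt):
                return actions
        return {}


class Switch:
    """Step 3: a policy is applied to an interface or a VLAN and marks ingress traffic there."""

    def __init__(self):
        self.bindings = {}  # ("interface" | "vlan", id) -> Policy

    def apply_policy(self, scope: str, ident, policy: Policy) -> None:
        if scope not in ("interface", "vlan"):
            raise ValueError("policy scope must be interface or vlan")
        self.bindings[(scope, ident)] = policy

    def ingress(self, scope: str, ident, pkt: dict) -> dict:
        marked = dict(pkt)
        policy = self.bindings.get((scope, ident))
        if policy is not None:
            marked.update(policy.actions_for(pkt))
        return marked


def demo() -> tuple:
    """Constructed example: mark SIP signalling EF except from a lab subnet, deprioritise SMB."""
    voice = (TrafficClass("VOICE")
             .entry(10, "ignore", src="10.0.99.0/24")              # lab subnet stays unmarked
             .entry(20, "match", proto="udp", dport=5060))
    bulk = TrafficClass("BULK").entry(10, "match", proto="tcp", dport=445)
    qos = (Policy("EDGE-QOS")
           .add_class(10, voice, dscp=46)
           .add_class(20, bulk, **{"local-priority": 1}))
    sw = Switch()
    sw.apply_policy("vlan", 10, qos)
    base = {"src": "10.0.10.5", "dst": "10.0.50.1"}
    sip = sw.ingress("vlan", 10, {**base, "proto": "udp", "dport": 5060})
    lab = sw.ingress("vlan", 10, {**base, "src": "10.0.99.5", "proto": "udp", "dport": 5060})
    smb = sw.ingress("vlan", 10, {**base, "proto": "tcp", "dport": 445})
    other = sw.ingress("interface", "1/1/1", {**base, "proto": "tcp", "dport": 445})  # nothing applied
    return sip.get("dscp"), lab.get("dscp"), smb.get("local-priority"), other.get("local-priority")
```

The ignore entry is evaluated before the match entry because of its lower sequence number, which is what keeps the lab subnet's SIP traffic unmarked; swapping the two sequence numbers would mark it, so entry order in a class matters in the same way rule order does in an ACL.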

Configuration Example:



Restrictions and Resource Utilization
12 June 2025 15:29

- Rules and Restrictions:

- Ternary Content Addressable Memory (TCAM) Overview:

TCAM is used to perform lookups at hardware speed and to return an index corresponding to a given
search key. AOS-CX switches have internal TCAMs that are responsible for lookups inside the switch or
line-card ASIC.

During ACL processing, the first ACE match is performed by the CPU in software and then cached in the
ASIC's TCAM. All subsequent matches can be performed faster and with less CPU utilization in the
hardware ASICs.

Hardware resources are consumed to enforce the following rules on the data plane:
• Management plane resources are used when an ACL is created.
• ASIC/TCAM data plane resources are used when an ACL is applied.
TCAM lookups are a finite hardware resource used in the application of ACLs and policies to packets
processed in switch hardware. Analytics Data Collection (ADC) also consumes TCAM lookups.

- Resource Validation:

1. TCAM Resource Validation:


The "show resources" command can be used to verify allocated TCAM resources.



2. Troubleshooting TCAM Allocation Issue:
• Use the show access-list command to see the active switch configuration (the configuration in use in
RAM and TCAM):
○ The ACLs that have been configured and accepted by the system.
○ The interfaces on which the ACLs have been successfully programmed in the hardware.
• Use the show access-list configuration command to see the ACLs that are configured but not
necessarily accepted.
○ If the active ACLs and configured ACLs are not the same:

○ If the configured ACL is processing:

• If the switch shows a warning message or an in-progress message, further changes can be made
until the error message is no longer shown in the output, or you can run the access-list {all | ip <acl-
name> | mac <acl-name>} reset command.

- Software Resource Validation:


The switch's resource capabilities can be seen with the show capacities and show capacities-status
commands.
