ACLs and classifier policies interoperability considerations

Hardware capacity constraints

Because of hardware capacity limits, only a limited number of these features can be enabled at the same time on the same line card.

There are two policy engine management resources available to use per line card. Each of the following features uses one policy engine management resource when enabled. At most, two of the listed features can be configured at the same time:
Ingress Port IPv6 ACL
Ingress Port MAC ACL
Ingress VLAN IPv4 and/or IPv6 ACL
Ingress VLAN MAC ACL
Ingress Port Policy with IPv4 and/or MAC classes
Ingress Port Policy with IPv6 classes
Ingress VLAN Policy with IPv4 and/or MAC classes
Ingress VLAN Policy with IPv6 classes
Ingress Routed Port Policy with IPv4 classes
Ingress Routed Port Policy with IPv6 classes
Ingress Routed VLAN Policy with IPv4 classes
Ingress Routed VLAN Policy with IPv6 classes
These features are not classifier-related but use one policy engine management resource each:
Multi-Chassis LAG (VSX)
Ingress IPv4 and/or IPv6 Analytics Data Collection (ADC)
Bidirectional Forwarding Detection (BFD)
Ingress Routed IPv4 and/or IPv6 Unicast Counters
Ingress Routed IPv4 and/or IPv6 Multicast Counters
Egress Routed IPv4 and/or IPv6 Unicast Counters
Egress Routed IPv4 and/or IPv6 Multicast Counters
Note: Port IPv4 ACLs use dedicated hardware and do not conflict with any of the preceding features.

Matching precedence order

VLAN ACLs, VLAN Policies, and Analytics Data Collection (ADC) are applied to all line cards.

In the case where a packet is matched by multiple classifier features with the same action, it follows a precedence order.

For example, if a packet matches an IPv6 ACL with a count action and a MAC ACL with a count action, the IPv6 count action takes precedence and the MAC ACL will not count the packet. However, if a packet matches both an ACL and a policy with count actions, both will be counted. Regardless of precedence, if a packet is to be dropped by any configured feature, it will be dropped. Ingress packets do not take precedence over egress packets, nor do egress packets take precedence over ingress packets.

The precedence order from highest to lowest is as follows:

Ingress Port IPv6 ACL
Ingress VLAN IPv6 ACL
Ingress Port IPv4 ACL
Ingress VLAN IPv4 ACL
Ingress Port MAC ACL
Ingress VLAN MAC ACL
Ingress Port Policy with IPv6 classes
Ingress Port Policy with IPv4 and/or MAC classes
Ingress VLAN Policy with IPv6 classes
Ingress VLAN Policy with IPv4 and/or MAC classes
Bidirectional Forwarding Detection (BFD)
Multi-Chassis LAG (VSX)
IPv6 Control Plane Policing
IPv4 Control Plane Policing
MAC Control Plane Policing
Ingress Routed IPv6 Port Policy
Ingress Routed IPv4 Port Policy
Ingress Routed IPv6 VLAN Policy
Ingress Routed IPv4 VLAN Policy
Ingress Routed IPv6 Unicast Counters
Ingress Routed IPv6 Multicast Counters
Ingress Routed IPv4 Unicast Counters
Ingress Routed IPv4 Multicast Counters
Ingress IPv6 Analytics Data Collection (ADC)
Ingress IPv4 Analytics Data Collection (ADC)
Egress Routed IPv4 Port ACL
Egress Routed IPv6 Unicast Counters
Egress Routed IPv6 Multicast Counters
Egress Routed IPv4 Unicast Counters
Egress Routed IPv4 Multicast Counters
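As an added example that is not part of this documentation or the vendor's software, the following Python script models the two rules in this section: the per-line-card budget of two policy engine management resources (Port IPv4 ACLs exempt) and the count-action precedence between ACLs and policies. Feature names are taken from the lists above; the planned feature sets and packet matches are constructed, and applying the highest-wins rule between two policies is this example's assumption.

```python
# Added example, not vendor code: a pre-change check modelling the two-resource
# per-line-card budget and the count-action precedence rule from this section.
# Feature names follow the text; sample plans and packet matches are constructed.

RESOURCES_PER_LINE_CARD = 2

# Each feature on the two resource lists consumes one policy engine management resource.
RESOURCE_USERS = {
    "Ingress Port IPv6 ACL", "Ingress Port MAC ACL",
    "Ingress VLAN IPv4 and/or IPv6 ACL", "Ingress VLAN MAC ACL",
    "Ingress Port Policy with IPv4 and/or MAC classes", "Ingress Port Policy with IPv6 classes",
    "Ingress VLAN Policy with IPv4 and/or MAC classes", "Ingress VLAN Policy with IPv6 classes",
    "Ingress Routed Port Policy with IPv4 classes", "Ingress Routed Port Policy with IPv6 classes",
    "Ingress Routed VLAN Policy with IPv4 classes", "Ingress Routed VLAN Policy with IPv6 classes",
    "Multi-Chassis LAG (VSX)", "Bidirectional Forwarding Detection (BFD)",
    "Ingress IPv4 and/or IPv6 Analytics Data Collection (ADC)",
    "Ingress Routed IPv4 and/or IPv6 Unicast Counters",
    "Ingress Routed IPv4 and/or IPv6 Multicast Counters",
    "Egress Routed IPv4 and/or IPv6 Unicast Counters",
    "Egress Routed IPv4 and/or IPv6 Multicast Counters",
}

# Ingress ACL and policy features, highest precedence first (from the order above).
PRECEDENCE = [
    "Ingress Port IPv6 ACL", "Ingress VLAN IPv6 ACL",
    "Ingress Port IPv4 ACL", "Ingress VLAN IPv4 ACL",
    "Ingress Port MAC ACL", "Ingress VLAN MAC ACL",
    "Ingress Port Policy with IPv6 classes", "Ingress Port Policy with IPv4 and/or MAC classes",
    "Ingress VLAN Policy with IPv6 classes", "Ingress VLAN Policy with IPv4 and/or MAC classes",
]


def check_line_card_budget(planned):
    """Return (fits, consumers) for the features planned on one line card.
    Port IPv4 ACLs use dedicated hardware, so they never appear in consumers."""
    consumers = sorted(f for f in planned if f in RESOURCE_USERS)
    return len(consumers) <= RESOURCES_PER_LINE_CARD, consumers


def resolve_packet(matches):
    """matches maps each matched feature to its action, 'count' or 'drop'.
    Any drop wins regardless of precedence. Among ACLs only the highest-precedence
    count applies, while an ACL and a policy both count. Applying the same
    highest-wins rule between two policies is this example's assumption."""
    dropped = any(action == "drop" for action in matches.values())
    counting = []
    for kind in ("ACL", "Policy"):
        winners = [f for f in PRECEDENCE if kind in f and matches.get(f) == "count"]
        counting += winners[:1]  # at most one counting feature per kind
    return dropped, counting
```

Run check_line_card_budget against each line card's planned feature set before pushing a change, and resolve_packet to predict which counters a given flow will land in.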