ACLs and classifier policies interoperability considerations

Hardware capacity constraints

Because of hardware capacity limits, only a limited number of these features can be enabled at the same time on the same line card.

There are nine policy engine management resources available to use. Each of these features uses one policy engine management resource when enabled:
Ingress Port IPv4 ACL
Ingress Port IPv6 ACL
Ingress Port MAC ACL
Ingress VLAN IPv4 ACL
Ingress VLAN IPv6 ACL
Ingress VLAN MAC ACL
Ingress Port Policy with IPv4 and/or MAC classes
Ingress Port Policy with IPv6 classes
Ingress VLAN Policy with IPv4 and/or MAC classes
Ingress VLAN Policy with IPv6 classes
Ingress Routed Port Policy with IPv4 classes
Ingress Routed Port Policy with IPv6 classes
Ingress Routed VLAN Policy with IPv4 classes
Ingress Routed VLAN Policy with IPv6 classes
Ingress IPv4 Analytics Data Collection (ADC)
Ingress IPv6 Analytics Data Collection (ADC)
Multi-Chassis LAG (VSX)
Features applied on egress use dedicated hardware and do not conflict with any of the preceding features.

Matching precedence order

VLAN ACLs, VLAN Policies, and Analytics Data Collection (ADC) are applied to all line cards.

When a packet is matched by multiple classifier features that apply the same action, the action is applied according to a precedence order.

For example, if a packet matches an IPv6 ACL with a count action and a MAC ACL with a count action, the IPv6 count action takes precedence and the MAC ACL will not count the packet. However, if a packet matches both an ACL and a policy with count actions, both will be counted. Regardless of precedence, if a packet is to be dropped by any configured feature, it will be dropped. Ingress packets do not take precedence over egress packets, nor do egress packets take precedence over ingress packets.

The precedence order from highest to lowest is as follows:

Ingress Port IPv6 ACL
Ingress VLAN IPv6 ACL
Ingress Port IPv4 ACL
Ingress VLAN IPv4 ACL
Ingress Port MAC ACL
Ingress VLAN MAC ACL
Ingress IPv6 Analytics Data Collection (ADC)
Ingress IPv4 Analytics Data Collection (ADC)
Ingress Port Policy with IPv6 classes
Ingress Port Policy with IPv4 and/or MAC classes
Ingress VLAN Policy with IPv6 classes
Ingress VLAN Policy with IPv4 and/or MAC classes
IPv6 Control Plane Policing
IPv4 Control Plane Policing
MAC Control Plane Policing
Ingress Control Plane Policing
Ingress Routed IPv6 Port Policy
Ingress Routed IPv4 Port Policy
Ingress Routed IPv6 VLAN Policy
Ingress Routed IPv4 VLAN Policy
Ingress L3 Statistics
Multi-Chassis LAG (VSX)
Egress Routed IPv4 Port ACL
Egress Control Plane Policing
Egress L3 Statistics
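The two rules on this page, the nine-resource budget per line card and the count-action precedence between ingress ACLs and policies, as a small Python model that can be used to review a proposed line-card configuration before it is applied. This is an added example, not HPE Aruba Networking code; it covers only the ingress ACL and policy entries of the precedence list, treats policy-versus-policy matches like ACL-versus-ACL matches (an assumption), and does not model the drop-always-wins rule.

```python
"""Resource budget and count-action precedence rules from this page, modelled in
Python (added example, not HPE Aruba Networking code)."""

MAX_RESOURCES = 9  # policy engine management resources per line card

# Each of these features consumes one resource while enabled on a line card.
RESOURCE_USERS = {
    "Ingress Port IPv4 ACL", "Ingress Port IPv6 ACL", "Ingress Port MAC ACL",
    "Ingress VLAN IPv4 ACL", "Ingress VLAN IPv6 ACL", "Ingress VLAN MAC ACL",
    "Ingress Port Policy with IPv4 and/or MAC classes", "Ingress Port Policy with IPv6 classes",
    "Ingress VLAN Policy with IPv4 and/or MAC classes", "Ingress VLAN Policy with IPv6 classes",
    "Ingress Routed Port Policy with IPv4 classes", "Ingress Routed Port Policy with IPv6 classes",
    "Ingress Routed VLAN Policy with IPv4 classes", "Ingress Routed VLAN Policy with IPv6 classes",
    "Ingress IPv4 Analytics Data Collection (ADC)", "Ingress IPv6 Analytics Data Collection (ADC)",
    "Multi-Chassis LAG (VSX)",
}

# Ingress ACL and policy precedence, highest first (taken from the full list above).
PRECEDENCE = [
    "Ingress Port IPv6 ACL", "Ingress VLAN IPv6 ACL",
    "Ingress Port IPv4 ACL", "Ingress VLAN IPv4 ACL",
    "Ingress Port MAC ACL", "Ingress VLAN MAC ACL",
    "Ingress Port Policy with IPv6 classes", "Ingress Port Policy with IPv4 and/or MAC classes",
    "Ingress VLAN Policy with IPv6 classes", "Ingress VLAN Policy with IPv4 and/or MAC classes",
]
RANK = {name: i for i, name in enumerate(PRECEDENCE)}  # lower value = higher precedence


def resources_used(enabled):
    """Policy engine resources consumed by a set of enabled features (must stay <= 9)."""
    return sum(1 for f in set(enabled) if f in RESOURCE_USERS)


def effective_counts(matched):
    """Which count actions take effect for one packet.

    `matched` lists the ACLs and policies (all with a count action) the packet hit.
    Only the highest-precedence matching ACL counts; an ACL and a policy both count.
    Assumption: competing policies are resolved by precedence like competing ACLs.
    Feature names not in PRECEDENCE raise KeyError.
    """
    ranked = sorted(set(matched), key=RANK.__getitem__)
    counted = []
    for kind in (" ACL", " Policy "):
        hits = [f for f in ranked if kind in f]
        if hits:
            counted.append(hits[0])  # the highest-precedence feature of this kind
    return counted
```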