ACLs and classifier policies interoperability considerations
Hardware capacity constraints
Because of hardware capacity limits, only a limited number of features can be enabled at the same time on the same line card.
- Ingress Port IPv6 ACL
- Ingress Port MAC ACL
- Ingress VLAN IPv4 and/or IPv6 ACL
- Ingress VLAN MAC ACL
- Ingress Port Policy with IPv4 and/or MAC classes
- Ingress Port Policy with IPv6 classes
- Ingress VLAN Policy with IPv4 and/or MAC classes
- Ingress VLAN Policy with IPv6 classes
- Ingress Routed Port Policy with IPv4 classes
- Ingress Routed Port Policy with IPv6 classes
- Ingress Routed VLAN Policy with IPv4 classes
- Ingress Routed VLAN Policy with IPv6 classes
These features are not classifier-related but use one policy engine management resource each:
- Multi-Chassis LAG (VSX)
- Ingress IPv4 and/or IPv6 Analytics Data Collection (ADC)
- Bidirectional Forwarding Detection (BFD)
- Ingress Routed IPv4 and/or IPv6 Unicast Counters
- Ingress Routed IPv4 and/or IPv6 Multicast Counters
- Egress Routed IPv4 and/or IPv6 Unicast Counters
- Egress Routed IPv4 and/or IPv6 Multicast Counters
Note: Port IPv4 ACLs use dedicated hardware and do not conflict with any of the preceding features.
Matching precedence order
VLAN ACLs, VLAN Policies, and Analytics Data Collection (ADC) are applied to all line cards.
When a packet is matched by multiple classifier features with the same action, a precedence order decides which feature applies the action.
For example, if a packet matches an IPv6 ACL with a count action and a MAC ACL with a count action, the IPv6 count action takes precedence and the MAC ACL will not count the packet. However, if a packet matches both an ACL and a policy with count actions, both will be counted. Regardless of precedence, if a packet is to be dropped by a configured feature, it will be dropped. Ingress packets do not take precedence over egress packets, nor do egress packets take precedence over ingress packets.
The precedence order from highest to lowest is as follows:
1. Ingress Port IPv6 ACL
2. Ingress VLAN IPv6 ACL
3. Ingress Port IPv4 ACL
4. Ingress VLAN IPv4 ACL
5. Ingress Port MAC ACL
6. Ingress VLAN MAC ACL
7. Ingress Port Policy with IPv6 classes
8. Ingress Port Policy with IPv4 and/or MAC classes
9. Ingress VLAN Policy with IPv6 classes
10. Ingress VLAN Policy with IPv4 and/or MAC classes
11. Bidirectional Forwarding Detection (BFD)
12. Multi-Chassis LAG (VSX)
13. IPv6 Control Plane Policing
14. IPv4 Control Plane Policing
15. MAC Control Plane Policing
16. Ingress Routed IPv6 Port Policy
17. Ingress Routed IPv4 Port Policy
18. Ingress Routed IPv6 VLAN Policy
19. Ingress Routed IPv4 VLAN Policy
20. Ingress Routed IPv6 Unicast Counters
21. Ingress Routed IPv6 Multicast Counters
22. Ingress Routed IPv4 Unicast Counters
23. Ingress Routed IPv4 Multicast Counters
24. Ingress IPv6 Analytics Data Collection (ADC)
25. Ingress IPv4 Analytics Data Collection (ADC)
26. Egress Routed IPv4 Port ACL
27. Egress Routed IPv6 Unicast Counters
28. Egress Routed IPv6 Multicast Counters
29. Egress Routed IPv4 Unicast Counters
30. Egress Routed IPv4 Multicast Counters
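The following is an added example (not vendor code) that models the counting rules above for the ingress ACL and policy entries of the precedence list, so an operator can predict which counter will show a hit: a drop by any feature wins, only the highest-precedence ACL counts among ACLs, and an ACL and a policy count independently. It assumes that policies resolve among themselves the same way ACLs do, and that a drop does not suppress counting; the page states neither explicitly.

```python
# Ingress classifier features from the precedence list, highest first.
PRECEDENCE = [
    "Ingress Port IPv6 ACL",
    "Ingress VLAN IPv6 ACL",
    "Ingress Port IPv4 ACL",
    "Ingress VLAN IPv4 ACL",
    "Ingress Port MAC ACL",
    "Ingress VLAN MAC ACL",
    "Ingress Port Policy with IPv6 classes",
    "Ingress Port Policy with IPv4 and/or MAC classes",
    "Ingress VLAN Policy with IPv6 classes",
    "Ingress VLAN Policy with IPv4 and/or MAC classes",
]
RANK = {name: i for i, name in enumerate(PRECEDENCE)}  # lower index = higher precedence


def family(feature):
    """ACLs and policies are resolved separately; this splits them."""
    return "acl" if feature.endswith("ACL") else "policy"


def resolve(matches):
    """matches: {feature name: 'count' | 'drop'} for one packet.

    Returns (dropped, counted) where counted lists the features whose
    count action is applied, in precedence order.
    """
    unknown = set(matches) - set(RANK)
    if unknown:
        raise ValueError(f"not in the modelled precedence list: {sorted(unknown)}")
    # Regardless of precedence, any drop action drops the packet.
    dropped = any(action == "drop" for action in matches.values())
    counted = []
    for fam in ("acl", "policy"):
        # Within a family only the highest-precedence count action applies
        # (assumption for policies; stated on the page for ACLs).
        candidates = [f for f, a in matches.items() if a == "count" and family(f) == fam]
        if candidates:
            counted.append(min(candidates, key=RANK.__getitem__))
    return dropped, sorted(counted, key=RANK.__getitem__)


if __name__ == "__main__":
    # The page's own example: IPv6 ACL count beats MAC ACL count.
    print(resolve({"Ingress Port MAC ACL": "count", "Ingress Port IPv6 ACL": "count"}))
```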