Page 13 | AlliedWare Plus™ OS How To Note
The logic of the operation of the hardware filters
The operation of the filters follows the standard ACL logic: if a packet matches an ACL on
the port, the comparison process stops and the action attached to the ACL is performed.
The switch checks ACLs in the order in which you attach them to the port.
For example, to reject all multicast traffic except 236.5.8.213, make one ACL to permit that
address and another ACL to deny all multicast traffic. Then attach the permit ACL to the
port before attaching the deny ACL.
If a packet fails to match any of the port’s ACLs, then the switch moves to the next stage of
comparison. The next stage is matching against QoS class-maps, if they exist. If the packet
matches a QoS class-map, it will be processed appropriately. If it does not match a class-map,
it will be processed as normal. Therefore, ACLs do not end in an implicit deny action to drop
non-matching traffic. But they also do not end in an implicit permit action that would bypass
other processing and forward non-matching traffic. The switch simply continues processing
non-matching traffic as normal.
Note: ACLs will match on packets that are destined for the switch itself (packets that would
be passed up to the switch's own CPU) in exactly the same way as they act on
packets that were destined to be forwarded directly by the switching chip.
Combining interface ACLs and QoS class-maps
The switch compares the packet with every interface ACL before it compares the packet
with any QoS class-maps. If the packet matches an interface ACL, the switch takes the action
specified by that ACL and stops the comparison process. If a packet matches both an
interface ACL and a QoS class-map, the packet only gets matched against the interface ACL.
It bypasses the QoS process.
If the action on the interface ACL is deny or send-to-cpu, then this is not a problem,
because the packet was never going to get into the QoS system anyway (given that it was
being discarded). But, if the action on the interface ACL is permit, copy-to-cpu, or
copy-to-mirror, and the packet would also be matched by a QoS class-map, then this is a problem.
The packet will not be matched by the QoS class-map, so the switch will not apply any
intended QoS-based filtering, policing, queue redirection, etc. to the packet. Instead, the
switch will forward the packet as if it belongs to the default class-map.
For this reason, we only recommend combining interface ACLs and QoS class-map filtering if
all your interface ACLs result in traffic being dropped. For traffic that you want forwarded
with QoS control, use QoS class-maps for both the filtering and the QoS actions. Of course,
you can also use QoS class-maps to drop traffic.
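The two matching stages described above (ordered interface ACLs, then QoS class-maps, then the default class-map), as an added Python model that is not part of the original note. It reproduces the multicast example and the permit-ACL/class-map overlap; rule names, the 10.0.0.0/8 addresses and the "qos-policy" result label are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the per-port pipeline described in the note:
# interface ACLs in attachment order (first match ends comparison),
# then QoS class-maps, then the default class-map. Names are assumed.

@dataclass
class Rule:
    name: str
    dst_net: str          # destination prefix the rule matches on
    action: str = ""      # ACL action: permit | deny | send-to-cpu | copy-to-cpu | copy-to-mirror

    def matches(self, dst: str) -> bool:
        return ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net)

def classify(dst: str, acls: list, class_maps: list) -> tuple:
    """Return (stage, rule_name, action) for the first rule matching dst.
    A matched ACL ends comparison, so the packet never reaches the class-maps."""
    for acl in acls:
        if acl.matches(dst):
            return ("acl", acl.name, acl.action)
    for cm in class_maps:
        if cm.matches(dst):
            return ("class-map", cm.name, "qos-policy")
    return ("class-map", "default", "forward-normally")

# Worked example 1: permit one multicast group, deny all other multicast.
PERMIT_ONE = Rule("permit-236.5.8.213", "236.5.8.213/32", "permit")
DENY_MCAST = Rule("deny-multicast", "224.0.0.0/4", "deny")

def multicast_result(dst: str, permit_first: bool = True) -> str:
    order = [PERMIT_ONE, DENY_MCAST] if permit_first else [DENY_MCAST, PERMIT_ONE]
    return classify(dst, order, [])[2]

# Worked example 2: a permit ACL that overlaps a QoS class-map (assumed prefixes).
PERMIT_LAN = Rule("permit-lan", "10.0.0.0/8", "permit")
VOICE_CLASS = Rule("voice", "10.1.0.0/16")

def qos_result(dst: str, with_acl: bool) -> tuple:
    acls = [PERMIT_LAN] if with_acl else []
    return classify(dst, acls, [VOICE_CLASS])

if __name__ == "__main__":
    print(multicast_result("236.5.8.213"))          # permit
    print(multicast_result("236.5.8.213", False))   # deny: attachment order matters
    print(qos_result("10.1.2.3", True))             # ACL permit, class-map bypassed
    print(qos_result("10.1.2.3", False))            # class-map voice applies
```

Attaching the deny ACL first silently swallows the permit, and a permit ACL that overlaps a class-map removes that traffic from QoS control, which is why the note recommends drop-only interface ACLs when class-maps are also in use.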