This topic is to discuss the following lesson:
Hello, everyone.
Happy to be the first one to make a post here
I am studying about ACLs for my ENCOR exam and the following piece of information is mentioned in my book:
PACLs have a few restrictions that vary from platform to platform. The following are some
of the most common restrictions:
- PACLs only support filtering incoming traffic on an interface (no outbound filtering support).
- PACLs cannot filter Layer 2 control packets, such as CDP, VTP, DTP, PAgP, UDLD, and STP.
- PACLs are supported only in hardware.
- PACLs do not support ACLs to filter IPv6, ARP, or Multiprotocol Label Switching (MPLS) traffic.
The highlighted restrictions don’t make much sense to me.
From an architectural perspective, what exactly prevents an ACL that is applied to an L2 interface (so a PACL) from being capable of outbound filtering or filtering IPv6? Sometimes it feels as if these restrictions are made up.
Also, why can't the ACL filter CDP, VTP, etc. messages?
//Edit: Rene could filter IPv6 packets inbound here, which the following text explains: "PACLs have a few restrictions that vary from platform to platform."
Thank you.
David
Hello David
Indeed, some of these restrictions do seem somewhat arbitrary; however, there are explanations for each.
- Concerning no outbound filtering support: This has to do with the internal design of a switch, and the ASICs that are used for hardware processing. On a Layer 2 interface, traffic is typically already in the “switching path” once it reaches egress. Applying a PACL on outbound traffic would require the ASIC to re-analyze packets after the forwarding decision has been made, resulting in less efficiency. In general, switches prioritize ingress processing by design for speed/efficiency. Outbound filtering would require additional TCAM/CAM entries and logic.
- Concerning control packets such as CDP, VTP, DTP, etc.: This is not so much a limitation of the hardware, but a design choice. The reason is that the data plane and control plane packet filtering must remain independent and separate. If you want to filter control plane packets, you can use CoPP, even for L2 protocols, but again, check the restrictions that CoPP may have in such cases. The reasoning is similar to why ACLs don't filter traffic generated by the router itself.
- Concerning not supporting IPv6, ARP, or MPLS: This has to do with what the specific platform supports. Some support it while others don’t, as you suggested in your edit…
I hope this has been helpful!
Laz