Chapter 16. Access Lists

At some point, we all need to write an access list. Like most things in EOS, doing so is very similar to doing so in IOS, with some minor changes here and there that we’ll cover in this chapter.

There are several Access-Control List (ACL) types, distinguished by how and where they are applied. The types include:

Port-based ACL (PACL)

PACLs are applied to layer-2 (switched) Ethernet ports and port-channels, filtering traffic as it enters the port.

Router-based ACL (RACL)

RACLs are applied to routed (layer-3) interfaces such as SVIs, filtering traffic that is routed through the switch.

MAC-Based ACLs (MACL or MAC ACL)

MACLs are ACLs that filter on layer-2 source and destination MAC addresses rather than on IP headers.

Control Plane ACL

An ACL that filters traffic destined to the switch's own CPU (the control plane) rather than transit traffic. This is where you restrict management access to the switch itself: SSH, SNMP, Telnet, and so on.
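As an added example (this configuration is not from the book), here is how the IPv4 ACL types above are defined and applied in EOS. The interface names, addresses and ACL names are made up for illustration. One IPv4 list is attached to a switchport (a PACL) and to an SVI (a RACL); a second, more restrictive list is attached to the control plane. The `control-plane` configuration context is the one used by EOS releases of the 4.9 era assumed here; verify the exact context and command syntax against the configuration guide for the release you are running.

```eos
! Access lists are defined once by name and then referenced from the
! interface or control-plane context where they take effect.
!
! IPv4 ACL reused below as both a PACL and a RACL. Rules are evaluated
! top-down on first match; the final explicit deny logs what falls through.
ip access-list SERVERS-IN
   10 permit tcp 10.10.10.0/24 10.10.20.0/24 eq 443
   20 permit tcp 10.10.10.0/24 10.10.20.0/24 eq 22
   30 permit icmp any any
   40 deny ip any any log
!
! Control-plane ACL: only the management subnet may reach the switch
! itself over SSH and SNMP; anything else addressed to the CPU is dropped.
ip access-list MGMT-CP
   10 permit tcp 192.168.100.0/24 any eq ssh
   20 permit udp 192.168.100.0/24 any eq snmp
   30 permit icmp any any
   40 deny ip any any log
!
! PACL: the IPv4 ACL applied inbound on a layer-2 (switchport) interface.
interface Ethernet1
   switchport access vlan 10
   ip access-group SERVERS-IN in
!
! RACL: the same IPv4 ACL applied inbound on a routed interface, the VLAN 20 SVI.
interface Vlan20
   ip address 10.10.20.1/24
   ip access-group SERVERS-IN in
!
! Control-plane ACL: applied to traffic destined to the switch CPU.
control-plane
   ip access-group MGMT-CP in
```

Two cautions before applying the control-plane list. EOS ships with a default control-plane ACL (`default-control-plane-acl`) that permits the protocols the switch itself needs, such as routing protocols and LACP; applying your own list replaces it, so start from `show ip access-lists default-control-plane-acl` and trim it rather than writing a list from scratch, otherwise you can silently break adjacencies. And because a mistake in MGMT-CP cuts off your own SSH session, apply it from the console and confirm with `show ip access-lists MGMT-CP` that the rules read the way you intended.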

Let’s look at the benefits and limitations of ACLs in EOS. According to the Arista Configuration Guide for EOS version 4.9.3.2, the following ACL features are supported:

  • Ingress ACLs

  • Port ACL applied on layer-2 Ethernet interfaces

  • Port ACL on port-channel interfaces. Ports in a port-channel apply the port-channel’s ACL.

  • Filters: IPv4 protocol, source and destination address, TCP and UDP ports, TCP flags, and TTL

  • List size: 512 active rules; diminished capacity if rules contain L4 and port range filters

  • Broadcast and multicast storm control

The same document lists the following as limitations, meaning they are not supported in that release:

  • Egress ACLs

  • Filters based on IPv6/MAC

I’ve never had much of a use for egress ACLs on routers, so on the surface that’s not a big deal for me.

Note

There are some valid uses for egress ACLs on switches, especially cut-through models. Additionally, the ...
