Notes - Hybrid ACLs

Hybrid ACLs let you build an ACL from network and port object groups, so the ACL scales to more entries and is easier to manage.

This feature is only available on physical routers. This feature uses external TCAM to offload part of the ACL lookup.

Hybrid ACLs are supported for both IPv4 and IPv6, in both the ingress and egress direction. The egress direction has been supported since 7.7.1.

Object Groups

Object groups can be configured on XRv9000, but not on XRd. An object group is much like a prefix-set or extcommunity-set: it groups together networks or ports. Object groups can only be referenced from ACLs, and those ACLs can only be applied as security ACLs on an interface. (They can't be applied to services such as SNMP, etc.)

Network object groups simply identify IP addresses. This can be based on subnet or even a range of addresses. Object groups can be nested within each other.

object-group network ipv4 EXAMPLE1
 2.2.2.0/24
 host 1.1.1.1
!
object-group network ipv4 EXAMPLE2
 object-group EXAMPLE1
 range 1.1.1.2 1.1.1.10
!
!
object-group network ipv6 EXAMPLE1
 2001:db8::3/128
!
object-group network ipv6 EXAMPLE2
 object-group EXAMPLE1
 range 2001:db8::5 2001:db8::a

Port object groups define layer 4 ports. These are TCP/UDP agnostic. These object groups can also be nested within each other.

object-group port EXAMPLE1
 eq 53
 range 60 62
!
object-group port EXAMPLE2
 lt 1024
 object-group EXAMPLE1

Using groups in an ACL

These network groups and port groups can be used in either the source or destination field of an ACL.

ipv4 access-list EXAMPLE
 permit tcp net-group EXAMPLE1 port-group EXAMPLE1 any

ipv6 access-list EXAMPLE
 permit tcp any net-group EXAMPLE1 port-group EXAMPLE1

The benefit of this is that you can create ACLs that effectively contain many ACEs while needing only one or a few lines of configuration. The object groups are expanded into individual ACEs.

To add networks or ports to a group, you simply add them to the object-group. You don't need to completely redefine the object-group as you do with an RPL.

object-group network ipv4 EXAMPLE1
 host 3.3.3.3

Applying the ACL to an interface

Using the hybrid ACL means that you also set a compression level when applying it to an interface.

int Gi0/0/0/0
 ipv6 access-group EXAMPLE ingress compress level 0

Different compression levels are available on different platforms.

  • Compression 0

    • No compression. There is no advantage compared to just using a basic ACL. This uses 100% internal TCAM, which negatively impacts system resources.

  • Compression 2

    • The source IP and destination IP are compressed. An initial match is performed in external TCAM, then internal TCAM processes the remaining fields to evaluate the ACE.

  • Compression 3

    • The source IP, destination IP, and source port are compressed. These are looked up in external TCAM. The internal TCAM is used for the ACE.

The command show access-lists <name> expanded displays the ACL expanded into all of its individual ACEs.
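To make the expansion described above concrete (one group-based line becoming many ACEs, and that expansion growing when a host is appended to a group), here is an added Python model of it. It is not from these notes or from Cisco: it flattens nested network and port object groups and prints the cross product roughly as the expanded show output would list it. The group definitions are copied from the IPv4 examples on this page; the dict-based ACE shape, the CIDR rendering of hosts and ranges, and the handling of the gt keyword (not shown in the notes) are this example's own assumptions.

```python
"""Model of hybrid-ACL object-group expansion (added example, not Cisco code)."""
import ipaddress
from itertools import product

MAX_PORT = 65535

# Constructed sample groups, copied from the IPv4 object groups in the notes.
NET_GROUPS = {
    "EXAMPLE1": ["2.2.2.0/24", "host 1.1.1.1"],
    "EXAMPLE2": ["object-group EXAMPLE1", "range 1.1.1.2 1.1.1.10"],
}
PORT_GROUPS = {
    "EXAMPLE1": ["eq 53", "range 60 62"],
    "EXAMPLE2": ["lt 1024", "object-group EXAMPLE1"],
}


def expand_net_group(name, groups, path=()):
    """Flatten a (possibly nested) network group into a list of CIDR prefixes.

    'path' is the chain of groups already being expanded, so a nesting loop
    raises an error instead of recursing forever.
    """
    if name in path:
        raise ValueError("object-group loop: " + " -> ".join(path + (name,)))
    prefixes = []
    for entry in groups[name]:
        kind, *args = entry.split()
        if kind == "object-group":
            prefixes.extend(expand_net_group(args[0], groups, path + (name,)))
        elif kind == "host":
            prefixes.append(str(ipaddress.ip_network(args[0])))  # host -> /32
        elif kind == "range":
            lo, hi = ipaddress.ip_address(args[0]), ipaddress.ip_address(args[1])
            # A range becomes the minimal set of prefixes that exactly covers it.
            prefixes.extend(str(n) for n in ipaddress.summarize_address_range(lo, hi))
        else:
            prefixes.append(str(ipaddress.ip_network(kind, strict=False)))
    return prefixes


def expand_port_group(name, groups, path=()):
    """Flatten a (possibly nested) port group into inclusive (low, high) ranges."""
    if name in path:
        raise ValueError("object-group loop: " + " -> ".join(path + (name,)))
    ranges = []
    for entry in groups[name]:
        kind, *args = entry.split()
        if kind == "object-group":
            ranges.extend(expand_port_group(args[0], groups, path + (name,)))
        elif kind == "eq":
            ranges.append((int(args[0]), int(args[0])))
        elif kind == "range":
            ranges.append((int(args[0]), int(args[1])))
        elif kind == "lt":
            ranges.append((0, int(args[0]) - 1))
        elif kind == "gt":  # assumption: gt behaves like the ACL port keyword
            ranges.append((int(args[0]) + 1, MAX_PORT))
        else:
            raise ValueError(f"unsupported port entry: {entry}")
    return ranges


def port_keyword(lo, hi):
    """Render an inclusive port range back into ACE port syntax."""
    if lo == hi:
        return f"eq {lo}"
    if lo == 0:
        return f"lt {hi + 1}"
    if hi == MAX_PORT:
        return f"gt {lo - 1}"
    return f"range {lo} {hi}"


def expand_ace(ace, net_groups, port_groups):
    """Expand one group-based ACE (a dict, assumed shape) into individual ACEs.

    src/dst are 'any' or a net-group name; src_port/dst_port are None or a
    port-group name. The result is the full cross product, which is why a
    single configured line can stand for many TCAM entries.
    """
    def nets(field):
        return ["any"] if field == "any" else expand_net_group(field, net_groups)

    def ports(field):
        return [None] if field is None else expand_port_group(field, port_groups)

    lines = []
    for s, sp, d, dp in product(nets(ace["src"]), ports(ace["src_port"]),
                                nets(ace["dst"]), ports(ace["dst_port"])):
        parts = [ace["action"], ace["proto"], s]
        if sp is not None:
            parts.append(port_keyword(*sp))
        parts.append(d)
        if dp is not None:
            parts.append(port_keyword(*dp))
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    # The IPv4 ACE from the notes: permit tcp net-group EXAMPLE1 port-group EXAMPLE1 any
    ace = {"action": "permit", "proto": "tcp", "src": "EXAMPLE1",
           "src_port": "EXAMPLE1", "dst": "any", "dst_port": None}
    for line in expand_ace(ace, NET_GROUPS, PORT_GROUPS):
        print(line)
```

Running it prints four ACEs for the one configured line; appending host 3.3.3.3 to EXAMPLE1, as the notes do, makes the same line expand to six, which is the behaviour to keep in mind when sizing TCAM for a group-based ACL.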

In summary, hybrid ACLs (also called "scaled ACLs" or "compressed ACLs") allow for both easier management (fewer configuration lines) and better router performance (compressed lookups in external TCAM).