At some point, we all need to write an access list. Like most things in EOS, doing so is very similar to doing so in IOS, with some minor changes here and there that we’ll cover in this chapter.
There are a variety of different Access-Control List (ACL) types, depending on how and where they are applied. The types include:
- Port ACLs (PACLs): applied to ports.
- Router ACLs (RACLs): applied to SVIs.
- MAC ACLs (MACLs): ACLs that filter based on MAC address.
- Control-plane ACLs: ACLs used to filter access to the CPU on the switch. This is the ACL where you would filter SSH, SNMP, Telnet, and so on to the switch itself.
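As an added example (my own constructed configuration, not from the book or from Arista's documentation), here is how these placements look in EOS syntax: a PACL on a port and on a port-channel, a RACL on an SVI, and a control-plane ACL that limits SSH and SNMP to one management subnet. The subnets, ACL names and port numbers are assumed, as is the `control-plane` configuration mode; confirm the mode name and rule syntax on your EOS release.

```eos
! Constructed example, not Arista's own configuration or the book's.
! EOS takes prefix-length notation (198.51.100.0/24), not IOS wildcard masks.
!
! Control-plane ACL: who may talk to the switch itself.
ip access-list MGMT-CP
   ! Only the management subnet (assumed) may reach the CPU over SSH (22)
   ! and SNMP (161).
   10 permit tcp 198.51.100.0/24 any eq 22
   20 permit udp 198.51.100.0/24 any eq 161
   ! A custom control-plane ACL replaces the default one, so every protocol
   ! the switch must receive itself (BGP on 179 here, assumed) needs a permit,
   ! or adjacencies drop the moment the ACL is applied.
   30 permit tcp any any eq 179
   40 permit tcp any eq 179 any
   ! Log the remainder: dropped probes against the management plane are
   ! what you want to see in syslog.
   50 deny ip any any log
!
! PACL: filter at the access port itself.
ip access-list USER-EDGE-IN
   ! Workstations (assumed 192.0.2.0/24) may reach the server VLAN only,
   ! and never over Telnet (23).
   10 deny tcp any any eq 23
   20 permit ip 192.0.2.0/24 10.10.20.0/24
   30 deny ip any any log
!
! RACL: filter routed traffic entering the server SVI.
ip access-list SERVERS-IN
   10 permit ip 10.10.20.0/24 192.0.2.0/24
   20 deny ip any any log
!
interface Ethernet1
   ip access-group USER-EDGE-IN in
!
! Members of a port-channel inherit the port-channel's ACL; apply it once here.
interface Port-Channel10
   ip access-group USER-EDGE-IN in
!
interface Vlan20
   ip access-group SERVERS-IN in
!
control-plane
   ip access-group MGMT-CP in
```

Verify the rules with `show ip access-lists` and, after applying MGMT-CP, confirm that a fresh SSH session from the permitted subnet still works before saving the configuration.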
Let’s look at the benefits and limitations of ACLs in EOS. According to the Arista Configuration Guide for EOS version 18.104.22.168, the following are features for ACLs:
- Port ACL applied on layer-2 Ethernet interfaces
- Port ACL on port-channel interfaces; ports in a port-channel apply the port-channel's ACL
- Filters: IPv4 protocol, source and destination address, TCP and UDP ports, TCP flags, and TTL
- List size: 512 active rules; diminished capacity if rules contain L4 and port-range filters
- Broadcast and multicast storm control
The same document also lists the following limitations:
- Filters based on IPv6/MAC
I’ve never had much of a use for egress ACLs on routers, so on the surface that’s not a big deal for me.
There are some valid uses for egress ACLs on switches, especially cut-through models. Additionally, the ...