While creating questions about the vSwitch ACL policies for the 1Y0-A26 Citrix XenServer Administration practice exam, it took me some time to wrap my head around the hierarchy of ACL rules. The Citrix XenServer 6.0 vSwitch Controller User Guide does a great job of explaining it, so here it is condensed into a nutshell:
- Mandatory rules are evaluated before child rules and take precedence over all rules except the mandatory rules of a parent (less specific) policy.
  - For instance, a pool’s mandatory rule belongs to a parent policy (less specific) of a VLAN’s mandatory rule, so the pool’s rule takes precedence.
- Child rules are policy placeholders that indicate the position in the rule order at which the rules of the child policy (for instance, the policy of a VM’s interface) will be evaluated.
  - Child rules separate the mandatory rules from the default rules.
- Default rules are evaluated last, after all mandatory rules and all child policy rules.
  - They take precedence only over the default rules of parent policies (less specific default rules).
  - They are used to specify behavior that should apply only if a more specific child policy does not specify conflicting behavior.
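As an added example that is not part of the original post or of the Citrix product, the following Python script models that evaluation order for a three-level hierarchy (pool, VLAN, VM interface, the levels used in the bullets above). The rule format, the first-match semantics and the implicit allow when nothing matches are assumptions of this model, not behavior quoted from the vSwitch Controller guide; all rule contents and packets are constructed.

```python
# Constructed model of the vSwitch Controller ACL hierarchy described above.
# Assumptions (this is illustrative code, not the Citrix implementation):
#   - policy levels, from least to most specific: pool, vlan, vm_interface
#   - each policy has a list of mandatory rules and a list of default rules
#   - a rule is (protocol, destination port, action), first match wins,
#     and a packet that matches nothing is allowed
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ["pool", "vlan", "vm_interface"]  # parent -> child


@dataclass
class Rule:
    protocol: str            # "tcp", "udp" or "any"
    port: Optional[int]      # destination port, None = any port
    action: str              # "allow" or "deny"

    def matches(self, packet: dict) -> bool:
        proto_ok = self.protocol in ("any", packet["protocol"])
        port_ok = self.port is None or self.port == packet["port"]
        return proto_ok and port_ok


@dataclass
class Policy:
    mandatory: list = field(default_factory=list)
    default: list = field(default_factory=list)


def effective_order(policies: dict) -> list:
    """Flatten the hierarchy into the order in which rules are evaluated.

    Mandatory rules run parent-first (a parent's mandatory rule beats a
    child's), the child-rule placeholder then descends one level, and the
    default rules run child-first (a child's default rule beats a parent's).
    """
    order = []
    for level in LEVELS:                       # pool -> vlan -> vm_interface
        order += [(level, "mandatory", r) for r in policies[level].mandatory]
    for level in reversed(LEVELS):             # vm_interface -> vlan -> pool
        order += [(level, "default", r) for r in policies[level].default]
    return order


def evaluate(policies: dict, packet: dict) -> tuple:
    """Return (action, level, kind) of the first matching rule, else allow."""
    for level, kind, rule in effective_order(policies):
        if rule.matches(packet):
            return rule.action, level, kind
    return "allow", None, None


# Constructed sample policies: the pool forbids telnet for everyone (mandatory)
# and denies ssh unless a more specific policy says otherwise (default).
POLICIES = {
    "pool": Policy(mandatory=[Rule("tcp", 23, "deny")],
                   default=[Rule("tcp", 22, "deny")]),
    "vlan": Policy(default=[Rule("udp", None, "deny")]),
    "vm_interface": Policy(mandatory=[Rule("tcp", 23, "allow")],  # cannot beat pool mandatory
                           default=[Rule("tcp", 22, "allow")]),   # beats pool default
}

if __name__ == "__main__":
    for pkt in ({"protocol": "tcp", "port": 23}, {"protocol": "tcp", "port": 22},
                {"protocol": "udp", "port": 53}, {"protocol": "tcp", "port": 80}):
        print(pkt, "->", evaluate(POLICIES, pkt))
```

Running the script shows the two halves of the hierarchy: the VM interface's mandatory "allow telnet" loses to the pool's mandatory "deny telnet", while the VM interface's default "allow ssh" wins over the pool's default "deny ssh", exactly as the bullets above state.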
Take a look at the Citrix XenServer 6.0 vSwitch Controller User Guide, pages 16 and 17 for more information about configuring vSwitch Controller ACLs and their hierarchy.