XenServer vSwitch Controller ACL Configuration Hierarchy

While creating questions surrounding the vSwitch ACL policies for the 1Y0-A26 Citrix XenServer Administration practice exam, it took some time to wrap my head around the hierarchy of ACL rules. The Citrix XenServer 6.0 vSwitch Controller User Guide does a great job explaining. So here, I've condensed it into a nutshell:

  • Mandatory rules are evaluated before child rules and take precedence over all other rules except the mandatory rules of a parent (less specific) policy.
    • For instance, a pool's policy is the parent of (less specific than) a VLAN's policy, so the pool's mandatory rules are evaluated before the VLAN's mandatory rules and win on conflict.
  • Child rules are not rules themselves but placeholders: they mark the point in a policy's rule order at which the rules of its child (more specific) policies are evaluated, for instance the policy of a VM's interface within the VLAN's policy.
    • Because the placeholder sits between the mandatory rules and the default rules, every descendant's rules are evaluated after this policy's mandatory rules and before its default rules.
  • Default rules are evaluated last, after all mandatory rules and all child policy rules.
    • They take precedence only over the default rules of parent (less specific) policies.
    • They specify behaviour that should apply only if no more specific child policy specifies conflicting behaviour.
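To make the order concrete, here is a small Python model of the evaluation order the bullets above describe. It is an added example, not Citrix code and not the controller's own implementation: it assumes the three levels named on this page (pool, VLAN, VM interface), first-match semantics, and a toy rule shape (action, protocol, destination port) chosen for illustration; the sample policies and packets are constructed.

```python
"""Model of the vSwitch Controller ACL rule order described above.

Added example: not Citrix code; it does not talk to a controller. It assumes
three policy levels (pool > VLAN > VIF), first-match semantics, and a toy
rule shape (action, protocol, destination port). Sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto is None or self.proto == pkt.proto) and (
            self.dport is None or self.dport == pkt.dport
        )


@dataclass
class Policy:
    """One level of the hierarchy: mandatory rules, then the child
    placeholder, then default rules."""
    name: str
    mandatory: List[Rule] = field(default_factory=list)
    default: List[Rule] = field(default_factory=list)


def rule_order(path: List[Policy]) -> List[Tuple[str, Rule]]:
    """Flatten a root-to-leaf policy path into evaluation order.

    Mandatory rules run parent-first. Because the child placeholder sits
    between a policy's mandatory and default sections, every descendant's
    rules run before that policy's defaults, so default rules run
    leaf-first. Each entry is tagged with the policy that owns the rule.
    """
    order: List[Tuple[str, Rule]] = []
    for pol in path:              # pool, VLAN, VIF
        order += [(pol.name, r) for r in pol.mandatory]
    for pol in reversed(path):    # VIF, VLAN, pool
        order += [(pol.name, r) for r in pol.default]
    return order


def evaluate(path: List[Policy], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; returns (action, owning policy)."""
    for owner, rule in rule_order(path):
        if rule.matches(pkt):
            return rule.action, owner
    return "none", "no matching rule"   # not reached with a catch-all default


# Constructed sample policies.
POOL = Policy("pool",
              mandatory=[Rule("deny", "tcp", 25)],    # no direct SMTP from any VM
              default=[Rule("allow")])                # catch-all
VLAN10 = Policy("vlan10",
                default=[Rule("deny", "tcp", 23)])    # no telnet unless a VIF opts in
VIF_A = Policy("vm1-eth0",
               mandatory=[Rule("allow", "tcp", 25)],  # cannot beat the pool's mandatory deny
               default=[Rule("allow", "tcp", 23)])    # beats the VLAN's default deny
VIF_B = Policy("vm2-eth0")                            # inherits everything

PATH_A = [POOL, VLAN10, VIF_A]
PATH_B = [POOL, VLAN10, VIF_B]


def demo() -> List[Tuple[str, str, str, str]]:
    """Return (vif, proto/port, action, decided-by) for a few packets."""
    cases = [(PATH_A, Packet("tcp", 25)), (PATH_A, Packet("tcp", 23)),
             (PATH_B, Packet("tcp", 23)), (PATH_A, Packet("tcp", 80))]
    return [(path[-1].name, f"{p.proto}/{p.dport}", *evaluate(path, p))
            for path, p in cases]


if __name__ == "__main__":
    for vif, flow, action, owner in demo():
        print(f"{vif:9} {flow:7} {action:5} (rule owned by {owner})")
```

The two points worth noticing when running it: the VIF's mandatory "allow tcp/25" never fires because the pool's mandatory deny is evaluated first, and vm1-eth0 gets telnet only because its own default rule is evaluated before the VLAN's default deny, while vm2-eth0, which says nothing, inherits the VLAN's deny. If you want a parent to set a floor that children cannot open, put it in the parent's mandatory rules; if you want a parent to set a baseline that children may override, put it in the parent's default rules.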

Take a look at the Citrix XenServer 6.0 vSwitch Controller User Guide, pages 16 and 17 for more information about configuring vSwitch Controller ACLs and their hierarchy.
