Brocade FastIron Ethernet Switch Security Configuration Guide, page 106: How hardware-based ACLs work, How fragmented packets are processed, Hardware aging of Layer 4 CAM entries, ACL configuration considerations
How hardware-based ACLs work
When you bind an ACL to inbound or outbound traffic on an interface, the device programs the Layer 4
CAM with the ACL. Permit and deny rules are programmed. Most ACL rules require one Layer 4 CAM
entry. However, ACL rules that match on more than one TCP or UDP application port may require
several CAM entries. The Layer 4 CAM entries for ACLs do not age out. They remain in the CAM until
you remove the ACL:
• If a packet received on the interface matches an ACL rule in the Layer 4 CAM, the device permits or
denies the packet according to the ACL.
• If a packet does not match an ACL rule, the packet is dropped, since the default action on an
interface that has ACLs is to deny the packet.
How fragmented packets are processed
The default processing of fragments by hardware-based ACLs is as follows:
• The first fragment of a packet is permitted or denied using the ACLs. The first fragment is handled
the same way as non-fragmented packets, since the first fragment contains the Layer 4 source and
destination application port numbers. The device uses the Layer 4 CAM entry if one is programmed,
or applies the interface's ACL entries to the packet and permits or denies the packet according to
the first matching ACL.
• Other fragments of the same packet are subject to a rule only if there is no Layer 4 information in that rule or in any preceding rule.
The fragments are forwarded even if the first fragment, which contains the Layer 4 information, was
denied. Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be
completed without the entire packet.
For tighter control, you can configure the port to drop all packet fragments. Refer to control of ACL filtering of fragmented packets on page 128.
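The fragment handling described above, modelled as an added example (not FastIron code): a Layer 4 deny rule stops the first fragment, while later fragments of the same packet, which carry no port numbers, are forwarded once rule evaluation reaches a rule with Layer 4 information. The default deny for unmatched packets, the "forwarded once a Layer 4 rule is reached" behaviour for later fragments and the drop-all-fragments switch are assumptions drawn from this page's wording; the rule and packet fields are constructed for the model.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of the documented fragment semantics; not FastIron code.
@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    dst: Optional[str] = None    # destination host, None means any
    dport: Optional[int] = None  # destination port; None means no Layer 4 information

@dataclass
class Packet:
    proto: str
    dst: str
    dport: Optional[int]         # None on non-initial fragments (no Layer 4 header present)
    first_fragment: bool = True

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True

def evaluate(acl: List[Rule], pkt: Packet, drop_all_fragments: bool = False) -> str:
    """Return "permit" or "deny" for one packet or fragment."""
    if pkt.first_fragment:
        # The first fragment carries the ports and is filtered like a whole packet.
        for rule in acl:
            if rule_matches(rule, pkt):
                return rule.action
        return "deny"            # default action on an interface that has ACLs
    if drop_all_fragments:
        return "deny"            # the tighter per-port control referred to above
    for rule in acl:
        if rule.dport is not None:
            return "permit"      # assumption: not subject to this or later rules, so forwarded
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"                # assumption: no rule matched, so the default deny applies

# Constructed example: a Layer 4 deny rule followed by a permit-everything rule.
ACL = [Rule("deny", "tcp", "10.0.0.5", 23), Rule("permit", "ip")]
FIRST = Packet("tcp", "10.0.0.5", 23, first_fragment=True)
LATER = Packet("tcp", "10.0.0.5", None, first_fragment=False)
```

Placing a Layer 3 only deny rule ahead of the Layer 4 rules, or enabling the drop-all-fragments control, is what closes the gap the model shows.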
Hardware aging of Layer 4 CAM entries
Rule-based ACLs use Layer 4 CAM entries. The device permanently programs rule-based ACLs into
the CAM. The entries never age out.
ACL configuration considerations
• See on page 103 for details on which devices support inbound and outbound ACLs.
• Hardware-based ACLs are supported on the following devices:
‐ Gbps Ethernet ports
‐ 10 Gbps Ethernet ports
‐ Trunk groups
‐ Virtual routing interfaces
NOTE
Brocade FCX devices do not support ACLs on Group VEs, even though the CLI contains commands
for this action.
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03