Configuring standard numbered acls – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 107
• Inbound ACLs apply to all traffic, including management traffic. By default, outbound ACLs are not applied to traffic generated by the CPU. This must be enabled using the enable egress-acl-on-control-traffic command. See Applying egress ACLs to Control (CPU) traffic on page 122 for details.
• The number of ACLs supported per device is listed in the Maximum number of ACL entries table.
• Hardware-based ACLs support only one ACL per port, although that ACL can contain multiple entries (rules). For example, hardware-based ACLs do not support applying both ACL 101 and ACL 102 to port 1, but they do support ACL 101 containing multiple entries on that port.
• For devices that support both, inbound ACLs and outbound ACLs can co-exist. When an inbound
ACL and an outbound ACL are configured on the same port, the outbound ACL is applied only on
outgoing traffic.
• ACLs are affected by port regions. For example, on the FSX, multiple ACL groups share 1015 ACL rules per port region. Each ACL group must contain one entry for the implicit deny-all-IP-traffic clause. Also, each ACL group uses a multiple of 8 ACL entries. For example, if all ACL groups contain 5 ACL entries, you could add 127 ACL groups (1016/8) in that port region. If all your ACL groups contain 8 ACL entries, you could add 63 ACL groups, since you must account for the implicit deny entry.
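The port-region arithmetic above (configured entries plus one implicit deny, rounded up to a multiple of 8, then divided into the shared per-region budget) is easy to get wrong when groups have mixed sizes. The following is an added example, not code from the Brocade guide, that models that budget as a small capacity planner. The guide states 1015 shared rules per port region but divides by 1016 (127 × 8); the default budget here follows the division and is an assumption you can override, as are the function names and the constructed group sizes.

```python
# Added example (not from the Brocade guide): models the port-region ACL budget
# described in the guide. Each ACL group consumes its configured entries plus one
# implicit deny-all entry, rounded up to a multiple of 8 hardware entries.
import math

ENTRY_GRANULARITY = 8          # each ACL group occupies a multiple of 8 hardware entries
IMPLICIT_DENY_ENTRIES = 1      # the implicit "deny all IP traffic" clause

# The guide quotes 1015 shared rules per port region on the FSX but divides by
# 1016 (127 * 8). 1016 is used here as the divisible budget; treat it as an
# assumption and pass the figure for your platform explicitly if it differs.
DEFAULT_REGION_BUDGET = 1016


def hardware_entries_for_group(configured_entries: int) -> int:
    """Hardware entries one ACL group consumes: configured rules plus the implicit
    deny entry, rounded up to the next multiple of 8."""
    if configured_entries < 0:
        raise ValueError("entry count cannot be negative")
    needed = configured_entries + IMPLICIT_DENY_ENTRIES
    return math.ceil(needed / ENTRY_GRANULARITY) * ENTRY_GRANULARITY


def max_groups_per_region(entries_per_group: int, budget: int = DEFAULT_REGION_BUDGET) -> int:
    """How many identically sized ACL groups fit in one port region."""
    return budget // hardware_entries_for_group(entries_per_group)


def plan_region(group_sizes, budget: int = DEFAULT_REGION_BUDGET) -> dict:
    """Audit a proposed set of ACL groups (a list of configured entry counts)
    against one port region's budget. Returns per-group consumption, the total
    used, what remains, and whether the whole plan fits."""
    per_group = [hardware_entries_for_group(n) for n in group_sizes]
    used = sum(per_group)
    return {
        "per_group": per_group,
        "used": used,
        "remaining": budget - used,
        "fits": used <= budget,
    }


if __name__ == "__main__":
    # Reproduce the two figures in the guide: 5-entry groups -> 127, 8-entry groups -> 63.
    print(max_groups_per_region(5))   # 127
    print(max_groups_per_region(8))   # 63
    # A constructed plan: a handful of ACL groups of mixed size on one region.
    print(plan_region([5, 8, 15, 16, 100]))
```

The rounding is the part worth noticing: a 15-entry group and a 16-entry group differ by one configured rule, but with the implicit deny added the second one crosses a multiple-of-8 boundary and costs 24 hardware entries instead of 16.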
• By default, the first fragment of a fragmented packet received by the Brocade device is permitted or
denied using the ACLs, but subsequent fragments of the same packet are forwarded in hardware.
Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be
completed without the entire packet.
• ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP
Inspection (DAI) are enabled. Also, IP source guard and ACLs are supported together on the same
port, as long as both features are configured at the port-level or per-port-per-VLAN level. Brocade
ports do not support IP source guard and ACLs on the same port if one is configured at the port-level
and the other is configured at the per-port-per-VLAN level.
• Ingress MAC filters can be applied to the same port as an outbound ACL.
• A DOS attack configuration on a port will only apply on the ingress traffic.
• Outbound ACLs cannot be configured through a RADIUS server as dynamic or user-based ACLs. However, outbound ACLs can still be configured with MAC-AUTH/DOT1X enabled, because the two are configured in different directions.
• The following ACL features and options are not supported on the FastIron devices:
‐ Applying an ACL on a device that has Super Aggregated VLANs (SAVs) enabled.
‐ ACL logging of permitted packets. ACL logging is supported for packets that are sent to the CPU for processing (denied packets) for inbound traffic. ACL logging is not supported for packets that are processed in hardware (permitted packets).
‐ Flow-based ACLs
‐ Layer 2 ACLs
• You can apply an ACL to a port that has TCP SYN protection or ICMP smurf protection, or both,
enabled.
Configuring standard numbered ACLs
This section describes how to configure standard numbered ACLs with numeric IDs and provides
configuration examples.
Standard ACLs permit or deny packets based on source IP address. You can configure up to 99
standard numbered ACLs. There is no limit to the number of ACL entries an ACL can contain except for
the system-wide limitation. For the number of ACL entries supported on a device, refer to
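Standard ACLs, as described above, decide on the source IP address alone, evaluate entries in order with the first match winning, and end in an implicit deny. The following is an added example, not code from the Brocade guide, that models that evaluation in Python so the behaviour can be checked against sample addresses; it also reflects the earlier note that logging applies only to denied (CPU-processed) packets. The rule text format, the helper names and the sample addresses are constructed for the example and are not FastIron CLI syntax.

```python
# Added example (not from the Brocade guide): a model of how a standard numbered
# ACL is evaluated. Standard ACLs look only at the source IP address, entries are
# tried in order and the first match wins, and a packet matching no entry hits
# the implicit deny. The rule text format and sample addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StandardRule:
    action: str                                # "permit" or "deny"
    source: Optional[ipaddress.IPv4Network]    # None means "any"
    log: bool = False                          # whether a hit on this entry is logged


def parse_standard_rule(text: str) -> StandardRule:
    """Parse a constructed rule line such as 'deny host 10.0.0.5 log',
    'permit 10.1.0.0 0.0.255.255' (address plus wildcard mask) or 'permit any'.
    Only contiguous wildcard masks are accepted; others raise ValueError."""
    tokens = text.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    log = tokens[-1] == "log"
    body = tokens[1:-1] if log else tokens[1:]
    if body == ["any"]:
        source = None
    elif body[0] == "host" and len(body) == 2:
        source = ipaddress.IPv4Network(body[1] + "/32")
    elif len(body) == 2:
        # Wildcard mask: 0 bits must match, 1 bits are ignored. Invert it to get
        # a netmask; a non-contiguous mask makes IPv4Network raise ValueError.
        wildcard = int(ipaddress.IPv4Address(body[1]))
        netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
        source = ipaddress.IPv4Network((body[0], str(netmask)), strict=False)
    elif len(body) == 1:
        source = ipaddress.IPv4Network(body[0] + "/32")
    else:
        raise ValueError(f"cannot parse rule {text!r}")
    return StandardRule(action, source, log)


@dataclass(frozen=True)
class Verdict:
    action: str                 # "permit" or "deny"
    rule_index: Optional[int]   # None when the implicit deny applied
    logged: bool                # whether this decision would produce a log entry


def evaluate(acl: List[StandardRule], src_ip: str) -> Verdict:
    """First-match evaluation on the source address only. Destination, protocol
    and ports are not consulted by a standard ACL."""
    addr = ipaddress.IPv4Address(src_ip)
    for index, rule in enumerate(acl):
        if rule.source is None or addr in rule.source:
            # Logging is only available for denied packets, which go to the CPU;
            # permitted packets are forwarded in hardware without a log entry.
            logged = rule.log and rule.action == "deny"
            return Verdict(rule.action, index, logged)
    return Verdict("deny", None, False)   # implicit deny-all at the end of every ACL


# Constructed ACL 1: block one host (logged) and one /16, permit everything else.
ACL_1 = [parse_standard_rule(line) for line in (
    "deny host 10.157.22.26 log",
    "deny 10.157.0.0 0.0.255.255",
    "permit any",
)]

# Constructed ACL 2: a permit-only list that relies on the implicit deny.
ACL_2 = [parse_standard_rule("permit 192.0.2.0 0.0.0.255")]


if __name__ == "__main__":
    for ip in ("10.157.22.26", "10.157.99.1", "192.0.2.7"):
        print(ip, evaluate(ACL_1, ip))
    print("198.51.100.9", evaluate(ACL_2, "198.51.100.9"))   # implicit deny
```

Running it shows the two points practitioners most often trip over: in ACL 1 the logged host entry must precede the broader /16 entry or it never matches, and in ACL 2 any source outside 192.0.2.0/24 is dropped by the implicit deny even though no deny entry was written.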
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03