
Troubleshooting ACLs, Policy-based routing (PBR) – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 144


use: 3)

permit udp host 192.168.2.169 any (Flows: N/A, Packets: N/A, Rule cam use: 1)

permit icmp any any (Flows: N/A, Packets: N/A, Rule cam use: 1)

deny ip any any (Flows: N/A, Packets: N/A, Rule cam use: 1)

Syntax: show access-list [ ACL-num | ACL-name | all ]

The Rule cam use field lists the number of CAM entries used by the ACL or entry. The number of CAM
entries listed for the ACL itself is the total of the CAM entries used by the ACL entries.

For flow-based ACLs, the Total flows and Flows fields list the number of Layer 4 session table flows in
use for the ACL.

The Total packets and Packets fields apply only to flow-based ACLs.

Troubleshooting ACLs

Use the following methods to troubleshoot access control lists (ACLs):

• To display the number of Layer 4 CAM entries being used by each ACL, enter the show access-list ACL-num | ACL-name | all command. Refer to Displaying ACL information on page 143.

• To determine whether the issue is specific to fragmentation, remove the Layer 4 information (TCP or UDP application ports) from the ACL, then reapply the ACL.

If you are using another feature that requires ACLs, either use the same ACL entries for filtering and
for the other feature, or change to flow-based ACLs.

Policy-based routing (PBR)

Policy-Based Routing (PBR) allows you to use ACLs and route maps to selectively modify and route
IP packets in hardware. The ACLs classify the traffic. Route maps that match on the ACLs set routing
attributes for the traffic.

A PBR policy specifies the next hop for traffic that matches the policy. Using standard ACLs with PBR,
you can route IP packets based on their source IP address. With extended ACLs, you can route IP
packets based on all of the clauses in the extended ACL.

You can configure the Brocade device to perform the following types of PBR based on a packet's Layer 3 and Layer 4 information:

• Select the next-hop gateway.
• Send the packet to the null interface (null0).

When a PBR policy has multiple next hops to a destination, PBR selects the first next hop specified in the policy that is up. If none of the policy's direct routes or next hops are available, the packet is routed in the normal way.
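The following is an added example, not code or configuration from this guide or from Brocade: a small Python model of the PBR decision described above. A standard ACL classifies on source address only, an extended ACL on all of its clauses; a matching route-map clause either sends the packet to null0 or to the first configured next hop that is up, and traffic with no usable next hop, or no matching policy, falls back to normal routing. All class and function names, addresses and ports are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional
@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None
@dataclass
class AclEntry:
    action: str                  # "permit" or "deny"
    src: str                     # a standard ACL matches on this prefix only
    dst: str = "0.0.0.0/0"       # the remaining fields are extended-ACL clauses
    proto: str = "ip"
    dport: Optional[int] = None
def acl_classifies(entries: List[AclEntry], pkt: Packet) -> bool:
    # First match wins, implicit deny at the end; True = selected by the policy.
    for e in entries:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(e.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(e.dst)
                and e.proto in ("ip", pkt.proto)
                and e.dport in (None, pkt.dport)):
            return e.action == "permit"
    return False

@dataclass
class Clause:
    acl: List[AclEntry]
    next_hops: List[str] = field(default_factory=list)  # in configured order
    null0: bool = False                                  # "send to null0" clause

def pbr_decision(clauses: List[Clause], pkt: Packet, live_hops: set) -> str:
    # First matching clause wins; first next hop that is up, "null0", or "normal".
    for c in clauses:
        if not acl_classifies(c.acl, pkt):
            continue
        if c.null0:
            return "null0"
        for hop in c.next_hops:
            if hop in live_hops:
                return hop
        return "normal"          # policy matched but no next hop is available
    return "normal"              # no policy matched

# Constructed sample policy; addresses and ports are hypothetical.
POLICY = [
    Clause(acl=[AclEntry("permit", "0.0.0.0/0", proto="tcp", dport=23)], null0=True),
    Clause(acl=[AclEntry("permit", "192.168.2.0/24")], next_hops=["10.0.0.2", "10.0.0.3"]),
]
```

Calling pbr_decision(POLICY, Packet("192.168.2.169", "172.16.0.9"), {"10.0.0.3"}) returns "10.0.0.3" because the first configured hop is down, and an empty live set returns "normal".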

Configuration considerations for policy-based routing

• PBR is supported in the full Layer 3 code only.
• PBR is not supported together with Ingress ACLs on the same port.
• Global PBR is not supported when IP Follow is configured on an interface.
• Global PBR is not supported with per-port-per-VLAN ACLs.
• A PBR policy on an interface takes precedence over a global PBR policy.

Troubleshooting ACLs

144

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03