
Brocade FastIron Ethernet Switch Security Configuration Guide: Configuring a PBR policy; Configuring the ACLs


• You cannot apply PBR on a port if that port already has ingress ACLs, ACL-based rate limiting, DSCP-based QoS, or MAC address filtering.

• The number of route maps that you can define is limited by the available system memory, which is determined by the system configuration and how much memory other features use. When a route map is used in a PBR policy, the PBR policy uses up to six instances of a route map, up to five ACLs in a matching policy of each route map instance, and up to six next hops in a set policy of each route map instance. Note that the CLI will allow you to configure more than six next hops in a route map; however, the extra next hops will not be placed in the PBR database. The route map could be used by other features like BGP or OSPF, which may use more than six next hops.

• ACLs with the log option configured should not be used for PBR purposes.

• PBR ignores explicit or implicit deny ip any any ACL entries, to ensure that for route maps that use multiple ACLs, the traffic is compared to all the ACLs. PBR also ignores any deny clauses in an ACL. Traffic that matches a deny clause is routed normally using Layer 3 paths.

• PBR always selects the first next hop from the next hop list that is up. If a PBR policy's next hop goes down, the policy uses another next hop if available. If no next hops are available, the device routes the traffic in the normal way.

• PBR is not supported for fragmented packets. If the PBR ACL filters on Layer 4 information like TCP/UDP ports, fragmented packets are routed normally.

• You can change route maps or ACL definitions dynamically and do not need to rebind the PBR policy to an interface.

• PBR is supported only on the default VRF.

NOTE
On all platforms other than FSX, PBR will not be applied on tunnel interfaces.

Configuring a PBR policy

To configure PBR, you define the policies using IP ACLs and route maps, then enable PBR globally or
on individual interfaces. The device programs the ACLs into the packet processor on the interfaces and
routes traffic that matches the ACLs according to the instructions in the route maps.

To configure a PBR policy:

• Configure ACLs that contain the source IP addresses for the IP traffic you want to route using PBR.
• Configure a route map that matches on the ACLs and sets the route information.
• Apply the route map on an untagged interface or on a virtual interface.

Configuring the ACLs

PBR uses route maps to change the routing attributes in IP traffic. This section shows an example of
how to configure a standard ACL to identify the source subnet for IP traffic.

To configure a standard ACL to identify a source subnet, enter a command such as the following.

device(config)#access-list 99 permit 10.157.23.0 0.0.0.255

The command in this example configures a standard ACL that permits traffic from subnet
10.157.23.0/24. After you configure a route map that matches based on this ACL, the software uses the
route map to set route attributes for the traffic, thus enforcing PBR.
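Because the CLI accepts more next hops, ACLs and instances than PBR will actually program, a pre-deployment check is useful. The following Python checker is an added example, not part of the guide or of the FastIron software: it reads a constructed FastIron-style configuration and flags the PBR limits listed above. The route-map, match and "set ip next-hop" line syntax and all addresses are assumptions.

```python
import re
# Constructed sample configuration, not taken from the guide. Route-map, match and
# "set ip next-hop" syntax is assumed FastIron-style; addresses are documentation ranges.
SAMPLE_CONFIG = """
access-list 99 permit 10.157.23.0 0.0.0.255
access-list 100 permit 10.157.24.0 0.0.0.255 log
route-map pbr-out permit 10
 match ip address 99 101 102 103 104 105
 set ip next-hop 192.0.2.1
route-map pbr-out permit 20
 match ip address 100
 set ip next-hop 192.0.2.2
 set ip next-hop 192.0.2.3
 set ip next-hop 192.0.2.4
 set ip next-hop 192.0.2.5
 set ip next-hop 192.0.2.6
 set ip next-hop 192.0.2.7
 set ip next-hop 192.0.2.8
"""
MAX_INSTANCES, MAX_ACLS, MAX_NEXT_HOPS = 6, 5, 6  # limits stated in the guide

def parse_config(text):
    """Return the set of ACL numbers using 'log' and {route_map: {seq: {acls, hops}}}."""
    logged, maps, cur = set(), {}, None
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"access-list (\d+) .*\blog\b", s):
            logged.add(m.group(1))
        elif m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)", s):
            cur = maps.setdefault(m.group(1), {}).setdefault(int(m.group(2)), {"acls": [], "hops": []})
        elif cur is not None and (m := re.match(r"match ip address (.+)", s)):
            cur["acls"].extend(m.group(1).split())
        elif cur is not None and (m := re.match(r"set ip next-hop (\S+)", s)):
            cur["hops"].append(m.group(1))
    return logged, maps

def lint_pbr(text):
    """Flag route-map settings that PBR silently truncates or does not support."""
    logged, maps = parse_config(text)
    findings = []
    for name, insts in maps.items():
        if len(insts) > MAX_INSTANCES:
            findings.append(f"{name}: {len(insts)} instances; PBR uses at most {MAX_INSTANCES}")
        for seq, inst in sorted(insts.items()):
            if len(inst["acls"]) > MAX_ACLS:
                findings.append(f"{name} {seq}: {len(inst['acls'])} ACLs; PBR matches at most {MAX_ACLS}")
            if len(inst["hops"]) > MAX_NEXT_HOPS:
                findings.append(f"{name} {seq}: {len(inst['hops'])} next hops; only {MAX_NEXT_HOPS} enter the PBR database")
            findings += [f"{name} {seq}: ACL {a} uses 'log'; not supported for PBR" for a in inst["acls"] if a in logged]
    return findings
```

Running lint_pbr(SAMPLE_CONFIG) reports three findings: six ACLs in instance 10, seven next hops in instance 20, and the logging ACL 100 referenced by instance 20.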

FastIron Ethernet Switch Security Configuration Guide

145

53-1003088-03