Configuring ACLs, ACL overview, ACL benefits – Brocade Network OS Administrator’s Guide v4.1.1 User Manual

Configuring ACLs
ACL overview
NOTE
In the Brocade Network OS 4.0.0 release, both ingress Layer 2 MAC access control lists (ACLs) and
Layer 3 IP ACLs are supported. With the introduction of Network OS 4.0.0, extended IP ACLs support
IPv6 for access to the switch or cluster from the management plane; however, management plane ACLs do
not support the use of remarks.
ACLs filter traffic for the Brocade VDX hardware platforms and permit or deny frames on ingress
interfaces that have the ACLs applied to them. You can apply ACLs on the three kinds of Layer 2
interfaces that Brocade Network OS 4.0.0 supports (physical 1-, 10-, and 4-gigabit Ethernet; VLAN; and
port-channel, both static and dynamic LAGs) and on Layer 3 IP virtual interfaces.
Each ACL is a unique collection of "permit" and "deny" statements (rules) that apply to frames. When a
frame is received on an interface, the switch compares the fields in the frame against any ACLs applied
to the interface to verify that the frame has the required permissions to be forwarded. The switch
compares the frame sequentially against each rule in the ACL, and either forwards the frame or drops
the frame.
The switch examines ACLs associated with options configured on a given interface. As frames enter the
switch on an interface, ACLs associated with all inbound options configured on that interface are
examined.
ACL benefits
The primary benefits of ACLs are as follows:
• Provide a measure of security.
• Save network resources by reducing traffic.
• Block unwanted traffic or users.
• Reduce the chance of denial-of-service (DoS) attacks.
There are two types of ACLs:
• Standard ACLs — Permit and deny traffic according to the source MAC address in the incoming
frame. Use standard MAC ACLs if you only need to filter traffic based on source addresses.
• Extended ACLs — Permit and deny traffic according to the source and destination MAC addresses in
the incoming frame, as well as EtherType.
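The sequential comparison and the two ACL types described above, modeled as an added Python example (not code from the Brocade guide, and not Network OS CLI syntax). The MAC addresses, the `Rule` fields and the `no_match` fall-through action are assumptions of this sketch; the page does not say what happens to a frame that matches no rule, so the caller supplies it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: Optional[str] = None         # source MAC; None = any. Standard ACLs set only this
    dst: Optional[str] = None         # destination MAC (extended ACLs)
    ethertype: Optional[int] = None   # EtherType (extended ACLs)

    def fields(self):
        return (self.src, self.dst, self.ethertype)

    def matches(self, frame):
        # frame is a (src, dst, ethertype) tuple; a None field in the rule is a wildcard
        return all(want is None or want == got
                   for want, got in zip(self.fields(), frame))

def evaluate(acl, frame, no_match):
    """First matching rule decides; returns (action, rule index or None)."""
    for index, rule in enumerate(acl):
        if rule.matches(frame):
            return rule.action, index
    return no_match, None   # assumption: caller states the fall-through action

def shadowed(acl):
    """Indexes of rules that can never match because an earlier rule covers them."""
    def covers(a, b):
        return all(x is None or x == y for x, y in zip(a.fields(), b.fields()))
    return [j for j, later in enumerate(acl)
            if any(covers(earlier, later) for earlier in acl[:j])]

# Constructed sample addresses and ACLs (not taken from the guide)
HOST_A, HOST_B, SERVER = "0011.2233.4455", "0011.2233.6677", "00aa.bbcc.0001"
IPV4, ARP = 0x0800, 0x0806

standard_acl = [Rule("deny", src=HOST_A), Rule("permit")]
extended_acl = [
    Rule("permit", dst=SERVER, ethertype=IPV4),
    Rule("deny", src=HOST_A),
    Rule("permit", src=HOST_A, dst=SERVER, ethertype=IPV4),  # covered by rule 0
    Rule("permit", src=HOST_A, ethertype=ARP),               # covered by rule 1
]

if __name__ == "__main__":
    print(evaluate(standard_acl, (HOST_A, SERVER, IPV4), "deny"))
    print(evaluate(extended_acl, (HOST_A, SERVER, IPV4), "deny"))
    print(shadowed(extended_acl))
```

In the extended sample, the broad permit at index 0 is compared before the deny at index 1, so IPv4 frames from the denied host still reach the server; the shadow check flags the two later rules that the ordering makes unreachable.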
MAC ACLs are supported on the following interface types:
• Physical interfaces
• Logical interfaces (LAGs)
• VLANs
IP ACLs are supported on the following interface types:
Network OS Administrator’s Guide
53-1003225-04