How the brocade device processes acls, General configuration guidelines – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Multi-Service IronWare Security Configuration Guide
53-1003035-02, page 95
How the Brocade device processes ACLs
The Brocade device processes traffic that ACLs filter in hardware. The Brocade device creates an
entry for each ACL in the Content Addressable Memory (CAM) at startup or when the ACL is created.
The Brocade device uses these CAM entries to permit or deny packets in the hardware, without
sending the packets to the CPU for processing.
General configuration guidelines
Consider the following configuration guidelines:
• ACLs are supported on physical interfaces, LAG groups, and virtual routing interfaces.
• Both inbound and outbound ACLs are supported.
• You can create up to 4096 ACL entries across all the ACL configurations on the device.
• On the Brocade NetIron XMR and Brocade MLX series devices, each port can support only one inbound ACL; however, that ACL can contain multiple statements. For example, ACLs 101 and 102 cannot both be bound to port 1, but ACL 101 can contain multiple entries.
• On Brocade NetIron CES and Brocade NetIron CER devices, each port can support one inbound L2 ACL and one inbound IP ACL. If both an inbound L2 ACL and an inbound IP ACL are bound to the same port, incoming packets are evaluated first by the IP ACL. Include a “permit any” statement at the end of the IP ACL; otherwise the implicit deny will prevent any packet not explicitly permitted by the IP ACL from ever being evaluated by the L2 ACL.
• You cannot enable any of the following features on an interface if an ACL is already applied to that interface:
  • ACL-based rate limiting
  • Policy-based routing (PBR)
  • VLAN ID Translation or Inner VLAN ID Translation
• IP inbound and L2 inbound ACLs are mutually exclusive on the Brocade NetIron XMR and Brocade MLX series devices, but both may be bound to the same port on Brocade NetIron CES and Brocade NetIron CER devices. IP outbound and L2 outbound ACLs are mutually exclusive on all platforms.
• Support for ACLs on MPLS VPN endpoints – the following restrictions apply:
  • IPv4 and IPv6 inbound ACLs are not supported on VPLS, VLL, or VLL-Local endpoints, and vice versa.
  • A PBR route-map cannot be applied on VPLS, VLL, or VLL-Local endpoints, and vice versa.
  • The ip access-group redirect-deny-to-inter and ip access-group enable-deny-logging commands cannot be applied on VPLS, VLL, or VLL-Local endpoints, and vice versa.
  • IPv4 ACL-based rate limiting is not supported on VPLS and VLL endpoints.
  • Layer-2 ACLs and Layer-2 ACL-based rate limiting are not supported on Layer-3 VPNs.
  • PBR policies are not supported on Layer-3 VPNs.
• For all NetIron devices, if a port has an IPv4 or IPv6 ACL applied, you must remove the ACL bindings before adding that port to a VLAN that has a VE interface.
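The CES/CER evaluation-order guideline above (IP ACL first with its implicit deny, then the L2 ACL) as an added illustration that is not part of the Brocade manual: a small Python model of the two-stage lookup, using constructed rules and packets, which shows that without a trailing “permit any” in the IP ACL the L2 ACL is never consulted.

```python
# Added example (not Brocade code): model of a NetIron CES/CER port with both an
# inbound IP ACL and an inbound L2 ACL bound. All rules and packets are constructed.
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str                                   # "permit" or "deny"
    match: dict = field(default_factory=dict)     # field -> required value; {} matches any packet

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


def evaluate(acl: list, pkt: dict) -> str:
    """First-match evaluation; every ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def port_decision(ip_acl: list, l2_acl: list, pkt: dict) -> str:
    """CES/CER order: the IP ACL runs first; only permitted packets reach the L2 ACL."""
    if evaluate(ip_acl, pkt) == "deny":
        return "deny (IP ACL)"
    if evaluate(l2_acl, pkt) == "deny":
        return "deny (L2 ACL)"
    return "permit"


# Constructed policy: the IP ACL is meant only to block telnet to one host,
# the L2 ACL is meant to block one source MAC and permit everything else.
IP_ACL_NO_PERMIT_ANY = [Rule("deny", {"proto": "tcp", "dst": "10.0.0.5", "dport": 23})]
IP_ACL_WITH_PERMIT_ANY = IP_ACL_NO_PERMIT_ANY + [Rule("permit")]   # trailing "permit any"
L2_ACL = [Rule("deny", {"src_mac": "00:11:22:33:44:55"}), Rule("permit")]

# Constructed sample packets arriving on the port.
PACKETS = {
    "telnet_to_host":       {"proto": "tcp", "dst": "10.0.0.5", "dport": 23, "src_mac": "00:aa:bb:cc:dd:ee"},
    "web_from_blocked_mac": {"proto": "tcp", "dst": "10.0.0.9", "dport": 80, "src_mac": "00:11:22:33:44:55"},
    "web_from_ok_mac":      {"proto": "tcp", "dst": "10.0.0.9", "dport": 80, "src_mac": "00:aa:bb:cc:dd:ee"},
}


def run(ip_acl: list) -> dict:
    """Decision per sample packet for a given IP ACL paired with L2_ACL."""
    return {name: port_decision(ip_acl, L2_ACL, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("without permit any:", run(IP_ACL_NO_PERMIT_ANY))   # every packet dropped by the IP ACL
    print("with permit any:   ", run(IP_ACL_WITH_PERMIT_ANY))  # L2 ACL now sees the traffic
```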