
Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


53-1003035-02

How the Brocade device processes ACLs


NOTE

On all NetIron devices running any software version earlier than 5.5, you must remove the ACL
bindings from a port before adding that port to any VLAN, and then re-apply the ACL bindings after
the VLAN is configured on the port.

NOTE

On any NetIron device, the ACLs configured on a physical or virtual interface are not removed by
disabling and re-enabling the interface; the bindings persist until you remove them explicitly.

Configuration considerations for dual inbound ACLs on Brocade NetIron CES and Brocade NetIron CER devices

You can bind both an inbound L2 ACL and an inbound IP ACL to the same port on the Brocade
NetIron CES and Brocade NetIron CER devices. The IP ACL is applied first to incoming packets; only a
packet permitted by the IP ACL is then examined against the L2 ACL. “Deny” actions take precedence
(if one ACL permits a packet and the other denies it, the packet is dropped), and there is an implicit
“deny” at the end of each ACL. Because of that implicit deny, a packet that matches no clause of the
IP ACL is dropped before the L2 ACL ever sees it, so the L2 ACL has no effect on such traffic.
Therefore, when binding dual inbound ACLs to a single port, include a “permit any” filter as the last
clause of the IP ACL. This ensures that packets not explicitly denied by the IP ACL are passed to the
L2 ACL for evaluation.

NOTE

Dual inbound ACLs can also affect the behavior of ACL accounting. Refer to “ACL Accounting
interactions between L2 ACLs and IP ACLs” for details.
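The evaluation order described above (IP ACL first, then L2 ACL, each closed by an implicit deny) is easy to get wrong in practice, so the following added example models it as a small Python simulation. This is illustration code written for this page, not Brocade software or a Brocade CLI fragment; the ACL clauses, MAC and IP addresses, and the packet samples are constructed for the example. It evaluates the same traffic against an IP ACL with and without the trailing “permit any” to show why the L2 ACL never takes effect without it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Minimal view of an incoming frame: L2 addresses plus IPv4 addresses."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class IpClause:
    action: str            # "permit" or "deny"
    src: str = "any"       # "any" or an IPv4 prefix in CIDR notation
    dst: str = "any"

    def matches(self, pkt: Packet) -> bool:
        return _ip_in(self.src, pkt.src_ip) and _ip_in(self.dst, pkt.dst_ip)


@dataclass(frozen=True)
class L2Clause:
    action: str            # "permit" or "deny"
    src: str = "any"       # "any" or an exact MAC address (xxxx.xxxx.xxxx)
    dst: str = "any"

    def matches(self, pkt: Packet) -> bool:
        return (self.src in ("any", pkt.src_mac.lower())
                and self.dst in ("any", pkt.dst_mac.lower()))


def _ip_in(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl, pkt):
    """First matching clause wins; the implicit deny closes every ACL."""
    for clause in acl:
        if clause.matches(pkt):
            return clause.action
    return "deny"


def dual_inbound(ip_acl, l2_acl, pkt):
    """Model of the CES/CER order: IP ACL first, then L2 ACL.

    A deny from either ACL drops the packet. Returns (verdict, deciding ACL).
    """
    if evaluate(ip_acl, pkt) == "deny":
        return ("drop", "ip-acl")
    if evaluate(l2_acl, pkt) == "deny":
        return ("drop", "l2-acl")
    return ("forward", None)


# Constructed sample policy: block 10/8 sources in the IP ACL, block one
# known-bad source MAC in the L2 ACL, allow everything else.
IP_ACL_NO_TAIL = [IpClause("deny", src="10.0.0.0/8")]
IP_ACL_WITH_TAIL = IP_ACL_NO_TAIL + [IpClause("permit")]     # trailing "permit any"
L2_ACL = [L2Clause("deny", src="aaaa.bbbb.cccc"), L2Clause("permit")]

# Constructed sample traffic.
SAMPLES = {
    "legit":   Packet("0000.1111.2222", "0000.3333.4444", "192.168.1.10", "192.168.2.20"),
    "bad_mac": Packet("aaaa.bbbb.cccc", "0000.3333.4444", "192.168.1.11", "192.168.2.20"),
    "bad_ip":  Packet("0000.5555.6666", "0000.3333.4444", "10.1.2.3", "192.168.2.20"),
}


def demo():
    """Run every sample through both IP ACL variants and return the verdicts."""
    return {
        "no_tail": {name: dual_inbound(IP_ACL_NO_TAIL, L2_ACL, p) for name, p in SAMPLES.items()},
        "with_tail": {name: dual_inbound(IP_ACL_WITH_TAIL, L2_ACL, p) for name, p in SAMPLES.items()},
    }


if __name__ == "__main__":
    for variant, results in demo().items():
        print(variant)
        for name, (verdict, by) in results.items():
            print(f"  {name:8} -> {verdict}" + (f" (by {by})" if by else ""))
```

Without the trailing permit, every packet, including the one the L2 ACL is meant to catch, is dropped by the IP ACL's implicit deny and the L2 ACL is never consulted, which also means the L2 ACL's counters never move. With the trailing permit, the 10/8 source is still denied by the IP ACL, the bad MAC is denied by the L2 ACL, and the remaining traffic is forwarded.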

Configuration considerations for IPv4 outbound ACLs on VPLS, VLL, and VLL-Local endpoints

IPv4 outbound ACLs are supported on VPLS, VLL, and VLL-local endpoints with the following
configuration considerations:

• First configure the port as a VPLS, VLL, or VLL-local endpoint, and then bind the IPv4 outbound
ACL to it.

• Remove the IPv4 outbound ACL from a VPLS, VLL, or VLL-local endpoint before removing the port
from the VPLS, VLL, or VLL-local instance or from the corresponding VLAN.

• Remove the IPv4 outbound ACL from all VPLS, VLL, or VLL-local endpoints before deleting the
VPLS, VLL, or VLL-local instance or the corresponding VLAN.

• If the VPLS, VLL, or VLL-local endpoint is a LAG port, you must remove the IPv4 outbound ACL
from the primary LAG port before deleting the LAG. This restriction applies even if you attempt to
delete the LAG using the force keyword.

• If a VLL or VLL-local endpoint is a LAG port with an IPv4 outbound ACL, you must remove the IPv4
outbound ACL from the primary LAG port before dynamically removing a port from the LAG.

• Ensure that no VPLS, VLL, or VLL-local endpoint still has an IPv4 outbound ACL bound before
entering the no router mpls command.