Disabling outbound acls for switching traffic – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Multi-Service IronWare Security Configuration Guide, publication 53-1003035-02, chapter 3, page 97 (viewer page 115)
Disabling outbound ACLs for switching traffic
By default, when an outbound ACL is applied to a virtual interface, the Brocade device always filters
traffic that is switched from one port to another within the same virtual routing interface. Additional
commands allow you to exclude this switched traffic from outbound ACL filtering. The exclusion can
be configured globally or on a per-port basis. This feature applies to IPv4 and IPv6 ACLs only.
The global and interface-level commands for disabling outbound ACLs for switching traffic are
mutually exclusive. If the global command is configured, the interface command is not accepted. If
interface commands have already been configured, configuring the global command removes all of
the individual port commands from the Brocade device's configuration.
NOTE
This feature is not recommended for MPLS interfaces.
CAM considerations for Brocade NetIron CES and Brocade NetIron CER devices
CAM entries are shared between ingress and egress ACLs. An ACL clause applied inbound consumes
one CAM entry, and an egress ACL clause consumes four CAM entries. The maximum number of
egress ACL clauses is 2000 and the maximum number of ingress clauses is 8000.
Brocade NetIron CES and Brocade NetIron CER devices have a total of 8000 CAM entries per PPCR
(packet processor). The total number of CAM entries in a Brocade NetIron CES or Brocade NetIron
CER device therefore depends on the number of PPCRs (packet processors) in the system. See Table 15
below for the port types, the number of PPCRs (packet processors), and the total number of CAM
entries available.
Globally enabling outbound ACLs for switching traffic
Configuring the acl-outbound exclude-switched-traffic command at the global configuration level
excludes all switched traffic from outbound ACL filtering. The feature is configured as shown in the
following example.
Brocade(config)# acl-outbound exclude-switched-traffic ipv4
Syntax: [no] acl-outbound exclude-switched-traffic ipv6 | ipv4
The ipv6 option limits the traffic excluded to IPv6 traffic only.
The ipv4 option limits the traffic excluded to IPv4 traffic only.
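As an added example (not part of the guide), the following Python audit scans a running-config excerpt for the global command shown above and reports, per address family, whether traffic switched between ports of the same virtual routing interface still passes through outbound ACLs. The configuration text is constructed for the example; the per-port form of the command is not handled because this page does not show its syntax.

```python
import re

# Constructed running-config excerpt (not from the guide). Only the
# acl-outbound line uses syntax documented on this page.
SAMPLE_CONFIG = """\
hostname edge-router-1
!
acl-outbound exclude-switched-traffic ipv4
!
interface ve 10
 ip address 192.0.2.1/24
!
"""

# The global command takes exactly one address family per line (ipv4 | ipv6).
EXCLUDE_RE = re.compile(r"^\s*acl-outbound\s+exclude-switched-traffic\s+(ipv4|ipv6)\s*$")


def switched_traffic_exclusions(config_text):
    """Return the set of address families ('ipv4', 'ipv6') for which switched
    traffic is globally excluded from outbound ACL filtering."""
    families = set()
    for line in config_text.splitlines():
        match = EXCLUDE_RE.match(line)
        if match:
            families.add(match.group(1))
    return families


def audit_outbound_acl_coverage(config_text):
    """Report, per address family, whether intra-VE switched traffic is still
    subject to outbound ACLs (the default) or bypasses them (global exclusion)."""
    excluded = switched_traffic_exclusions(config_text)
    report = {}
    for family in ("ipv4", "ipv6"):
        if family in excluded:
            report[family] = "switched traffic bypasses outbound ACLs (global exclusion configured)"
        else:
            report[family] = "switched traffic is filtered by outbound ACLs (default)"
    return report


if __name__ == "__main__":
    for family, status in audit_outbound_acl_coverage(SAMPLE_CONFIG).items():
        print(f"{family}: {status}")
```

Run against a saved `show running-config` capture, the report makes it obvious when only one address family has been relaxed, which is easy to miss when the two exclusions are separate lines.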
TABLE 15    CAM usage on Brocade NetIron CES and Brocade NetIron CER devices

Brocade NetIron CES and Brocade NetIron CER devices   PPCR (packet processor)   Total CAM entries
24-1G                                                  1                         8000
48-1G                                                  2                         16000
24-1G & 2-10G                                          2                         16000
48-1G & 2-10G                                          3                         24000
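The CAM figures above (one entry per inbound clause, four per egress clause, 8000 entries per PPCR, clause caps of 8000 ingress and 2000 egress, and the PPCR counts of Table 15) can be turned into a budget check before an ACL change is pushed. The Python below is an added example, not code from the guide; it assumes that all clauses being counted are programmed into a single PPCR, so the per-PPCR limit is the binding one, and reports the system-wide total only for reference.

```python
# CAM accounting figures stated on this page
CAM_ENTRIES_PER_PPCR = 8000
INGRESS_CLAUSE_COST = 1      # CAM entries consumed per inbound ACL clause
EGRESS_CLAUSE_COST = 4       # CAM entries consumed per egress ACL clause
MAX_INGRESS_CLAUSES = 8000
MAX_EGRESS_CLAUSES = 2000

# Table 15: packet processors (PPCR) per port configuration
PPCR_COUNT = {
    "24-1G": 1,
    "48-1G": 2,
    "24-1G & 2-10G": 2,
    "48-1G & 2-10G": 3,
}


def cam_budget(port_config, ingress_clauses, egress_clauses):
    """Estimate CAM usage for the ACL clauses that one PPCR must hold.

    Assumption (not stated on the page): every clause counted here lands in
    the same PPCR, so its 8000-entry budget is the limit that matters.
    Returns a dict with the usage figures and any limits that were exceeded.
    """
    if port_config not in PPCR_COUNT:
        raise ValueError(f"unknown port configuration: {port_config!r}")
    ppcr = PPCR_COUNT[port_config]
    used = ingress_clauses * INGRESS_CLAUSE_COST + egress_clauses * EGRESS_CLAUSE_COST

    problems = []
    if ingress_clauses > MAX_INGRESS_CLAUSES:
        problems.append(f"ingress clauses {ingress_clauses} exceed cap {MAX_INGRESS_CLAUSES}")
    if egress_clauses > MAX_EGRESS_CLAUSES:
        problems.append(f"egress clauses {egress_clauses} exceed cap {MAX_EGRESS_CLAUSES}")
    if used > CAM_ENTRIES_PER_PPCR:
        problems.append(f"{used} CAM entries exceed the {CAM_ENTRIES_PER_PPCR} available per PPCR")

    return {
        "ppcr": ppcr,
        "total_cam": ppcr * CAM_ENTRIES_PER_PPCR,   # system-wide, per Table 15
        "cam_used": used,
        "cam_free": CAM_ENTRIES_PER_PPCR - used,    # negative when over budget
        "fits": not problems,
        "problems": problems,
    }


def max_egress_clauses(ingress_clauses):
    """Largest egress clause count that still fits on one PPCR next to the
    given number of ingress clauses (egress clauses cost four entries each)."""
    remaining = CAM_ENTRIES_PER_PPCR - ingress_clauses * INGRESS_CLAUSE_COST
    if remaining < 0:
        return 0
    return min(MAX_EGRESS_CLAUSES, remaining // EGRESS_CLAUSE_COST)


if __name__ == "__main__":
    # Constructed scenario: 1000 inbound + 1000 egress clauses on a 24-1G device
    result = cam_budget("24-1G", 1000, 1000)
    print(result)
    print("egress clauses that fit beside 4000 ingress:", max_egress_clauses(4000))
```

The `max_egress_clauses` helper makes the asymmetry visible: because an egress clause costs four entries, the 2000-clause egress cap on its own consumes the whole 8000-entry budget of a PPCR, so any ingress ACL on the same processor lowers the egress clause count that can actually be programmed.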