Default acl action – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Multi-Service IronWare Security Configuration Guide
53-1003035-02
The ipv4 and ipv6 options are mutually exclusive within the same command. If you want to
configure this command to exclude both IPv4 and IPv6 traffic, you must use two separate
commands.
Enabling outbound ACLs for switched traffic per port
Configuring the if-acl-outbound exclude-switched-traffic command at the interface configuration
level allows you to exclude all switched traffic from outbound ACL filtering on a per-port basis. With
this command, one or more physical ports (for instance, all ports within a VLAN) can be configured
to exclude switched traffic from outbound ACL filtering.
This feature is configured as shown in the following example.
Brocade(config)# interface ethernet 3/1
Brocade(config-if-e10000-3/1)# if-acl-outbound exclude-switched-traffic
Syntax: [no] if-acl-outbound exclude-switched-traffic [ ipv6 | ipv4 ]
The ipv6 option limits the traffic excluded to IPv6 traffic only.
The ipv4 option limits the traffic excluded to IPv4 traffic only.
The ipv4 and ipv6 options are mutually exclusive within the same command. If you want to
configure this command to exclude both IPv4 and IPv6 traffic, you must use two separate
commands.
Default ACL action
The default action when no ACL is applied or bound to a Brocade interface is to permit all traffic.
Once an ACL is applied to the interface, even an ACL whose entries have not been configured, the
default action is to deny all traffic that is not explicitly permitted on the port:
• If you want to tightly control access, configure ACLs consisting of permit entries for the access
you want to permit. The ACLs implicitly deny all other access.
• If you want to secure access in environments with many users, you might want to configure
ACLs that consist of explicit deny entries, then add an entry to permit all access to the end of
each ACL. The software permits packets that are not denied by the deny entries.
• If dual inbound ACLs (both L2 and IP) are bound to a single port on a Brocade NetIron CES or
Brocade NetIron CER device, consider ending the IP ACL with a “permit any any” filter to ensure
that the L2 ACL is also applied to incoming packets. (See also “for dual inbound ACLs on Brocade
NetIron CES and Brocade NetIron CER devices”.)
NOTE
Do not apply an empty ACL (an ACL ID without any corresponding entries) to an interface. If you
accidentally do this, the software applies the default ACL action, deny all, to the interface and thus
denies all traffic.
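The following Python model, added here as an illustration and not code from the guide or from Brocade, reproduces the default ACL action semantics described above (no ACL bound permits all; a bound ACL is evaluated first-match with an implicit deny all, so an empty ACL denies everything) and contrasts the two ACL design patterns from the bullet list. The ACL IDs, prefixes and interface names are constructed sample values; the final function is a hypothetical audit check for the empty-ACL pitfall described in the NOTE.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Entry:
    """One ACL filter: an action plus optional source/destination prefix ('any' matches all)."""
    action: str                 # "permit" or "deny"
    src: str = "any"
    dst: str = "any"

    def matches(self, src: str, dst: str) -> bool:
        src_ok = self.src == "any" or ip_address(src) in ip_network(self.src)
        dst_ok = self.dst == "any" or ip_address(dst) in ip_network(self.dst)
        return src_ok and dst_ok


@dataclass
class Acl:
    acl_id: str
    entries: List[Entry] = field(default_factory=list)


def decide(acl: Optional[Acl], src: str, dst: str) -> str:
    """Default ACL action as the guide describes it: no ACL bound -> permit all;
    ACL bound (even with zero entries) -> first matching entry wins, otherwise implicit deny."""
    if acl is None:
        return "permit"
    for entry in acl.entries:
        if entry.matches(src, dst):
            return entry.action
    return "deny"


# Constructed sample ACLs showing the two patterns from the bullet list and the NOTE's pitfall.
TIGHT = Acl("101", [Entry("permit", src="10.1.0.0/16")])                # permit entries only
OPEN = Acl("102", [Entry("deny", src="192.0.2.0/24"), Entry("permit")])  # deny entries + permit all
EMPTY = Acl("103")                                                       # ACL ID with no entries


def find_empty_bindings(bindings: Dict[str, Optional[Acl]]) -> List[str]:
    """Hypothetical audit check: interfaces bound to an ACL that has no entries (deny all)."""
    return [ifname for ifname, acl in bindings.items() if acl is not None and not acl.entries]


if __name__ == "__main__":
    for name, acl in (("none", None), ("tight", TIGHT), ("open", OPEN), ("empty", EMPTY)):
        print(name, decide(acl, "10.1.2.3", "10.9.9.9"), decide(acl, "192.0.2.7", "10.9.9.9"))
    print(find_empty_bindings({"ethernet 3/1": TIGHT, "ethernet 3/2": EMPTY, "ethernet 3/3": None}))
```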