Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00)

53-1003035-02

Types of IP ACLs

IP ACLs can be configured as standard or extended ACLs. A standard ACL permits or denies packets
based on source IP address. An extended ACL permits or denies packets based on source and
destination IP address and also based on IP protocol information.

Standard or extended ACLs can be numbered or named. Standard numbered ACLs have an ID of 1
– 99. Extended numbered ACLs are numbered 100 – 199. IDs for standard or extended ACLs can
be a character string. In this document, an ACL with a string ID is called a named ACL.

ACL IDs and entries

ACLs consist of ACL IDs and ACL entries:

ACL ID – An IPv4 ACL ID is a number from 1 – 99 (for a standard ACL) or 100 – 199 (for an
extended ACL) or a character string. The ACL ID identifies a collection of individual ACL entries.
When you apply ACL entries to an interface, you do so by applying the ACL ID that contains the
ACL entries to the interface, instead of applying the individual entries to the interface. This
makes applying large groups of access filters (ACL entries) to interfaces simple.

ACL entry – ACL entries are the filter commands associated with an ACL ID. These are also
called “statements”. The maximum number of ACL entries you can configure is a system-wide
parameter and depends on the Brocade device you are configuring. You can configure up to
the maximum number of entries in any combination across different ACLs, but the total number of
entries in all ACLs cannot exceed the system maximum.

You configure ACLs on a global basis, then apply them to the incoming or outgoing traffic on
specific ports. You can apply only one IPv4 ACL to a port’s inbound traffic and similarly, only one
IPv4 ACL to a port’s outbound traffic. The software applies the entries within an ACL in the order
they appear in the ACL’s configuration. As soon as a match is found, the software takes the action
specified in the ACL entry (permit or deny the packet) and stops further comparison for that packet.
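As an added illustration (not from the guide and not Brocade code), the following Python model captures the rules just described: the 1 – 99 / 100 – 199 ID ranges, source-only matching for standard ACLs, first-match evaluation in configuration order, and the system-wide entry limit. The Entry fields, the AclTable class and the decision to treat named ACLs with extended matching are this example's own assumptions; the default of 4096 is the value given on this page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Union

SYSTEM_MAX_DEFAULT = 4096  # default of system-max ip-filter-sys on this page
AclId = Union[int, str]    # numbered (int) or named (string) ACL

@dataclass
class Entry:  # constructed model of one ACL statement, not CLI syntax
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source prefix
    dst: str = "0.0.0.0/0"       # destination prefix (extended ACLs only)
    proto: Optional[str] = None  # IP protocol (extended ACLs only); None = any

def acl_type(acl_id: AclId) -> str:
    """Classify an ACL ID: 1-99 standard, 100-199 extended, string named."""
    if isinstance(acl_id, int):
        if 1 <= acl_id <= 99:
            return "standard"
        if 100 <= acl_id <= 199:
            return "extended"
        raise ValueError(f"numbered ACL ID out of range: {acl_id}")
    return "named"

class AclTable:
    def __init__(self, system_max: int = SYSTEM_MAX_DEFAULT):
        self.system_max = system_max          # system-wide entry limit
        self.acls: Dict[AclId, List[Entry]] = {}

    def add(self, acl_id: AclId, entry: Entry) -> None:
        """Append an entry; the count across all ACLs may not exceed the max."""
        acl_type(acl_id)  # rejects numbered IDs outside 1-99 / 100-199
        if sum(len(v) for v in self.acls.values()) >= self.system_max:
            raise RuntimeError("system-wide ACL entry limit reached")
        self.acls.setdefault(acl_id, []).append(entry)

    def evaluate(self, acl_id: AclId, src: str, dst: str,
                 proto: str) -> Optional[str]:
        """Walk entries in configuration order; the first match decides.
        Returns 'permit' or 'deny', or None when no entry matched."""
        standard = acl_type(acl_id) == "standard"  # source-address only
        for e in self.acls.get(acl_id, []):        # named ACLs: extended match
            if ip_address(src) not in ip_network(e.src):
                continue
            if not standard and (ip_address(dst) not in ip_network(e.dst)
                                 or (e.proto and e.proto != proto)):
                continue
            return e.action
        return None
```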

Enabling support for additional ACL statements

You can enable support for up to 40,960 ACL statements. To enable the Brocade device to support
40,960 ACL entries, enter the following command at the Global CONFIG level of the CLI.

Brocade(config)# system-max ip-filter-sys 40960

Syntax: [no] system-max ip-filter-sys num

On the Brocade NetIron XMR and Brocade MLX series devices, the num parameter is a value from
0 to 40960. The default value is 4096.

On Brocade NetIron CES and Brocade NetIron CER devices, the num parameter is a value from 0 to
32768. The default value is 4096.

You can load ACLs dynamically by saving them in an external configuration file on a flash card or a TFTP
server, then loading them using one of the following commands:

copy slot1 | slot2 running from-name

ncopy slot1 | slot2 from-name running

copy tftp running-config ip-addr filename