Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
53-1003035-02
Behavior In Conservative ACL Fragment Mode – If the Brocade device is configured for
Conservative ACL Fragment mode using the acl-frag-conservative command, fragmented and
non-fragmented packets are dropped or forwarded as follows:
•
The initial fragment does not match the first ACL entry because the fragment keyword is present.
The packet then matches the second (deny) ACL entry and is dropped.
•
Non-initial IP fragments match the first ACL entry based on L3 information. Because this is
a permit ACL entry, the matching packets are forwarded and rate-limited.
•
Non-fragmented packets do not match the first ACL entry because the fragment keyword is
present. The packet then matches the second (deny) ACL entry and is dropped.
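The three cases above, worked through as an added example that is not part of the Brocade guide: a small Python simulation of how the two-entry ACL (a permit entry with the fragment keyword bound to a rate-limiting policy, followed by a deny entry) is evaluated under acl-frag-conservative. The Packet and AclEntry shapes, the rate_limit marker and the sample addresses are assumptions made for the simulation, not Brocade data structures; the packet classification follows the IP Fragment Offset and MF flag.

```python
"""Added example (not from the Brocade guide): a simulation of how a
two-entry ACL is evaluated in Conservative ACL Fragment Mode.

Entry 1 is a permit entry carrying the "fragment" keyword and bound to a
rate-limiting policy; entry 2 is a deny entry. Packets are reduced to the
fields the text says matter: source, destination, IP Fragment Offset and
the MF (More Fragments) flag. Packet and AclEntry are assumed shapes for
this simulation, not Brocade data structures.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    frag_offset: int = 0          # IP Fragment Offset field, in 8-byte units
    more_fragments: bool = False  # IP MF flag

    def kind(self) -> str:
        """Classify the packet the way the text does."""
        if self.frag_offset > 0:
            return "non-initial fragment"
        if self.more_fragments:
            return "initial fragment"
        return "non-fragmented"


@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" or "deny"
    src: str = "0.0.0.0/0"    # source prefix; 0.0.0.0/0 stands for "any"
    dst: str = "0.0.0.0/0"    # destination prefix
    fragment: bool = False    # True if the entry carries the "fragment" keyword
    rate_limit: bool = False  # assumption: entry is bound to a rate-limiting policy

    def l3_match(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


def conservative_lookup(acl, pkt):
    """Return (entry_number, verdict) for pkt under acl-frag-conservative.

    In conservative mode an entry with the "fragment" keyword matches only
    non-initial fragments, so initial fragments and non-fragmented packets
    skip it and fall through to later entries. Entries without the keyword
    match on L3 information alone. If nothing matches, the ACL's implicit
    deny applies (reported as entry number 0).
    """
    for number, entry in enumerate(acl, start=1):
        if not entry.l3_match(pkt):
            continue
        if entry.fragment and pkt.kind() != "non-initial fragment":
            continue
        if entry.action == "permit" and entry.rate_limit:
            return number, "permit (rate-limited)"
        return number, entry.action
    return 0, "deny"


# The ACL discussed in the text: permit fragments (rate-limited), then deny.
ACL = [
    AclEntry("permit", fragment=True, rate_limit=True),
    AclEntry("deny"),
]

# Constructed sample packets, one per case in the text. Offset 185 (x8 =
# 1480 bytes) is the second piece of a datagram split at a 1500-byte MTU.
SAMPLES = {
    "initial fragment": Packet("10.1.1.10", "10.2.2.20", frag_offset=0, more_fragments=True),
    "non-initial fragment": Packet("10.1.1.10", "10.2.2.20", frag_offset=185),
    "non-fragmented": Packet("10.1.1.10", "10.2.2.20"),
}


def evaluate_samples(acl=ACL, samples=SAMPLES):
    """Map each sample's label to (entry_number, verdict)."""
    return {label: conservative_lookup(acl, pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, (number, verdict) in evaluate_samples().items():
        print(f"{label:22s} -> entry {number}: {verdict}")
```

Running the block prints one line per case: the initial fragment and the non-fragmented packet fall through to entry 2 and are denied, while the non-initial fragment is permitted and rate-limited by entry 1. Swapping the entry order or removing the fragment keyword changes the outcome, which is a quick way to reason about an ACL before committing it to a device.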
ACL filtering for traffic switched within a virtual routing interface
By default, a Brocade device does not filter traffic that is switched from one port to another within
the same virtual routing interface, even if an ACL is applied to the interface: an inbound ACL on the
virtual routing interface constrains only routed traffic, so hosts on ports in the same virtual routing
interface can still reach one another unfiltered. You can enable the Brocade device to filter switched
traffic within a virtual routing interface. When you enable the filtering, the Brocade device uses the
ACLs applied to inbound traffic to filter traffic received by a port from another port in the same
virtual routing interface. This feature does not apply to ACLs applied to outbound traffic.
To enable filtering of traffic switched within a virtual routing interface, enter the following command
at the configuration level for the interface.
Brocade(config-vif-1)# ip access-group ve-traffic
Syntax: [no] ip access-group ve-traffic
Filtering and priority manipulation based on 802.1p priority
Filtering and priority manipulation based on a packet's 802.1p priority is supported in the Brocade
devices through the following QoS options:
•
priority – Assigns traffic that matches the ACL to a hardware forwarding queue. In addition to
changing the internal forwarding priority, if the outgoing interface is an 802.1q interface, this
option maps the specified priority to its equivalent 802.1p (QoS) priority and marks the packet
with the new 802.1p priority.
•
priority-force – Assigns packets of outgoing traffic that match the ACL to a specific hardware
forwarding queue, even though the incoming packet may be assigned to another queue.
Specify one of the following QoS queues:
•
0 – qosp0
•
1 – qosp1
•
2 – qosp2
•
3 – qosp3