
IP broadcast ACL, Configuration considerations for IP broadcast ACL – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


Multi-Service IronWare Security Configuration Guide

53-1003035-02

Page 140

NOTE

For an IPv4 inbound ACL applied to the management port, the user can log traffic matching both "permit"
and "deny" ACL filters that carry the log keyword. The ip access-group enable-deny-logging
command is not required to turn on logging on a management port.

NOTE

On Brocade NetIron CES or Brocade NetIron CER devices, you can bind an ACL with accounting
clauses to the management port. However, no ACL counters are incremented by packets
permitted or denied by those clauses.

IP broadcast ACL

The IP broadcast Access Control List (ACL) enables filtering of IP subnet-directed broadcast
traffic. The IP broadcast ACL is configured by creating an ACL (standard or extended) and then
binding that ACL to the IP interface on the router for which filtering needs to be enabled. IP
broadcast ACLs identify directed-broadcast traffic based on the subnets configured on the
interfaces, and they filter that traffic for the VRF to which the interface belongs. An ACL entry is
programmed in CAM for each interface in that VRF, so there is no need to add a separate filter for
each trusted source and destination subnet combination.

As an example, suppose you define the standard ACL clause access-list 1 permit host 10.1.5.1 and
bind the ACL to an IP interface on the router with the ip subnet-broadcast-acl command. Multiple
ACL CAM entries are programmed for such a binding, as the following example shows.

Suppose the router has the following three interface IP addresses configured in the same VRF:

2.2.2.2/24

10.10.10.1/24

10.10.20.1/24

The ACL CAM is then programmed with the following three entries:

permit host 10.1.5.1 host 2.2.2.255

permit host 10.1.5.1 host 10.10.10.255

permit host 10.1.5.1 host 10.10.20.255

The ACL CAM is then implicitly programmed with the following three deny entries, one for each
directed-broadcast address, so that any source not explicitly permitted is dropped:

deny any host 2.2.2.255

deny any host 10.10.10.255

deny any host 10.10.20.255
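The following model shows how the single ACL clause above expands into per-interface CAM entries and how the resulting table classifies traffic. It is an added example written for this page, not Brocade code: the interface list, VRF names, and ACL are constructed for illustration, the clause-major ordering of the programmed entries and the treatment of /31 and /32 prefixes (which have no directed-broadcast address) are assumptions, and the rendered entry text approximates the CLI rather than reproducing the hardware's CAM format.

```python
"""Model of how an IP subnet-broadcast ACL is expanded into CAM entries.

Added example, not Brocade code.  One ACL bound with ip subnet-broadcast-acl
on one interface is expanded into one entry per ACL clause for the
directed-broadcast address of every interface in the bound interface's VRF,
followed by an implicit deny for each of those broadcast addresses.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional

ANY = IPv4Network("0.0.0.0/0")  # the CLI keyword "any"


@dataclass(frozen=True)
class Interface:
    name: str
    address: IPv4Interface   # e.g. 10.10.10.1/24
    vrf: str = "default"


@dataclass(frozen=True)
class AclClause:
    action: str              # "permit" or "deny"
    source: IPv4Network      # "host 10.1.5.1" is 10.1.5.1/32


@dataclass(frozen=True)
class CamEntry:
    action: str
    source: IPv4Network
    dest: IPv4Address        # directed-broadcast address of one interface


def directed_broadcast(intf: Interface) -> Optional[IPv4Address]:
    """Subnet-directed broadcast address of an interface, or None for /31 and
    /32 prefixes, which have no broadcast address (assumption: the manual does
    not discuss these)."""
    net = intf.address.network
    if net.prefixlen >= 31:
        return None
    return net.broadcast_address


def expand(acl: List[AclClause], bound_to: Interface,
           interfaces: List[Interface]) -> List[CamEntry]:
    """CAM entries programmed when `acl` is bound to `bound_to`."""
    targets = []
    for intf in interfaces:
        if intf.vrf != bound_to.vrf:
            continue  # the broadcast ACL filters only the bound interface's VRF
        bcast = directed_broadcast(intf)
        if bcast is not None:
            targets.append(bcast)
    # explicit clauses first (clause-major order is an assumption) ...
    entries = [CamEntry(c.action, c.source, b) for c in acl for b in targets]
    # ... then the implicit "deny any" for every directed-broadcast address
    entries += [CamEntry("deny", ANY, b) for b in targets]
    return entries


def lookup(entries: List[CamEntry], src: IPv4Address,
           dst: IPv4Address) -> Optional[str]:
    """First-match lookup.  Returns "permit"/"deny" for a directed broadcast
    the table covers, or None when the packet is not a directed broadcast to
    any interface in the VRF (the broadcast ACL does not apply to it)."""
    for e in entries:
        if src in e.source and dst == e.dest:
            return e.action
    return None


def render(e: CamEntry) -> str:
    """CLI-style text for one entry, e.g. 'permit host 10.1.5.1 host 2.2.2.255'."""
    if e.source.prefixlen == 0:
        src = "any"
    elif e.source.prefixlen == 32:
        src = f"host {e.source.network_address}"
    else:
        src = str(e.source)
    return f"{e.action} {src} host {e.dest}"


# Constructed sample data mirroring the manual's example, plus two edge cases.
INTERFACES = [
    Interface("ethernet 1/1", IPv4Interface("2.2.2.2/24")),
    Interface("ethernet 1/2", IPv4Interface("10.10.10.1/24")),
    Interface("ethernet 1/3", IPv4Interface("10.10.20.1/24")),
    Interface("ethernet 2/1", IPv4Interface("172.16.0.1/24"), vrf="blue"),  # other VRF
    Interface("ethernet 2/2", IPv4Interface("192.0.2.0/31")),             # no broadcast
]
ACL_1 = [AclClause("permit", IPv4Network("10.1.5.1/32"))]  # access-list 1 permit host 10.1.5.1


def programmed_entries() -> List[CamEntry]:
    """Entries resulting from binding access-list 1 on ethernet 1/1."""
    return expand(ACL_1, INTERFACES[0], INTERFACES)


if __name__ == "__main__":
    for entry in programmed_entries():
        print(render(entry))
```

Running the block prints the three permit entries followed by the three implicit deny entries from the manual's example. The interface in VRF "blue" contributes no entry, which is the VRF-scoping point made above, and a directed broadcast from any source other than 10.1.5.1 to 10.10.10.255 is denied while ordinary unicast to 10.10.10.7 is simply outside the broadcast ACL's scope.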

Configuration considerations for IP broadcast ACL

The configuration considerations for binding an IP directed-broadcast ACL to an interface are as
follows:

If a physical port is a member of a virtual Ethernet (VE) interface, the ACL can be bound only at the VE
level, not at the physical port level.