
Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


Multi-Service IronWare Security Configuration Guide


53-1003035-02

IP broadcast ACL


For LAG ports, all ports within the LAG are required to have the same IP broadcast ACL applied
to them before the LAG is created. On deleting the LAG, the IP broadcast ACL binding is
replicated on all individual LAG ports.

IP directed-broadcast ACL binding is not permitted on VPLS and VLL endpoints.

For interface-level inbound IPv4 ACL or Rate Limiting-ACLs (RL-ACLs) - Traffic matching IP
broadcast ACLs is not subject to interface-level ACLs or RL-ACLs. You must configure an IP
broadcast ACL so that only directed broadcast traffic matches the IP broadcast ACL clauses.

For interface-level inbound Layer 2 ACLs or RL-ACLs - On Brocade NetIron XMR and Brocade
MLX series devices, either an IPv4 inbound ACL or a Layer 2 inbound ACL can be configured on an
interface, but not both. On Brocade NetIron CER and Brocade NetIron CES devices, both an
IPv4 inbound ACL and a Layer 2 inbound ACL can be configured on the same interface.

IP broadcast ACLs do not support ACL-based logging, Sample Flow (sFlow), and mirroring
features.

Traffic matching IP broadcast ACLs is not subject to policy-based routing.

Configuring IP broadcast ACL and establishing the sequence of IP broadcast ACL commands

You can enable filtering of directed broadcast traffic using ACLs at the IP interface level and the
global configuration level, with the interface-level command taking precedence over the global
configuration level command.

To enable filtering of directed broadcast traffic using ACLs globally, enter the following commands.

Brocade(config)# access-list 5 permit host 10.1.1.2
Brocade(config)# ip global-subnet-broadcast-acl 5

Syntax: [no] ip global-subnet-broadcast-acl acl-num

The acl-num parameter can be a standard or extended access list number. Enter a number from 1
through 99 for a standard ACL, and a number from 100 through 199 for an extended ACL.

The no option is used to disable filtering of directed broadcast traffic globally.

NOTE

A global subnet broadcast ACL binding filters only traffic belonging to interfaces in the default VRF.

NOTE

Only numbered IPv4 ACLs are supported.

To enable filtering of directed broadcast traffic on an individual interface, enter the following
commands.

Brocade(config)# access-list 5 permit host 10.1.1.2
Brocade(config)# interface ethernet 2/1
Brocade(config-if-e10000-2/1)# ip subnet-broadcast-acl 5

Syntax: [no] ip subnet-broadcast-acl acl-num

The acl-num parameter can be a standard or extended access list number. Enter a number from 1
through 99 for a standard ACL, and a number from 100 through 199 for an extended ACL.
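The following Python script is an added example, not part of the manual or of IronWare, that models the binding rules above for a configuration review: it parses the two binding commands and standard ACL clauses from a constructed config snippet, flags ACL numbers outside 1 through 199 or bound without being defined, and reports which ACL filters directed broadcast traffic on a given interface, with the interface-level binding taking precedence over the global one. The interface names and ACL numbers in the sample are assumptions.

```python
import re
# Constructed sample config (not from the manual); ACL numbers and interfaces are illustrative.
SAMPLE_CONFIG = """
access-list 5 permit host 10.1.1.2
access-list 7 permit any
ip global-subnet-broadcast-acl 5
interface ethernet 2/1
 ip subnet-broadcast-acl 7
interface ethernet 2/2
 ip subnet-broadcast-acl 250
interface ethernet 2/3
 ip subnet-broadcast-acl 9
"""

def parse_config(text):
    """Parse the subset of IronWare CLI shown on this page (standard ACL clauses only)."""
    cfg = {"acls": {}, "global_acl": None, "iface_acl": {}}
    cur_if = None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"access-list (\d+) (permit|deny) (host (\S+)|any)$", line):
            cfg["acls"].setdefault(int(m.group(1)), []).append((m.group(2), m.group(4)))  # None = any
        elif m := re.match(r"ip global-subnet-broadcast-acl (\d+)$", line):
            cfg["global_acl"] = int(m.group(1))
        elif m := re.match(r"interface (ethernet \S+)$", line):
            cur_if = m.group(1)
        elif cur_if and (m := re.match(r"ip subnet-broadcast-acl (\d+)$", line)):
            cfg["iface_acl"][cur_if] = int(m.group(1))
    return cfg

def validate(cfg):
    """Flag bindings the page rules out: ACL numbers outside 1-199, or bound but never defined."""
    bindings = [("global", cfg["global_acl"])] if cfg["global_acl"] is not None else []
    bindings += list(cfg["iface_acl"].items())
    problems = []
    for where, num in bindings:
        if not 1 <= num <= 199:
            problems.append(f"{where}: ACL {num} is outside 1-99 (standard) / 100-199 (extended)")
        elif num not in cfg["acls"]:
            problems.append(f"{where}: ACL {num} is bound but has no clauses")
    return problems

def directed_broadcast_verdict(cfg, iface, src_ip):
    """Apply the page's precedence rule: the interface binding wins over the global one."""
    num = cfg["iface_acl"].get(iface, cfg["global_acl"])
    if num is None:
        return "unfiltered"  # no IP broadcast ACL bound on this interface or globally
    for action, host in cfg["acls"].get(num, []):
        if host is None or host == src_ip:
            return action
    return "deny"  # implicit deny at the end of every ACL
```

Interfaces without their own binding fall back to the global ACL, which is why 10.1.1.3 is denied on ethernet 3/1 while ethernet 2/1 permits any source through ACL 7.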