Configuration guidelines for IP receive ACLs, Configuring rACLs – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

Multi-Service IronWare Security Configuration Guide, 53-1003035-02, page 147

Chapter 3: IP receive ACLs

deny icmp host 10.1.1.1 host 10.2.2.2
deny icmp host 10.1.1.1 host 10.10.10.1
deny icmp host 10.1.1.1 host 10.10.20.1

NOTE

You must rebind an rACL whenever it is changed, as described in “Rebinding a rACL definition or policy-map”; otherwise the now-invalid entries remain in the CAM and continue to be applied.

NOTE

For more information on configuring the acl-mirror-port command for IP receive ACLs, refer to the Multi-Service IronWare Switching Configuration Guide.

Configuration guidelines for IP receive ACLs

Consider the following when configuring IP receive ACLs:

Interface-level inbound IPv4 ACLs or RL-ACLs: Traffic matching an rACL is not subject to the interface-level ACL or RL-ACL. Take care to configure each rACL so that only management traffic matches its clauses.

Interface-level inbound L2 ACLs or RL-ACLs: On a given interface, the device can launch either an IPv4 inbound or an L2 inbound ACL CAM lookup, but not both. On interfaces with L2 inbound ACLs, rACL filtering is performed in software, so only traffic permitted by the L2 inbound ACL is processed by the rACLs. Note that rate limiting using rACLs does not apply to such traffic.

VLAN ID translation or Inner VLAN ID translation: This feature programs L2 inbound ACL CAM entries, so for ports in a VLAN or Inner VLAN translation group, rACL filtering is performed in software. Note that rate limiting using rACLs does not apply to traffic arriving on such interfaces.

Global DoS attack policies: These are supported in software. The order of precedence is:

1. rACL filtering (in hardware or software)
2. Global DoS attack policies (software only)

NOTE

IP receive ACLs apply only to line card interfaces. They do not apply to management Ethernet interfaces.

Configuring rACLs

Configuring rACLs requires the following steps:

1. Configuring an rACL and establishing the sequence of rACL commands.
2. Applying rate limiting to traffic defined by rACLs.
3. Specifying the maximum number of rACL entries.
4. Rebinding an rACL definition or policy map.

You can bind multiple rACLs, up to a maximum of 199. You must, however, ensure that no explicit permit ip any any or deny ip any any clause exists in any rACL other than the last one bound.
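A lint check for the two binding rules just stated (at most 199 rACLs, and a catch-all permit ip any any or deny ip any any only in the last bound rACL), as an added Python example that is not from the guide; the "racl <name>" block format and the narrow clause grammar are assumptions made for this example, not device syntax.

```python
import re
from typing import List, Tuple

MAX_BOUND_RACLS = 199  # binding limit stated in the guide

# Narrow clause grammar assumed for this example: action, protocol, source,
# destination, where an address is "any" or "host A.B.C.D". Real ACL syntax
# is richer (ports, masks, options); unrecognised clauses are reported.
CLAUSE_RE = re.compile(
    r"^(permit|deny)\s+(\S+)\s+(any|host\s+\S+)\s+(any|host\s+\S+)$"
)

def parse_racls(text: str) -> List[Tuple[str, List[str]]]:
    """Parse a constructed format: 'racl <name>' starts an rACL, and the
    indented lines beneath it are its clauses. rACLs appear in binding order."""
    racls: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("racl "):
            racls.append((line.split(None, 1)[1], []))
        elif racls:
            racls[-1][1].append(line)
        else:
            raise ValueError(f"clause before any 'racl' header: {line}")
    return racls

def is_catch_all(clause: str) -> bool:
    """True for an explicit 'permit ip any any' or 'deny ip any any'."""
    m = CLAUSE_RE.match(clause)
    return bool(m) and m.group(2) == "ip" and m.group(3) == "any" and m.group(4) == "any"

def lint_racls(racls: List[Tuple[str, List[str]]]) -> List[str]:
    """Return guideline violations; an empty list means the set passes."""
    findings = []
    if len(racls) > MAX_BOUND_RACLS:
        findings.append(f"{len(racls)} rACLs exceed the binding limit of {MAX_BOUND_RACLS}")
    for idx, (name, clauses) in enumerate(racls):
        last = idx == len(racls) - 1
        for pos, clause in enumerate(clauses, 1):
            if not CLAUSE_RE.match(clause):
                findings.append(f"{name} clause {pos}: unrecognised syntax '{clause}'")
            elif is_catch_all(clause) and not last:
                findings.append(f"{name} clause {pos}: '{clause}' is only allowed in the last bound rACL")
    return findings

# Constructed sample: three rACLs in binding order; the middle one breaks the rule.
SAMPLE = """
racl mgmt-ssh
  permit tcp host 10.1.1.1 host 10.2.2.2
racl block-icmp
  deny icmp host 10.1.1.1 host 10.2.2.2
  deny ip any any
racl final
  permit ip any any
"""

if __name__ == "__main__":
    for finding in lint_racls(parse_racls(SAMPLE)):
        print(finding)
```

Run it against a dump of the rACLs in their bound order before rebinding; a catch-all in any rACL but the last means the later rACLs will never be consulted.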