
Cam partitioning, Applying an ipv6 acl – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


Multi-Service IronWare Security Configuration Guide

53-1003035-02


ipv6 access-list rtr: 3 entries

10: permit ipv6 host 3000::2 any

20: deny udp any any

30: deny ipv6 any any

Syntax: show ipv6 access-list { count | access-list-name }

The count parameter displays the total number of IPv6 access lists and the number of filters
configured in each list.

The access-list-name variable displays the entries of the named IPv6 ACL.
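As an added example, not part of the Brocade guide, the following Python script parses output in the format shown above (the sample text is constructed from the excerpt on this page) and runs a few checks an operator would want before trusting a list: that the entry count in the header matches the entries printed, that sequence numbers ascend, and that no entry sits behind an `ipv6 any any` catch-all, where it can never match. The audit rules are this example's own assumptions about good ACL hygiene, not a device feature.

```python
"""Parse and sanity-check `show ipv6 access-list` output (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample, mirroring the excerpt on this page.
SAMPLE_OUTPUT = """\
ipv6 access-list rtr: 3 entries
10: permit ipv6 host 3000::2 any
20: deny udp any any
30: deny ipv6 any any
"""

HEADER_RE = re.compile(r"^ipv6 access-list (\S+): (\d+) entries$")
ENTRY_RE = re.compile(r"^(\d+): (permit|deny) (\S+) (.+)$")


@dataclass
class Entry:
    seq: int
    action: str
    protocol: str
    match: str  # remaining source/destination text, left unparsed


@dataclass
class Acl:
    name: str
    declared_count: int
    entries: list = field(default_factory=list)


def parse_show_ipv6_access_list(text: str) -> dict:
    """Return {acl_name: Acl} parsed from the command output."""
    acls = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Acl(m.group(1), int(m.group(2)))
            acls[current.name] = current
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current.entries.append(
                Entry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return acls


def is_catch_all(e: Entry) -> bool:
    # "permit/deny ipv6 any any" matches every IPv6 packet.
    return e.protocol == "ipv6" and e.match == "any any"


def audit(acl: Acl) -> list:
    """Return a list of human-readable findings for one ACL (empty if clean)."""
    findings = []
    if len(acl.entries) != acl.declared_count:
        findings.append(f"{acl.name}: header says {acl.declared_count} entries, "
                        f"parsed {len(acl.entries)}")
    seqs = [e.seq for e in acl.entries]
    if seqs != sorted(seqs):
        findings.append(f"{acl.name}: sequence numbers are not ascending")
    # Entries after the first catch-all are unreachable (shadowed).
    for i, e in enumerate(acl.entries):
        if is_catch_all(e):
            for later in acl.entries[i + 1:]:
                findings.append(f"{acl.name}: entry {later.seq} is shadowed by entry {e.seq}")
            break
    # Flag lists that rely on the device default instead of an explicit final rule.
    if not acl.entries or not is_catch_all(acl.entries[-1]):
        findings.append(f"{acl.name}: no explicit catch-all as last entry")
    return findings


if __name__ == "__main__":
    for acl in parse_show_ipv6_access_list(SAMPLE_OUTPUT).values():
        print(acl.name, audit(acl) or "OK")
```

Run it against saved output from several devices to spot lists whose printed entries disagree with the header count or that contain rules hidden behind an earlier catch-all.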

CAM partitioning

Brocade NetIron CES and Brocade NetIron CER devices support CAM partitioning.

The extended ingress IPv6 L4 key is 640 bits wide; the standard ingress ACL key is 320 bits wide. In
internal TCAM, keys of different sizes can reside next to each other in the same block. In external
TCAM, blocks are allocated per ACL type and keys of different sizes cannot share a block, so an
ingress IPv6 L4 key cannot reside in the same block as other ingress ACLs.

You can partition the CAM so that ingress ACLs are placed in internal TCAM and egress ACLs in
external TCAM. The ingress IPv6 L4 key can reside in the same TCAM as other ingress ACLs, but in
external TCAM it must occupy a different block.

You can select one key per interface (port or VLAN) for each of the following packet types:

IPv6 packets

IPv4 and ARP packets

Non-IP packets

The following key types apply to layer 2 ACLs:

Ingress L2 non-IP Key 0

Egress L2+IPv4+L4 Key

The following keys apply to ether type IPv4, IPv6, or ARP:

Ingress L2+IPv4/6 Key 1 -- ether type = IPv4 or IPv6

Ingress IPv4+L4 Key 2 -- ether type = ARP

Egress L2+IPv6 Key -- ether type = IPv6

Egress L2+IPv4+L4 Key -- ether type = ARP or IPv4

At ingress, each packet is subjected to two lookups, and you can direct the system to use a different
key for each lookup. Make sure that the source MAC, destination MAC, VLAN ID and ether type fields
sit at the same locations in all layer 2 ACL keys. If the layer 2 field locations differ between keys,
you must create a separate TCAM entry for each combination of layer 2 IPv6 ACL rule and packet type
(IPv4, IPv6, and non-IP) for the layer 2 IPv6 ACL to work on all packet types.

Applying an IPv6 ACL

To apply an IPv6 ACL (for example, “access1”) to an interface, enter commands such as the
following.