IPv6 receive ACLs, IPv6 receive ACLs overview, IPv6 receive ACLs configuration considerations – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Multi-Service IronWare Security Configuration Guide
53-1003035-02
IPv6 receive ACLs
This section discusses the following topics:
• IPv6 receive ACLs overview
• IPv6 receive ACLs configuration considerations
• IPv6 receive ACL prerequisites
• IPv6 receive ACL: basic configuration
• IPv6 receive ACL: additional configuration
• Syslog messages for IPv6 rACLs
• Displaying accounting information for IPv6 rACLs
IPv6 receive ACLs overview
The IPv6 receive access-control list (rACL) feature provides hardware-based filtering for
IPv6 traffic destined for the CPU in the default VRF, such as management traffic. Its purpose is to
protect the management module’s CPU from being overloaded by large amounts of traffic sent to
one of the Brocade device’s IP interfaces. The rACL feature applies the specified ACL to every
interface on the Brocade device, which eliminates the need to add an ACL to each interface
individually.
The rACL feature is configured by creating an ACL to filter traffic and then specifying that ACL in the
ipv6 receive access-list command. This applies the ACL to all interfaces on the device. The
destination IP address in an ACL specified by the rACL command is interpreted to apply to all
interfaces in the default VRF of the device. This is implemented by programming an ACL entry in
CAM that applies the ACL clause for each interface.
CAM entries are programmed differently for Gen-1 and Gen-2 interface modules. For Gen-1
interface modules, each rule is programmed once for every IPv6 interface address, so the number of
CAM entries for each rule equals the number of interface addresses. For example, if “M”
IPv6 interface addresses are configured and there are “N” rACL rules, there will be “M x N”
CAM entries in the IPv6 rACL CAM partition.
NOTE
The rACL feature does not program CAM entries on Gen-1 interface modules when an IPv6 interface
is in the down state.
For Gen-2 interface modules, one rule is programmed for all local IPv6 interface addresses. Hence,
if there are “N” IPv6 rACL rules to program, there will be “N” CAM entries in the IPv6 rACL CAM
partition.
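A sizing check for the CAM arithmetic above, added here as an example and not taken from the Brocade guide: it computes the IPv6 rACL CAM entries for Gen-1 (M x N) and Gen-2 (N) modules and compares the Gen-1 worst case, with every interface up, against a sub-partition size. The interface names, addresses, rule count and the treatment of the sub-partition size as a count of entries are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    up: bool
    ipv6_addresses: list = field(default_factory=list)


def racl_cam_entries(generation, num_rules, interfaces, worst_case=False):
    """CAM entries implied by the guide's rules for one interface module.

    generation: 1 or 2 (Gen-1 / Gen-2 interface module).
    worst_case: also count addresses on down interfaces, i.e. the Gen-1
    footprint once every interface has come up.
    """
    if generation == 2:
        # Gen-2: one entry per rule covers all local IPv6 addresses.
        return num_rules
    if generation != 1:
        raise ValueError("generation must be 1 or 2")
    # Gen-1: each rule is repeated per interface address (M x N). Addresses
    # on down interfaces are not programmed while the interface is down.
    m = sum(len(i.ipv6_addresses) for i in interfaces if i.up or worst_case)
    return m * num_rules


def fits(partition_entries, generation, num_rules, interfaces):
    """Return (fits, needed), sized for the worst case so that an interface
    coming up later cannot exhaust the sub-partition."""
    needed = racl_cam_entries(generation, num_rules, interfaces, worst_case=True)
    return needed <= partition_entries, needed


# Constructed sample data (documentation prefix 2001:db8::/32).
SAMPLE = [
    Interface("eth 1/1", True, ["2001:db8:1::1", "2001:db8:2::1"]),
    Interface("eth 1/2", False, ["2001:db8:3::1"]),
    Interface("ve 10", True, ["2001:db8:10::1"]),
]

if __name__ == "__main__":
    rules = 20  # N, hypothetical rACL rule count
    print("Gen-1 now:       ", racl_cam_entries(1, rules, SAMPLE))
    print("Gen-1 worst case:", racl_cam_entries(1, rules, SAMPLE, worst_case=True))
    print("Gen-2:           ", racl_cam_entries(2, rules, SAMPLE))
    print("Gen-1 fits in 64 entries:", fits(64, 1, rules, SAMPLE))
```

Sizing a Gen-1 module from the currently programmed count alone understates the requirement whenever an addressed interface is down.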
The IPv6 rACL feature supports mirroring and sFlow for traffic filtered by an IPv6 rACL.
IPv6 receive ACLs configuration considerations
• IPv6 rACL support is a new feature in Multi-Service IronWare R05.6.00. For backward
compatibility, the IPv6 rACL sub-partition is set to “0” by default, so that other sub-partitions of
the IPv6 CAM partition are not affected by this feature when the firmware is upgraded.