
Configuration rules and notes, General considerations – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


Multi-Service IronWare Security Configuration Guide

53-1003035-02


Layer-2 Access Control Lists (ACLs) filter incoming traffic based on Layer-2 MAC header fields in the
Ethernet IEEE 802.3 frame. Specifically, Layer-2 ACLs filter incoming traffic based on any of the
following Layer-2 fields in the MAC header:

Source MAC address and source MAC mask

Destination MAC address and destination MAC mask

VLAN ID

Ethernet type

802.1p

Layer-2 ACLs filter traffic at line-rate speed.

Configuration rules and notes

General considerations

On Brocade NetIron XMR and Brocade MLX series devices, you cannot bind Layer-2 ACLs and
IP ACLs to the same port. However, you can configure one port on the device to use Layer-2
ACLs and another port on the same device to use IP ACLs.

Brocade NetIron CES and Brocade NetIron CER devices allow Layer-2 ACLs and IP ACLs to be
bound to the same port. The IP ACL is applied to the incoming packet first. If the packet passes
the checks in the IP ACL, it is then subject to the Layer-2 ACL. See “Configuration
considerations for dual inbound ACLs on Brocade NetIron CES and Brocade NetIron CER
devices” and “ACL Accounting interactions between L2 ACLs and IP ACLs” for more details.

You cannot bind a Layer-2 ACL to a virtual interface.

The Layer-2 ACL feature cannot perform SNAP and LLC encapsulation type comparisons.

Brocade devices process ACLs in hardware.

For all NetIron devices, if a port has an IPv4 or IPv6 ACL applied, you must remove the ACL
bindings before adding that port to a VLAN that has a VE interface.

NOTE

For all NetIron devices running any version earlier than 5.5, you must remove the ACL
bindings before adding a port to any VLAN, and then re-apply the ACL bindings after the VLAN
is configured on the port.

You cannot edit or modify an existing Layer-2 ACL clause. If you want to change the clause, you
must delete it first, then re-enter the new clause.

You cannot add remarks to a Layer-2 ACL clause.

When you bind a Layer-2 ACL that is not defined, it implicitly denies all traffic.

For dynamic LAG creation and deletion, Layer-2 ACLs behave as follows: before a LAG is
formed, all ports that will be part of the LAG must have the same ACL configuration. For
example, all of the ports can have no ACL, or all of them can have ACL 401 bound inbound and
outbound. After the LAG is removed, all ACL bindings (if there are any) are propagated to all of
the secondary ports.

Layer-2 inbound ACLs and Layer-2 inbound ACL-based rate limiting are not supported on
Layer-3 VPNs.
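As an added reference model (not IronWare code and not from this guide), the following Python simulates the matching rules this section describes: masked source and destination MAC comparison plus VLAN ID, Ethernet type and 802.1p, first-match evaluation, the implicit deny for a bound ACL that has no clauses, and the CES/CER ordering in which the IP ACL is evaluated before the Layer-2 ACL. The mask convention (a 1 bit means that bit is compared), the frame dictionary layout and the single clause given to ACL 401 are constructed assumptions.

```python
# Reference model of Layer-2 ACL evaluation as described in the guide section above.
# Constructed for illustration; the mask convention (1 bit = compare) is an assumption.
from dataclasses import dataclass
from typing import Optional


def mac_to_int(mac: str) -> int:
    """Parse 'aaaa.bbbb.cccc' or 'aa:bb:cc:dd:ee:ff' into an integer."""
    return int(mac.replace(".", "").replace(":", ""), 16)


@dataclass
class L2Clause:
    action: str                  # "permit" or "deny"
    src: Optional[str] = None    # None means "any"
    src_mask: str = "ffff.ffff.ffff"
    dst: Optional[str] = None
    dst_mask: str = "ffff.ffff.ffff"
    vlan: Optional[int] = None
    etype: Optional[int] = None
    pcp: Optional[int] = None    # 802.1p priority

    def matches(self, frame: dict) -> bool:
        def mac_ok(want, mask, have):
            if want is None:
                return True
            m = mac_to_int(mask)
            return (mac_to_int(have) & m) == (mac_to_int(want) & m)
        return (mac_ok(self.src, self.src_mask, frame["src"])
                and mac_ok(self.dst, self.dst_mask, frame["dst"])
                and (self.vlan is None or self.vlan == frame["vlan"])
                and (self.etype is None or self.etype == frame["etype"])
                and (self.pcp is None or self.pcp == frame["pcp"]))


def l2_acl_decision(clauses: list, frame: dict) -> str:
    """First matching clause wins; a bound ACL with no clauses denies all traffic."""
    for clause in clauses:
        if clause.matches(frame):
            return clause.action
    return "deny"


def ces_cer_decision(ip_acl_result: str, l2_clauses: list, frame: dict) -> str:
    """CES/CER dual inbound ACLs: only frames the IP ACL permits reach the Layer-2 ACL."""
    if ip_acl_result != "permit":
        return "deny"
    return l2_acl_decision(l2_clauses, frame)


# Constructed sample: ACL 401 permits one OUI on VLAN 10; everything else is denied.
ACL_401 = [L2Clause("permit", src="0024.3800.0000", src_mask="ffff.ff00.0000", vlan=10)]
FRAME_OK = {"src": "0024.38ab.cdef", "dst": "ffff.ffff.ffff", "vlan": 10, "etype": 0x0800, "pcp": 0}
FRAME_BAD = {"src": "0024.39ab.cdef", "dst": "ffff.ffff.ffff", "vlan": 10, "etype": 0x0800, "pcp": 0}
```

Running the model against a planned rule set before binding it on a port shows what the implicit deny and the IP-before-Layer-2 ordering will do to specific frames.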