Types of layer-2 acls – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Multi-Service IronWare Security Configuration Guide, 53-1003035-02, page 75
Configuration rules and notes (chapter 2)
• You can bind multiple rate limiting policies to a single port. However, once a matching ACL clause is found for a packet, the device does not evaluate subsequent clauses in that rate limiting ACL and subsequent rate limiting ACLs.
• Only numbered ACLs support rate limiting.
Configuration considerations for dual inbound ACLs on Brocade NetIron CES and Brocade NetIron CER devices
You can bind both an inbound L2 ACL and an inbound IP ACL to the same port on Brocade NetIron
CES and Brocade NetIron CER devices. The IP ACL will be applied first to incoming packets; if an
incoming packet is permitted by the IP ACL it will then be examined against the L2 ACL. “Deny”
actions take precedence (that is, if one ACL permits a packet and the other denies it, the packet
will be dropped), and there is an implicit “deny” at the end of each ACL. Therefore when binding
dual inbound ACLs to a single port, include a “permit any” filter as the last clause of the IP ACL. This
ensures that packets not explicitly permitted by the IP ACL will be passed to the L2 ACL.
Dual inbound ACLs can also affect the behavior of ACL accounting. Refer to
for details.
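The evaluation order described above (IP ACL first, first-match semantics, implicit deny at the end of each ACL, then the L2 ACL) can be modelled to show why the trailing "permit any" matters. This is an added illustration, not device code from the guide; the addresses, the Packet and Clause types, and the helper names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Packet:
    src_mac: str
    src_ip: Optional[str] = None      # None models a non-IP frame


@dataclass
class Clause:
    action: str                        # "permit" or "deny"
    match: Callable[[Packet], bool]    # predicate over the packet fields


def any_pkt(pkt: Packet) -> bool:      # the match used by a "permit any" clause
    return True


def evaluate(acl: List[Clause], pkt: Packet) -> str:
    """First match wins; no match falls through to the implicit deny."""
    for clause in acl:
        if clause.match(pkt):
            return clause.action
    return "deny"


def dual_inbound(ip_acl: List[Clause], l2_acl: List[Clause], pkt: Packet) -> str:
    """IP ACL is applied first; only packets it permits reach the L2 ACL,
    and a deny from either ACL drops the packet."""
    if evaluate(ip_acl, pkt) == "deny":
        return "drop"
    return "forward" if evaluate(l2_acl, pkt) == "permit" else "drop"


def has_trailing_permit_any(acl: List[Clause]) -> bool:
    """The guide's recommendation: the IP ACL should end with 'permit any'."""
    return bool(acl) and acl[-1].action == "permit" and acl[-1].match is any_pkt


# Constructed sample ACLs (hypothetical addresses).
IP_ACL_BAD = [Clause("deny", lambda p: p.src_ip == "10.0.0.5")]
IP_ACL_GOOD = IP_ACL_BAD + [Clause("permit", any_pkt)]
L2_ACL = [Clause("deny", lambda p: p.src_mac == "0000.0000.0001"),
          Clause("permit", any_pkt)]

if __name__ == "__main__":
    pkt = Packet(src_mac="0000.0000.0002", src_ip="10.0.0.7")
    print(dual_inbound(IP_ACL_BAD, L2_ACL, pkt))   # drop: implicit deny before the L2 ACL is reached
    print(dual_inbound(IP_ACL_GOOD, L2_ACL, pkt))  # forward
```

Without the trailing "permit any", every packet not explicitly permitted by the IP ACL is dropped before the L2 ACL sees it, which is the behaviour the note above warns about.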
Configuration considerations for VPLS, VLL, and VLL-Local endpoints
L2 ACLs are supported on VPLS, VLL, and VLL-local endpoints with the following configuration
considerations:
• First configure the port as a VPLS, VLL, or VLL-local endpoint and then bind the Layer-2 ACL on it.
• First remove the Layer-2 ACL from a VPLS, VLL, or VLL-local endpoint before removing the port from the VPLS, VLL, or VLL-local instance or corresponding VLAN.
• First remove the Layer-2 ACL from the VPLS, VLL, or VLL-local endpoints before deleting the VPLS, VLL, or VLL-local instance or corresponding VLAN.
• If the VPLS, VLL, or VLL-local endpoint is a LAG port, you must first remove the Layer-2 ACL from the primary LAG port before deleting the LAG. This restriction applies even if you delete the LAG using the force keyword.
• If a VLL or VLL-local endpoint is a LAG port with a Layer-2 ACL, you must first remove the Layer-2 ACL from the primary LAG port before dynamically removing a port from the LAG.
• Ensure that no VPLS, VLL, or VLL-local endpoint exists with a Layer-2 ACL before entering the command: no router mpls.
Types of Layer-2 ACLs
Layer-2 ACLs can be numbered or named. Numbered Layer-2 ACL table IDs range from 400 to 599, which allows a maximum of 200 configurable numbered Layer-2 ACL tables.
Within each Layer-2 ACL table, you can configure from 64 (default) to 256 clauses. Each clause or
entry can define a set of Layer-2 parameters for filtering. Once you completely define a Layer-2 ACL
table, you must bind it to the interface for filtering to take effect.