ACL editing and sequence numbers, Upgrade and downgrade considerations – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00)
Multi-Service IronWare Security Configuration Guide
53-1003035-02
Configuration rules and notes
There can be up to 500 named L2 ACLs. The maximum length of a named Layer-2 ACL is 255
characters. The Layer-2 ACL name cannot begin with digits 0 to 9 to avoid confusion with the
numbered L2 ACLs.
The device evaluates traffic coming into the port against each ACL clause in order. Once a matching
entry is found, the device forwards or drops the traffic according to the action specified for that
clause, and it does not evaluate the traffic against any subsequent clauses.
By default, if the traffic does not match any of the clauses in the ACL table, the device drops the
traffic. To override this behavior, specify a “permit any …” clause at the end of the table to match
and forward all traffic not matched by the previous clauses.
NOTE
Use caution when placing entries within the ACL table. The Layer-2 ACL feature does not attempt
to resolve conflicts across multiple ACL clauses, so a clause placed after a broader one that already
covers its traffic is never reached.
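The first-match evaluation and the implicit deny described above are easy to model, and doing so also shows why clause order matters when the device does not resolve conflicts for you. The following is an added example (not Brocade code) that simulates a Layer-2 ACL over source and destination MAC addresses: the first matching clause decides, unmatched traffic is dropped unless a trailing "permit any" clause exists, and a shadow check reports clauses that can never be reached because an earlier clause already covers them. The clause syntax parsed here (action, source MAC with mask or "any", destination MAC with mask or "any") is a simplified constructed form for the model, not Multi-Service IronWare CLI syntax.

```python
"""Simplified model of first-match Layer-2 ACL evaluation (added example, not
Brocade code). Clause syntax is a constructed mini-format, not the device CLI."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Accepts 0000.1111.2222 or 00:00:11:11:22:22 style strings."""
    return int(mac.replace(".", "").replace(":", ""), 16)


@dataclass(frozen=True)
class Clause:
    action: str        # "permit" or "deny"
    src: int           # source MAC; mask 0 means "any"
    src_mask: int      # bits that must match (ffff.ffff.ffff = exact match)
    dst: int
    dst_mask: int

    def matches(self, src_mac: int, dst_mac: int) -> bool:
        return ((src_mac & self.src_mask) == (self.src & self.src_mask)
                and (dst_mac & self.dst_mask) == (self.dst & self.dst_mask))

    def covers(self, other: "Clause") -> bool:
        """True if every frame matching `other` also matches this clause:
        this clause's mask bits are a subset of the other's, and the two
        agree on every bit this clause cares about."""
        return ((self.src_mask & ~other.src_mask) == 0
                and (self.src & self.src_mask) == (other.src & self.src_mask)
                and (self.dst_mask & ~other.dst_mask) == 0
                and (self.dst & self.dst_mask) == (other.dst & self.dst_mask))


def _field(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse '<mac> <mask>' or 'any' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    return mac_to_int(tokens[i]), mac_to_int(tokens[i + 1]), i + 2


def parse(line: str) -> Clause:
    t = line.split()
    if t[0] not in ("permit", "deny"):
        raise ValueError(f"unknown action: {t[0]}")
    src, src_mask, i = _field(t, 1)
    dst, dst_mask, _ = _field(t, i)
    return Clause(t[0], src, src_mask, dst, dst_mask)


def build_acl(lines: List[str]) -> List[Clause]:
    return [parse(l) for l in lines]


def evaluate(acl: List[Clause], src_mac: str, dst_mac: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching clause). First match wins; if nothing
    matches, the implicit deny at the end of the table applies (index None)."""
    s, d = mac_to_int(src_mac), mac_to_int(dst_mac)
    for idx, clause in enumerate(acl):
        if clause.matches(s, d):
            return clause.action, idx
    return "deny", None


def shadowed(acl: List[Clause]) -> List[int]:
    """Indices of clauses that can never be reached because an earlier clause
    covers all of their traffic. The device does not warn about this."""
    return [j for j, later in enumerate(acl)
            if any(earlier.covers(later) for earlier in acl[:j])]


# Constructed sample ACL: the third clause is unreachable because the second
# clause already permits every source in the 0000.1111.xxxx range.
SAMPLE_ACL_LINES = [
    "deny 0000.1111.2222 ffff.ffff.ffff any",
    "permit 0000.1111.0000 ffff.ffff.0000 any",
    "deny 0000.1111.3333 ffff.ffff.ffff any",
]

if __name__ == "__main__":
    acl = build_acl(SAMPLE_ACL_LINES)
    print(evaluate(acl, "0000.1111.3333", "0000.aaaa.bbbb"))   # permitted by clause 1
    print(evaluate(acl, "0000.9999.0000", "0000.aaaa.bbbb"))   # implicit deny
    print("unreachable clauses:", shadowed(acl))               # [2]
    acl_with_permit_any = acl + [parse("permit any any")]
    print(evaluate(acl_with_permit_any, "0000.9999.0000", "0000.aaaa.bbbb"))
```

Running `shadowed()` over a table before committing it is the kind of check the NOTE above asks the operator to do by hand: a deny placed after a broader permit silently never fires.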
ACL editing and sequence numbers
Multi-Service IronWare R05.6.00 supports ACL editing and ACL entry sequence numbers for
Layer-2, IPv4 and IPv6 ACLs. This chapter describes the ACL editing feature applied to numbered
and named Layer-2 ACLs. Refer to Appendix A, “ACL Editing and Sequence Numbers” for a
functional description of the ACL editor as it applies to Layer-2, IPv4 and IPv6 ACLs.
Upgrade and downgrade considerations
Where ACL filters have been configured on R05.6.00 and you want to downgrade a device to an
earlier version of software, you should enable suppress-acl-seq prior to the downgrade.
NOTE
If suppress-acl-seq is not enabled before downgrade from Multi-Service IronWare R05.6.00, ACL
configurations created with the sequence parameter on R05.6.00 will not be allowed on older
releases and will result in an error.
By default, the suppress-acl-seq switch is OFF. When it is turned ON, the system hides or
suppresses sequence numbers for ACL filters while:
• Executing show access-list commands
• Displaying the running-config
• Saving the running-config using write memory
• Copying the running-config to a tftp server
To turn suppress-acl-seq ON, enter the following commands.
Brocade(config)# acl-policy
Brocade(config-acl-policy)# suppress-acl-seq
Brocade(config-acl-policy)# exit
Syntax: [no] suppress-acl-seq
The no version of this command turns suppress-acl-seq OFF.
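Because an older release rejects ACL lines that carry the sequence parameter, it is worth checking a saved configuration for such lines before a downgrade, rather than discovering the error on the device afterwards. The following added example (not Brocade code) models what suppress-acl-seq does to displayed or saved output by stripping the sequence keyword and number from ACL lines, and provides a pre-downgrade check that lists any lines still carrying sequence numbers. The sample configuration lines, including the placement of `sequence <n>` within them, are constructed for this model and are not verified Multi-Service IronWare output.

```python
"""Model of suppress-acl-seq output filtering and a pre-downgrade check
(added example, not Brocade code). Config line formats are constructed."""
import re
from typing import List

# Constructed sample of a running-config fragment. The exact placement of the
# 'sequence <n>' keyword is an assumption for this model.
SAMPLE_RUNNING_CONFIG = """\
access-list 400 sequence 10 deny 0000.1111.2222 ffff.ffff.ffff any
access-list 400 sequence 20 permit any any
mac access-list named-acl-1
 sequence 10 permit 0000.1111.0000 ffff.ffff.0000 any
 sequence 20 permit any any
interface ethernet 1/1
 mac access-group 400 in
"""

# Matches the sequence keyword plus its number and trailing whitespace.
SEQ_RE = re.compile(r"\bsequence\s+\d+\s*")


def suppress_sequence_numbers(config: str) -> str:
    """Return the config as it would be displayed/saved with suppress-acl-seq ON:
    each line keeps its content but loses the sequence keyword and number."""
    out = []
    for line in config.splitlines():
        out.append(SEQ_RE.sub("", line, count=1).rstrip())
    return "\n".join(out) + "\n"


def lines_with_sequence(config: str) -> List[int]:
    """Pre-downgrade check: 1-based line numbers that still carry a sequence
    number and would be rejected by a release without ACL editing support."""
    return [i for i, line in enumerate(config.splitlines(), 1) if SEQ_RE.search(line)]


def downgrade_safe(config: str) -> bool:
    return not lines_with_sequence(config)


if __name__ == "__main__":
    print("lines with sequence numbers:", lines_with_sequence(SAMPLE_RUNNING_CONFIG))
    cleaned = suppress_sequence_numbers(SAMPLE_RUNNING_CONFIG)
    print(cleaned)
    print("safe to downgrade:", downgrade_safe(cleaned))
```

The check is meant to be run against a copy of the configuration taken with suppress-acl-seq ON, which is the copy an older release would load; if `lines_with_sequence()` still reports anything, the switch was not in effect when the configuration was saved.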