Access control lists – Brocade 6910 Ethernet Access Switch Configuration Guide (Supporting R2.2.0.0) User Manual
53-1002651-02
42 Access Control Lists
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol,
Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP, next
header type), or any frames (based on MAC address or Ethernet type). To filter incoming packets,
first create an access list, add the required rules, and then bind the list to a specific port.
Configuring Access Control Lists
An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses,
or other more specific criteria. This switch tests ingress packets against the conditions in an ACL
one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it
matches a deny rule. If no rules match, the packet is accepted.
Command Usage
The following restrictions apply to ACLs:
• The maximum number of ACLs is 128.
• The maximum number of rules per system is 512 rules.
• An ACL can have up to 64 rules. However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20.
• The maximum number of rules that can be bound to the ports is 64 for each of the following list types: MAC ACLs, IP Standard ACLs, IP Extended ACLs, IPv6 Standard ACLs, and IPv6 Extended ACLs.
The maximum number of rules (Access Control Entries, or ACEs) stated above is the worst-case
scenario. In practice, the switch compresses the ACEs in TCAM (a hardware table used to store
ACEs), so the actual maximum number of ACEs depends on too many factors to be precisely
determined, including the amount of hardware resources reserved at runtime for this purpose.
Auto ACE Compression is a software feature that compresses all the ACEs of an ACL to use
hardware resources more efficiently. Without compression, one ACE occupies a fixed number
of entries in TCAM. So if one ACL includes 25 ACEs, the ACL would need (25 * n) entries in TCAM,
where “n” is the fixed number of TCAM entries needed for one ACE. When compression is
employed, the software compresses the ACEs before writing them into TCAM to reduce the
number of required TCAM entries. For example, one ACL may include 128 ACEs which classify a
contiguous IP address range such as 192.168.1.0~255. If compression is disabled, the ACL would
occupy (128*n) entries of TCAM, using up nearly all of the hardware resources. When using
compression, the 128 ACEs are compressed into one ACE classifying the IP address as
192.168.1.0/24, which requires only “n” entries in TCAM. The above example is an ideal case for
compression. The worst case is when no ACE can be compressed, in which case the number of
TCAM entries used is the same as without compression, and processing the ACEs also takes
more time.
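The compression described above amounts to merging adjacent address matches into the fewest CIDR prefixes that cover exactly the same addresses. The following Python script is an added illustration of that idea, not Brocade's code and not the switch's actual TCAM algorithm: it collapses a list of single-host ACEs with the standard library's `ipaddress.collapse_addresses`, reports the TCAM cost before and after, and also shows the worst case (a sparse address list that cannot be merged). The value of “n” (TCAM entries per ACE) is not given in the guide, so it is a parameter with an assumed default of 1; the host lists are constructed sample data.

```python
import ipaddress

# "n" in the guide: fixed TCAM entries consumed by one ACE. The platform value
# is not stated on this page, so 1 is an assumed placeholder default.
TCAM_ENTRIES_PER_ACE = 1


def compress_host_aces(hosts, entries_per_ace=TCAM_ENTRIES_PER_ACE):
    """Merge host (or CIDR) ACEs into the minimal set of prefixes covering the
    same addresses, the way the guide's auto-compression reduces 256 host
    matches for 192.168.1.0~255 to a single 192.168.1.0/24 match.

    Returns (prefixes, tcam_entries_before, tcam_entries_after)."""
    nets = [ipaddress.ip_network(h, strict=False) for h in hosts]
    # collapse_addresses() drops duplicates and joins neighbouring prefixes
    # into supernets while never covering an address that was not listed.
    collapsed = list(ipaddress.collapse_addresses(nets))
    before = len(nets) * entries_per_ace
    after = len(collapsed) * entries_per_ace
    return [str(n) for n in collapsed], before, after


def compression_ratio(hosts, entries_per_ace=TCAM_ENTRIES_PER_ACE):
    """Fraction of TCAM entries saved; 0.0 means nothing could be compressed."""
    _, before, after = compress_host_aces(hosts, entries_per_ace)
    return 1.0 - after / before if before else 0.0


if __name__ == "__main__":
    # Constructed ideal case: every host in 192.168.1.0~255 as its own ACE.
    ideal = ["192.168.1.%d" % i for i in range(256)]
    # Constructed worst case: only even hosts, so no two ACEs share a /31.
    worst = ["10.0.0.%d" % i for i in range(0, 256, 2)]
    for label, aces in (("ideal", ideal), ("worst", worst)):
        prefixes, before, after = compress_host_aces(aces, entries_per_ace=4)
        print(f"{label}: {len(aces)} ACEs -> {len(prefixes)} prefixes, "
              f"TCAM entries {before} -> {after}")
        print("  ", prefixes[:4], "..." if len(prefixes) > 4 else "")
```

Running it shows the two extremes the guide describes: the contiguous range collapses to one `/24` (a single ACE's worth of TCAM), while the sparse list stays at the same entry count it would have used without compression.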
The order in which active ACLs are checked is as follows:
1. User-defined rules in IP and MAC ACLs for ingress ports are checked in parallel.
2. Rules within an ACL are checked in the configured order, from top to bottom.
3. If the result of checking an IP ACL is to permit a packet, but the result of a MAC ACL on the
same packet is to deny it, the packet will be denied (because the decision to deny a packet has
a higher priority for security reasons). A packet will also be denied if the IP ACL denies it and
the MAC ACL accepts it.
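The evaluation rules above (first match wins, top to bottom; accept when nothing matches; IP and MAC ACLs checked independently with any deny taking priority) can be modelled directly. The following Python simulator is an added example, not the switch's own code: the `IpRule`, `MacRule` and `Packet` classes and the `any` keyword are simplified assumptions for illustration, and the packets are constructed samples. It is useful for checking rule order before binding an ACL, since the same rules in a different order can give a different verdict.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed minimal view of an ingress frame (assumed fields)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    protocol: str = "ip"          # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class IpRule:
    """Simplified IP ACE: action plus optional source prefix, protocol, port."""
    action: str                   # "permit" or "deny"
    src: str = "any"              # CIDR prefix or "any"
    protocol: str = "any"
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src != "any" and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


@dataclass(frozen=True)
class MacRule:
    """Simplified MAC ACE: action plus optional source MAC."""
    action: str
    src_mac: str = "any"

    def matches(self, pkt: Packet) -> bool:
        return self.src_mac == "any" or self.src_mac.lower() == pkt.src_mac.lower()


def evaluate_acl(rules, pkt: Packet) -> str:
    """First-match evaluation in configured order. If no rule matches, the
    packet is accepted, as this guide states for this platform."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "permit"


def filter_packet(ip_acl, mac_acl, pkt: Packet) -> str:
    """IP and MAC ACLs are checked independently; a deny from either wins."""
    verdicts = (evaluate_acl(ip_acl, pkt), evaluate_acl(mac_acl, pkt))
    return "deny" if "deny" in verdicts else "permit"


def shadowed_rules(rules, samples):
    """Return indexes of rules that never win on the given sample packets,
    a cheap check for a 'permit any' placed above a more specific deny."""
    winners = set()
    for pkt in samples:
        for i, rule in enumerate(rules):
            if rule.matches(pkt):
                winners.add(i)
                break
    return [i for i in range(len(rules)) if i not in winners]


if __name__ == "__main__":
    telnet = Packet("00:11:22:33:44:55", "10.1.1.1", "192.168.0.10", "tcp", 23)
    ordered = [IpRule("deny", "10.0.0.0/8", "tcp", 23), IpRule("permit")]
    reversed_order = [IpRule("permit"), IpRule("deny", "10.0.0.0/8", "tcp", 23)]
    print("ordered:", evaluate_acl(ordered, telnet))          # deny
    print("reversed:", evaluate_acl(reversed_order, telnet))  # permit
    print("shadowed:", shadowed_rules(reversed_order, [telnet]))
    print("combined:", filter_packet([IpRule("permit")],
                                     [MacRule("deny", "00:11:22:33:44:55")], telnet))
```

The `shadowed_rules` helper is the practical check: a rule that never wins on representative traffic is usually sitting below a broader rule that already matched, which is exactly the ordering mistake the top-to-bottom semantics make easy.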