beautypg.com

Hardware aging of layer 4 cam entries, Configuration considerations – Brocade TurboIron 24X Series Configuration Guide User Manual

Page 934

background image

900

Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

Configuration considerations

The first fragment of a packet is permitted or denied using the ACLs. The first fragment is
handled the same way as non-fragmented packets, since the first fragment contains the Layer
4 source and destination application port numbers. The device uses the Layer 4 CAM entry if
one is programmed, or applies the interface's ACL entries to the packet and permits or denies
the packet according to the first matching ACL.

For other fragments of the same packet, they are subject to a rule only if there is no Layer 4
information in the rule or in any preceding rules.

The fragments are forwarded even if the first fragment, which contains the Layer 4 information,
was denied. Generally, denying the first fragment of a packet is sufficient, since a transaction
cannot be completed without the entire packet.

For tighter control, you can configure the port to drop all packet fragments. Refer to

“Enabling strict

control of ACL filtering of fragmented packets”

on page 919.

Hardware aging of Layer 4 CAM entries

Rule-based ACLs use Layer 4 CAM entries. The device permanently programs rule-based ACLs into
the CAM. The entries never age out.

Configuration considerations

Inbound ACLs are supported; however, outbound ACL are not supported.

Hardware-based ACLs are supported on:

Gbps Ethernet ports

10 Gbps Ethernet ports

Trunk groups

Virtual routing interfaces

ACLs on the TurboIron X Series devices apply to all traffic, including management traffic.

ACL logging is supported for denied packets and packets that are sent to the CPU to generate
the log if logging is enabled on the port and the ACL that is applied to that port. ACL logging is
not supported for packets that are processed in hardware (permitted packets).

The number of ACL rules supported per device is listed in

Table 140

.

Hardware-based ACLs support only one ACL per port. The ACL of course can contain multiple
entries (rules). For example, hardware-based ACLs do not support ACLs 101 and 102 on port
1, but hardware-based ACLs do support ACL 101 containing multiple entries.

By default, the first fragment of a fragmented packet received by the device is permitted or
denied using the ACLs, but subsequent fragments of the same packet are forwarded in
hardware. Generally, denying the first fragment of a packet is sufficient, since a transaction
cannot be completed without the entire packet.

The following ACL features and options are not supported:

Applying an ACL on a device that has Super Aggregated VLANs (SAVs) enabled.

ACL logging – ACL logging is supported for packets that are sent to the CPU for processing
(denied packets). ACL logging is not supported for packets that are processed in hardware
(permitted packets).

Flow-based ACLs

See also other documents in the category Brocade Computer Accessories: