How the bigiron rx processes acls, General configuration guidelines – Brocade BigIron RX Series Configuration Guide User Manual
594
BigIron RX Series Configuration Guide
53-1002484-04
You can use IP ACLs to provide input to other features such as route maps, distribution lists, rate
limiting, and BGP. When you use an ACL this way, use permit statements in the ACL to specify the
traffic that you want to send to the other feature. If you use deny statements, the traffic specified
by the deny statements is not supplied to the other feature. Also, if you use an ACL in a route map
and you use a wildcard character as the source IP address, make sure you apply the route map to
interfaces instead of globally, to prevent loops. See the chapters for a specific feature for
information on using ACLs as input to those features.
How the BigIron RX processes ACLs
The BigIron RX processes traffic that ACLs filter in hardware. The device creates an entry for each
ACL in the Content Addressable Memory (CAM) at startup or when the ACL is created. The device
uses these CAM entries to permit or deny packets in the hardware, without sending the packets to
the CPU for processing.
General configuration guidelines
• ACLs are supported on physical interfaces, trunk groups, and virtual routing interfaces.
• ACLs are supported only for inbound traffic. An error message is displayed if you apply an ACL to an outbound interface.
• You can create up to 416 CAM entries, but you can have up to 8,000 statements (rules) in all the ACL configurations on the device. The default is 4096 statements.
• A port supports only one IPv4 ACL; however, the ACL can contain multiple statements. For example, ACLs 101 and 102 cannot both be applied to port 1, but ACL 101 can contain multiple entries.
• IPv4 and IPv6 ACLs can co-exist on the same interface.
• If you change the content of an ACL (add, change, or delete entries), you must remove and then reapply the ACL to all the ports that use it. Otherwise, the older version of the ACL remains in the CAM and continues to be used. You can easily re-apply ACLs using the ip rebind-acl <num> | <name> | all command. Refer to
• You cannot enable any of the following features on the interface if an ACL is already applied to that interface:
  • Protection against ICMP or TCP Denial-of-Service (DoS) Attacks
  • ACL-based rate limiting
  • ACL Logging
  • Policy-based routing (PBR)
RX-BI-16XG (16 x 10GE) Module EGRESS ACL Configuration Guidelines
• The RX-BI-16XG (16 x 10GE) module only supports standard, extended, named, and numbered ACLs for outbound access-group applications.
• Egress filtering on a subset of the ports of a VE is not supported; matching must apply to all VE ports.
• Matching on the SPI field value is not supported for egress ACLs.
• Matching on the fragment or fragmentation-offset field is not supported.
• A matching egress ACL compares only 3 bits of the TOS field (delay, throughput, reliability)
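As an added example that is not part of the manual, the following Python script audits a constructed IronWare-style configuration against the guidelines above: one inbound IPv4 ACL per port, no outbound ACLs except RX-BI-16XG egress ACLs, and the device-wide statement limit. The configuration syntax (access-list, interface, ip access-group) and all sample values are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample running-config in IronWare-style syntax (assumed format).
SAMPLE_CONFIG = """\
access-list 101 permit tcp any host 10.0.0.5 eq 443
access-list 101 deny ip any any
access-list 102 permit ip 10.1.0.0 0.0.255.255 any
interface ethernet 1/1
 ip access-group 101 in
 ip access-group 102 in
interface ethernet 1/2
 ip access-group 101 out
interface ethernet 2/1
 ip access-group 102 in
"""

DEFAULT_STATEMENT_LIMIT = 4096  # default statement limit from the guidelines


def audit_acl_config(text, statement_limit=DEFAULT_STATEMENT_LIMIT):
    """Return (scope, problem) findings for the guidelines on this page."""
    rules = defaultdict(int)      # ACL number -> number of statements
    bindings = defaultdict(list)  # interface -> [(ACL, direction)]
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"access-list (\d+) (permit|deny)\b", line)
        if m:
            rules[m.group(1)] += 1
            continue
        m = re.match(r"interface (\S+ \S+)$", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"ip access-group (\S+) (in|out)$", line)
        if m and iface:
            bindings[iface].append((m.group(1), m.group(2)))
    findings = []
    for iface, binds in sorted(bindings.items()):
        inbound = [acl for acl, d in binds if d == "in"]
        if len(inbound) > 1:  # a port supports only one IPv4 ACL
            findings.append((iface, "more than one inbound IPv4 ACL: " + ", ".join(inbound)))
        for acl, d in binds:
            if d == "out":  # outbound ACLs are only supported as RX-BI-16XG egress ACLs
                findings.append((iface, f"outbound ACL {acl}: only RX-BI-16XG egress ACLs are supported"))
    total = sum(rules.values())
    if total > statement_limit:
        findings.append(("global", f"{total} ACL statements exceed the limit of {statement_limit}"))
    return findings
```

The check cannot tell whether an ACL was edited after it was bound, so the rebind requirement still has to be enforced operationally with ip rebind-acl.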