Brocade Network Advisor SAN User Manual v11.1x (53-1002167-01, May 2011)
Brocade Network Advisor SAN User Manual 387
53-1002167-01
Chapter
15
Security Management
In this chapter
•Layer 2 access control list management . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
•Security configuration deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Layer 2 access control list management
A Layer 2 access control list (L2 ACL) enables you to filter traffic based on the information in the IP
packet header using the MAC address and Ethernet type.
NOTE
L2 ACLs can filter traffic for both Fabric OS and Internetwork OS FCoE devices.
An ACL is a unique collection of permit and deny statements (rules) that apply to frames. You can
use ACLs to permit or deny incoming frames from passing through an interface to which you
assigned the ACLs. When the interface receives the frame, the device compares the fields in the
frame against any ACLs assigned to the interface to verify that the frame has the required
permissions to be forwarded. The device compares the frame, sequentially, against each rule in the
assigned ACL. If the frame matches the ‘permit’ rule, the traffic is forwarded; otherwise, the traffic
is dropped.
You should configure the ACL on the device before you assign the ACL to an interface. You can
create multiple ACLs and save them to the device configuration. However, the ACL does not filter
traffic until you assign it to an interface. You can assign an ACL on the following interface types:
physical port , Virtual LAN (VLAN), or Link Aggregation Group (LAG).
You can create two types of ACLs:
• Standard ACL—Use to permit and deny traffic based on the source MAC address of incoming
frames. You should use standard ACLs when you only need to filter traffic based the source
address.
• Extended ACL—Use to permit and deny traffic based on the source and destination MAC
addresses and EtherType, of incoming frames.