Manualshelf

Technical data

ManualsBrandsBrocade Communications Systems ManualsHome Theater ServerServerIron ADX 12.4.00
71727374757677787980
ServerIron ADX NAT64 Configuration Guide 59
53-1002444-02
DRAFT: BROCADE CONFIDENTIAL
Chapter
5
Access Control Lists
In this chapter
In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
ACL entries and the Layer 4 CAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configuring rule-based ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Modifying rule-based ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Displaying rule-based ACL entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
ACL logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Dropping all fragments that exactly match a flow-based ACL . . . . . . . . . . . 85
Enabling ACL filtering of fragmented packets . . . . . . . . . . . . . . . . . . . . . . . . 86
Enabling filtering for packets denied by flow-based ACLs . . . . . . . . . . . . . . 88
Enabling strict TCP or UDP mode for flow-based ACLs . . . . . . . . . . . . . . . . . 88
ACLs and ICMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Using flow-based ACLs and NAT on the same interface . . . . . . . . . . . . . . . . 95
Troubleshooting rule-based ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
How ServerIron ADX ADX processes ACLs
This chapter describes the access control list (ACL) feature. ACLs allow you to filter traffic based on
the information in the IP packet header. Depending on the Foundry device, the device may also
support Layer 2 ACLs, which filter traffic based on Layer 2 MAC header fields.
You can use IP ACLs to provide input to other features such as distribution lists and rate limiting.
When you use an ACL this way, use permit statements in the ACL to specify the traffic that you want
to send to the other feature. If you use deny statements, the traffic specified by the deny
statements is not supplied to the other feature.
There are two ways that IPv4 ACLs are processed in Foundry devices: in software (flow-based ACLs)
and in hardware (rule-based ACLs). This processing differs depending on the software release that
you are running. These differences are described in the following sections.
Prior to release 12.3.01
Prior to release 12.3.01, IPv4 ACLs were processed as described in the following:
For deny actions:
All deny packets are dropped in hardware.
For permit actions: