ServerIron ADX NAT64 Configuration Guide, page 61 (53-1002444-02, draft)
Chapter 5: How ServerIron ADX processes ACLs
Configuration guidelines for rule-based ACLs
Consider the following guidelines:
• Rule-based ACLs support only one ACL per port. The ACL can contain multiple entries (rules). For example, rule-based ACLs do not support ACLs 101 and 102 on port 1, but they do support ACL 101 containing multiple entries.
• If you change the content of an ACL (add, change, or delete entries), you must remove and then reapply the ACL to all the ports that use it. Otherwise, the older version of the ACL remains in the CAM and continues to be used. You can easily reapply ACLs using the ip rebind-acl <num> | <name> | all command. Refer to “Applying ACLs to interfaces” on page 75.
NOTE: Foundry recommends that you also remove and reapply a changed ACL.
• ACL statistics are not supported with rule-based rate limiting.
• If you use the <icmp-type> parameter with an extended ACL, the device uses the CPU to filter packets using the ACL. The CPU is required to filter on the ICMP message type.
• You can use policy-based routing (PBR) and rule-based ACLs on the same port. However, Foundry recommends that you use exactly the same ACL for each feature. Otherwise, it is possible for the ACL’s Layer 4 CAM entry to be programmed incorrectly and give unexpected results.
Processing of fragmented packets
The descriptions for rule-based ACLs above apply to non-fragmented packets. The default processing of fragments by rule-based ACLs is as follows:
• The first fragment of a packet is permitted or denied using the ACLs. The first fragment is handled the same way as non-fragmented packets, since the first fragment contains the Layer 4 source and destination application port numbers. The device uses the Layer 4 CAM entry if one is programmed, or applies the interface’s ACL entries to the packet and permits or denies the packet according to the first matching ACL.
• For other fragments of the same packet, one of the following occurs:
  • If the device has a CAM entry for the packet and has not been configured to send the fragments to the CPU, the device uses the CAM entry to forward the fragments in hardware.
    The fragments are forwarded even if the first fragment, which contains the Layer 4 information, was denied. Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be completed without the entire packet. However, for stricter fragment control, you can send fragments to the CPU for filtering.
  • If the device is configured to send fragments to the CPU for filtering, the device compares the source and destination IP addresses to the ACL entries that contain Layer 4 information.
    • If the fragment’s source and destination addresses exactly match an ACL entry that has Layer 4 information, the device assumes that the ACL entry is applicable to the fragment and permits or denies the fragment according to the ACL entry. The device does not compare the fragment to ACL entries that do not contain Layer 4 information.
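The fragment-handling rules above are easier to reason about as a decision procedure. The following Python model is an added illustration, not Brocade/Foundry code: the CAM is modelled as a dictionary keyed by (source IP, destination IP), the `fragments_to_cpu` flag stands in for the device setting that sends fragments to the CPU, the implicit deny at the end of the ACL is assumed, and the constructed ACL and packets exist only to exercise each branch. Where the page gives no rule (a non-initial fragment with no CAM entry, or a CPU-filtered fragment that matches no Layer 4 entry, whose description continues past this page), the model returns `None` rather than inventing behaviour.

```python
# Added illustration of the fragment-handling rules described above; this is
# not Brocade/Foundry code. The CAM table is modelled as a dict keyed by
# (source IP, destination IP) and "fragments_to_cpu" stands in for the
# device setting that sends fragments to the CPU (both are assumptions).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class AclEntry:
    action: str
    src: str                      # host IP or "any"
    dst: str                      # host IP or "any"
    proto: Optional[str] = None   # e.g. "tcp"; None means no Layer 4 information
    dport: Optional[int] = None   # destination port; None means no Layer 4 information

    @property
    def has_l4(self) -> bool:
        return self.proto is not None or self.dport is not None

    def addresses_match(self, src: str, dst: str) -> bool:
        return self.src in ("any", src) and self.dst in ("any", dst)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]    # None for non-initial fragments (no Layer 4 header present)
    frag_offset: int = 0    # 0 = first fragment or unfragmented packet (8-byte units)


Cam = Dict[Tuple[str, str], str]


def match_first_fragment(acl: List[AclEntry], pkt: Packet) -> str:
    """First fragment (or whole packet): full Layer 3/4 match, first hit wins."""
    for e in acl:
        if not e.addresses_match(pkt.src, pkt.dst):
            continue
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return DENY  # implicit deny at the end of the ACL (assumption)


def evaluate(acl: List[AclEntry], pkt: Packet, cam: Cam,
             fragments_to_cpu: bool = False) -> Tuple[Optional[str], str]:
    """Return (action, reason); action is None where the page states no rule."""
    flow = (pkt.src, pkt.dst)
    if pkt.frag_offset == 0:
        action = match_first_fragment(acl, pkt)
        cam[flow] = action  # assumption: the device programs a CAM entry for the flow
        return action, "first-fragment"

    if not fragments_to_cpu:
        if flow in cam:
            # Hardware forwards on the CAM entry even when the first fragment was denied.
            return PERMIT, "cam-hardware-forward"
        return None, "no-cam-entry (behaviour not described on this page)"

    # Fragments sent to the CPU: only entries carrying Layer 4 information are consulted.
    for e in acl:
        if e.has_l4 and e.addresses_match(pkt.src, pkt.dst):
            return e.action, "cpu-l4-entry"
    return None, "no-l4-entry-match (continuation not on this page)"


def demo() -> Dict[str, Tuple[Optional[str], str]]:
    """Constructed ACL and packets exercising each branch of the rules."""
    acl = [
        AclEntry(DENY, "10.0.0.5", "192.0.2.10", proto="tcp", dport=23),
        AclEntry(PERMIT, "any", "any"),  # no Layer 4 information
    ]
    first = Packet("10.0.0.5", "192.0.2.10", "tcp", 23, frag_offset=0)
    later = Packet("10.0.0.5", "192.0.2.10", "tcp", None, frag_offset=185)
    other = Packet("10.0.0.9", "192.0.2.10", "tcp", None, frag_offset=185)
    cam: Cam = {}
    return {
        "first": evaluate(acl, first, cam),
        "later_hw": evaluate(acl, later, cam),
        "later_cpu": evaluate(acl, later, cam, fragments_to_cpu=True),
        "other_cpu": evaluate(acl, other, cam, fragments_to_cpu=True),
    }


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:10s} {str(action):7s} {reason}")
```

The `later_hw` case is the one worth noticing: the first fragment of the telnet flow is denied, yet with the default hardware path the remaining fragments are still forwarded on the CAM entry, exactly as the text describes. Switching `fragments_to_cpu` on makes the same fragment hit the Layer 4 deny entry, while a fragment from a different source (`other_cpu`) is never compared against the `permit any any` entry because that entry carries no Layer 4 information.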