Technical data

ServerIron ADX NAT64 Configuration Guide 63
53-1002444-02
You configure ACLs on a global basis, then apply them to the incoming or outgoing traffic on
specific ports. You can apply only one ACL to a port’s inbound traffic and only one ACL to a port’s
outbound traffic. The software applies the entries within an ACL in the order they appear in the
ACL configuration. As soon as a match is found, the software takes the action specified in the
matching entry (permit or deny the packet) and stops further comparison for that packet.
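Because evaluation stops at the first matching entry, a later entry can be silently shadowed by an earlier, broader one and never take effect. The following checker is an added example, not code from the guide: it evaluates a source address against an ordered list of standard-style entries and reports entries that can never match. The entry syntax (action, address, wildcard mask) and the sample list are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample ACL (assumed standard-ACL syntax: action, source, wildcard mask).
# In a wildcard mask, 0 bits must match the entry address and 1 bits are ignored.
SAMPLE_ACL = [
    "permit 10.1.0.0 0.0.255.255",
    "deny   10.1.5.0 0.0.0.255",         # shadowed: 10.1.5.0/24 lies inside entry 0
    "deny   192.168.1.0 0.0.0.255",
    "permit 0.0.0.0 255.255.255.255",    # match anything
]

def parse_entry(line):
    """Return (action, address as int, wildcard as int) for one entry."""
    action, addr, wildcard = line.split()
    return action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))

def matches(entry, ip):
    """Wildcard-mask comparison of one address against one entry."""
    _, addr, wc = entry
    fixed = ~wc & 0xFFFFFFFF          # bits the entry actually constrains
    return (ip & fixed) == (addr & fixed)

def evaluate(acl_lines, src_ip):
    """First-match evaluation as described above: stop at the first entry that matches.
    Returns (action, index) or ("no-match", None); end-of-list behaviour is not modelled here."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for idx, line in enumerate(acl_lines):
        entry = parse_entry(line)
        if matches(entry, ip):
            return entry[0], idx
    return "no-match", None

def shadowed_entries(acl_lines):
    """Indexes of entries that can never match because an earlier entry already
    covers every address they could match (non-contiguous wildcards handled too)."""
    entries = [parse_entry(line) for line in acl_lines]
    shadowed = []
    for j, (_, addr_j, wc_j) in enumerate(entries):
        fixed_j = ~wc_j & 0xFFFFFFFF
        for _, addr_i, wc_i in entries[:j]:
            fixed_i = ~wc_i & 0xFFFFFFFF
            # Entry i covers entry j when every bit i constrains is also constrained
            # by j, and both require the same value on those bits.
            if (fixed_i & ~fixed_j) == 0 and (addr_i & fixed_i) == (addr_j & fixed_i):
                shadowed.append(j)
                break
    return shadowed
```

Running `shadowed_entries(SAMPLE_ACL)` reports entry 1, and `evaluate(SAMPLE_ACL, "10.1.5.7")` shows why: the address is permitted by entry 0 before the deny is ever consulted.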
Support for up to 4096 ACL entries
You can configure up to 4096 ACL entries on devices that have enough space to hold a
startup-config file that contains the ACLs.
To reach the system-wide maximum of 4096 ACL rules, the ip-filter-sys system-max value and the
ip access-group max-l4-cam parameter must both be set to 4096. Configure the following:
1. The system-max for ip-filter-sys value must be set to 4096.
ServerIronADX(config)# system-max ip-filter-sys 4096
2. The ip access-group max-l4-cam parameter must be set to 4096 on the interface to which the ACL
will be applied.
ServerIronADX(config)# interface ethernet 1
ServerIronADX(config-if-e1000-1)# ip access-group max-l4-cam 4096
3. Execute the write memory command to save the running configuration to the startup-config, then
reload the ServerIron ADX.
The actual number of ACLs you can configure and store in the startup-config file depends on the
amount of memory available on the device for storing the startup-config. To store 4096 ACLs in the
startup-config file requires at least 250K bytes, which is larger than the space available on a
device’s flash memory module.
You can load ACLs dynamically by saving them in an external configuration file on a flash card or a
TFTP server, then loading them using one of the following commands.
copy tftp running-config <ip-addr> <filename>
ncopy tftp <ip-addr> <from-name> running-config
In this case, the ACLs are added to the existing configuration.
ACL entries and the Layer 4 CAM
Both standard and extended rule-based ACLs use Layer 4 CAM entries.
This section includes the following topics:
“Aging out of entries in the Layer 4 CAM” on page 63
“Displaying the number of Layer 4 CAM entries” on page 64
“Specifying the maximum number of CAM entries” on page 64
Aging out of entries in the Layer 4 CAM
On a ServerIron ADX device, the software permanently programs rule-based ACLs into the CAM.
The entries never age out.