FastIron Configuration Guide
53-1002494-02
ACL overview
This chapter describes how Access Control Lists (ACLs) are implemented and configured in the
Brocade devices.
NOTE
For information about IPv6 ACLs, refer to Chapter 41, “IPv6 ACLs”.
Brocade devices support rule-based ACLs (sometimes called hardware-based ACLs), where the
decisions to permit or deny packets are made in hardware. All permitted packets are
switched or routed in hardware, and all denied packets are dropped in hardware.
FastIron FWS devices support inbound ACLs only; outbound ACLs are not supported on those
devices. FSX, FCX, and ICX devices support both inbound and outbound ACLs. The ACL features
supported on inbound and outbound traffic are listed in Table 282 and Table 283, respectively,
and are discussed in more detail in the rest of this chapter.
NOTE
FastIron devices do not support flow-based ACLs.
Rule-based ACLs program the ACL entries you assign to an interface into Content Addressable
Memory (CAM) space allocated for the ports. The ACLs are programmed into hardware at startup
(or as new ACLs are entered and bound to ports). Devices that use rule-based ACLs program the
ACLs into the CAM entries and use these entries to permit or deny packets in the hardware, without
sending the packets to the CPU for processing.
Rule-based ACLs are supported on the following interface types:
• Gbps Ethernet ports
• 10 Gbps Ethernet ports
• Trunk groups
• Virtual routing interfaces
Types of IP ACLs
You can configure the following types of IP ACLs:
• Standard – Permits or denies packets based on source IP address. Valid standard ACL IDs are
1 – 99 or a character string.
• Extended – Permits or denies packets based on source and destination IP address and also
based on IP protocol information. Valid extended ACL IDs are a number from 100 – 199 or a
character string.
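The following added example (not part of the Brocade guide) audits a configuration against the rules stated in this section: numeric ID ranges per ACL type, source-only matching for standard ACLs, and inbound-only support on FWS. It assumes the numbered `access-list` and `ip access-group ... in|out` command forms, which this section does not show; the sample configuration, the protocol keyword subset, and the function names are constructed for illustration.

```python
# Added example: audit numbered ACL lines against the rules in this section.
SUPPORTED_DIRECTIONS = {  # per the overview: FWS is inbound-only
    "FWS": {"in"}, "FSX": {"in", "out"}, "FCX": {"in", "out"}, "ICX": {"in", "out"},
}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}  # assumption: subset of protocol keywords

def acl_type(acl_id):
    """Map a numeric ACL ID to its type; None if outside both valid ranges."""
    n = int(acl_id)
    if 1 <= n <= 99:
        return "standard"
    if 100 <= n <= 199:
        return "extended"
    return None

def audit(family, config):
    """Return (line_number, message) findings for one device family."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        tok = raw.split()
        if len(tok) >= 4 and tok[0] == "access-list" and tok[1].isdigit():
            kind = acl_type(tok[1])
            # Extended entries name an IP protocol (keyword or number) first.
            has_proto = tok[3] in PROTOCOLS or tok[3].isdigit()
            if kind is None:
                findings.append((lineno, f"ACL ID {tok[1]} is outside 1-99 and 100-199"))
            elif kind == "standard" and has_proto:
                findings.append((lineno, "standard ID used with a protocol match"))
            elif kind == "extended" and not has_proto:
                findings.append((lineno, "extended ID used without a protocol"))
        elif len(tok) == 4 and tok[:2] == ["ip", "access-group"]:
            if tok[3] not in SUPPORTED_DIRECTIONS[family]:
                findings.append((lineno, f"{family} does not support '{tok[3]}' ACLs"))
    return findings

# Constructed sample configuration (documentation addresses, not from the guide).
SAMPLE = "\n".join([
    "access-list 10 deny host 192.0.2.10",
    "access-list 10 permit any",
    "access-list 20 permit tcp any any",
    "access-list 110 deny tcp host 192.0.2.10 any eq telnet",
    "access-list 250 permit any",
    "interface ethernet 1/1",
    " ip access-group 10 in",
    " ip access-group 110 out",
])

if __name__ == "__main__":
    for family in ("FWS", "ICX"):
        print(family, audit(family, SAMPLE))
```

The audit covers numbered ACLs only; ACLs identified by a character string are skipped.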
1. ACL features for outbound traffic are only supported on specific FastIron SX 800 & FastIron SX 1600 modules.
Please check with your Brocade Support representative for details.
2. DSCP CoS mapping is not supported for outgoing traffic.