
1708 FastIron Configuration Guide
53-1002494-02
Hardware aging of Layer 4 CAM entries
Rule-based ACLs use Layer 4 CAM entries. The device permanently programs rule-based ACLs into
the CAM. The entries never age out.
ACL configuration considerations
See “ACL overview” on page 1705 for details on which devices support inbound and outbound
ACLs.
Hardware-based ACLs are supported on the following devices:
• Gbps Ethernet ports
• 10 Gbps Ethernet ports
• Trunk groups
• Virtual routing interfaces
NOTE
Brocade FCX devices do not support ACLs on Group VEs, even though the CLI contains
commands for this action.
Inbound ACLs apply to all traffic, including management traffic. By default, outbound ACLs are
not applied to traffic generated by the CPU. This must be enabled using the enable
egress-acl-on-control-traffic command. See “Applying egress ACLs to Control (CPU) traffic” on
page 1725 for details.
The number of ACLs supported per device is listed in Table 284.
Hardware-based ACLs support only one ACL per port. That ACL can, of course, contain multiple
entries (rules). For example, hardware-based ACLs do not support applying both ACL 101 and
ACL 102 to port 1, but they do support applying ACL 101 containing multiple entries.
For devices that support both, inbound ACLs and outbound ACLs can co-exist. When an
inbound ACL and an outbound ACL are configured on the same port, the outbound ACL is
applied only to outgoing traffic.
ACLs are affected by port regions. For example, on the FESX and FSX, multiple ACL groups
share 1016 ACL rules per port region. Each ACL group must contain one entry for the implicit
deny all IP traffic clause. Also, each ACL group uses a multiple of 8 ACL entries. For example,
if all ACL groups contain 5 ACL entries, you could add 127 ACL groups (1016/8) in that port
region. If all your ACL groups contain 8 ACL entries, you could add only 63 ACL groups, since you
must account for the implicit deny entry (8 rules plus the implicit deny is 9 entries, which
rounds up to the next multiple of 8, that is, 16 CAM entries per group, and 1016/16 is 63).
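The port-region arithmetic above is easy to get wrong when planning how many ACL groups a region can hold, so here is a small capacity calculator. It is an added example written for this page, not code from the Brocade guide or from the FastIron software; it encodes only the two rules the guide states (one extra CAM entry per group for the implicit deny-all clause, and allocation in multiples of 8 entries), uses the guide's 1016-entry region figure as the default, and generalizes to mixed group sizes. The function names are this example's own.

```python
"""Capacity planning for hardware ACL groups in a FastIron port region.

Added example (not from the Brocade guide). It models the two rules the
guide states for FESX/FSX port regions: each ACL group carries one extra
CAM entry for the implicit "deny all IP" clause, and a group always
occupies a multiple of 8 CAM entries. The 1016-entry region size is the
guide's figure; all function names here are this example's own.
"""

import math

CAM_ROWS_PER_REGION = 1016   # rules shared by all ACL groups in one port region
CAM_BLOCK_SIZE = 8           # each group is allocated in multiples of 8 entries
IMPLICIT_DENY_ENTRIES = 1    # one entry per group for the implicit deny-all clause


def cam_entries_per_group(configured_rules: int) -> int:
    """CAM entries consumed by one ACL group with the given number of rules."""
    if configured_rules < 0:
        raise ValueError("rule count cannot be negative")
    needed = configured_rules + IMPLICIT_DENY_ENTRIES
    # Round up to the next multiple of the CAM block size.
    return math.ceil(needed / CAM_BLOCK_SIZE) * CAM_BLOCK_SIZE


def max_acl_groups(configured_rules: int, region_size: int = CAM_ROWS_PER_REGION) -> int:
    """How many identical ACL groups fit in a port region of region_size entries."""
    return region_size // cam_entries_per_group(configured_rules)


def region_usage(group_sizes, region_size=CAM_ROWS_PER_REGION):
    """Total CAM entries used by a mix of groups of different sizes, and whether they fit."""
    used = sum(cam_entries_per_group(n) for n in group_sizes)
    return {"used": used, "free": region_size - used, "fits": used <= region_size}


if __name__ == "__main__":
    for rules in (5, 7, 8, 15, 16):
        print(f"{rules:3d} rules -> {cam_entries_per_group(rules):3d} CAM entries, "
              f"max {max_acl_groups(rules)} groups per region")
    # Constructed sample: four ACL groups of 5, 8, 20 and 100 rules in one region.
    print(region_usage([5, 8, 20, 100]))
```

Running it reproduces the guide's two figures (5 rules gives 127 groups, 8 rules gives 63) and shows why the step from 7 to 8 rules halves the number of groups: the implicit deny pushes the group into the next 8-entry block. The same rounding is worth checking before adding a rule to an ACL that is already at a block boundary on a region that is nearly full.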
By default, the first fragment of a fragmented packet received by the Brocade device is
permitted or denied using the ACLs, but subsequent fragments of the same packet are
forwarded in hardware. Generally, denying the first fragment of a packet is sufficient, since a
transaction cannot be completed without the entire packet.
ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP
Inspection (DAI) are enabled. Also, IP source guard and ACLs are supported together on the
same port, as long as both features are configured at the port-level or per-port-per-VLAN level.
Brocade ports do not support IP source guard and ACLs on the same port if one is configured
at the port-level and the other is configured at the per-port-per-VLAN level.
Ingress MAC filters can be applied to the same port as an outbound ACL.