Configuration Guide User guide

FastIron Configuration Guide 1747
53-1002494-02
For flow-based ACLs, the Total flows and Flows fields list the number of Layer 4 session table flows
in use for the ACL.
The Total packets and Packets fields apply only to flow-based ACLs.
Troubleshooting ACLs
Use the following methods to troubleshoot access control lists (ACLs):
• To display the number of Layer 4 CAM entries being used by each ACL, enter the show access-list <ACL-num> | <ACL-name> | all command. Refer to “Displaying ACL information” on page 1746.
• To determine whether the issue is specific to fragmentation, remove the Layer 4 information (TCP or UDP application ports) from the ACL, then reapply the ACL.
• If you are using another feature that requires ACLs, either use the same ACL entries for filtering and for the other feature, or change to flow-based ACLs.
Policy-based routing (PBR)
Policy-Based Routing (PBR) allows you to use ACLs and route maps to selectively modify and route
IP packets in hardware. The ACLs classify the traffic. Route maps that match on the ACLs set
routing attributes for the traffic.
A PBR policy specifies the next hop for traffic that matches the policy. Using standard ACLs with
PBR, you can route IP packets based on their source IP address. With extended ACLs, you can route
IP packets based on all of the clauses in the extended ACL.
You can configure the Brocade device to perform the following types of PBR based on a packet's Layer 3 and Layer 4 information:
• Select the next-hop gateway.
• Send the packet to the null interface (null0).
When a PBR policy has multiple next hops to a destination, PBR selects the first live next hop
specified in the policy that is up. If none of the policy's direct routes or next hops are available, the
packet is routed in the normal way.
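The following configuration is an added example, not taken from this guide, showing the pieces described above: a standard ACL classifies traffic by source, a route map matches on that ACL and lists two next hops (the first live one is used, otherwise the packet is routed normally), a second route-map entry discards a matched range via null0, and the policy is applied to a virtual interface. The ACL numbers, addresses and the interface name are constructed; listing two addresses on one set ip next-hop line is assumed to be accepted by this release.

```text
! Constructed example; ACL numbers, addresses and interface are placeholders.
! ACL 10 classifies the traffic to be policy-routed (match on source only).
access-list 10 permit 10.20.0.0 0.0.255.255
! ACL 11 classifies traffic that should be dropped rather than forwarded.
access-list 11 permit 192.0.2.0 0.0.0.255

! Entry 10: preferred next hop first, backup second. PBR uses the first
! next hop that is up; if neither is up, the packet follows the normal route.
route-map pbr-example permit 10
 match ip address 10
 set ip next-hop 172.16.1.1 172.16.1.2

! Entry 20: send matching packets to the null interface (black-hole).
route-map pbr-example permit 20
 match ip address 11
 set interface null0

! Apply per interface. An interface policy takes precedence over a global
! "ip policy route-map" and must not be applied to a port that already
! carries ACLs, ACL-based rate limiting, DSCP-based QoS or MAC filtering.
interface ve 100
 ip policy route-map pbr-example
```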
Configuration considerations for policy-based routing
• PBR is supported in the full Layer 3 code only.
• PBR is not supported on FastIron WS devices.
• PBR is not supported together with ACLs on the same port.
• Global PBR is not supported when IP Follow is configured on an interface.
• Global PBR is not supported with per-port-per-VLAN ACLs.
• A PBR policy on an interface takes precedence over a global PBR policy.
• You cannot apply PBR on a port if that port already has ACLs, ACL-based rate limiting, DSCP-based QoS, or MAC address filtering.