ACL overview

TABLE 16 Supported ACL features on outbound traffic (Continued)

Feature                                                  Brocade ICX 6650
Extended named and numbered ACLs                         Yes
User input preservation for ACL TCP/UDP port numbers     Yes
ACL comment text                                         Yes
Strict control of ACL filtering of fragmented packets    Yes
ACL support for switched traffic in the router image     Yes
    NOTE: This feature is enabled by default for outbound ACLs on platforms that support outbound ACLs. There is no CLI command to enable or disable it.
Filtering on IP precedence and ToS value                 Yes
QoS options for IP ACLs                                  Yes
Hardware usage statistics                                Yes

This chapter describes how Access Control Lists (ACLs) are implemented and configured in the Brocade devices.

NOTE

For information about IPv6 ACLs, refer to Chapter 4, “IPv6 ACLs”.

ACL overview

Brocade devices support rule-based ACLs (sometimes called hardware-based ACLs), in which the decision to permit or deny a packet is made in hardware, all permitted packets are switched or routed in hardware, and all denied packets are dropped in hardware. Brocade ICX 6650 devices support both inbound and outbound ACLs. The ACL features supported on inbound and outbound traffic are listed in Table 15 and Table 16 respectively and discussed in more detail in the rest of this chapter.

Brocade ICX 6650 devices do not support flow-based ACLs.

Rule-based ACLs program the ACL entries you assign to an interface into Content Addressable Memory (CAM) space allocated for the ports. The ACLs are programmed into hardware at startup (or as new ACLs are entered and bound to ports). Devices that use rule-based ACLs program the ACLs into the CAM entries and use these entries to permit or deny packets in the hardware, without sending the packets to the CPU for processing.

Rule-based ACLs are supported on the following interface types:

Gbps Ethernet ports

10 Gbps Ethernet ports

Trunk groups
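As an added illustration of binding a rule-based ACL to one of these interface types, the following FastIron CLI session defines an extended named ACL that matches on a TCP port number and applies it to outbound traffic on a single port. It is an example written for this edition, not configuration taken from this guide; the hostname "device", the ACL name MGMT-EGRESS, the port number 1/1/1, the exact prompt strings and the choice of TCP port 23 are all assumptions chosen for illustration.

```text
device(config)# ip access-list extended MGMT-EGRESS
device(config-ext-nacl)# deny tcp any any eq 23
device(config-ext-nacl)# permit ip any any
device(config-ext-nacl)# exit
device(config)# interface ethernet 1/1/1
device(config-if-e10000-1/1/1)# ip access-group MGMT-EGRESS out
device(config-if-e10000-1/1/1)# exit
device(config)# write memory
```

The first line creates the extended named ACL; the deny entry filters Telnet (TCP port 23) leaving the port, and the trailing permit lets every other IP packet through. Binding the list with ip access-group ... out is the step at which the entries are programmed into the CAM space allocated for that port, so from then on the deny decision is made in hardware without involving the CPU. Because CAM space per port is finite, check available entries before binding a long ACL to many ports or to a trunk group, and save the configuration so the ACL is reprogrammed at the next startup.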

Brocade ICX 6650 Security Configuration Guide
53-1002601-01