ACL configuration considerations

See “ACL overview” on page 82 for details on which devices support inbound and outbound ACLs.

Hardware-based ACLs are supported on the following devices:

- Gbps Ethernet ports

- 10 Gbps Ethernet ports

- Trunk groups

- Virtual routing interfaces

Inbound ACLs apply to all traffic, including management traffic. By default, outbound ACLs are not applied to traffic generated by the CPU; this must be enabled with the enable egress-acl-on-control-traffic command. See “Applying egress ACLs to Control (CPU) traffic” on page 101 for details.

Hardware-based ACLs support only one ACL per port; that ACL can contain multiple entries (rules). For example, hardware-based ACLs do not support ACLs 101 and 102 on port 1, but they do support ACL 101 containing multiple entries.

For devices that support both, inbound ACLs and outbound ACLs can co-exist on the same port. When an inbound ACL and an outbound ACL are configured on the same port, the outbound ACL is applied only to outgoing traffic.

ACLs are affected by port regions. Each ACL group must contain one entry for the implicit deny-all IP traffic clause, and each ACL group uses a multiple of 8 ACL entries, so a group's hardware footprint is its rule count plus one, rounded up to the next multiple of 8. For example, if all ACL groups contain 5 ACL entries, each group occupies 8 entries (5 rules plus the implicit deny) and you could add 127 ACL groups (1016/8) in that port region. If all your ACL groups contain 8 ACL entries, each group occupies 16 entries, since the implicit deny entry pushes it past 8, and you could add 63 ACL groups (1016/16).

By default, the first fragment of a fragmented packet received by the Brocade device is permitted or denied by the ACLs, but subsequent fragments of the same packet are forwarded in hardware without ACL evaluation. Generally, denying the first fragment of a packet is sufficient, since the receiver cannot reassemble the packet, and so cannot complete the transaction, without it.

ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP Inspection (DAI) are enabled. IP source guard and ACLs are also supported together on the same port, as long as both features are configured at the port level or both at the per-port-per-VLAN level. Brocade ports do not support IP source guard and ACLs on the same port if one is configured at the port level and the other at the per-port-per-VLAN level.

Ingress MAC filters can be applied to the same port as an outbound ACL.

A DoS attack protection configuration on a port applies only to ingress traffic.

Outbound ACLs cannot be configured through a RADIUS server as dynamic or user-based ACLs. However, outbound ACLs can still be configured on a port with MAC authentication or 802.1X enabled, because the two operate in different directions.

The following ACL features and options are not supported on the Brocade ICX 6650 devices:

- Applying an ACL on a device that has Super Aggregated VLANs (SAVs) enabled.

- ACL logging of permitted packets. ACL logging is supported for inbound packets that are sent to the CPU for processing (denied packets); it is not supported for packets that are processed in hardware (permitted packets).

- Flow-based ACLs

- Layer 2 ACLs
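Three of the considerations above (one hardware ACL per port, the per-region entry budget of rules plus the implicit deny rounded up to a multiple of 8 out of 1016 entries, and logging only of denied packets) can be checked before a configuration is pushed. The following lint script is an added example written for this page, not Brocade's code or a tool from the guide. Its assumptions are hypothetical: rules are written as access-list <n> permit|deny ... and bindings as ip access-group <n> in|out under interface ethernet <port>, the port-to-region mapping is supplied by the caller (default_region is invented, grouping ports by unit/slot), each binding is charged to its region separately as a worst case, and the sample configuration is constructed.

```python
"""Pre-deployment lint for a FastIron-style ACL configuration.

Added example for this page, not Brocade code. Hypothetical assumptions:
rule syntax 'access-list <n> permit|deny ...', bindings 'ip access-group
<n> in|out' under 'interface ethernet <port>', a caller-supplied
port-to-region mapping (default_region is made up), and one region charge
per binding (worst case).
"""
import math
import re
from collections import defaultdict

REGION_ENTRIES = 1016   # hardware entries per port region (figure from the page)
GROUP_GRANULARITY = 8   # each ACL group consumes a multiple of 8 entries
IMPLICIT_DENY = 1       # the implicit "deny ip any any" occupies one entry


def group_slots(rule_count):
    """Hardware entries consumed by one ACL with rule_count explicit rules."""
    needed = rule_count + IMPLICIT_DENY
    return math.ceil(needed / GROUP_GRANULARITY) * GROUP_GRANULARITY


def max_groups(rule_count):
    """How many ACLs of rule_count rules each fit in one port region."""
    return REGION_ENTRIES // group_slots(rule_count)


def default_region(port):
    """Hypothetical mapping: ports on the same unit/slot share one region."""
    return port.rsplit("/", 1)[0]


def parse_config(text):
    """Return ({acl number: [(action, rest)]}, [(port, acl number, direction)])."""
    acls = defaultdict(list)
    bindings = []
    port = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"access-list (\d+) (permit|deny) (.*)$", line)
        if m:
            acls[int(m.group(1))].append((m.group(2), m.group(3)))
            continue
        m = re.match(r"interface ethernet (\S+)$", line)
        if m:
            port = m.group(1)
            continue
        m = re.match(r"ip access-group (\d+) (in|out)$", line)
        if m and port is not None:
            bindings.append((port, int(m.group(1)), m.group(2)))
    return acls, bindings


def lint(text, region_of_port=default_region):
    """Return (findings, entries used per region) for a configuration text."""
    acls, bindings = parse_config(text)
    findings = []

    # Hardware allows a single ACL per port and direction.
    bound = defaultdict(list)
    for port, num, direction in bindings:
        bound[(port, direction)].append(num)
    for (port, direction), nums in bound.items():
        if len(nums) > 1:
            findings.append(f"{port} {direction}: {nums} bound; hardware allows one ACL "
                            f"per port and direction, merge the rules into one ACL")

    # Only denied (CPU-processed) inbound packets are logged; permit+log is inert.
    for num, rules in acls.items():
        for action, rest in rules:
            if action == "permit" and re.search(r"\blog\b", rest):
                findings.append(f"ACL {num}: 'log' on a permit rule has no effect; "
                                f"only denied packets are logged")

    # Region budget: rules + implicit deny, rounded up to a multiple of 8.
    usage = defaultdict(int)
    for port, num, direction in bindings:
        usage[region_of_port(port)] += group_slots(len(acls.get(num, [])))
    for region, used in sorted(usage.items()):
        if used > REGION_ENTRIES:
            findings.append(f"region {region}: {used} entries needed, "
                            f"{REGION_ENTRIES} available")
    return findings, dict(usage)


# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """
access-list 101 permit tcp any host 10.0.0.10 eq 22
access-list 101 permit udp any host 10.0.0.10 eq 161
access-list 101 deny ip any any log
access-list 102 permit ip 10.0.0.0 0.0.0.255 any log
interface ethernet 1/1/1
 ip access-group 101 in
 ip access-group 102 in
interface ethernet 1/1/2
 ip access-group 101 out
"""

if __name__ == "__main__":
    for rules in (5, 8):
        print(f"{rules} rules/ACL -> {group_slots(rules)} entries each, "
              f"{max_groups(rules)} ACLs per region")
    for finding in lint(SAMPLE_CONFIG)[0]:
        print("finding:", finding)
```

Running the script reproduces the page's capacity figures (5-rule ACLs: 8 entries each, 127 per region; 8-rule ACLs: 16 entries each, 63 per region) and flags the two problems in the sample: two inbound ACLs bound to 1/1/1, and a permit rule in ACL 102 carrying log. Replace default_region with the real port-region layout of the platform before relying on the budget figures.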

Brocade ICX 6650 Security Configuration Guide

85

53-1002601-01
