Numbered and named acls, Default acl action, How hardware-based acls work – Brocade TurboIron 24X Series Configuration Guide User Manual

Brocade TurboIron 24X Series Configuration Guide

899

53-1003053-01

How hardware-based ACLs work

You configure ACLs on a global basis, then apply them to the incoming traffic on specific ports. The
software applies the entries within an ACL in the order they appear in the ACL configuration. As
soon as a match is found, the software takes the action specified in the ACL entry (permit or deny
the packet) and stops further comparison for that packet.

Numbered and named ACLs

When you configure an ACL, you can refer to the ACL by a numeric ID or by an alphanumeric name.
The commands to configure numbered ACLs are different from the commands for named ACLs.

•

Numbered ACL – If you refer to the ACL by a numeric ID, you can use 1 – 99 for a standard ACL
or 100 – 199 for an extended ACL.

•

Named ACL – If you refer to the ACL by a name, you specify whether the ACL is a standard ACL
or an extended ACL, then specify the name.

You can configure up to 99 standard numbered IP ACLs and 100 extended numbered IP ACLs. You
also can configure up to 99 standard named ACLs and 100 extended named ACLs by number.

Default ACL action

The default action when no ACLs are configured on a device is to permit all traffic. However, once
you configure an ACL and apply it to a port, the default action for that port is to deny all traffic that
is not explicitly permitted on the port:

•

If you want to tightly control access, configure ACLs consisting of permit entries for the access
you want to permit. The ACLs implicitly deny all other access.

•

If you want to secure access in environments with many users, you might want to configure
ACLs that consist of explicit deny entries, then add an entry to permit all access to the end of
each ACL. The software permits packets that are not denied by the deny entries.

How hardware-based ACLs work

When you bind an ACL to inbound traffic on an interface, the device programs the Layer 4 CAM with
the ACL. Permit and deny rules are programmed. Most ACL rules require one Layer 4 CAM entry.
However, ACL rules that match on more than one TCP or UDP application port may require several
CAM entries. The Layer 4 CAM entries for ACLs do not age out. They remain in the CAM until you
remove the ACL:

•

If a packet received on the interface matches an ACL rule in the Layer 4 CAM, the device
permits or denies the packet according to the ACL.

•

If a packet does not match an ACL rule, the packet is dropped, since the default action on an
interface that has ACLs is to deny the packet.

How fragmented packets are processed

The descriptions above apply to non-fragmented packets. The default processing of fragments by
hardware-based ACLs is as follows: