Hardware aging of Layer 4 CAM entries, Configuration considerations – Brocade TurboIron 24X Series Configuration Guide User Manual
Brocade TurboIron 24X Series Configuration Guide, 53-1003053-01, page 900
Configuration considerations
• The first fragment of a packet is permitted or denied using the ACLs. The first fragment is handled the same way as non-fragmented packets, since the first fragment contains the Layer 4 source and destination application port numbers. The device uses the Layer 4 CAM entry if one is programmed, or applies the interface's ACL entries to the packet and permits or denies the packet according to the first matching ACL.
• Other fragments of the same packet are subject to a rule only if there is no Layer 4 information in the rule or in any preceding rules.
The fragments are forwarded even if the first fragment, which contains the Layer 4 information, was denied. Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be completed without the entire packet.
For tighter control, you can configure the port to drop all packet fragments. Refer to control of ACL filtering of fragmented packets”
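The two bullets above describe a matching order that is easy to misread: a non-first fragment carries no Layer 4 header, so the device stops evaluating at the first rule that mentions a port and forwards the fragment in hardware, even when the first fragment was denied. The following model, added here as an illustration and not code from the Brocade guide or the device firmware, walks through that order for a constructed ACL and a constructed three-packet sequence, and shows how the "drop all packet fragments" option closes the gap. The `Rule` and `Packet` classes, the `filter_packet` function, the implicit deny at the end of the list, and the assumption that a fragment dropped by the port-level option is not logged are all mine; the page does not describe those details.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    """One ACL entry (hypothetical model). A field left as None matches anything."""
    action: str                    # "permit" or "deny"
    proto: Optional[str] = None    # "tcp", "udp", "icmp" or None for any protocol
    src: Optional[str] = None      # source host address, None = any
    dst: Optional[str] = None      # destination host address, None = any
    sport: Optional[int] = None    # Layer 4 source port (Layer 4 information)
    dport: Optional[int] = None    # Layer 4 destination port (Layer 4 information)
    log: bool = False              # ACL logging requested for this entry

    def has_l4(self) -> bool:
        return self.sport is not None or self.dport is not None

    def matches(self, pkt: "Packet") -> bool:
        return (
            (self.proto is None or self.proto == pkt.proto)
            and (self.src is None or self.src == pkt.src)
            and (self.dst is None or self.dst == pkt.dst)
            and (self.sport is None or self.sport == pkt.sport)
            and (self.dport is None or self.dport == pkt.dport)
        )


@dataclass
class Packet:
    """Constructed packet header; Layer 4 ports exist only on the first fragment."""
    src: str
    dst: str
    proto: str
    frag_offset: int = 0           # 0 = unfragmented or first fragment
    more_frags: bool = False       # IP "more fragments" flag
    sport: Optional[int] = None
    dport: Optional[int] = None

    @property
    def is_first(self) -> bool:
        return self.frag_offset == 0

    @property
    def is_fragment(self) -> bool:
        return self.frag_offset > 0 or self.more_frags


def filter_packet(acl: List[Rule], pkt: Packet, drop_fragments: bool = False) -> Tuple[str, bool]:
    """Return (action, logged) following the fragment semantics described in the guide."""
    # Port configured to drop all packet fragments: tighter control option.
    # Logging of this drop is not described on the page; modelled as not logged (assumption).
    if drop_fragments and pkt.is_fragment:
        return "deny", False

    if pkt.is_first:
        # First fragment is handled exactly like a non-fragmented packet:
        # first matching rule decides, and only denials generate a log entry.
        for rule in acl:
            if rule.matches(pkt):
                return rule.action, (rule.action == "deny" and rule.log)
        return "deny", False       # implicit deny at end of list (assumption)

    # Non-first fragment: no Layer 4 header. It is subject to a rule only if neither
    # that rule nor any preceding rule carries Layer 4 information; otherwise it is
    # forwarded in hardware regardless of what happened to the first fragment.
    for rule in acl:
        if rule.has_l4():
            return "permit", False
        if rule.matches(pkt):
            return rule.action, (rule.action == "deny" and rule.log)
    return "deny", False           # implicit deny at end of list (assumption)


# Constructed ACLs: one keyed on a Layer 4 port, one keyed on Layer 3 only.
TELNET_ACL = [Rule("deny", proto="tcp", dport=23, log=True), Rule("permit")]
HOST_ACL = [Rule("deny", src="10.0.0.5", log=True), Rule("permit")]

# Constructed packets: an unfragmented telnet SYN, then the same flow split in two.
UNFRAG = Packet("10.0.0.5", "192.0.2.10", "tcp", sport=40000, dport=23)
FIRST_FRAG = Packet("10.0.0.5", "192.0.2.10", "tcp", more_frags=True, sport=40000, dport=23)
LATER_FRAG = Packet("10.0.0.5", "192.0.2.10", "tcp", frag_offset=185)


def demo() -> Dict[str, Tuple[str, bool]]:
    return {
        "telnet_unfrag": filter_packet(TELNET_ACL, UNFRAG),        # denied, logged
        "telnet_first": filter_packet(TELNET_ACL, FIRST_FRAG),     # denied, logged
        "telnet_later": filter_packet(TELNET_ACL, LATER_FRAG),     # forwarded: rule 1 has L4 info
        "host_later": filter_packet(HOST_ACL, LATER_FRAG),         # denied: no L4 info in rule 1
        "telnet_later_dropfrag": filter_packet(TELNET_ACL, LATER_FRAG, drop_fragments=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> action={result[0]:6s} logged={result[1]}")
```

The `host_later` case is the contrast worth noticing when reviewing an ACL: a deny keyed on addresses alone still catches every fragment, whereas a deny keyed on a port only catches the first one, which is why the guide offers the per-port drop-all-fragments option for tighter control.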
Hardware aging of Layer 4 CAM entries
Rule-based ACLs use Layer 4 CAM entries. The device permanently programs rule-based ACLs into the CAM. The entries never age out.
Configuration considerations
• Inbound ACLs are supported; however, outbound ACLs are not supported.
• Hardware-based ACLs are supported on:
  • Gbps Ethernet ports
  • 10 Gbps Ethernet ports
  • Trunk groups
  • Virtual routing interfaces
• ACLs on the TurboIron X Series devices apply to all traffic, including management traffic.
• ACL logging is supported for denied packets and packets that are sent to the CPU to generate the log if logging is enabled on the port and the ACL that is applied to that port. ACL logging is not supported for packets that are processed in hardware (permitted packets).
• The number of ACL rules supported per device is listed in .
• Hardware-based ACLs support only one ACL per port. The ACL of course can contain multiple entries (rules). For example, hardware-based ACLs do not support ACLs 101 and 102 on port 1, but hardware-based ACLs do support ACL 101 containing multiple entries.
• By default, the first fragment of a fragmented packet received by the device is permitted or denied using the ACLs, but subsequent fragments of the same packet are forwarded in hardware. Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be completed without the entire packet.
• The following ACL features and options are not supported:
  • Applying an ACL on a device that has Super Aggregated VLANs (SAVs) enabled.
  • ACL logging – ACL logging is supported for packets that are sent to the CPU for processing (denied packets). ACL logging is not supported for packets that are processed in hardware (permitted packets).
  • Flow-based ACLs