Configuration rules and notes, Configuring layer 2 acls, Creating a layer 2 acl table – Brocade BigIron RX Series Configuration Guide User Manual


BigIron RX Series Configuration Guide

53-1002484-04

Configuration rules and notes

You cannot bind Layer 2 ACLs and IP ACLs to the same port. However, you can configure one
port on the device to use Layer 2 ACLs and another port on the same device to use IP ACLs.

You cannot bind a Layer 2 ACL to a virtual interface.

The Layer 2 ACL feature cannot perform SNAP and LLC encapsulation type comparisons.

BigIron RX processes ACLs in hardware.

You can use Layer 2 ACLs to block management access to the BigIron RX. For example, you can
use a Layer 2 ACL clause to block a certain host from establishing a connection to the device
through Telnet.

You cannot edit or modify an existing Layer 2 ACL clause. If you want to change the clause, you
must delete it first, then re-enter the new clause.

You cannot add remarks to a Layer 2 ACL clause.

Configuring Layer 2 ACLs

Configuring a Layer 2 ACL is similar to configuring standard and extended ACLs. Layer 2 ACL table
IDs range from 400 to 499, for a maximum of 100 configurable Layer 2 ACL tables. Within each
Layer 2 ACL table, you can configure from 64 (default) to 256 clauses. Each clause or entry can
define a set of Layer 2 parameters for filtering. Once you completely define a Layer 2 ACL table, you
must bind it to the interface for filtering to take effect.

The device evaluates traffic coming into the port against each ACL clause in order. When a match
occurs, the device either forwards or drops the traffic, depending on the action specified for the
matching clause, and does not evaluate the traffic against any subsequent clauses.

By default, if the traffic does not match any of the clauses in the ACL table, the device drops the
traffic. To override this behavior, specify a “permit any any…” clause at the end of the table to
match and forward all traffic not matched by the previous clauses.

NOTE

Use caution when placing entries within the ACL table. The Layer 2 ACL feature does not attempt
to resolve conflicts between clauses and assumes you know what you are doing.

Creating a Layer 2 ACL table

You create a Layer 2 ACL table by defining a Layer 2 ACL clause.

To create a Layer 2 ACL table, enter commands (clauses) such as the following at the Global
CONFIG level of the CLI. Note that you can add additional clauses to the ACL table at any time by
entering the command with the same table ID and different MAC parameters.

BigIron RX(config)# access-list 400 deny any any any etype arp
BigIron RX(config)# access-list 400 deny any any any etype ipv6
BigIron RX(config)# access-list 400 permit any any 100

This configuration creates a Layer 2 ACL with an ID of 400. When applied to an interface, this Layer
2 ACL table will deny all ARP and IPv6 traffic, and permit all other traffic in VLAN 100.
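To check a table's first-match and implicit-deny behaviour before binding it to a port, the following Python model (added here; it is not Brocade code) loads the three clauses above and evaluates constructed frames against them. It assumes the clause layout shown on this page (source, destination, optional VLAN, optional etype), only the two etype keywords used here, and the default limit of 64 clauses per table.

```python
from collections import namedtuple
from typing import Optional, Tuple

# Ethertype keywords used on this page, mapped to their wire values (assumption: only these two).
ETYPES = {"arp": 0x0806, "ipv6": 0x86DD}
Clause = namedtuple("Clause", "action src dst vlan etype")  # vlan/etype None means "any"

def parse_clause(line: str) -> Tuple[int, Clause]:
    """Parse 'access-list <id> permit|deny <src> <dst> [<vlan>|any] [etype <name>]' (layout from the page)."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unrecognised clause: {line}")
    acl_id = int(tok[1])
    if not 400 <= acl_id <= 499:
        raise ValueError(f"Layer 2 ACL table IDs range from 400 to 499, got {acl_id}")
    rest, vlan, etype = tok[5:], None, None
    if rest and rest[0] != "etype":          # optional VLAN field
        vlan, rest = (None if rest[0] == "any" else int(rest[0])), rest[1:]
    if rest:                                 # optional 'etype <name>'
        if len(rest) != 2 or rest[0] != "etype" or rest[1] not in ETYPES:
            raise ValueError(f"bad etype in clause: {line}")
        etype = ETYPES[rest[1]]
    return acl_id, Clause(tok[2], tok[3].lower(), tok[4].lower(), vlan, etype)

class L2Acl:
    """Ordered clause list: first match wins, implicit deny when nothing matches."""
    def __init__(self, acl_id: int, max_clauses: int = 64):   # 64 = page's default clause limit
        self.acl_id, self.max_clauses, self.clauses = acl_id, max_clauses, []
    def add(self, line: str) -> None:
        acl_id, clause = parse_clause(line)
        if acl_id != self.acl_id:
            raise ValueError(f"clause belongs to table {acl_id}, not {self.acl_id}")
        if len(self.clauses) >= self.max_clauses:
            raise ValueError(f"table {self.acl_id} is full ({self.max_clauses} clauses)")
        self.clauses.append(clause)          # clauses are append-only, never edited in place
    def evaluate(self, src: str, dst: str, vlan: int, etype: int) -> Tuple[str, Optional[int]]:
        """Return (action, index of matching clause); index None means the implicit deny fired."""
        for i, c in enumerate(self.clauses):
            if (c.src in ("any", src.lower()) and c.dst in ("any", dst.lower())
                    and c.vlan in (None, vlan) and c.etype in (None, etype)):
                return c.action, i           # later clauses are not evaluated
        return "deny", None                  # no clause matched: the device drops the frame

# The three clauses from the page, loaded into one table.
ACL_400 = L2Acl(400)
for cmd in ("access-list 400 deny any any any etype arp",
            "access-list 400 deny any any any etype ipv6",
            "access-list 400 permit any any 100"):
    ACL_400.add(cmd)
```

Frames in VLAN 100 that are neither ARP nor IPv6 hit the permit clause; the same frame tagged with any other VLAN reaches the end of the table and is dropped.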
