Default acl action, Types of ip acls, Acl ids and entries – Brocade BigIron RX Series Configuration Guide User Manual

Page 673: Types of ip, Acls

Advertising
background image

BigIron RX Series Configuration Guide

595

53-1002484-04

Disabling or re-enabling Access Control Lists (ACLs)

22

ACLs that specify spi, .tos min monrtary cost, fragment or fragmentation-offset will cause
a configuration conflict and an error message "ACL configuration conflict specified filter
not supported" is entered in syslog.

802.1p-priority is not supported as a matching egress acl condition.

dscp-marking is not available as a condition matching egress acl action.

deny-logging is not supported for egress ACLs.

Disabling or re-enabling Access Control Lists (ACLs)

The ACL feature is always enabled on BigIron RX; it cannot be disabled.

Default ACL action

The default action when no ACLs are configured on a BigIron RX is to permit all traffic. However,
once you configure an ACL and apply it to a port, the default action for that port is to deny all traffic
that is not explicitly permitted on the port.

To control access more tightly, configure ACLs consisting of permit entries for the access you
want to permit. The ACLs implicitly deny all other access.

To secure access in environments with many users, you can configure ACLs that consist of
explicit deny entries, then add an entry to permit all access to the end of each ACL. The
software permits packets that are not denied by the deny entries.

NOTE

Do not apply an empty ACL (an ACL ID without any corresponding entries) to an interface. If you
accidentally do this, the software applies the default ACL action, deny all, to the interface and thus
denies all traffic.

Types of IP ACLs

IP ACLs can be configured as standard, extended, or super. A standard ACL permits or denies
packets based on a source IP address. An extended ACL permits or denies packets based on
source and destination IP addresses and also based on IP protocol information. Super ACLs can
match on any field in a packet header from Layer 2 to Layer 4. Super ACLs support all options
currently supported in ACL and MAC ACL, including QoS marking.

Standard or extended ACLs can be numbered or named. Standard ACLs are numbered from 1 – 99,
extended ACLs are numbered 100 – 199. Super ACLs may be assigned numbered IDs only, from
500 - 599. IDs for standard or extended ACLs can also be a character string (named). In this
document, an ACL with a string ID is called a named ACL.

ACL IDs and entries

ACLs consist of ACL IDs and ACL entries:

Advertising
Popular Brands
Popular manuals