Enabling support for additional ACL statements, ACL-based inbound mirroring – Brocade BigIron RX Series Configuration Guide User Manual


BigIron RX Series Configuration Guide, 53-1002484-04, page 596, chapter 22

ACL ID – An ACL ID is a number from 1 – 99 (standard), 100 – 199 (extended) or 500 – 599 (super) or a character string (super ACLs are numbered only). The ACL ID identifies a collection of individual ACL entries. When you apply ACL entries to an interface, you do so by applying the ACL ID that contains the ACL entries to the interface, instead of applying the individual entries to the interface. This makes it easier to apply large groups of access filters (ACL entries) to interfaces.

NOTE

This process differs from the process of assigning IP access policies. When you use IP access
policies, you apply the individual policies directly to the interfaces.

ACL entry – An ACL entry contains the filter commands associated with an ACL ID. These are also called “statements.” The maximum number of ACL entries you can configure is a system-wide parameter and depends on the BigIron RX you are configuring. You can configure up to the maximum number of entries in any combination in different ACLs. The total number of entries in all ACLs cannot exceed the system maximum.

You configure ACLs on a global basis, then apply them to the incoming traffic on specific ports. You
can apply only one ACL to a port’s inbound traffic. The software applies the entries within an ACL in
the order they appear in the ACL’s configuration. As soon as a match is found, the software takes
the action specified in the ACL entry (for example, permit or deny the packet) and stops further
comparison for that packet.

Enabling support for additional ACL statements

You can enable support for additional ACL statements if the BigIron RX has enough space for a
startup-config file that contains the ACLs. Enter the following command at the Global CONFIG level
of the CLI.

BigIron RX(config)# system-max ip-filter-sys 5000

Syntax: [no] system-max ip-filter-sys <num>

Enter up to 8000 for <num>. The default is 4000 statements.

You can load ACLs dynamically by saving them in an external configuration file on a flash card or a
TFTP server, then loading them using one of the following commands:

copy slot1 | slot2 running <from-name>

ncopy slot1 | slot2 <from-name> running

copy tftp running-config <ip-addr> <filename>

ncopy tftp <ip-addr> <from-name> running-config

In this case, the ACLs are added to the existing configuration.
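The following is an added example, not code from the guide or from Brocade: a small Python model of the ACL rules described above (numbered ACL ID ranges, ordered entries with first-match evaluation, and the system-wide entry cap set by system-max ip-filter-sys). It lets you check an ACL set offline for entries that can never match because an earlier entry already covers them, and for a total entry count that would exceed the configured maximum. The implicit deny at the end of an ACL and the source-prefix-only entry format are simplifying assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the concepts on this page (not Brocade code).
DEFAULT_MAX_ENTRIES = 4000   # default for system-max ip-filter-sys per the guide
NUMBERED_RANGES = {"standard": (1, 99), "extended": (100, 199), "super": (500, 599)}


@dataclass
class Entry:
    action: str   # "permit" or "deny"
    src: str      # source prefix in CIDR form (assumed simplified entry format)


def acl_kind(acl_id):
    """Classify an ACL ID by the numbered ranges on this page; strings are named ACLs."""
    if isinstance(acl_id, str):
        return "named"
    for kind, (lo, hi) in NUMBERED_RANGES.items():
        if lo <= acl_id <= hi:
            return kind
    raise ValueError(f"ACL ID {acl_id} is outside 1-99, 100-199 and 500-599")


def evaluate(entries, src_ip):
    """Apply entries in configured order; the first match decides and stops the search.
    Returns (action, index). No match falls through to an assumed implicit deny."""
    ip = ip_address(src_ip)
    for i, e in enumerate(entries):
        if ip in ip_network(e.src, strict=False):
            return e.action, i
    return "deny", None


def shadowed_entries(entries):
    """Indices of entries that can never match because an earlier entry covers their prefix."""
    out = []
    for i, e in enumerate(entries):
        net = ip_network(e.src, strict=False)
        if any(net.subnet_of(ip_network(p.src, strict=False)) for p in entries[:i]):
            out.append(i)
    return out


def total_entries_ok(acls, max_entries=DEFAULT_MAX_ENTRIES):
    """System-wide check: entries across all ACLs must not exceed the configured maximum."""
    return sum(len(v) for v in acls.values()) <= max_entries
```

A deny for 10.1.2.0/24 placed after a permit for 10.0.0.0/8 is reported as shadowed, which is the ordering mistake the first-match rule above makes easy to introduce.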

ACL-based inbound mirroring

ACLs can be used to select traffic for mirroring from one port to another. Using this feature, you can
monitor traffic in the mirrored port using a protocol analyzer.
