Access control list, How serveriron processes acls, Prior to release 12.3.01 – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual



ServerIron ADX Security Guide


53-1002440-03

Chapter 2: Access Control List

How ServerIron processes ACLs

This chapter describes the Access Control List (ACL) feature. ACLs allow you to filter traffic based on
the information in the IP packet header. Depending on the Brocade device, the device may also
support Layer 2 ACLs, which filter traffic based on Layer 2 MAC header fields.

You can use IP ACLs to provide input to other features such as distribution lists and rate limiting.
When you use an ACL this way, use permit statements in the ACL to specify the traffic that you want
to send to the other feature. If you use deny statements, the traffic specified by the deny
statements is not supplied to the other feature.

There are two ways that IPv4 ACLs are processed in Brocade devices: in software and in hardware.
This processing differs depending on the software release that you are running. These differences
are described in the following sections.

Prior to release 12.3.01

Prior to release 12.3.01, IPv4 ACLs were processed as described in the following:

For deny actions:

All deny packets are dropped in hardware.

For permit actions:

For pass-through traffic, packets are processed in hardware.

For Layer 4 - 7 traffic, packets are forwarded to the BPs and the BPs perform the ACL
processing.

Beginning with release 12.3.01 and later

Beginning with release 12.3.01, IPv4 ACLs are processed as described in the following:

For deny actions:

All deny packets are dropped in hardware.

For permit actions:

For pass-through traffic, packets are processed in hardware.

For Layer 4 - 7 traffic, packets are processed in hardware and then forwarded to the BPs. The
BPs do not take any action on the ACLs.
