Acl entries and the layer 4 cam, Aging out of entries in the layer 4 cam, Displaying the number of layer 4 cam entries – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual


ServerIron ADX Security Guide

53

53-1002440-03

ACL entries and the Layer 4 CAM

2

1. The system-max ip-filter-sys value must be set to 4096.

ServerIronADX(config)# system-max ip-filter-sys 4096

2. The ip access-group max-l4-cam parameter must be set to 4096 on the interface to which the ACL will be applied.

ServerIronADX(config)# interface ethernet 1

ServerIronADX(config-if-e1000-1)# ip access-group max-l4-cam 4096

3. Execute the write memory command to save the running configuration to the startup-config, then reload the ServerIron ADX.

The actual number of ACLs you can configure and store in the startup-config file depends on the
amount of memory available on the device for storing the startup-config. To store 4096 ACLs in the
startup-config file requires at least 250K bytes, which is larger than the space available on a
device’s flash memory module.

You can load ACLs dynamically by saving them in an external configuration file on flash card or TFTP
server, then loading them using one of the following commands.

copy tftp running-config <ip-addr> <filename>

ncopy tftp <ip-addr> <from-name> running-config

In this case, the ACLs are added to the existing configuration.

ACL entries and the Layer 4 CAM

Rule-based ACLs use Layer 4 CAM entries.

Aging out of entries in the Layer 4 CAM

On a ServerIron ADX device, the device permanently programs rule-based ACLs into the CAM. The
entries never age out.

Displaying the number of Layer 4 CAM entries

To display the number of Layer 4 CAM entries used by each ACL, enter the following command.

Syntax: show access-list <acl-num> | <acl-name> | all

The Rule cam use field lists the number of CAM entries used by the ACL or entry. The number of
CAM entries listed for the ACL itself is the total of the CAM entries used by the ACL’s entries.

ServerIronADX(config)# show access-list all
Extended IP access list 100 (Total flows: N/A, Total packets: N/A, Total rule cam use: 3)
permit udp host 192.168.2.169 any (Flows: N/A, Packets: N/A, Rule cam use: 1)
permit icmp any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
deny ip any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
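The following Python script is an added example and is not part of the Brocade guide. It parses the output format of show access-list all shown above, sums the Rule cam use of each ACL's entries, checks that the sum agrees with the Total rule cam use reported in the ACL header, and reports how many of the interface's max-l4-cam entries remain. The sample output embeds the ACL 100 from the guide plus a second ACL, 101, which is constructed for illustration; the script also assumes that all listed ACLs are applied to one interface whose max-l4-cam is 4096, as configured in the procedure earlier on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample output: ACL 100 is taken from the guide; ACL 101 and its
# entries are invented here for illustration only.
SAMPLE_OUTPUT = """\
Extended IP access list 100 (Total flows: N/A, Total packets: N/A, Total rule cam use: 3)
permit udp host 192.168.2.169 any (Flows: N/A, Packets: N/A, Rule cam use: 1)
permit icmp any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
deny ip any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
Extended IP access list 101 (Total flows: N/A, Total packets: N/A, Total rule cam use: 2)
permit tcp any host 10.0.0.5 eq 443 (Flows: N/A, Packets: N/A, Rule cam use: 1)
deny ip any any (Flows: N/A, Packets: N/A, Rule cam use: 1)
"""

# Header line of one ACL: captures the ACL number or name and the reported total.
ACL_HEADER = re.compile(r"^.*IP access list (\S+) \(.*Total rule cam use: (\d+)\)$")
# One permit/deny entry: captures the action, the rule text and its CAM use.
ACL_ENTRY = re.compile(r"^(permit|deny) (.+?) \(.*Rule cam use: (\d+)\)$")


@dataclass
class Acl:
    name: str
    reported_total: int          # "Total rule cam use" printed in the header
    entries: list = field(default_factory=list)  # (rule text, cam use) pairs

    def entry_total(self) -> int:
        """Sum of the Rule cam use values of the individual entries."""
        return sum(cam for _, cam in self.entries)


def parse_show_access_list(text: str) -> list:
    """Turn the text of 'show access-list all' into a list of Acl objects."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACL_HEADER.match(line)
        if m:
            acls.append(Acl(name=m.group(1), reported_total=int(m.group(2))))
            continue
        m = ACL_ENTRY.match(line)
        if m and acls:
            rule = f"{m.group(1)} {m.group(2)}"
            acls[-1].entries.append((rule, int(m.group(3))))
    return acls


def cam_report(acls: list, max_l4_cam: int) -> dict:
    """Compare CAM consumption against the interface's max-l4-cam setting.

    Assumes every ACL in 'acls' is applied to the same interface (assumption
    made for this example). 'mismatched' lists ACLs whose header total does
    not equal the sum of their entries, which would warrant a closer look.
    """
    used = sum(acl.entry_total() for acl in acls)
    mismatched = [acl.name for acl in acls if acl.entry_total() != acl.reported_total]
    return {
        "used": used,
        "max": max_l4_cam,
        "free": max_l4_cam - used,
        "mismatched": mismatched,
    }


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE_OUTPUT)
    for acl in parsed:
        print(f"ACL {acl.name}: {len(acl.entries)} entries, "
              f"{acl.entry_total()} CAM entries (header says {acl.reported_total})")
    print(cam_report(parsed, max_l4_cam=4096))
```

Because rule-based ACL entries never age out of the Layer 4 CAM, the "free" figure only falls as ACLs are added; running this against the live output after each ACL change gives an early warning before the per-interface limit is reached.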
