Brocade Network OS Administrator's Guide v4.1.1: IP ACLs, IP ACL parameters

Page 462


• Logical interfaces (LAGs)
• VLANs

IP ACLs

IP ACLs control access to the switch. They do not filter egress traffic or outbound management traffic
that the switch itself initiates. IPv4 and IPv6 IP ACLs are supported simultaneously.

An IP ACL is a set of rules that is applied to an interface as a packet-filtering firewall. Each rule
defines whether traffic matching a combination of source IP address, destination IP address, protocol,
and port is to be permitted or denied.

Each ACL must have a unique name, and there is no limit to the number of ACLs that can be defined. An
ACL can contain rules for only one version of IP (either IPv4 or IPv6). Only one ACL per IP version can
be active on an interface at a time. In other words, one IPv4 ACL and one IPv6 ACL can be active on
the same interface for packet filtering at the same time.

When traffic is filtered, the rules of the ACL applied to the interface are checked in ascending order
of their sequence numbers. A maximum of 2048 rules can be added to an access list, but when the ACL
is applied to an interface only the 256 lowest-numbered rules take effect; higher-numbered rules are not
applied. If an ACL that contains no rules is applied to an interface, there is no rule to match and all
ingress traffic on that interface is denied. This differs from a Layer 2 ACL: a Layer 2 ACL with no rules
permits traffic through the interface, whereas a Layer 3 (IP) ACL with no rules denies it.

After an IP ACL rule is created, it is not possible to modify any of its options.

The default configuration of the switch consists of two ACLs, one IPv4 ACL and one IPv6 ACL, applied
to the interface.

There are two types of IP access lists:

Standard — Contains rules for only the source IP address. The rules apply to all ports of that source
IP address.

Extended — Contains rules for a combination of IP protocol, source IP address, destination IP address,
source port, and destination port.
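To make the matching semantics described above concrete, the following Python model is added here as an example; it is not Network OS code and does not reproduce the NOS CLI syntax. It evaluates packets against standard and extended ACLs in ascending sequence order with first match wins, applies only the 256 lowest-numbered rules, denies when no rule matches (including an empty ACL), and rejects an attempt to re-add an existing sequence number, since rules cannot be modified in place. The `Rule` and `Packet` classes, the address-specifier strings and all sample addresses and ports are constructed for the example; port matching implements only `eq` semantics.

```python
"""Model of Network OS IP ACL matching semantics (added example, not NOS code)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_RULES_PER_ACL = 2048   # rules an access list may contain
MAX_APPLIED_RULES = 256    # lowest-numbered rules that take effect on an interface


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                   # "permit" or "deny"
    src: str = "any"              # "any", "host <addr>" or "<prefix>/<len>"
    proto: str = "ip"             # extended only: "ip", "tcp" or "udp"
    dst: str = "any"              # extended only
    sport: Optional[int] = None   # extended only, "eq <port>" semantics
    dport: Optional[int] = None   # extended only, "eq <port>" semantics


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    sport: Optional[int] = None
    dport: Optional[int] = None


def addr_match(spec: str, addr: str) -> bool:
    """Match an address against a constructed ACL address specifier."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec.split()[1]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


class IpAcl:
    def __init__(self, name: str, kind: str):
        if kind not in ("standard", "extended"):
            raise ValueError("kind must be 'standard' or 'extended'")
        self.name, self.kind = name, kind
        self.rules: dict[int, Rule] = {}

    def add(self, rule: Rule) -> None:
        if len(self.rules) >= MAX_RULES_PER_ACL:
            raise ValueError(f"{self.name}: at most {MAX_RULES_PER_ACL} rules")
        if rule.seq in self.rules:   # rules are immutable: remove, then re-add
            raise ValueError(f"{self.name}: seq {rule.seq} already exists")
        if self.kind == "standard" and (rule.proto, rule.dst, rule.sport, rule.dport) != ("ip", "any", None, None):
            raise ValueError("standard ACL rules match on source address only")
        self.rules[rule.seq] = rule

    def applied_rules(self) -> list[Rule]:
        """Only the 256 lowest-numbered rules are applied on an interface."""
        return [self.rules[s] for s in sorted(self.rules)][:MAX_APPLIED_RULES]

    @staticmethod
    def matches(rule: Rule, pkt: Packet) -> bool:
        if rule.proto != "ip" and rule.proto != pkt.proto:
            return False
        if rule.sport is not None and rule.sport != pkt.sport:
            return False
        if rule.dport is not None and rule.dport != pkt.dport:
            return False
        return addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)

    def evaluate(self, pkt: Packet) -> tuple[str, Optional[int]]:
        """Return (action, matching seq); seq is None when nothing matched."""
        for rule in self.applied_rules():      # ascending seq, first match wins
            if self.matches(rule, pkt):
                return rule.action, rule.seq
        return "deny", None                    # no match or no rules: ingress denied


def demo() -> dict:
    """Constructed scenarios; returns every decision so it can be inspected."""
    out = {}
    out["empty"] = IpAcl("empty4", "standard").evaluate(Packet("10.1.1.10", "10.9.9.9"))

    std = IpAcl("mgmt-std", "standard")
    std.add(Rule(10, "permit", "host 10.1.1.10"))
    std.add(Rule(20, "deny", "10.1.1.0/24"))
    out["std_host"] = std.evaluate(Packet("10.1.1.10", "10.9.9.9"))
    out["std_subnet"] = std.evaluate(Packet("10.1.1.11", "10.9.9.9"))
    out["std_other"] = std.evaluate(Packet("192.168.1.1", "10.9.9.9"))

    ext = IpAcl("ssh-only", "extended")
    ext.add(Rule(10, "permit", "any", "tcp", "host 10.1.1.1", dport=22))
    ext.add(Rule(20, "deny", "any", "ip", "any"))
    out["ext_ssh"] = ext.evaluate(Packet("172.16.0.5", "10.1.1.1", "tcp", 51000, 22))
    out["ext_udp"] = ext.evaluate(Packet("172.16.0.5", "10.1.1.1", "udp", 51000, 22))

    # A permit at seq 3000 behind 256 deny rules is never applied, so the packet is
    # denied without matching any rule; moving it below the cap makes it effective.
    big = IpAcl("too-long", "standard")
    for i in range(MAX_APPLIED_RULES):
        big.add(Rule(10 * (i + 1), "deny", f"10.0.{i}.0/24"))
    big.add(Rule(3000, "permit", "host 172.16.0.1"))
    out["applied_count"] = len(big.applied_rules())
    out["late_permit"] = big.evaluate(Packet("172.16.0.1", "10.9.9.9"))
    big.add(Rule(5, "permit", "host 172.16.0.1"))
    out["early_permit"] = big.evaluate(Packet("172.16.0.1", "10.9.9.9"))
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14} {decision}")
```

The "too-long" scenario is the operational trap worth checking for on a real switch: an ACL can hold up to 2048 rules without any configuration error, yet a rule whose sequence number falls outside the 256 lowest-numbered entries silently has no effect once the ACL is bound to an interface.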

NOTE
If an IP ACL is applied to a VE interface, both routed traffic and VLAN-switched traffic are filtered by the
ACL, regardless of whether the VE interface is in the "shutdown" or "no shutdown" state.

IP ACL parameters

The following lists the parameters and their definitions for IP ACLs.

NOTE
For Network OS 3.0 and later, on the Brocade VDX 67xx series, the only supported port-matching parameter
for Extended IP ACL rules is the eq parameter.

IP ACLs

462

Network OS Administrator’s Guide

53-1003225-04
