Rebinding of IP broadcast ACL CAM entries, IP receive ACLs, Warning message for rebinding IP broadcast ACL – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


146   Multi-Service IronWare Security Configuration Guide   53-1003035-02

IP receive ACLs   3

Rebinding of IP broadcast ACL CAM entries

To rebind IP broadcast ACL CAM entries, enter the following command.

Brocade(config)# ip rebind-subnet-broadcast-acl

Syntax: [no] ip rebind-subnet-broadcast-acl

The no option is used to disable rebinding of IP broadcast ACL CAM entries.

NOTE

The ip rebind-subnet-broadcast-acl command is applicable only for Brocade NetIron XMR and
Brocade MLX series devices. For Brocade NetIron CES and Brocade NetIron CER devices, rebinding
of an IP broadcast ACL is done using the ip rebind-acl all command.

Warning message for rebinding IP broadcast ACL

When binding an IP broadcast ACL globally or at the IP interface level, if you make a configuration
change to the default VRF by adding or deleting the IP address from an interface, the following
warning message is triggered asking you to rebind the IP broadcast ACL.

Warning: IP Address configuration change detected, rebind IP subnet broadcast ACLs to update the CAM

The warning message is not triggered if you make an ACL configuration change to the default VRF
by adding, deleting, or modifying the ACL definition.

IP receive ACLs

The IP receive access-control list feature (rACL) provides hardware-based filtering capability for IPv4
traffic destined for the CPU in the default VRF such as management traffic. Its purpose is to protect
the management module’s CPU from overloading due to large amounts of traffic sent to one of the
Brocade device’s IP interfaces. Using the rACL command, the specified ACL is applied to every
interface on the Brocade device. This eliminates the need to add an ACL to each interface on a
Brocade device.

The rACL feature is configured by creating an ACL to filter traffic and then specifying that ACL in the
rACL command. This applies the ACL to all interfaces on the device. The destination IP address in
an ACL specified by the rACL command is interpreted to apply to all interfaces in the default VRF of
the device. This is implemented by programming an ACL entry in CAM that applies the ACL clause
for each interface.

For example, suppose the following three interfaces are defined on a device:

loopback 1 = 10.2.2.2

ethernet 4/1 = 10.10.10.1

virtual ethernet interface 1 = 10.10.20.1

The access list defined in the following command denies ICMP traffic from host 10.1.1.1 to each of
the defined interfaces.

Brocade(config)# access-list 170 deny icmp host 10.1.1.1 any

The ACL CAM would then be programmed with the following three entries:
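The guide's own listing of those entries continues on its next page. As an added illustration that is not part of the guide, the Python model below reproduces the expansion the text describes: the single rACL clause, whose destination is `any`, is turned into one CAM entry per interface address in the default VRF, and constructed sample packets are then checked against those entries. The interface names and addresses and ACL 170 are the ones shown above; the packet to 10.10.30.1 is a constructed transit address that belongs to no interface, and the clause-parsing and matching functions are this example's own simplification, not Brocade's CAM format.

```python
"""Model of IP receive ACL (rACL) CAM expansion, added as an illustration.

The model mirrors the guide's description: the destination of an rACL clause is
interpreted as "every interface address in the default VRF", so the device
programs one CAM entry per interface. Nothing here is Brocade's own code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Interfaces from the guide's example (default VRF).
INTERFACES: Dict[str, str] = {
    "loopback 1": "10.2.2.2",
    "ethernet 4/1": "10.10.10.1",
    "virtual ethernet interface 1": "10.10.20.1",
}


@dataclass(frozen=True)
class AclEntry:
    action: str    # "deny" or "permit"
    protocol: str  # "icmp", "tcp", "udp", or "ip" (any IP protocol)
    src: str       # "any" or a host IPv4 address
    dst: str       # "any" or a host IPv4 address


def _take_addr(tokens: List[str]):
    """Consume 'any' or 'host <ip>' from the token list (simplified ACL grammar)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address specifier: {tokens[0]}")


def parse_clause(text: str) -> AclEntry:
    """Parse a clause such as 'deny icmp host 10.1.1.1 any' (simplified)."""
    tokens = text.split()
    action, protocol = tokens[0], tokens[1]
    src, rest = _take_addr(tokens[2:])
    dst, _ = _take_addr(rest)
    return AclEntry(action, protocol, src, dst)


def expand_racl(entry: AclEntry, interfaces: Dict[str, str]) -> List[AclEntry]:
    """Expand one rACL clause into one CAM entry per default-VRF interface address.

    The clause's destination is replaced by each interface address, which is how
    the guide says the rACL is applied to every interface without per-interface
    configuration.
    """
    return [AclEntry(entry.action, entry.protocol, entry.src, ip)
            for ip in interfaces.values()]


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def _proto_match(spec: str, proto: str) -> bool:
    return spec == "ip" or spec == proto


def evaluate(cam: List[AclEntry], packet: Dict[str, str]) -> Optional[str]:
    """Return the action of the first matching CAM entry, or None if none matches.

    None means no rACL entry applied; in particular, transit traffic to an address
    that is not an interface of the device never hits these entries. How the
    device treats CPU-bound traffic that matches no clause is outside this model.
    """
    for entry in cam:
        if (_proto_match(entry.protocol, packet["proto"])
                and _addr_match(entry.src, packet["src"])
                and _addr_match(entry.dst, packet["dst"])):
            return entry.action
    return None


# The guide's clause for access-list 170, expanded into three CAM entries.
RACL_170 = parse_clause("deny icmp host 10.1.1.1 any")
CAM = expand_racl(RACL_170, INTERFACES)

# Constructed sample packets (not from the guide).
PKT_ICMP_TO_ETH = {"proto": "icmp", "src": "10.1.1.1", "dst": "10.10.10.1"}
PKT_ICMP_TRANSIT = {"proto": "icmp", "src": "10.1.1.1", "dst": "10.10.30.1"}
PKT_TCP_TO_LOOPBACK = {"proto": "tcp", "src": "10.1.1.1", "dst": "10.2.2.2"}

if __name__ == "__main__":
    for e in CAM:
        print(f"{e.action} {e.protocol} host {e.src} host {e.dst}")
    for name, pkt in [("icmp to ethernet 4/1", PKT_ICMP_TO_ETH),
                      ("icmp to transit address", PKT_ICMP_TRANSIT),
                      ("tcp to loopback 1", PKT_TCP_TO_LOOPBACK)]:
        print(f"{name}: {evaluate(CAM, pkt)}")
```

Running the script prints the three expanded entries (one per interface address) and shows that ICMP from 10.1.1.1 to an interface address is denied, while the same ICMP to a non-interface address and a TCP packet to the loopback match no rACL entry at all, which is the point of the feature: it filters only traffic addressed to the device's own interfaces.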
