Router acls, Port acls – Brocade Mobility RFS7000-GR Controller System Reference Guide (Supporting software release 4.1.0.0-040GR and later) User Manual

53-1001944-01

6 Configuring firewalls and access control lists

Router ACLs

Router ACLs are applied to Layer 3 or VLAN interfaces. If an ACL is already applied in a particular
direction on an interface, applying a new one replaces the existing ACL. Router ACLs are
applicable only if the switch acts as a gateway, and they apply to inbound traffic only.

The switch supports two types of Router ACLs:

• Standard IP ACL—Uses the source IP address as matching criteria.

• Extended IP ACL—Uses the source IP address, destination IP address and IP protocol type as
basic matching criteria. It can also include other parameters specific to a protocol type (like
source and destination port for TCP/UDP protocols).

Router ACLs are stateful, so ACL rules are not evaluated for every packet routed through the switch.
Whenever a packet is received on a Layer 3 interface, it is first checked against existing sessions to
determine whether it belongs to an established session. ACLs are applied to the packet as follows:

1. If the packet matches an existing session, it is not matched against ACL rules; the session
decides where to send the packet.

2. If no existing session matches the packet, it is matched against ACL rules to determine whether
to accept or reject it. If the ACL rules accept the packet, a new session is created and all further
packets belonging to that session are allowed. If the ACL rules reject the packet, no session is
established.

A session is computed based on the following fields:

• Source IP address

• Destination IP address

• Source port

• Destination port

• ICMP identifier

• Incoming interface index

• IP protocol

NOTE

Port and router ACLs can be applied only in the inbound direction. WLAN ACLs can be applied in
both the inbound and the outbound direction.

Each session has a default idle time-out interval. If no packets are received within this interval, the
session is terminated and a new session must be initiated. These intervals are fixed and cannot be
configured by the user.

The default idle time-out intervals for the different session types are:

• ICMP and UDP sessions—30 seconds

• TCP sessions—2 hours
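The stateful lookup and the idle time-outs described above, as an added illustration that is not code from the guide or from the RFS7000-GR firmware: a Python simulation keyed on the seven session fields, with constructed Extended IP ACL entries and constructed traffic (the 10.0.0.0/24 and 192.168.1.10 addresses are assumptions). The two packets sent after all permit rules are withdrawn show what step 1 implies for a defender: a session that is still alive keeps passing packets without consulting the ACL until it idles out, which for TCP can be up to 2 hours.

```python
import ipaddress
from collections import namedtuple

# Fixed idle time-outs from the guide: ICMP/UDP 30 seconds, TCP 2 hours.
IDLE_TIMEOUT = {"tcp": 7200, "udp": 30, "icmp": 30}

# The seven fields the guide says a session is computed from; ports and the ICMP
# identifier default to 0 when they do not apply, ifindex is the incoming interface.
Packet = namedtuple("Packet", "src dst proto sport dport icmp_id ifindex",
                    defaults=(0, 0, 0, 1))

def extended_rule(action, proto, src_prefix, dport):
    """Extended IP ACL entry: protocol, source prefix and destination port."""
    net = ipaddress.ip_network(src_prefix)
    return (action, lambda p: p.proto == proto and p.dport == dport
            and ipaddress.ip_address(p.src) in net)

class StatefulRouterAcl:
    def __init__(self, rules):
        self.rules = rules   # ordered (action, match) pairs; implicit deny at the end
        self.sessions = {}   # session tuple -> time the last packet was seen

    def handle(self, p, now):
        last = self.sessions.get(p)
        if last is not None:
            # Step 1: the packet belongs to a live session, so ACL rules are skipped.
            if now - last <= IDLE_TIMEOUT[p.proto]:
                self.sessions[p] = now
                return "permit-session"
            del self.sessions[p]   # idle time-out: the session is terminated
        # Step 2: no session, so the ACL decides; only a permit creates a session.
        if next((a for a, m in self.rules if m(p)), "deny") == "permit":
            self.sessions[p] = now
            return "permit-acl"
        return "deny"

def demo():
    """Constructed traffic from 10.0.0.0/24: SSH and DNS permitted, telnet denied."""
    acl = StatefulRouterAcl([extended_rule("permit", "tcp", "10.0.0.0/24", 22),
                             extended_rule("permit", "udp", "10.0.0.0/24", 53)])
    ssh = Packet("10.0.0.5", "192.168.1.10", "tcp", 40000, 22)
    dns = Packet("10.0.0.5", "192.168.1.10", "udp", 5000, 53)
    telnet = Packet("10.0.0.5", "192.168.1.10", "tcp", 40001, 23)
    out = [acl.handle(ssh, 0), acl.handle(dns, 0), acl.handle(telnet, 0),
           acl.handle(ssh, 3600), acl.handle(dns, 31)]
    acl.rules = []   # withdraw every permit: a live session still bypasses the ACL
    return out + [acl.handle(ssh, 3700), acl.handle(dns, 70)]
```

The UDP flow is re-evaluated (and now denied) after its 30-second idle gap, while the TCP flow keeps passing on its existing session.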

Port ACLs

The switch supports Port ACLs on physical interfaces, for inbound traffic only. The following Port
ACLs are supported:

• Standard IP ACL—Uses a source IP address as matching criteria.
