ACL overview – Brocade Communications Systems Brocade ICX 6650 User Manual


82    Brocade ICX 6650 Security Configuration Guide    53-1002601-01

ACL overview

This chapter describes how Access Control Lists (ACLs) are implemented and configured in the
Brocade devices.

NOTE
For information about IPv6 ACLs, refer to Chapter 4, “IPv6 ACLs”.

ACL overview

Brocade devices support rule-based ACLs (sometimes called hardware-based ACLs), where the
decisions to permit or deny packets are processed in hardware and all permitted packets are
switched or routed in hardware. All denied packets are also dropped in hardware. Brocade ICX
6650 devices support both inbound and outbound ACLs. The ACL features supported on inbound
and outbound traffic are listed in Table 15 and Table 16 respectively and discussed in more
detail in the rest of this chapter.

Brocade ICX 6650 devices do not support flow-based ACLs.

Rule-based ACLs program the ACL entries you assign to an interface into Content Addressable
Memory (CAM) space allocated for the ports. The ACLs are programmed into hardware at startup
(or as new ACLs are entered and bound to ports). Devices that use rule-based ACLs program the
ACLs into the CAM entries and use these entries to permit or deny packets in the hardware, without
sending the packets to the CPU for processing.
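The paragraph above describes what the hardware does with the entries bound to a port: each packet is checked against the ordered entries and permitted or denied without the CPU seeing it. The following is an added software model of that evaluation, written for this page and not Brocade code; it assumes the usual ACL semantics (entries are checked in order, the first match decides, and a packet that matches no entry is denied) and also models four features that Table 16 lists as supported: ACL comment text stored with an entry, filtering on IP precedence, a strict versus relaxed rule for non-initial fragments, and per-entry hit counters in place of hardware usage statistics. The addresses, entry names and the exact fragment rule are constructed assumptions of the model, not values from the guide.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Fields of a packet that this model's ACL entries can inspect."""
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None  # None when there is no L4 header to read
    precedence: int = 0          # IP precedence (top 3 bits of the ToS byte)
    fragment: bool = False       # True for a non-initial IP fragment


@dataclass
class Entry:
    """One ACL entry, the model's stand-in for a programmed CAM row."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None
    precedence: Optional[int] = None
    comment: str = ""            # ACL comment text kept with the entry
    hits: int = 0                # stands in for hardware usage statistics

    def matches(self, pkt: Packet, strict_fragments: bool) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if IPv4Address(pkt.src) not in self.src or IPv4Address(pkt.dst) not in self.dst:
            return False
        if self.precedence is not None and self.precedence != pkt.precedence:
            return False
        if self.dport is not None:
            if pkt.fragment:
                # A non-initial fragment carries no L4 header. Assumed model:
                # relaxed mode lets the L3 part of a port entry match it,
                # strict mode refuses, so the fragment falls through to the
                # next entry or to the implicit deny.
                return not strict_fragments
            return pkt.dport == self.dport
        return True


class Acl:
    """Ordered entries bound to an interface: first match wins, implicit deny at the end."""

    def __init__(self, name: str, entries: List[Entry], strict_fragments: bool = False):
        self.name = name
        self.entries = entries
        self.strict_fragments = strict_fragments
        self.implicit_deny_hits = 0

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, index of the matching entry); index None means implicit deny."""
        for idx, entry in enumerate(self.entries):
            if entry.matches(pkt, self.strict_fragments):
                entry.hits += 1
                return entry.action, idx
        self.implicit_deny_hits += 1
        return "deny", None

    def statistics(self) -> List[Tuple[int, str, int]]:
        """(index, comment, hit count) per entry, like a hardware counter display."""
        return [(i, e.comment, e.hits) for i, e in enumerate(self.entries)]


def build_sample_acl(strict_fragments: bool) -> Acl:
    """Constructed sample ACL with hypothetical addresses (not from the guide)."""
    return Acl("dmz-in", [
        Entry("permit", "tcp", IPv4Network("10.1.1.0/24"), IPv4Network("192.0.2.0/24"),
              dport=443, comment="office to DMZ web"),
        Entry("deny", "ip", IPv4Network("10.1.1.0/24"), IPv4Network("192.0.2.0/24"),
              comment="office to DMZ, everything else"),
        Entry("permit", "ip", IPv4Network("10.1.1.0/24"), IPv4Network("0.0.0.0/0"),
              comment="office to elsewhere"),
    ], strict_fragments)


SAMPLE_PACKETS = [  # constructed traffic, not captured data
    Packet("tcp", "10.1.1.5", "192.0.2.10", dport=443),
    Packet("tcp", "10.1.1.5", "192.0.2.10", dport=22),
    Packet("tcp", "10.1.1.5", "192.0.2.10", fragment=True),
    Packet("udp", "10.1.1.5", "203.0.113.7", dport=53),
    Packet("udp", "172.16.0.9", "203.0.113.7", dport=53),
]


def sample_decisions(strict_fragments: bool) -> List[Tuple[str, Optional[int]]]:
    """Run the sample packets through a fresh sample ACL and return each decision."""
    acl = build_sample_acl(strict_fragments)
    return [acl.evaluate(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for strict in (False, True):
        acl = build_sample_acl(strict)
        for p in SAMPLE_PACKETS:
            print("strict" if strict else "relaxed", p.proto, p.src, "->", p.dst, acl.evaluate(p))
        print(acl.statistics(), "implicit deny hits:", acl.implicit_deny_hits)
```

The third sample packet shows why the fragment setting matters for a reviewer of an ACL: in relaxed mode the non-initial fragment is permitted by the port entry even though no port can be read from it, while in strict mode it falls through to the broader deny entry. The hit counters give the same visibility a hardware usage statistic does, namely which entries actually carry traffic and how often the implicit deny is reached.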

Rule-based ACLs are supported on the following interface types:

- Gbps Ethernet ports
- 10 Gbps Ethernet ports
- Trunk groups

TABLE 16    Supported ACL features on outbound traffic (Continued)

Feature                                               Brocade ICX 6650
-----------------------------------------------------------------------
Extended named and numbered ACLs                      Yes
User input preservation for ACL TCP/UDP port numbers  Yes
ACL comment text                                      Yes
Strict control of ACL filtering of fragmented packets Yes
ACL support for switched traffic in the router image  Yes
                                                      NOTE: This feature is enabled by default for
                                                      outbound ACLs on platforms that support
                                                      outbound ACLs. There is no CLI command to
                                                      enable or disable it.
Filtering on IP precedence and ToS value              Yes
QoS options for IP ACLs                               Yes
Hardware usage statistics                             Yes
