How hardware-based ACLs work; How fragmented packets are processed; Hardware aging of Layer 4 CAM entries; Configuration considerations (Dell PowerConnect B-Series FCX Configuration Guide)
How hardware-based ACLs work

When you bind an ACL to inbound traffic on an interface, the device programs the Layer 4 CAM with the ACL. Both permit and deny rules are programmed. Most ACL rules require one Layer 4 CAM entry; ACL rules that match on more than one TCP or UDP application port may require several CAM entries. The Layer 4 CAM entries for ACLs do not age out; they remain in the CAM until you remove the ACL. Packets received on the interface are then handled as follows:

• If a packet received on the interface matches an ACL rule in the Layer 4 CAM, the device permits or denies the packet according to the ACL.
• If a packet does not match any ACL rule, the packet is dropped, since the default action on an interface that has ACLs is to deny the packet (the implicit deny at the end of the ACL).
• The first fragment of a packet is permitted or denied using the ACLs. The first fragment is handled the same way as a non-fragmented packet, since it contains the Layer 4 source and destination application port numbers. The device uses the Layer 4 CAM entry if one is programmed, or applies the interface's ACL entries to the packet and permits or denies it according to the first matching rule.
• The other fragments of the same packet are subject to a rule only if there is no Layer 4 information in that rule or in any preceding rule.

How fragmented packets are processed

The descriptions above apply to non-fragmented packets. The default processing of fragments by hardware-based ACLs is as follows: the fragments are forwarded even if the first fragment, which contains the Layer 4 information, was denied. Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be completed without the entire packet. Note the consequence for filtering: a deny rule keyed on a TCP or UDP port cannot match a non-initial fragment, because that fragment carries no Layer 4 header, so such fragments reach the destination host and are only discarded there when the first fragment never arrives. For tighter control, you can configure the port to drop all packet fragments. Refer to "Enabling strict control of ACL filtering of fragmented packets" on page 572.

Hardware aging of Layer 4 CAM entries

Rule-based ACLs use Layer 4 CAM entries. The device programs rule-based ACLs into the CAM permanently; the entries never age out.

Configuration considerations

• PowerConnect devices support inbound ACLs only. Outbound ACLs are not supported.
• Hardware-based ACLs are supported on:
  - Gbps Ethernet ports
  - 10 Gbps Ethernet ports
  - Trunk groups
  - Virtual routing interfaces

PowerConnect B-Series FCX Configuration Guide, 53-1002266-01, page 550
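The matching and fragment-handling behaviour described in the sections above, modelled as an added example (Python written for this page, not code from the PowerConnect guide or from the switch firmware). The Rule and Packet structures, apply_acl, the drop_all_fragments flag standing in for the port-level "drop all fragments" setting, and the sample ACLs and packets are assumptions of this example; treating the implicit deny at the end of the ACL as a rule with no Layer 4 information is this example's reading of the bullets above.

```python
"""Model of the hardware ACL matching and fragment-handling rules described in
this section. Added example for illustration; it is not code from the
PowerConnect guide or from the switch firmware. The Rule/Packet fields, the
helper names and the sample ACLs and packets are assumptions of this example."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None  # "tcp", "udp", "icmp", ...; None matches any protocol
    src: Optional[str] = None    # source address; None = any
    dst: Optional[str] = None    # destination address; None = any
    sport: Optional[int] = None  # Layer 4 source port; None = any
    dport: Optional[int] = None  # Layer 4 destination port; None = any

    @property
    def has_l4_info(self) -> bool:
        """True if the rule matches on TCP/UDP application ports."""
        return self.sport is not None or self.dport is not None


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None  # present only in unfragmented packets and first fragments
    dport: Optional[int] = None
    frag_offset: int = 0         # > 0 marks a non-initial fragment (no Layer 4 header)
    more_fragments: bool = False  # informational; a first fragment is evaluated like a whole packet

    @property
    def is_non_initial_fragment(self) -> bool:
        return self.frag_offset > 0


def _l3_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or rule.src == pkt.src)
            and (rule.dst is None or rule.dst == pkt.dst))


def _l4_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport))


def apply_acl(acl: List[Rule], pkt: Packet, drop_all_fragments: bool = False) -> str:
    """Return "permit" or "deny" for pkt under an inbound ACL bound to the interface.

    Unfragmented packets and first fragments are evaluated against the full rule
    list, first match wins, and a packet matching no rule hits the implicit deny.
    A non-initial fragment carries no ports, so it is subject to a rule only when
    neither that rule nor any preceding rule carries Layer 4 information; once a
    rule with Layer 4 information is reached the fragment is forwarded (the
    default behaviour), unless the port is configured to drop all fragments.
    """
    if pkt.is_non_initial_fragment:
        if drop_all_fragments:
            return "deny"  # strict mode: every non-initial fragment is dropped
        for rule in acl:
            if rule.has_l4_info:
                return "permit"  # cannot be evaluated against the fragment: forwarded
            if _l3_matches(rule, pkt):
                return rule.action
        return "deny"  # implicit deny: no Layer 4 rule preceded it, so it applies
    for rule in acl:
        if _l3_matches(rule, pkt) and _l4_matches(rule, pkt):
            return rule.action
    return "deny"  # implicit deny at the end of every ACL


# Constructed sample ACL: block Telnet, allow everything else.
BLOCK_TELNET = [
    Rule("deny", proto="tcp", dport=23),
    Rule("permit"),
]

# Constructed sample ACL: a Layer 3 deny precedes the Layer 4 rule.
BLOCK_HOST_THEN_TELNET = [
    Rule("deny", src="10.0.0.5"),
    Rule("deny", proto="tcp", dport=23),
    Rule("permit"),
]


def fragment_bypass_demo() -> dict:
    """Show how a non-initial fragment slips past a port-based deny (constructed traffic)."""
    telnet = Packet("tcp", "10.0.0.9", "10.0.1.1", sport=40000, dport=23)
    first_frag = Packet("tcp", "10.0.0.9", "10.0.1.1", sport=40000, dport=23, more_fragments=True)
    later_frag = Packet("tcp", "10.0.0.9", "10.0.1.1", frag_offset=1480)
    return {
        "telnet_syn": apply_acl(BLOCK_TELNET, telnet),
        "first_fragment": apply_acl(BLOCK_TELNET, first_frag),
        "later_fragment": apply_acl(BLOCK_TELNET, later_frag),
        "later_fragment_strict": apply_acl(BLOCK_TELNET, later_frag, drop_all_fragments=True),
        "l3_deny_still_applies": apply_acl(
            BLOCK_HOST_THEN_TELNET, Packet("tcp", "10.0.0.5", "10.0.1.1", frag_offset=1480)),
    }


if __name__ == "__main__":
    for name, verdict in fragment_bypass_demo().items():
        print(f"{name:24s} {verdict}")
```

The "later_fragment" verdict is the security-relevant line: the port-based deny stops the first fragment but not the rest of the datagram, so a filter that must also hold back fragments needs either the strict drop-all-fragments setting or a Layer 3 deny placed ahead of any rule that carries Layer 4 information.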