Layer 2 ACLs
This chapter presents information to configure and view Layer 2 ACLs.
Layer 2 Access Control Lists (ACLs) filter incoming traffic based on Layer 2 MAC header fields in the
Ethernet/IEEE 802.3 frame. Specifically, Layer 2 ACLs filter incoming traffic based on any of the
following Layer 2 fields in the MAC header:
•
•
•
•
The Layer 2 ACL feature is unique to Brocade devices and differs from software-based MAC
address filters. MAC address filters use the CPU to filter traffic; therefore, performance is limited by
the CPU's processing power. Layer 2 ACLs filter traffic at line-rate speed.
Filtering based on ethertype
Layer 2 ACLs can filter traffic based on protocol type. For each Layer 2 ACL etype entry bound to a
port, a CAM entry is written to the corresponding CAM. You can conserve CAM space by configuring
only the Layer 2 ACLs needed. For instance, to filter only IPV4-Len-5 traffic, specify that particular
etype. This results in one CAM entry. Configuration examples are provided in the section
"Configuring Layer 2 ACLs"
You can configure Layer 2 ACLs to use the etype argument to filter on the following etypes:
•
•
•
Configuration rules and notes
•
•
•
•
•
•
BigIron RX Series Configuration Guide
53-1001986-01
Source MAC address and source MAC mask
Destination MAC address and destination MAC mask
VLAN ID
Ethernet type
on page 510
IPv4-Len-5 (Etype=0x0800, IPv4, HeaderLen 20 bytes)
ARP (Etype=0x0806, IP ARP)
IPv6 (Etype=0x86dd, IP version 6)
You cannot bind Layer 2 ACLs and IP ACLs to the same port. However, you can configure one
port on the device to use Layer 2 ACLs and another port on the same device to use IP ACLs.
You cannot bind a Layer 2 ACL to a virtual interface.
The Layer 2 ACL feature cannot perform SNAP and LLC encapsulation type comparisons.
BigIron RX processes ACLs in hardware.
You can use Layer 2 ACLs to block management access to the BigIron RX. For example, you can
use a Layer 2 ACL clause to block a certain host from establishing a connection to the device
through Telnet.
You cannot edit or modify an existing Layer 2 ACL clause. If you want to change the clause, you
must delete it first, then re-enter the new clause.
Chapter
20
509