ACL Configuration Considerations - Brocade Communications Systems ICX 6650 Security Configuration Manual

ACL configuration considerations

Brocade ICX 6650 Security Configuration Guide
53-1002601-01
See "ACL overview" on page 82 for details on which devices support inbound and outbound ACLs.
Hardware-based ACLs are supported on the following devices:
- Gbps Ethernet ports
- 10 Gbps Ethernet ports
- Trunk groups
- Virtual routing interfaces
Inbound ACLs apply to all traffic, including management traffic. By default, outbound ACLs are
not applied to traffic generated by the CPU. This must be enabled using the enable
egress-acl-on-control-traffic command. See "Applying egress ACLs to Control (CPU) traffic" on
page 101 for details.
Hardware-based ACLs support only one ACL per port. The ACL can, of course, contain multiple
entries (rules). For example, hardware-based ACLs do not support ACLs 101 and 102 on port 1,
but they do support ACL 101 containing multiple entries.
For devices that support both, inbound ACLs and outbound ACLs can co-exist. When an
inbound ACL and an outbound ACL are configured on the same port, the outbound ACL is
applied only on outgoing traffic.
ACLs are affected by port regions. Each ACL group must contain one entry for the implicit deny
all IP traffic clause. Also, each ACL group uses a multiple of 8 ACL entries. For example, if all
ACL groups contain 5 ACL entries, you could add 127 ACL groups (1016/8) in that port region. If
all your ACL groups contain 8 ACL entries, you could add 63 ACL groups, since you must
account for the implicit deny entry (8 entries plus the implicit deny is 9, which rounds up to the
next multiple of 8, so each group consumes 16 entries).
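The arithmetic behind these port-region figures, as an added example that is not part of the Brocade guide: it applies the implicit-deny entry and the rounding to blocks of 8 described above, and assumes the usable region size of 1016 entries implied by the guide's own numbers (127 groups of 5 entries, 63 groups of 8 entries).

```python
"""Capacity planning for hardware ACL groups in one port region.

Added example, not from the Brocade guide. The guide states that each ACL
group carries one implicit deny-all entry and is allocated in multiples of
8 hardware entries; the region size of 1016 entries is an assumption
derived from the guide's figures and can be overridden per call.
"""
import math

ENTRY_BLOCK = 8            # allocation granularity stated in the guide
IMPLICIT_DENY_ENTRIES = 1  # the implicit "deny all IP" clause per group
REGION_CAPACITY = 1016     # assumed usable entries per port region


def hardware_entries_per_group(rules: int) -> int:
    """Hardware entries consumed by an ACL with `rules` explicit entries,
    including the implicit deny and rounding up to a block of 8."""
    if rules < 0:
        raise ValueError("rule count cannot be negative")
    needed = rules + IMPLICIT_DENY_ENTRIES
    return math.ceil(needed / ENTRY_BLOCK) * ENTRY_BLOCK


def groups_per_region(rules: int, capacity: int = REGION_CAPACITY) -> int:
    """How many ACL groups of `rules` entries each fit in one port region."""
    return capacity // hardware_entries_per_group(rules)


def largest_acl_without_extra_block(rules: int) -> int:
    """Largest rule count that costs the same hardware as `rules`; one more
    rule than this forces the group into another block of 8 entries."""
    return hardware_entries_per_group(rules) - IMPLICIT_DENY_ENTRIES


if __name__ == "__main__":
    # Shows the cliff at 7 and 15 rules, where one extra rule halves
    # (or, at 16 rules, further reduces) the groups that fit per region.
    for n in (5, 7, 8, 15, 16):
        print(f"{n:2d} rules -> {hardware_entries_per_group(n):2d} hw entries, "
              f"{groups_per_region(n):3d} groups/region")
```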
By default, the first fragment of a fragmented packet received by the Brocade device is
permitted or denied using the ACLs, but subsequent fragments of the same packet are
forwarded in hardware. Generally, denying the first fragment of a packet is sufficient, since a
transaction cannot be completed without the entire packet.
ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP
Inspection (DAI) are enabled. Also, IP source guard and ACLs are supported together on the
same port, as long as both features are configured at the port-level or per-port-per-VLAN level.
Brocade ports do not support IP source guard and ACLs on the same port if one is configured
at the port-level and the other is configured at the per-port-per-VLAN level.
Ingress MAC filters can be applied to the same port as an outbound ACL.
A DOS attack configuration on a port will only apply on the ingress traffic.
Outbound ACLs cannot be configured through a RADIUS server as dynamic or user-based ACLs.
However, outbound ACLs can still be configured with MAC-AUTH/DOT1X enabled, as the two are
configured in different directions.
The following ACL features and options are not supported on the Brocade ICX 6650 devices:
- Applying an ACL on a device that has Super Aggregated VLANs (SAVs) enabled.
- ACL logging of permitted packets. ACL logging is supported for packets that are sent to the CPU for processing (denied packets) for inbound traffic. ACL logging is not supported for packets that are processed in hardware (permitted packets).
- Flow-based ACLs
- Layer 2 ACLs