Brocade Communications Systems ServerIron ADX 12.4.00 Service Manual Page 74
- Page / 149
- Table of contents
- BOOKMARKS
Rated. / 5. Based on customer reviews
62 ServerIron ADX NAT64 Configuration Guide
53-1002444-02
How ServerIron ADX ADX processes ACLs
5
DRAFT: BROCADE CONFIDENTIAL
• If both the fragment’s source and destination addresses do not exactly match an ACL
entry, the device skips the ACL entry and compares the packet to the next ACL entry.
This is true even if either the source or destination address (but not both) does exactly
match an ACL entry.
• If the source and destination addresses do not exactly match any ACL entry on the
applicable interface, the device drops the fragment.
NOTE
By default, 10 Gigabit Ethernet modules also forward the first fragment instead of using the
ACLs to permit or deny the fragment.
You can modify the handling of denied fragments. In addition, you can throttle the fragment rate on
an interface that used rule-based ACLs. Refer to “Dropping all fragments that exactly match a
flow-based ACL” on page 85 and “Enabling ACL filtering of fragmented packets” on page 86.
Default ACL action
The default action when no ACLs are configured on a device is to permit all traffic. However, once
you configure an ACL and apply it to a port, the default action for that port is to deny all traffic that
is not explicitly permitted on the port:
• If you want to tightly control access, configure ACLs consisting of permit entries for the access
you want to permit. The ACLs implicitly deny all other access.
• If you want to secure access in environments with many users, you might want to configure
ACLs that consist of explicit deny entries, then add an entry to permit all access to the end of
each ACL. The software permits packets that are not denied by the deny entries.
ACL IDs and entries
ACLs consist of ACL IDs and ACL entries:
• ACL ID: An ACL ID is a number from 1 through 99 (for a standard ACL) or 100 through 199 (for
an extended ACL) or a character string. The ACL ID identifies a collection of individual ACL
entries. When you apply ACL entries to an interface, you do so by applying the ACL ID that
contains the ACL entries to the interface, instead of applying the individual entries to the
interface. This makes applying large groups of access filters (ACL entries) to interfaces simple.
NOTE
This is different from IP access policies. If you use IP access policies, you apply the individual
policies to interfaces.
• ACL entry: An ACL entry are the filter commands associated with an ACL ID. These are also
called statements. The maximum number of ACL entries you can configure is a system-wide
parameter and depends on the device you are configuring. You can configure up to the
maximum number of entries in any combination in different ACLs. The total number of entries
in all ACLs cannot exceed the system maximum.
Layer 3 switch code on devices can support up to 8192 ACL entries.
- ServerIron ADX 1
- Document History 2
- Contents 3
- About This Document 9
- Command syntax conventions 10
- Notice to the reader 11
- Related publications 11
- Getting technical help 11
- NAT64 and NAT46 Overview 13
- Stateless NAT46 translation 14
- Protocol support 15
- NAT64 fragmentation support 17
- References 18
- Stateful NAT64 Configuration 19
- Operation of stateful NAT64 20
- 53-1002444-02 23
- Enabling connection logging 28
- Displaying NAT64 information 31
- Displaying NAT64 translations 32
- Displaying NAT64 statistics 33
- Displaying NAT64 resources 37
- Stateless NAT64 Configuration 39
- Operation of stateless NAT64 40
- High availability for NAT64 52
- Clearing NAT64 information 53
- Stateless NAT46 Configuration 55
- Operation of stateless NAT46 56
- High availability for NAT46 67
- Displaying NAT46 information 68
- Clearing NAT46 information 69
- Access Control Lists 71
- Rule-based ACLs 72
- Default ACL action 74
- ACL IDs and entries 74
- Configuring rule-based ACLs 77
- Modifying rule-based ACLs 85
- Reordering ACLs 86
- Applying ACLs to interfaces 87
- Adding comments to named ACLs 89
- ACL logging 94
- Displaying ACL log entries 95
- Clearing the ACL statistics 97
- Throttling the fragment rate 98
- DRAFT: BROCADE CONFIDENTIAL 100
- Enabling strict TCP mode 101
- Enabling strict UDP mode 102
- ACLs and ICMP 103
- Numbered ACLs 104
- Named ACLs 105
- • Enable the strict TCP mode 107
- IPv6 Access Control Lists 109
- Configuration notes 110
- Processing of IPv6 ACLs 110
- Configuring IPv6 ACLs 111
- IPv6 ACL syntax 114
- Syntax Description 116
- Displaying IPv6 ACLs 118
- Logging IPv6 ACLs 119
- Network Address Translation 121
- Configuring NAT 122
- Configuring static NAT 123
- Configuring dynamic NAT 123
- Enabling IP NAT 124
- NAT configuration examples 125
- IP NAT with VIP overlap 129
- Translation timeouts 130
- Stateless static IP NAT 132
- IP NAT redundancy 133
- Displaying NAT information 144
- Displaying NAT translation 147
- Displaying VRRPE information 148
Related products and manuals for Network switches Brocade Communications Systems ServerIron ADX 12.4.00
(16 pages)
(82 pages)© 2020, manymanuals.com. All rights reserved. | 0.416 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comments to this Manuals