Brocade Communications Systems 12.4.00a Manual De Usuario
52
ServerIron ADX Security Guide
53-1002440-03
Types of IP ACLs
2
•
If you want to secure access in environments with many users, you might want to configure
ACLs that consist of explicit deny entries, then add an entry to permit all access to the end of
each ACL. The software permits packets that are not denied by the deny entries.
ACLs that consist of explicit deny entries, then add an entry to permit all access to the end of
each ACL. The software permits packets that are not denied by the deny entries.
Types of IP ACLs
Rule-based ACLs can be configured as standard or extended ACLs. A standard ACL permits or
denies packets based on source IP address. An extended ACL permits or denies packets based on
source and destination IP address and also based on IP protocol information.
denies packets based on source IP address. An extended ACL permits or denies packets based on
source and destination IP address and also based on IP protocol information.
Standard or extended ACLs can be numbered or named. Standard numbered ACLs have an idea of
1 – 99. Extended numbered ACLs are numbered 100 – 199. IDs for standard or extended ACLs can
be a character string. In this document, ACLs with a string ID is called a named ACL.
1 – 99. Extended numbered ACLs are numbered 100 – 199. IDs for standard or extended ACLs can
be a character string. In this document, ACLs with a string ID is called a named ACL.
ACL IDs and entries
ACLs consist of ACL IDs and ACL entries:
•
ACL ID – An ACL ID is a number from 1 – 99 (for a standard ACL) or 100 – 199 (for an extended
ACL) or a character string. The ACL ID identifies a collection of individual ACL entries. When you
apply ACL entries to an interface, you do so by applying the ACL ID that contains the ACL entries
to the interface, instead of applying the individual entries to the interface. This makes applying
large groups of access filters (ACL entries) to interfaces simple.
ACL) or a character string. The ACL ID identifies a collection of individual ACL entries. When you
apply ACL entries to an interface, you do so by applying the ACL ID that contains the ACL entries
to the interface, instead of applying the individual entries to the interface. This makes applying
large groups of access filters (ACL entries) to interfaces simple.
NOTE
This is different from IP access policies. If you use IP access policies, you apply the individual
policies to interfaces.
policies to interfaces.
•
ACL entry – An ACL entry are the filter commands associated with an ACL ID. These are also
called “statements”. The maximum number of ACL entries you can configure is a system-wide
parameter and depends on the device you are configuring. You can configure up to the
maximum number of entries in any combination in different ACLs. The total number of entries
in all ACLs cannot exceed the system maximum.
called “statements”. The maximum number of ACL entries you can configure is a system-wide
parameter and depends on the device you are configuring. You can configure up to the
maximum number of entries in any combination in different ACLs. The total number of entries
in all ACLs cannot exceed the system maximum.
•
Layer 3 switch code on devices can support up to 4096 ACL entries.
You configure ACLs on a global basis, then apply them to the incoming or outgoing traffic on
specific ports. You can apply only one ACL to a port’s inbound traffic and only one ACL to a port’s
outbound traffic. The software applies the entries within an ACL in the order they appear in the
ACL’s configuration. As soon as a match is found, the software takes the action specified in the ACL
entry (permit or deny the packet) and stops further comparison for that packet.
specific ports. You can apply only one ACL to a port’s inbound traffic and only one ACL to a port’s
outbound traffic. The software applies the entries within an ACL in the order they appear in the
ACL’s configuration. As soon as a match is found, the software takes the action specified in the ACL
entry (permit or deny the packet) and stops further comparison for that packet.
Support for up to 4096 ACL entries
You can configure up to 4096 ACL entries on devices that have enough space to hold a
startup-config file that contains the ACLs.
startup-config file that contains the ACLs.
For system-max configuration of 4096 ACL rules, the Ip access-group max-l4-cam parameter must
be set to 4096. To configure the maximum ACL rule limit of 4096 ACL rules, the following must be
set:
be set to 4096. To configure the maximum ACL rule limit of 4096 ACL rules, the following must be
set: