BigIron RX Series Configuration Guide 523
53-1002253-01
Chapter
21
Access Control List
This chapter describes the IP Access Control List (ACL) feature, which enables you to filter traffic
based on the information in the IP packet header. For details on Layer 2 ACLs, refer to “Types of IP
ACLs” on page 524.
You can use IP ACLs to provide input to other features such as route maps, distribution lists, rate
limiting, and BGP. When you use an ACL this way, use permit statements in the ACL to specify the
traffic that you want to send to the other feature. If you use deny statements, the traffic specified
by the deny statements is not supplied to the other feature. Also, if you use an ACL in a route map
and you use a wildcard character as the source IP address, make sure you apply the route map to
interfaces instead of globally, to prevent loops. See the chapters for a specific feature for
information on using ACLs as input to those features.
How the BigIron RX processes ACLs
The BigIron RX processes traffic that ACLs filter in hardware. The device creates an entry for each
ACL in the Content Addressable Memory (CAM) at startup or when the ACL is created. The device
uses these CAM entries to permit or deny packets in the hardware, without sending the packets to
the CPU for processing.
General configuration guidelines
• ACLs are supported on physical interfaces, trunk groups, and virtual routing interfaces.
• ACLs are supported only for inbound traffic. An error message is displayed if you apply an ACL
to an outbound interface.
• You can create up to 416 CAM entries, but you can have up to 8,000 statements (rules) in all
the ACL configurations on the device. Default is 4096 statements.
• A port supports only one IPv4 ACL; However, the ACL can contain multiple statements. For
example, both ACLs 101 and 102 cannot be supported on port 1, but ACL 101 can contain
multiple entries.
• IPv4 and IPv6 ACLs can co-exist on the same interface.
• If you change the content of an ACL (add, change, or delete entries), you must remove and then
reapply the ACL to all the ports that use it. Otherwise, the older version of the ACL remains in
the CAM and continues to be used. You can easily re-apply ACLs using the ip rebind-acl <num>
| <name> | all command. Refer to “Applying ACLs to interfaces” on page 562.
• You cannot enable any of the following features on the interface if an ACL is already applied to
that interface:
• Protection against ICMP or TCP Denial-of-Service (DoS) Attacks
• ACL-based rate limiting
• ACL Logging
• Policy-based routing (PBR)
To Next Page
Loading...
