December 2005 © Foundry Networks, Inc. 12 - 1
Chapter 12
Rule-Based IP Access Control Lists (ACLs)
FESX, FSX, and FWSX devices support rule-based ACLs (sometimes called hardware-based ACLs), in which the
decision to permit or deny a packet is made in hardware and all permitted packets are switched or routed in
hardware.
Rule-based ACLs program the ACL entries you assign to an interface into Content Addressable Memory (CAM)
space allocated for the port(s). The ACLs are programmed into hardware at startup (or as new ACLs are entered
and bound to ports). Devices that use rule-based ACLs program the ACLs into the CAM entries and use these
entries to permit or deny packets in the hardware, without sending the packets to the CPU for processing.
Rule-based ACLs are supported on physical interfaces, trunk groups, and virtual routing interfaces.
NOTE: The FESX, FSX, and FWSX devices support hardware-based ACLs only. These devices do not support
flow-based ACLs. In contrast, FES devices support flow-based ACLs only.
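To make the CAM description above concrete, the following is an added, constructed model of how a ternary CAM evaluates programmed ACL entries; it is not Foundry's implementation and not code from this manual. Each entry is stored as a value plus a care-mask (a clear mask bit is a wildcard), the packet header is packed into one lookup key, and the lowest-indexed matching entry wins. The key layout (src, dst, protocol, destination port), the sample ACL and packets, and the implicit deny at the end of the list are all assumptions of the model. The shadow check is the one a practitioner wants before binding an ACL to a port: an entry that a broader earlier entry fully covers occupies CAM space but can never be hit.

```python
"""Constructed model of a ternary-CAM ACL lookup (illustrative only, not Foundry's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed key layout, most significant first: src IP | dst IP | protocol | dst port
IP_BITS, PROTO_BITS, PORT_BITS = 32, 8, 16
SRC_SHIFT = IP_BITS + PROTO_BITS + PORT_BITS
DST_SHIFT = PROTO_BITS + PORT_BITS
PROTO_SHIFT = PORT_BITS


@dataclass(frozen=True)
class CamEntry:
    value: int    # key bits to compare against
    mask: int     # 1 = compare this bit, 0 = wildcard (don't care)
    action: str   # "permit" or "deny"
    label: str    # readable form of the rule, for reporting


def _field(width: int, shift: int, item, is_net: bool):
    """(value, mask) for one key field, shifted into place; None means wildcard."""
    if item is None:
        return 0, 0
    if is_net:
        net = ipaddress.IPv4Network(item, strict=False)
        return int(net.network_address) << shift, int(net.netmask) << shift
    return item << shift, ((1 << width) - 1) << shift


def make_entry(action: str, src: Optional[str], dst: Optional[str],
               proto: Optional[int], dport: Optional[int]) -> CamEntry:
    """Translate one ACL rule into the value/mask pair a CAM would store."""
    value = mask = 0
    for width, shift, item, is_net in (
        (IP_BITS, SRC_SHIFT, src, True),
        (IP_BITS, DST_SHIFT, dst, True),
        (PROTO_BITS, PROTO_SHIFT, proto, False),
        (PORT_BITS, 0, dport, False),
    ):
        v, m = _field(width, shift, item, is_net)
        value |= v
        mask |= m
    fmt = lambda x: "any" if x is None else str(x)
    label = f"{action} src={fmt(src)} dst={fmt(dst)} proto={fmt(proto)} dport={fmt(dport)}"
    return CamEntry(value, mask, action, label)


def packet_key(src: str, dst: str, proto: int, dport: int) -> int:
    """Pack the header fields of one packet into the same layout as the entries."""
    return ((int(ipaddress.IPv4Address(src)) << SRC_SHIFT)
            | (int(ipaddress.IPv4Address(dst)) << DST_SHIFT)
            | (proto << PROTO_SHIFT) | dport)


def cam_lookup(entries: List[CamEntry], key: int) -> CamEntry:
    """First-match lookup: lowest index has highest priority.
    Falls through to an implicit deny when nothing matches (an assumption of this model)."""
    for e in entries:
        if key & e.mask == e.value & e.mask:
            return e
    return CamEntry(0, 0, "deny", "implicit deny")


def evaluate(entries: List[CamEntry], src: str, dst: str, proto: int, dport: int) -> str:
    return cam_lookup(entries, packet_key(src, dst, proto, dport)).action


def shadowed_entries(entries: List[CamEntry]) -> List[int]:
    """Indices of entries that can never hit: an earlier entry matches every key they would.
    Earlier shadows later when it wildcards everything the later one wildcards and agrees
    on every bit it does compare."""
    out = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            cares_subset = (earlier.mask & ~later.mask) == 0
            same_bits = (earlier.value & earlier.mask) == (later.value & earlier.mask)
            if cares_subset and same_bits:
                out.append(j)
                break
    return out


# Constructed sample ACL (addresses from documentation ranges); entry 2 is shadowed by entry 1.
ACL = [
    make_entry("permit", "10.1.0.0/16", "192.0.2.10/32", 6, 443),
    make_entry("deny",   "10.1.0.0/16", "192.0.2.0/24", None, None),
    make_entry("permit", "10.1.2.0/24", "192.0.2.10/32", 6, 22),
    make_entry("permit", None, "198.51.100.0/24", 17, 53),
]

if __name__ == "__main__":
    for pkt in (("10.1.2.5", "192.0.2.10", 6, 443), ("10.1.2.5", "192.0.2.10", 6, 22),
                ("172.16.0.1", "198.51.100.53", 17, 53), ("172.16.0.1", "192.0.2.10", 6, 443)):
        hit = cam_lookup(ACL, packet_key(*pkt))
        print(pkt, "->", hit.action, "via", hit.label)
    for idx in shadowed_entries(ACL):
        print("never hit:", ACL[idx].label)
```

Running the sample shows the SSH packet from 10.1.2.5 being denied by entry 1 even though entry 2 was written to permit it, which is exactly what the shadow check reports; reordering entries 1 and 2 fixes it without changing the rule set.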
This chapter contains the following information:
Table 12.1: Chapter Contents
Description                                                              See Page
ACL Overview                                                             12-2
How hardware-based ACLs work                                             12-3
Configuration considerations                                             12-4
Configuring standard numbered ACLs                                       12-4
Configuring standard named ACLs                                          12-6
Configuring extended numbered ACLs                                       12-8
Configuring extended named ACLs                                          12-13
Adding a comment to an ACL entry                                         12-18
Enabling ACL filtering of fragmented packets                             12-20
Enabling ACL filtering based on VLAN membership or VE port membership    12-20