Foundry Networks FESX User Manual

Foundry Networks FESX
820 pages
Foundry Configuration Guide for the FESX, FSX, and FWSX
12 - 2 © Foundry Networks, Inc. December 2005
ACL Overview
This section provides an overview of ACLs.
Types of IP ACLs
You can configure the following types of IP ACLs:
• Standard – Permits or denies packets based on source IP address. Valid standard ACL IDs are 1 – 99 or a character string.
• Extended – Permits or denies packets based on source and destination IP address and also based on IP protocol information. Valid extended ACL IDs are a number from 100 – 199 or a character string.
ACL IDs and Entries
ACLs consist of ACL IDs and ACL entries:
• ACL ID – An ACL ID is a number from 1 – 99 (for a standard ACL) or 100 – 199 (for an extended ACL) or a character string. The ACL ID identifies a collection of individual ACL entries. When you apply ACL entries to an interface, you do so by applying the ACL ID that contains the ACL entries to the interface, instead of applying the individual entries to the interface. This makes applying large groups of access filters (ACL entries) to interfaces simple. See also “Numbered and Named ACLs” on page 12-3.
  NOTE: This is different from IP access policies. If you use IP access policies, you apply the individual policies to interfaces.
• ACL entry – Also called an ACL rule, a filter command associated with an ACL ID. The maximum number of ACL rules you can configure is a system-wide parameter and depends on the device you are configuring. You can configure up to the maximum number of entries in any combination in different ACLs. The total number of entries in all ACLs cannot exceed the system maximum.
  • One-Gigabit ports on the FESX support up to 1016 ACL rules. On the FSX, multiple ACL groups share 1016 ACL rules per port region. Each ACL group must contain one entry for the implicit deny all IP traffic clause. Also, each ACL group uses a multiple of 8 ACL entries. For example, if all ACL groups contain 5 ACL entries, you could add 127 ACL groups (1016/8) in that port region. If all your ACL groups contain 8 ACL entries, you could add 63 ACL groups, since you must account for the implicit deny entry.
  • 10-Gigabit ports on the FESX and FSX support up to 1024 ACL rules.
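The rule arithmetic above for an FSX port region, worked through as an added example that is not part of the Foundry manual. It reproduces the manual's 127 and 63 figures and then checks a mixed set of ACL groups against the 1016-rule budget; the in-order placement model in `plan_region`, the ACL group names and the sample sizes are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

PORT_REGION_RULES = 1016  # ACL rules shared per FSX port region (from the manual)
BLOCK = 8                 # each ACL group uses a multiple of 8 entries (from the manual)
IMPLICIT_DENY = 1         # one implicit "deny all IP traffic" entry per group


def hardware_entries(configured: int) -> int:
    """Entries one ACL group consumes: configured rules plus the implicit
    deny, rounded up to the next multiple of 8."""
    if configured < 0:
        raise ValueError("configured entry count cannot be negative")
    needed = configured + IMPLICIT_DENY
    return -(-needed // BLOCK) * BLOCK  # ceiling division, then scale


def max_groups(configured_per_group: int) -> int:
    """How many equally sized ACL groups fit in one port region."""
    return PORT_REGION_RULES // hardware_entries(configured_per_group)


@dataclass
class RegionPlan:
    placed: dict = field(default_factory=dict)    # name -> entries consumed
    rejected: dict = field(default_factory=dict)  # name -> entries it would need
    free: int = PORT_REGION_RULES


def plan_region(groups: dict) -> RegionPlan:
    """Assumed placement model (not from the manual): take groups in the
    given order and reject any whose rounded-up size no longer fits."""
    plan = RegionPlan()
    for name, configured in groups.items():
        cost = hardware_entries(configured)
        if cost <= plan.free:
            plan.placed[name] = cost
            plan.free -= cost
        else:
            plan.rejected[name] = cost
    return plan


# Constructed sample: 60 ACL groups of 15 rules, then three of other sizes.
SAMPLE = {f"acl-{i}": 15 for i in range(60)}
SAMPLE.update({"big": 40, "eight": 8, "seven": 7})

if __name__ == "__main__":
    print(max_groups(5), max_groups(8))
    result = plan_region(SAMPLE)
    print(result.free, result.rejected)
```

In the sample, the 8-rule group is rejected while the 7-rule group still fits: the implicit deny pushes 8 configured rules into a second block of 8.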
You configure ACLs on a global basis, then apply them to the incoming or outgoing traffic on specific ports. You can apply only one ACL to a port’s inbound traffic and only one ACL to a port’s outbound traffic. The software applies the entries within an ACL in the order they appear in the ACL’s configuration. As soon as a match is found,
Table 12.1: Chapter Contents

Description                                  See Page
Filtering on IP Precedence and ToS Values    12-22
QoS options for IP ACLs                      12-23
Using ACLs to rate limit traffic             12-24
Using ACLs to count packets                  12-25
Using ACLs to control multicast features     12-25
Displaying ACL information                   12-25
Troubleshooting ACLs                         12-25