Foundry Networks FESX User Manual
Foundry Configuration Guide for the FESX, FSX, and FWSX
12 - 4 © Foundry Networks, Inc. December 2005
The fragments are forwarded even if the first fragment, which contains the Layer 4 information, was denied.
Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be completed without the
entire packet.
For tighter control, you can configure the port to drop all packet fragments. See “Enabling Strict Control of ACL
Filtering of Fragmented Packets” on page 12-20.
Hardware Aging of Layer 4 CAM Entries
Rule-based ACLs use Layer 4 CAM entries. The device permanently programs rule-based ACLs into the CAM.
The entries never age out.
Configuration Considerations
• Hardware-based ACLs are supported on all Ethernet ports and on 10 Gigabit Ethernet ports.
• Hardware-based ACLs are supported on physical interfaces, trunk groups, and virtual routing interfaces.
• Hardware-based ACLs are supported only for inbound traffic.
• ACLs on the FESX, FSX, and FWSX apply to all traffic, including management traffic.
• ACL logging is supported for packets that are sent to the CPU for processing. ACL logging is not supported for packets that are processed in hardware.
• Hardware-based ACLs support only one ACL per port. The ACL can, of course, contain multiple entries (rules). For example, hardware-based ACLs do not support ACLs 101 and 102 on port 1, but hardware-based ACLs do support ACL 101 containing multiple entries.
• One-Gigabit ports on all FESX and FWSX devices support up to 1016 ACL rules. 10-Gigabit ports on all FESX and FWSX devices support up to 1024 ACL rules. ACLs on the FSX are affected by port regions. Multiple ACL groups share 1016 ACL rules per port region. Each ACL group must contain one entry for the implicit deny all IP traffic clause. Also, each ACL group uses a multiple of 8 ACL entries. For example, if all ACL groups contain 5 ACL entries, you could add 127 ACL groups (1016/8) in that port region. If all your ACL groups contain 8 ACL entries, you could add 63 ACL groups, since you must account for the implicit deny entry.
• By default, the first fragment of a fragmented packet received by the Foundry device is permitted or denied using the ACLs, but subsequent fragments of the same packet are forwarded in hardware. Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be completed without the entire packet.
• The following ACL features and options are not supported on the FESX and FSX:
  - Applying an ACL on a device that has Super Aggregated VLANs (SAVs) enabled.
  - Enabling CPU filtering of all fragmented packets on a port (ip access-group frag inspect command)
  - Configuring a port to drop all packet fragments (ip access-group frag deny command)
  - Flow-based ACLs
  - ACL statistics
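As an added worked example (not from the Foundry manual), the following Python applies the FSX port-region budget rules stated above: 1016 shared rules per port region, one extra entry per ACL group for the implicit deny, and CAM consumption in multiples of 8. It reproduces the manual's two uniform cases (5-entry and 8-entry groups) and also checks a mixed-size plan, whose ACL sizes are constructed for illustration.

```python
# Added example: planning ACL capacity for one FSX port region.
# Constants are taken from the configuration considerations on this page.
import math

RULES_PER_PORT_REGION = 1016   # ACL rules shared by all groups in a port region
CAM_GRANULARITY = 8            # each ACL group is padded to a multiple of 8
IMPLICIT_DENY_ENTRIES = 1      # the implicit "deny all IP traffic" clause


def cam_entries_for_group(explicit_entries: int) -> int:
    """CAM entries actually consumed by an ACL with `explicit_entries` rules.

    The implicit deny is added first, then the total is rounded up to the
    next multiple of 8, so a 7-entry ACL fits in 8 but an 8-entry ACL takes 16.
    """
    if explicit_entries < 1:
        raise ValueError("an ACL group needs at least one explicit entry")
    needed = explicit_entries + IMPLICIT_DENY_ENTRIES
    return math.ceil(needed / CAM_GRANULARITY) * CAM_GRANULARITY


def max_groups_of_size(explicit_entries: int) -> int:
    """How many identical ACL groups fit in one port region."""
    return RULES_PER_PORT_REGION // cam_entries_for_group(explicit_entries)


def plan_port_region(group_sizes):
    """Check a mixed set of planned ACL groups against the region budget.

    Returns (fits, consumed, remaining). Mixed sizes generalise the manual's
    two uniform examples.
    """
    consumed = sum(cam_entries_for_group(n) for n in group_sizes)
    remaining = RULES_PER_PORT_REGION - consumed
    return remaining >= 0, consumed, remaining


if __name__ == "__main__":
    print(max_groups_of_size(5))   # 127, as the manual states
    print(max_groups_of_size(8))   # 63, as the manual states
    # Constructed plan: hypothetical ACLs of 7, 7, 15 and 40 explicit rules
    print(plan_port_region([7, 7, 15, 40]))   # (True, 80, 936)
```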
NOTE: You can apply an ACL to a port that has TCP SYN protection and/or ICMP smurf protection enabled.
Configuring Standard Numbered ACLs
This section describes how to configure standard numbered ACLs with numeric IDs and provides configuration
examples.
Standard ACLs permit or deny packets based on source IP address. You can configure up to 99 standard
numbered ACLs. There is no limit to the number of ACL entries an ACL can contain except for the system-wide
limitation. For the number of ACL entries supported on a device, see “ACL IDs and Entries” on page 12-2.