Foundry Switch and Router Installation and Configuration Guide
13 - 2 December 2000
• "Displaying the Log Entries" on page 13-24
• "Policy-Based Routing (PBR)" on page 13-25
• "Using ACLs to Restrict Remote Access" on page 3-4
Usage Guidelines for Access Control Lists (ACLs)
This section provides some guidelines for implementing ACLs to ensure wire-speed ACL performance.
For optimal ACL performance, use the following guidelines:
• Apply ACLs to inbound traffic rather than outbound traffic.
• Use the default filtering behavior as much as possible. For example, if you are concerned with filtering only a few specific addresses, create deny entries for those addresses, then create a single entry to permit all other traffic. For tighter control, create explicit permit entries and rely on the default deny action for all other addresses.
• Use deny ACLs sparingly. When a deny ACL is applied to an interface, the software sends all packets sent or received on the interface (depending on the traffic direction of the ACL) to the CPU for examination.
• Adjust system resources if needed:
  • If IP traffic is going to be high, increase the size of the IP forwarding cache to allow more routes. To do so, use the system-max ip-cache <num> command at the global CONFIG level of the CLI.
  • If much of the IP traffic you are filtering is UDP traffic, increase the size of the session table to allow more ACL sessions. To do so, use the system-max session-limit <num> command at the global CONFIG level of the CLI.
Avoid the following implementations when possible:
• Do not apply ACLs to outbound traffic. The system creates separate inbound ACLs to ensure that an outbound ACL is honored for traffic that normally would be forwarded to other ports.
• Do not enable the strict TCP ACL mode unless you need it for tighter security.
• Avoid ICMP-based ACLs where possible. If you are interested in providing protection against ICMP Denial of Service (DoS) attacks, use Foundry's DoS protection features. See "Protecting Against Denial of Service Attacks" on page A-1.
If the IP traffic in your network is characterized by a high volume of short sessions, this also can affect ACL performance, since this traffic initially must go to the CPU. All ICMP ACLs go to the CPU, as do all TCP SYN, SYN ACK, FIN, and RST packets and the first UDP packet of a session.
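The two filtering styles recommended above (a short deny list with a permit-all entry, and an explicit permit list that relies on the default deny), together with the resource-tuning commands, as one added configuration example. This is not a configuration from the manual: it uses the numbered standard-ACL form of the Foundry CLI as the editor recalls it, the host and network addresses, the interface numbers and the system-max values are constructed for illustration, and you should check each line against your own software release before using it.

```text
! Added example, not from the manual. Addresses and values are constructed.
!
! Style 1: deny a few specific sources, permit everything else.
! Matching stops at the first entry that matches, so the deny entries
! must come before the permit-any entry.
access-list 1 deny host 10.10.10.5
access-list 1 deny host 10.10.10.6
access-list 1 permit any
!
! Style 2: permit only what is needed and let the default deny action
! drop everything else. No explicit "deny any" entry is needed; every
! ACL ends with an implicit deny of anything not permitted above it.
access-list 2 permit 192.168.20.0 0.0.0.255
access-list 2 permit host 172.16.1.10
!
! Apply the ACLs to inbound traffic, as the guidelines recommend,
! rather than outbound. Interface numbers are constructed.
interface ethernet 1/1
 ip access-group 1 in
!
interface ethernet 1/2
 ip access-group 2 in
!
! Resource tuning from the guidelines, entered at the global CONFIG level.
! The numbers are illustrative; size them from your own traffic profile.
! Larger ip-cache: more entries in the IP forwarding cache for high IP volume.
! Larger session-limit: more ACL sessions when much filtered traffic is UDP.
system-max ip-cache 32000
system-max session-limit 32000
```

When you change a system-max value, save the configuration (write memory) and reload the device so the new table sizes are allocated; on the releases the editor has worked with the change does not take effect until the reload, so plan it for a maintenance window. Keep ACL 2 (the default-deny style) in mind when reading the "use deny ACLs sparingly" guideline above: it gives tighter control, but traffic that falls through to the default deny is examined by the CPU, so prefer the permit-all style on links that carry high volumes of traffic you do not need to block.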
ACL Support on the Foundry Products
Foundry ACLs have two basic types of uses:
• Filtering forwarded traffic through the device
• Controlling management access to the device itself
In general, Layer 3 Switches (including the NetIron Internet Backbone router) support both types of ACLs. Layer 2 Switches support ACLs only for management access control. However, you can filter IP traffic on a Layer 2 Switch that has been upgraded to Layer 3 routing code by configuring IP access policies.
The following table lists the ACL functions supported on each Foundry Layer 3 Switch and Layer 2 Switch.

Product                           | Packet Forwarding ACLs Supported | Management Access ACLs Supported
NetIron Internet Backbone router  | X                                | X