ServerIron ADX NAT64 Configuration Guide v
53-1002288-02
DRAFT: BROCADE CONFIDENTIAL
Chapter 4 Access Control List
How ServerIron processes ACLs ........................................ 41
    Prior to release 12.3.01 ........................................ 41
    Beginning with release 12.3.01 and later ........................ 41
    Rule-based ACLs ................................................. 42
    How fragmented packets are processed ............................ 42
Default ACL action ................................................... 43
Types of IP ACLs ..................................................... 44
ACL IDs and entries .................................................. 44
ACL entries and the Layer 4 CAM ...................................... 45
    Aging out of entries in the Layer 4 CAM ......................... 45
    Displaying the number of Layer 4 CAM entries .................... 45
    Specifying the maximum number of CAM entries for rule-based ACLs  45
Configuring numbered and named ACLs .................................. 46
    Configuring standard numbered ACLs .............................. 46
    Configuring extended numbered ACLs .............................. 48
    Extended ACL syntax ............................................. 50
    Configuring standard or extended named ACLs ..................... 54
    Displaying ACL definitions ...................................... 55
    Displaying ACLs using keywords .................................. 56
Modifying ACLs ....................................................... 58
    Adding, inserting, replacing, or deleting a comment ............. 60
Displaying a list of ACL entries ..................................... 63
Applying ACLs to interfaces .......................................... 64
    Reapplying modified ACLs ........................................ 64
ACL logging .......................................................... 65
    Displaying ACL log entries ...................................... 66
    Displaying ACL statistics for flow-based ACLs ................... 67
    Clearing flow-based ACL statistics .............................. 67
Dropping all fragments that exactly match a flow-based ACL ........... 67
    Clearing the ACL statistics ..................................... 68
Enabling ACL filtering of fragmented packets ......................... 68
    Filtering fragmented packets for rule-based ACLs ................ 68
Enabling hardware filtering for packets denied by flow-based ACLs .... 70
Enabling strict TCP or UDP mode for flow-based ACLs .................. 71
    Enabling strict TCP mode ........................................ 71
    Enabling strict UDP mode ........................................ 72
    Configuring ACL packet and flow counters ........................ 73
ACLs and ICMP ........................................................ 74
    Using flow-based ACLs to filter ICMP packets based on the IP packet length  74
    ICMP filtering with flow-based ACLs ............................. 74
Using ACLs and NAT on the same interface (flow-based ACLs) ........... 77