BigIron RX Series Configuration Guide 50953-1001986-01

Chapter 20
Layer 2 ACLs

This chapter presents information to configure and view Layer 2 ACLs.

Layer 2 Access Control Lists (ACLs) filter incoming traffic based on Layer 2 MAC header fields in the Ethernet/IEEE 802.3 frame. Specifically, Layer 2 ACLs filter incoming traffic based on any of the following Layer 2 fields in the MAC header:
• Source MAC address and source MAC mask
• Destination MAC address and destination MAC mask
• VLAN ID
• Ethernet type

The Layer 2 ACL feature is unique to Brocade devices and differs from software-based MAC address filters. MAC address filters use the CPU to filter traffic; therefore, their performance is limited by the CPU's processing power. Layer 2 ACLs filter traffic in hardware at line rate.

Filtering based on ethertype

Layer 2 ACLs can filter traffic based on protocol type. For each Layer 2 ACL etype entry bound to a port, a CAM entry is written to the corresponding CAM. You can conserve CAM space by configuring only the Layer 2 ACL entries you need. For instance, to filter only IPv4-Len-5 traffic, specify that particular etype; this results in one CAM entry. Configuration examples are provided in the section "Configuring Layer 2 ACLs" on page 510.

You can configure Layer 2 ACLs to use the etype argument to filter on the following etypes:
• IPv4-Len-5 (Etype=0x0800, IPv4, HeaderLen 20 bytes)
• ARP (Etype=0x0806, IP ARP)
• IPv6 (Etype=0x86dd, IP version 6)

Note that IPv4-Len-5 matches only IPv4 packets whose header is exactly 20 bytes (IHL=5). IPv4 packets that carry IP options have a longer header and are not matched by that etype, so a clause written for IPv4-Len-5 alone does not cover them.

Configuration rules and notes
• You cannot bind Layer 2 ACLs and IP ACLs to the same port. However, you can configure one port on the device to use Layer 2 ACLs and another port on the same device to use IP ACLs.
• You cannot bind a Layer 2 ACL to a virtual interface.
• The Layer 2 ACL feature cannot perform SNAP and LLC encapsulation type comparisons.
• BigIron RX processes ACLs in hardware.
• You can use Layer 2 ACLs to block management access to the BigIron RX. For example, you can use a Layer 2 ACL clause to block a certain host from establishing a connection to the device through Telnet.
• You cannot edit or modify an existing Layer 2 ACL clause. If you want to change the clause, you must delete it first, then re-enter the new clause.
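The following is an added example, not code from the configuration guide or from Brocade: a small Python model of how the four match fields listed above (source MAC with mask, destination MAC with mask, VLAN ID, etype) are compared against an Ethernet frame, and what the three etypes mean on the wire. It also shows the management-access case from the notes, a deny clause keyed on one host's MAC, and why IPv4-Len-5 requires the IPv4 header length nibble to be 5. Two things are assumptions of the model rather than statements from the guide: the mask convention (a set mask bit means "compare this bit", so ff:ff:ff:ff:ff:ff is an exact match and ff:ff:ff:00:00:00 matches a vendor OUI) and first-match evaluation with an implicit deny at the end. All frames and MAC addresses are constructed for the example.

```python
"""Illustrative model of Layer 2 ACL matching. Not BigIron RX code; it only
mirrors the match fields and etype definitions the chapter describes."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ETYPE_IPV4 = 0x0800   # IPv4-Len-5 additionally needs IHL == 5 (20-byte header)
ETYPE_ARP = 0x0806
ETYPE_IPV6 = 0x86DD
ETYPE_VLAN = 0x8100   # 802.1Q tag; the real etype follows the tag


def mac(s: str) -> bytes:
    """'00:11:22:33:44:55' or '0011.2233.4455' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", "").replace("-", "").replace(".", ""))


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]     # 802.1Q VID, None when the frame is untagged
    etype: int
    payload: bytes


def build_frame(dst: str, src: str, etype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Constructed test frame: Ethernet II header, optional 802.1Q tag, payload."""
    hdr = mac(dst) + mac(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETYPE_VLAN, vlan & 0x0FFF)
    return hdr + struct.pack("!H", etype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Pull out the fields a Layer 2 ACL can see, stepping over a VLAN tag."""
    dst, src = raw[0:6], raw[6:12]
    etype = struct.unpack("!H", raw[12:14])[0]
    vlan, off = None, 14
    if etype == ETYPE_VLAN:
        tci = struct.unpack("!H", raw[14:16])[0]
        vlan = tci & 0x0FFF                      # low 12 bits of the TCI
        etype = struct.unpack("!H", raw[16:18])[0]
        off = 18
    return Frame(dst, src, vlan, etype, raw[off:])


def mac_match(addr: bytes, value: bytes, mask: bytes) -> bool:
    """Assumed mask convention: a set bit in mask means 'compare this bit'."""
    return all((a & m) == (v & m) for a, v, m in zip(addr, value, mask))


def etype_class(frame: Frame) -> Optional[str]:
    """Name the etype category the chapter lists, or None if the frame fits none.
    IPv4-Len-5 is IPv4 *and* a 20-byte header (IHL nibble == 5, no IP options)."""
    if frame.etype == ETYPE_ARP:
        return "ARP"
    if frame.etype == ETYPE_IPV6:
        return "IPv6"
    if frame.etype == ETYPE_IPV4 and frame.payload and (frame.payload[0] & 0x0F) == 5:
        return "IPv4-Len-5"
    return None


@dataclass
class L2Entry:
    action: str                          # "permit" or "deny"
    src: Optional[Tuple[bytes, bytes]]   # (mac, mask) or None for any
    dst: Optional[Tuple[bytes, bytes]]
    vlan: Optional[int]                  # None for any
    etype: Optional[str]                 # etype class name or None for any


def matches(entry: L2Entry, frame: Frame) -> bool:
    if entry.src is not None and not mac_match(frame.src, *entry.src):
        return False
    if entry.dst is not None and not mac_match(frame.dst, *entry.dst):
        return False
    if entry.vlan is not None and frame.vlan != entry.vlan:
        return False
    if entry.etype is not None and etype_class(frame) != entry.etype:
        return False
    return True


def evaluate(acl, frame: Frame) -> str:
    """First matching clause wins; implicit deny at the end is an assumption."""
    for entry in acl:
        if matches(entry, frame):
            return entry.action
    return "deny"


HOST_A = "00:11:22:33:44:55"                      # constructed "bad" host
EXACT = mac("ff:ff:ff:ff:ff:ff")
OUI_ONLY = mac("ff:ff:ff:00:00:00")

ACL = [
    # Block HOST_A's IPv4 (20-byte header) on VLAN 10, e.g. to keep it off Telnet.
    L2Entry("deny", (mac(HOST_A), EXACT), None, 10, "IPv4-Len-5"),
    # Permit ARP from any station sharing HOST_A's vendor OUI (mask demo).
    L2Entry("permit", (mac(HOST_A), OUI_ONLY), None, None, "ARP"),
    L2Entry("permit", None, None, None, None),   # permit everything else
]


def demo() -> Dict[str, Tuple[Optional[str], str]]:
    """Run constructed frames through ACL; returns {name: (etype class, action)}."""
    ipv4_20 = bytes([0x45]) + b"\x00" * 19       # IHL=5, no options
    ipv4_24 = bytes([0x46]) + b"\x00" * 23       # IHL=6, carries options
    frames = {
        "a_ipv4_vlan10": build_frame("00:aa:bb:cc:dd:ee", HOST_A, ETYPE_IPV4, ipv4_20, vlan=10),
        "a_ipv4_vlan20": build_frame("00:aa:bb:cc:dd:ee", HOST_A, ETYPE_IPV4, ipv4_20, vlan=20),
        "a_ipv4_options": build_frame("00:aa:bb:cc:dd:ee", HOST_A, ETYPE_IPV4, ipv4_24, vlan=10),
        "oui_arp": build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:99:88:77", ETYPE_ARP, b"\x00" * 28),
        "b_ipv6": build_frame("00:aa:bb:cc:dd:ee", "00:de:ad:be:ef:01", ETYPE_IPV6, b"\x60" + b"\x00" * 39),
    }
    return {n: (etype_class(parse_frame(r)), evaluate(ACL, parse_frame(r))) for n, r in frames.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} -> {result}")
```

The "a_ipv4_options" frame is the case to notice: it is IPv4 from the blocked host on the right VLAN, but because its header is 24 bytes it is not IPv4-Len-5, so the deny clause does not match and the frame is permitted by the final clause. Any Layer 2 clause that keys on a host's MAC is also only as strong as that address: a host that changes its MAC is no longer the host the clause names, so MAC-based management blocking should be a layer on top of, not a substitute for, authenticating and restricting management access.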