Configuring the conservative ACL fragment mode, Named ACLs – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00)

Multi-Service IronWare Security Configuration Guide, 53-1003035-02, page 129

Enabling ACL filtering of fragmented or non-fragmented packets (chapter 3)

Named ACLs

  Brocade(config)# ip access-list extended entry
  Brocade(config-ext-nacl)# deny ip any any fragment
  Brocade(config)# int eth 1/1
  Brocade(config-if-e10000-1/1)# ip access-group entry in
  Brocade(config)# write memory

The first ACL entry in the example denies any fragmented packets. Other packets are denied or
permitted based on the next filter condition.

Next, the ACL named "entry" is applied as an inbound access group on port 1/1, so it filters the
traffic arriving on that port.

Syntax: ip access-list extended acl-name | acl-num deny | permit ip-protocol source-ip | hostname wildcard [operator source-tcp/udp-port] destination-ip | hostname [icmp-type | num] wildcard [operator destination-tcp/udp-port] [precedence name | num] [tos name | num] [fragment] | [non-fragmented]

Enter extended to indicate the named ACL is an extended ACL.

The acl-name | acl-num parameter allows you to specify an IPv4 ACL name or number. If using a
name, specify a string of up to 256 alphanumeric characters. You can use blanks in the ACL name,
if you enclose the name in quotation marks (for example, “ACL for Net1”). The acl-num parameter
allows you to specify an ACL number if you prefer. If you specify a number, enter a number from 100
– 199 for extended ACLs.

Enter the fragment keyword to allow the ACL to filter fragmented packets. Use the non-fragmented
keyword to filter non-fragmented packets.

NOTE

The fragment and non-fragmented keywords cannot be used together in the same ACL entry.

Complete the configuration by specifying options for the ACL entry. Options you can use are
discussed in the appropriate sections for configuring ACLs in this chapter.

Configuring the conservative ACL fragment mode

The acl-frag-conservative command allows you to change the operation of ACLs on fragmented
packets.

When a packet exceeds the maximum packet size, it is fragmented into a number of smaller
packets that each carry a portion of the original packet's contents. This packet flow begins with an
initial packet that contains all of the Layer-3 and Layer-4 header information of the original packet
and is followed by a number of packets that contain only the Layer-3 header information. Together
these packets carry all of the information in the original packet, distributed across pieces small
enough to stay under the maximum packet size. This poses a particular problem for ACL
processing. If the ACL filters on Layer-4 information, the non-initial packets of the fragmented flow
will not match that Layer-4 information even though the original, unfragmented packet would have
matched the filter. Consequently, packets that the ACL was designed to filter are not processed by
the ACL.
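As an added illustration that is not part of the Brocade guide, the following Python model shows why an ACL entry with a Layer-4 criterion misses the non-initial fragments of a flow, and how a leading deny ip any any fragment entry, like the one in the named-ACL example above, catches them. The fragment-matching semantics (a fragment is any packet with a non-zero offset or the more-fragments flag set), the implicit deny at the end of the ACL, and the packet sizes are modeling assumptions, not taken from this page.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    frag_offset: int = 0            # 0 for an unfragmented packet or the initial fragment
    more_frags: bool = False        # IP "more fragments" flag
    dst_port: Optional[int] = None  # Layer-4 header, present only in the initial fragment

@dataclass
class AclEntry:
    action: str                     # "deny" or "permit"
    proto: str = "ip"               # "ip" matches any IP protocol
    dst_port: Optional[int] = None  # Layer-4 criterion, e.g. 'eq 23'
    fragment: bool = False          # 'fragment' keyword, modeled as "match fragments only"

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if self.fragment and not (pkt.frag_offset > 0 or pkt.more_frags):
            return False
        # Non-initial fragments carry no Layer-4 header, so a port criterion never matches them.
        return self.dst_port is None or pkt.dst_port == self.dst_port

def fragment(pkt: Packet, payload_len: int, frag_payload: int) -> List[Packet]:
    """Split into an initial fragment (L3+L4 headers) and non-initial fragments (L3 only)."""
    frags, offset = [], 0
    while offset < payload_len:
        frags.append(Packet(pkt.proto, frag_offset=offset,
                            more_frags=offset + frag_payload < payload_len,
                            dst_port=pkt.dst_port if offset == 0 else None))
        offset += frag_payload
    return frags

def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; the ACL ends with an implicit deny (assumed)."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"

# Constructed ACLs: block Telnet (TCP/23) and permit the rest, without and with 'deny ip any any fragment' first.
L4_ONLY_ACL = [AclEntry("deny", "tcp", dst_port=23), AclEntry("permit")]
FRAG_AWARE_ACL = [AclEntry("deny", fragment=True)] + L4_ONLY_ACL

def decisions(acl: List[AclEntry]) -> List[str]:
    # Verdict per fragment of a constructed 3000-byte Telnet packet split into 1480-byte pieces.
    telnet = Packet("tcp", dst_port=23)
    return [evaluate(acl, f) for f in fragment(telnet, 3000, 1480)]
```

With the Layer-4-only ACL the initial fragment is denied but the two non-initial fragments are permitted; with the fragment entry in front all three are denied, while an unfragmented DNS packet is still permitted by both.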