beautypg.com

Layer-4 information in an acl – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

Page 148

background image

130

Multi-Service IronWare Security Configuration Guide

53-1003035-02

Enabling ACL filtering of fragmented or non-fragmented packets

3

This can be a particular problem for Deny ACLs because packets can be dropped that should be
forwarded. For this reason, the conservative ACL fragment mode has been created to treat
fragmented packets differently both when the fragmented keyword is and is not used. While under
normal operation, fragmented packets are treated the same as all other packets, when the
acl-frag-conservative command is enabled, the device only applies Layer-4 information within an
ACL to non-fragmented packets and to the initial packet within a fragmented packet flow.

Layer-4 information in an ACL

An ACL entry with one or more of the following keywords is consider to have Layer-4 information:

TCP or UDP source or destination port. (In the case of ICMP, matching based on ICMP type or
code values)

TCP SYN flag

TCP Established flag

ACL operation with the device configured in conservative ACL fragment mode

Operation of ACLs with Fragmented packets when the device is configured in Conservative ACL
Fragment mode, through use of the acl-frag-conservative command, can be described to follow one
these four procedures:

ACL entries with Layer-3 Information only that do not contain the fragment keyword.

ACL entries with Layer-3 Information only that do contain the fragment keyword.

ACL entries with Layer-3 and Layer-4 Information that do not contain the fragment keyword.

ACL entries with Layer-3 and Layer-4 Information that do contain the fragment keyword.

Detailed operation of ACLs under each of these conditions are described as follows.

ACL entries with Layer-3 information only that do not contain the fragment keyword
In this situation, the operation of the ACL is exactly like it is during normal operation
(acl-frag-conservative command not configured). Any packet or fragment that matches the Layer-3
information specified in the ACL will be matched as described in

Table 16

.

ACL entries with Layer-3 information only that do contain the fragment keyword
In this situation, any packet that is not fragmented will not match because the fragment keyword is
configured in the ACL. Non-initial packets within a fragmented packet flow that contain the Layer-3
information specified in the ACL will be matched as described in

Table 17

.

TABLE 16

ACL entry with Layer-3 information only and no fragment keyword

Packet matches AND is either a non-fragmented
or the 1st packet within a fragmented packet flow

Packet matches AND is a non-initial packet
within a fragmented packet flow

permit

Yes – Matches because the packet matches the
Layer-3 Information in the ACL.

Yes – Matches because the packet matches
the Layer-3 Information in the ACL.

deny

Yes – Matches because the packet matches the
Layer-3 Information in the ACL.

Yes – Matches because the packet matches
the Layer-3 Information in the ACL.

See also other documents in the category Brocade Computer Accessories: