Table 17 – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Page 149
Multi-Service IronWare Security Configuration Guide
131
53-1003035-02
Enabling ACL filtering of fragmented or non-fragmented packets
3
ACL entries with Layer-3 and Layer-4 information that do not contain the fragment keyword
In this situation, any packet that is not fragmented or is the 1st packet within a fragmented packet
flow and also contains the Layer-3 and Layer-4 information specified in the ACL will be matched.
Packets that are non-initial packets within a fragmented packet flow and match the Layer-3
information will be matched for the permit clause because in conservative ACL fragment mode,
Layer-4 information is disregarded for non-initial packets. Also, non-initial packets within a
fragmented packet flow will not be matched for the deny clause because in conservative ACL
fragment mode, the deny clause is not invoked for non-initial packets within a fragmented packet
flow. Refer to
for operation in this scenario.
ACL entries with Layer-3 and Layer-4 information that contains the fragment keyword
In this situation, any packet that is not fragmented or is the 1st packet within a fragmented packet
flow will not be matched because the fragment keyword is specified in the ACL. Packets that are
non-initial packets within a fragmented packet flow, match the fragment keyword and match the
Layer-3 information will be matched for the permit clause because in conservative ACL fragment
mode, Layer-4 information is disregarded for non-initial packets. Also, non-initial packets within a
fragmented packet flow will not be matched for the deny clause because in conservative ACL
fragment mode, the deny clause is not invoked for non-initial packets within a fragmented packet
flow. Refer to
for operation in this scenario.
TABLE 17
ACL entry with Layer-3 information only and fragment keyword in ACL
Packet matches AND is either a non-fragmented
or the 1st packet within a fragmented packet flow
Packet matches AND is a non-initial packet within
a fragmented packet flow
permit
No – Does not match because fragment keyword
is in ACL and packet is either non-fragmented or
the 1st packet within a fragmented packet flow.
Yes – Matches because fragment keyword is in
ACL and packet is a non-initial packet within a
fragmented packet flow and the packet matches
the Layer-3 information in the ACL.
deny
No – Does not match because fragment keyword
is in ACL and packet is either non-fragmented or
the 1st packet within a fragmented packet flow.
Yes – Matches because fragment keyword is in
ACL and packet is a non-initial packet within a
fragmented packet flow and the packet matches
the Layer-3 information in the ACL.
TABLE 18
ACL entry with Layer-3 and Layer-4 information and no fragment keyword in ACL
Packet matches AND is either a
non-fragmented or the 1st packet within a
fragmented packet flow
Packet matches AND is a non-initial packet within a
fragmented packet flow
permit
Yes – Matches because the packet matches
the Layer-3 and Layer-4 Information in the ACL.
Yes – Matches because the packet matches the
Layer-3 Information in the ACL and in conservative
mode, Layer-4 information is disregarded for
non-initial packets within a fragmented packet flow.
deny
Yes – Matches because the packet matches
the Layer-3 and Layer-4 Information in the ACL.
No – Does not match because in conservative mode,
the deny clause is not invoked for non-initial packets
within a fragmented packet flow.