Configuring the conservative acl fragment mode – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Multi-Service IronWare Security Configuration Guide, 53-1003035-02, page 132
Chapter 3: Enabling ACL filtering of fragmented or non-fragmented packets
Configuring the conservative ACL fragment mode
The Conservative ACL Fragment Mode is enabled with the acl-frag-conservative command, as shown in the following. The no form of the command returns the device to the normal ACL fragment mode.
Brocade(config)# acl-frag-conservative
Syntax: [no] acl-frag-conservative
Examples of ACL filtering in normal and conservative ACL fragment modes
The following examples illustrate how an ACL with the fragment keyword operates for filtering applications in both the normal and the conservative mode:
• ACL Configuration Example with Fragment Keyword and Permit Clause
• ACL Configuration Example with Fragment Keyword and Deny Clause
ACL configuration example with fragment keyword and permit clause
In the following example, ACL 100 is configured to process fragmented IP packets; its behavior in Normal and Conservative ACL fragment modes is described below.
Brocade(config)# access-list 100 permit tcp 10.1.0.0 0.0.0.255 any fragment
Brocade(config)# access-list 100 deny ip any any
Behavior in Normal ACL Fragment Mode – In the normal Brocade device mode, fragmented and non-fragmented packets are dropped or forwarded as follows:
• All TCP fragments (both initial and subsequent fragments) from the specified IP address match the first ACL entry. Because this is a permit ACL entry, the matching packets are forwarded.
• Non-fragmented packets do not match the first ACL entry because the fragment keyword is present. The packet then matches the second (deny) ACL entry and is consequently dropped.
Behavior in Conservative ACL Fragment Mode – If the Brocade device is configured for Conservative ACL Fragment mode using the acl-frag-conservative command, fragmented and non-fragmented packets are dropped or forwarded as follows:
• The initial fragment does not match the first ACL entry because the fragment keyword is present. The packet then matches the second (deny) ACL entry and is consequently dropped.
• Non-initial TCP fragments from the specified IP address match the first ACL entry based on Layer-3 information. Because this is a permit ACL entry, the matching packets are forwarded.
TABLE 19  ACL entry with Layer-3 and Layer-4 information and fragment keyword in ACL

ACL clause: permit
  Packet matches AND is either a non-fragmented or the 1st packet within a fragmented packet flow:
    No – Does not match because the fragment keyword is in the ACL and the packet is either non-fragmented or the 1st packet within a fragmented packet flow.
  Packet matches AND is a non-initial packet within a fragmented packet flow:
    Yes – Matches because the packet matches the Layer-3 information in the ACL and, in conservative mode, Layer-4 information is disregarded for non-initial packets within a fragmented packet flow.

ACL clause: deny
  Packet matches AND is either a non-fragmented or the 1st packet within a fragmented packet flow:
    No – Does not match because the fragment keyword is in the ACL and the packet is either non-fragmented or the 1st packet within a fragmented packet flow.
  Packet matches AND is a non-initial packet within a fragmented packet flow:
    No – Does not match because, in conservative mode, the deny clause is not invoked for non-initial packets within a fragmented packet flow.
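The following Python model is an added illustration, not Brocade code or anything from this guide: it encodes the matching rules stated for the normal and conservative fragment modes (the ACL 100 walkthrough above and Table 19) so that the forwarding outcome for each packet class can be checked. The packet addresses are constructed sample values, and the treatment of entries that carry no fragment keyword (matched on Layer-3 plus protocol, like an ordinary entry) is an assumption the page does not spell out.

```python
# Added model of the ACL fragment-mode semantics described on this page.
# Illustrative Python, not Brocade code: it encodes the rules stated in the
# text and in Table 19 so the outcomes can be checked offline.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet; only the fields the ACL rules look at."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp" (IP protocol field)
    frag_offset: int = 0       # > 0 means a non-initial fragment
    more_frags: bool = False   # MF flag; set on the 1st fragment of a flow

    @property
    def is_fragment(self) -> bool:
        return self.more_frags or self.frag_offset > 0

    @property
    def is_initial_fragment(self) -> bool:
        return self.more_frags and self.frag_offset == 0


@dataclass(frozen=True)
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any protocol; otherwise "tcp", "udp", ...
    src: str                 # "any" or "<address> <wildcard-mask>"
    dst: str
    fragment: bool = False   # the 'fragment' keyword


def wildcard_match(spec: str, addr: str) -> bool:
    """Wildcard-mask compare: 1 bits in the mask are don't-care bits."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(base)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def l3_match(entry: AclEntry, pkt: Packet) -> bool:
    return wildcard_match(entry.src, pkt.src) and wildcard_match(entry.dst, pkt.dst)


def l4_match(entry: AclEntry, pkt: Packet) -> bool:
    return entry.proto == "ip" or entry.proto == pkt.proto


def entry_matches(entry: AclEntry, pkt: Packet, conservative: bool) -> bool:
    if entry.fragment:
        # The fragment keyword never matches a non-fragmented packet (both modes).
        if not pkt.is_fragment:
            return False
        if not conservative:
            # Normal mode: initial and subsequent fragments all match.
            return l3_match(entry, pkt) and l4_match(entry, pkt)
        # Conservative mode (Table 19): the initial fragment does not match, a
        # deny clause is not invoked for non-initial fragments, and a permit
        # clause matches non-initial fragments on Layer-3 information only.
        if pkt.is_initial_fragment or entry.action == "deny":
            return False
        return l3_match(entry, pkt)
    # Entry without the fragment keyword. Assumption (not stated on this page):
    # matched on Layer-3 plus protocol like any ordinary entry.
    return l3_match(entry, pkt) and l4_match(entry, pkt)


def evaluate(acl, pkt: Packet, conservative: bool = False) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt, conservative):
            return entry.action
    return "deny"


# ACL 100 from the page: permit tcp 10.1.0.0 0.0.0.255 any fragment / deny ip any any
ACL_100 = [
    AclEntry("permit", "tcp", "10.1.0.0 0.0.0.255", "any", fragment=True),
    AclEntry("deny", "ip", "any", "any"),
]

# Constructed sample packets (addresses are illustrative, not from the page).
INITIAL_TCP_FRAG = Packet("10.1.0.5", "198.51.100.7", "tcp", frag_offset=0, more_frags=True)
LATER_TCP_FRAG = Packet("10.1.0.5", "198.51.100.7", "tcp", frag_offset=185)
WHOLE_TCP_PACKET = Packet("10.1.0.5", "198.51.100.7", "tcp")
LATER_UDP_FRAG = Packet("10.1.0.5", "198.51.100.7", "udp", frag_offset=185)


if __name__ == "__main__":
    for mode, conservative in (("normal", False), ("conservative", True)):
        print(f"--- {mode} mode ---")
        for name, pkt in (("initial TCP fragment", INITIAL_TCP_FRAG),
                          ("non-initial TCP fragment", LATER_TCP_FRAG),
                          ("non-fragmented TCP packet", WHOLE_TCP_PACKET),
                          ("non-initial UDP fragment", LATER_UDP_FRAG)):
            print(f"{name:28s} -> {evaluate(ACL_100, pkt, conservative)}")
```

Running the script reproduces the page's walkthrough: the initial TCP fragment is forwarded in normal mode but dropped in conservative mode, non-initial TCP fragments are forwarded in both, and the non-fragmented packet is dropped in both. The extra UDP case shows the Layer-4 point from Table 19: in conservative mode a non-initial UDP fragment is forwarded by the permit entry because only Layer-3 information is compared, whereas in normal mode it falls through to the deny entry. The deny row of Table 19 also means a deny entry that carries the fragment keyword matches nothing in conservative mode, so what happens to non-initial fragments is decided by whatever entry follows it, including the implicit deny.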