Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

Multi-Service IronWare Security Configuration Guide, 53-1003035-02, page 133

Enabling ACL filtering of fragmented or non-fragmented packets (chapter 3)

Non-fragmented packets will not match the first ACL entry because the fragment keyword is
present. The packet will then match the second (deny) ACL entry and consequently will be
dropped.

ACL configuration example with fragment keyword and deny clause

In the following example, ACL 101 is configured to process fragmented IP packets in Normal and
Conservative ACL fragment modes, as described below.

Brocade(config)# access-list 101 deny tcp 10.1.0.0 0.0.0.255 any fragment

Brocade(config)# access-list 101 permit ip any any

Behavior In Normal ACL Fragment Mode – In the normal Brocade device mode, fragmented and
non-fragmented packets will be dropped or forwarded as described in the following:

All TCP fragments (both initial and subsequent fragments) from the specified IP address will
match the first ACL entry. Because this is a deny ACL entry, the matching packets are dropped.

Non-fragmented packets will not match the first ACL entry because the fragment keyword is
present. The packet will then match the second (permit) ACL entry and consequently will be
forwarded.

Behavior In Conservative ACL Fragment Mode – If the Brocade device is configured for
Conservative ACL Fragment mode using the acl-frag-conservative command, fragmented and
non-fragmented packets will be dropped or forwarded as described in the following:

The initial fragment will not match the first ACL entry because the fragment keyword is present.
The packet will then match the second (permit) ACL entry and consequently will be forwarded.

Non-initial TCP fragments will match the first ACL entry based on Layer-3 information. Because
this is a deny ACL entry with Layer-3 information only, the matching packets are dropped.

Non-fragmented packets will not match the first ACL entry because the fragment keyword is
present. The packet will then match the second (permit) ACL entry and consequently will be
forwarded.
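To make the two fragment modes concrete, the following is an added simulation of the matching rules described above; it is example code written for this page, not Brocade software or CLI output. It parses the two-line ACL shown earlier, classifies constructed packets as non-fragmented, initial fragment (offset 0 with the more-fragments flag set) or non-initial fragment (offset greater than 0), and applies the rules the text gives: an entry with the fragment keyword never matches a non-fragmented packet; in normal mode it matches initial and subsequent fragments on Layer-3 information; in conservative mode it matches only non-initial fragments. Two assumptions not stated on this page are built in: entries without the fragment keyword are matched on Layer-3 fields only (the example ACLs carry no port information), and an ACL ends with an implicit deny.

```python
"""Simulate ACL fragment matching in normal vs. conservative fragment mode (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # protocol field of the IP header: "tcp", "udp", ...
    frag_offset: int = 0        # > 0 marks a non-initial fragment
    more_fragments: bool = False

    @property
    def is_fragment(self) -> bool:
        return self.frag_offset > 0 or self.more_fragments

    @property
    def is_initial_fragment(self) -> bool:
        # First piece of a fragmented datagram: offset 0 with MF set.
        return self.is_fragment and self.frag_offset == 0


@dataclass
class AclEntry:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol
    src: str           # "any" or "<addr> <wildcard-mask>"
    dst: str
    fragment: bool     # True when the entry carries the fragment keyword


def _take_addr(tokens):
    """Consume one address specification (any | host A | A WILDCARD) from the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(lines):
    """Parse lines of the form: access-list <num> <action> <proto> <src> <dst> [fragment]."""
    entries = []
    for line in lines:
        tokens = line.split()
        assert tokens[0] == "access-list", line
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        fragment = rest[-1] == "fragment"
        if fragment:
            rest = rest[:-1]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        entries.append(AclEntry(action, proto, src, dst, fragment))
    return entries


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    net, wildcard = spec.split()
    keep = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF   # wildcard bits are "don't care"
    return (int(IPv4Address(addr)) & keep) == (int(IPv4Address(net)) & keep)


def _l3_matches(entry: AclEntry, pkt: Packet) -> bool:
    # Assumption: entries are compared on Layer-3 information only (no ports in these ACLs).
    return (entry.proto in ("ip", pkt.proto)
            and _addr_matches(entry.src, pkt.src)
            and _addr_matches(entry.dst, pkt.dst))


def _fragment_keyword_applies(entry: AclEntry, pkt: Packet, mode: str) -> bool:
    if not entry.fragment:
        return True                     # no keyword: fragments and non-fragments alike
    if not pkt.is_fragment:
        return False                    # the keyword never matches a non-fragmented packet
    if mode == "normal":
        return True                     # initial and subsequent fragments both match
    return not pkt.is_initial_fragment  # conservative: only non-initial fragments match


def evaluate(acl, pkt: Packet, mode: str = "normal") -> str:
    """Return the action of the first matching entry, or the implicit deny (assumed)."""
    for entry in acl:
        if _l3_matches(entry, pkt) and _fragment_keyword_applies(entry, pkt, mode):
            return entry.action
    return "deny"


# ACL 101 from the page; ACL 100 is a constructed permit-fragment / deny-everything-else shape.
ACL_101 = parse_acl([
    "access-list 101 deny tcp 10.1.0.0 0.0.0.255 any fragment",
    "access-list 101 permit ip any any",
])
ACL_100 = parse_acl([
    "access-list 100 permit tcp 10.1.0.0 0.0.0.255 any fragment",
    "access-list 100 deny ip any any",
])

# Constructed sample packets, all from a source inside 10.1.0.0/24.
SAMPLE_PACKETS = {
    "non_fragmented": Packet("10.1.0.5", "192.0.2.10", "tcp"),
    "initial_fragment": Packet("10.1.0.5", "192.0.2.10", "tcp", more_fragments=True),
    "non_initial_fragment": Packet("10.1.0.5", "192.0.2.10", "tcp", frag_offset=185),
}


def results(acl, mode: str):
    """Map each sample packet name to the action the ACL takes on it in the given mode."""
    return {name: evaluate(acl, pkt, mode) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for mode in ("normal", "conservative"):
        print(mode, results(ACL_101, mode))
```

Running `results(ACL_101, "conservative")` shows the point the text makes about conservative mode: the initial fragment slips past the deny entry and is forwarded by `permit ip any any`, while only the non-initial fragments are dropped; in normal mode both kinds of fragment are dropped. Swap in `ACL_100` to reproduce the permit-clause case, where the trailing `deny ip any any` catches whatever the fragment entry does not match.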

Examples of ACL-based rate limiting in normal and conservative ACL fragment modes

The following examples illustrate how an ACL with the fragment keyword operates for rate limiting
applications in both the normal and conservative mode:

ACL-based Rate Limiting Configuration Example with Fragment Keyword and Deny Clause

ACL-based Rate Limiting Configuration Example with Fragment Keyword and Permit Clause

ACL-based rate limiting configuration example with fragment keyword and deny clause

In the following example, ACL 102 is configured to process fragmented IP packets in Normal and
Conservative ACL fragment modes, as described below.

Brocade(config)# interface ethernet 3/1

Brocade(config-if-e1000-3/1)# enable

Brocade(config-if-e1000-3/1)# rate-limit strict-acl

Brocade(config-if-e1000-3/1)# rate-limit input access-group 102 499992736 750000000