
Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


134

Multi-Service IronWare Security Configuration Guide

53-1003035-02

Enabling ACL filtering of fragmented or non-fragmented packets

3

Brocade(config-if-e1000-3/1)# no spanning-tree

Brocade(config-if-e1000-3/1)# exit

Brocade(config)# access-list 102 deny ip any any fragment

Brocade(config)# access-list 102 permit ip any any

Behavior In Normal ACL Fragment Mode – In the normal Brocade device mode, fragmented and
non-fragmented packets will be dropped or forwarded as described in the following:

All IP fragments (both initial and subsequent fragments) will match the first ACL entry. Because
this is a deny ACL entry, and rate-limit strict-acl is configured, the matching packets are
dropped.

Non-fragmented packets will not match the first ACL entry because the fragment keyword is
present. The packet will then match the second (permit) ACL entry and consequently will be
forwarded and rate-limited.

Behavior In Conservative ACL Fragment Mode – If the Brocade device is configured for
Conservative ACL Fragment mode using the acl-frag-conservative command, fragmented and
non-fragmented packets will be dropped or forwarded as described in the following:

The initial fragment will not match the first ACL entry because the fragment keyword is present.
The packet will then match the second (permit) ACL entry and consequently will be forwarded
and rate-limited.

Non-initial IP fragments will match the first ACL entry based on Layer-3 information. Because
this is a deny ACL entry with Layer-3 information only, and rate-limit strict-acl is configured, the
matching packets are dropped.

Non-fragmented packets will not match the first ACL entry because the fragment keyword is
present. The packet will then match the second (permit) ACL entry and consequently will be
forwarded and rate-limited.

ACL-based rate limiting configuration example with fragment keyword and permit
clause

In the following example, ACL 103 is configured to process fragmented IP packets in Normal and
Conservative ACL modes as described.

Brocade(config)# interface ethernet 3/1

Brocade(config-if-e1000-3/1)# enable

Brocade(config-if-e1000-3/1)# rate-limit strict-acl

Brocade(config-if-e1000-3/1)# rate-limit input access-group 103 499992736 750000000

Brocade(config-if-e1000-3/1)# no spanning-tree

Brocade(config-if-e1000-3/1)# exit

Brocade(config)# access-list 103 permit ip any any fragment

Brocade(config)# access-list 103 deny ip any any

Behavior In Normal ACL Fragment Mode – In the normal Brocade device mode, fragmented and
non-fragmented packets will be dropped or forwarded as described in the following:

All IP fragments (both initial and subsequent fragments) will match the first ACL entry. Because
this is a permit ACL entry, the matching packets are forwarded and rate-limited.

Non-fragmented packets will not match the first ACL entry because the fragment keyword is
present. The packet will then match the second (deny) ACL entry and consequently will be
dropped.
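As an added illustration (not code from the Brocade guide), the following Python model reproduces the per-mode classification described above for ACL 102 and ACL 103. It assumes Layer-3-only entries such as `ip any any`, `rate-limit strict-acl` in effect, and an implicit deny at the end of the ACL; under those same rules it also yields the Conservative-mode results for ACL 103 that the text only begins here.

```python
"""Model of how a Brocade ACL using the `fragment` keyword classifies packets in
Normal versus Conservative ACL fragment mode with `rate-limit strict-acl` set.
Constructed example; rules follow the guide's prose, not device firmware."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class AclEntry:
    action: str             # "permit" or "deny"
    fragment: bool = False  # entry carries the `fragment` keyword

# Packet fragment status values: "none" (whole packet), "initial", "noninitial"
def entry_matches(entry: AclEntry, frag_status: str, conservative: bool) -> bool:
    """Match rule for a Layer-3-only entry (`ip any any`)."""
    if entry.fragment:
        if frag_status == "none":
            return False   # the fragment keyword never matches a non-fragmented packet
        if conservative and frag_status == "initial":
            return False   # Conservative mode: the initial fragment skips fragment entries
        return True        # Normal: all fragments; Conservative: non-initial fragments only
    return True            # no keyword: `any any` matches on Layer-3 information

def classify(acl: List[AclEntry], frag_status: str, conservative: bool) -> str:
    """Fate of one packet: 'dropped' or 'forwarded+rate-limited' (strict-acl)."""
    for entry in acl:
        if entry_matches(entry, frag_status, conservative):
            return "dropped" if entry.action == "deny" else "forwarded+rate-limited"
    return "dropped"       # implicit deny at the end of the ACL (assumption)

# ACL 102 from the page: deny ip any any fragment / permit ip any any
ACL_102 = [AclEntry("deny", fragment=True), AclEntry("permit")]
# ACL 103 from the page: permit ip any any fragment / deny ip any any
ACL_103 = [AclEntry("permit", fragment=True), AclEntry("deny")]

def fate_table(acl: List[AclEntry]) -> Dict[Tuple[str, str], str]:
    """(mode, fragment status) -> fate, for both fragment modes."""
    return {(mode, status): classify(acl, status, mode == "conservative")
            for mode in ("normal", "conservative")
            for status in ("none", "initial", "noninitial")}

if __name__ == "__main__":
    for name, acl in (("ACL 102", ACL_102), ("ACL 103", ACL_103)):
        for (mode, status), fate in fate_table(acl).items():
            print(f"{name} {mode:12} {status:10} -> {fate}")
```

The table makes the operational difference visible: with ACL 102, an initial fragment is dropped in Normal mode but forwarded in Conservative mode, so switching modes changes what a deny-fragment entry actually blocks.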