Brocade TurboIron 24X Series Configuration Guide User Manual
53-1003053-01
The fragments are forwarded even if the first fragment, which contains the Layer 4 information,
was denied. Generally, denying the first fragment of a packet is sufficient, since a transaction
cannot be completed without the entire packet.
For tighter control, you can configure the port to drop all packet fragments. To do so, enter
commands such as the following.
TurboIron(config)#interface ethernet 1
TurboIron(config-if-1)#ip access-group frag deny
This option begins dropping all fragments received by the port as soon as you enter the command.
This option is especially useful if the port is receiving an unusually high rate of fragments, which
can indicate a hacker attack.
Syntax: [no] ip access-group frag deny
Enabling ACL support for switched traffic in the router image
By default, when an ACL is applied to a physical or virtual routing interface, the Layer 3 device
filters routed traffic only. It does not filter traffic that is switched from one port to another within
the same VLAN or virtual routing interface, even if an ACL is applied to the interface.
You can enable the device to filter switched traffic within a VLAN or virtual routing interface. When
filtering is enabled, the device uses the ACLs applied to inbound traffic to filter traffic received by a
port from another port in the same virtual routing interface.
To enable this feature, enter a command such as the following.
TurboIron(config)#access-list 101 bridged-routed
Applying the ACL above to an interface enables filtering of traffic switched within a VLAN or
virtual routing interface.
Syntax: [no] ip access-list <ACL-ID> bridged-routed
The <ACL-ID> parameter specifies a standard or extended numbered or named ACL.
You can use this feature in conjunction with enable ACL-per-port-per-vlan to assign an ACL to a
single port within a virtual interface. In this case, all of the Layer 3 traffic (bridged and routed) is
filtered by the ACL.
TurboIron(config)#enable ACL-per-port-per-vlan
TurboIron(config)#write memory
TurboIron(config)#exit
TurboIron#reload
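The steps above, combined into one sequence as an added example that is not taken from the guide: the two ACL entries (a constructed rule for host 10.0.0.5) and the ip access-group 101 in binding follow the standard Brocade extended-ACL syntax and are assumed here; the bridged-routed, enable ACL-per-port-per-vlan, fragment-deny and reload commands are the ones this section documents.

```text
TurboIron(config)#access-list 101 permit tcp any host 10.0.0.5 eq 443
TurboIron(config)#access-list 101 deny ip any any
TurboIron(config)#access-list 101 bridged-routed
TurboIron(config)#enable ACL-per-port-per-vlan
TurboIron(config)#interface ethernet 1
TurboIron(config-if-1)#ip access-group 101 in
TurboIron(config-if-1)#ip access-group frag deny
TurboIron(config-if-1)#exit
TurboIron(config)#write memory
TurboIron(config)#exit
TurboIron#reload
```

Define and mark the ACL before binding it to the interface; the frag deny command starts dropping fragments on port 1 the moment it is entered, whereas the per-port-per-VLAN change is followed by write memory and reload as shown above.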
Enabling ACL filtering based on VLAN membership or VE port membership
NOTE
This section applies to IPv4 ACLs only.
You can apply an inbound IPv4 ACL to specific VLAN members on a port (Layer 2 devices only) or to
specific ports on a virtual interface (VE) (Layer 3 devices only).