BigIron RX Series Configuration Guide, 53-1002484-04 (chapter 22, page 639)

Enabling ACL filtering of fragmented or non-fragmented packets
By default, when an extended ACL is applied to a port, the port will use the ACL to permit or deny
the first fragment of a fragmented packet, but forward subsequent fragments of the same packet
in hardware. Generally, denying the first fragment of a packet is sufficient, since a transaction
cannot be completed without the entire packet.
To define an extended ACL that denies or permits fragmented or unfragmented packets, enter
commands such as those shown in one of the two methods below.
Numbered ACLs
BigIron RX(config)# access-list 111 deny ip any any fragment
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-e10000-1/1)# ip access-group 111 in
BigIron RX(config)# write memory
The first line in the example defines ACL 111 to deny any fragmented packets. Other packets will be
denied or permitted, based on the next filter condition.
Next, after assigning the ACL to Access Group 111, the access group is bound to port 1/1. It will be
used to filter incoming traffic.
See page 604 for the complete syntax for extended ACLs.
See page 614 for the complete syntax for super ACLs.
Named ACLs
BigIron RX(config)# ip access-list extended entry
BigIron RX(config-ext-nacl)# deny ip any any fragment
BigIron RX(config-ext-nacl)# exit
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-e10000-1/1)# ip access-group entry in
BigIron RX(config)# write memory
The first line in the example defines ACL entry to deny any fragmented packets. Other packets will
be denied or permitted, based on the next filter condition.
Next, after assigning the ACL to Access Group entry, the access group is bound to port 1/1. It will be
used to filter incoming traffic.
Syntax: ip access-list extended <acl-name> | <acl-num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator> <source-tcp/udp-port>] <destination-ip> | <hostname> [<operator> <destination-tcp/udp-port>] [precedence <name> | <num>] [tos <name> | <num>] [ip-pkt-len <value>] [log] [fragment] | [non-fragmented]
Enter extended to indicate the named ACL is an extended ACL.
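The following is an added, constructed model of the fragment-handling behaviour described in this section (the default first-fragment-only evaluation and the effect of the fragment and non-fragmented keywords); it is not Brocade code, and it assumes that a datagram counts as fragmented when its More Fragments flag is set or its fragment offset is non-zero, that only "any" sources and destinations appear, and that every ACL ends with an implicit deny.

```python
"""Constructed model (not Brocade code) of the semantics described above: the
first fragment (offset 0) is always evaluated by the ACL, later fragments are
forwarded unfiltered unless some clause carries the `fragment` or
`non-fragmented` keyword, and an ACL ends with an implicit deny."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "ip", "tcp", "udp", ...
    offset: int = 0     # IP fragment offset; 0 for the first (or only) fragment
    more: bool = False  # More Fragments (MF) flag

    @property
    def is_fragment(self) -> bool:
        # Assumption: MF set or a non-zero offset means "fragmented".
        return self.more or self.offset > 0


@dataclass(frozen=True)
class Clause:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every IP protocol
    frag: Optional[str] = None  # None, "fragment" or "non-fragmented"


def parse_clause(line: str) -> Clause:
    """Parse a simplified clause such as 'deny ip any any fragment'
    (only 'any' source/destination; ports and options are ignored)."""
    tokens = line.split()
    frag = tokens[-1] if tokens[-1] in ("fragment", "non-fragmented") else None
    return Clause(action=tokens[0], proto=tokens[1], frag=frag)


def clause_matches(c: Clause, p: Packet) -> bool:
    if c.proto != "ip" and c.proto != p.proto:
        return False
    if c.frag == "fragment" and not p.is_fragment:
        return False
    if c.frag == "non-fragmented" and p.is_fragment:
        return False
    return True


def evaluate(acl: list, p: Packet) -> str:
    """Return 'permit', 'deny', or 'forward' (later fragment passed in hardware)."""
    if p.offset > 0 and not any(c.frag for c in acl):
        return "forward"  # default: only the first fragment is filtered
    for c in acl:
        if clause_matches(c, p):
            return c.action
    return "deny"  # implicit deny at the end of every ACL
```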