Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00)
53-1003250-01
25

Chapter 2

Access Control List

How the Brocade Virtual ADX processes ACLs

This chapter describes the Access Control List (ACL) feature. ACLs allow you to filter traffic based on
the information in the IP packet header.

You can use IP ACLs to provide input to other features such as distribution lists and rate limiting.
When you use an ACL this way, use permit statements in the ACL to specify the traffic that you want
to send to the other feature. If you use deny statements, the traffic specified by the deny
statements is not supplied to the other feature.

On Brocade Virtual ADX devices, IPv4 ACLs are processed in only one way: as software-based
(flow-based) ACLs.

How fragmented packets are processed

The descriptions for ACLs above apply to non-fragmented packets. The default processing of
fragments by ACLs is as follows:

• The first fragment of a packet is permitted or denied using the ACLs. The first fragment is
  handled the same way as non-fragmented packets, since the first fragment contains the Layer 4
  source and destination application port numbers. The device applies the interface's ACL
  entries to the packet and permits or denies the packet according to the first matching ACL.

• For other fragments of the same packet, one of the following occurs:

  - If the device has ACL rules that permit the packets, the device accepts the packets.
    The fragments are forwarded even if the first fragment, which contains the Layer 4
    information, was denied. Generally, denying the first fragment of a packet is sufficient,
    since a transaction cannot be completed without the entire packet.

  - The device compares the source and destination IP addresses to the ACL entries that
    contain Layer 4 information.

    - If the fragment's source and destination addresses exactly match an ACL entry that
      has Layer 4 information, the device assumes that the ACL entry is applicable to the
      fragment and permits or denies the fragment according to the ACL entry. The device
      does not compare the fragment to ACL entries that do not contain Layer 4 information.

    - If both the fragment's source and destination addresses do not exactly match an ACL
      entry, the device skips the ACL entry and compares the packet to the next ACL entry.
      This is true even if either the source or destination address (but not both) does
      exactly match an ACL entry.

    - If the source and destination addresses do not exactly match any ACL entry on the
      applicable interface, the device drops the fragment.
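The following simulator is an added example, not Brocade code, and models the default fragment handling described above so that the two lookup paths can be compared side by side. It assumes an interface ACL is an ordered list of entries with host addresses or "any"; "exactly match" is taken to mean that both the fragment's source and destination equal the entry's host addresses (an "any" address is not treated as an exact match), and the first-fragment path ends in an implicit deny. Both of those readings are assumptions, as are the sample ACL and addresses, which are constructed for illustration.

```python
"""Simulate default ACL handling of first and non-first IP fragments.

Added example (not Brocade code). Assumptions: host addresses or "any" in
entries; "exact match" means both src and dst equal the entry's host
addresses; the first-fragment lookup ends in an implicit deny.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    src: str                     # host address, or "any"
    dst: str                     # host address, or "any"
    proto: Optional[str] = None  # "tcp" / "udp"; None = any protocol
    dport: Optional[int] = None  # destination port; None = no Layer 4 info

    @property
    def has_l4(self) -> bool:
        return self.dport is not None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]         # None on non-first fragments (no L4 header)
    frag_offset: int = 0         # 0 = first fragment or unfragmented packet


# (action, index of the matching entry or None, reason)
Verdict = Tuple[str, Optional[int], str]


def _addr_ok(rule_addr: str, addr: str) -> bool:
    """Normal (non-fragment) address match: "any" matches everything."""
    return rule_addr == "any" or rule_addr == addr


def evaluate_first_fragment(acl: List[AclEntry], pkt: Packet) -> Verdict:
    """First fragment / whole packet: ordinary first-match lookup on
    addresses, protocol and port. Implicit deny at the end is an assumption."""
    for i, e in enumerate(acl):
        if not (_addr_ok(e.src, pkt.src) and _addr_ok(e.dst, pkt.dst)):
            continue
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return (e.action, i, "first matching entry")
    return ("deny", None, "implicit deny")


def evaluate_non_first_fragment(acl: List[AclEntry], pkt: Packet) -> Verdict:
    """Non-first fragment: only entries with Layer 4 info are compared, and
    only an exact src AND dst match applies; otherwise the fragment drops."""
    for i, e in enumerate(acl):
        if not e.has_l4:
            continue                       # entries without L4 info are never compared
        if e.src == pkt.src and e.dst == pkt.dst:
            return (e.action, i, "exact src/dst match on Layer 4 entry")
        # one address matching (but not both) is still a skip
    return ("drop", None, "no exact match on any Layer 4 entry")


def apply_acl(acl: List[AclEntry], pkt: Packet) -> Verdict:
    if pkt.frag_offset == 0:
        return evaluate_first_fragment(acl, pkt)
    return evaluate_non_first_fragment(acl, pkt)


# Constructed sample ACL for illustration.
SAMPLE_ACL = [
    AclEntry("permit", "10.1.1.5", "10.2.2.9", "tcp", 443),   # L4 entry
    AclEntry("deny",   "10.1.1.5", "any",      "tcp", 23),    # L4 entry, dst "any"
    AclEntry("permit", "any",      "any"),                    # no L4 info
]


def demo() -> List[Verdict]:
    """Constructed packets: the telnet first fragment is denied by entry 1,
    yet a later fragment of the same flow is permitted via entry 0 because it
    exactly matches that Layer 4 entry, which is the behaviour the text warns about."""
    packets = [
        Packet("10.1.1.5", "10.2.2.9", "tcp", 23),                    # first fragment, telnet
        Packet("10.1.1.5", "10.2.2.9", "tcp", None, frag_offset=185), # later fragment, same flow
        Packet("10.1.1.5", "10.3.3.3", "tcp", None, frag_offset=185), # dst matches nothing exactly
        Packet("10.9.9.9", "10.2.2.9", "tcp", None, frag_offset=185), # only dst matches entry 0
    ]
    return [apply_acl(SAMPLE_ACL, p) for p in packets]


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Running the block shows the point of the passage: entry 2 ("permit any any") never influences non-first fragments because it carries no Layer 4 information, and a fragment whose addresses match only one side of a Layer 4 entry is dropped rather than forwarded.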

You can modify the handling of denied fragments. Refer to “Dropping all fragments that exactly
match an ACL” on page 44.