74 | Access Control Lists (ACLs)
www.dell.com | support.dell.com
Figure 5-1. Using the Order Keyword in ACLs

FTOS(conf)#ip access-list standard acl1
FTOS(conf-std-nacl)#permit 20.0.0.0/8
FTOS(conf-std-nacl)#exit
FTOS(conf)#ip access-list standard acl2
FTOS(conf-std-nacl)#permit 20.1.1.0/24 order 0
FTOS(conf-std-nacl)#exit
FTOS(conf)#class-map match-all cmap1
FTOS(conf-class-map)#match ip access-group acl1
FTOS(conf-class-map)#exit
FTOS(conf)#class-map match-all cmap2
FTOS(conf-class-map)#match ip access-group acl2
FTOS(conf-class-map)#exit
FTOS(conf)#policy-map-input pmap
FTOS(conf-policy-map-in)#service-queue 3 class-map cmap1
FTOS(conf-policy-map-in)#service-queue 1 class-map cmap2
FTOS(conf-policy-map-in)#exit
FTOS(conf)#interface tengig 1/0
FTOS(conf-if-ti-1/0)#service-policy input pmap

IP Fragment Handling

FTOS supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent fragments. It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules, whatever the protocol (permit/deny ip/tcp/udp/icmp).

• Both standard and extended ACLs support IP fragments.
• Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to them. If the packet is to be denied eventually, its first fragment is denied, so the packet as a whole cannot be reassembled.
• Implementing the required rules uses a significant number of CAM entries per TCP/UDP entry.
• For IP ACLs, FTOS always applies an implicit deny. You do not have to configure it.
• For IP ACLs, FTOS applies an implicit permit for second and subsequent fragments just prior to the implicit deny.
• If an explicit deny that matches them is configured, second and subsequent fragments hit that deny and do not reach the implicit permit rule for fragments.

IP Fragments ACL Examples

The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule is never hit (Figure 5-2).

Figure 5-2. Permit All Packets

FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#permit ip any 10.1.1.1/32
FTOS(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
FTOS(conf-ext-nacl)#
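As an added example (not FTOS code and not from the Dell guide), the following Python model reproduces the first-match ACL evaluation this section describes, including the order keyword from Figure 5-1 and the fragment behaviour from the bullet list: a Layer 4 rule cannot match a second or subsequent fragment, a rule carrying the fragments keyword matches only such fragments, the implicit permit for fragments sits just before the implicit deny, and an explicit deny that matches fragments stops them from reaching that implicit permit. The precise matching rule for the fragments keyword is an assumption drawn from the text; the Rule, Packet and Acl names and the sample packets are constructed for the demo.

```python
"""Model of first-match IP ACL evaluation with the fragment semantics described
on this page. Added example, not FTOS code. The exact matching details for the
'fragments' keyword (matches non-initial fragments only) and for Layer 4 rules
(cannot match a non-initial fragment) are assumptions based on the text."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None      # None when there is no Layer 4 header
    frag_offset: int = 0             # > 0 marks a second or subsequent fragment

    @property
    def non_initial_fragment(self) -> bool:
        return self.frag_offset > 0


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches any IP protocol
    src: str = "0.0.0.0/0"           # 'any'
    dst: str = "0.0.0.0/0"           # 'any'
    dport: Optional[int] = None      # Layer 4 criterion, e.g. 'eq 80'
    fragments: bool = False          # the 'fragments' keyword
    hits: int = 0                    # hit counter, used by the demo

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.fragments:
            # 'fragments' rules apply only to second and subsequent fragments
            return pkt.non_initial_fragment
        if self.dport is not None:
            # A Layer 4 rule cannot be applied to a non-initial fragment:
            # there is no Layer 4 header to inspect.
            return not pkt.non_initial_fragment and pkt.dport == self.dport
        return True                  # plain Layer 3 rule: initial and later fragments alike


class Acl:
    def __init__(self, name: str):
        self.name = name
        self.rules: List[Rule] = []

    def add(self, rule: Rule, order: Optional[int] = None) -> None:
        """Append a rule, or insert it at position 'order' (the order keyword)."""
        if order is None:
            self.rules.append(rule)
        else:
            self.rules.insert(order, rule)

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:      # first matching rule wins
            if rule.matches(pkt):
                rule.hits += 1
                return rule.action
        # Implicit permit for second and subsequent fragments, just prior to the implicit deny
        if pkt.non_initial_fragment:
            return "permit"
        return "deny"                # implicit deny; never configured explicitly


def figure_5_2_acl() -> Acl:
    """The extended ACL ABC from Figure 5-2."""
    acl = Acl("ABC")
    acl.add(Rule("permit", "ip", "0.0.0.0/0", "10.1.1.1/32"))
    acl.add(Rule("deny", "ip", "0.0.0.0/0", "10.1.1.1/32", fragments=True))
    return acl


def demo() -> dict:
    # Constructed sample packets: an initial fragment (has a UDP header) and a later one (no header)
    first = Packet("192.0.2.5", "10.1.1.1", "udp", dport=53, frag_offset=0)
    later = Packet("192.0.2.5", "10.1.1.1", "udp", dport=None, frag_offset=1480)
    results = {}

    acl = figure_5_2_acl()
    results["abc_first"] = acl.evaluate(first)          # permit
    results["abc_later"] = acl.evaluate(later)          # permit: rule 1 already matched
    results["abc_deny_hits"] = acl.rules[1].hits        # 0: the deny rule is never hit

    # Same two rules, but the deny placed first with 'order 0'
    acl2 = Acl("ABC2")
    acl2.add(Rule("permit", "ip", "0.0.0.0/0", "10.1.1.1/32"))
    acl2.add(Rule("deny", "ip", "0.0.0.0/0", "10.1.1.1/32", fragments=True), order=0)
    results["ordered_first"] = acl2.evaluate(first)     # permit
    results["ordered_later"] = acl2.evaluate(later)     # deny

    # Only a Layer 4 rule: later fragments fall through to the implicit fragment permit
    acl3 = Acl("L4")
    acl3.add(Rule("permit", "tcp", "0.0.0.0/0", "10.1.1.1/32", dport=80))
    tcp_first = Packet("192.0.2.5", "10.1.1.1", "tcp", dport=80)
    tcp_later = Packet("192.0.2.5", "10.1.1.1", "tcp", dport=None, frag_offset=1480)
    udp_plain = Packet("192.0.2.5", "10.1.1.1", "udp", dport=53)
    results["l4_first"] = acl3.evaluate(tcp_first)      # permit
    results["l4_later"] = acl3.evaluate(tcp_later)      # permit (implicit fragment permit)
    results["l4_udp"] = acl3.evaluate(udp_plain)        # deny (implicit deny)
    # An explicit deny for fragments: they no longer reach the implicit permit
    acl3.add(Rule("deny", "ip", fragments=True))
    results["l4_later_denied"] = acl3.evaluate(tcp_later)   # deny
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The third ACL in demo() is the case the bullet list warns about: with only a Layer 4 permit configured, every later fragment is accepted by the implicit fragment permit, and only an explicit deny with the fragments keyword changes that.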