Foundry Networks FESX User Manual
Foundry Configuration Guide for the FESX, FSX, and FWSX
12 - 20 © Foundry Networks, Inc. December 2005
The next example shows the comment text for a named ACL in a show access-list display:
Syntax: show access-list <acl-num> | <acl-name> | all
Enabling Strict Control of ACL Filtering of Fragmented Packets
The default processing of fragments by hardware-based ACLs is as follows:
• The first fragment of a packet is permitted or denied using the ACLs. The first fragment is handled the same way as a non-fragmented packet, since it contains the Layer 4 source and destination application port numbers. The device uses the Layer 4 CAM entry if one is programmed, or applies the interface's ACL entries to the packet and permits or denies the packet according to the first matching ACL.
• The other fragments of the same packet are subject to a rule only if there is no Layer 4 information in that rule or in any preceding rule.
The fragments are forwarded even if the first fragment, which contains the Layer 4 information, was denied. Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be completed without the entire packet.
For tighter control, you can configure the port to drop all packet fragments. To do so, enter commands such as the
following:
FastIron SuperX Router(config)# interface ethernet 1/1
FastIron SuperX Router(config-if-1/1)# ip access-group frag deny
This option begins dropping all fragments received by the port as soon as you enter the command. This option is
especially useful if the port is receiving an unusually high rate of fragments, which can indicate a hacker attack.
Syntax: [no] ip access-group frag deny
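As an added illustration (not code from the Foundry guide), the following Python model walks a fragmented packet through the two behaviours described above: the default handling, in which the first fragment is evaluated with its Layer 4 information and later fragments are subject only to rules that neither contain nor follow Layer 4 information, and the port-level frag deny option, which drops every fragment before any ACL lookup. The Rule and Fragment fields, the ACLs and the packets are constructed for the example; treating a non-first fragment that no rule applies to as forwarded follows the guide's statement that such fragments are forwarded, not any documented implementation detail.

```python
"""Constructed model of the hardware-ACL fragment handling described above.
Added illustration only, not Foundry code: the Rule and Fragment fields and
the ACLs and packets below are assumptions made for the example."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any IP protocol)
    dport: Optional[int] = None  # Layer 4 destination port; None = no Layer 4 info

    @property
    def has_l4(self) -> bool:
        return self.dport is not None


@dataclass
class Fragment:
    proto: str
    offset: int                  # IP fragment offset, 0 for the first fragment
    more: bool                   # IP "more fragments" flag
    dport: Optional[int] = None  # Layer 4 port, only visible in the first fragment

    @property
    def is_fragment(self) -> bool:
        return self.offset > 0 or self.more

    @property
    def is_first(self) -> bool:
        return self.offset == 0


def rule_matches(rule: Rule, frag: Fragment) -> bool:
    if rule.proto != "ip" and rule.proto != frag.proto:
        return False
    if rule.has_l4:
        return frag.dport == rule.dport
    return True


def evaluate_fragment(acl: List[Rule], frag: Fragment, frag_deny: bool = False) -> str:
    """Return "permit" or "deny" for one fragment.

    frag_deny=True models "ip access-group frag deny": every fragment is
    dropped before any ACL lookup; unfragmented packets are unaffected.
    """
    if frag_deny and frag.is_fragment:
        return "deny"
    if frag.is_first:
        # First fragment (or unfragmented packet): normal first-match evaluation
        # with the Layer 4 ports available. Implicit deny if nothing matches.
        for rule in acl:
            if rule_matches(rule, frag):
                return rule.action
        return "deny"
    # Non-first fragment: a rule applies only if neither it nor any rule before
    # it carries Layer 4 information, so the first Layer 4 rule ends the search.
    # A fragment no rule applies to is forwarded (assumption taken from the
    # guide's statement that fragments are forwarded even when the first
    # fragment was denied).
    for rule in acl:
        if rule.has_l4:
            break
        if rule_matches(rule, frag):
            return rule.action
    return "permit"


def evaluate_packet(acl: List[Rule], frags: List[Fragment], frag_deny: bool = False) -> List[str]:
    return [evaluate_fragment(acl, f, frag_deny) for f in frags]


# Constructed ACL: a Layer 4 rule first, then an explicit deny with no Layer 4 info.
WEB_ONLY_ACL = [Rule("permit", "tcp", dport=80), Rule("deny", "ip")]

# Constructed ACL in which a rule without Layer 4 info precedes the Layer 4 rule.
NO_UDP_ACL = [Rule("deny", "udp"), Rule("permit", "tcp", dport=80)]

# Constructed packets: a telnet (port 23) datagram split into three fragments,
# a UDP datagram split into two, and an unfragmented HTTP packet.
TELNET_FRAGS = [
    Fragment("tcp", offset=0, more=True, dport=23),
    Fragment("tcp", offset=185, more=True),
    Fragment("tcp", offset=370, more=False),
]
UDP_FRAGS = [
    Fragment("udp", offset=0, more=True, dport=53),
    Fragment("udp", offset=185, more=False),
]
HTTP_PACKET = [Fragment("tcp", offset=0, more=False, dport=80)]


if __name__ == "__main__":
    print("default,   telnet:", evaluate_packet(WEB_ONLY_ACL, TELNET_FRAGS))
    print("frag deny, telnet:", evaluate_packet(WEB_ONLY_ACL, TELNET_FRAGS, frag_deny=True))
    print("default,   udp   :", evaluate_packet(NO_UDP_ACL, UDP_FRAGS))
```

Running the model shows the gap the guide warns about: with WEB_ONLY_ACL, the first telnet fragment is denied by the trailing deny rule, but the second and third fragments are forwarded because the first rule in the list carries Layer 4 information. With NO_UDP_ACL the UDP fragments are all denied, since the deny rule carries no Layer 4 information and nothing precedes it. Enabling frag deny on the port denies every fragment of the telnet datagram while leaving the unfragmented HTTP packet untouched.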
Enabling ACL Filtering Based on VLAN Membership or VE Port Membership
Starting with release 02.3.03, you can apply an inbound ACL to specific VLAN members on a port (Layer 2 devices only) or to specific ports on a virtual interface (VE) (Layer 3 devices only).
By default, this feature is disabled. To enable it, enter the following commands at the Global CONFIG level of the CLI:
FESX424 Switch (config)# enable acl-per-port-per-vlan
FESX424 Switch (config)# write memory
FESX424 Switch (config)# exit
FESX424 Switch# reload
After entering the above commands, you can:
• Apply an ACL to specific VLAN members on a port – see Page 12-21
• Apply an ACL to a subset of ports on a VE – see Page 12-21
The show access-list display referred to above, showing the comment text for the named ACL TCP/UDP:
FESX424 Router# show access-list TCP/UDP
IP access list rate-limit 100 aaaa.bbbb.cccc
Extended IP access list TCP/UDP (Total flows: N/A, Total packets: N/A)
ACL Comments: The following line permits TCP packets
permit tcp 0.0.0.40 255.255.255.0 0.0.0.2 255.255.255.0 (Flows: N/A, Packets: N/A)
ACL Comments: The following line permits UDP packets
permit udp 0.0.0.52 255.255.255.0 0.0.0.2 255.255.255.0 (Flows: N/A, Packets: N/A)
deny ip any any (Flows: N/A, Packets: N/A)