Manualshelf

Reference Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S6000
81828384858687888990
Access Control Lists (ACLs) | 67
Figure 6-1. Using the Order Keyword in ACLs
IP Fragment Handling
FTOS supports a configurable option to explicitly deny IP fragmented packets, particularly second and
subsequent packets. It extends the existing ACL command syntax with the
fragments keyword for all
Layer 3 rules applicable to all Layer protocols (permit/deny ip/tcp/udp/icmp).
Both standard and extended ACLs support IP fragments.
Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these
fragments. If the packet is to be denied eventually, the first fragment would be denied and hence the
packet as a whole cannot be reassembled.
Implementing the required rules will use a significant number of CAM entries per TCP/UDP entry.
For IP ACL, FTOS always applies implicit deny. You do not have to configure it.
For IP ACL, FTOS applies implicit permit for second and subsequent fragment just prior to the
implicit deny.
If an explicit deny is configured, the second and subsequent fragments will not hit the implicit permit
rule for fragments.
Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with
the fragments option and apply it to a loopback interface, the command is accepted, but the ACL
entries are not actually installed the offending rule in CAM.
FTOS(conf)#ip access-list standard acl1
FTOS(config-std-nacl)#permit 20.0.0.0/8
FTOS(config-std-nacl)#exit
FTOS(conf)#ip access-list standard acl2
FTOS(config-std-nacl)#permit 20.1.1.0/24 order 0
FTOS(config-std-nacl)#exit
FTOS(conf)#class-map match-all cmap1
FTOS(conf-class-map)#match ip access-group acl1
FTOS(conf-class-map)#exit
FTOS(conf)#class-map match-all cmap2
FTOS(conf-class-map)#match ip access-group acl2
FTOS(conf-class-map)#exit
FTOS(conf)#policy-map-input pmap
FTOS(conf-policy-map-in)#service-queue 7 class-map cmap1
FTOS(conf-policy-map-in)#service-queue 4 class-map cmap2
FTOS(conf-policy-map-in)#exit
FTOS(conf)#interface te 10/0
FTOS(conf-if-te-10/0)#service-policy input pmap