DELL S50V User Manual

IP Access Control Lists (ACL), Prefix Lists, and Route-maps
Note the following when configuring ACLs with the fragments keyword.

When an ACL filters packets, it looks at the Fragment Offset (FO) field of the IP header to determine whether or not the packet is a fragment. Only the first fragment of a datagram carries the L4 (TCP/UDP) header, so a non-first fragment cannot be matched on port numbers; the FO check is what lets an ACL line act on those fragments at all.
•FO = 0 means the packet is either the first fragment or a non-fragmented packet.
•FO > 0 means the packet is a non-first fragment of the original packet.

Permit ACL line with L3 information only, and the fragments keyword is present:
If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset (FO) is checked.
•If the packet's FO > 0, the packet is permitted.
•If the packet's FO = 0, the next ACL entry is processed.

Deny ACL line with L3 information only, and the fragments keyword is present:
If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset (FO) is checked.
•If the packet's FO > 0, the packet is denied.
•If the packet's FO = 0, the next ACL line is processed.

In the following, TCP packets that are first fragments or non-fragmented packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are permitted; because the second line carries no port qualifier, those fragments are admitted toward any destination port, which is the trade-off this kind of entry makes. All other IP packets that are non-first fragments are denied.

FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
FTOS(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragment
FTOS(conf-ext-nacl)#deny ip any any fragment
FTOS(conf-ext-nacl)

To log all the packets denied, and to override the implicit deny rule and the implicit permit rule for TCP/UDP fragments, use a configuration similar to the following. The two explicit permit lines keep TCP and UDP non-first fragments out of the logged deny line that ends the list.

FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#permit tcp any any fragment
FTOS(conf-ext-nacl)#permit udp any any fragment
FTOS(conf-ext-nacl)#deny ip any any log
FTOS(conf-ext-nacl)

Configure a standard IP ACL
To configure an ACL, use commands in the IP ACCESS LIST mode and the INTERFACE mode. The following list includes the configuration tasks for IP ACLs:
For a complete listing of all commands related to IP ACLs, refer to the FTOS Command Line Interface Reference document.
to set up extended ACLs.
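The fragment-offset rules above, worked through as a small Python model. This is an added example written for this page, not FTOS code or anything from Dell: it applies the two fragments-keyword rules to the two ACLs shown and to a few constructed packets so you can see which line each packet hits. Two behaviours the section does not spell out are assumptions of the model and are marked as such in the code: a line with an "eq port" qualifier matches only when FO = 0 (the L4 header travels only in the first fragment), and an L3-only line without the fragments keyword matches regardless of FO. The implicit permit for TCP/UDP fragments mentioned above is not modelled; the list simply ends with the implicit deny. The addresses, ports and fragment offsets in the sample traffic are made up.

```python
"""Toy model of the fragment-offset ACL rules in this section.

Added example, not FTOS code. It implements the two stated rules for L3-only
lines carrying the fragments keyword, plus two ASSUMPTIONs (marked below) that
are needed to walk the sample ACLs to a decision.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    fo: int                      # IP Fragment Offset: 0 = first fragment or unfragmented
    dport: Optional[int] = None  # L4 destination port; only the first fragment carries it

    def __post_init__(self) -> None:
        if self.fo > 0 and self.dport is not None:
            raise ValueError("a non-first fragment carries no L4 header")


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or a single host address
    dst: str
    dport: Optional[int] = None  # the 'eq <port>' qualifier, if any
    fragments: bool = False      # the 'fragments' keyword
    log: bool = False            # the 'log' keyword


def _l3_match(e: AclEntry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and e.src in ("any", p.src)
            and e.dst in ("any", p.dst))


def evaluate(acl: List[AclEntry], p: Packet) -> Tuple[str, Optional[int], bool]:
    """Return (action, index of the matching line or None for the implicit deny, logged)."""
    for i, e in enumerate(acl):
        if not _l3_match(e, p):
            continue
        if e.fragments:
            # Rule from the text: with 'fragments', FO > 0 takes the line's action
            # and FO = 0 falls through to the next line.
            if p.fo > 0:
                return e.action, i, e.log
            continue
        if e.dport is not None:
            # ASSUMPTION: an L4 qualifier can only be compared against a packet
            # that carries the L4 header (FO = 0); non-first fragments fall through.
            if p.fo == 0 and p.dport == e.dport:
                return e.action, i, e.log
            continue
        # ASSUMPTION: an L3-only line without 'fragments' matches whatever the FO.
        return e.action, i, e.log
    return "deny", None, False  # implicit deny at the end of every ACL


# ip access-list extended ABC, first example in this section
ACL_ABC = [
    AclEntry("permit", "tcp", "10.1.1.1", "any", dport=24),
    AclEntry("permit", "tcp", "10.1.1.1", "any", fragments=True),
    AclEntry("deny", "ip", "any", "any", fragments=True),
]

# second example: explicit fragment permits ahead of a logged catch-all deny
ACL_LOG = [
    AclEntry("permit", "tcp", "any", "any", fragments=True),
    AclEntry("permit", "udp", "any", "any", fragments=True),
    AclEntry("deny", "ip", "any", "any", log=True),
]

# Constructed sample traffic; addresses, ports and offsets are made up for the demo.
SAMPLES = [
    Packet("tcp", "10.1.1.1", "192.0.2.10", fo=0, dport=24),  # whole packet / first fragment to port 24
    Packet("tcp", "10.1.1.1", "192.0.2.10", fo=0, dport=80),  # same host, a port the ACL does not allow
    Packet("tcp", "10.1.1.1", "192.0.2.10", fo=185),          # non-first fragment from the host
    Packet("tcp", "10.2.2.2", "192.0.2.10", fo=185),          # non-first fragment from another host
    Packet("udp", "10.2.2.2", "192.0.2.10", fo=185),
    Packet("icmp", "10.2.2.2", "192.0.2.10", fo=0),
]


def decisions(acl: List[AclEntry], packets: List[Packet]) -> List[Tuple[str, Optional[int], bool]]:
    """Evaluate every packet against the ACL, in order."""
    return [evaluate(acl, p) for p in packets]


if __name__ == "__main__":
    for name, acl in (("ABC", ACL_ABC), ("ABC with log", ACL_LOG)):
        print(f"--- {name}")
        for p, (act, idx, logged) in zip(SAMPLES, decisions(acl, SAMPLES)):
            hit = "implicit deny" if idx is None else f"line {idx + 1}"
            tag = ", logged" if logged else ""
            print(f"{p.proto:4} {p.src:9} fo={p.fo:<3} dport={str(p.dport):5} -> {act:6} ({hit}{tag})")
```

Running the block prints a decision table for both lists. The rows worth studying are the non-first fragment from 10.1.1.1, which ACL ABC admits on line 2 without any port being known, and the FO = 0 packet to port 80 from the same host, which both fragments lines pass over and the implicit deny catches. Against the logging variant every FO = 0 packet reaches the logged deny, while TCP and UDP non-first fragments are absorbed by the explicit permits and never appear in the log.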