Brocade ICX 6650 Security Configuration Guide
53-1002601-01
Brocade# show log
Syslog logging: enabled (0 messages dropped, 2 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 9 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Dynamic Log Buffer (50 lines):
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.6(0)(Ethernet 4 0000.0004.01
10.20.18.6(0), 1 event(s)
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.2(0)(Ethernet 4 0000.0004.01
10.20.18.2(0), 1 event(s)
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.4(0)(Ethernet 4 0000.0004.01
10.20.18.4(0), 1 event(s)
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.3(0)(Ethernet 4 0000.0004.01
10.20.18.3(0), 1 event(s)
0d00h12m18s:W:ACL: ACL: List 122 denied tcp 10.20.15.5(0)(Ethernet 4 0000.0004.01
10.20.18.5(0), 1 event(s)
0d00h12m18s:I:ACL: 122 applied to port 4 by  from console session
0d00h10m12s:I:ACL: 122 removed from port 4 by  from console session
0d00h09m56s:I:ACL: 122 removed from port 4 by  from console session
0d00h09m38s:I:ACL: 122 removed from port 4 by  from console session
Syntax: show log

Enabling strict control of ACL filtering of fragmented packets
The default processing of fragments by hardware-based ACLs is as follows:
The first fragment of a packet is permitted or denied using the ACLs. The first fragment is handled the same way as a non-fragmented packet, because it contains the Layer 4 source and destination application port numbers. The device uses the Layer 4 CAM entry if one is programmed, or applies the interface's ACL entries to the packet and permits or denies it according to the first matching ACL.
The remaining fragments of the same packet are subject to a rule only if there is no Layer 4 information in that rule or in any preceding rule.
The remaining fragments are forwarded even if the first fragment, which contains the Layer 4 information, was denied. Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be completed without the entire packet.
For tighter control, you can configure the port to drop all packet fragments. To do so, enter commands such as the following.
Brocade(config)# interface ethernet 1/1/1
Brocade(config-if-e10000-1/1/1)# ip access-group frag deny
This option begins dropping all fragments received by the port as soon as you enter the command. It is especially useful if the port is receiving an unusually high rate of fragments, which can indicate an attack.
Syntax: [no] ip access-group frag deny
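The fragment-handling rules described in this section, as an added Python model written for this page (not Brocade code): it assumes an implicit deny at the end of the ACL for first fragments, and, following the statement that fragments are forwarded even when the first fragment was denied, that a non-initial fragment which reaches no applicable rule is forwarded. The Rule, Packet and evaluate names and the sample ACL are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol, else "tcp"/"udp"
    src: str                       # CIDR prefix, e.g. "10.20.15.0/24"
    dst: str
    dport: "int | None" = None     # Layer 4 information present when not None

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    frag_offset: int = 0           # 0: unfragmented packet or first fragment
    more_fragments: bool = False
    dport: "int | None" = None     # only the first fragment carries the L4 header

def _l3_match(r, p):
    return ((r.proto == "ip" or r.proto == p.proto)
            and ip_address(p.src) in ip_network(r.src)
            and ip_address(p.dst) in ip_network(r.dst))

def evaluate(rules, p, frag_deny=False):
    """Return 'permit' or 'deny' for one packet arriving on the port."""
    is_fragment = p.frag_offset > 0 or p.more_fragments
    if frag_deny and is_fragment:
        return "deny"   # 'ip access-group frag deny': every fragment is dropped
    if p.frag_offset == 0:
        # Unfragmented packet or first fragment: Layer 4 ports are present,
        # so the full rule list is searched and the first match decides.
        for r in rules:
            if _l3_match(r, p) and (r.dport is None or r.dport == p.dport):
                return r.action
        return "deny"   # assumption: implicit deny when no rule matches
    # Non-initial fragment: a rule applies only if neither it nor any preceding
    # rule carries Layer 4 information, so stop at the first rule with a port.
    for r in rules:
        if r.dport is not None:
            break
        if _l3_match(r, p):
            return r.action
    return "permit"     # assumption: forwarded, as the text states for fragments

# Constructed sample ACL: a rule with Layer 4 info (telnet, dport 23) first, then permit any.
ACL = [Rule("deny", "tcp", "10.20.15.0/24", "10.20.18.0/24", 23),
       Rule("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]
```

With this ACL the non-initial fragments of a denied telnet session are still forwarded, because the only rule that could deny them carries Layer 4 information; a Layer 3-only deny placed ahead of it, or `ip access-group frag deny` on the port, is what actually stops them.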