Dell Force10 S55T S55 Configuration Guide FTOS 8.3.5.3 - Page 104
IP Fragment Handling, Using the Order Keyword in ACLs
www.dell.com | support.dell.com

ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore, (without the keyword order) packets within the range 20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4.

In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules, as shown in Figure 7-2. The order can range from 0 to 254. FTOS writes to the CAM ACL rules with lower order numbers (order numbers closer to 0) before rules with higher order numbers so that packets are matched as you intended. By default, all ACL rules have an order of 254.

Figure 7-2. Using the Order Keyword in ACLs

Force10(conf)#ip access-list standard acl1
Force10(config-std-nacl)#permit 20.0.0.0/8
Force10(config-std-nacl)#exit
Force10(conf)#ip access-list standard acl2
Force10(config-std-nacl)#permit 20.1.1.0/24 order 0
Force10(config-std-nacl)#exit
Force10(conf)#class-map match-all cmap1
Force10(conf-class-map)#match ip access-group acl1
Force10(conf-class-map)#exit
Force10(conf)#class-map match-all cmap2
Force10(conf-class-map)#match ip access-group acl2
Force10(conf-class-map)#exit
Force10(conf)#policy-map-input pmap
Force10(conf-policy-map-in)#service-queue 7 class-map cmap1
Force10(conf-policy-map-in)#service-queue 4 class-map cmap2
Force10(conf-policy-map-in)#exit
Force10(conf)#interface gig 1/0
Force10(conf-if-gi-1/0)#service-policy input pmap

IP Fragment Handling

FTOS supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent packets. It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable to all Layer protocols (permit/deny ip/tcp/udp/icmp).

• Both standard and extended ACLs support IP fragments.
• Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments. If the packet is to be denied eventually, the first fragment would be denied and hence the packet as a whole cannot be reassembled.
• Implementing the required rules will use a significant number of CAM entries per TCP/UDP entry.
• For IP ACL, FTOS always applies implicit deny. You do not have to configure it.
• For IP ACL, FTOS applies implicit permit for second and subsequent fragment just prior to the implicit deny.
• If an explicit deny is configured, the second and subsequent fragments will not hit the implicit permit rule for fragments.

104 | Access Control Lists (ACL), Prefix Lists, and Route-maps
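The two behaviours on this page (CAM ordering of overlapping class-map ACLs via the order keyword, and the implicit permit for non-initial fragments that sits just ahead of the implicit deny) can be checked against a small model. The following Python is an added illustration, not FTOS code or Dell documentation: it reduces an ACL rule to a source prefix, an optional Layer 4 destination port, the order value and the fragments flag, puts every class-map ACL into one CAM lookup sorted by order (ties keep configuration order, which is an assumption of the model), and evaluates an IP ACL as explicit rules, then implicit permit for second and subsequent fragments, then implicit deny. The Figure 7-2 prefixes are taken from the page; the 10.0.0.0/8 rules, the port 23 rule and all packet addresses are constructed for the example.

```python
"""Model of FTOS ACL CAM ordering and IP-fragment handling (added example,
not vendor code). Rule and packet formats are simplified for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_ORDER = 254  # the page: every ACL rule defaults to order 254


@dataclass(frozen=True)
class Rule:
    acl: str                      # ACL this rule belongs to
    action: str                   # "permit" or "deny"
    prefix: str                   # source prefix, e.g. "20.0.0.0/8"
    order: int = DEFAULT_ORDER    # lower values are written to the CAM first
    dport: Optional[int] = None   # set => Layer 4 (tcp/udp) rule
    fragments: bool = False       # "fragments" keyword: non-initial fragments only


@dataclass(frozen=True)
class Packet:
    src: str
    dport: Optional[int] = None   # None when no Layer 4 header is visible
    frag_offset: int = 0          # > 0 means second or subsequent fragment


def cam_order(rules: List[Rule]) -> List[Rule]:
    """Lower order numbers first; sorted() is stable, so ties keep config order."""
    return sorted(rules, key=lambda r: r.order)


def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.prefix):
        return False
    if rule.fragments and pkt.frag_offset == 0:
        return False  # a "fragments" rule only sees non-initial fragments
    if rule.dport is not None:
        # Layer 4 fields exist only in the first fragment, so a Layer 4 rule
        # cannot be applied to second and subsequent fragments.
        if pkt.frag_offset > 0 or pkt.dport != rule.dport:
            return False
    return True


def first_hit(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    for r in cam_order(rules):
        if matches(r, pkt):
            return r
    return None


def classify_queue(rules: List[Rule], acl_to_queue: dict, pkt: Packet) -> Optional[int]:
    """Queue chosen by the first CAM hit (ACL -> class-map -> service-queue)."""
    hit = first_hit(rules, pkt)
    return acl_to_queue[hit.acl] if hit else None


def evaluate_ip_acl(rules: List[Rule], pkt: Packet) -> str:
    """Explicit rules, then implicit permit for non-initial fragments, then implicit deny."""
    hit = first_hit(rules, pkt)
    if hit:
        return hit.action
    if pkt.frag_offset > 0:
        return "permit"  # implicit permit for second and subsequent fragments
    return "deny"        # implicit deny, never configured explicitly


# Figure 7-2 prefixes; cmap1/acl1 -> queue 7, cmap2/acl2 -> queue 4.
QUEUES = {"acl1": 7, "acl2": 4}
FIG_NO_ORDER = [Rule("acl1", "permit", "20.0.0.0/8"),
                Rule("acl2", "permit", "20.1.1.0/24")]              # both order 254
FIG_WITH_ORDER = [Rule("acl1", "permit", "20.0.0.0/8"),
                  Rule("acl2", "permit", "20.1.1.0/24", order=0)]   # "order 0"

# Constructed fragment scenarios (hypothetical ACLs, not from the page).
L4_DENY = [Rule("f1", "deny", "10.0.0.0/8", dport=23)]        # deny tcp ... port 23
FRAG_DENY = [Rule("f2", "deny", "10.0.0.0/8", fragments=True)]  # deny ip ... fragments

if __name__ == "__main__":
    host = Packet("20.1.1.5")
    print("no order keyword  ->", classify_queue(FIG_NO_ORDER, QUEUES, host))    # 7
    print("with order 0      ->", classify_queue(FIG_WITH_ORDER, QUEUES, host))  # 4
    first = Packet("10.1.2.3", dport=23)
    later = Packet("10.1.2.3", frag_offset=1)
    print("L4 deny, 1st frag ->", evaluate_ip_acl(L4_DENY, first))   # deny
    print("L4 deny, 2nd frag ->", evaluate_ip_acl(L4_DENY, later))   # permit
    print("explicit frag deny->", evaluate_ip_acl(FRAG_DENY, later))  # deny
```

Running the block shows the page's point from both angles: without the order keyword the 20.1.1.0/24 host lands in queue 7 because acl1 was written to the CAM first, and with order 0 on acl2 it lands in queue 4; a Layer 4 deny stops only the first fragment while later fragments fall through to the implicit permit, whereas an explicit deny with the fragments keyword is hit before that implicit permit.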