Dell MX9116n OS10 Enterprise Edition User Guide for PowerEdge MX IO Modules Re - Page 506
L3 ACL rules

Use ACL commands for L3 packet filtering. When an ACL filters packets, it looks at the IP fragment offset (FO) to determine whether a packet is a fragment:
• FO = 0 means the packet is either the first fragment of a fragmented datagram or a non-fragmented packet; in both cases the L4 header is present
• FO > 0 means the packet is a non-first fragment of the original datagram; it carries no L4 header, so L4 criteria such as a TCP destination port cannot be evaluated against it

Permit ACL with L3 information only
If a packet's L3 information matches the L3 information in the ACL entry, the packet's FO is checked:
• If the packet's FO > 0, the packet is permitted
• If the packet's FO = 0, the next ACL entry is processed

Deny ACL with L3 information only
If a packet's L3 information matches the L3 information in the ACL entry, the packet's FO is checked:
• If the packet's FO > 0, the packet is denied
• If the packet's FO = 0, the next ACL entry is processed

Permit all packets from host
TCP packets from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all others are denied:
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24
OS10(conf-ipv4-acl)# deny ip any any fragment

Permit only first fragments and non-fragmented packets from host
TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied:
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any fragment
OS10(conf-ipv4-acl)# deny ip any any fragment

Because a non-first fragment carries no TCP header, it cannot match the port 24 entry; the second configuration therefore adds an explicit entry with the fragment keyword to permit those fragments from the host before the final entry denies all other non-first fragments.

To log all denied packets, and to override the implicit deny rule and the implicit permit rule for TCP/UDP fragments, use a similar configuration.

Assign sequence number to filter
IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. Traffic passes through the filters in filter sequence order. Configure the IP ACL by first entering IP ACCESS-LIST mode and then assigning a sequence number to the filter.
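The fragment-handling rules and the two example ACLs above, exercised in an added Python model that is not Dell OS10 code: it parses the entry syntax used on this page, applies the FO rules to constructed sample packets, and shows why the second ACL needs its explicit fragment entry. Two assumptions not stated on the page: an entry with an eq <port> criterion never matches a non-first fragment (inferred from the second example, since such a fragment carries no TCP header), and an entry with neither the fragment keyword nor a port criterion matches regardless of FO. The Entry and Packet types, the sample packets and the destination address 192.0.2.10 are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: str                        # "any" or a host address
    dst: str                        # "any" or a host address
    dst_port: Optional[int] = None  # L4 criterion from "eq <port>"; None if absent
    fragment: bool = False          # the 'fragment' keyword is present


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    fo: int                         # IP fragment offset field
    mf: bool = False                # More Fragments flag; the ACL never consults it
    dst_port: Optional[int] = None  # None when FO > 0: a non-first fragment has no L4 header


def parse_entry(line: str) -> Entry:
    """Parse the entry syntax used on this page, e.g. 'permit tcp host 10.1.1.1 any eq 24'."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    addrs = []
    for _ in range(2):              # source address, then destination address
        if tok[i] == "host":
            addrs.append(tok[i + 1])
            i += 2
        elif tok[i] == "any":
            addrs.append("any")
            i += 1
        else:
            raise ValueError(f"unsupported address form in: {line}")
    dst_port, fragment = None, False
    while i < len(tok):
        if tok[i] == "eq":
            dst_port = int(tok[i + 1])
            i += 2
        elif tok[i] == "fragment":
            fragment = True
            i += 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in: {line}")
    return Entry(action, proto, addrs[0], addrs[1], dst_port, fragment)


def l3_matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and (e.src == "any" or e.src == p.src)
            and (e.dst == "any" or e.dst == p.dst))


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding entry), or ("deny", None) for the implicit deny."""
    for idx, e in enumerate(acl):
        if not l3_matches(e, p):
            continue
        if e.fragment:
            # L3-only entry with 'fragment' (rules on this page): FO > 0 decides, FO = 0 falls through
            if p.fo > 0:
                return e.action, idx
            continue
        if e.dst_port is not None:
            # Assumption inferred from the second example: a port criterion cannot be
            # checked on a non-first fragment, so the packet falls through to the next entry
            if p.fo > 0 or p.dst_port != e.dst_port:
                continue
            return e.action, idx
        return e.action, idx        # plain L3 entry: matches regardless of FO (assumption)
    return "deny", None             # implicit deny at the end of every ACL


# The two example ACLs from the page, in their original entry order
ACL_PORT_24_ONLY = [parse_entry(l) for l in (
    "permit tcp host 10.1.1.1 any eq 24",
    "deny ip any any fragment",
)]
ACL_PORT_24_AND_FRAGMENTS = [parse_entry(l) for l in (
    "permit tcp host 10.1.1.1 any eq 24",
    "permit tcp host 10.1.1.1 any fragment",
    "deny ip any any fragment",
)]

# Constructed sample packets, not captured traffic (192.0.2.10 is a documentation address)
PACKETS = {
    "tcp24_unfragmented":    Packet("tcp", "10.1.1.1", "192.0.2.10", fo=0, dst_port=24),
    "tcp24_first_fragment":  Packet("tcp", "10.1.1.1", "192.0.2.10", fo=0, mf=True, dst_port=24),
    "tcp_nonfirst_fragment": Packet("tcp", "10.1.1.1", "192.0.2.10", fo=185),
    "tcp80_unfragmented":    Packet("tcp", "10.1.1.1", "192.0.2.10", fo=0, dst_port=80),
    "other_host_nonfirst":   Packet("tcp", "10.1.1.2", "192.0.2.10", fo=185),
}


def classify(acl: List[Entry]) -> dict:
    """Map each sample packet name to the action the ACL takes on it."""
    return {name: evaluate(acl, p)[0] for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("port 24 only", ACL_PORT_24_ONLY),
                       ("port 24 + fragments", ACL_PORT_24_AND_FRAGMENTS)):
        print(label)
        for name, action in classify(acl).items():
            print(f"  {name:<24} {action}")
```

Running the script shows that the first and unfragmented port 24 packets are permitted by both ACLs, that the non-first fragment from 10.1.1.1 is dropped by the first ACL's fragment deny and permitted only once the second ACL adds its fragment entry, and that a non-first fragment from any other host is denied by both. The mf field is carried on the packets only to make the point that the ACL decides on FO alone, so a first fragment and an unfragmented packet are treated identically.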