Dell PowerSwitch S4112F-ON OS10 Enterprise Edition User Guide Release 10.4.1.0 - Page 594
To configure control-plane ACLs, use the existing ACL template and create the appropriate rules to permit or deny traffic as needed, in the same way as an access list for VTY ACLs. However, you must apply the control-plane ACL in CONTROL-PLANE mode instead of VTY mode. For example:

OS10# configure terminal
OS10(config)# control-plane
OS10(config-control-plane)# ip access-group acl_name in

where acl_name is the name of the control-plane ACL, a maximum of 140 characters.

NOTE: Apply control-plane ACLs to ingress traffic only.

Control-plane ACL qualifiers

This section lists the control-plane ACL rule qualifiers.

• IPv4 qualifiers:
  - DST_IP - Destination IP address
  - SRC_IP - Source IP address
  - IP_TYPE - IP type
  - IP_PROTOCOL - Protocol, such as TCP or UDP
  - L4_DST_PORT - Destination port number
  NOTE: The destination port number qualifier supports only the eq option. Port ranges are not supported.
• IPv6 qualifiers:
  - DST_IPv6 - Destination address
  - SRC_IPv6 - Source address
  - IP_TYPE - IP type; for example, IPv4 or IPv6
  - IP_PROTOCOL - Protocol, such as TCP or UDP
  - L4_DST_PORT - Destination port
  NOTE: The destination port number qualifier supports only the eq option. Port ranges are not supported.
• MAC qualifiers:
  - OUT_PORT - Egress CPU port
  - SRC_MAC - Source MAC address
  - DST_MAC - Destination MAC address
  - ETHER_TYPE - Ethertype
  - OUTER_VLAN_ID - VLAN ID
  - IP_TYPE - IP type
  - OUTER_VLAN_PRI - DOT1P value

IP fragment handling

OS10 supports a configurable option to explicitly deny IP fragmented packets, in particular the second and subsequent fragments. This option extends the existing ACL command syntax with the fragments keyword for all Layer 3 (L3) rules:

• Second and subsequent fragments are allowed by default because an L3 rule cannot be applied to them: a non-initial fragment carries no Layer 4 header, so a rule that qualifies on a port cannot match it. If the packet is to be denied, deny the first fragment; without the first fragment the packet as a whole cannot be reassembled.
• The system applies an implicit permit for the second and subsequent fragments before the implicit deny.
• If you configure an explicit deny with the fragments keyword, the second and subsequent fragments match that rule and do not reach the implicit permit rule for fragments.
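The following Python model is added here as an illustration of the evaluation order the page describes for the control-plane ACL qualifiers (eq-only destination port, 140-character name limit) and for IP fragment handling; it is not Dell code and does not reproduce the OS10 CLI or its actual implementation. The Rule and Packet classes, the sample subnet 10.0.0.0/24, the sample hosts and the ACL names are all constructed for the example, and the model assumes that a rule carrying the fragments keyword applies only to second and subsequent fragments while ordinary rules apply only to the first fragment or to unfragmented packets.

```python
"""Model of OS10 control-plane ACL evaluation as described on this page.

Added illustration, not Dell code: rules and packets are plain Python
objects, and the evaluation order follows the page's statements about
qualifiers and about second and subsequent IP fragments.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

MAX_ACL_NAME_LEN = 140          # limit stated on the page for control-plane ACL names


def name_is_valid(name: str) -> bool:
    """A control-plane ACL name must be non-empty and at most 140 characters."""
    return 0 < len(name) <= MAX_ACL_NAME_LEN


@dataclass(frozen=True)
class Rule:
    """One ACL entry; field names mirror the page's IPv4 qualifier list."""
    action: str                       # "permit" or "deny"
    protocol: str                     # IP_PROTOCOL: "ip" (any), "tcp", "udp", ...
    src: str                          # SRC_IP: CIDR or "any"
    dst: str                          # DST_IP: CIDR or "any"
    dst_port: Optional[int] = None    # L4_DST_PORT: only 'eq', so one port, never a range
    fragments: bool = False           # the 'fragments' keyword described on the page


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    frag_offset: int = 0              # 0 = unfragmented or first fragment
    dst_port: Optional[int] = None    # None on non-initial fragments: no L4 header there

    @property
    def non_initial_fragment(self) -> bool:
        return self.frag_offset > 0


class ControlPlaneAcl:
    def __init__(self, name: str, rules: List[Rule]):
        if not name_is_valid(name):
            raise ValueError(f"ACL name must be 1..{MAX_ACL_NAME_LEN} characters")
        self.name = name
        self.rules = list(rules)

    @staticmethod
    def _l3_match(rule: Rule, pkt: Packet) -> bool:
        def in_net(addr: str, spec: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
        proto_ok = rule.protocol == "ip" or rule.protocol == pkt.protocol
        return proto_ok and in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)

    def evaluate(self, pkt: Packet) -> str:
        """Return "permit" or "deny" for one packet; first match wins."""
        if pkt.non_initial_fragment:
            # Page: ordinary L3 rules are not applied to second and subsequent
            # fragments; only rules written with the 'fragments' keyword are.
            # If none matches, the implicit permit for fragments fires before
            # the implicit deny.
            for rule in self.rules:
                if rule.fragments and self._l3_match(rule, pkt):
                    return rule.action
            return "permit"           # implicit permit for non-initial fragments
        # First fragment or unfragmented packet: normal L3/L4 evaluation.
        for rule in self.rules:
            if rule.fragments:
                continue              # assumption: 'fragments' rules match non-initial fragments only
            if not self._l3_match(rule, pkt):
                continue
            if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
                continue
            return rule.action
        return "deny"                 # implicit deny


# Constructed sample policy: only SSH from the management subnet may reach the CPU.
MGMT_NET = "10.0.0.0/24"
BASELINE = ControlPlaneAcl("cp-mgmt", [
    Rule("permit", "tcp", MGMT_NET, "any", dst_port=22),
])
HARDENED = ControlPlaneAcl("cp-mgmt-nofrag", [
    Rule("permit", "tcp", MGMT_NET, "any", dst_port=22),
    Rule("deny", "ip", "any", "any", fragments=True),   # explicit deny of later fragments
])

# Constructed packets (not captures): a host outside the management subnet and
# an admin host, each sending a fragmented TCP/22 datagram.
SAMPLE_PACKETS = {
    "outsider_first": Packet("192.0.2.7", "10.0.0.1", "tcp", frag_offset=0, dst_port=22),
    "outsider_rest": Packet("192.0.2.7", "10.0.0.1", "tcp", frag_offset=185),
    "admin_first": Packet("10.0.0.5", "10.0.0.1", "tcp", frag_offset=0, dst_port=22),
    "admin_rest": Packet("10.0.0.5", "10.0.0.1", "tcp", frag_offset=185),
}


def verdicts(acl: ControlPlaneAcl) -> dict:
    """Evaluate every sample packet against one ACL."""
    return {label: acl.evaluate(pkt) for label, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for acl in (BASELINE, HARDENED):
        print(acl.name, verdicts(acl))
```

With the baseline ACL the outsider's first fragment is dropped by the implicit deny, but its later fragments reach the CPU through the implicit permit for fragments; they are harmless for reassembly yet still consume control-plane resources. The hardened ACL closes that path, but the admin_rest verdict shows the caveat: a blanket deny with the fragments keyword also drops the later fragments of sessions you permit, so scope such a rule to untrusted sources or confirm that legitimate management traffic is never fragmented before deploying it.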