Dell PowerSwitch S4112F-ON OS10 Enterprise Edition User Guide Release 10.4.1.0 - Page 596
Permit all packets from host, Permit only first fragments and non-fragmented packets from host
View all Dell PowerSwitch S4112F-ON manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 596 highlights
Permit all packets from host OS10(config)# ip access-list ABC OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24 OS10(conf-ipv4-acl)# deny ip any any fragment Permit only first fragments and non-fragmented packets from host OS10(config)# ip access-list ABC OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24 OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any fragment OS10(conf-ipv4-acl)# deny ip any any fragment To log all packets denied and to override the implicit deny rule and the implicit permit rule for TCP/ UDP fragments, use a similar configuration. When an ACL filters packets, it looks at the FO to determine whether it is a fragment: • FO = 0 means it is either the first fragment or the packet is a non-fragment • FO > 0 means it is the fragments of the original packet Assign sequence number to filter IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. Traffic passes through the filter by filter sequence. Configure the IP ACL by first entering IP ACCESS-LIST mode and then assigning a sequence number to the filter. User-provided sequence number • Enter IP ACCESS LIST mode by creating an IP ACL in CONFIGURATION mode. ip access-list access-list-name • Configure a drop or forward filter in IPV4-ACL mode. seq sequence-number {deny | permit | remark} {ip-protocol-number | icmp | ip | protocol | tcp | udp} {source prefix | source mask | any | host} {destination mask | any | host ip-address} [count [byte]] [fragments] Auto-generated sequence number If you are creating an ACL with only one or two filters, you can let the system assign a sequence number based on the order in which you configure the filters. The system assigns sequence numbers to filters using multiples of ten values. • Configure a deny or permit filter to examine IP packets in IPV4-ACL mode. {deny | permit} {source mask | any | host ip-address} [count [byte]] [fragments] • Configure a deny or permit filter to examine TCP packets in IPV4-ACL mode. {deny | permit} tcp {source mask] | any | host ip-address}} [count [byte]] [fragments] • Configure a deny or permit filter to examine UDP packets in IPV4-ACL mode. {deny | permit} udp {source mask | any | host ip-address}} [count [byte]] [fragments] 596 Access Control Lists