Dell S5148F-ON OS10 Enterprise Edition User Guide Release 10.3.2E-R2 - Page 374
The following examples show the same two entries in both orders: the first denies second and subsequent fragments, the second permits all packets on the interface. The first ACL denies all second and subsequent fragments with destination IP 10.1.1.1 but permits the first fragment and non-fragmented packets with destination IP 10.1.1.1. The second ACL permits all packets, fragmented and non-fragmented, with destination IP 10.1.1.1: the permit entry is evaluated first, so the deny entry for fragments is never reached.

Deny second and subsequent fragments

OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments
OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32

Permit all packets on interface

OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32
OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments

L3 ACL rules

Use ACL commands for L3 packet filtering. In the first example that follows, TCP packets from host 10.1.1.1 with TCP destination port 24 are permitted and all other packets are denied; because a non-first fragment carries no TCP header, it cannot match the port-24 entry and is caught by the deny entry for fragments. In the second example, TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP destination port 24 are permitted, and all TCP non-first fragments from host 10.1.1.1 are also permitted. All other IP packets that are non-first fragments are denied.
Permit ACL with L3 information only

If a packet's L3 information matches the information in the ACL entry, the packet's fragment offset (FO) is checked:
• If the packet's FO > 0, the packet is permitted.
• If the packet's FO = 0, processing continues with the next ACL entry.

Deny ACL with L3 information only

If a packet's L3 information does not match the L3 information in the ACL entry, the packet's FO is checked:
• If the packet's FO > 0, the packet is denied.
• If the packet's FO = 0, processing continues with the next ACL entry.

Permit only first fragments and non-fragmented packets from host

OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24
OS10(conf-ipv4-acl)# deny ip any any fragment

Permit all packets from host, including non-first fragments

OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any fragment
OS10(conf-ipv4-acl)# deny ip any any fragment
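To make the effect of entry order and of the fragment keyword concrete, the following script models how the four ACLs on this page (the two orderings above and the two L3 ACL examples) classify constructed packets. It is an added example, not Dell code or OS10 behaviour taken from the switch: the Packet and Rule classes, the small parser for the OS10-style entries, and the sample addresses in 192.0.2.0/24 are assumptions made for the example. The matching rules it implements are the ones the page relies on: entries are checked in order and the first match wins, with an implicit deny at the end; an entry with the fragment keyword matches only non-initial fragments (FO > 0); and an entry that names a port can match only packets that carry an L4 header (FO = 0).

```python
"""Model of IPv4 ACL fragment matching (added example, not Dell code).
Entries are checked in order, first match wins, implicit deny at the end.
An entry with the fragment/fragments keyword matches only non-initial
fragments (fragment offset, FO, > 0). An entry with L4 information (eq
<port>) can match only packets that carry an L4 header (FO = 0). The
Packet/Rule classes and the OS10-style parser are assumptions for this
example; the ACL text is the page's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    frag_offset: int             # 0 = first fragment or unfragmented packet
    dport: Optional[int] = None  # L4 destination port; absent when FO > 0


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None
    fragment: bool = False


def parse_rule(line: str) -> Rule:
    """Parse an entry such as 'permit tcp host 10.1.1.1 any eq 24' or
    'deny ip any 10.1.1.1/32 fragments' (only keywords used on this page)."""
    tok = line.split()
    action, proto, pos = tok[0], tok[1], 2

    def address() -> str:        # 'any' | 'host A.B.C.D' | 'A.B.C.D/len'
        nonlocal pos
        word = tok[pos]
        pos += 2 if word == "host" else 1
        if word == "any":
            return "0.0.0.0/0"
        return tok[pos - 1] + ("/32" if word == "host" else "")

    src, dst = address(), address()
    dport, fragment = None, False
    while pos < len(tok):
        if tok[pos] == "eq":
            dport, pos = int(tok[pos + 1]), pos + 2
        elif tok[pos] in ("fragment", "fragments"):
            fragment, pos = True, pos + 1
        else:
            raise ValueError("unsupported keyword: " + tok[pos])
    return Rule(action, proto, src, dst, dport, fragment)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.fragment:
        return pkt.frag_offset > 0   # only second and subsequent fragments
    if rule.dport is not None:
        # a port match needs the TCP/UDP header, present only when FO = 0
        return pkt.frag_offset == 0 and pkt.dport == rule.dport
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt under acl; first match wins."""
    for line in acl:
        if rule_matches(parse_rule(line), pkt):
            return parse_rule(line).action
    return "deny"  # implicit deny at the end of every ACL


# The page's four ACLs, entries in the order they are entered.
DENY_NONFIRST_FRAGS = ["deny ip any 10.1.1.1/32 fragments",
                       "permit ip any 10.1.1.1/32"]
PERMIT_ALL_TO_HOST = ["permit ip any 10.1.1.1/32",
                      "deny ip any 10.1.1.1/32 fragments"]
HOST_PORT24 = ["permit tcp host 10.1.1.1 any eq 24",
               "deny ip any any fragment"]
HOST_PORT24_FRAGS = ["permit tcp host 10.1.1.1 any eq 24",
                     "permit tcp host 10.1.1.1 any fragment",
                     "deny ip any any fragment"]

# Constructed packets; 192.0.2.0/24 is documentation address space.
TO_HOST_FIRST = Packet("192.0.2.7", "10.1.1.1", "tcp", 0, 443)
TO_HOST_NONFIRST = Packet("192.0.2.7", "10.1.1.1", "tcp", 185)
FROM_HOST_24 = Packet("10.1.1.1", "192.0.2.7", "tcp", 0, 24)
FROM_HOST_25 = Packet("10.1.1.1", "192.0.2.7", "tcp", 0, 25)
FROM_HOST_NONFIRST = Packet("10.1.1.1", "192.0.2.7", "tcp", 185)
FROM_HOST_UDP_NONFIRST = Packet("10.1.1.1", "192.0.2.7", "udp", 185)
FROM_OTHER_NONFIRST = Packet("192.0.2.9", "192.0.2.7", "tcp", 185)

if __name__ == "__main__":
    for p in (FROM_HOST_24, FROM_HOST_25, FROM_HOST_NONFIRST, FROM_OTHER_NONFIRST):
        print(p, evaluate(HOST_PORT24, p), evaluate(HOST_PORT24_FRAGS, p))
```

Running it shows the two points the page makes: swapping the order of the permit and the deny-fragments entries flips the result for a non-first fragment to 10.1.1.1, and a port-based permit never sees a non-first fragment from 10.1.1.1, so the decision for those fragments is made entirely by whichever fragment entry follows it.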