IP Fragment Handling - Dell Force10 Z9000 Configuration Manual

FTOS Configuration Guide for Z9000 System

ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore (without the keyword order), packets within the range 20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4.

In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules, as shown in Figure 6-2. The order can range from 0 to 254. FTOS writes ACL rules with lower order numbers (order numbers closer to 0) to the CAM before rules with higher order numbers, so that packets are matched as you intended. By default, all ACL rules have an order of 254.

Figure 6-2. Using the Order Keyword in ACLs
FTOS(conf)#ip access-list standard acl1
FTOS(config-std-nacl)#permit 20.0.0.0/8
FTOS(config-std-nacl)#exit
FTOS(conf)#ip access-list standard acl2
FTOS(config-std-nacl)#permit 20.1.1.0/24 order 0
FTOS(config-std-nacl)#exit
FTOS(conf)#class-map match-all cmap1
FTOS(conf-class-map)#match ip access-group acl1
FTOS(conf-class-map)#exit
FTOS(conf)#class-map match-all cmap2
FTOS(conf-class-map)#match ip access-group acl2
FTOS(conf-class-map)#exit
FTOS(conf)#policy-map-input pmap
FTOS(conf-policy-map-in)#service-queue 7 class-map cmap1
FTOS(conf-policy-map-in)#service-queue 4 class-map cmap2
FTOS(conf-policy-map-in)#exit
FTOS(conf)#interface gig 1/0
FTOS(conf-if-gi-1/0)#service-policy input pmap

IP Fragment Handling

FTOS supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent packets. It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable to all Layer protocols (permit/deny ip/tcp/udp/icmp).

Both standard and extended ACLs support IP fragments.
Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments. If the packet is to be denied eventually, the first fragment would be denied and hence the packet as a whole cannot be reassembled.
Implementing the required rules uses a significant number of CAM entries per TCP/UDP entry.
For IP ACLs, FTOS always applies an implicit deny. You do not have to configure it.
For IP ACLs, FTOS applies an implicit permit for second and subsequent fragments just prior to the implicit deny.
If an explicit deny is configured, the second and subsequent fragments will not hit the implicit permit rule for fragments.
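The following Python model is an added illustration, not code from the Dell manual or from FTOS. It emulates the two behaviours this chapter describes: CAM programming by the order keyword (the acl1/acl2 overlap of Figure 6-2) and the fragment rules of this section (Layer 4 rules cannot match second and subsequent fragments; an implicit permit for such fragments sits just before the implicit deny; an explicit deny with the fragments keyword catches them first). The names Rule, Packet, CamEntry, program_cam, matches and lookup are mine. Two details are assumptions rather than statements from the guide: rules with equal order are kept in configuration order, and a rule carrying the fragments keyword matches only second and subsequent fragments.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

DEFAULT_ORDER = 254  # the guide: every ACL rule has order 254 unless the order keyword is used


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # source prefix, CIDR notation
    dst: str = "0.0.0.0/0"       # destination prefix, CIDR notation
    dport: Optional[int] = None  # Layer 4 match; cannot apply to second and subsequent fragments
    fragments: bool = False      # fragments keyword (assumed: matches only non-initial fragments)
    order: int = DEFAULT_ORDER


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None
    frag_offset: int = 0         # > 0 marks a second or subsequent fragment (no Layer 4 header)


@dataclass
class CamEntry:
    rule: Rule
    acl: str
    queue: Optional[int]         # queue of the class-map referencing the ACL (None for plain ACLs)
    seq: int                     # configuration position, used only to break order ties (assumption)


def program_cam(acls: Dict[str, List[Rule]], queue_of: Dict[str, int]) -> List[CamEntry]:
    """Emulate how FTOS writes ACL rules to the CAM: lower order numbers first."""
    entries: List[CamEntry] = []
    seq = 0
    for name, rules in acls.items():
        for rule in rules:
            entries.append(CamEntry(rule, name, queue_of.get(name), seq))
            seq += 1
    return sorted(entries, key=lambda e: (e.rule.order, e.seq))


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does a single CAM rule match this packet or fragment?"""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    non_initial = pkt.frag_offset > 0
    if rule.fragments:
        return non_initial
    if rule.dport is not None:
        # A Layer 4 rule has no port to inspect in a non-initial fragment, so it never matches one
        return (not non_initial) and pkt.dport == rule.dport
    return True


def lookup(cam: List[CamEntry], pkt: Packet) -> Tuple[str, str, Optional[int]]:
    """First-match CAM lookup followed by the two implicit rules the guide describes.

    Returns (action, name of the ACL or implicit rule that fired, queue or None)."""
    for entry in cam:
        if matches(entry.rule, pkt):
            return entry.rule.action, entry.acl, entry.queue
    if pkt.frag_offset > 0:
        # implicit permit for second and subsequent fragments, placed just before the implicit deny
        return "permit", "implicit-permit-fragments", None
    return "deny", "implicit-deny", None


# Constructed sample configuration: the acl1/acl2 overlap from Figure 6-2, with and without order 0
ACL1 = [Rule("permit", "ip", "20.0.0.0/8")]
ACL2_DEFAULT = [Rule("permit", "ip", "20.1.1.0/24")]
ACL2_ORDERED = [Rule("permit", "ip", "20.1.1.0/24", order=0)]
QUEUES = {"acl1": 7, "acl2": 4}

# Constructed sample ACL for the fragment rules: a Layer 4 deny alone, then with an explicit fragments deny
FRAG_L4_ONLY = {"f": [Rule("deny", "tcp", "10.0.0.0/8", dport=23)]}
FRAG_EXPLICIT = {"f": [Rule("deny", "tcp", "10.0.0.0/8", dport=23),
                       Rule("deny", "ip", "10.0.0.0/8", fragments=True)]}

if __name__ == "__main__":
    pkt = Packet("20.1.1.5", "192.0.2.1")
    print("default order:", lookup(program_cam({"acl1": ACL1, "acl2": ACL2_DEFAULT}, QUEUES), pkt))
    print("acl2 order 0: ", lookup(program_cam({"acl1": ACL1, "acl2": ACL2_ORDERED}, QUEUES), pkt))
    frag = Packet("10.0.0.5", "192.0.2.1", "tcp", frag_offset=8)
    print("L4 deny only, non-initial fragment:", lookup(program_cam(FRAG_L4_ONLY, {}), frag))
    print("explicit fragments deny:           ", lookup(program_cam(FRAG_EXPLICIT, {}), frag))
```

The fragment half is the part worth checking on a real device: with only the Layer 4 deny, a second or subsequent fragment from 10.0.0.0/8 reaches the implicit permit, exactly as the section states, and only the explicit fragments deny (or a plain Layer 3 deny on that prefix) changes that outcome.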