Configure A Standard Ip Acl - Dell Force10 Z9000 Configuration Manual

Ftos configuration guide for z9000 system

Hide thumbs Also See for Force10 Z9000:

Reference manual (1483 pages)

Configuration manual (848 pages)

Manual (56 pages)

Table of Contents

To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/

UDP fragments, use a configuration similar to the following.

FTOS(conf)#ip access-list extended ABC

FTOS(conf-ext-nacl)#permit tcp any any fragment

FTOS(conf-ext-nacl)#permit udp any any fragment

FTOS(conf-ext-nacl)#deny ip any any log

FTOS(conf-ext-nacl)

Note the following when configuring ACLs with the fragments keyword.

When an ACL filters packets it looks at the Fragment Offset (FO) to determine whether or not it is a fragment.

FO = 0 means it is either the first fragment or the packet is a non-fragment.

FO > 0 means it is dealing with the fragments of the original packet.

Permit ACL line with L3 information only, and the fragments keyword is present:

If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset (FO) is

If a packet's FO > 0, the packet is permitted.

If a packet's FO = 0 , the next ACL entry is processed.

Deny ACL line with L3 information only, and the fragments keyword is present:

If a packet's L3 information does match the L3 information in the ACL line, the packet's fragment offset (FO) is

If a packet's FO > 0, the packet is denied.

If a packet's FO = 0, the next ACL line is processed.