Ip Fragmentation Protection; Ip Option Attack Protection; Ip Receive Access List - Dell PowerConnect B-RX Configuration Manual

Bigiron rx series configuration guide v02.7.02

IP fragmentation protection

Beginning with this release, IP packet filters on the device drop undersized fragments and
overlapping packet fragments to prevent tiny fragment attacks, as explained in RFC 1858.
When packets are fragmented on the network, the first fragment of a packet must be large enough
to contain all the necessary header information. Fragments, once reassembled, must meet certain
criteria before they are allowed to pass through the network. There are no CLI commands for this
new security feature.

IP option attack protection

An attack on the network could be accomplished using the options field of an IP packet header. For
example, the source routing option makes it possible for the sender to specify a route to follow.
To protect against attacks contained in the option field, the device drops any IP packet that
contains an option in its header, except for IGMP packets, which are processed even if they
contain IP options. If you want other packets that contain options in their headers to be processed,
enter a command such as the following.
BigIron RX(config)#ip ip-option-process
Syntax: [no] ip ip-option-process
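
The fragment and option checks described in the two sections above can be modeled as a small packet filter. This is an added example, not code from the manual or from the device; the function names, the 16-byte TMIN threshold, and the sample packets are assumptions constructed for illustration.

```python
import struct

TCP, IGMP = 6, 2          # IANA protocol numbers
TMIN = 16                 # assumed threshold: TCP bytes a first fragment must carry
ROUTER_ALERT = bytes([0x94, 0x04, 0x00, 0x00])  # constructed sample option

def build_ipv4(proto, payload, frag_offset=0, more_frags=False, options=b""):
    """Build a constructed IPv4 packet for testing (checksum left at 0)."""
    ihl_words = 5 + len(options) // 4
    flags_off = (0x2000 if more_frags else 0) | frag_offset
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                      ihl_words * 4 + len(payload), 1, flags_off, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + options + payload

def filter_packet(pkt, ip_option_process=False):
    """Return (verdict, reason) for one IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop", "malformed"
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", pkt[2:4])
    flags_off, = struct.unpack("!H", pkt[6:8])
    proto = pkt[9]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return "drop", "malformed"
    frag_offset = flags_off & 0x1FFF      # counted in 8-byte units
    transport_len = total_len - ihl
    # A header longer than 20 bytes carries options; IGMP is exempt.
    if ihl > 20 and proto != IGMP and not ip_option_process:
        return "drop", "ip-option"
    if proto == TCP:
        # Direct check: the first fragment must be large enough for the flags.
        if frag_offset == 0 and transport_len < TMIN:
            return "drop", "tiny-fragment"
        # Indirect check: offset 1 would overlay TCP header bytes 8 onward.
        if frag_offset == 1:
            return "drop", "overlapping-fragment"
    return "forward", "ok"

if __name__ == "__main__":
    samples = {
        "tiny first fragment": build_ipv4(TCP, b"\x00" * 8, more_frags=True),
        "offset-1 fragment": build_ipv4(TCP, b"\x00" * 8, frag_offset=1),
        "TCP with option": build_ipv4(TCP, b"\x00" * 20, options=ROUTER_ALERT),
        "IGMP with option": build_ipv4(IGMP, b"\x00" * 8, options=ROUTER_ALERT),
    }
    for name, pkt in samples.items():
        print(f"{name:22} {filter_packet(pkt)}")
```

The ip_option_process argument stands in for the effect of the ip ip-option-process command: when it is set, packets with options are no longer dropped by the option check but still pass through the fragment checks.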

IP receive access list

The IP receive access list feature uses IPv4 ACLs to filter the packets intended for the management
process to protect the management module from being overloaded with heavy traffic that was sent
to one of the Layer 3 Switch IP interfaces. The feature applies to IPv4 unicast and multicast
packets.
Configuring IP receive access list
IP receive access list is a global configuration command. Once it is applied, the command will be
effective on all the management modules on the device. To configure the feature, do the following.
1. Create a numbered ACL that will be used as the IP receive ACL. This ACL can be a standard (1–99) or extended (100–199) ACL. Named ACLs are not supported.
Example
BigIron RX(config)# access-list 10 deny host 209.157.22.26 log
BigIron RX(config)# access-list 10 deny 209.157.29.12 log
BigIron RX(config)# access-list 10 deny host IPHost1 log
BigIron RX(config)# access-list 10 permit any
BigIron RX(config)# write memory
2. Configure ACL 10 as the IP receive access list by entering the following command.
BigIron RX(config)# ip receive access-list 10
Syntax: [no] ip receive access-list <num>
Specify an access list number for <num>.
The IP receive ACL is applied globally to all interfaces on the device.
BigIron RX Series Configuration Guide
53-1001810-01
