Enabling hardware filtering for packets denied by flow-based ACLs (page 75) - Brocade Communications Systems ServerIron ADX 12.4.00a Security Manual

Version 12.4.00a
frag-rate-on-system – Sets the threshold for the entire device. The device can send to the CPU only the number of fragments you specify per second, regardless of which interfaces the fragments come in on. If the threshold is exceeded, the device takes the exceed action you specify.
frag-rate-on-interface – Sets the threshold for individual interfaces. If an individual interface receives more than the specified maximum number of fragments, the device takes the exceed action you specify.
The <num> parameter specifies the maximum number of fragments the device (frag-rate-on-system) or an individual interface (frag-rate-on-interface) can receive and send to the CPU in a one-second interval.
For frag-rate-on-system, you can specify from 600 – 12800. The default is 6400.
For frag-rate-on-interface, you can specify from 300 – 8000. The default is 4000.
The drop | forward parameter specifies the action to take if the threshold (<num> parameter) is exceeded:
drop – fragments are dropped without filtering by the ACLs
forward – fragments are forwarded in hardware without filtering by the ACLs
The <mins> parameter specifies the number of minutes the device will enforce the drop or forward action after a threshold has been exceeded. You can specify from 1 – 30 minutes, for frag-rate-on-system or frag-rate-on-interface.

Syslog messages for exceeded fragment thresholds
If a fragment threshold is exceeded, the device generates one of the following Syslog messages.

TABLE 4    Syslog messages for exceeded fragment threshold

Message level   Message                                                                   Explanation
Notification    ACL system fragment packet inspect rate <rate> exceeded                   The <rate> indicates the maximum rate allowed.
Notification    ACL port fragment packet inspect rate <rate> exceeded on port <portnum>   The <rate> indicates the maximum rate allowed. The <portnum> indicates the port.

Enabling hardware filtering for packets denied by flow-based ACLs
By default, packets denied by ACLs are filtered by the CPU. You can enable the device to create CAM entries for packets denied by ACLs. This causes the filtering to occur in hardware instead of in the CPU.
When you enable hardware filtering of denied packets, the first time the device filters a packet denied by an ACL, the device sends the packet to the CPU for processing. The CPU also creates a CAM entry for the denied packet. Subsequent packets with the same address information are filtered using the CAM entry. The CAM entry ages out after two minutes if not used.
To enable hardware filtering of denied packets, enter the following command at the global CONFIG level of the CLI.
ServerIronADX(config)# hw-drop-acl-denied-packet

ServerIron ADX Security Guide
53-1002440-03
75
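The two Table 4 messages are what an operator would watch for in a Syslog collector to tell a device-wide fragment flood from a single noisy port. The following Python parser is an added example, not code from the Brocade manual: it matches the two message bodies exactly as Table 4 gives them, extracts <rate> and <portnum>, counts events per scope, and also checks a planned <num> value against the documented ranges. The timestamp/hostname prefix on the sample lines, the hostname adx1 and the port identifiers such as 1/3 are constructed assumptions; only the message text comes from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample Syslog lines. The message bodies follow Table 4 of the
# manual; the "Jan 10 12:00:01 adx1" prefix and the port numbers are assumed.
SAMPLE_LOG = """\
Jan 10 12:00:01 adx1 ACL system fragment packet inspect rate 6400 exceeded
Jan 10 12:00:02 adx1 ACL port fragment packet inspect rate 4000 exceeded on port 1/3
Jan 10 12:00:02 adx1 ACL port fragment packet inspect rate 4000 exceeded on port 1/3
Jan 10 12:00:03 adx1 ACL port fragment packet inspect rate 4000 exceeded on port 2/7
Jan 10 12:00:04 adx1 some unrelated message
"""

# Patterns taken verbatim from the Table 4 message text, with <rate> and
# <portnum> turned into capture groups.
SYSTEM_RE = re.compile(r"ACL system fragment packet inspect rate (\d+) exceeded")
PORT_RE = re.compile(r"ACL port fragment packet inspect rate (\d+) exceeded on port (\S+)")

# Allowed <num> ranges for each command, as documented on this page.
RANGES = {
    "frag-rate-on-system": (600, 12800),
    "frag-rate-on-interface": (300, 8000),
}


@dataclass(frozen=True)
class FragmentEvent:
    scope: str            # "system" (device-wide) or "port" (per interface)
    rate: int             # the configured maximum that was exceeded
    port: Optional[str]   # <portnum> for per-port events, None for system-wide


def parse_line(line: str) -> Optional[FragmentEvent]:
    """Return a FragmentEvent if the line carries one of the Table 4 messages."""
    m = SYSTEM_RE.search(line)
    if m:
        return FragmentEvent("system", int(m.group(1)), None)
    m = PORT_RE.search(line)
    if m:
        return FragmentEvent("port", int(m.group(1)), m.group(2))
    return None


def parse_log(text: str) -> List[FragmentEvent]:
    """Parse a whole Syslog capture, silently skipping unrelated lines."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def summarize(events: List[FragmentEvent]) -> Dict[str, int]:
    """Count threshold-exceeded messages per scope so that a repeatedly
    reported port stands out from a single device-wide message."""
    counts: Dict[str, int] = {}
    for ev in events:
        key = "system" if ev.port is None else f"port {ev.port}"
        counts[key] = counts.get(key, 0) + 1
    return counts


def threshold_in_range(command: str, num: int) -> bool:
    """True if <num> is inside the documented range for the given command."""
    lo, hi = RANGES[command]
    return lo <= num <= hi


if __name__ == "__main__":
    for key, n in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {n} threshold-exceeded message(s)")
```

Because the per-port message repeats for as long as the interface stays above its threshold, summarize() is the value to alert on: one system-wide message during the configured <mins> enforcement window is expected, while a climbing per-port count points at the interface that should be investigated.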