Enabling Strict Tcp Mode; Enabling Strict Udp Mode - Foundry Networks Switch and Router Installation And Configuration Manual

Enabling Strict TCP Mode

By default, when you use ACLs to filter TCP traffic, the Foundry device does not compare all TCP packets against the ACLs. Instead, the device compares TCP control packets against the ACLs, but not data packets. Control packets include packet types such as SYN (Synchronization) packets, FIN (Finish) packets, and RST (Reset) packets.

In normal TCP operation, TCP data packets are present only if a TCP control session for the packets also is established. For example, data packets for a session never occur if the TCP SYN for that session is dropped. Therefore, by filtering the control packets, the Foundry device also implicitly filters the data packets associated with the control packets. This mode of filtering optimizes forwarding performance for TCP traffic by forwarding data packets without examining them. Since the data packets are present in normal TCP traffic only if a corresponding TCP control session is established, comparing the packets for the control session to the ACLs is sufficient for filtering the entire session including the data.

However, it is possible to generate TCP data packets without corresponding control packets, in test or research situations for example. In this case, the default ACL mode does not filter the data packets, since there is no corresponding control session to filter. To filter this type of TCP traffic, use the strict ACL TCP mode. This mode compares all TCP packets to the configured ACLs, regardless of whether the packets are control packets or data packets.

Regardless of whether the strict mode is enabled or disabled, the device always compares TCP control packets against the configured ACLs.

To enable the strict ACL TCP mode, use the following CLI method.

NOTE: If the device's configuration currently has ACLs associated with interfaces, remove the ACLs from the interfaces before changing the ACL mode.

To enable the strict ACL TCP mode, enter the following command at the global CONFIG level of the CLI:

BigIron(config)# ip strict-acl-tcp

Syntax: [no] ip strict-acl-tcp

This command configures the device to compare all TCP packets against the configured ACLs before forwarding them.

To disable the strict ACL mode and return to the default ACL behavior, enter the following command:

BigIron(config)# no ip strict-acl-tcp

Enabling Strict UDP Mode

By default, when you use ACLs to filter UDP traffic, the Foundry device does not compare all UDP packets against the ACLs. Instead, the device does the following:

• Compares the source and destination information against entries in the session table. The session table contains forwarding entries based on Layer 3 and Layer 4 information.

• If the session table contains a matching entry, the device forwards the packet, assuming that the first packet the device received that contains the same address information was permitted by the ACLs.

• If the session table does not contain a matching entry, the device sends the packet to the CPU, where the software compares the packet against the ACLs. If the ACLs permit the packet (explicitly by a permit ACL entry or implicitly by the absence of a deny ACL entry), the CPU creates a session table entry for the packet's forwarding information and forwards the packet.

For tighter control, the software provides the strict ACL UDP mode. When you enable strict UDP processing, the device sends every UDP packet to the CPU and compares the packet against the configured ACLs.
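As an added illustration (not part of the manual and not Foundry code), the following Python model reproduces the decision logic described in this section and the preceding TCP section: in default mode a TCP segment carrying no SYN, FIN or RST is forwarded without an ACL comparison and a UDP packet that hits the session table skips the ACL, while the strict modes compare every packet. The packet tuple, the ACL entry shape with first-match evaluation, and the sample addresses are assumptions of the model, not Foundry syntax.

```python
from collections import namedtuple
from dataclasses import dataclass, field

CONTROL_FLAGS = {"SYN", "FIN", "RST"}  # TCP control packets, as the text defines them
# proto is "tcp" or "udp"; flags is a frozenset of TCP flags, empty for a pure data segment
Pkt = namedtuple("Pkt", "proto src dst dport flags", defaults=[frozenset()])

def acl_lookup(acl, p):
    """First match over (action, proto, src, dst, dport) entries; "any" is a
    wildcard. No match permits, as the text describes for UDP (assumed ACL shape)."""
    for action, *want in acl:
        if all(w in (h, "any") for w, h in zip(want, (p.proto, p.src, p.dst, p.dport))):
            return action
    return "permit"

@dataclass
class Device:
    acl: list
    strict_tcp: bool = False
    strict_udp: bool = False
    sessions: set = field(default_factory=set)  # UDP session table (L3/L4 key)
    acl_checks: int = 0                          # times the CPU evaluated the ACL

    def forward(self, p):
        """True if the packet is forwarded, False if it is dropped."""
        if p.proto == "tcp" and not self.strict_tcp and not (p.flags & CONTROL_FLAGS):
            return True                          # default mode: data segment not examined
        key = (p.proto, p.src, p.dst, p.dport)
        if p.proto == "udp" and not self.strict_udp and key in self.sessions:
            return True                          # session-table hit: no ACL comparison
        self.acl_checks += 1                     # packet goes to the CPU / ACL
        permitted = acl_lookup(self.acl, p) == "permit"
        if permitted and p.proto == "udp" and not self.strict_udp:
            self.sessions.add(key)               # first permitted packet seeds the table
        return permitted

def tcp_bypass(strict):
    """(SYN forwarded?, sessionless data segment forwarded?) against a deny ACL (constructed sample)."""
    dev = Device([("deny", "tcp", "10.0.0.5", "any", 23)], strict_tcp=strict)
    syn = Pkt("tcp", "10.0.0.5", "10.0.0.1", 23, frozenset({"SYN"}))
    data = Pkt("tcp", "10.0.0.5", "10.0.0.1", 23, frozenset({"ACK", "PSH"}))
    return dev.forward(syn), dev.forward(data)

def udp_checks(strict):
    """Decisions and ACL evaluations for two packets of one permitted UDP flow (constructed sample)."""
    dev = Device([("deny", "udp", "10.0.0.9", "any", "any")], strict_udp=strict)
    p = Pkt("udp", "10.0.0.5", "10.0.0.1", 53)
    return dev.forward(p), dev.forward(p), dev.acl_checks
```

With strict mode off, the denied source's data segment is forwarded and only the first UDP packet of the flow reaches the ACL; with strict mode on, both are compared and the segment is dropped.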
To enable the strict ACL UDP mode, use the following CLI method.
December 2000
Using Access Control Lists (ACLs)
13 - 23
