Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

or applies the interface's ACL entries to the packet and permits or denies the packet according to the
first matching ACL.

• For other fragments of the same packet, they are subject to a rule only if there is no Layer 4 information in the rule or in any preceding rules.

The fragments are forwarded even if the first fragment, which contains the Layer 4 information, was
denied. Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be
completed without the entire packet.

For tighter control, you can configure the port to drop all packet fragments. To do so, enter commands
such as the following.

device(config)#interface ethernet 1/1
device(config-if-1/1)#ip access-group frag deny

This option begins dropping all fragments received by the port as soon as you enter the command. This
option is especially useful if the port is receiving an unusually high rate of fragments, which can indicate
a hacker attack.

Syntax: [no] ip access-group frag deny
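The fragment rules above are easy to misread, so here is a small model of them in Python. This is an added example, not Brocade code: it encodes the behaviour the guide describes (the first fragment, which carries the Layer 4 header, is matched against every rule; a non-initial fragment is subject to a rule only if neither that rule nor any rule before it carries Layer 4 information, and is otherwise forwarded), plus a `frag_deny` flag that models `ip access-group frag deny`. The `Rule` and `Fragment` shapes, the sample ACLs and the sample addresses are constructed for the example.

```python
"""Model of how a port evaluates IP fragments against an inbound ACL.

Added example (not Brocade code). Encodes the fragment semantics from the
FastIron guide; rule/packet shapes and sample data are constructed here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any IP protocol; else "tcp", "udp", ...
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # Layer 4 information, if the rule has any

    @property
    def has_l4(self) -> bool:
        return self.dport is not None


@dataclass(frozen=True)
class Fragment:
    proto: str
    src: str
    dst: str
    first: bool                  # True for the fragment carrying the L4 header
    dport: Optional[int] = None  # only known on the first fragment


def _l3_match(rule: Rule, frag: Fragment) -> bool:
    """Protocol/source/destination match, ignoring Layer 4 fields."""
    return (rule.proto in ("ip", frag.proto)
            and ip_address(frag.src) in rule.src
            and ip_address(frag.dst) in rule.dst)


def evaluate(acl: List[Rule], frag: Fragment, frag_deny: bool = False) -> str:
    """Return 'permit' or 'deny' for one fragment arriving on the port."""
    if frag_deny:
        return "deny"            # port configured with `ip access-group frag deny`
    for rule in acl:
        if frag.first:
            # First fragment: full match, including Layer 4 information.
            if _l3_match(rule, frag) and (not rule.has_l4 or rule.dport == frag.dport):
                return rule.action
        else:
            if rule.has_l4:
                # Layer 4 information in this rule: neither it nor any later
                # rule applies to a non-initial fragment, which is forwarded.
                return "permit"
            if _l3_match(rule, frag):
                return rule.action
    return "deny"                # implicit deny at the end of the ACL


# Constructed sample ACLs and fragments (not from the guide).
ANY = IPv4Network("0.0.0.0/0")
ACL_L4 = [  # first rule carries Layer 4 information
    Rule("deny", "tcp", IPv4Network("10.0.0.0/8"), ANY, dport=80),
    Rule("permit", "ip", ANY, ANY),
]
ACL_L3 = [  # same intent, expressed without Layer 4 information
    Rule("deny", "ip", IPv4Network("10.0.0.0/8"), ANY),
    Rule("permit", "ip", ANY, ANY),
]
FIRST = Fragment("tcp", "10.1.1.1", "192.0.2.1", first=True, dport=80)
REST = Fragment("tcp", "10.1.1.1", "192.0.2.1", first=False)

if __name__ == "__main__":
    for name, acl in (("L4 rule", ACL_L4), ("L3-only rule", ACL_L3)):
        print(name, "first:", evaluate(acl, FIRST),
              "rest:", evaluate(acl, REST),
              "rest with frag deny:", evaluate(acl, REST, frag_deny=True))
```

Run against `ACL_L4`, the first fragment is denied but every later fragment is forwarded, because the deny rule carries a TCP port. Against `ACL_L3`, whose deny rule has no Layer 4 information, the later fragments are denied as well; `frag_deny` drops them regardless of the ACL.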

Enabling ACL support for switched traffic in the router image

NOTE
The bridged-routed CLI parameter applies to FSX devices only. For Brocade FCX Series and ICX
devices, ACL support for switched traffic in the router image is enabled by default. There is no
command to enable or disable it. For outbound traffic, ACL support is enabled on switched traffic by
default. The bridged-routed command is not applicable.

To enable ACL support for switched traffic on FSX 0-port management modules (SX-FI-ZMR-XL
module and SX-FI-ZMR-XL-PREM6 module), enter the following command.

device(config)#ip access-list extended 111
device(config-ext-nacl)#bridged-routed

Syntax: bridged-routed

Applying the ACL rule above to an interface on the FSX 0-port management module enables filtering of
switched traffic within a VLAN or virtual routing interface. To display the configuration for ACL support for
switched traffic, use the show ip access-list <ACL-num> command. The following output from the show
ip access-list 111 command displays the configuration of the bridged-routed parameter.

device(config-ext-nacl)#show ip access-list 111
Extended IP access list 111: 5 entries
 bridged-routed
 permit ip host 1.1.1.111 host 2.2.2.111
 permit ospf any any
 permit pim any any
 deny ip 20.20.20.96 0.0.0.15 any
 permit ip any any dscp-marking 40 802.1p-priority-marking 4 internal-priority-marking 4
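When auditing many switches it helps to parse the `show ip access-list` output rather than read it by eye. The following Python parser is an added example, not Brocade code: the input format is taken from the guide's sample output above (reflowed onto single lines), and the two audit checks it applies, flagging an extended ACL that lacks `bridged-routed` and pointing out a trailing `permit ip any any`, are my own choice of what to report.

```python
"""Parse `show ip access-list <n>` output and audit the bridged-routed flag.

Added example (not Brocade code). The sample text is the guide's own
output; the audit heuristics are constructed for this example.
"""
import re
from typing import Dict, List

HEADER = re.compile(r"^Extended IP access list (\d+): (\d+) entries$")

# Sample output as printed in the guide, with the wrapped last line rejoined.
SAMPLE = """\
Extended IP access list 111: 5 entries
 bridged-routed
 permit ip host 1.1.1.111 host 2.2.2.111
 permit ospf any any
 permit pim any any
 deny ip 20.20.20.96 0.0.0.15 any
 permit ip any any dscp-marking 40 802.1p-priority-marking 4 internal-priority-marking 4
"""


def parse_show_access_list(text: str) -> Dict[str, object]:
    """Return the ACL number, declared entry count, bridged-routed flag and rules."""
    acl: Dict[str, object] = {"number": None, "declared_entries": 0,
                              "bridged_routed": False, "rules": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            acl["number"] = int(m.group(1))
            acl["declared_entries"] = int(m.group(2))
        elif line == "bridged-routed":
            acl["bridged_routed"] = True          # not counted as an entry
        elif line.split()[0] in ("permit", "deny"):
            acl["rules"].append(line)
        # any other line (e.g. the CLI prompt) is ignored
    if len(acl["rules"]) != acl["declared_entries"]:
        raise ValueError(
            f"ACL {acl['number']}: header declares {acl['declared_entries']} "
            f"entries but {len(acl['rules'])} rules were parsed (truncated output?)")
    return acl


def audit(acl: Dict[str, object]) -> List[str]:
    """Constructed audit checks; returns one finding string per issue."""
    findings: List[str] = []
    num = acl["number"]
    if not acl["bridged_routed"]:
        findings.append(f"ACL {num}: bridged-routed not set (on FSX, switched "
                        "traffic within the VLAN is not filtered by this ACL)")
    rules: List[str] = acl["rules"]
    if rules and rules[-1].startswith("permit ip any any"):
        findings.append(f"ACL {num}: final rule '{rules[-1]}' permits everything "
                        "not denied above it; check the deny rules precede it")
    return findings


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE)
    print(parsed)
    for finding in audit(parsed):
        print("-", finding)
```

The entry-count check catches output that was cut off by paging before the last rule; for the sample above it passes, and the only finding is the informational note about the final `permit ip any any` marking rule.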

You can use the bridged-routed feature in conjunction with enable ACL-per-port-per-vlan to assign
an ACL to certain ports of a VLAN under the virtual interface configuration level. In this case, all of the
Layer 3 traffic (bridged and routed) is filtered by the ACL. The following shows an example
configuration.

device(config)#vlan 101 by port
device(config-vlan-101)#tagged ethernet 1 to 4

FastIron Ethernet Switch Security Configuration Guide

129

53-1003088-03