IP fragmentation protection, IP option attack protection, IP receive access list – Brocade BigIron RX Series Configuration Guide



BigIron RX Series Configuration Guide, 53-1002484-04, page 188

Configuring an interface as the source for Syslog packets

Syntax: [no] ip syslog source-interface ethernet [<slotnum>/]<portnum> | loopback <num> | ve <num>

The <num> parameter is a loopback interface or virtual interface number. If you specify an
Ethernet interface, [<slotnum>/]<portnum> is the port number, including the slot number on a
device that has slots.

The default is the lowest-numbered IP or IPv6 address configured on the port through which the
packet is sent. The address therefore changes, by default, depending on the port.

IP fragmentation protection

Beginning with this release, IP packet filters on the device switches will drop undersized fragments
and overlapping packet fragments to prevent tiny fragment attacks as explained in RFC 1858.
When packets are fragmented on the network, the first fragment of a packet must be large enough
to contain all the necessary header information. Fragments, once reassembled, must meet certain
criteria before they are allowed to pass through the network. There are no CLI commands for this
new security feature.

IP option attack protection

An attack on the network could be accomplished using the options field of an IP packet header. For
example, the source routing option makes it possible for the sender to specify a route to follow.

To protect against attacks carried in the options field, the device drops any IP packet that contains an
option in its header, except IGMP packets, which are processed even if they contain IP options. If
you want other packets that contain options in their headers to be processed, enter a command such
as the following.

BigIron RX(config)#ip ip-option-process

Syntax: [no] ip ip-option-process
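The two header checks described in the fragmentation and IP option sections above, as an added Python example that is not code from the guide or from Brocade: it parses an IPv4 header, applies the RFC 1858 tiny-fragment and overlapping-fragment rules to TCP, and applies the drop-packets-with-options rule with the IGMP exception and the effect of ip ip-option-process. Packet layouts follow RFC 791; the packets, the LSRR option and the 16-byte minimum transport length (tmin) are this example's own constructions.

```python
# Added example, not code from the BigIron RX guide or from Brocade: a Python
# model of the RFC 1858 tiny/overlapping-fragment filter and of the "drop
# packets carrying IP options unless IGMP (or ip ip-option-process is set)"
# rule. Layouts follow RFC 791; every packet below is constructed inline.
import struct

IPPROTO_IGMP = 2
IPPROTO_TCP = 6
IPPROTO_UDP = 17

# Minimum transport length a first TCP fragment must carry (RFC 1858's tmin).
# 16 bytes reaches past the TCP flags byte (offset 13); the value is this
# example's choice.
TMIN_TCP = 16

IP_OPTION_NAMES = {0: "EOL", 1: "NOP", 7: "RR", 131: "LSRR", 137: "SSRR"}


def build_ipv4(proto, payload, mf=False, frag_offset=0, options=b""):
    """Construct an IPv4 packet (header checksum left 0; nothing verifies it)."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a 4-byte boundary")
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + options + payload


def parse_ipv4(pkt):
    """Return the header fields the two filters need."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),
        "fo": flags_frag & 0x1FFF,          # fragment offset in 8-byte units
        "transport_len": total_len - ihl,   # bytes after the IP header
        "options": pkt[20:ihl],
    }


def fragment_verdict(pkt):
    """RFC 1858 section 3.2 checks, applied to TCP as the RFC describes."""
    h = parse_ipv4(pkt)
    if h["proto"] != IPPROTO_TCP:
        return ("pass", "")
    # Direct method: first fragment too short to hold the TCP fields a filter
    # would inspect.
    if h["fo"] == 0 and h["transport_len"] < TMIN_TCP:
        return ("drop", "tiny-fragment")
    # Indirect method: a fragment at offset 1 (8 bytes) exists only to
    # overwrite the flags of a tiny first fragment during reassembly.
    if h["fo"] == 1:
        return ("drop", "overlapping-fragment")
    return ("pass", "")


def list_options(options):
    """Walk the IP options area and name each option found."""
    names, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # no-operation, single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            names.append("malformed")
            break
        names.append(IP_OPTION_NAMES.get(kind, "option-%d" % kind))
        i += options[i + 1]
    return names


def option_verdict(pkt, ip_option_process=False):
    """Drop any packet with options, except IGMP, unless ip ip-option-process is set."""
    h = parse_ipv4(pkt)
    if not h["options"]:
        return ("pass", "")
    found = "options:" + ",".join(list_options(h["options"]))
    if h["proto"] == IPPROTO_IGMP or ip_option_process:
        return ("pass", found)
    return ("drop", found)


# Constructed samples: a loose source route (type 131, length 7, pointer 4,
# one hop) padded with EOL to 8 bytes, and fragments of a TCP segment.
LSRR_OPTION = bytes([131, 7, 4, 10, 0, 0, 9, 0])
TINY_FIRST = build_ipv4(IPPROTO_TCP, b"\x00" * 8, mf=True, frag_offset=0)
OVERLAP = build_ipv4(IPPROTO_TCP, b"\x00" * 16, mf=False, frag_offset=1)
SANE_FIRST = build_ipv4(IPPROTO_TCP, b"\x00" * 24, mf=True, frag_offset=0)
TCP_WITH_LSRR = build_ipv4(IPPROTO_TCP, b"\x00" * 24, options=LSRR_OPTION)
IGMP_WITH_LSRR = build_ipv4(IPPROTO_IGMP, b"\x00" * 8, options=LSRR_OPTION)

if __name__ == "__main__":
    for name, pkt in [("tiny first fragment", TINY_FIRST),
                      ("fragment at offset 1", OVERLAP),
                      ("well-formed first fragment", SANE_FIRST)]:
        print(name, fragment_verdict(pkt))
    print("TCP with LSRR", option_verdict(TCP_WITH_LSRR))
    print("IGMP with LSRR", option_verdict(IGMP_WITH_LSRR))
    print("TCP with LSRR, ip-option-process", option_verdict(TCP_WITH_LSRR, True))
```

The fragment rules deliberately key on TCP only, as RFC 1858 does; the option rule is protocol-agnostic apart from the IGMP exception, which is why an IGMP packet carrying a source route still passes while the same option on a TCP packet is dropped.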

IP receive access list

The IP receive access list feature uses IPv4 ACLs to filter the packets intended for the management
process to protect the management module from being overloaded with heavy traffic that was sent
to one of the Layer 3 Switch IP interfaces. The feature applies to IPv4 unicast and multicast
packets.

Configuring IP receive access list

IP receive access list is a global configuration command. Once it is applied, the command will be
effective on all the management modules on the device. To configure the feature, do the following.

1. Create a numbered ACL that will be used as the IP receive ACL. This ACL can be a standard (1–99)
or extended (100–199) ACL. Named ACLs are not supported.

BigIron RX(config)# access-list 10 deny host 209.157.22.26 log
BigIron RX(config)# access-list 10 deny 209.157.29.12 log
BigIron RX(config)# access-list 10 deny host IPHost1 log
BigIron RX(config)# access-list 10 permit any
BigIron RX(config)# write memory

2. Configure ACL 10 as the IP receive access list by entering the following command.
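How the ACL built in step 1 decides the fate of a packet aimed at the management process, as an added Python example that is not code from the guide or from Brocade: entries are evaluated in configured order, the first match wins, and a packet matching no entry is denied by the implicit deny. The host table that resolves IPHost1 is constructed for the example, a bare address with no wildcard is treated as a single host (an assumption of this model), and ACL 20 is added to show a wildcard-mask entry and the implicit deny.

```python
# Added example, not code from the BigIron RX guide or from Brocade: a Python
# model of standard numbered ACL evaluation (first match wins, implicit deny).
# HOST_TABLE is a constructed stand-in for the device's host table.
import ipaddress
import re

HOST_TABLE = {"IPHost1": "209.157.22.30"}   # constructed; address is made up

ENTRY_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+?)(?:\s+(log))?$")


def resolve(name_or_addr):
    """Map a hostname through the constructed table, or pass an address through."""
    return int(ipaddress.ip_address(HOST_TABLE.get(name_or_addr, name_or_addr)))


def parse_source(spec):
    """Return (base, mask) ints for a standard-ACL source clause.

    Forms handled: 'any', 'host A', 'A WILDCARD' (wildcard bit 1 = ignore),
    and a bare 'A', which this example treats as a single host (assumption).
    """
    toks = spec.split()
    if toks == ["any"]:
        return 0, 0
    if toks[0] == "host" and len(toks) == 2:
        return resolve(toks[1]), 0xFFFFFFFF
    if len(toks) == 2:
        wildcard = int(ipaddress.ip_address(toks[1]))
        return resolve(toks[0]), (~wildcard) & 0xFFFFFFFF
    if len(toks) == 1:
        return resolve(toks[0]), 0xFFFFFFFF
    raise ValueError("unsupported source clause: %r" % spec)


class StandardAcl:
    def __init__(self, number):
        self.number = number
        self.entries = []          # (action, base, mask, log) in configured order

    def add(self, line):
        m = ENTRY_RE.match(line.strip())
        if not m or int(m.group(1)) != self.number:
            raise ValueError("not an entry of ACL %d: %r" % (self.number, line))
        base, mask = parse_source(m.group(3))
        self.entries.append((m.group(2), base, mask, m.group(4) == "log"))

    def evaluate(self, src_ip):
        """Return (action, log) for a packet whose source is src_ip."""
        src = int(ipaddress.ip_address(src_ip))
        for action, base, mask, log in self.entries:
            if (src & mask) == (base & mask):
                return action, log
        return "deny", False       # implicit deny: no entry matched, nothing logged


def build_acl(number, lines):
    acl = StandardAcl(number)
    for line in lines:
        acl.add(line)
    return acl


# ACL 10 as entered in step 1 (prompt removed); ACL 20 is constructed here.
ACL10_LINES = [
    "access-list 10 deny host 209.157.22.26 log",
    "access-list 10 deny 209.157.29.12 log",
    "access-list 10 deny host IPHost1 log",
    "access-list 10 permit any",
]
ACL20_LINES = ["access-list 20 permit 209.157.22.0 0.0.0.255"]

ACL10 = build_acl(10, ACL10_LINES)
ACL20 = build_acl(20, ACL20_LINES)

if __name__ == "__main__":
    for src in ["209.157.22.26", "209.157.29.12", "209.157.22.30", "10.1.1.1"]:
        print("ACL 10", src, ACL10.evaluate(src))
    for src in ["209.157.22.99", "209.157.23.1"]:
        print("ACL 20", src, ACL20.evaluate(src))
```

Matching is done as (src AND mask) == (base AND mask) rather than with ipaddress networks so that non-contiguous wildcard masks, which ACLs allow, still evaluate correctly. Note that ACL 10 ends with permit any, so only the three listed sources are refused; an ACL without such an entry refuses every unlisted source through the implicit deny, as ACL 20 shows.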
