ServerIron ADX NAT64 Configuration Guide
53-1002444-02
DRAFT: BROCADE CONFIDENTIAL
• forward: Fragments are forwarded in hardware without filtering by the ACLs
The <mins> parameter specifies the number of minutes the device enforces the drop or forward action after a threshold has been exceeded. You can specify from 1 to 30 minutes for either frag-rate-on-sys or frag-rate-on-interface.
Syslog messages for exceeded fragment thresholds
If a fragment threshold is exceeded, the device generates one of the syslog messages shown in
Table 11.
Enabling filtering for packets denied by flow-based ACLs
By default, packets denied by ACLs are filtered by the CPU. You can enable the device to create
CAM entries for packets denied by ACLs. This causes the filtering to occur in hardware instead of in
the CPU.
When you enable hardware filtering of denied packets, the first time the device filters a packet
denied by an ACL, the device sends the packet to the CPU for processing. The CPU also creates a
CAM entry for the denied packet. Subsequent packets with the same address information are
filtered using the CAM entry. The CAM entry ages out after two minutes if not used.
To enable hardware filtering of denied packets, enter the following command at the global CONFIG
level of the CLI.
ServerIronADX(config)# hw-drop-acl-denied-packet
Syntax: [no] hw-drop-acl-denied-packet
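The following Python model is an added illustration of the behaviour described above (first denied packet punted to the CPU, a CAM entry created for it, later packets of the same flow dropped in hardware, entry aged out after two minutes of non-use). It is not Brocade code and does not reflect the ADX's real data structures: the flow key (source, destination, protocol), the deny predicate, the timestamps and the counters are constructed assumptions used only to show where packets are handled.

```python
# Added example: model of hw-drop-acl-denied-packet behaviour.
# Assumption: a flow is identified by (src, dst, proto); the "CAM" is a dict
# keyed on that tuple holding the last time the entry was used.

AGE_OUT_SECONDS = 120  # "ages out after two minutes if not used"


class DeniedFlowCache:
    def __init__(self, acl_denies, now):
        self.acl_denies = acl_denies  # callable(flow) -> True if a deny ACL matches
        self.now = now                # callable() -> current time in seconds
        self.cam = {}                 # flow -> last-used timestamp
        self.cpu_drops = 0            # packets dropped by the CPU (first packet of a flow)
        self.hw_drops = 0             # packets dropped by the CAM entry
        self.forwarded = 0

    def _expire(self, t):
        # Remove entries that have not been used for AGE_OUT_SECONDS.
        stale = [f for f, last in self.cam.items() if t - last >= AGE_OUT_SECONDS]
        for f in stale:
            del self.cam[f]

    def packet(self, flow):
        t = self.now()
        self._expire(t)
        if flow in self.cam:
            # Hardware hit: refresh the entry so sustained traffic keeps it alive.
            self.cam[flow] = t
            self.hw_drops += 1
            return "drop-hw"
        if self.acl_denies(flow):
            # First packet of a denied flow goes to the CPU, which installs the entry.
            self.cam[flow] = t
            self.cpu_drops += 1
            return "drop-cpu"
        self.forwarded += 1
        return "forward"


def simulate():
    """Run a constructed packet sequence through the model and return the decisions."""
    clock = {"t": 0.0}

    def deny(flow):
        src, _dst, proto = flow
        # Constructed deny rule: TCP from 10.0.0.0/24 is denied, everything else permitted.
        return src.startswith("10.0.0.") and proto == "tcp"

    cache = DeniedFlowCache(deny, now=lambda: clock["t"])
    denied = ("10.0.0.5", "192.0.2.1", "tcp")        # constructed flow
    permitted = ("198.51.100.7", "192.0.2.1", "tcp")  # constructed flow

    # (time in seconds, flow) -- constructed timeline
    events = [
        (0, denied),      # first packet: CPU drop, CAM entry installed
        (1, denied),      # hardware drop
        (2, denied),      # hardware drop
        (3, permitted),   # no deny match: forwarded, no entry
        (100, denied),    # 98 s idle < 120 s: entry still present
        (210, denied),    # 110 s since last use: still present
        (400, denied),    # 190 s idle: entry aged out, back to the CPU
    ]
    decisions = []
    for t, flow in events:
        clock["t"] = t
        decisions.append(cache.packet(flow))
    return decisions, cache


if __name__ == "__main__":
    decisions, cache = simulate()
    print(decisions)
    print("cpu_drops", cache.cpu_drops, "hw_drops", cache.hw_drops, "forwarded", cache.forwarded)
```

The counters are the point of the model: with hardware filtering enabled, only the first packet of each denied flow (and the first packet after an idle period longer than the age-out) costs CPU time, while the rest is dropped by the CAM entry. Note that the age-out is measured from the last use, so a flow that keeps sending never lets its entry expire.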
Enabling strict TCP or UDP mode for flow-based ACLs
By default, when you use ACLs to filter TCP or UDP traffic, the Foundry device does not compare all
TCP or UDP packets against the ACLs.
For TCP and UDP, the device first compares the source and destination information in a TCP control
packet or a UDP packet against entries in the session table. The session table contains forwarding
entries based on Layer 3 and Layer 4 information:
• If the session table contains a matching entry, the device forwards the packet, assuming that
the first packet the device received with the same address information was permitted by the
ACLs.
TABLE 11 Syslog messages for exceeded fragment threshold

Message level   Message                                                                   Explanation
Notification    ACL system fragment packet inspect rate <rate> exceeded                  The <rate> indicates the maximum rate allowed.
Notification    ACL port fragment packet inspect rate <rate> exceeded on port <portnum>  The <rate> indicates the maximum rate allowed. The <portnum> indicates the port.