Concept Guide

ManualsBrandsDell ManualsAccess PlatformsNetworking S3100 Series

111

112

113

114

115

116

117

118

119

120

DellEMC(conf-ext-nacl)#permit ip any 10.1.1.1/32

DellEMC(conf-ext-nacl)

Layer 4 ACL Rules Examples

The following examples show the ACL commands for Layer 4 packet ltering.

Permit an ACL line with L3 information only, and the fragments keyword is present: If a packet’s L3 information matches the L3

information in the ACL line, the packet's FO is checked.

• If a packet's FO > 0, the packet is permitted.

• If a packet's FO = 0, the next ACL entry is processed.

Deny ACL line with L3 information only, and the fragments keyword is present:If a packet's L3 information does match the L3

information in the ACL line, the packet's FO is checked.

• If a packet's FO > 0, the packet is denied.

• If a packet's FO = 0, the next ACL line is processed.

Example of Permitting All Packets from a Specied Host

In this rst example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted. All others are denied.

DellEMC(conf)#ip access-list extended ABC

DellEMC(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24

DellEMC(conf-ext-nacl)#

deny ip any any fragment

DellEMC(conf-ext-nacl)

Example of Permitting Only First Fragments and Non-Fragmented Packets from a Specied Host

In the following example, the TCP packets that are rst fragments or non-fragmented from host 10.1.1.1 with TCP destination port equal to

24 are permitted. Additionally, all TCP non-rst fragments from host 10.1.1.1 are permitted. All other IP packets that are non-rst fragments

are denied.

DellEMC(conf)#ip access-list extended ABC

DellEMC(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24

DellEMC(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragment

DellEMC(conf-ext-nacl)#

deny ip any any fragment

DellEMC(conf-ext-nacl)

Example of Logging Denied Packets

To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/ UDP fragments, use a conguration

similar to the following.

DellEMC(conf)#ip access-list extended ABC

DellEMC(conf-ext-nacl)#permit tcp any any fragment

DellEMC(conf-ext-nacl)#permit udp any any fragment

DellEMC(conf-ext-nacl)#

deny ip any any log

DellEMC(conf-ext-nacl)

When conguring ACLs with the fragments keyword, be aware of the following.

When an ACL lters packets, it looks at the fragment oset (FO) to determine whether it is a fragment.

• FO = 0 means it is either the rst fragment or the packet is a non-fragment.

• FO > 0 means it is dealing with the fragments of the original packet.

Congure a Standard IP ACL

To congure an ACL, use commands in IP ACCESS LIST mode and INTERFACE mode.

For a complete list of all the commands related to IP ACLs, refer to the Dell EMC Networking OS Command Line Interface Reference

Guide. To set up extended ACLs, refer to Congure an Extended IP ACL.

Access Control Lists (ACLs)

117