Concept Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S4048-ON

121

122

123

124

125

126

127

128

129

130

Continue Clause

Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed.

If you congure the continue command at the end of a module, the next module (or a specied module) is processed even after a match

is found. The following example shows a continue clause at the end of a route-map module. In this example, if a match is found in the

route-map “test” module 10, module 30 is processed.

NOTE: If you congure the continue clause without specifying a module, the next sequential module is processed.

Example of Using the continue Clause in a Route Map

route-map test permit 10

match commu comm-list1

set community 1:1 1:2 1:3

set as-path prepend 1 2 3 4 5

continue 30!

IP Fragment Handling

Dell EMC Networking OS supports a congurable option to explicitly deny IP fragmented packets, particularly second and subsequent

packets.

It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable to all Layer protocols (permit/

deny ip/tcp/udp/icmp).

• Both standard and extended ACLs support IP fragments.

• Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments. If the packet is to be

denied eventually, the rst fragment would be denied and hence the packet as a whole cannot be reassembled.

• Implementing the required rules uses a signicant number of CAM entries per TCP/UDP entry.

• For IP ACL, Dell EMC Networking OS always applies implicit deny. You do not have to congure it.

• For IP ACL, Dell EMC Networking OS applies implicit permit for second and subsequent fragment just prior to the implicit deny.

• If you congure an explicit deny, the second and subsequent fragments do not hit the implicit permit rule for fragments.

• Loopback interfaces do not support ACLs using the IP fragment option. If you congure an ACL with the fragments option and

apply it to a Loopback interface, the command is accepted but the ACL entries are not actually installed the oending rule in CAM.

IP Fragments ACL Examples

The following examples show how you can use ACL commands with the fragment keyword to lter fragmented packets.

Example of Permitting All Packets on an Interface

The following conguration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule does not

get hit at all.

DellEMC(conf)#ip access-list extended ABC

DellEMC(conf-ext-nacl)#permit ip any 10.1.1.1/32

DellEMC(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments

DellEMC(conf-ext-nacl)

Example of Denying Second and Subsequent Fragments

To deny the second/subsequent fragments, use the same rules in a dierent order. These ACLs deny all second and subsequent fragments

with destination IP 10.1.1.1 but permit the rst fragment and non-fragmented packets with destination IP 10.1.1.1.

DellEMC(conf)#ip access-list extended ABC

DellEMC(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments

Access Control Lists (ACLs)

125