Reference Guide

Ingress and egress hot-lock ACLs allow you to append rules to, or delete rules from, an existing ACL without disrupting traffic flow. Existing
entries in the CAM shuffle to accommodate the new entries. Hot-lock ACLs are enabled by default and support ACLs on all platforms.
NOTE: Hot-lock ACLs support ingress ACLs only.
MAC ACLs
MAC ACLs lter trac on the Layer 2 (L2) header of a packet. This trac ltering is based on:
Source MAC packet
address
MAC address range—address mask in 3x4 dotted hexadecimal notation, and any to denote that the rule matches
all source addresses.
Destination MAC
packet address
MAC address range—address-mask in 3x4 dotted hexadecimal notation, and any to denote that the rule matches
all destination addresses.
Packet protocol Set by its EtherType eld contents and Assigned protocol number for all protocols.
VLAN ID Set in the packet header
Class of service Present in the packet header
IPv4/IPv6 and MAC ACLs apply separately for inbound and outbound packets. You can assign an interface to multiple ACLs, with a limit of
one ACL per packet direction per ACL type.
IP fragment handling
OS10 supports a congurable option to explicitly deny IP fragmented packets, particularly for the second and subsequent packets. This
option extends the existing ACL command syntax with the fragments keyword for all Layer 3 (L3) rules:
Second and subsequent fragments are allowed because you cannot apply a L3 rule to these fragments. If the packet is to be denied
eventually, the rst fragment must be denied and the packet as a whole cannot be reassembled.
The system applies implicit permit for the second and subsequent fragment prior to the implicit deny.
If you congure an explicit deny, the second and subsequent fragments do not hit the implicit permit rule for fragments.
IP fragments ACL
When a packet exceeds the maximum packet size, the packet is fragmented into a number of smaller packets that contain portions of the
contents of the original packet. This packet flow begins with an initial packet that contains all of the Layer 3 (L3) and Layer 4 (L4) header
information contained in the original packet, and is followed by a number of packets that contain only the L3 header information.
This packet flow contains all of the information from the original packet, distributed across packets that are small enough to stay within the
maximum packet size limit. This presents a particular problem for ACL processing.
If the ACL filters based on L4 information, the non-initial packets within the fragmented packet flow will not match the L4 information, even
if the original packet would have matched the filter. Because of this, those packets are not processed by the ACL rule.
The examples show denying second and subsequent fragments, and permitting all packets on an interface. The first ACL denies all second and
subsequent fragments with destination IP 10.1.1.1, but permits the first fragment and non-fragmented packets with destination IP 10.1.1.1. The
second example shows an ACL which permits all packets — both fragmented and non-fragmented — with destination IP 10.1.1.1.
Deny second and subsequent fragments
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments
OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32
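The following is an added example, not OS10 code and not taken from the guide: a small Python model of the fragment semantics described above, so you can see why an L4-only deny lets second and subsequent fragments through and how the fragments keyword closes that gap. It models only what the text states (L4 fields exist in the initial fragment only, a fragments rule matches non-initial fragments only, and non-initial fragments that match nothing hit an implicit permit before the implicit deny); the Fragment and Rule classes, the fragment_packet helper and the 192.0.2.10 sample source address are constructed for the example, and the real forwarding hardware may differ in details.

```python
"""Simplified model of how an OS10-style IPv4 ACL evaluates fragmented
packets. Added example only; not vendor code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Fragment:
    """One IP packet (or fragment) as the ACL engine sees it (constructed type)."""
    src: str
    dst: str
    proto: str              # "tcp", "udp", "icmp", ...
    offset: int             # fragment offset; 0 for the initial or an unfragmented packet
    dport: Optional[int]    # L4 destination port; None when no L4 header is present

    @property
    def non_initial(self) -> bool:
        return self.offset > 0


@dataclass
class Rule:
    """One ACL entry, e.g. 'deny ip any 10.1.1.1/32 fragments' (constructed type)."""
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any protocol
    src: str                # prefix or "any"
    dst: str                # prefix or "any"
    dport: Optional[int] = None
    fragments: bool = False  # the 'fragments' keyword: match non-initial fragments only


def fragment_packet(src: str, dst: str, proto: str, dport: int, payload_len: int,
                    mtu: int = 1500, l3_hdr: int = 20, l4_hdr: int = 20) -> List[Fragment]:
    """Split a packet into fragments the way the text describes: the first carries the
    L4 header, the rest carry only L3 information. Fragment data is 8-byte aligned."""
    per_frag = ((mtu - l3_hdr) // 8) * 8
    total = l4_hdr + payload_len
    frags, offset = [], 0
    while offset < total:
        frags.append(Fragment(src, dst, proto, offset, dport if offset == 0 else None))
        offset += per_frag
    return frags


def _prefix_match(prefix: str, addr: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def rule_matches(rule: Rule, frag: Fragment) -> bool:
    if not (_prefix_match(rule.src, frag.src) and _prefix_match(rule.dst, frag.dst)):
        return False
    if rule.proto != "ip" and rule.proto != frag.proto:
        return False
    if rule.fragments:
        return frag.non_initial            # matches second and subsequent fragments only
    if rule.dport is not None:
        return frag.dport == rule.dport    # None on non-initial fragments, so never matches
    return True


def evaluate(acl: List[Rule], frag: Fragment) -> str:
    """Return 'permit' or 'deny' for one fragment: first matching rule wins, then the
    implicit permit for non-initial fragments, then the implicit deny."""
    for rule in acl:
        if rule_matches(rule, frag):
            return rule.action
    if frag.non_initial:
        return "permit"
    return "deny"


def evaluate_flow(acl: List[Rule], frags: List[Fragment]) -> List[str]:
    return [evaluate(acl, f) for f in frags]


# ACL ABC from the guide: deny non-initial fragments to 10.1.1.1, permit the rest to it.
ACL_ABC = [
    Rule("deny", "ip", "any", "10.1.1.1/32", fragments=True),
    Rule("permit", "ip", "any", "10.1.1.1/32"),
]

# Constructed ACL that filters on L4 only, to show how fragments slip past it.
ACL_L4_ONLY = [Rule("deny", "tcp", "any", "10.1.1.1/32", dport=23)]

if __name__ == "__main__":
    flow = fragment_packet("192.0.2.10", "10.1.1.1", "tcp", 23, payload_len=3000)
    print(len(flow), "fragments")
    print("ABC:    ", evaluate_flow(ACL_ABC, flow))
    print("L4-only:", evaluate_flow(ACL_L4_ONLY, flow))
```

Running it on a 3000-byte TCP payload to port 23 gives three fragments. Under ACL ABC the first fragment is permitted and the two non-initial fragments are denied, as the text describes. Under the L4-only ACL the first fragment is denied, but the non-initial fragments match nothing (they carry no port) and fall through to the implicit permit for fragments, which is exactly the case the fragments keyword is there to handle.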
Access Control Lists