Connectivity Guide

Permit all packets from host
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24
OS10(conf-ipv4-acl)# deny ip any any fragment
Permit only rst fragments and non-fragmented packets from
host
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any fragment
OS10(conf-ipv4-acl)# deny ip any any fragment
To log all denied packets and to override the implicit deny rule and the implicit permit rule for TCP/UDP fragments, use a similar
configuration. When an ACL filters packets, it reads the IP fragment offset (FO) field to determine whether the packet is a fragment:
FO = 0 means the packet is either the first fragment or a non-fragmented packet
FO > 0 means the packet is a subsequent fragment of the original packet
Assign sequence number to filter
IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP
host addresses. Traffic is matched against the filters in filter sequence order, and the first matching filter decides the action. Configure the IP ACL by first entering IP ACCESS-LIST mode and then
assigning a sequence number to the filter.
User-provided sequence number
Enter IP ACCESS LIST mode by creating an IP ACL in CONFIGURATION mode.
ip access-list access-list-name
Congure a drop or forward lter in IPV4-ACL mode.
seq sequence-number {deny | permit | remark} {ip-protocol-number | icmp | ip | protocol | tcp
| udp} {source prefix | source mask | any | host} {destination mask | any | host ip-address}
[count [byte]] [fragments]
Auto-generated sequence number
If you are creating an ACL with only one or two filters, you can let the system assign a sequence number based on the order you configure
the filters. The system assigns sequence numbers to filters in multiples of ten.
Configure a deny or permit filter to examine IP packets in IPV4-ACL mode.
{deny | permit} {source mask | any | host ip-address} [count [byte]] [fragments]
Configure a deny or permit filter to examine TCP packets in IPV4-ACL mode.
{deny | permit} tcp {source mask | any | host ip-address} [count [byte]] [fragments]
Configure a deny or permit filter to examine UDP packets in IPV4-ACL mode.
{deny | permit} udp {source mask | any | host ip-address} [count [byte]] [fragments]
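The following is an added example, not code from the Dell OS10 guide. It models the two ACLs shown earlier in this section (the fragment-handling examples) and the sequence-number behaviour described just above: each filter gets an auto-assigned seq number in multiples of ten, and a packet is evaluated against the filters in that order with the first match deciding the action. Two assumptions not stated by the page are marked in the comments: a port filter such as `eq 24` can only match a packet whose L4 header is present (FO = 0), and the implicit permit for TCP/UDP fragments is consulted before the final implicit deny. The sample packets and the contrasting ACL with no fragment rule are constructed for the example.

```python
# Added example (not from the OS10 guide): model of OS10 ACL fragment matching
# and auto-assigned seq numbers. Assumptions are marked as such in comments.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    proto: str                      # "tcp", "udp", "icmp", ...
    frag_offset: int                # IP fragment offset (FO) field
    dst_port: Optional[int] = None  # L4 header is only present when FO == 0


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str = "ip"               # "ip" matches every IP protocol
    src: Optional[str] = None       # None renders as "any", else "host <addr>"
    dst_port: Optional[int] = None  # "eq <port>"
    fragment: bool = False          # "fragment" keyword


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.fragment:
        # Page: FO > 0 is a subsequent fragment; that is what "fragment" matches.
        return pkt.frag_offset > 0
    if rule.dst_port is not None:
        # Assumption: a port match needs the L4 header, which only the first
        # fragment or a non-fragmented packet (FO == 0) carries.
        return pkt.frag_offset == 0 and pkt.dst_port == rule.dst_port
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching filter wins, in sequence order."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    # Page: implicit permit for TCP/UDP fragments, implicit deny otherwise.
    # Assumption: the fragment permit is checked before the final deny, which
    # is why the page's ACL denies fragments explicitly to override it.
    if pkt.proto in ("tcp", "udp") and pkt.frag_offset > 0:
        return "permit-implicit-fragment"
    return "deny-implicit"


def render(name: str, acl: List[Rule]) -> List[str]:
    """Emit the CLI lines with auto-assigned seq numbers (multiples of ten)."""
    lines = [f"ip access-list {name}"]
    for i, r in enumerate(acl, start=1):
        src = "any" if r.src is None else f"host {r.src}"
        cmd = f" seq {i * 10} {r.action} {r.proto} {src} any"
        if r.dst_port is not None:
            cmd += f" eq {r.dst_port}"
        if r.fragment:
            cmd += " fragment"
        lines.append(cmd)
    return lines


# The two ACLs from the page, in the order the filters were entered.
ACL_DENY_FRAGMENTS = [
    Rule("permit", "tcp", "10.1.1.1", dst_port=24),
    Rule("deny", "ip", fragment=True),
]
ACL_PERMIT_HOST_FRAGMENTS = [
    Rule("permit", "tcp", "10.1.1.1", dst_port=24),
    Rule("permit", "tcp", "10.1.1.1", fragment=True),
    Rule("deny", "ip", fragment=True),
]
# Constructed for contrast: the same port filter with no fragment rule at all.
ACL_NO_FRAGMENT_RULE = [Rule("permit", "tcp", "10.1.1.1", dst_port=24)]

# Constructed sample packets.
FIRST_FRAG = Packet("10.1.1.1", "tcp", frag_offset=0, dst_port=24)
LATER_FRAG = Packet("10.1.1.1", "tcp", frag_offset=185)      # no L4 header
OTHER_HOST_FRAG = Packet("10.9.9.9", "tcp", frag_offset=185)


if __name__ == "__main__":
    for name, acl in [("ABC-deny-frags", ACL_DENY_FRAGMENTS),
                      ("ABC-host-frags", ACL_PERMIT_HOST_FRAGMENTS),
                      ("no-frag-rule", ACL_NO_FRAGMENT_RULE)]:
        print("\n".join(render(name, acl)))
        for pkt in (FIRST_FRAG, LATER_FRAG, OTHER_HOST_FRAG):
            print(f"  FO={pkt.frag_offset:<4} src={pkt.src:<9} -> {evaluate(acl, pkt)}")
```

The contrast case is the one to remember when reviewing a real ACL: with only `permit tcp host 10.1.1.1 any eq 24`, a subsequent fragment from any host is never matched by the port filter and falls through to the implicit fragment permit, so an explicit `deny ip any any fragment` is what actually closes that path.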
Access Control Lists