Users Guide
To log all packets denied and to override the implicit deny rule and the implicit permit rule for TCP/UDP fragments, use a similar
configuration. When an ACL filters packets, it looks at the fragment offset (FO) field to determine whether the packet is a fragment:
• FO = 0 means the packet is either the first fragment or a non-fragmented packet
• FO > 0 means the packet is a subsequent fragment of the original packet
Assign sequence number to filter
IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP
host addresses. Traffic is evaluated against the filters in sequence-number order. Configure the IP ACL by first entering IP ACCESS-LIST mode and then
assigning a sequence number to the filter.
User-provided sequence number
• Enter IP ACCESS-LIST mode by creating an IP ACL in CONFIGURATION mode.
ip access-list access-list-name
• Configure a drop or forward filter in IPV4-ACL mode.
seq sequence-number {deny | permit | remark} {ip-protocol-number | icmp | ip | protocol | tcp | udp}
{source prefix | source mask | any | host} {destination mask | any | host ip-address} [count [byte]] [fragments]
Auto-generated sequence number
If you are creating an ACL with only one or two filters, you can let the system assign a sequence number based on the order in which you
configure the filters. The system assigns sequence numbers to filters in multiples of ten.
• Configure a deny or permit filter to examine IP packets in IPV4-ACL mode.
{deny | permit} {source mask | any | host ip-address} [count [byte]] [fragments]
• Configure a deny or permit filter to examine TCP packets in IPV4-ACL mode.
{deny | permit} tcp {source mask | any | host ip-address} [count [byte]] [fragments]
• Configure a deny or permit filter to examine UDP packets in IPV4-ACL mode.
{deny | permit} udp {source mask | any | host ip-address} [count [byte]] [fragments]
Assign sequence number to filter
OS10(config)# ip access-list acl1
OS10(conf-ipv4-acl)# seq 5 deny tcp any any capture session 1 count
View ACLs and packets processed through ACL
OS10# show ip access-lists in
Ingress IP access-list acl1
Active on interfaces :
ethernet1/1/5
seq 5 permit ip any any count (10000 packets)
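The following Python model is an added example, not part of the guide or of OS10 itself. It shows how the FO classification above and sequence-ordered evaluation fit together: rules are tried by ascending sequence number, the first match wins and its counter increments (like the count keyword), and an unmatched packet hits the implicit deny. The Packet/Rule classes, the dst_port field, and the treatment of later fragments (a rule marked fragments matches only FO > 0; a port-based permit passes a later fragment while a port-based deny is skipped, since it carries no L4 header) are assumptions made for illustration, not OS10's documented semantics.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    frag_offset: int                # FO field of the IP header
    dst_port: Optional[int] = None  # L4 header exists only when FO == 0

@dataclass
class Rule:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str = "ip"               # "ip" matches every IP protocol
    src: str = "any"                # "any" or a single host address
    dst: str = "any"
    dst_port: Optional[int] = None  # hypothetical L4 port match
    fragments: bool = False         # assumed: match only non-initial fragments
    count: int = 0                  # packets matched, like the "count" keyword

def is_initial(pkt: Packet) -> bool:
    # FO = 0: first fragment or non-fragment; FO > 0: later fragment
    return pkt.frag_offset == 0

def l3_match(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst))

def evaluate(acl: list, pkt: Packet) -> str:
    # Rules are tried in ascending sequence number; first match wins.
    for rule in sorted(acl, key=lambda r: r.seq):
        if not l3_match(rule, pkt):
            continue
        if rule.fragments and is_initial(pkt):
            continue                # "fragments" rules skip FO = 0 packets
        if rule.dst_port is not None and not is_initial(pkt):
            # Assumed implicit-permit behaviour: a later fragment has no L4
            # header, so an L4 permit matches it and an L4 deny is skipped.
            if rule.action == "permit":
                rule.count += 1
                return "permit"
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        rule.count += 1
        return rule.action
    return "deny"                   # implicit deny at the end of every ACL
```

The model makes the gap visible: a port-based deny at seq 10 stops the first fragment but not later fragments, which is why a deny rule with the fragments keyword is placed ahead of it when that is not the intended behaviour.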
L2 and L3 ACLs
Configure both L2 and L3 ACLs on an interface in L2 mode. The following rules apply if you use both L2 and L3 ACLs on an interface.
• The L3 ACL filters packets first, and then the L2 ACL filters packets
• The egress L3 ACL filters packets
Rules apply in order:
Access Control Lists