Users Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S5148F-ON

371

372

373

374

375

376

377

378

379

380

• Source and destination TCP port number

• Source and destination UDP port number

For ACL, TCP, and UDP lters, match criteria on specic TCP or UDP ports. For ACL TCP lters, you can also match criteria on established

TCP sessions.

When creating an ACL, the sequence of the lters is important. You can assign sequence numbers to the lters as you enter them or OS10

can assign numbers in the order you create the lters. The sequence numbers display in the show running-configuration and

show ip access-lists [in | out] command output.

Ingress and egress hot-lock ACLs allow you to append or delete new rules into an existing ACL without disrupting trac ow. Existing

entries in the CAM shue to accommodate the new entries. Hot-lock ACLs are enabled by default and support ACLs on all platforms.

NOTE: Hot-lock ACLs support ingress ACLs only.

MAC ACLs

MAC ACLs lter trac on the Layer 2 (L2) header of a packet. This trac ltering is based on:

Source MAC packet

address

MAC address range—address mask in 3x4 dotted hexadecimal notation, and any to denote that the rule matches

all source addresses.

Destination MAC

packet address

MAC address range—address-mask in 3x4 dotted hexadecimal notation, and any to denote that the rule matches

all destination addresses.

Packet protocol Set by its EtherType eld contents and Assigned protocol number for all protocols.

VLAN ID Set in the packet header

Class of service Present in the packet header

IPv4/IPv6 and MAC ACLs apply separately for inbound and outbound packets. You can assign an interface to multiple ACLs, with a limit of

one ACL per packet direction per ACL type.

IP fragment handling

OS10 supports a congurable option to explicitly deny IP fragmented packets, particularly for the second and subsequent packets. This

option extends the existing ACL command syntax with the fragments keyword for all Layer 3 (L3) rules:

• Second and subsequent fragments are allowed because you cannot apply a L3 rule to these fragments. If the packet is to be denied

eventually, the rst fragment must be denied and the packet as a whole cannot be reassembled.

• The system applies implicit permit for the second and subsequent fragment prior to the implicit deny.

• If you congure an explicit deny, the second and subsequent fragments do not hit the implicit permit rule for fragments.

IP fragments ACL

When a packet exceeds the maximum packet size, the packet is fragmented into a number of smaller packets that contain portions of the

contents of the original packet. This packet ow begins with an initial packet that contains all of the Layer 3 (L3) and Layer 4 (L4) header

information contained in the original packet, and is followed by a number of packets that contain only the L3 header information.

This packet ow contains all of the information from the original packet distributed through packets that are small enough to avoid the

maximum packet size limit. This provides a particular problem for ACL processing.

If the ACL lters based on L4 information, the non-initial packets within the fragmented packet ow will not match the L4 information, even

if the original packet would have matched the lter. Because of this ltering, packets are not processed by the ACL.

Access Control Lists

373