Dell FCX624-S Laptop User Manual


PowerConnect B-Series FCX Configuration Guide 573
53-1002266-01
The fragments are forwarded even if the first fragment, which contains the Layer 4 information,
was denied. Generally, denying the first fragment of a packet is sufficient, since a transaction
cannot be completed without the entire packet.
For tighter control, you can configure the port to drop all packet fragments. To do so, enter
commands such as the following.
PowerConnect(config)#interface ethernet 1/1
PowerConnect(config-if-1/1)#ip access-group frag deny
This option begins dropping all fragments received by the port as soon as you enter the command.
This option is especially useful if the port is receiving an unusually high rate of fragments, which
can indicate a hacker attack.
Syntax: [no] ip access-group frag deny
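The difference between the default fragment handling and the frag deny option described above, as an added example that models the described behaviour in Python (a constructed simulation, not the device's firmware or any Dell/Brocade code): a deny rule on TCP port 23 stops the first fragment, but the non-initial fragments carry no Layer 4 header and are forwarded unless the port is set to drop all fragments.

```python
# Constructed model of the fragment handling described above (added example,
# not device firmware). The ACL is a top-down rule list with implicit deny.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str                   # "tcp" or "udp"
    dport: Optional[int] = None  # None: no Layer 4 header in this fragment
    frag_offset: int = 0         # IP fragment offset, 8-byte units
    more_frags: bool = False     # IP MF flag

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str
    dport: Optional[int] = None  # None: any destination port

def match_acl(pkt: Packet, acl: List[Rule]) -> str:
    """First matching rule wins; falls through to the implicit deny."""
    for rule in acl:
        if rule.proto == pkt.proto and rule.dport in (None, pkt.dport):
            return rule.action
    return "deny"

def filter_packet(pkt: Packet, acl: List[Rule], frag_deny: bool) -> str:
    is_fragment = pkt.frag_offset > 0 or pkt.more_frags
    if frag_deny and is_fragment:
        return "drop"    # 'ip access-group frag deny': every fragment dropped
    if pkt.frag_offset > 0:
        # Non-initial fragment: no Layer 4 header to check, so it is forwarded
        # even when the first fragment of the same datagram was denied.
        return "forward"
    return "forward" if match_acl(pkt, acl) == "permit" else "drop"

def evaluate(pkts: List[Packet], acl: List[Rule], frag_deny: bool) -> List[str]:
    return [filter_packet(p, acl, frag_deny) for p in pkts]

ACL = [Rule("deny", "tcp", 23), Rule("permit", "tcp"), Rule("permit", "udp")]
# Constructed traffic: one telnet datagram split into three fragments, then
# two unfragmented packets.
SAMPLE = [
    Packet("tcp", dport=23, more_frags=True),         # first fragment, has L4
    Packet("tcp", frag_offset=185, more_frags=True),  # middle fragment
    Packet("tcp", frag_offset=370),                   # last fragment
    Packet("tcp", dport=443),
    Packet("udp", dport=53),
]
```

Running `evaluate(SAMPLE, ACL, frag_deny=False)` forwards the two non-initial fragments despite the denied first fragment; with `frag_deny=True` all three fragments are dropped while the unfragmented packets still pass the ACL.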
Enabling ACL support for switched traffic in the router image
NOTE
On PowerConnect B-Series FCX devices, ACL support for switched traffic in the router image is
enabled by default. There is no command to enable or disable it.
By default, when an ACL is applied to a physical or virtual routing interface, the Layer 3 device
filters routed traffic only. It does not filter traffic that is switched from one port to another within
the same VLAN or virtual routing interface, even if an ACL is applied to the interface.
You can enable the device to filter switched traffic within a VLAN or virtual routing interface. When
filtering is enabled, the device uses the ACLs applied to inbound traffic to filter traffic received by a
port from another port in the same virtual routing interface.
In this case, all of the Layer 3 traffic (bridged and routed) is filtered by the ACL. The following
shows an example configuration.
PowerConnect(config)#vlan 101 by port
PowerConnect(config-vlan-101)#tagged ethernet 1 to 4
PowerConnect(config-vlan-101)#router-interface ve 101
PowerConnect(config-vlan-101)#exit
PowerConnect(config)#enable ACL-per-port-per-vlan
PowerConnect(config)#ip access-list 101 bridged-routed
PowerConnect(config)#write memory
PowerConnect(config)#exit
PowerConnect#reload
...
PowerConnect(config-vif-101)#ip access-group 1 in ethernet 1 ethernet 3 ethernet 4
Enabling ACL filtering based on VLAN membership or VE port membership
NOTE
This section applies to IPv4 ACLs only. IPv6 ACLs do not support ACL filtering based on VLAN
membership or VE port membership.