Brocade Communications Systems 12.4.00a Default ACL action

ServerIron ADX Security Guide 51

53-1002440-03

Default ACL action 2

The descriptions for rule-based ACLs above apply to non-fragmented packets. The default

processing of fragments by rule-based ACLs is as follows:

•The first fragment of a packet is permitted or denied using the ACLs. The first fragment is

handled the same way as non-fragmented packets, since the first fragment contains the Layer

4 source and destination application port numbers. The device uses the Layer 4 CAM entry if

one is programmed, or applies the interface's ACL entries to the packet and permits or denies

the packet according to the first matching ACL.

•For other fragments of the same packet, one of the following occurs:

•If the device has a CAM entry for the packet and has not been configured to send the

fragments to the CPU, the device uses the CAM entry to forward the fragments in

hardware.

The fragments are forwarded even if the first fragment, which contains the Layer 4

information, was denied. Generally, denying the first fragment of a packet is sufficient,

since a transaction cannot be completed without the entire packet. However, for stricter

fragment control, you can send fragments to the CPU for filtering.

•If the device is configured to send fragments to the CPU for filtering, the device compares

the source and destination IP addresses to the ACL entries that contain Layer 4

information.

•If the fragment’s source and destination addresses exactly match an ACL entry that

has Layer 4 information, the device assumes that the ACL entry is applicable to the

fragment and permits or denies the fragment according to the ACL entry. The device

does not compare the fragment to ACL entries that do not contain Layer 4 information.

•If both the fragment’s source and destination addresses do not exactly match an ACL

entry, the device skips the ACL entry and compares the packet to the next ACL entry.

This is true even if either the source or destination address (but not both) does exactly

match an ACL entry.

•If the source and destination addresses do not exactly match any ACL entry on the

applicable interface, the device drops the fragment.

NOTE

By default, 10 Gigabit Ethernet modules also forward the first fragment instead of using the

ACLs to permit or deny the fragment.

You can modify the handling of denied fragments. In addition, you can throttle the fragment rate on

an interface that used rule-based ACLs. Refer to “Dropping all fragments that exactly match a

flow-based ACL” on page72 and “Enabling ACL filtering of fragmented packets” on page 73.

Default ACL action

The default action when no ACLs is configured on a device is to permit all traffic. However, once you

configure an ACL and apply it to a port, the default action for that port is to deny all traffic that is

not explicitly permitted on the port:

•If you want to tightly control access, configure ACLs consisting of permit entries for the access

you want to permit. The ACLs implicitly deny all other access.