ServerIron ADX Security Guide 75
53-1002440-03
Enabling hardware filtering for packets denied by flow-based ACLs 2
The <num> parameter specifies the maximum number of fragments the device or an individual interface can receive and send to the CPU in a one-second interval.
frag-rate-on-system – Sets the threshold for the entire device. The device can send to the CPU only the number of fragments you specify per second, regardless of which interfaces the fragments come in on. If the threshold is exceeded, the device takes the exceed action you specify.
frag-rate-on-interface – Sets the threshold for individual interfaces. If an individual interface receives more than the specified maximum number of fragments, the device takes the exceed action you specify.
The <num> parameter specifies the maximum number of fragments per second. For frag-rate-on-system, you can specify from 600 – 12800. The default is 6400. For frag-rate-on-interface, you can specify from 300 – 8000. The default is 4000.
The drop | forward parameter specifies the action to take if the threshold (<num> parameter) is exceeded:
drop – fragments are dropped without filtering by the ACLs
forward – fragments are forwarded in hardware without filtering by the ACLs
The <mins> parameter specifies the number of minutes the device will enforce the drop or forward action after a threshold has been exceeded. You can specify from 1 – 30 minutes, for frag-rate-on-system or frag-rate-on-interface.
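The following Python model is an added illustration of how the two thresholds, the exceed action and the <mins> hold time interact; it is not ServerIron ADX code. It counts fragments per one-second window, device-wide and per port, enforces the configured ranges from the text, and once a threshold is exceeded applies the drop or forward action for the configured number of minutes regardless of the rate seen afterwards. The port names and timestamps in the usage section are constructed.

```python
"""Model of the fragment-rate thresholds described above. Added illustration,
not ServerIron ADX code: it counts fragments per one-second window, device-wide
and per interface, and once a threshold is exceeded applies the configured
exceed action (drop or forward) for the configured number of minutes."""
from collections import defaultdict

# Ranges and defaults as stated in the guide.
SYSTEM_RANGE, SYSTEM_DEFAULT = (600, 12800), 6400
INTERFACE_RANGE, INTERFACE_DEFAULT = (300, 8000), 4000
MINS_RANGE = (1, 30)


class FragRateGuard:
    def __init__(self, system_rate=SYSTEM_DEFAULT, interface_rate=INTERFACE_DEFAULT,
                 exceed_action="drop", hold_mins=1):
        checks = ((system_rate, SYSTEM_RANGE, "frag-rate-on-system"),
                  (interface_rate, INTERFACE_RANGE, "frag-rate-on-interface"),
                  (hold_mins, MINS_RANGE, "<mins>"))
        for value, (lo, hi), name in checks:
            if not lo <= value <= hi:
                raise ValueError(f"{name} must be {lo}-{hi}, got {value}")
        if exceed_action not in ("drop", "forward"):
            raise ValueError("exceed action must be 'drop' or 'forward'")
        self.system_rate = system_rate
        self.interface_rate = interface_rate
        self.exceed_action = exceed_action
        self.hold_secs = hold_mins * 60
        self._window = None            # integer second currently being counted
        self._system_count = 0
        self._port_count = defaultdict(int)
        self._system_until = None      # device-wide enforcement expiry (seconds)
        self._port_until = {}          # per-port enforcement expiry (seconds)
        self.log = []                  # messages in the Table 4 format

    def _roll_window(self, now):
        """Start a fresh one-second counting window when the clock reaches a new second."""
        sec = int(now)
        if sec != self._window:
            self._window, self._system_count = sec, 0
            self._port_count.clear()

    def fragment(self, now, port):
        """Handle one fragment arriving at time `now` (seconds) on `port`.
        Returns 'inspect' (sent to the CPU for ACL filtering), 'drop' or 'forward'."""
        self._roll_window(now)
        # An exceed action already in force applies regardless of the current rate.
        if self._system_until is not None and now < self._system_until:
            return self.exceed_action
        if port in self._port_until and now < self._port_until[port]:
            return self.exceed_action
        self._system_count += 1
        self._port_count[port] += 1
        if self._system_count > self.system_rate:
            self._system_until = now + self.hold_secs
            self.log.append(f"ACL system fragment packet inspect rate "
                            f"{self.system_rate} exceeded")
            return self.exceed_action
        if self._port_count[port] > self.interface_rate:
            self._port_until[port] = now + self.hold_secs
            self.log.append(f"ACL port fragment packet inspect rate "
                            f"{self.interface_rate} exceeded on port {port}")
            return self.exceed_action
        return "inspect"


def burst(guard, now, port, count):
    """Feed `count` fragments at the same instant; return the list of decisions."""
    return [guard.fragment(now, port) for _ in range(count)]


if __name__ == "__main__":
    # Constructed scenario: the lowest allowed per-interface threshold, one-minute hold.
    g = FragRateGuard(system_rate=600, interface_rate=300, exceed_action="drop", hold_mins=1)
    decisions = burst(g, 10.0, "1/1", 301)
    print(decisions.count("inspect"), "inspected,", decisions.count("drop"), "dropped")
    print(g.log)
```

The point the model makes explicit is the hold time: after the 301st fragment in a second trips the per-interface threshold, every fragment on that port for the next <mins> minutes gets the exceed action even if the rate falls to zero, while other ports stay unaffected until the device-wide threshold is reached.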

Syslog messages for exceeded fragment thresholds

If a fragment threshold is exceeded, the device generates one of the Syslog messages listed in Table 4.
Enabling hardware filtering for packets denied by flow-based ACLs
By default, packets denied by ACLs are filtered by the CPU. You can enable the device to create CAM entries for packets denied by ACLs. This causes the filtering to occur in hardware instead of in the CPU.
When you enable hardware filtering of denied packets, the first time the device filters a packet denied by an ACL, the device sends the packet to the CPU for processing. The CPU also creates a CAM entry for the denied packet. Subsequent packets with the same address information are filtered using the CAM entry. The CAM entry ages out after two minutes if not used.
To enable hardware filtering of denied packets, enter the following command at the global CONFIG level of the CLI.
ServerIronADX(config)# hw-drop-acl-denied-packet
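The Python model below is an added illustration of the CPU-then-CAM behaviour described above; it is not ServerIron ADX code. It shows that only the first denied packet of a flow reaches the CPU, that later packets with the same address information are handled by the installed entry, and that the entry disappears after two idle minutes so the next packet goes back to the CPU. Two details are assumptions made for the model: a CAM hit refreshes the entry's idle timer, and the address information is keyed as a (src, dst, protocol, sport, dport) tuple. The addresses and packet dictionaries are constructed.

```python
"""Model of hardware filtering for ACL-denied packets. Added illustration, not
ServerIron ADX code. The first packet a deny rule matches is processed by the
CPU, which installs a CAM entry keyed on the packet's address information;
later packets with the same addresses are dropped by that entry; an entry that
goes unused for two minutes ages out. Assumed here: a CAM hit refreshes the
entry's idle timer, and the key is the (src, dst, protocol, sport, dport) tuple."""

CAM_AGE_SECS = 120  # "ages out after two minutes if not used"


class DenyCamModel:
    def __init__(self, is_denied, hw_drop_enabled=True):
        self.is_denied = is_denied              # callable(packet) -> True if an ACL denies it
        self.hw_drop_enabled = hw_drop_enabled  # hw-drop-acl-denied-packet configured?
        self.cam = {}                           # address key -> time of last use
        self.cpu_drops = 0                      # denied packets that reached the CPU

    @staticmethod
    def key(packet):
        # Assumed key: the packet's L3/L4 address information.
        return (packet["src"], packet["dst"], packet["proto"],
                packet.get("sport"), packet.get("dport"))

    def handle(self, now, packet):
        """Return 'permit' (not modelled further), 'cpu-drop' or 'hw-drop'."""
        if not self.is_denied(packet):
            return "permit"
        k = self.key(packet)
        if self.hw_drop_enabled:
            last = self.cam.get(k)
            if last is not None and now - last < CAM_AGE_SECS:
                self.cam[k] = now               # entry used: idle timer restarts
                return "hw-drop"
            self.cam[k] = now                   # CPU filters the packet and installs the entry
        self.cpu_drops += 1
        return "cpu-drop"

    def age_out(self, now):
        """Remove entries idle for two minutes or more; return how many were removed."""
        stale = [k for k, last in self.cam.items() if now - last >= CAM_AGE_SECS]
        for k in stale:
            del self.cam[k]
        return len(stale)


def deny_from_host(host):
    """Build a deny predicate for one source address (stand-in for an ACL deny entry)."""
    return lambda packet: packet["src"] == host


if __name__ == "__main__":
    # Constructed flow: one denied source sending the same 5-tuple over several minutes.
    model = DenyCamModel(deny_from_host("192.0.2.10"))
    pkt = {"src": "192.0.2.10", "dst": "198.51.100.5", "proto": "tcp",
           "sport": 40000, "dport": 80}
    for t in (0, 1, 100, 219, 340):
        print(t, model.handle(t, pkt))
    print("CPU drops:", model.cpu_drops)
```

Running the stand-alone section shows the second CPU drop at t=340: the entry last used at t=219 had been idle for more than two minutes, so the flow was re-learned. With hw_drop_enabled=False (the default behaviour) every denied packet is a CPU drop.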
TABLE 4 Syslog messages for exceeded fragment threshold

Message level: Notification
Message: ACL system fragment packet inspect rate <rate> exceeded
Explanation: The <rate> indicates the maximum rate allowed.

Message level: Notification
Message: ACL port fragment packet inspect rate <rate> exceeded on port <portnum>
Explanation: The <rate> indicates the maximum rate allowed. The <portnum> indicates the port.
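As an added example for handling the Table 4 messages on a log collector (not code from the guide), the Python below parses both message forms, counts alerts per scope and port, and flags any alert whose reported <rate> differs from the threshold you expect to be configured, which is a cheap check that the running configuration matches the intended one. The log lines are constructed; the timestamp and hostname prefix is an assumed syslog layout, and the parser only relies on the message text defined in Table 4.

```python
"""Parser and summary for the fragment-threshold Syslog messages in Table 4.
Added example, not ServerIron ADX code; sample lines are constructed."""
import re

# Message texts from Table 4; <rate> and <portnum> become named groups.
SYSTEM_RE = re.compile(r"ACL system fragment packet inspect rate (?P<rate>\d+) exceeded")
PORT_RE = re.compile(r"ACL port fragment packet inspect rate (?P<rate>\d+) exceeded "
                     r"on port (?P<port>\S+)")

# Constructed sample log; the prefix layout is an assumption, only the message text matters.
SAMPLE_LOG = [
    "Jan 10 12:00:01 sladx1 ACL port fragment packet inspect rate 4000 exceeded on port 1/3",
    "Jan 10 12:00:02 sladx1 ACL system fragment packet inspect rate 6400 exceeded",
    "Jan 10 12:00:05 sladx1 ACL port fragment packet inspect rate 4000 exceeded on port 1/3",
    "Jan 10 12:01:10 sladx1 ACL port fragment packet inspect rate 2000 exceeded on port 1/7",
    "Jan 10 12:01:11 sladx1 some unrelated message",
]


def parse_fragment_alert(line):
    """Return {'scope', 'rate', 'port'} for a Table 4 message, or None for any other line."""
    m = PORT_RE.search(line)
    if m:
        return {"scope": "port", "rate": int(m.group("rate")), "port": m.group("port")}
    m = SYSTEM_RE.search(line)
    if m:
        return {"scope": "system", "rate": int(m.group("rate")), "port": None}
    return None


def summarize(lines, configured):
    """Count alerts per scope/port and list alerts whose rate is not the configured threshold.

    `configured` maps 'system' and 'port' to the thresholds you expect the device to
    enforce (for example the defaults 6400 and 4000). A mismatch means the device is
    running a different frag-rate setting than the one you intended."""
    counts = {"system": 0, "port": {}}
    mismatched = []
    for line in lines:
        alert = parse_fragment_alert(line)
        if alert is None:
            continue
        if alert["scope"] == "system":
            counts["system"] += 1
        else:
            counts["port"][alert["port"]] = counts["port"].get(alert["port"], 0) + 1
        if alert["rate"] != configured[alert["scope"]]:
            mismatched.append(alert)
    return {"counts": counts, "mismatched": mismatched}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, {"system": 6400, "port": 4000})
    print(report["counts"])
    for alert in report["mismatched"]:
        print("threshold differs from expected:", alert)
```

Repeated per-port alerts (port 1/3 above) point at the interface to look at first, while a system-level alert means the aggregate across all ports crossed the device-wide threshold even if no single port did.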