Features

To configure ACLs, you define them by number only, then apply them to an interface. Any number of entries can be defined in a single ACL and they may actually conflict, but they are analyzed in the order in which they appear in the show access-lists command.

Input and output filters are applied separately and an interface can have only one ACL applied to its input side, and one to its output side. Also, the ACL netmask is complemented. For example, 0.0.0.255 indicates that the least significant byte is ignored.

The XSR implementation of ACLs is limited by the following conditions:

The total number of ACL entries allowed is 500.

For crypto maps and ACLs applied to the same interface, the XSR gives precedence to the crypto map, which is always consulted before the ACL on a port for both inbound and outbound traffic. If IPSec encrypts or decrypts packets due to the crypto map configuration then the ACL is ignored.

The XSR can log ACL violations on a per-source IP, per-ACL group basis and periodically display a packet counter with the access-list log command. ACL violation logging is updated every five minutes but, as an alternative, you can control the log based on the number of packets denied or permitted with the access-list log-update threshold command. The functionality applies to both standard and extended access control lists. After the update is reported, the log is cleared for the entry with that source IP and ACL group.

Be aware that router performance will be affected by copying packet information for logging alarms and displaying alarms once every five minutes. Also, when reporting is enabled for every packet and too many packets must be logged, some message loss may occur due to flooding.

ACL Violations Alarm Example

The ACL violations alarm displays the ACL group (encompassing all ACL entries for that number), permit/deny action, source IP address and number of packets that arrived in the last five minutes. For example, if 11 packets originate from the server at IP address 15.15.15.2 and 20 packets derive from the server at IP address 21.21.7.5 with the following CLI configuration:

XSR(config)#access-list 101 deny ip 15.15.15.0 0.0.0.255 16.16.16.0 0.0.0.255 log
XSR(config)#access-list 101 permit ip 21.21.0.0 0.0.255.255 any any log

The first alarms logged will display as follows:

XSR(config)#access-list 101 deny 15.15.15.2 1 packet

XSR(config)#access-list 101 permit 21.21.7.5 1 packet

After five minutes, the alarms logged will display as follows:

XSR(config)#access-list 101 deny 15.15.15.2 10 packets

XSR(config)#access-list 101 permit 21.21.7.5 19 packets

Packet Filtering

Packet filtering is configured via standard and extended access-list commands. For more information, refer to the XSR CLI Reference Guide.

LANd Attack

Protection against LANd attacks is triggered when a packet arrives with the IP source address equal to the IP destination address. This is an illegal IP packet and it is discarded by the XSR when the protection is enabled with the HostDos command. See the Firewall section for more details.
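The following is an added example, not code from the Enterasys manual or the XSR firmware. It models the ACL behaviour described above in plain Python so the three points can be checked on sample input: the wildcard mask is a complemented netmask (0.0.0.255 ignores the least significant byte), entries in one ACL group are consulted in configured order with the first match winning, and the per-source IP, per-ACL group violation counters are reported after the first packet, again at each periodic report (or when a log-update threshold is reached), and cleared afterwards. It also drops a LANd packet (source IP equal to destination IP) before the ACL lookup, as HostDoS protection does. The simplified CLI grammar parsed here, the implicit final deny, and the exact way a threshold interacts with the counters are assumptions for the example; the two ACL lines are the page's, with the second written with a single any.

```python
"""Added example (not from the Enterasys manual): model of XSR ACL matching,
violation logging and LANd protection as described in the text."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    acl: int
    action: str          # "permit" or "deny"
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    log: bool


def ip2int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """Wildcard bits set to 1 are ignored; only the 0 bits are compared.
    This is the complemented netmask the text describes (0.0.0.255 ignores
    the least significant byte)."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list N deny|permit ip SRC WILD|any DST WILD|any [log]'.
    Simplified grammar assumed for this example; the real CLI accepts more."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported line: {line}")
    acl, action = int(tok[1]), tok[2]
    i = 4

    def addr_spec():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return 0, 0xFFFFFFFF          # any: base 0.0.0.0, every bit ignored
        base, wild = ip2int(tok[i]), ip2int(tok[i + 1])
        i += 2
        return base, wild

    src, src_wild = addr_spec()
    dst, dst_wild = addr_spec()
    log = i < len(tok) and tok[i] == "log"
    return AclEntry(acl, action, src, src_wild, dst, dst_wild, log)


class AclGroup:
    """All entries sharing one ACL number, consulted in configured order."""
    def __init__(self, entries):
        self.entries = list(entries)
        self.number = self.entries[0].acl

    def lookup(self, src: int, dst: int) -> Optional[AclEntry]:
        for e in self.entries:            # first match wins
            if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
                return e
        return None                       # no match: implicit deny assumed, not logged


class ViolationLog:
    """Per-(ACL group, action, source IP) counters in the style of the
    access-list log alarm: the first packet for a key is reported at once,
    later packets accumulate until report() (the five-minute timer) or until
    `threshold` packets are pending (log-update threshold), then the entry is
    cleared. The threshold handling is a modelling assumption."""
    def __init__(self, threshold: Optional[int] = None):
        self.threshold = threshold
        self.pending = {}                 # (acl, action, src) -> packets since last alarm

    @staticmethod
    def _fmt(acl, action, src, n):
        return f"access-list {acl} {action} {src} {n} packet{'s' if n != 1 else ''}"

    def record(self, acl: int, action: str, src: str) -> Optional[str]:
        key = (acl, action, src)
        if key not in self.pending:
            self.pending[key] = 0
            return self._fmt(acl, action, src, 1)
        self.pending[key] += 1
        if self.threshold is not None and self.pending[key] >= self.threshold:
            return self._fmt(acl, action, src, self.pending.pop(key))
        return None

    def report(self) -> list:
        out = [self._fmt(a, act, s, n) for (a, act, s), n in self.pending.items() if n > 0]
        self.pending.clear()              # log cleared after the update is reported
        return out


def process_packets(group: AclGroup, log: ViolationLog, packets):
    """LANd protection first, then the ACL; returns (verdicts, immediate alarms)."""
    verdicts, alarms = [], []
    for src, dst in packets:
        if src == dst:                    # LANd: illegal packet, discarded before the ACL
            verdicts.append((src, dst, "drop-land"))
            continue
        e = group.lookup(ip2int(src), ip2int(dst))
        verdicts.append((src, dst, e.action if e else "deny"))
        if e and e.log:
            msg = log.record(group.number, e.action, src)
            if msg:
                alarms.append(msg)
    return verdicts, alarms


PAGE_ACL = [
    "access-list 101 deny ip 15.15.15.0 0.0.0.255 16.16.16.0 0.0.0.255 log",
    "access-list 101 permit ip 21.21.0.0 0.0.255.255 any log",   # page's second entry, single 'any'
]


def demo():
    """Replay the text's scenario on constructed packets: 11 from 15.15.15.2,
    20 from 21.21.7.5, one unmatched packet and one LANd packet."""
    group = AclGroup(parse_acl_line(l) for l in PAGE_ACL)
    log = ViolationLog()
    packets = ([("15.15.15.2", "16.16.16.9")] * 11
               + [("21.21.7.5", "10.0.0.1")] * 20
               + [("10.1.1.1", "10.2.2.2"), ("192.0.2.7", "192.0.2.7")])
    verdicts, first_alarms = process_packets(group, log, packets)
    return verdicts, first_alarms, log.report()


if __name__ == "__main__":
    v, first, periodic = demo()
    print("\n".join(first + ["--- five minutes later ---"] + periodic))
```

Running the block reproduces the alarm sequence shown in the text (one packet reported immediately for each source, then 10 and 19 packets at the periodic update), and shows that the unmatched packet is dropped silently while the LANd packet never reaches the ACL.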

16-2 Configuring Security on the XSR

Enterasys Networks X-Pedition™ manual: Packet Filtering, LANd Attack, ACL Violations Alarm Example