Ethernet Switches & Routers

Occasional Visitor
Posts: 1
Registered: 07-20-2015

ICX6450 Block fragment?

We are trying to tune our ICX6450 switches to prevent certain malicious traffic.
Most of the ACLs are in place and working properly, but I am not able to use the fragments attribute, as it does not appear to exist:


xxxxxxxxxxxxxxxxxx(config)#access-list 102 deny udp any any fragment
Invalid input -> fragment


I know our SW: Version 07.4.00bT313 is fairly obsolete, so I'm not sure whether the access-list variable fragments simply isn't part of that OS version or not?

I'd appreciate it if anyone can shed some light on this.

Frequent Contributor
Posts: 91
Registered: 07-20-2015

Re: ICX6450 Block fragment?

It does not appear to be available in the code on the ICX 6450 for me either...

Specifically, I am looking at an ICX6450-C12-PD running the most recent Router code ICX64R08030a and bootrom 10.1.05T310

!
ver 08.0.30aT313
!

I am licensed: ICX6450_BASE_ROUTER_SOFT_PACKAGE


SSH@MYSWITHCNAME(config)# access-list 102 deny udp any any ?
802.1p-priority-marking Mark packets with 802.1p priority value
802.1p-priority-matching Match UDP packets with given 802.1p priority value
dscp-marking Mark UDP packets with DSCP and COS parameters
dscp-matching Match UDP packets with given DSCP value
eq Match only packets on a given port number
gt Match only packets with a greater port number
internal-priority-marking Set internal queuing priority (traffic class)
log Log matches against this entry
lt Match only packets with a lower port number
mirror mirror traffic that matches against this entry
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
tos Match packets with given TOS value
traffic-policy Attach traffic policy by name
<cr>

Frequent Contributor
Posts: 91
Registered: 07-20-2015

Re: ICX6450 Block fragment?

If you tell me what you are trying to accomplish, I could probably come up with some pointers, in that there is usually more than one way to accomplish a particular goal.

Personally, I never tried to turn any of our switches into a firewall though.

The ONLY traffic I generally put an access list on is Management Traffic.

Usually, I do something like this (with a Standard Access List):

access-list 99 permit 10.0.1.0 0.0.255.255

<implicit deny>

Then I set up SSH (with the highest bit encryption and ONLY secure web management)...

Tag the services with that ACL:

ssh access-group 99

web access-group 99

no web-management http

no telnet server

You get the idea... You can do the same with community strings.

For example:

snmp-server community ..... ro 99
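The reply above relies on two things a standard access list does implicitly: the wildcard mask decides which address bits are compared, and every ACL ends with an implicit deny. Before tagging SSH, web management or an SNMP community with such a list, it is worth checking what the entry actually admits. The following Python script is an added example written for this thread; it is not code from the post or from the switch vendor. It parses a handful of standard-ACL lines in the syntax used above, evaluates a source address against them first-match-wins with the implicit deny, and converts each contiguous wildcard into the CIDR prefix it really covers. The sample addresses fed to it are constructed for the demonstration; the one ACL line it starts from is the one quoted in the reply.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class StdAclEntry:
    action: str      # "permit" or "deny"
    network: int     # address from the entry, as a 32-bit integer
    wildcard: int    # wildcard mask: a 1 bit means "don't care"


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(lines: List[str]) -> Tuple[int, List[StdAclEntry]]:
    """Parse 'access-list <n> permit|deny <addr> [<wildcard>]' lines.

    Accepts the 'any' and 'host <addr>' forms as well. A bare address with
    no wildcard is treated as a single host (wildcard 0.0.0.0).
    """
    number = None
    entries: List[StdAclEntry] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {raw!r}")
        n = int(tok[1])
        if number is None:
            number = n
        elif n != number:
            raise ValueError("lines belong to different ACL numbers")
        if tok[3] == "any":
            net, wc = 0, MASK32
        elif tok[3] == "host":
            net, wc = _ip(tok[4]), 0
        else:
            net = _ip(tok[3])
            wc = _ip(tok[4]) if len(tok) > 4 else 0
        entries.append(StdAclEntry(tok[2], net, wc))
    if number is None:
        raise ValueError("no ACL entries found")
    return number, entries


def entry_matches(entry: StdAclEntry, src: str) -> bool:
    # Only the bits that are 0 in the wildcard take part in the comparison.
    care = MASK32 & ~entry.wildcard
    return (_ip(src) & care) == (entry.network & care)


def evaluate(entries: List[StdAclEntry], src: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for entry in entries:
        if entry_matches(entry, src):
            return entry.action
    return "deny"


def effective_prefix(entry: StdAclEntry) -> Optional[str]:
    """Return the CIDR prefix a contiguous wildcard really covers, else None.

    A wildcard of the form 2**k - 1 (e.g. 0.0.255.255) masks the low k bits,
    so the entry is equivalent to one /(32-k) network. Non-contiguous
    wildcards cannot be expressed as a single prefix.
    """
    wc = entry.wildcard
    if (wc + 1) & wc != 0:
        return None
    host_bits = (wc + 1).bit_length() - 1
    return str(ipaddress.IPv4Network((entry.network, 32 - host_bits), strict=False))


if __name__ == "__main__":
    # The entry from the reply, plus two constructed sample lines.
    acl_number, acl = parse_standard_acl([
        "access-list 99 permit 10.0.1.0 0.0.255.255",
        "access-list 99 deny host 10.0.9.9",
        "access-list 99 permit any",
    ])
    print(f"ACL {acl_number}:")
    for e in acl:
        print(f"  {e.action:6} covers {effective_prefix(e) or 'non-contiguous wildcard'}")
    for src in ("10.0.1.25", "10.0.200.5", "10.0.9.9", "192.168.1.1"):
        print(f"  {src:12} -> {evaluate(acl, src)}")
```

Running it on the single entry from the reply shows that `10.0.1.0 0.0.255.255` covers `10.0.0.0/16`: the third octet is masked out, so a management session from `10.0.200.5` is permitted just like one from `10.0.1.25`. If the intent was only the `10.0.1.0/24` subnet, the wildcard to use would be `0.0.0.255`, and this kind of check is what catches the difference before the list is attached to `ssh access-group` or the SNMP community.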
