07-20-2015 05:54 AM
We are trying to tune our ICX6450 switches, to prevent certain malicious traffic.
Most of the ACLs are in place and working properly, but I am not able to use the fragments attribute, as it does not appear to exist:
xxxxxxxxxxxxxxxxxx(config)#access-list 102 deny udp any any fragment
Invalid input -> fragment
I know our SW: Version 07.4.00bT313 is fairly obsolete, so I'm not sure if the access-list variable fragments simply isn't part of that OS version or not?
I'd appreciate it if anyone could shed some light on this.
07-20-2015 12:34 PM
It does not appear to be available in the code on the ICX 6450 for me either...
Specifically, I am looking at an ICX6450-C12-PD running the most recent Router code ICX64R08030a and bootrom 10.1.05T310
I am licensed: ICX6450_BASE_ROUTER_SOFT_PACKAGE
SSH@MYSWITHCNAME(config)# access-list 102 deny udp any any ?
802.1p-priority-marking Mark packets with 802.1p priority value
802.1p-priority-matching Match UDP packets with given 802.1p priority
dscp-marking Mark UDP packets with DSCP and COS parameters
dscp-matching Match UDP packets with given DSCP value
eq Match only packets on a given port number
gt Match only packets with a greater port number
internal-priority-marking Set internal queuing priority (traffic class)
log Log matches against this entry
lt Match only packets with a lower port number
mirror mirror traffic that matches against this entry
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
tos Match packets with given TOS value
traffic-policy Attach traffic policy by name
07-20-2015 12:40 PM
If you tell me what you are trying to accomplish, I could probably come up with some pointers, as there is usually more than one way to accomplish a particular goal.
Personally, I never tried to turn any of our switches into a firewall though.
The ONLY traffic I generally put an access list on is Management Traffic.
Usually, I do something like this (with a Standard Access List):
access-list 99 permit 10.0.1.0 0.0.255.255
Then I set up SSH (with the highest bit encryption and ONLY secure web management)...
Tag the services with that ACL:
ssh access-group 99
web access-group 99
no web-management http
no telnet server
You get the idea... You can do the same with community strings.
snmp-server community ..... ro 99
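As an added example (not code from this thread or from Brocade), here is a small Python audit that reads a FastIron-style running config and reports management services that are not locked down the way the post above describes: SSH and web bound to a standard ACL, Telnet and plaintext HTTP disabled, and every SNMP community tied to an ACL. The config text, subnet and community strings are constructed, and the line syntax it matches is assumed to follow the commands shown in the post.

```python
import re

# Constructed sample running-config excerpt (not from the thread). It follows
# the pattern in the post: standard ACL 99 bound to SSH, web and SNMP.
# The "public ro" community is deliberately left without an ACL.
SAMPLE_CONFIG = """\
access-list 99 permit 10.0.1.0 0.0.0.255
ssh access-group 99
web access-group 99
no web-management http
no telnet server
snmp-server community public ro
snmp-server community s3cret rw 99
"""

MGMT_SERVICES = ("ssh", "web")


def audit_mgmt_acls(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # Standard ACLs that actually permit something (assumed line syntax).
    acls = {m.group(1) for l in lines
            if (m := re.match(r"access-list (\d+) permit ", l))}
    # Which ACL number each management service is bound to.
    bound = {m.group(1): m.group(2) for l in lines
             if (m := re.match(r"(ssh|web) access-group (\d+)$", l))}
    for svc in MGMT_SERVICES:
        if svc not in bound:
            findings.append(f"{svc}: no access-group bound")
        elif bound[svc] not in acls:
            findings.append(f"{svc}: access-group {bound[svc]} has no permit entries")
    if "no telnet server" not in lines:
        findings.append("telnet: server still enabled")
    if "no web-management http" not in lines:
        findings.append("web: plaintext HTTP management still enabled")
    # Each community string should carry a trailing ACL number.
    for l in lines:
        m = re.match(r"snmp-server community (\S+) (ro|rw)(?: (\d+))?$", l)
        if m is None:
            continue
        name, mode, acl = m.groups()
        if acl is None:
            findings.append(f"snmp: community '{name}' ({mode}) not restricted by ACL")
        elif acl not in acls:
            findings.append(f"snmp: community '{name}' uses ACL {acl} with no permit entries")
    return findings


if __name__ == "__main__":
    for finding in audit_mgmt_acls(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```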