Occasional Visitor
Posts: 1
Registered: ‎07-20-2015

ICX6450 Block fragment?

We are trying to tune our ICX6450 switches, to prevent certain malicious traffic.
Most of the ACLs are in place and properly working, but I am not able to use the fragments attribute, as it does not appear to exist.


xxxxxxxxxxxxxxxxxx(config)#access-list 102 deny udp any any fragment
Invalid input -> fragment


I know our SW version 07.4.00bT313 is fairly obsolete, so I am not sure whether the access-list variable fragments simply isn't part of that OS version or not?

I would appreciate it if anyone could shed some light on this.

Frequent Contributor
Posts: 134
Registered: ‎07-20-2015

Re: ICX6450 Block fragment?

It does not appear to be available in the code on the ICX 6450 for me either...

Specifically, I am looking at an ICX6450-C12-PD running the most recent Router code ICX64R08030a and bootrom 10.1.05T310

!
ver 08.0.30aT313
!

I am licensed: ICX6450_BASE_ROUTER_SOFT_PACKAGE

SSH@MYSWITHCNAME(config)# access-list 102 deny udp any any ?
802.1p-priority-marking Mark packets with 802.1p priority value
802.1p-priority-matching Match UDP packets with given 802.1p priority value
dscp-marking Mark UDP packets with DSCP and COS parameters
dscp-matching Match UDP packets with given DSCP value
eq Match only packets on a given port number
gt Match only packets with a greater port number
internal-priority-marking Set internal queuing priority (traffic class)
log Log matches against this entry
lt Match only packets with a lower port number
mirror mirror traffic that matches against this entry
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
tos Match packets with given TOS value
traffic-policy Attach traffic policy by name
<cr>

Frequent Contributor
Posts: 134
Registered: ‎07-20-2015

Re: ICX6450 Block fragment?

If you tell me what you are trying to accomplish, I could probably come up with some pointers, in that there is usually more than one way to accomplish a particular goal.

Personally, I never tried to turn any of our switches into a firewall though.

The ONLY traffic I generally put an access list on is Management Traffic.

Usually, I do something like this (with a Standard Access List):

access-list 99 permit 10.0.1.0 0.0.255.255

<implicit deny>

Then I set up SSH (with the highest bit encryption and ONLY secure web management)...

Tag the services with that ACL:

ssh access-group 99

web access-group 99

no web-management http

no telnet server

You get the idea...  You can do the same with community strings.

For example:

snmp-server community ..... ro 99
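As an added example (not from the thread and not Brocade's own code), here is a small Python audit that checks a FastIron-style running config for the management-plane hardening described in the post above (ACL bound to SSH, web and SNMP, HTTP and telnet disabled) and expands the standard ACL's wildcard mask into the network it actually matches. The config text is constructed for the example and deliberately leaves the ACL off the SNMP community so that check fails; the function names are assumptions of mine.

```python
import ipaddress
import re

# Constructed sample config, modelled on the commands quoted in the thread.
# The snmp-server line intentionally has no ACL number at the end.
SAMPLE_CONFIG = """\
access-list 99 permit 10.0.1.0 0.0.255.255
ssh access-group 99
web access-group 99
no web-management http
no telnet server
snmp-server community public ro
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Expand an address + wildcard mask into the network the ACL entry really matches.

    Wildcard bits set to 1 are "don't care", so the subnet mask is the bitwise inverse.
    Only contiguous wildcard masks (the usual case for a standard ACL) are supported.
    """
    mask = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address((~mask) & 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def audit_management_plane(config: str) -> dict:
    """Return check name -> bool for the hardening steps described in the thread."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Standard ACLs that are actually defined; a binding to a missing ACL is not protection.
    acl_ids = {m.group(1) for l in lines if (m := re.match(r"access-list (\d+) permit", l))}

    def bound(service: str) -> bool:
        """True if '<service> access-group N' references an ACL that exists."""
        return any(
            (m := re.match(rf"{service} access-group (\d+)", l)) and m.group(1) in acl_ids
            for l in lines
        )

    # "snmp-server community NAME ro|rw ACL": the 5th token must be a defined ACL.
    snmp_ok = all(
        len(l.split()) >= 5 and l.split()[4] in acl_ids
        for l in lines if l.startswith("snmp-server community")
    )
    return {
        "ssh_acl": bound("ssh"),
        "web_acl": bound("web"),
        "http_disabled": "no web-management http" in lines,
        "telnet_disabled": "no telnet server" in lines,
        "snmp_acl": snmp_ok,
    }
```

Running `wildcard_to_network("10.0.1.0", "0.0.255.255")` shows that the quoted entry matches all of 10.0.0.0/16, since the third octet is a don't-care under that mask.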
