Ethernet Switches & Routers

Occasional Visitor
Posts: 1
Registered: ‎07-20-2015

ICX6450 Block fragment?

We are trying to tune our ICX6450 switches, to prevent certain malicious traffic.
Most of the ACLs are in place and working properly, but I am not able to use the fragments attribute, as it does not appear to exist:

xxxxxxxxxxxxxxxxxx(config)#access-list 102 deny udp any any fragment
Invalid input -> fragment

I know our SW version 07.4.00bT313 is fairly obsolete, so I am not sure whether the access-list variable fragments simply isn't part of that OS version?

I would appreciate it if anyone could shed some light on this.

Frequent Contributor
Posts: 137
Registered: ‎07-20-2015

Re: ICX6450 Block fragment?

It does not appear to be available in the code on the ICX 6450 for me either...


Specifically, I am looking at an ICX6450-C12-PD running the most recent Router code ICX64R08030a and bootrom 10.1.05T310

ver 08.0.30aT313

SSH@MYSWITHCNAME(config)# access-list 102 deny udp any any ?
802.1p-priority-marking Mark packets with 802.1p priority value
802.1p-priority-matching Match UDP packets with given 802.1p priority
dscp-marking Mark UDP packets with DSCP and COS parameters
dscp-matching Match UDP packets with given DSCP value
eq Match only packets on a given port number
gt Match only packets with a greater port number
internal-priority-marking Set internal queuing priority (traffic class)
log Log matches against this entry
lt Match only packets with a lower port number
mirror mirror traffic that matches against this entry
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
tos Match packets with given TOS value
traffic-policy Attach traffic policy by name

Frequent Contributor
Posts: 137
Registered: ‎07-20-2015

Re: ICX6450 Block fragment?

If you tell me what you are trying to accomplish, I could probably come up with some pointers, as there is usually more than one way to accomplish a particular goal.

Personally, I have never tried to turn any of our switches into a firewall though.

The ONLY traffic I generally put an access list on is Management Traffic.

Usually, I do something like this (with a Standard Access List):

access-list 99 permit

<implicit deny>

Then I set up SSH (with the highest bit encryption and ONLY secure web management)...

Tag the services with that ACL:

ssh access-group 99

web access-group 99

no web-management http

no telnet server

You get the idea... You can do the same with community strings.

For example:

snmp-server community ..... ro 99
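As an added example (not code from the thread or from Brocade), here is a small audit script that checks a saved running-config for the management-plane hardening the post above describes: SSH, web management and each SNMP community bound to a standard ACL, and the cleartext services disabled. The sample config is constructed, and the exact line formats FastIron prints are assumptions.

```python
import re

# Constructed running-config excerpt modelled on the management-plane hardening
# described in the post above. Addresses and the community string are
# placeholders; the exact line formats are assumptions about FastIron output.
SAMPLE_CONFIG = """\
access-list 99 permit host 10.0.0.5
access-list 99 permit 10.0.1.0 0.0.0.255
ssh access-group 99
web access-group 99
no web-management http
snmp-server community PLACEHOLDER-COMMUNITY ro
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")
GROUP_RE = re.compile(r"^(ssh|web)\s+access-group\s+(\d+)$")
SNMP_RE = re.compile(r"^snmp-server community\s+(\S+)\s+(ro|rw)(?:\s+(\d+))?$")


def audit_management_plane(config):
    """Return findings for the checks the thread suggests: SSH, web and every
    SNMP community are bound to a standard ACL that does not permit 'any',
    and the cleartext services (HTTP management, telnet) are disabled."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acls, bound, findings = {}, {}, []
    for ln in lines:
        if m := ACL_RE.match(ln):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
        elif m := GROUP_RE.match(ln):
            bound[m.group(1)] = m.group(2)

    def check_acl(acl_id, service):
        if acl_id is None:
            findings.append(f"{service}: no access-group applied")
        elif acl_id not in acls:
            findings.append(f"{service}: access-list {acl_id} is referenced but not defined")
        elif any(a == "permit" and src == "any" for a, src in acls[acl_id]):
            findings.append(f"{service}: access-list {acl_id} permits any source")

    for service in ("ssh", "web"):
        check_acl(bound.get(service), service)
    for ln in lines:
        if m := SNMP_RE.match(ln):  # community with no ACL number is reachable from anywhere
            check_acl(m.group(3), f"snmp community {m.group(1)}")
    if "no web-management http" not in lines:
        findings.append("web-management http is not disabled (cleartext management)")
    if "no telnet server" not in lines:
        findings.append("telnet server is not disabled (cleartext management)")
    return findings
```

On the sample above it reports the unbound SNMP community and the still-enabled telnet server; with `ro 99` and `no telnet server` added it reports nothing.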
