ServerIron ADX NAT64 Configuration Guide 85
53-1002444-02
• IGMP
• IGRP
• IP
• OSPF
• TCP
• UDP
• Protocol number, if an ACL is configured for a protocol not listed above
For TCP and UDP, a separate set of statistics is listed for each application port.
Clearing flow-based ACL statistics
To clear the ACL statistics, enter the following command at the Privileged EXEC level of the CLI.
ServerIronADX(config)# clear ip acl-traffic
Syntax: clear ip acl-traffic
Dropping all fragments that exactly match a flow-based ACL
For a packet fragment that is sent to the CPU for processing, the device compares the fragment’s
source and destination IP addresses against the interface’s ACL entries. By default, if the
fragment’s source and destination IP addresses exactly match an ACL entry that also has Layer 4
information (source and destination TCP or UDP application ports), the device permits or denies the
fragment according to the ACL.
On an individual interface basis, you can configure an IronCore device to automatically drop a
fragment whose source and destination IP addresses exactly match an ACL entry that has Layer 4
information, even if that ACL entry’s action is permit. To do so, enter the following command at the
configuration level for an interface.
ServerIronADX(config-if-1/1)# ip access-group frag deny
Syntax: [no] ip access-group frag deny
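The following Python model of the fragment decision described above is an added example, not Brocade code or output. The AclEntry fields, the function names and the sample ACL are constructed for illustration, and address matching by network containment is an assumption about what "exactly match" means. Cases the text does not describe return None.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    action: str        # "permit" or "deny"
    src: str           # source network, CIDR form (assumed representation)
    dst: str           # destination network, CIDR form
    has_l4: bool       # True when the entry names TCP/UDP application ports


def fragment_verdict(src: str, dst: str, acl: List[AclEntry],
                     frag_deny: bool = False) -> Optional[str]:
    """Verdict for a CPU-processed fragment, compared on IP addresses only."""
    for entry in acl:
        if not entry.has_l4:
            continue  # the text covers only entries that carry Layer 4 information
        if (ip_address(src) in ip_network(entry.src)
                and ip_address(dst) in ip_network(entry.dst)):
            # Default: follow the entry's action.
            # With "ip access-group frag deny": drop even when the action is permit.
            return "deny" if frag_deny else entry.action
    return None  # no matching Layer 4 entry: not described in this section


# Constructed sample ACL (hypothetical addresses).
SAMPLE_ACL = [
    AclEntry("permit", "10.1.1.0/24", "10.2.2.10/32", has_l4=True),
    AclEntry("deny", "10.1.1.0/24", "10.2.2.20/32", has_l4=True),
    AclEntry("permit", "0.0.0.0/0", "0.0.0.0/0", has_l4=False),
]


def compare(flows: List[Tuple[str, str]]) -> list:
    """Return (src, dst, default verdict, verdict with frag deny) per flow."""
    return [(s, d,
             fragment_verdict(s, d, SAMPLE_ACL),
             fragment_verdict(s, d, SAMPLE_ACL, frag_deny=True))
            for s, d in flows]


if __name__ == "__main__":
    for row in compare([("10.1.1.5", "10.2.2.10"),
                        ("10.1.1.5", "10.2.2.20"),
                        ("10.9.9.9", "10.2.2.10")]):
        print(row)
```

The first flow is the one the setting changes: its fragments follow the permit entry by default and are dropped once frag deny is configured on the interface.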
Clearing the ACL statistics
Statistics on the ACL account report can be cleared:
• When a software reload occurs
• When the ACL is bound to or unbound from an interface
• When you enter the clear access-list command, as in the following example.
ServerIronADX(config)# clear access-list all
Syntax: clear access-list all | ethernet <slot>/<port>
Enter all to clear all statistics for all ACLs.
Use ethernet <slot>/<port> to clear statistics for ACLs on a physical port.