Brocade Communications Systems ServerIron ADX 12.4.00 Service Manual Page 99
- Page / 149
- Table of contents
- BOOKMARKS
Rated. / 5. Based on customer reviews
ServerIron ADX NAT64 Configuration Guide 87
53-1002444-02
Enabling ACL filtering of fragmented packets
5
DRAFT: BROCADE CONFIDENTIAL
You can protect against fragment flooding by specifying the maximum number of fragments the
device or an individual interface is allowed to send to the CPU in a one-second interval. If the device
or an interface receives more than the specified number of fragments in a one-second interval, the
device either drops or forwards subsequent fragments in hardware, depending on the action you
specify. In addition, the device starts a holddown timer and continues to either drop or forward
fragments until the holddown time expires.
The device also generates a syslog message.
To specify the maximum fragment rate per second, enter commands such as the following.
The first command sets the fragment threshold at 15,000 per second, for the entire device. If the
device receives more than 15,000 packet fragments in a one-second interval, the device takes the
specified action. The action specified with this command is to drop the excess fragments and
continue dropping fragments for a holddown time of ten minutes. After the ten minutes have
passed, the device starts sending fragments to the CPU again for processing.
The second command sets the fragment threshold at 5,000 for individual interfaces. If any
interface on the device receives more than 5,000 fragments in a one-second interval, the device
takes the specified action. In this case, the action is to forward the fragments in hardware without
filtering them. The device continues forwarding fragments in hardware for five minutes before
beginning to send fragments to the CPU again.
Both thresholds apply to the entire device. Thus, if an individual interface’s fragment threshold is
exceeded, the drop or forward action and the holddown time apply to all fragments received by the
device.
Syntax: [no] ip access-list frag-rate-on-sys <num> exceed-action deny | forward reset-interval
<mins>
and
Syntax: [no] ip access-list frag-rate-on-interface <num> exceed-action drop | forward reset-interval
<mins>
The <num> parameter specifies the maximum number of fragments the device or an individual
interface can receive and send to the CPU in a one-second interval.
• frag-rate-on-sys: Sets the threshold for the entire device. The device can send to the CPU only
the number of fragments you specify per second, regardless of which interfaces the fragments
come in on. If the threshold is exceeded, the device takes the exceed action you specify.
• frag-rate-on-interface: Sets the threshold for individual interfaces. If an individual interface
receives more than the specified maximum number of fragments, the device takes the exceed
action you specify.
The <num> parameter specifies the maximum number of fragments per second.
• For frag-rate-on-system, you can specify from 600 through 12800. The default is 6400.
• For frag-rate-on-interface, you can specify from 300 through 8000. The default is 4000.
The drop | forward parameter specifies the action to take if the threshold (<num> parameter) is
exceeded:
• drop: Fragments are dropped without filtering by the ACLs
ServerIronADX(config)# ip access-list frag-rate-on-sys 15000 exceed-action deny
reset-interval 10
ServerIronADX(config)#ip access-list frag-rate-on-interface 5000 exceed-action
forward reset-interval 5
- ServerIron ADX 1
- Document History 2
- Contents 3
- About This Document 9
- Command syntax conventions 10
- Notice to the reader 11
- Related publications 11
- Getting technical help 11
- NAT64 and NAT46 Overview 13
- Stateless NAT46 translation 14
- Protocol support 15
- NAT64 fragmentation support 17
- References 18
- Stateful NAT64 Configuration 19
- Operation of stateful NAT64 20
- 53-1002444-02 23
- Enabling connection logging 28
- Displaying NAT64 information 31
- Displaying NAT64 translations 32
- Displaying NAT64 statistics 33
- Displaying NAT64 resources 37
- Stateless NAT64 Configuration 39
- Operation of stateless NAT64 40
- High availability for NAT64 52
- Clearing NAT64 information 53
- Stateless NAT46 Configuration 55
- Operation of stateless NAT46 56
- High availability for NAT46 67
- Displaying NAT46 information 68
- Clearing NAT46 information 69
- Access Control Lists 71
- Rule-based ACLs 72
- Default ACL action 74
- ACL IDs and entries 74
- Configuring rule-based ACLs 77
- Modifying rule-based ACLs 85
- Reordering ACLs 86
- Applying ACLs to interfaces 87
- Adding comments to named ACLs 89
- ACL logging 94
- Displaying ACL log entries 95
- Clearing the ACL statistics 97
- Throttling the fragment rate 98
- DRAFT: BROCADE CONFIDENTIAL 100
- Enabling strict TCP mode 101
- Enabling strict UDP mode 102
- ACLs and ICMP 103
- Numbered ACLs 104
- Named ACLs 105
- • Enable the strict TCP mode 107
- IPv6 Access Control Lists 109
- Configuration notes 110
- Processing of IPv6 ACLs 110
- Configuring IPv6 ACLs 111
- IPv6 ACL syntax 114
- Syntax Description 116
- Displaying IPv6 ACLs 118
- Logging IPv6 ACLs 119
- Network Address Translation 121
- Configuring NAT 122
- Configuring static NAT 123
- Configuring dynamic NAT 123
- Enabling IP NAT 124
- NAT configuration examples 125
- IP NAT with VIP overlap 129
- Translation timeouts 130
- Stateless static IP NAT 132
- IP NAT redundancy 133
- Displaying NAT information 144
- Displaying NAT translation 147
- Displaying VRRPE information 148
Related products and manuals for Network switches Brocade Communications Systems ServerIron ADX 12.4.00
(16 pages)
(82 pages)© 2020, manymanuals.com. All rights reserved. | 0.440 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comments to this Manuals