From: Capt.Spock (capt.spock@gmail.com)
Date: Thu Mar 03 2005 - 16:52:45 GMT-3
There is an explanation above the example...
The first fragment of the IP packet is considered a nonfragment and is
treated independently of the subsequent fragments. An initial fragment
will not match an access list permit or deny entry that contains the
fragments keyword; the packet is compared to the next access list
entry, and so on, until it is either permitted or denied by an access
list entry that does not contain the fragments keyword. Therefore, you
may need two access list entries for every deny entry. The first deny
entry of the pair will not include the fragments keyword, and applies
to the initial fragment. The second deny entry of the pair will
include the fragments keyword and applies to the subsequent fragments.
In the cases where there are multiple deny access list entries for the
same host but with different Layer 4 ports, a single deny access-list
entry with the fragments keyword for that host is all that needs to be
added. Thus all the fragments of a packet are handled in the same
manner by the access list.
On Thu, 3 Mar 2005 09:49:04 -0800, marvin greenlee
<marvin@ccbootcamp.com> wrote:
> The router will not let you specify both.
>
> Router(config)#access-list 101 deny tcp any host 1.1.1.1 eq 80 ?
> ack Match on the ACK bit
> dscp Match packets with given dscp value
> established Match established connections
> fin Match on the FIN bit
> log Log matches against this entry
> log-input Log matches against this entry, including input interface
> precedence Match packets with given precedence value
> psh Match on the PSH bit
> rst Match on the RST bit
> syn Match on the SYN bit
> time-range Specify a time-range
> tos Match packets with given TOS value
> urg Match on the URG bit
> <cr>
>
> Router(config)#access-list 101 deny tcp any host 1.1.1.1 frag ?
> dscp Match packets with given dscp value
> log Log matches against this entry
> log-input Log matches against this entry, including input interface
> precedence Match packets with given precedence value
> time-range Specify a time-range
> tos Match packets with given TOS value
> <cr>
>
> Marvin Greenlee, CCIE#12237, CCSI# 30483
> Network Learning Inc
> marvin@ccbootcamp.com
> www.ccbootcamp.com (Cisco Training)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Matt
> White
> Sent: Thursday, March 03, 2005 7:43 AM
> To: ccielab@groupstudy.com
> Subject: Fragment control in access-lists. [bcc][faked-from]
> Importance: Low
>
> According to the example on the Doc CD (link below), that in order to
> deny fragments to, say, a web server, you initially need to deny
> fragments to everything then permit 80 in.
>
> Can someone explain why you cannot initially deny fragments to just
> port 80, or am I just completely off base here?
>
> Thanks.
>
> !
> access-list 101 deny ip any host 1.1.1.1 fragments
> access-list 101 permit tcp any host 1.1.1.1 eq 80
> access-list 101 deny ip any any
> !
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr
> _c/ipcprt1/1cfip.htm#1129413
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
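Added example, not written by anyone in this thread and not Cisco code: a small Python model of how the access list above evaluates fragments, following the rule quoted at the top (entries with the `fragments` keyword are skipped for an initial fragment and apply only to subsequent fragments). How an entry with a port but without `fragments` treats a non-initial fragment (it carries no Layer 4 header, so a permit matches on its Layer 3 portion and a deny is skipped) is taken from Cisco's ACL fragment documentation rather than from this page and is marked as an assumption in the code; the sample packets are constructed. Running it on Matt's access-list 101 shows why the leading `deny ip any host 1.1.1.1 fragments` line is needed: without it, non-initial fragments of a packet to any port pass through the `permit tcp ... eq 80` entry.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" or "tcp"
    dst: str                    # "any" or a host address
    port: Optional[int] = None  # eq <port>; None for a Layer-3-only entry
    fragments: bool = False     # the `fragments` keyword is present

@dataclass
class Packet:
    proto: str
    dst: str
    port: Optional[int]         # None for a non-initial fragment (no L4 header)
    noninitial: bool = False    # True only for second and later fragments

def l3_match(e: Entry, p: Packet) -> bool:
    return e.proto in ("ip", p.proto) and e.dst in ("any", p.dst)

def evaluate(acl: list, p: Packet) -> str:
    # Walk the list top-down and return the action of the first matching entry.
    for e in acl:
        if not l3_match(e, p):
            continue
        if e.fragments:                  # applies to non-initial fragments only
            if p.noninitial:
                return e.action
            continue                     # initial fragment / non-fragment skips it
        if e.port is None:               # L3-only entry applies to all packets
            return e.action
        if p.noninitial:                 # no port to compare against
            if e.action == "permit":     # assumption: L3 match on a permit matches
                return "permit"
            continue                     # assumption: L4 deny entry is skipped
        if p.port == e.port:
            return e.action
    return "deny"                        # implicit deny at the end of the list

# Matt's access-list 101, and the same list without the `fragments` entry
ACL_101 = [Entry("deny", "ip", "1.1.1.1", fragments=True),
           Entry("permit", "tcp", "1.1.1.1", port=80),
           Entry("deny", "ip", "any")]
ACL_NO_FRAG = ACL_101[1:]

# Constructed packets: HTTP, a non-initial fragment to the host, and SSH
HTTP = Packet("tcp", "1.1.1.1", 80)
FRAG = Packet("tcp", "1.1.1.1", None, noninitial=True)
SSH = Packet("tcp", "1.1.1.1", 22)
```

`evaluate(ACL_101, FRAG)` returns "deny" while `evaluate(ACL_NO_FRAG, FRAG)` returns "permit", which is the difference the Doc CD example is built around.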
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:40 GMT-3