RE: Fragment control in access-lists. [bcc][faked-from]

From: Edwards, Andrew M (andrew.m.edwards@boeing.com)
Date: Fri Mar 04 2005 - 16:45:05 GMT-3


So if I understand this correctly.

The first packet is not considered a fragment.

So, the first packet matches the second statement to permit web traffic.

Then all subsequent packets that ARE fragments will be matched by the
first ACL.

Yes?

-----Original Message-----
From: marvin greenlee [mailto:marvin@ccbootcamp.com]
Sent: Thursday, March 03, 2005 9:49 AM
To: 'Matt White'; ccielab@groupstudy.com
Subject: RE: Fragment control in access-lists. [bcc][faked-from]

The router will not let you specify both.

Router(config)#access-list 101 deny tcp any host 1.1.1.1 eq 80 ?
  ack Match on the ACK bit
  dscp Match packets with given dscp value
  established Match established connections
  fin Match on the FIN bit
  log Log matches against this entry
  log-input Log matches against this entry, including input interface
  precedence Match packets with given precedence value
  psh Match on the PSH bit
  rst Match on the RST bit
  syn Match on the SYN bit
  time-range Specify a time-range
  tos Match packets with given TOS value
  urg Match on the URG bit
  <cr>

Router(config)#access-list 101 deny tcp any host 1.1.1.1 frag ?
  dscp Match packets with given dscp value
  log Log matches against this entry
  log-input Log matches against this entry, including input interface
  precedence Match packets with given precedence value
  time-range Specify a time-range
  tos Match packets with given TOS value
  <cr>

Marvin Greenlee, CCIE#12237, CCSI# 30483
Network Learning Inc
marvin@ccbootcamp.com
www.ccbootcamp.com (Cisco Training)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Matt White
Sent: Thursday, March 03, 2005 7:43 AM
To: ccielab@groupstudy.com
Subject: Fragment control in access-lists. [bcc][faked-from]
Importance: Low

According to the example on the Doc CD (link below), in order to deny
fragments to, say, a web server, you initially need to deny fragments
to everything, then permit 80 in.

Can someone explain why you cannot initially deny fragments to just port
80, or am I just completely off base here?

Thanks.

!
access-list 101 deny ip any host 1.1.1.1 fragments
access-list 101 permit tcp any host 1.1.1.1 eq 80
access-list 101 deny ip any any
!

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfip.htm#1129413
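As an added illustration (not part of any message in this thread, and not Cisco's code), the following Python script simulates the IOS ACL fragment-matching rules the thread is about: an entry carrying the fragments keyword matches only non-initial fragments (fragment offset > 0), which carry no TCP header; an entry with a port qualifier (eq 80) permits a non-initial fragment whose Layer 3 fields match but cannot deny one (the deny falls through to the next entry); and IOS refuses to combine eq <port> with fragments, as Marvin's CLI output shows. The source addresses, the fragment offset and the sample packets are constructed for the example.

```python
"""Simulate Cisco IOS ACL evaluation of fragmented IP packets.

Added example for this thread, not code from the posts or from Cisco.
Rules implemented: `fragments` ACEs match non-initial fragments only;
an ACE with a port qualifier permits, but never denies, non-initial
fragments matching its Layer 3 fields; `fragments` plus a port is rejected.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    src: str                        # source IPv4 address (constructed)
    dst: str                        # destination IPv4 address
    frag_offset: int = 0            # 0 for unfragmented and initial fragments
    dst_port: Optional[int] = None  # None when no L4 header is present

    @property
    def noninitial_fragment(self) -> bool:
        return self.frag_offset > 0


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp", ...
    src: str                        # "any" or a host address
    dst: str
    eq_port: Optional[int] = None
    fragments: bool = False


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N <action> <proto> <src> <dst> [eq P] [fragments]'."""
    tok = line.split()
    if tok[:1] != ["access-list"] or len(tok) < 6:
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto, i = tok[2], tok[3], 4

    def addr() -> str:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        if tok[i] == "host":
            i += 2
            return tok[i - 1]
        raise ValueError(f"unsupported address form {tok[i]!r}")

    src, dst = addr(), addr()
    eq_port, fragments = None, False
    while i < len(tok):
        if tok[i] == "eq":
            eq_port, i = int(tok[i + 1]), i + 2
        elif tok[i] == "fragments":
            fragments, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r}")
    if fragments and eq_port is not None:
        # IOS does not offer 'fragments' once L4 fields are present: a
        # non-initial fragment has no port to check.
        raise ValueError("'fragments' cannot be combined with Layer 4 fields")
    return Ace(action, proto, src, dst, eq_port, fragments)


def l3_match(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return 'permit' or 'deny' (implicit deny at end of list)."""
    for ace in acl:
        if not l3_match(ace, pkt):
            continue
        if ace.fragments:
            if pkt.noninitial_fragment:   # keyword matches only these
                return ace.action
            continue
        if ace.eq_port is None:           # Layer 3 only: matches everything
            return ace.action
        if pkt.noninitial_fragment:
            # No L4 header: a permit lets the fragment through, a deny
            # does not apply and evaluation moves to the next entry.
            if ace.action == "permit":
                return "permit"
            continue
        if pkt.dst_port == ace.eq_port:
            return ace.action
    return "deny"


# ACL exactly as posted in the thread, and the same list without the
# leading fragments entry for comparison.
ACL_DOC_CD = [parse_ace(l) for l in (
    "access-list 101 deny ip any host 1.1.1.1 fragments",
    "access-list 101 permit tcp any host 1.1.1.1 eq 80",
    "access-list 101 deny ip any any",
)]
ACL_NO_FRAG_DENY = ACL_DOC_CD[1:]

# Constructed sample traffic toward the web server.
WEB_INITIAL = Packet("tcp", "192.0.2.10", "1.1.1.1", frag_offset=0, dst_port=80)
WEB_NONINITIAL = Packet("tcp", "192.0.2.10", "1.1.1.1", frag_offset=185)  # no TCP header
SSH_WHOLE = Packet("tcp", "192.0.2.10", "1.1.1.1", dst_port=22)


def decisions(acl: List[Ace]) -> dict:
    return {"web_initial": evaluate(acl, WEB_INITIAL),
            "web_noninitial": evaluate(acl, WEB_NONINITIAL),
            "ssh": evaluate(acl, SSH_WHOLE)}


if __name__ == "__main__":
    print("Doc CD ACL:        ", decisions(ACL_DOC_CD))
    print("without frag deny: ", decisions(ACL_NO_FRAG_DENY))
    try:
        parse_ace("access-list 101 deny tcp any host 1.1.1.1 eq 80 fragments")
    except ValueError as err:
        print("rejected:", err)
```

Running it shows the posted ACL permitting the initial fragment of the port-80 connection and denying the non-initial one, while the same list without the leading fragments entry lets the non-initial fragment through on the strength of the permit tcp ... eq 80 line alone. That is why the deny has to be a Layer 3 entry placed first: the port qualifier can never be evaluated against a non-initial fragment.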



This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:40 GMT-3