From: ccie2be (ccie2be@nyc.rr.com)
Date: Fri Mar 04 2005 - 17:27:35 GMT-3
Andrew,
I believe you're correct in this scenario.
However, I think a better way to think about this is to realize that when the
fragments keyword is added to the end of an ACL statement, it only applies to
non-initial fragments.
Of course, given how confusing this fragment thing is, I might not be fully
understanding this myself even though I've looked at this issue several
times.
If I get something like this on the lab, I'll probably leave it until I'm
done with everything else and then bring up the acl command reference and
slowly go through it to make sure I don't get things backwards.
HTH, Tim
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Edwards, Andrew M
Sent: Friday, March 04, 2005 2:45 PM
To: marvin greenlee; Matt White; ccielab@groupstudy.com
Subject: RE: Fragment control in access-lists. [bcc][faked-from]
So if I understand this correctly.
The first packet is not considered a fragment.
So, the first packet matches the second statement to permit web traffic.
Then all subsequent packets that ARE fragments will be matched by the
first ACL.
Yes?
-----Original Message-----
From: marvin greenlee [mailto:marvin@ccbootcamp.com]
Sent: Thursday, March 03, 2005 9:49 AM
To: 'Matt White'; ccielab@groupstudy.com
Subject: RE: Fragment control in access-lists. [bcc][faked-from]
The router will not let you specify both.
Router(config)#access-list 101 deny tcp any host 1.1.1.1 eq 80 ?
ack Match on the ACK bit
dscp Match packets with given dscp value
established Match established connections
fin Match on the FIN bit
log Log matches against this entry
log-input Log matches against this entry, including input interface
precedence Match packets with given precedence value
psh Match on the PSH bit
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
<cr>
Router(config)#access-list 101 deny tcp any host 1.1.1.1 frag ?
dscp Match packets with given dscp value
log Log matches against this entry
log-input Log matches against this entry, including input interface
precedence Match packets with given precedence value
time-range Specify a time-range
tos Match packets with given TOS value
<cr>
Marvin Greenlee, CCIE#12237, CCSI# 30483
Network Learning Inc
marvin@ccbootcamp.com
www.ccbootcamp.com (Cisco Training)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Matt White
Sent: Thursday, March 03, 2005 7:43 AM
To: ccielab@groupstudy.com
Subject: Fragment control in access-lists. [bcc][faked-from]
Importance: Low
According to the example on the Doc CD (link below), in order to
deny fragments to, say, a web server, you initially need to deny
fragments to everything, then permit 80 in.
Can someone explain why you cannot initially deny fragments to just port
80, or am I just completely off base here?
Thanks.
!
access-list 101 deny ip any host 1.1.1.1 fragments
access-list 101 permit tcp any host 1.1.1.1 eq 80
access-list 101 deny ip any any
!
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfip.htm#1129413
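To make the thread's point concrete, here is an added model of how IOS walks an access list for fragmented traffic; it is not code from the thread or from Cisco. The matching rules it encodes are the ones Cisco documents for the fragments keyword: an entry with fragments sees only non-initial fragments; an L3-only entry sees every packet; an entry with L4 information (a port) matches unfragmented packets and initial fragments on L3+L4, while for a non-initial fragment (no L4 header) a permit entry matches on L3 alone and a deny entry is skipped. The Packet and Ace classes, the decide() function and the sample packets (including the fragment offset 185) are constructed here for illustration. The model shows why Matt's ordering from the Doc CD is needed: a fragments entry cannot carry a port (as Marvin's CLI output shows), and a permit ... eq 80 entry placed first would let non-initial fragments to any port on 1.1.1.1 through.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # 'tcp', 'udp', 'icmp', ...
    dst: str                      # destination address
    dport: Optional[int] = None   # None when no L4 header is present
    frag_offset: int = 0          # 0 = unfragmented or the initial fragment
    more_fragments: bool = False  # MF bit

    @property
    def non_initial(self) -> bool:
        # Only fragments with a non-zero offset lack the L4 header.
        return self.frag_offset > 0


@dataclass(frozen=True)
class Ace:
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip' matches every protocol
    dst: str                     # host address or 'any'
    dport: Optional[int] = None  # 'eq <port>' (L4 information)
    fragments: bool = False      # trailing 'fragments' keyword

    def __post_init__(self):
        # IOS refuses 'eq <port>' together with 'fragments' (see the CLI help above).
        if self.fragments and self.dport is not None:
            raise ValueError("L4 match and 'fragments' cannot be combined")

    def l3_match(self, p: Packet) -> bool:
        return self.proto in ('ip', p.proto) and self.dst in ('any', p.dst)


def ace_accepted(**kwargs) -> bool:
    """True if IOS (as modelled here) would accept the entry."""
    try:
        Ace(**kwargs)
        return True
    except ValueError:
        return False


def decide(acl: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None = implicit deny."""
    for i, ace in enumerate(acl):
        if not ace.l3_match(p):
            continue
        if ace.fragments:              # 'fragments' entries see only non-initial fragments
            if p.non_initial:
                return ace.action, i
            continue
        if ace.dport is None:          # L3-only entry applies to every packet type
            return ace.action, i
        if p.non_initial:              # L4 entry vs. a fragment with no L4 header
            if ace.action == 'permit':
                return 'permit', i     # permitted on the L3 match alone
            continue                   # a deny does not match; next entry is processed
        if ace.dport == p.dport:       # unfragmented / initial: full L3+L4 match
            return ace.action, i
    return 'deny', None                # implicit deny ip any any


# access-list 101 as posted from the Doc CD example
DOC_CD_ACL = [
    Ace('deny', 'ip', '1.1.1.1', fragments=True),   # deny ip any host 1.1.1.1 fragments
    Ace('permit', 'tcp', '1.1.1.1', dport=80),      # permit tcp any host 1.1.1.1 eq 80
    Ace('deny', 'ip', 'any'),                       # deny ip any any
]
# Two variants for comparison: no fragments line, and fragments line after the permit
NO_FRAG_ACL = DOC_CD_ACL[1:]
WRONG_ORDER_ACL = [DOC_CD_ACL[1], DOC_CD_ACL[0], DOC_CD_ACL[2]]

# Constructed sample traffic (not from the thread)
WEB = Packet('tcp', '1.1.1.1', dport=80)
WEB_INITIAL_FRAG = Packet('tcp', '1.1.1.1', dport=80, more_fragments=True)
NON_INITIAL_FRAG = Packet('tcp', '1.1.1.1', frag_offset=185, more_fragments=True)
SSH = Packet('tcp', '1.1.1.1', dport=22)


if __name__ == '__main__':
    for name, acl in (('doc-cd', DOC_CD_ACL), ('no-frag', NO_FRAG_ACL),
                      ('wrong-order', WRONG_ORDER_ACL)):
        for pname, pkt in (('web', WEB), ('web-initial-frag', WEB_INITIAL_FRAG),
                           ('non-initial-frag', NON_INITIAL_FRAG), ('ssh', SSH)):
            print(f"{name:12} {pname:18} -> {decide(acl, pkt)}")
```

Running it shows the behaviour Andrew described: the unfragmented web packet and the initial fragment are permitted by the second line, every non-initial fragment is denied by the first, and port 22 falls to the final deny. In the two variants the non-initial fragment is permitted by the eq 80 entry on its L3 match alone, which is exactly the gap the leading fragments line closes.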
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:40 GMT-3