From: Bob Sinclair (bsinclair@netmasterclass.net)
Date: Tue May 10 2005 - 17:32:57 GMT-3
Tim,
Richard Deal covers this topic well in his book Cisco Router Firewall
Security. Non-initial fragments will not have the UDP port information. So
if you want to deny all UDP DNS fragments, denying UDP fragments is as
specific as you can get. According to Deal, non-initial fragments are denied
by the implicit deny-any at the end of the access-list in recent IOS. Initial
fragments and unfragmented packets can be explicitly denied by UDP port.
HTH,
Bob Sinclair
CCIE #10427, CCSI 30427, CISSP
www.netmasterclass.net
----- Original Message -----
From: ccie2be
To: Group Study
Sent: Tuesday, May 10, 2005 4:02 PM
Subject: fragment filtering
Hi guys,
I'm a bit confused about this. I've read the Doc-CD CR several times and
some other sources as well.
It seems that if the fragment keyword is added to the end of an acl entry,
it deals with non-initial fragments.
But, suppose this were the task:
Filter udp fragments coming in int e0 going to the DNS server.
Does this mean initial and non-initial fragments? If so, how would I do
this?
Now, suppose I also had to filter ip fragments. Would the acl entry for
this affect the previous acl entry?
If possible, a couple of examples would be very helpful.
TIA, Tim
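Added example (not from either poster, and not from Deal's book) showing Bob's approach in IOS extended ACL syntax. The ACL name, the DNS server address 10.1.1.53 and the interface name are assumptions; only the `fragments` keyword semantics come from the thread.

```cisco
ip access-list extended FRAG-FILTER
 remark Non-initial UDP fragments carry no port number, so this is as specific as a match can get
 deny   udp any host 10.1.1.53 fragments
 remark Initial fragments and unfragmented datagrams still carry the UDP header, so port 53 can be matched
 deny   udp any host 10.1.1.53 eq domain
 remark Non-initial fragments of any other IP protocol; placed AFTER the UDP entry so the UDP-specific line is evaluated first
 deny   ip  any any fragments
 permit ip  any any
!
interface Ethernet0
 ip access-group FRAG-FILTER in
```

Order matters for the second question: if `deny ip any any fragments` were placed first, every non-initial fragment would already be dropped there and the UDP-specific fragment entry would never be hit.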
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:57 GMT-3