From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue May 10 2005 - 18:51:35 GMT-3
Hey Bob,
Thanks for getting back to me. I happen to have the Richard Deal book but
I'm not 100% sure of what he's saying and how to apply the info he provides.
For example, he talks mostly about NON-INITIAL fragments.
" When filtering fragments, noninitial fragments that match Layer 3
information in your ACL have the appropriate action taken against them:
permit or deny."
Is this the same as saying, "If the fragment keyword is used, noninitial
fragments that match Layer 3 information in your ACL have the appropriate
action taken against them: permit or deny."
Or, put another way, is the difference between these 2 acl entries as noted?
access-list 101 deny ip any any fragments
    <- all ip traffic including initial and non-initial fragments are dropped
access-list 101 deny ip any any
    <- Only initial fragments and unfragmented ip traffic is dropped; non-initial fragments pass thru
As a practical matter for the lab, it seems to me, I have to sort acl
entries into 2 groups:
Group 1 - has no port information
Group 2 - has port info, i.e. the acl includes either tcp or udp
For Group 1, the behavior is as described above.
For Group 2, I'm still not that clear.
Last thing: Is there any simple way to verify the configuration will work as
intended?
I hate it when I take the lab and find I'm not sure about some little detail
and don't know how to verify if I did the config correctly.
Can you help clear up this confusion for me? I would be tremendously
appreciative.
TIA, Tim
_____
From: Bob Sinclair [mailto:bsinclair@netmasterclass.net]
Sent: Tuesday, May 10, 2005 4:33 PM
To: ccie2be; Group Study
Subject: Re: fragment filtering
Tim,
Richard Deal covers this topic well in his book Cisco Router Firewall
Security. Non-initial fragments will not have the UDP port information. So
if you want to deny all UDP DNS fragments, denying UDP fragments is as
specific as you can get. According to Deal, non-initial fragments are
denied by the implicit deny-any at the end of the access-list in recent IOS.
Initial fragments and unfragmented packets can be explicitly denied by UDP
port.
HTH,
Bob Sinclair
CCIE #10427, CCSI 30427, CISSP
www.netmasterclass.net
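[Editor's note: the configuration below is an added example that puts Bob's answer into ACL form for the original task ("filter udp fragments coming in int e0 going to the DNS server"). It is not from the thread or from Deal's book. The DNS server address 10.1.1.53, the ACL name DNS-FRAG and the interface name Ethernet0 are assumed for illustration.]

```cisco
! Added example (not from the thread). Assumed: DNS server 10.1.1.53,
! traffic arrives inbound on Ethernet0.
ip access-list extended DNS-FRAG
 ! Non-initial fragments carry no UDP header, so no port can be matched on
 ! them. The 'fragments' keyword is the only way to name them, and an ACE
 ! with 'fragments' matches ONLY non-initial fragments (fragment offset != 0).
 ! IOS will not accept 'fragments' together with port information (eq 53).
 deny   udp any host 10.1.1.53 fragments
 ! Unfragmented datagrams and initial fragments do carry the UDP header and
 ! are matched on the port as usual.
 deny   udp any host 10.1.1.53 eq domain
 permit ip any any
!
interface Ethernet0
 ip access-group DNS-FRAG in
```

Why both deny lines are needed: a non-initial fragment that matches the Layer 3 part of a deny ACE carrying port information (the "eq domain" line) is not denied by that line; IOS moves it on to the next ACE, which here is "permit ip any any", so it would be forwarded. That is also why Bob's point holds when there is no explicit permit at the end: the implicit deny has no Layer 4 information, so it does deny the non-initial fragments. If the task additionally asks for "deny ip any any fragments", order matters: placed above the UDP lines it would absorb every non-initial fragment of every protocol first, and the UDP-specific line would never see a match. To verify, generate fragmented UDP toward the server from a host and watch the per-ACE counters in "show ip access-lists DNS-FRAG"; the "fragments" line and the "eq domain" line should each show matches, which tells you initial and non-initial fragments are being caught by the lines you intended.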
----- Original Message -----
From: ccie2be <mailto:ccie2be@nyc.rr.com>
To: Group Study <mailto:ccielab@groupstudy.com>
Sent: Tuesday, May 10, 2005 4:02 PM
Subject: fragment filtering
Hi guys,
I'm a bit confused about this. I've read the Doc-CD CR several times and
some other sources as well.
It seems that if the fragment keyword is added to the end of an acl entry,
it deals with non-initial fragments.
But, suppose this were the task:
Filter udp fragments coming in int e0 going to the DNS server.
Does this mean initial and non-initial fragments? If so, how would I do
this?
Now, suppose I also had to filter ip fragments. Would the acl entry for
this affect the previous acl entry?
If possible, a couple of examples would be very helpful.
TIA, Tim
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:57 GMT-3