From: Petr Lapukhov (petrsoft@gmail.com)
Date: Sun May 28 2006 - 03:00:27 ART
Victor,
the best thing on "fragments" I found is
http://www.cisco.com/warp/public/105/acl_wp.html
Basically, IOS does NOT keep any state information. You
need CBAC to do that :). The fragments keyword simply instructs it to
check whether we have a "non-initial" (frag_offset>0) fragment.
HTH
Petr
2006/5/28, Victor Cappuccio <cvictor@protokolgroup.com>:
>
> Hello
>
> Please excuse this dummy question, but I wish to know if the router, when an
> initial fragment goes through, creates a kind of State Table of the
> Originator / Flag and Flag Offset of the sender?
>
> Assuming this configuration
>
> access-list 101 deny ip any host X.X.X.1 fragments
> access-list 101 permit tcp any host X.X.X.1 eq 25
> access-list 101 deny ip any any
>
> OK, suppose the Initial Fragment (containing L4 information) has passed (2nd
> Access-List), but how does the router know exactly when the following packets
> are from the same flow and sent to the same port number in L4?
>
> I understand that in these new IOS versions the fragments keyword in the ACL
> would also force the IOS to check the second access-list for non-initial and
> initial fragments, but is there something stored in memory to check for
> Originator / Flag and Flag Offset?
>
> What if a fragment of a big chunk comes out of order?
>
> Is there any way to see this?
>
> Thanks
> Victor.
>
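To make the stateless evaluation concrete, here is an added Python model of how an IOS ACL judges each fragment on its own header bits. This is example code written for this page, not code from the thread or from Cisco; the per-ACE rules it encodes (a `fragments` ACE matches only non-initial fragments; against a non-initial fragment an ACE carrying L4 port information can only be matched on L3, so a permit ACE permits and a deny ACE is skipped) follow the Cisco whitepaper Petr linked as I understand it, and the host address `192.0.2.1`, the `Packet` and `Ace` classes and the `evaluate` function are all my own constructs standing in for Victor's X.X.X.1 and the router's real matching code.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical host address standing in for Victor's X.X.X.1 (assumption).
HOST = "192.0.2.1"


@dataclass
class Packet:
    proto: str                   # "tcp", "udp", "icmp"
    dst: str
    frag_offset: int             # 0 = initial fragment or unfragmented datagram
    dport: Optional[int] = None  # L4 port, only present when frag_offset == 0


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    dst: str                     # "any" or a host address
    dport: Optional[int] = None  # "eq <port>"; None = no L4 information in the ACE
    fragments: bool = False      # the 'fragments' keyword


def l3_match(ace: Ace, pkt: Packet) -> bool:
    """Layer-3 part of the match: protocol and destination only."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the ACE that decided) for one packet.

    Each packet is judged only on its own header; nothing from earlier
    packets is consulted, so arrival order cannot change the result.
    """
    non_initial = pkt.frag_offset > 0
    for i, ace in enumerate(acl):
        if ace.fragments and not non_initial:
            continue        # 'fragments' ACEs apply to non-initial fragments only
        if not l3_match(ace, pkt):
            continue
        has_l4 = ace.dport is not None
        if non_initial and has_l4:
            # No L4 header to compare against: a permit ACE matches on L3
            # alone, a deny ACE is skipped and evaluation moves on.
            if ace.action == "permit":
                return "permit", i
            continue
        if has_l4 and ace.dport != pkt.dport:
            continue
        return ace.action, i
    return "deny", None     # implicit deny at the end of every IOS ACL


# Victor's access-list 101 with the hypothetical host address substituted.
ACL_101 = [
    Ace("deny", "ip", HOST, fragments=True),
    Ace("permit", "tcp", HOST, dport=25),
    Ace("deny", "ip", "any"),
]

# The same list without the 'fragments' ACE, for comparison.
ACL_101_NO_FRAG_ACE = ACL_101[1:]


def demo() -> None:
    # Constructed packets: an initial fragment to TCP/25, a non-initial TCP
    # fragment (port unknown), and a non-initial UDP fragment.
    initial = Packet("tcp", HOST, frag_offset=0, dport=25)
    tail = Packet("tcp", HOST, frag_offset=1480)
    udp_tail = Packet("udp", HOST, frag_offset=1480)
    # The tail is evaluated before the initial fragment on purpose: with no
    # state, out-of-order arrival makes no difference to the verdicts.
    for name, acl in (("ACL 101", ACL_101),
                      ("ACL 101 without 'fragments' ACE", ACL_101_NO_FRAG_ACE)):
        for pkt in (tail, initial, udp_tail):
            print(name, pkt, "->", evaluate(acl, pkt))


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the two sides of Victor's question: with the `fragments` ACE, every non-initial fragment to the host is dropped by the first line no matter what order it arrives in, and the initial fragment to port 25 is permitted by the second; without it, a non-initial TCP fragment to the host is permitted by the `eq 25` line even though the router has no way to tell which port it belongs to, because there is no table tying it back to the initial fragment.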
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:22 ART