Packet fragmentation question...

From: Tony Paterra (apaterra@gmail.com)
Date: Thu Jul 06 2006 - 18:08:19 ART


All, a question on packet fragmentation... How can I deny all
fragmented packets on an interface? My first reaction was to build an
access list along the lines of the following...

access-list 100 deny ip any any fragments
access-list 100 permit ip any any

But then when I thought about it some more... I realized that this
would still allow initial fragments through (and then catch everything
after it with a non-zero offset). I know how to deny non-initial
fragments (above), but I'm not sure how to handle initial fragmented
packets. Pardon the somewhat simple question, but what defines a
"fragmented" packet? Is it just a packet that has a non-zero offset
in its L3 header (i.e. initial fragments with a zero-offset are not
considered "fragmented")?

Adios,

-- 
Tony Paterra
apaterra@gmail.com
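
Added example (not part of the original post): a Python sketch of how the IPv4 header marks fragments per RFC 791, using the MF flag and the 13-bit fragment offset, and which pieces a non-zero-offset match like the `fragments` entry above catches. The function names and sample headers are constructed for illustration.

```python
import struct

MF = 0x2000           # "more fragments" bit in the flags/offset word
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in units of 8 bytes

def frag_word(header: bytes) -> int:
    """Return the 16-bit flags/fragment-offset word (header bytes 6-7)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return struct.unpack("!H", header[6:8])[0]

def classify(header: bytes) -> str:
    """Classify a header by its MF flag and fragment offset."""
    word = frag_word(header)
    more, offset = bool(word & MF), word & OFFSET_MASK
    if offset == 0:
        return "initial-fragment" if more else "unfragmented"
    return "middle-fragment" if more else "last-fragment"

def is_fragment(header: bytes) -> bool:
    """True for any piece of a fragmented datagram, the initial one included."""
    return classify(header) != "unfragmented"

def non_initial(header: bytes) -> bool:
    """Non-zero offset only: the fragments the post says the ACL entry catches."""
    return (frag_word(header) & OFFSET_MASK) != 0

def build_header(more: bool, offset_units: int) -> bytes:
    """Constructed sample header: checksum left at 0, RFC 5737 doc addresses."""
    word = (MF if more else 0) | (offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, word, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

# Constructed samples: one whole datagram and the three kinds of fragment.
SAMPLES = {
    "whole datagram": build_header(False, 0),
    "first piece": build_header(True, 0),
    "middle piece": build_header(True, 185),
    "final piece": build_header(False, 370),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:15} {classify(hdr):17} fragment={is_fragment(hdr)!s:5} "
              f"non_initial={non_initial(hdr)}")
```

The "first piece" row is the case the post asks about: it belongs to a fragmented datagram (MF set) but has a zero offset, so a non-zero-offset match does not select it.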

