From: Faryar Zabihi (fzabihi) (fzabihi@cisco.com)
Date: Thu Jul 06 2006 - 19:17:37 ART
access-list 100 permit tcp any any(or web server add) eq www established
Don't forget this at the beginning, for return traffic.
Also you need 2 lines in ACL to get non-initial and initial
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcr/tiap_r/apl_a1ht.htm#wp1148147
Faryar
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Tony Paterra
Sent: Thursday, July 06, 2006 4:08 PM
To: Cisco certification
Subject: Packet fragmentation question...
All, a question on packet fragmentation... How can I deny all
fragmented packets on an interface? My first reaction was to build an
access list along the lines of the following...
access-list 100 deny ip any any fragments
access-list 100 permit ip any any
But then when I thought about it some more... I realized that this
would still allow initial fragments through (and then catch everything
after it with a non-zero offset). I know how to deny non-initial
fragments (above), but I'm not sure how to handle initial fragmented
packets. Pardon the somewhat simple question, but what defines a
"fragmented" packet? Is it just a packet that has a non-zero offset in
its L3 header (i.e. initial fragments with a zero-offset are not
considered "fragmented")?
Adios,
-- Tony Paterra apaterra@gmail.com
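The distinction Tony is asking about can be checked directly against the IPv4 header bits. The script below is an added illustration, not part of this thread or of any Cisco software: it decodes the flags/offset field of constructed sample packets, classifies each as unfragmented, initial fragment (MF set, offset 0) or non-initial fragment (offset non-zero), and models the IOS `fragments` keyword as matching only non-initial fragments, which is the reading both messages above rely on. The addresses, IDs and the simplified `tony_acl` evaluator are assumptions made for the example.

```python
import struct

# Flag bits in the IPv4 "flags + fragment offset" 16-bit field (RFC 791).
IP_DF = 0x4000           # Don't Fragment
IP_MF = 0x2000           # More Fragments
IP_OFFSET_MASK = 0x1FFF  # 13-bit offset, in units of 8 bytes


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header and return the fragment-relevant fields."""
    if len(pkt) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "ihl": ver_ihl & 0x0F,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_off & IP_DF),
        "mf": bool(flags_off & IP_MF),
        "offset": flags_off & IP_OFFSET_MASK,
        "protocol": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }


def classify(hdr: dict) -> str:
    """Non-zero offset -> non-initial fragment; MF set with offset 0 -> initial fragment."""
    if hdr["offset"] != 0:
        return "non-initial-fragment"
    if hdr["mf"]:
        return "initial-fragment"
    return "unfragmented"


def ios_fragments_keyword_matches(hdr: dict) -> bool:
    """Model (assumption) of the IOS ACL 'fragments' keyword: non-initial fragments only."""
    return hdr["offset"] != 0


def is_any_fragment(hdr: dict) -> bool:
    """Any piece of a fragmented datagram: initial (MF=1, offset 0) or non-initial (offset != 0)."""
    return hdr["mf"] or hdr["offset"] != 0


def tony_acl(hdr: dict) -> str:
    """Tony's proposed ACL: 'deny ip any any fragments' followed by 'permit ip any any'."""
    if ios_fragments_keyword_matches(hdr):
        return "deny"
    return "permit"


def build_ipv4(ident: int, mf: bool, offset: int, proto: int = 6, payload_len: int = 8) -> bytes:
    """Constructed sample packet: minimal IPv4 header (checksum left 0) plus a zero payload."""
    flags_off = (IP_MF if mf else 0) | (offset & IP_OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                         flags_off, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    return header + b"\x00" * payload_len


# Constructed samples: one whole datagram and the two pieces of a datagram split in half.
SAMPLES = {
    "whole":  build_ipv4(ident=1, mf=False, offset=0),
    "first":  build_ipv4(ident=2, mf=True,  offset=0),    # initial fragment, carries the TCP header
    "second": build_ipv4(ident=2, mf=False, offset=185),  # 185 * 8 = 1480 bytes into the datagram
}


def report() -> dict:
    """Classify each sample and show what Tony's two-line ACL would do with it."""
    out = {}
    for name, pkt in SAMPLES.items():
        hdr = parse_ipv4_header(pkt)
        out[name] = (classify(hdr), tony_acl(hdr), is_any_fragment(hdr))
    return out


if __name__ == "__main__":
    for name, (kind, verdict, frag) in report().items():
        print(f"{name:6s} {kind:22s} tony_acl={verdict:6s} any_fragment={frag}")
```

Running it shows the gap Tony noticed: the initial fragment is classified as a fragment by `is_any_fragment` but is permitted by the `fragments`-keyword line, because that keyword keys on a non-zero offset alone; only the second piece is denied.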
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:46 ART