From: Faryar Zabihi \(fzabihi\) (fzabihi@cisco.com)
Date: Thu Jul 06 2006 - 19:29:10 ART
If the requirement is to deny fragmented traffic, the initial is not fragmented
and there is nothing in the requirements to handle the initial. TCP
port 80, not IP, in your ACL.
Faryar
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Faryar Zabihi (fzabihi)
Sent: Thursday, July 06, 2006 5:18 PM
To: Tony Paterra; Cisco certification
Subject: RE: Packet fragmentation question...
access-list 100 permit tcp any any (or web server add) eq www established
Don't forget this at the beginning, for return traffic.
Also you need 2 lines in ACL to get non-initial and initial
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcr/tiap_r/apl_a1ht.htm#wp1148147
Faryar
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Tony Paterra
Sent: Thursday, July 06, 2006 4:08 PM
To: Cisco certification
Subject: Packet fragmentation question...
All, a question on packet fragmentation... How can I deny all
fragmented packets on an interface? My first reaction was to build an
access list along the lines of the following...
access-list 100 deny ip any any fragments
access-list 100 permit ip any any
But then when I thought about it some more... I realized that this
would still allow initial fragments through (and then catch everything
after it with a non-zero offset). I know how to deny non-initial
fragments (above), but I'm not sure how to handle initial fragmented
packets. Pardon the somewhat simple question, but what defines a
"fragmented" packet? Is it just a packet that has a non-zero offset in
its L3 header (i.e. initial fragments with a zero-offset are not
considered "fragmented")?
Adios,
-- Tony Paterra apaterra@gmail.com
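Added example, not from the thread and not Cisco's code: a small Python model of the fragment-handling rules Cisco documents for IOS ACLs, used to compare Tony's deny-fragments ACL with the two-line TCP-port-80 form the reply points to. The rules encoded here are an assumption taken from Cisco's published description; Ace, Packet, evaluate and classify are names chosen for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

NONFRAG, INITIAL, NONINITIAL = "nonfrag", "initial", "noninitial"  # packet classes

@dataclass(frozen=True)
class Ace:                       # one access-list entry
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" or "tcp"
    dport: int | None = None     # L4 info (eq www -> 80); None = L3-only
    fragments: bool = False      # the 'fragments' keyword

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int | None            # None for a non-initial fragment (no L4 header)
    kind: str                    # NONFRAG, INITIAL or NONINITIAL

def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """Walk the ACL top-down using the fragment rules Cisco documents (assumed
    here): 'fragments' ACEs match only non-initial fragments; L3-only ACEs
    match every class; L4 ACEs check L3+L4 on non-fragmented and initial
    fragments, while a non-initial fragment (no L4 header) is permitted by a
    permit ACE on an L3 match and skips a deny ACE."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue                                 # L3 mismatch
        if ace.fragments:
            if pkt.kind == NONINITIAL:
                return ace.action
            continue
        if ace.dport is None:                        # L3-only ACE
            return ace.action
        if pkt.kind == NONINITIAL:                   # L4 not inspectable
            if ace.action == "permit":
                return "permit"
            continue
        if pkt.dport == ace.dport:
            return ace.action
    return "deny"                                    # implicit deny

def classify(acl: list[Ace], proto: str = "tcp", dport: int = 80) -> dict:
    """Verdicts for a whole packet, its initial fragment and a non-initial one."""
    return {k: evaluate(acl, Packet(proto, None if k == NONINITIAL else dport, k))
            for k in (NONFRAG, INITIAL, NONINITIAL)}

# Tony's ACL from the thread: non-initial fragments denied, initial ones pass.
TONY_ACL = [Ace("deny", "ip", fragments=True), Ace("permit", "ip")]
# The two-line pattern from the reply: deny TCP fragments, then permit port 80.
WEB_ACL = [Ace("deny", "tcp", fragments=True), Ace("permit", "tcp", dport=80)]
```

Running classify on both ACLs shows that Tony's version permits the initial fragment of any packet while the two-line TCP form denies non-initial fragments and everything not addressed to port 80.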
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:46 ART