From: Chris Broadway (midatlanticnet@gmail.com)
Date: Tue Sep 05 2006 - 12:52:18 ART
Group,
After reading the link below on fragments I have a question too. Scenario
#1 says that the ACL will stop all fragments. I don't think this is so, and
I am looking for some opinions. The first line will stop *non-initial
fragments* only. The second line will permit all non-fragments and *initial
fragments*. Because the second line permits initial fragments, the Scenario
cannot say "ALL FRAGMENTS" are blocked. What say you all?
-Broadway
On 9/4/06, Jeff Ryan <jeffryanwn@hotmail.com> wrote:
>
> http://www.cisco.com/warp/public/105/acl_wp.html
>
> In looking at this link, specifically Scenario #1 ACL 101 example it
> states
> that this would permit only non-fragmented HTTP flows to the server. Of
> course, the deny statement would kill any IGP or EGP connection unless we
> specifically permitted it...
>
> In the diagram in this link if I had a bgp tcp session with a router out
> this
> link:
>
> access-list 101 deny ip any host 171.16.23.1 fragments
> access-list 101 permit tcp any host 171.16.23.1 eq 80
> access-list 101 permit tcp any any eq bgp
> access-list 101 permit tcp any eq bgp any
> access-list 101 deny ip any any
> !
> int s0 (internet link)
> ip access-group 101 in
> !
>
>
> Any comments?
>
> Jeff
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
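The disagreement above comes down to how IOS evaluates an ACL entry against the three packet types (non-fragmented, initial fragment, non-initial fragment). The script below is an added example, written for this archive page and not taken from either poster or from Cisco; it encodes the matching rules described in the linked white paper (an entry with the `fragments` keyword matches non-initial fragments only; an entry with Layer 4 information cannot see ports in a non-initial fragment, so a permit entry matches on Layer 3 alone while a deny entry is skipped) and runs Jeff's ACL 101 over a few constructed packets. The source addresses, the router address 192.0.2.1, the port numbers other than 80 and 179 (`eq bgp`), and the fragment offsets are all made-up sample values.

```python
"""Model of Cisco IOS ACL matching for fragmented IP packets.

Added example, not from the thread or from Cisco. It encodes the matching
rules described in the Cisco white paper linked in the thread. All hosts,
ports and packets below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                    # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    frag_offset: int = 0          # 0 for non-fragmented packets and initial fragments
    more_frags: bool = False      # MF bit
    sport: Optional[int] = None   # only present when the L4 header is present
    dport: Optional[int] = None

    @property
    def kind(self) -> str:
        if self.frag_offset > 0:
            return "non-initial"
        return "initial" if self.more_frags else "non-fragmented"

    @property
    def has_l4(self) -> bool:
        # Only the first fragment (offset 0) carries the TCP/UDP header.
        return self.frag_offset == 0


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    src: str                      # "any" or a single host address
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    fragments: bool = False       # the `fragments` keyword

    @property
    def has_l4(self) -> bool:
        return self.sport is not None or self.dport is not None

    def l3_match(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.src == "any" or self.src == p.src)
                and (self.dst == "any" or self.dst == p.dst))

    def l4_match(self, p: Packet) -> bool:
        return ((self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the entry that decides the packet;
    index None means the implicit deny at the end of the list."""
    for i, ace in enumerate(acl):
        if not ace.l3_match(p):
            continue
        if ace.fragments:
            # `fragments` keyword: matches non-initial fragments only.
            if p.kind == "non-initial":
                return ace.action, i
            continue
        if not ace.has_l4:
            # L3-only entry without `fragments`: matches every packet type.
            return ace.action, i
        if p.has_l4:
            # Non-fragmented packet or initial fragment: normal L3+L4 match.
            if ace.l4_match(p):
                return ace.action, i
            continue
        # Non-initial fragment against an entry with L4 information:
        # a permit entry matches on L3 alone, a deny entry is skipped.
        if ace.action == "permit":
            return ace.action, i
    return "deny", None


# Jeff's ACL 101 from the thread (eq bgp == TCP port 179).
ACL_101 = [
    Ace("deny", "ip", "any", "171.16.23.1", fragments=True),
    Ace("permit", "tcp", "any", "171.16.23.1", dport=80),
    Ace("permit", "tcp", "any", "any", dport=179),
    Ace("permit", "tcp", "any", "any", sport=179),
    Ace("deny", "ip", "any", "any"),
]

# Constructed sample packets arriving inbound on s0.
SAMPLES = {
    "http non-fragmented": Packet("tcp", "10.0.0.5", "171.16.23.1", sport=40000, dport=80),
    "http initial fragment": Packet("tcp", "10.0.0.5", "171.16.23.1", more_frags=True, sport=40000, dport=80),
    "http non-initial fragment": Packet("tcp", "10.0.0.5", "171.16.23.1", frag_offset=185),
    "bgp non-initial fragment to router": Packet("tcp", "10.0.0.9", "192.0.2.1", frag_offset=185),
    "ssh non-fragmented to server": Packet("tcp", "10.0.0.5", "171.16.23.1", sport=40001, dport=22),
}


def classify_samples(acl: List[Ace] = ACL_101) -> dict:
    return {name: evaluate(acl, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, idx) in classify_samples().items():
        where = "implicit deny" if idx is None else f"line {idx + 1}"
        print(f"{name:38s} -> {action:6s} ({where})")
```

Under these rules the initial HTTP fragment is permitted by line 2 and only the non-initial fragments are caught by line 1, so the model sides with the reading that the list does not block every fragment. The BGP sample also shows the other side of the same behaviour: a non-initial fragment headed for the router itself is permitted by line 3 on the Layer 3 match alone, because the port cannot be checked, which is worth keeping in mind when a permit with Layer 4 information uses `any` for both addresses.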
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:39 ART