Fw: Q. Initial fragments

From: Pierre-Alex (paguanel@hotmail.com)
Date: Tue Sep 05 2006 - 17:24:15 ART


> Hi Sabrina,
>
> Here are the rules:
>
>
>
> =============== INITIAL FRAGMENTS ===========================
>
> You can filter initial fragments with an ACL with layer 3 info (Rule 1) or an
> ACL with layer 3 and 4 info (Rule 3)
>
> Rule 1: If the ACL contains layer 3 info only and the keyword "fragment" is
> not present, then do the ACL action (permit or deny) and exit the ACL
>
> Rule 2: If the ACL contains layer 3 info only and the keyword "fragment" is
> not present, then process the next line of ACL
>
> Rule 3: If the ACL contains layer 3 and layer 4 info and there is a match
> with the non-initial fragment, do the ACL action (permit or deny) and exit
> the ACL
>
> Rule 4: If the ACL contains layer 3 and layer 4 info and there is not a
> match with the non-initial fragment, then process the next line of the ACL.
>
>
>
>
> =============== NON-INITIAL FRAGMENTS ===========================
>
> Rule 1: You can block non-initial fragments with an ACL that contains
> only layer 3 information.
>
> Rule 2: If the ACL contains both layer 3 and layer 4 information and the
> action is deny, the next ACL will be processed.
>
> Rule 3: If the ACL contains both layer 3 and layer 4 information and the
> action is permit, the packet will be permitted, and the ACL will be exited.
>
>
> Example:
>
> Task:
>
> Make sure that the router denies web traffic to port 80 on server
> 171.16.23.1.
> Non-initial fragments should NOT be forwarded to the server.
>
> ===============
> access-list 100 deny tcp any host 171.16.23.1 eq 80
> ! this line will deny web traffic to host 171.16.23.1 but will allow
> non-initial fragments
>
> access-list 100 deny ip any host 171.16.23.1
> ! this line will prevent non-initial fragments from reaching the server
>
> access-list 100 permit ip any any
> ! this line is necessary to allow other traffic
>
> ===============
>
> reference:
>
> http://www.cisco.com/warp/public/105/acl_wp.html
>
>
> HTH
>
> Pierre-Alex
>
>
> ----- Original Message -----
> From: "sabrina pittarel" <sabri_esame@yahoo.com>
> To: <ccielab@groupstudy.com>
> Sent: Tuesday, September 05, 2006 7:30 AM
> Subject: Q. Initial fragments
>
>
>> Hi,
>> we all know that an ACL can block non initial fragments, but is there a
>> way to configure your router to block initial fragments as well?
>>
>> Sabrina
>>
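As an added illustration of the non-initial fragment rules quoted above (this is not code from the email or from the Cisco document it references), the following Python model evaluates the example ACL 100 line by line, treating a non-initial fragment as a packet with no layer-4 header to inspect. The Ace and Packet classes and the evaluate/trace functions are names chosen here, not IOS APIs.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" or "tcp"
    dst: str                     # "any" or a host address
    port: Optional[int] = None   # destination port; None means layer-3 info only

@dataclass
class Packet:
    proto: str
    dst: str
    port: Optional[int]          # None for a non-initial fragment (no L4 header to inspect)
    non_initial: bool = False

def evaluate(acl, pkt):
    """Return (action, matching line number); line 0 is the implicit deny at the end."""
    for line, ace in enumerate(acl, 1):
        if ace.proto not in ("ip", pkt.proto) or ace.dst not in ("any", pkt.dst):
            continue                       # layer-3 fields do not match: next line
        if pkt.non_initial:
            if ace.port is None:           # Rule 1: L3-only entry applies its action
                return ace.action, line
            if ace.action == "permit":     # Rule 3: L3+L4 permit lets the fragment through
                return "permit", line
            continue                       # Rule 2: L3+L4 deny cannot be checked, skip it
        if ace.port is None or ace.port == pkt.port:   # initial fragment or whole packet
            return ace.action, line
    return "deny", 0

# ACL 100 from the email, written out as data rather than parsed from IOS syntax.
ACL_100 = [
    Ace("deny", "tcp", "171.16.23.1", port=80),
    Ace("deny", "ip", "171.16.23.1"),
    Ace("permit", "ip", "any"),
]
ACL_WITHOUT_LINE2 = [ACL_100[0], ACL_100[2]]   # same ACL minus the L3-only deny

def trace():
    web = Packet("tcp", "171.16.23.1", 80)                       # initial fragment / whole packet
    frag = Packet("tcp", "171.16.23.1", None, non_initial=True)  # non-initial fragment
    return {
        "web_full": evaluate(ACL_100, web),              # ("deny", 1)
        "frag_full": evaluate(ACL_100, frag),            # ("deny", 2)
        "frag_no_line2": evaluate(ACL_WITHOUT_LINE2, frag),  # ("permit", 2)
        "other_host": evaluate(ACL_100, Packet("tcp", "10.0.0.5", 80)),  # ("permit", 3)
    }
```

The trace shows why line 2 matters: without it, the L3+L4 deny on line 1 is skipped for the non-initial fragment and `permit ip any any` lets it through. Note that line 2 also denies unfragmented traffic to the host on every other port, since it carries no layer-4 qualifier.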



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:39 ART