From: sabrina pittarel (sabri_esame@yahoo.com)
Date: Tue Sep 05 2006 - 18:06:20 ART
Thanks.
I guess you have a problem with INITIAL FRAGMENTS Rule2.
It should be:
Rule2: If the ACL contains layer 3 info only and the keyword "fragment" is
present, then process the next line of ACL
You have a "fragment is not present", which is the same as Rule1, so you cannot have a different action.
Still, these rules divide packets into 2 categories:
1) initial fragments and non fragmented packets
2) non initial fragments.
I'm trying to find a way to break category 1) into 2 more:
a) initial fragments
b) non fragmented packets
So that I'll be able to selectively drop all fragmented packets (categories 1a) and 2)) and allow non fragmented packets only (category 1b))
Sabrina
----- Original Message ----
From: Pierre-Alex <paguanel@hotmail.com>
To: sabrina pittarel <sabri_esame@yahoo.com>
Sent: Tuesday, September 5, 2006 12:39:52 PM
Subject: Re: Q. Initial fragments
Hi Sabrina,
Here are the rules:
=============== INITIAL FRAGMENTS ===========================
You can filter initial fragments with an ACL with layer 3 info (Rule1) or an
ACL with layer 3 and 4 info (rule 3)
Rule1: If the ACL contains layer 3 info only and the keyword "fragment" is
not present, then do the ACL action (permit or deny) and exit the ACL
Rule2: If the ACL contains layer 3 info only and the keyword "fragment" is
not present, then process the next line of ACL
Rule3: If the ACL contains layer 3 and layer 4 info and there is a match
with the non-initial fragment do the ACL action (permit or deny) and exit the
ACL
Rule4: If the ACL contains layer 3 and layer 4 info and there is not a match
with the non-initial fragment then process the next line of ACL.
=============== NON INITIAL FRAGMENTS ===========================
Rule 1: You can block non initial fragments with an acl that contains only
layer 3 information.
Rule 2: If the ACL contains both layer 3 and layer 4 information and the
action is deny, the next ACL will be processed.
Rule 3: If the ACL contains both layer 3 and layer 4 information and the
action is permit, the packet will be permitted, and the ACL will be exited.
Example:
Task:
Make sure that the router denies web traffic to port 80 to server
171.16.23.1.
Non-initial fragments should NOT be forwarded to the server.
===============
access-list 100 deny tcp any host 171.16.23.1 eq 80
! this line will deny web traffic to host 171.16.23.1 but will allow
fragments
access-list 100 deny ip any host 171.16.23.1
! this line will prevent non-initial fragments to the server
access-list 100 permit ip any any
! this line is necessary to allow other traffic
===============
reference:
http://www.cisco.com/warp/public/105/acl_wp.html
HTH
Pierre-Alex
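To make the rules above concrete, here is a small simulator of how an IOS extended ACL handles the three packet kinds. This is an added example, not code from the thread or from Cisco: it encodes the rules as quoted, reading initial-fragment Rule2 as "fragments keyword present" (the reading Sabrina's reply argues for), parses the posted access-list 100 verbatim, and also runs an assumed variant (access-list 101, not from the post) that uses the IOS "fragments" keyword. The packets are constructed, not captured. Running it shows which line decides each packet, and that a non-fragmented packet and an initial fragment with the same headers always get the same decision, i.e. the two halves of category 1 cannot be told apart by the ACL rules alone.

```python
"""Simulate Cisco IOS extended-ACL handling of non-fragmented packets, initial
fragments and non-initial fragments (added example; rules as quoted above,
initial-fragment Rule 2 read as 'fragments keyword present')."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

NONFRAG, INITIAL, NONINITIAL = "non-fragmented", "initial", "non-initial"
Spec = Tuple[int, int]  # (address, wildcard) as 32-bit integers


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: Spec
    dst: Spec
    dport: Optional[int] = None  # Layer-4 qualifier; protocol alone is still L3
    fragments: bool = False      # IOS "fragments" keyword


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    frag: str = NONFRAG
    dport: Optional[int] = None  # None for non-initial fragments: no L4 header


def _spec(t: List[str], i: int) -> Tuple[Spec, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(IPv4Address(t[i + 1])), 0), i + 2
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [fragments]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("unsupported line: " + line)
    src, i = _spec(t, 4)
    dst, i = _spec(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport, i = int(t[i + 1]), i + 2
    return Entry(t[2], t[3], src, dst, dport, i < len(t) and t[i] == "fragments")


def parse_acl(text: str) -> List[Entry]:
    """Parse a block of ACL lines; '!' comment lines and blanks are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [parse_entry(ln) for ln in lines if ln and not ln.startswith("!")]


def _in(spec: Spec, addr: str) -> bool:
    a, wild = spec  # wildcard bits are "don't care"
    return (int(IPv4Address(addr)) | wild) == (a | wild)


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based matching line); (deny, None) is the implicit deny."""
    for n, e in enumerate(acl, 1):
        if not (e.proto in ("ip", p.proto) and _in(e.src, p.src) and _in(e.dst, p.dst)):
            continue
        has_l4 = e.dport is not None
        if p.frag != NONINITIAL:             # L4 header present and comparable
            if not has_l4:
                if e.fragments:              # Rule 2: 'fragments' entries skip these
                    continue
                return e.action, n           # Rule 1
            if e.dport == p.dport:           # Rule 3
                return e.action, n
            continue                         # Rule 4
        if not has_l4:                       # non-initial Rule 1: L3-only entry applies
            return e.action, n
        if e.action == "permit":             # non-initial Rule 3: permit matches on L3 alone
            return "permit", n
        # non-initial Rule 2: an L3+L4 deny cannot be confirmed, try the next entry
    return "deny", None


def run(acl: List[Entry], packets: Dict[str, Packet]) -> Dict[str, Tuple[str, Optional[int]]]:
    return {name: evaluate(acl, p) for name, p in packets.items()}


# The ACL posted above, parsed verbatim.
ACL_100 = parse_acl("""
access-list 100 deny tcp any host 171.16.23.1 eq 80
access-list 100 deny ip any host 171.16.23.1
access-list 100 permit ip any any
""")

# Assumed variant using the 'fragments' keyword: drop non-initial fragments to the
# server, still permit whole and initial-fragment HTTP.
ACL_101 = parse_acl("""
access-list 101 deny ip any host 171.16.23.1 fragments
access-list 101 permit tcp any host 171.16.23.1 eq 80
access-list 101 deny ip any host 171.16.23.1
access-list 101 permit ip any any
""")

SERVER = "171.16.23.1"
PACKETS = {  # constructed sample packets, not captured traffic
    "http": Packet("10.0.0.5", SERVER, "tcp", NONFRAG, 80),
    "http-initial-frag": Packet("10.0.0.5", SERVER, "tcp", INITIAL, 80),
    "http-non-initial-frag": Packet("10.0.0.5", SERVER, "tcp", NONINITIAL),
    "https": Packet("10.0.0.5", SERVER, "tcp", NONFRAG, 443),
    "other-host": Packet("10.0.0.5", "171.16.23.2", "udp", NONINITIAL),
}

if __name__ == "__main__":
    for name, acl in (("ACL 100", ACL_100), ("ACL 101", ACL_101)):
        print(name)
        for pkt, (action, line) in run(acl, PACKETS).items():
            print(f"  {pkt:24} {action:6} line {line}")
```

With ACL 100 the non-initial fragment falls through the L3+L4 deny on line 1 and is caught by line 2, which is the point of the posted example; the same line 2 also denies the HTTPS packet, since it matches all IP to the server. With the "fragments" variant, line 1 catches only the non-initial fragment, and the non-fragmented and initial-fragment HTTP packets are both permitted by line 2 with no way to separate them.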
----- Original Message -----
From: "sabrina pittarel" <sabri_esame@yahoo.com>
To: <ccielab@groupstudy.com>
Sent: Tuesday, September 05, 2006 7:30 AM
Subject: Q. Initial fragments
> Hi,
> we all know that an ACL can block non initial fragments, but is there a
> way to configure your router to block initial fragments as well?
>
> Sabrina
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:39 ART