RE: Q. Initial fragments

From: Victor Cappuccio (cvictor@protokolgroup.com)
Date: Tue Sep 05 2006 - 19:15:25 ART


Paul, I was wrong: the initial fragment (Offset = 0 and MF = 1) was passed :S

Sorry

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Paul
Dardinski
Sent: Tuesday, September 05, 2006 05:58 p.m.
To: sabrina pittarel; Cisco certification
Subject: RE: Q. Initial fragments

The virtual-reassembly shows the "drop-fragments" keyword, which should
drop all. However, see Victor's previous post, pretty clear that even
the first frag was dropped as I saw it using straight "fragments" key on
an acl.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
sabrina pittarel
Sent: Tuesday, September 05, 2006 5:33 PM
To: Tony Paterra
Cc: ccielab@groupstudy.com; jeffryanwn@hotmail.com; Pierre-Alex; Victor
Cappuccio; Chris Broadway
Subject: Re: Q. Initial fragments

Small correction in my previous sentence:
 
 "But from the feeling of it, it looks like the router will try to get all
fragments before forwarding them.
  So if I put an ingress ACL that drops all *NON INITIAL* "ingress"
fragments and I enable virtual reassembly, then even if the initial
fragment will make it through the ACL it will be dropped after a
while because the whole packet could not be virtually reassembled"
   
 Sabrina
 
----- Original Message ----
From: sabrina pittarel <sabri_esame@yahoo.com>
To: Tony Paterra <apaterra@gmail.com>
Cc: ccielab@groupstudy.com; jeffryanwn@hotmail.com; Pierre-Alex
<paguanel@hotmail.com>; Victor Cappuccio <cvictor@protokolgroup.com>;
Chris Broadway <midatlanticnet@gmail.com>
Sent: Tuesday, September 5, 2006 2:21:13 PM
Subject: Re: Q. Initial fragments

Sounds promising.
 I'll read it in detail this evening.
 
 But from the feeling of it, it looks like the router will try to get all
fragments before forwarding them.
 So if I put an ingress ACL that drops all "ingress" fragments and I
enable virtual reassembly, then even if the initial fragment will make
it through the ACL it will be dropped after a while because the
whole packet could not be virtually reassembled.
  
 Sabrina

----- Original Message ----
From: Tony Paterra <apaterra@gmail.com>
To: sabrina pittarel <sabri_esame@yahoo.com>
Cc: ccielab@groupstudy.com
Sent: Tuesday, September 5, 2006 12:41:42 PM
Subject: Re: Q. Initial fragments

Sabrina,
Check out the virtual-reassembly feature... It's enabled under an
interface as:
'ip virtual-reassembly'

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_8/gt_vfrag.htm

On 9/5/06, sabrina pittarel <sabri_esame@yahoo.com> wrote:
> Hi,
> we all know that an ACL can block non initial fragments, but is there
> a way to configure your router to block initial fragments as well?
>
> Sabrina
>
>
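
Added example, not part of the original thread: a Python sketch of how the MF flag and fragment offset mentioned above separate initial from non-initial fragments, and why an ACL entry using the `fragments` keyword lets the initial fragment (Offset = 0, MF = 1) through. All function names and sample headers are constructed for illustration; the two policy functions are simplified models of the behaviour discussed in the thread, not output from a router.

```python
import struct

MF = 0x2000           # "more fragments" bit in the 16-bit flags/offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def ipv4_header(ident, mf, offset_units):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left 0)."""
    flags_off = (MF if mf else 0) | (offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, flags_off,
                       64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))


def classify(header):
    """Return 'unfragmented', 'initial' or 'non-initial' for an IPv4 header."""
    (flags_off,) = struct.unpack_from("!H", header, 6)
    offset = flags_off & OFFSET_MASK
    if offset != 0:
        return "non-initial"          # middle or last fragment
    return "initial" if flags_off & MF else "unfragmented"


def acl_fragments_deny(header):
    """Model of a 'deny ... fragments' ACL entry: matches non-initial fragments only."""
    return classify(header) == "non-initial"


def drop_all_fragments(header):
    """Model of a drop-every-fragment policy (the 'drop-fragments' idea in the thread)."""
    return classify(header) != "unfragmented"


# Constructed samples: one datagram split in three, plus an unfragmented packet.
SAMPLES = {
    "first  (off=0,   MF=1)": ipv4_header(0x1234, True, 0),
    "middle (off=185, MF=1)": ipv4_header(0x1234, True, 185),
    "last   (off=370, MF=0)": ipv4_header(0x1234, False, 370),
    "whole  (off=0,   MF=0)": ipv4_header(0x5678, False, 0),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name}: {classify(hdr):13s} "
              f"acl-fragments-deny={acl_fragments_deny(hdr)} "
              f"drop-all={drop_all_fragments(hdr)}")
```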



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART