From: Mark Turner (markturner101@gmail.com)
Date: Thu Sep 06 2007 - 18:14:21 ART
Hello,
After going through the DOC CD and previous group study posts I am
still unclear about matching fragments in an ACL. Assume that a web
server with the IP address 172.16.1.1 is receiving bad TCP fragments
and you want to block them and allow all other traffic. From what I
have read, by using the fragments keyword only non-initial fragments
are filtered. The first fragment of a packet (packets that aren't
filtered) won't match this condition. Does the below config meet the
requirement of blocking bad TCP fragments?
access-list 100 deny ip any host 172.16.1.1 fragments
access-list 100 permit ip any any
Thanks,
Mark
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:09 ART
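The following is an added example, not part of the original post or reply thread: a small Python model of how IOS extended ACLs treat IP fragments, used to trace the two-line ACL above packet by packet. The matching rules it encodes are Cisco's documented fragment-handling rules (an entry with the fragments keyword sees only non-initial fragments; an L3-only entry sees everything; an entry carrying L4 information is skipped for non-initial fragments when it is a deny and honoured when it is a permit). The packets, the helper names and the second ACL are constructed for the demonstration; this is a model of the rules, not IOS code.

```python
"""Model of IOS extended-ACL fragment handling (added example, not from the post).

Rules encoded, per Cisco's ACL fragment-handling documentation:
  * ACE with the 'fragments' keyword: applies only to non-initial fragments.
  * ACE with L3 info only: applies to unfragmented packets, initial fragments
    and non-initial fragments alike.
  * ACE with L3 + L4 info: applied normally to unfragmented packets and
    initial fragments; for non-initial fragments (no L4 header present) a
    permit entry permits, a deny entry is skipped and the next entry is tried.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp", ...
    frag_offset: int = 0          # 0 for unfragmented packets and initial fragments
    more_fragments: bool = False  # IP MF flag
    dport: Optional[int] = None   # only known when the L4 header is present

    @property
    def is_noninitial(self) -> bool:
        return self.frag_offset > 0


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # "any", "host A.B.C.D" or a CIDR prefix
    dst: str
    dport: Optional[int] = None   # L4 information (e.g. 'eq 80'), if any
    fragments: bool = False       # the 'fragments' keyword


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec.split()[1])
    return ip_address(addr) in ip_network(spec, strict=False)


def _l3_match(ace: Ace, pkt: Packet) -> bool:
    proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
    return proto_ok and _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt; implicit deny at the end of the list."""
    for ace in acl:
        if not _l3_match(ace, pkt):
            continue
        if ace.fragments:                       # only non-initial fragments
            if pkt.is_noninitial:
                return ace.action
            continue
        if ace.dport is None:                   # L3-only entry: everything matches
            return ace.action
        if pkt.is_noninitial:                   # L3+L4 entry, no L4 header to check
            if ace.action == "permit":
                return "permit"
            continue                            # deny with L4 info is skipped
        if pkt.dport == ace.dport:
            return ace.action
    return "deny"


# The ACL from the post (the second line needs a protocol keyword in IOS).
ACL_100 = [
    Ace("deny", "ip", "any", "host 172.16.1.1", fragments=True),
    Ace("permit", "ip", "any", "any"),
]

# Constructed contrast: a deny that carries L4 information and no 'fragments' keyword.
ACL_TCP80 = [
    Ace("deny", "tcp", "any", "host 172.16.1.1", dport=80),
    Ace("permit", "ip", "any", "any"),
]

# Constructed sample traffic towards the web server.
UNFRAGMENTED = Packet("10.0.0.5", "172.16.1.1", "tcp", 0, False, 80)
INITIAL_FRAG = Packet("10.0.0.5", "172.16.1.1", "tcp", 0, True, 80)
NONINITIAL_FRAG = Packet("10.0.0.5", "172.16.1.1", "tcp", 185, False)   # offset > 0
OTHER_HOST_FRAG = Packet("10.0.0.5", "172.16.1.2", "tcp", 185, False)

if __name__ == "__main__":
    for name, pkt in [("unfragmented", UNFRAGMENTED), ("initial fragment", INITIAL_FRAG),
                      ("non-initial fragment", NONINITIAL_FRAG),
                      ("non-initial fragment, other host", OTHER_HOST_FRAG)]:
        print(f"{name:34s} ACL 100: {evaluate(ACL_100, pkt):6s}  ACL tcp/80: {evaluate(ACL_TCP80, pkt)}")
```

Running it shows that ACL 100 drops every non-initial fragment addressed to 172.16.1.1 (whatever the transport protocol) while the initial fragment and unfragmented packets fall through to the permit; the contrast ACL shows the opposite gap, where a deny with port information never catches non-initial fragments at all.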