RE: ACL fragment blocking

From: NET HE (he_net@hotmail.com)
Date: Tue Sep 11 2007 - 23:53:27 ART


As you also mentioned, ACL with fragment parameter is only applied to
non-initial fragments which only have layer3 information. Your config
doesn't block the first fragment, which has layer3 and layer4 information
and is regarded as nonfragment. So you need to add another entry as the
first in your ACL,

(DOC CD says you may need 2 ACL entries for every deny, the first entry
doesn't include fragment keyword, and applies to the initial fragment, and
the second entry includes fragment keyword for subsequent fragments)

option 1: access-list 100 deny ip any host 172.16.1.1
  - but it will block all traffic coming to 172.16.1.1, I don't think it
will be.
option 2: access-list 100 deny tcp any host 172.16.1.1
  - but it will block all tcp traffic coming to 172.16.1.1, I don't think it
will be.
option 3: access-list 100 deny tcp any host 172.16.1.1 eq www
  - but it will block all tcp www traffic coming to 172.16.1.1, I don't
think it will be.
option 4: access-list 100 deny tcp host 10.0.1.1 (specific source) host
172.16.1.1 eq www
  - this may be the best match you are looking for.

Best Regards,
Net (Xin) He
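To make the two-entry behaviour concrete, here is an added example (not from this thread and not Cisco code): a small Python model of how IOS extended ACLs treat initial and non-initial fragments, run over Mark's ACL, over option 4 alone, and over option 4 with the extra fragments entry. The matching rules are my reading of Cisco's "Access Control Lists and IP Fragments" document, the packets are constructed, and Mark's `permit any any` is taken as `permit ip any any`.

```python
# Constructed simulation of Cisco IOS extended-ACL fragment handling; written
# for this thread, not Cisco code. Rules assumed (Cisco's "Access Control
# Lists and IP Fragments" document):
#  - L3-only ACE (no port): matches non-fragments, initial and non-initial frags.
#  - L3+L4 ACE without "fragments": non-fragments/initial fragments are checked
#    on L3 and L4; a non-initial fragment has no L4 header, so a matching
#    permit permits it but a matching deny is skipped (next ACE is tried).
#  - ACE with "fragments": L3 only, applies to non-initial fragments only.
#  - Implicit deny at the end.
from collections import namedtuple
ACE = namedtuple("ACE", "action proto src dst dport fragments")
Packet = namedtuple("Packet", "proto src dst dport non_initial")  # dport None = no L4

def ace(action, proto, src, dst, dport=None, fragments=False):
    return ACE(action, proto, src, dst, dport, fragments)

def l3_match(a, p):
    return (a.proto in ("ip", p.proto) and a.src in ("any", p.src)
            and a.dst in ("any", p.dst))

def evaluate(acl, p):
    """Return 'permit' or 'deny' for packet p under ACL acl."""
    for a in acl:
        if a.fragments:                      # only non-initial fragments
            if p.non_initial and l3_match(a, p):
                return a.action
            continue
        if not l3_match(a, p):
            continue
        if a.dport is None:                  # L3-only entry applies to all
            return a.action
        if p.non_initial:                    # no L4 header to compare
            if a.action == "permit":
                return "permit"
            continue                         # deny skipped for this packet
        if p.dport == a.dport:
            return a.action
    return "deny"                            # implicit deny

HOST = "172.16.1.1"
# Mark's ACL from the thread (permit any any read as permit ip any any)
MARKS_ACL = [ace("deny", "ip", "any", HOST, fragments=True),
             ace("permit", "ip", "any", "any")]
# Option 4 from the reply plus the second, fragments entry it calls for
TWO_ENTRY_ACL = [ace("deny", "tcp", "10.0.1.1", HOST, dport=80),
                 ace("deny", "ip", "10.0.1.1", HOST, fragments=True),
                 ace("permit", "ip", "any", "any")]
# Constructed packets: the initial fragment carries the TCP header, later ones don't
INITIAL = Packet("tcp", "10.0.1.1", HOST, 80, False)
NON_INITIAL = Packet("tcp", "10.0.1.1", HOST, None, True)
```

Evaluating `MARKS_ACL` shows the initial fragment slipping through, and dropping the fragments entry from `TWO_ENTRY_ACL` shows the non-initial fragments slipping through instead; only both entries together deny the whole datagram.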

>Hello,
>
>After going through the DOC cd and previous group study posts I am
>still unclear about matching fragments in an acl. Assume that a web
>server with the ip address 172.16.1.1 is receiving bad tcp fragments
>and you want to block them and allow all other traffic. From what I
>have read, by using the fragment keyword, only non-initial fragments
>are filtered. The first fragment of a packet (packets that aren't
>filtered) won't match this condition. Does the below config meet the
>requirement of blocking bad tcp fragments?
>
>access-list 100 deny ip any host 172.16.1.1 fragments
>access-list 100 permit any any
>
>Thanks,
>
>Mark



This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:11 ART