RE: Fragment direction

From: Scott Morris (smorris@internetworkexpert.com)
Date: Mon Sep 15 2008 - 10:00:03 ART


The "to" part will depend on what the task says and where your IPs are
at....

Your problem on the second outbound idea there is that locally generated
packets are not subject to outbound ACLs on a router. You can always bring
a switch/SVI into one of your router ports' VLANs and pretend it's a host to
see a difference in output.

HTH,

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Mohamed Tandou
Sent: Monday, September 15, 2008 7:58 AM
To: ccielab@groupstudy.com
Subject: Fragment direction

Hello GS,
In what direction should I apply the ip access-group if I want to prevent
fragmentation to a web server?
When I applied inbound I get this:

*Mar 1 00:48:17.303: IP Fragment, Ident = 1, fragment offset = 0
*Mar 1 00:48:17.303: ICMP type=8, code=0
*Mar 1 00:48:17.303: IP: recv fragment from 11.11.12.1 offset 0 bytes
*Mar 1 00:48:17.491: IP: s=11.11.12.1 (Serial0/0), d=11.11.12.2, len 1500,
access denied
*Mar 1 00:48:17.491: IP Fragment, Ident = 1, fragment offset = 1480
*Mar 1 00:48:17.679: IP: s=11.11.12.1 (Serial0/0), d=11.11.12.2, len 1500,
access denied
*Mar 1 00:48:17.679: IP Fragment, Ident = 1, fragment offset = 2960
*Mar 1 00:48:17.867: IP: s=11.11.12.1 (Serial0/0), d=11.11.12.2, len 1500,
access denied
*Mar 1 00:48:17.867: IP Fragment, Ident = 1, fragment offset = 4440
*Mar 1 00:48:18.055: IP: s=11.11.12.1 (Serial0/0), d=11.11.12.2, len 1500,
access denied
*Mar 1 00:48:18.055: IP Fragment, Ident = 1, fragment offset = 5920
*Mar 1 00:48:18.243: IP: s=11.11.12.1 (Serial0/0), d=11.11.12.2, len 1500,
access denied
*Mar 1 00:48:18.243: IP Fragment, Ident = 1, fragment offset = 7400
*Mar 1 00:48:18.431: IP: s=11.11.12.1 (Serial0/0), d=11.11.12.2, len 1500,
access denied
*Mar 1 00:48:18.431: IP Fragment, Ident = 1, fragment offset = 8880
*Mar 1 00:48:18.619: IP: s=11.11.12.1 (Serial0/0), d=11.11.12.2, len 1500,
access denied
*Mar 1 00:48:18.619: IP Fragment, Ident = 1, fragment offset = 10360
*Mar 1 00:48:18.807: IP: s=11.11.12.1 (Serial0/0), d=11.11.12.2, len 1500,
access denied
*Mar 1 00:48:18.807: IP Fragment, Ident = 1, fragment offset = 11840
*Mar 1 00:48:18.995: IP: s=11.11.12.1 (Serial0/0), d=11.11.12.2, len 1500,
access denied

But when I applied outbound I get this:

*Mar 1 00:51:26.539: IP: s=11.11.12.2 (local),
d=11.11.25.6(FastEthernet0/0), len 1500, sending fragment
*Mar 1 00:51:26.539: IP Fragment, Ident = 5, fragment offset = 0
*Mar 1 00:51:26.539: ICMP type=0, code=0
*Mar 1 00:51:26.539: IP: s=11.11.12.2 (local),
d=11.11.25.6(FastEthernet0/0), len 1500, sending fragment
*Mar 1 00:51:26.539: IP Fragment, Ident = 5, fragment offset = 1480
*Mar 1 00:51:26.539: IP: s=11.11.12.2 (local),
d=11.11.25.6(FastEthernet0/0), len 1500, sending fragment
*Mar 1 00:51:26.539: IP Fragment, Ident = 5, fragment offset = 2960
*Mar 1 00:51:26.543: IP: s=11.11.12.2 (local),
d=11.11.25.6(FastEthernet0/0), len 1500, sending fragment
*Mar 1 00:51:26.543: IP Fragment, Ident = 5, fragment offset = 4440
*Mar 1 00:51:26.543: IP: s=11.11.12.2 (local),
d=11.11.25.6(FastEthernet0/0), len 1500, sending fragment
*Mar 1 00:51:26.543: IP Fragment, Ident = 5, fragment offset = 5920
*Mar 1 00:51:26.543: IP: s=11.11.12.2 (local),
d=11.11.25.6(FastEthernet0/0), len 1500, sending fragment
*Mar 1 00:51:26.543: IP Fragment, Ident = 5, fragment offset = 7400
*Mar 1 00:51:26.547: IP: s=11.11.12.2 (local),
d=11.11.25.6(FastEthernet0/0), len 1500, sending fragment
*Mar 1 00:51:26.547: IP Fragment, Ident = 5, fragment offset = 8880
*Mar 1 00:51:26.547: IP: s=11.11.12.2 (local),
d=11.11.25.6(FastEthernet0/0), len 1500, sending fragment
*Mar 1 00:51:26.547: IP Fragment, Ident = 5, fragment offset = 10360

Can someone help me out here ?

Thanks

Moh
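
Added example, not part of the original thread: a small Python check that reads debug output in the format quoted above and flags captures where every packet is sourced by the router itself ("local"), which is the case Scott describes where an outbound ACL is never consulted. The function names `classify` and `exercises_acl` are hypothetical, and the sample lines are copied from the thread with the mail line-wrapping joined.

```python
import re

# Per-packet line and fragment detail line, as they appear in the thread's debug output.
PKT = re.compile(r"IP: s=(?P<src>[\d.]+) \((?P<origin>[^)]+)\), d=(?P<dst>[\d.]+)"
                 r".*?, (?P<verdict>access denied|sending fragment)")
FRAG = re.compile(r"IP Fragment, Ident = (\d+), fragment offset = (\d+)")

def classify(log_text):
    """Pair each packet line with the fragment detail line that follows it."""
    events, current = [], None
    for line in log_text.splitlines():
        pkt = PKT.search(line)
        if pkt:
            current = dict(pkt.groupdict(), local=pkt["origin"] == "local")
            events.append(current)
            continue
        frag = FRAG.search(line)
        if frag and current is not None and "offset" not in current:
            current["ident"], current["offset"] = int(frag[1]), int(frag[2])
    return events

def exercises_acl(events):
    """False if any packet was sourced by the router itself ("local"):
    such traffic is not checked against an outbound ACL on that router."""
    return bool(events) and not any(e["local"] for e in events)

# Log lines copied from the thread, with the mail line-wrapping joined.
INBOUND = """\
*Mar 1 00:48:17.491: IP: s=11.11.12.1 (Serial0/0), d=11.11.12.2, len 1500, access denied
*Mar 1 00:48:17.491: IP Fragment, Ident = 1, fragment offset = 1480
*Mar 1 00:48:17.679: IP: s=11.11.12.1 (Serial0/0), d=11.11.12.2, len 1500, access denied
*Mar 1 00:48:17.679: IP Fragment, Ident = 1, fragment offset = 2960
"""
OUTBOUND = """\
*Mar 1 00:51:26.539: IP: s=11.11.12.2 (local), d=11.11.25.6(FastEthernet0/0), len 1500, sending fragment
*Mar 1 00:51:26.539: IP Fragment, Ident = 5, fragment offset = 0
*Mar 1 00:51:26.539: ICMP type=0, code=0
*Mar 1 00:51:26.539: IP: s=11.11.12.2 (local), d=11.11.25.6(FastEthernet0/0), len 1500, sending fragment
*Mar 1 00:51:26.539: IP Fragment, Ident = 5, fragment offset = 1480
"""

if __name__ == "__main__":
    for name, text in (("inbound", INBOUND), ("outbound", OUTBOUND)):
        ev = classify(text)
        print(name, [(e.get("offset"), e["verdict"]) for e in ev],
              "exercises ACL:", exercises_acl(ev))
```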
