From: Jared Scrivener (jscrivener@ipexpert.com)
Date: Tue Feb 10 2009 - 12:44:47 ARST
Your first option denies fragments of IP packets with TCP as the layer 4
protocol as well as fragments of all IP packets (which includes the first
statement anyway), whereas your second just covers fragments of all IP
packets.
The first ACL is overkill, so just use the second option.
Cheers,
Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: jscrivener@ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
GAURAV MADAN
Sent: Tuesday, 10 February 2009 9:39 AM
To: Cisco certification
Subject: "Fragment Keyword"
Hi group
I tried the "fragment" keyword today. Read some papers on this and tried
the things out.
One thing is confusing me (maybe this is basic).
If the question says "permit only non-fragmented and initial fragments",
I have the following ACL configured:
OPTION 1
**************
Extended IP access list FRAGMENTED
10 deny tcp any any fragments
20 deny ip any any fragments
30 permit ip any any
OPTION 2
**************
Extended IP access list FRAGMENTED
10 deny ip any any fragments
20 permit ip any any
How are these two different? Which one will be marked correct/incorrect?
Please shed some light on this.
Gaurav Madan
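As an added example (not part of either message in this thread), here is a small Python model of how IOS evaluates extended ACEs against fragmented traffic, following the three rules Cisco documents for the `fragments` keyword: an ACE with `fragments` matches only non-initial fragments (fragment offset greater than zero); an ACE with no `fragments` keyword and no layer 4 information matches everything; and an ACE that carries layer 4 information cannot compare ports on a non-initial fragment, so only its layer 3 fields are checked, a permit matches and a deny is skipped. The `Packet`, `Ace`, `parse_acl` and `evaluate` names are mine, the parser only understands `any any` addresses with an optional destination `eq` port, and the sample packets are constructed, not captured. It runs both OPTION 1 and OPTION 2 over the same traffic to show they decide identically, and goes one step beyond the thread with an ACE carrying a port match, to show why such an entry cannot stop non-initial fragments by itself.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str                    # "tcp", "udp", "icmp", ...
    frag_offset: int = 0          # 0 = unfragmented or initial fragment
    dport: Optional[int] = None   # None when no L4 header is present


@dataclass
class Ace:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every IP protocol
    dport: Optional[int] = None   # L4 information ("eq N"), if any
    fragments: bool = False       # the `fragments` keyword


def parse_acl(text: str) -> List[Ace]:
    """Parse ACEs of the form '<seq> <action> <proto> any any [eq N] [fragments]'.
    Hypothetical mini-parser: only 'any any' and a destination 'eq' port are understood."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        dport = int(tok[tok.index("eq") + 1]) if "eq" in tok else None
        acl.append(Ace(int(tok[0]), tok[1], tok[2], dport, "fragments" in tok))
    return sorted(acl, key=lambda a: a.seq)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    non_initial = pkt.frag_offset > 0
    if ace.fragments:                  # `fragments`: only non-initial fragments
        return non_initial
    if ace.dport is None:              # pure L3 entry: initial, non-initial, unfragmented
        return True
    if non_initial:                    # L4 info in the ACE but no L4 header in the packet:
        return ace.action == "permit"  #   a permit matches on L3 alone, a deny is skipped
    return pkt.dport == ace.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"                      # implicit deny at the end of every ACL


OPTION1 = parse_acl("""
10 deny tcp any any fragments
20 deny ip any any fragments
30 permit ip any any
""")
OPTION2 = parse_acl("""
10 deny ip any any fragments
20 permit ip any any
""")

# Beyond the thread: an ACE that carries L4 information cannot deny a
# non-initial fragment, because the fragment has no port to compare.
L4_DENY = parse_acl("""
10 deny tcp any any eq 23
20 permit ip any any
""")

# Constructed sample traffic (not captured data). An initial fragment has
# offset 0 and carries the L4 header, so to the ACL it looks like an
# unfragmented packet; only non-initial fragments have offset > 0.
SAMPLE = {
    "tcp_unfragmented":  Packet("tcp", 0, 80),
    "tcp_initial_frag":  Packet("tcp", 0, 80),
    "tcp_noninit_frag":  Packet("tcp", 185),
    "udp_noninit_frag":  Packet("udp", 370),
    "icmp_unfragmented": Packet("icmp"),
}


def decisions(acl: List[Ace]) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE.items()}


def equivalent(acl_a: List[Ace], acl_b: List[Ace]) -> bool:
    return decisions(acl_a) == decisions(acl_b)


if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:18} option1={evaluate(OPTION1, pkt):6} option2={evaluate(OPTION2, pkt)}")
    print("OPTION 1 and OPTION 2 equivalent:", equivalent(OPTION1, OPTION2))
    print("L4 deny on tcp non-initial fragment:", evaluate(L4_DENY, Packet("tcp", 185)))
```

The `tcp ... fragments` line in OPTION 1 never matches anything that the `ip ... fragments` line below it would not also match, so `decisions()` is identical for both ACLs on every packet. The `L4_DENY` list is the case to remember when writing a real filter: its `deny tcp any any eq 23` stops an unfragmented Telnet packet but lets a non-initial TCP fragment through to the `permit ip any any`, which is exactly the gap an explicit `deny ip any any fragments` entry closes.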
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:10 ARST