RE: "Fragment Keyword"

From: Daniel Kutchin (daniel@kutchin.com)
Date: Tue Feb 10 2009 - 14:55:30 ARST


(Corrected)
Essentially they are the same.

On TCP traffic, Option 1 does the job more thoroughly.

OPTION 2 catches the TAILS (non-initial fragments) of TCP
fragments as well as the TAILS of TCP and IP fragments.

OPTION 1 additionally catches the HEADS (initial fragments)
of TCP Packets.

If you want to explicitly block FRAGMENTED TCP packets, then
Option 1 will deliver cleaner traffic at the destination.

The TCP HEADS allowed through in Option 2 will be good for
forensics but not to the application at the destination.
(Nor to the traffic pipe).

To repaint the picture:
 
The following line does _NOT_ block IP HEADS
(i.e. IP initial fragments), just IP TAILS (non-initial)
and TCP TAILS (if they don't contain Layer-4 info):

   20 deny ip any any fragments

The following line blocks HEADS and TAILS (if they
contain Layer-4 Info) of TCP fragments.

    10 deny tcp any any fragments

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml

-

Daniel

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
GAURAV MADAN
Sent: Tuesday, 10 February 2009 15:39
To: Cisco certification
Subject: "Fragment Keyword"

Hi group

I tried the "fragment" keyword today. I read some papers on this and tried
things out.

One thing is confusing me (maybe this is basic).
If the question says "permit only non-fragmented and initial fragments" ..

I have the following ACL configured:

OPTION 1
**************
Extended IP access list FRAGMENTED
    10 deny tcp any any fragments
    20 deny ip any any fragments
    30 permit ip any any

OPTION 2
**************
Extended IP access list FRAGMENTED
    10 deny ip any any fragments
    20 permit ip any any

How are these two different? Which one will be marked correct / incorrect?

Please shed some light on this.

Gaurav Madan

Blogs and organic groups at http://www.ccie.net
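As an added example (not code from either post), the following Python model applies the fragment-matching rules described in the Cisco white paper linked above to the two ACLs from the question. Those rules, in short: an entry with the `fragments` keyword matches only non-initial fragments; an entry with Layer-3 information only matches every packet, fragments included; an entry carrying Layer-4 information matches non-fragmented packets and initial fragments on their ports, and for a non-initial fragment (which has no ports) a `permit` applies on the Layer-3 match while a `deny` is skipped and the next entry is processed. The packet classes, the small ACE parser, the `run()` helper and the third ACL (`NO_KEYWORD`, which goes beyond the two options in the thread to show what the keyword changes) are all constructed here and are not from the thread or from Cisco.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # IP protocol: 'tcp', 'udp', 'icmp', ...
    fragmented: bool             # belongs to a fragment train
    initial: bool                # offset-0 fragment (carries the Layer-4 header)
    dport: Optional[int] = None  # known only when the Layer-4 header is present


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip' or a specific protocol (Layer-3 info)
    fragments: bool = False      # the 'fragments' keyword
    dport: Optional[int] = None  # Layer-4 info ('eq <port>'), None if absent


def parse_ace(line: str) -> Ace:
    """Parse the subset '<seq> <permit|deny> <proto> any any [eq <port>] [fragments]'."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    if tok[3:5] != ["any", "any"]:
        raise ValueError("only 'any any' source/destination is modelled here")
    dport, frag, rest = None, False, tok[5:]
    while rest:
        if rest[0] == "eq":
            dport, rest = int(rest[1]), rest[2:]
        elif rest[0] == "fragments":
            frag, rest = True, rest[1:]
        else:
            raise ValueError(f"unsupported token {rest[0]!r}")
    if frag and dport is not None:
        # IOS rejects this: 'fragments' is only valid on a Layer-3-only entry
        raise ValueError("'fragments' cannot be combined with Layer-4 information")
    return Ace(seq, action, proto, frag, dport)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the entry that decides pkt; implicit deny is ('deny', None)."""
    non_initial = pkt.fragmented and not pkt.initial
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue                            # Layer-3 part does not match
        if ace.fragments:
            if non_initial:                     # 'fragments' entries see only tails
                return ace.action, ace.seq
            continue
        if ace.dport is None:
            return ace.action, ace.seq          # Layer-3-only entry matches everything
        # Entry carries Layer-4 info
        if non_initial:
            # A tail has no ports: a permit applies on the Layer-3 match,
            # a deny is skipped and the next entry is processed.
            if ace.action == "permit":
                return "permit", ace.seq
            continue
        if pkt.dport == ace.dport:
            return ace.action, ace.seq
    return "deny", None


def run(acl_lines: List[str], packets: Dict[str, Packet]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Verdict and deciding line number for every packet class in `packets`."""
    acl = [parse_ace(line) for line in acl_lines]
    return {name: evaluate(acl, p) for name, p in packets.items()}


# The two ACLs from the question, plus a third without the keyword (constructed here).
OPTION1 = ["10 deny tcp any any fragments", "20 deny ip any any fragments", "30 permit ip any any"]
OPTION2 = ["10 deny ip any any fragments", "20 permit ip any any"]
NO_KEYWORD = ["10 deny tcp any any eq 23", "20 permit ip any any"]

# Constructed packet classes, not captured traffic.
PACKETS = {
    "tcp_whole": Packet("tcp", fragmented=False, initial=True, dport=23),
    "tcp_head": Packet("tcp", fragmented=True, initial=True, dport=23),
    "tcp_tail": Packet("tcp", fragmented=True, initial=False),
    "udp_tail": Packet("udp", fragmented=True, initial=False),
}

if __name__ == "__main__":
    for label, acl in (("OPTION 1", OPTION1), ("OPTION 2", OPTION2), ("NO KEYWORD", NO_KEYWORD)):
        print(label)
        for name, (action, seq) in run(acl, PACKETS).items():
            print(f"  {name:10s} -> {action} (line {seq})")
```

Running it prints, per ACL, the verdict for each packet class and the line that produced it. Under these rules a TCP tail is charged to line 10 in both options while a non-TCP tail lands on line 20 in Option 1 and line 10 in Option 2; the deciding line is what the per-entry match counters in `show access-lists` attribute a hit to, which is the only place the two options look different. The third ACL shows the case the keyword exists for: with `deny tcp any any eq 23` and no `fragments` entry in front of it, a TCP tail cannot be matched on ports, the deny is skipped, and the tail falls through to `permit ip any any`.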



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:10 ARST