https://community.cisco.com/t5/network-security/zbf-vs-interface-acl/m-p/1711291#M534562 <HTML><HEAD></HEAD><BODY><P style="padding: 0pt; margin: 0pt;">Hi Mike,</P><P></P><P style="padding: 0pt; margin: 0pt;">Thanks for the information. I'm using RBE on an 887VA dsl interface, and I was informed that turning off ip virtual reassembly was recommended for this scenario. However, when I tried that on v15.1 it took the command but displayed nothing even in show run all. So I don't know if it is on or off or even exists. </P><P></P><P style="padding: 0pt; margin: 0pt;">When it is used, how does ip virtural reassembly control fragments?</P><P></P><P style="padding: 0pt; margin: 0pt;">I like the ZBF. I'm just not very comfortable with how to accomplish certain tasks yet. </P></BODY></HTML> Mon, 01 Aug 2011 01:38:19 GMT lcaruso 2011-08-01T01:38:19Z https://community.cisco.com/t5/network-security/zbf-vs-interface-acl/m-p/1711289#M534559 <P>Hi,</P><P></P><P>I know interface ACLs are not applicable with ZBF, so a different implementation is used. That's documented elsehwere. </P><P></P><P>What I don't know is, given the outside interface ACL for my router (below), how do I implement some of those features? For example, the Guide to Harden Cisco IOS Devices recommends dropping fragments. How would I do that with ZBF?</P><P></P><P>Another question is with ZBF are some of these ACEs shown below no longer necessary?</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P><SPAN style="font-family: 'courier new', courier;">ip access-list extended outside_in</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; tcp any any fragments</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; udp any any fragments</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; icmp any any fragments</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip any any fragments</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip host 0.0.0.0 any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip host 255.255.255.255 any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip 0.0.0.0 0.255.255.255 any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip 10.0.0.0 0.255.255.255 any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip 127.0.0.0 0.255.255.255 any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip 169.254.0.0 0.0.255.255 any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip 172.16.0.0 0.15.255.255 any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip 192.0.0.0 0.0.0.255 any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip 192.0.2.0 0.0.0.255 any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip 192.168.0.0 0.0.255.255 any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip 198.18.0.0 0.1.255.255 any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip 198.51.100.0 0.0.0.255 any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip 203.0.113.0 0.0.0.255 any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> deny&nbsp;&nbsp; ip 224.0.0.0 31.255.255.255 any</SPAN></P></PRE><P></P><P>Thanks.</P> Mon, 11 Mar 2019 21:05:58 GMT https://community.cisco.com/t5/network-security/zbf-vs-interface-acl/m-p/1711289#M534559 lcaruso 2019-03-11T21:05:58Z https://community.cisco.com/t5/network-security/zbf-vs-interface-acl/m-p/1711290#M534560 <HTML><HEAD></HEAD><BODY><P>Hi Larry, </P><P></P><P>Fragments are not entire bad on an IP network, it is common that if the packets are too big it will fragment them. ZBF has a queue for the fragments and it the packet has an anomaly, it will drop it. Now, if you want to control the IP fragments coming into your network, you can use the command IP virtual reassembly, that way you can limit the amount of fragments that come in to the network. </P><P></P><P>Fragmentation attacks should not be a problem if you have Stateful firewall such as zone based firewall. </P><P></P><P>Hope this helps. </P><P></P><P>Mike </P></BODY></HTML> Sun, 31 Jul 2011 03:47:38 GMT https://community.cisco.com/t5/network-security/zbf-vs-interface-acl/m-p/1711290#M534560 Maykol Rojas 2011-07-31T03:47:38Z https://community.cisco.com/t5/network-security/zbf-vs-interface-acl/m-p/1711291#M534562 <HTML><HEAD></HEAD><BODY><P style="padding: 0pt; margin: 0pt;">Hi Mike,</P><P></P><P style="padding: 0pt; margin: 0pt;">Thanks for the information. I'm using RBE on an 887VA dsl interface, and I was informed that turning off ip virtual reassembly was recommended for this scenario. However, when I tried that on v15.1 it took the command but displayed nothing even in show run all. So I don't know if it is on or off or even exists. </P><P></P><P style="padding: 0pt; margin: 0pt;">When it is used, how does ip virtural reassembly control fragments?</P><P></P><P style="padding: 0pt; margin: 0pt;">I like the ZBF. I'm just not very comfortable with how to accomplish certain tasks yet. </P></BODY></HTML> Mon, 01 Aug 2011 01:38:19 GMT https://community.cisco.com/t5/network-security/zbf-vs-interface-acl/m-p/1711291#M534562 lcaruso 2011-08-01T01:38:19Z