Contributor

fragmented packet and access list

Hi everybody

Please consider the following scenario:

Sw(config)# access-list 120 permit tcp any host 199.199.199.2 eq smtp

The above access list is applied outbound on an interface on the above switch.

Suppose the switch receives a packet with destination 199.199.199.2 and destined for the SMTP TCP port.

Let's assume the switch has to fragment the packet into three fragments: fragment1, fragment2, fragment3.

The switch encapsulates the first fragment in an IP header; this fragment contains the TCP header and a portion of the data.

The switch checks the IP packet contents against access list 120. Since the packet matches the access list, it is allowed.

Now the switch encapsulates the 2nd fragment in an IP header. This fragment contains no layer 4 information, just data.

What will happen now? Will the switch drop it because the packet has no layer 4 info and therefore does not match access list 120?

thanks and have a great weekend.

1 ACCEPTED SOLUTION
Hall of Fame Expert

fragmented packet and access list

Hello Sarah,

Your understanding is correct: only fragment1 has a complete L4 header.

With extended ACLs you have an option to permit fragments, but in your case your ACL is made of a single statement and only the first fragment is a match for the ACL line. So it looks like Fragment2 and Fragment3 would be dropped by the ACL, by the implicit deny ip any at the end of the ACL.

However, checking the Security Command Reference, we find that IOS is somewhat conservative in its treatment of fragments.

See

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C

If the fragments keyword is not used and the ACL statement checks L4 information, non-initial fragments are checked against the L3 portion of the ACL statement, so that non-initial fragments are permitted.

If the fragments keyword is present in a separate ACL statement, only initial fragments are checked (the fragments keyword cannot be used in an ACL statement matching L4 information).

So in your case actually all fragments should be permitted, allowing effective communication.

Hope to help

Giuseppe

Contributor

fragmented packet and access list

Thanks Giuseppe.

Would you please give me an example of using the fragments keyword with an access list?

Have a great weekend.
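
The following is an added example and not part of the thread (it is neither Giuseppe's nor Cisco's code). It models the fragment-matching rules Giuseppe summarises above, following the Cisco Security Command Reference entry for the fragments keyword that he links, and also shows the `fragments` keyword in an ACL as Sarah asks for. Assumptions: addresses are matched only as `any` or an exact host (no wildcard masks, port ranges or TCP flag matching, which are not needed to show the fragment logic); the three fragments and the source address 10.1.1.5 are constructed sample input; the rule that a `deny` ACE with L4 information is skipped for a non-initial fragment, rather than applied, is taken from the referenced command reference.

```python
# Added example (not from the thread): a small model of how IOS extended ACLs
# treat IP fragments, following the rules in the Cisco Security Command
# Reference entry for the "fragments" keyword. Addresses are matched only as
# "any" or an exact host; wildcard masks, port ranges and TCP flag matching are
# deliberately left out (assumption: not needed to show the fragment logic).
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """One IP datagram or fragment as the ACL engine sees it."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    frag_offset: int = 0         # 0 = unfragmented or initial fragment
    dport: Optional[int] = None  # only known when the L4 header is present

    @property
    def noninitial(self) -> bool:
        # Non-initial fragments carry no L4 header, so dport is unknown.
        return self.frag_offset > 0


@dataclass(frozen=True)
class Ace:
    """One access-list entry (ACE). proto "ip" matches every protocol."""
    action: str                  # "permit" or "deny"
    proto: str
    src: str                     # "any" or a host address
    dst: str
    dport: Optional[int] = None  # "eq <port>": the ACE carries L4 info
    fragments: bool = False      # the "fragments" keyword

    def __post_init__(self) -> None:
        # IOS rejects "fragments" on an ACE that also matches L4 information.
        if self.fragments and self.dport is not None:
            raise ValueError("fragments keyword cannot be combined with L4 info")

    def l3_match(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst))

    def l4_match(self, p: Packet) -> bool:
        return self.dport is None or self.dport == p.dport


def evaluate(acl: List[Ace], p: Packet) -> str:
    """Return 'permit' or 'deny' for p, walking acl in order (implicit deny at end)."""
    for ace in acl:
        if ace.fragments:
            # A "fragments" ACE applies only to non-initial fragments.
            if p.noninitial and ace.l3_match(p):
                return ace.action
            continue
        if not ace.l3_match(p):
            continue
        if ace.dport is None:
            # L3-only ACE: applies to initial and non-initial fragments alike.
            return ace.action
        if not p.noninitial:
            # Unfragmented packet or initial fragment: full L3 + L4 check.
            if ace.l4_match(p):
                return ace.action
            continue
        # Non-initial fragment against an ACE with L4 info: the L4 part cannot
        # be checked. A permit is applied on the L3 match; a deny is skipped and
        # the next entry is processed (rule from the referenced command reference).
        if ace.action == "permit":
            return "permit"
    return "deny"  # implicit "deny ip any any"


SMTP_HOST = "199.199.199.2"

# access-list 120 permit tcp any host 199.199.199.2 eq smtp   (the thread's ACL)
ACL_120 = [Ace("permit", "tcp", "any", SMTP_HOST, dport=25)]

# Same ACL with a "fragments" entry in front of it, to show the keyword's effect:
#   access-list 121 deny ip any host 199.199.199.2 fragments
#   access-list 121 permit tcp any host 199.199.199.2 eq smtp
ACL_121 = [Ace("deny", "ip", "any", SMTP_HOST, fragments=True)] + ACL_120

# Constructed sample: the three fragments from the question. Offsets are in
# 8-byte units as in the IP header; only the first carries the TCP header.
FRAGMENTS = [
    Packet("10.1.1.5", SMTP_HOST, "tcp", frag_offset=0, dport=25),
    Packet("10.1.1.5", SMTP_HOST, "tcp", frag_offset=185),
    Packet("10.1.1.5", SMTP_HOST, "tcp", frag_offset=370),
]


def classify(acl: List[Ace]) -> List[str]:
    """Verdict for each of the three sample fragments, in order."""
    return [evaluate(acl, f) for f in FRAGMENTS]


if __name__ == "__main__":
    print("ACL 120:", classify(ACL_120))  # all three fragments permitted
    print("ACL 121:", classify(ACL_121))  # only the initial fragment permitted
```

Running it shows the two sides of the thread: with ACL 120 alone, all three fragments are permitted, because fragment2 and fragment3 are judged on the L3 part of the entry only. The flip side is the caveat a practitioner should keep in mind: a non-initial fragment addressed to 199.199.199.2 is permitted by ACL 120 whatever TCP port the original datagram was for (try `evaluate(ACL_120, Packet("10.1.1.5", SMTP_HOST, "tcp", frag_offset=185))` with a first fragment destined to port 80 that the ACL would have dropped). Putting a `deny ip any host 199.199.199.2 fragments` entry ahead of the permit, as in ACL 121, closes that gap by dropping every non-initial fragment to the host, at the cost of also breaking legitimately fragmented SMTP, which is why the keyword is normally used together with path MTU that avoids fragmentation in the first place.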
