08-10-2012 08:20 PM - edited 03-07-2019 08:17 AM
Hi everybody
Please consider the following scenario:
Sw(config)# access-list 120 permit tcp any host 199.199.199.2 eq smtp
the above access list is applied outbound on an interface on the above switch.
Suppose the switch receives a packet with destination 199.199.199.2, destined for the SMTP TCP port.
Let's assume the switch has to fragment the packet into three fragments: fragment1, fragment2, fragment3.
The switch encapsulates the first fragment in an IP header; this fragment contains the TCP header and a portion of the data.
The switch checks the IP packet contents against access list 120. Since the packet matches the access list, it is allowed.
Now the switch encapsulates the 2nd fragment in an IP header. This fragment contains no layer 4 information, just data.
What will happen now? Will the switch drop it because the packet has no layer 4 info and therefore does not match access list 120?
thanks and have a great weekend.
08-12-2012 05:15 AM
Hello Sarah,
Your understanding is correct: only fragment1 has a complete L4 header.
With an extended ACL you have an option to permit fragments, but in your case your ACL is made of a single statement and only the first fragment is a match for the ACL line. So it looks like fragment2 and fragment3 would be dropped by the implicit deny ip any at the end of the ACL.
However, checking the Security Command reference we find that IOS is somewhat conservative in its treatment of fragments.
see
If the fragments keyword is not used and the ACL statement checks L4 information, non-initial fragments are checked against the L3 portion of the ACL statement, so that non-initial fragments are permitted.
If the fragments keyword is present in a separate ACL statement, only initial fragments are checked (the fragments keyword cannot be used in an ACL statement matching L4 information).
So in your case all fragments should actually be permitted, allowing effective communication.
Hope to help
Giuseppe
08-12-2012 09:07 AM
Thanks Giuseppe.
Would you please give me an example for using fragment key word with access list?
Have a great weekend.
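The following is an added model, not code from this thread or from Cisco, of how IOS evaluates an extended ACL against initial and non-initial fragments as described in the answer above (L4 statements match non-initial fragments on their L3 portion; a separate L3-only statement with the fragments keyword handles non-initial fragments). It also shows the requested use of the fragments keyword: a deny ... fragments line placed ahead of the SMTP permit. The ACE/Packet classes and the 199.199.199.2 / port 25 values are constructed for this illustration.

```python
# Model of Cisco IOS extended-ACL fragment handling (added illustration, not
# Cisco code). Follows the fragment rules in the IOS Security Command Reference;
# addresses and ports below are constructed sample values.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    dst: str                     # destination host, or "any"
    dport: Optional[int] = None  # L4 destination port if the ACE checks L4 info
    fragments: bool = False      # the 'fragments' keyword (L3-only ACEs)

@dataclass
class Packet:
    proto: str
    dst: str
    dport: Optional[int]   # None on a non-initial fragment (no L4 header)
    noninitial: bool       # True for fragment2, fragment3, ... of a datagram

def l3_match(ace: Ace, pkt: Packet) -> bool:
    return ace.proto in ("ip", pkt.proto) and ace.dst in ("any", pkt.dst)

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt using the IOS fragment rules."""
    for ace in acl:
        if not l3_match(ace, pkt):
            continue
        if ace.fragments:
            # 'fragments' ACEs apply to non-initial fragments only
            if pkt.noninitial:
                return ace.action
            continue
        if ace.dport is None:
            return ace.action          # pure L3 ACE: applies to every packet
        if pkt.noninitial:
            # L4 ACE vs. a fragment without an L4 header: a permit matches on
            # L3 alone; a deny is skipped so the next ACE gets to decide
            if ace.action == "permit":
                return "permit"
            continue
        if ace.dport == pkt.dport:     # initial fragment / unfragmented packet
            return ace.action
    return "deny"                      # implicit deny ip any any

# access-list 120 permit tcp any host 199.199.199.2 eq smtp   (from the question)
ACL_120 = [Ace("permit", "tcp", "199.199.199.2", dport=25)]
# Same ACL with a 'fragments' line in front, so non-initial fragments to the
# mail host are denied instead of being permitted on L3 alone
ACL_120_FRAG = [Ace("deny", "ip", "199.199.199.2", fragments=True)] + ACL_120
```

With ACL_120 alone both fragment1 (TCP header present) and fragment2 (no L4 header) are permitted; with ACL_120_FRAG fragment1 is still permitted by the SMTP line while fragment2 hits the deny ... fragments line.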