IP Fragments

cisco_lite
Level 1

Why do I need the lines below on the ACL if an implicit deny, i.e. 'deny ip any any', exists?

deny tcp any any fragments

deny udp any any fragments

deny icmp any any fragments

deny ip any any fragments

1 Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Cisco_Lite,

two possible reasons:

A) You want to be sure the router is never involved with fragmented traffic; it will drop it if it sees the more-fragments bit set in the IP header (this requires these lines to be before the permit lines).

B) The reason for multiple lines is to be able to trace fragments received and dropped per protocol type.

(deny ip any any fragments would be enough to drop all fragments, but no info on whether the fragments are UDP rather than TCP can be seen.)

When you do sh ip access-list xxx you get counters for each line in the ACL.

Hope to help

Giuseppe
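As an added illustration (not from the thread), a small Python model of first-match ACL evaluation with per-line hit counters. It replays constructed traffic through the four deny-fragments lines from the question, through a single deny ip any any fragments line, and through an ACL with permit ip any any placed first, so the per-protocol counters and the ordering point from the answer can be seen side by side. It assumes the IOS behaviour that the fragments keyword matches only non-initial fragments (nonzero fragment offset); the class and function names are invented for the example.

```python
from dataclasses import dataclass

@dataclass
class Ace:
    """One ACL entry. The 'fragments' keyword matches only non-initial fragments."""
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    fragments: bool = False
    hits: int = 0          # the per-line counter shown by 'show ip access-list'
    def text(self) -> str:
        kw = " fragments" if self.fragments else ""
        return f"{self.action} {self.proto} any any{kw} ({self.hits} matches)"

@dataclass
class Packet:
    proto: str
    frag_offset: int = 0   # nonzero => non-initial fragment

def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    # Without 'fragments' (and no L4 ports) an entry matches all packets of its protocol, fragments too.
    return not ace.fragments or pkt.frag_offset > 0

def evaluate(acl: list[Ace], pkt: Packet) -> str:
    for ace in acl:            # first match wins
        if matches(ace, pkt):
            ace.hits += 1
            return ace.action
    return "deny"              # implicit 'deny ip any any': no counter of its own

def run(acl: list[Ace], traffic: list[Packet]) -> tuple[list[str], int]:
    """Replay traffic through a fresh copy of the ACL; return counter lines and permitted count."""
    acl = [Ace(a.action, a.proto, a.fragments) for a in acl]
    permitted = sum(evaluate(acl, p) == "permit" for p in traffic)
    return [a.text() for a in acl], permitted

# Constructed sample traffic: three unfragmented packets, four non-initial fragments.
TRAFFIC = [Packet("tcp"), Packet("udp"), Packet("icmp"), Packet("tcp", 185),
           Packet("udp", 185), Packet("udp", 370), Packet("icmp", 185)]
PER_PROTO = [Ace("deny", "tcp", True), Ace("deny", "udp", True), Ace("deny", "icmp", True),
             Ace("deny", "ip", True), Ace("permit", "ip")]   # the lines from the question
SINGLE_LINE = [Ace("deny", "ip", True), Ace("permit", "ip")]  # one line: no per-protocol info
PERMIT_FIRST = [Ace("permit", "ip"), Ace("deny", "ip", True)]  # wrong order: never hits

if __name__ == "__main__":
    for acl in (PER_PROTO, SINGLE_LINE, PERMIT_FIRST):
        lines, permitted = run(acl, TRAFFIC)
        print(f"{permitted} permitted\n" + "\n".join(lines) + "\n")
```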
