Access Control List for tcp and ip traffic

Answered Question
Jan 13th, 2008

hi

Can anybody help me understand the criteria for choosing the IP or TCP protocol for an extended ACE? If you want to block HTTP traffic, for example, using the TCP protocol, what if the traffic is fragmented? Will it block all the fragments or only the first? Using the IP protocol to block HTTP, will HTTP be blocked along with other traffic?

thanks

Correct Answer by shrikar.dange about 8 years 10 months ago

hi,

I would like to add more points to arun's statements:

The default behaviour (without fragment keyword) of an access-list depends on whether the packet contains L3 or L3&L4 info.

The default for entries that contain L3 info is to apply the entry to all non-fragmented, initial or non-initial fragments of packets.

For entries that contain L3 & L4 info, the entry is applied to non-fragments & initial fragments.

The entry is also applied to non-initial fragments as follows:

If the non-initial fragment's L3 info matches the entry & it is a permit statement, the fragment is permitted. If it is a deny statement, then the next entry is processed.

If the fragments keyword is used, the entry is applied only to non-initial fragments.

The fragments keyword CANNOT be configured for entries that contain L4 info such as TCP/UDP port numbers.

HTH,

regards,

shri :)

Correct Answer by s.arunkumar about 8 years 10 months ago

For a fragmented packet, only the initial fragment contains L4 and L3 info; non-initial fragments have L3 info only.

Some ACLs are not capable of checking L4 info. For them, access-list behaviour is as follows:

1. The "permit" ACL is checked even if there is no L4 info.

2. The "deny" ACL is never checked if there is no L4 data.

This can cause problems for non-initial fragment packets as they contain mainly L3 info only. Hence, to manipulate the behaviour towards non-initial fragment packets, the "fragment" keyword is used, by which an ACL can be defined with only L3 info for non-initial fragments.

If your access-list has the "fragment" keyword, it means the access-list will be applied only to non-initial fragment packets. So you should have a separate ACL for initial fragments, without the "fragment" keyword.

arun :)

m.sir Mon, 01/14/2008 - 05:57

With IP access list you can only deny/permit traffic based on source or destination IP address

with ACL

access-list 101 deny ip host 10.10.10.1 host 10.10.11.1

You will block all communication between 10.10.10.1 and 10.10.11.1

With a TCP/UDP/ICMP etc. ACL you can be more specific: you can also block traffic by source/destination TCP/UDP port

with ACL

access-list 101 deny tcp host 10.10.10.1 host 10.10.11.1 eq www

(you will block all HTTP traffic, running on TCP port 80)

but you can permit all other traffic

access-list 101 permit ip host 10.10.10.1 host 10.10.11.1

M.

Hope that helps; rate if it does.
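To make the two answers concrete, here is an added simulation (not code from the thread or from Cisco) of how an extended ACL evaluates fragments under the rules shrikar describes: L3-only entries match every fragment type, L3+L4 entries match non-initial fragments only when they are permit statements, and a "fragments" entry matches non-initial fragments only. It parses m.sir's two-line ACL as posted plus a constructed variant that adds a "deny ip ... fragments" entry in front, and runs both against hand-built packets. Packet, Entry, parse_ace and evaluate are names chosen for this example; the packet contents and list number 102 are constructed.

```python
from dataclasses import dataclass
from typing import Optional, List

# IOS port keywords that may appear after "eq" (subset)
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "domain": 53}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # IP protocol field: "tcp", "udp", "icmp", ...
    dport: Optional[int]   # None when the L4 header is not present
    frag_offset: int = 0   # 0 = unfragmented packet or initial fragment

    @property
    def is_noninitial(self) -> bool:
        # Only non-initial fragments (offset > 0) carry no L4 header.
        return self.frag_offset > 0

@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or a host address
    dst: str
    dport: Optional[int] = None  # L4 info: destination port
    fragments: bool = False      # the "fragments" keyword

def parse_ace(line: str) -> Entry:
    """Parse: access-list N action proto (host A|any) (host B|any) [eq port] [fragments].
    A trailing "eq" is treated as the destination port, the form used in this thread."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = tok[2], tok[3]   # tok[1] is the list number (ignored here)
    pos = 4

    def address() -> str:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        raise ValueError(f"unsupported address form at '{tok[pos]}'")

    src, dst = address(), address()
    dport, fragments = None, False
    while pos < len(tok):
        if tok[pos] == "eq":
            name = tok[pos + 1]
            dport = PORT_NAMES.get(name) or int(name)
            pos += 2
        elif tok[pos] == "fragments":
            fragments = True
            pos += 1
        else:
            raise ValueError(f"unsupported keyword '{tok[pos]}'")
    if fragments and dport is not None:
        # The thread notes IOS rejects "fragments" on entries with L4 info.
        raise ValueError("'fragments' cannot be combined with L4 information")
    return Entry(action, proto, src, dst, dport, fragments)

def l3_matches(e: Entry, p: Packet) -> bool:
    return ((e.src == "any" or e.src == p.src)
            and (e.dst == "any" or e.dst == p.dst)
            and (e.proto == "ip" or e.proto == p.proto))

def evaluate(acl: List[Entry], p: Packet) -> str:
    """Return "permit" or "deny" for packet p; the first matching entry wins."""
    for e in acl:
        if not l3_matches(e, p):
            continue
        if e.fragments:
            # "fragments" entries apply only to non-initial fragments.
            if p.is_noninitial:
                return e.action
            continue
        if e.dport is None:
            # L3-only entry: applies to unfragmented, initial and non-initial.
            return e.action
        # L3+L4 entry.
        if p.is_noninitial:
            # No L4 header to compare: a permit matches on L3 alone,
            # a deny is skipped and evaluation moves to the next entry.
            if e.action == "permit":
                return "permit"
            continue
        if p.dport == e.dport:
            return e.action
    return "deny"   # implicit deny at the end of every ACL

# m.sir's ACL as posted
ACL_NO_FRAG_KEYWORD = [
    "access-list 101 deny tcp host 10.10.10.1 host 10.10.11.1 eq www",
    "access-list 101 permit ip host 10.10.10.1 host 10.10.11.1",
]
# Constructed variant: an L3-only "fragments" entry placed first
ACL_WITH_FRAG_KEYWORD = [
    "access-list 102 deny ip host 10.10.10.1 host 10.10.11.1 fragments",
    "access-list 102 deny tcp host 10.10.10.1 host 10.10.11.1 eq www",
    "access-list 102 permit ip host 10.10.10.1 host 10.10.11.1",
]

# Constructed packets from 10.10.10.1 to 10.10.11.1. An initial fragment
# looks exactly like HTTP_WHOLE to the ACL (offset 0, L4 header present).
HTTP_WHOLE = Packet("10.10.10.1", "10.10.11.1", "tcp", 80)
HTTP_NONINITIAL = Packet("10.10.10.1", "10.10.11.1", "tcp", None, frag_offset=185)
SSH_WHOLE = Packet("10.10.10.1", "10.10.11.1", "tcp", 22)

def run(lines: List[str]) -> dict:
    acl = [parse_ace(l) for l in lines]
    return {name: evaluate(acl, pkt) for name, pkt in
            [("http_whole", HTTP_WHOLE), ("http_noninitial", HTTP_NONINITIAL),
             ("ssh_whole", SSH_WHOLE)]}

if __name__ == "__main__":
    print("101 (no fragments keyword):", run(ACL_NO_FRAG_KEYWORD))
    print("102 (fragments keyword):   ", run(ACL_WITH_FRAG_KEYWORD))
```

Running it shows the answer to the original question: with list 101 the whole HTTP packet (or its initial fragment) is denied, but the non-initial fragment skips the deny entry, hits "permit ip" and is permitted; list 102 denies the non-initial fragment on its L3-only "fragments" entry while SSH is still permitted by the final entry.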

bkoum Mon, 01/14/2008 - 07:59

My problem is the fragment keyword... what's the meaning exactly?

