IP Fragments

Answered Question
Jan 8th, 2009


Why do I need the lines below on the ACL if an implicit deny, i.e. 'deny ip any any', exists?


deny tcp any any fragments
deny udp any any fragments
deny icmp any any fragments
deny ip any any fragments

Correct Answer by Giuseppe Larosa about 8 years 1 month ago

Hello Cisco_Lite,

Two possible reasons:


A) You want to be sure the router is never involved with fragmented traffic: it will drop it if it sees the more-fragments bit set in the IP header (this requires these lines to be before the permitted-traffic lines).


B) The reason for multiple lines is to be able to trace fragments received and dropped per protocol type.

(deny ip any any fragments would be enough to drop all fragments, but no info about whether the fragments are UDP rather than TCP can be seen.)


When you do sh ip access-list xxx you get counters for each line in the ACL.


Hope to help

Giuseppe
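As an added illustration (not part of Giuseppe's answer and not Cisco code), here is a small Python model of how an ACL like the one in the question classifies fragments and accumulates the per-line counters that sh ip access-list reports. It assumes the documented Cisco semantics that the fragments keyword matches only non-initial fragments (fragment offset greater than zero), leaves Layer 4 port matching out of the model, and builds its own sample IPv4 headers; the names ACL, AclEntry, ipv4_header, parse_ipv4_header, evaluate and counters are chosen here.

```python
import struct
from dataclasses import dataclass

# IP protocol numbers as they appear in the header's "protocol" field.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre"}


@dataclass
class AclEntry:
    action: str       # "permit" or "deny"
    proto: str        # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    fragments: bool   # True when the line carries the "fragments" keyword
    hits: int = 0     # per-line counter, as "show ip access-list" reports it

    def text(self):
        return f"{self.action} {self.proto} any any" + (" fragments" if self.fragments else "")


# The four lines from the question plus an explicit permit at the end (constructed ACL).
ACL = [
    AclEntry("deny", "tcp", True),
    AclEntry("deny", "udp", True),
    AclEntry("deny", "icmp", True),
    AclEntry("deny", "ip", True),
    AclEntry("permit", "ip", False),
]


def ipv4_header(proto, frag_offset=0, more_fragments=False):
    """Build a minimal 20-byte IPv4 header (constructed test data; checksum left at 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, flags_frag, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def parse_ipv4_header(pkt):
    """Return (protocol name, fragment offset, more-fragments flag) from a raw IPv4 header."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return PROTO_NAMES.get(proto, str(proto)), flags_frag & 0x1FFF, bool(flags_frag & 0x2000)


def evaluate(acl, pkt):
    """Walk the ACL top-down, bump the counter of the first matching line and return
    (action, line index). Index None means the implicit 'deny ip any any' at the end."""
    proto, frag_offset, _mf = parse_ipv4_header(pkt)
    for i, entry in enumerate(acl):
        if entry.proto not in ("ip", proto):
            continue
        # Assumed Cisco semantics: the "fragments" keyword matches only non-initial
        # fragments (offset > 0); the initial fragment has offset 0 even with the
        # more-fragments bit set. Lines without the keyword (and without L4 ports,
        # which this model omits) match initial, non-initial and unfragmented packets.
        if entry.fragments and frag_offset == 0:
            continue
        entry.hits += 1
        return entry.action, i
    return "deny", None


def counters(acl):
    """Per-line hit counts keyed by line text, like the 'show ip access-list' output."""
    return {e.text(): e.hits for e in acl}


if __name__ == "__main__":
    # Constructed traffic sample; the offset is in 8-byte units, as in the header.
    sample = [
        ("tcp initial fragment", ipv4_header(6, frag_offset=0, more_fragments=True)),
        ("tcp non-initial fragment", ipv4_header(6, frag_offset=185)),
        ("udp non-initial fragment", ipv4_header(17, frag_offset=185)),
        ("icmp non-initial fragment", ipv4_header(1, frag_offset=185)),
        ("gre non-initial fragment", ipv4_header(47, frag_offset=185)),
        ("plain tcp packet", ipv4_header(6)),
    ]
    for label, pkt in sample:
        print(f"{label:28s} -> {evaluate(ACL, pkt)}")
    for line, hits in counters(ACL).items():
        print(f"{line:28s} ({hits} matches)")
```

Running it shows the point of the per-protocol lines: the TCP, UDP and ICMP fragments each land on their own line, while the GRE fragment is only caught by the catch-all deny ip any any fragments line, so that line alone would give no per-protocol visibility. Passing ACL[:4] (the four deny lines with no trailing permit) to evaluate shows the implicit deny the question asks about: an unfragmented packet matches nothing and is dropped with index None.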


