Cisco Support Community
New Member

Access Control List for tcp and ip traffic

hi

Can anybody help me understand the criteria for choosing the IP or TCP protocol for an extended ACE? If you want to block HTTP traffic, for example using the TCP protocol, what if the traffic is fragmented? Will it block all the fragments or only the first? Will using the IP protocol to block HTTP also block other traffic?

thanks

2 ACCEPTED SOLUTIONS

Accepted Solutions
Bronze

Re: Access Control List for tcp and ip traffic

For a fragmented packet, only the initial fragment contains L4 and L3 info, and non-initial fragments have L3 info.

Some ACLs are not capable of checking L4 info. For them, access-list behaviour is as follows:

1. The "permit" ACL is checked even if there is no L4 info.

2. The "deny" ACL is never checked if there is no L4 data.

This can cause problems for non-initial fragment packets, as they contain mainly L3 info only. Hence, to manipulate the behaviour towards non-initial fragment packets, the "fragment" keyword is used, by which an ACL can be defined with only L3 info for non-initial fragments.

If your access-list has the "fragment" keyword, it means the access-list will be applied only to non-initial fragment packets. So you should have a separate ACL for initial fragments, without the "fragment" keyword.

arun :)

Re: Access Control List for tcp and ip traffic

hi,

I would like to add more points to arun's statements:

The default behaviour (without fragment keyword) of an access-list depends on whether the packet contains L3 or L3&L4 info.

The default for entries that contain L3 is to apply the entry to all non-fragmented packets and to initial or non-initial fragments of packets.

For entries that contain L3 & L4 info, the entry is applied to non-fragments & initial fragments.

The entry is also applied to non-initial fragments as follows:

If the non-initial fragment's L3 info matches the entry and it is a permit statement, the fragment is permitted. If it is a deny statement, then the next entry is processed.

If the fragment keyword is used, the entry is applied only to non-initial fragments.

The fragments keyword CAN NOT be configured for entries that contain L4 info such as TCP/UDP port numbers.

HTH,

regards,

shri :)
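
An added example, not part of the original posts and not Cisco code: a small Python model of the fragment-handling rules described in the two answers above, run against ACL entries like the ones quoted elsewhere in this thread. The names `Ace`, `Packet` and `evaluate` are hypothetical, and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (L3 only) or "tcp"/"udp"
    src: str
    dst: str
    dport: Optional[int] = None  # L4 match, e.g. 80 for "eq www"
    fragments: bool = False      # models the "fragments" keyword

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]         # None on non-initial fragments (no L4 header)
    frag_offset: int = 0         # > 0 means a non-initial fragment

def evaluate(acl, pkt):
    """Return "permit" or "deny" for pkt under the rules described in the thread."""
    non_initial = pkt.frag_offset > 0
    for ace in acl:
        if not (ace.src == pkt.src and ace.dst == pkt.dst
                and ace.proto in ("ip", pkt.proto)):
            continue                      # L3 info does not match this entry
        if ace.fragments:                 # keyword: non-initial fragments only
            if non_initial:
                return ace.action
            continue
        if ace.dport is None:             # L3-only entry: applies to everything
            return ace.action
        if not non_initial:               # non-fragment or initial fragment
            if ace.dport == pkt.dport:
                return ace.action
            continue
        if ace.action == "permit":        # L3+L4 entry, non-initial fragment
            return "permit"
        # L3+L4 deny entry on a non-initial fragment: next entry is processed
    return "deny"                         # implicit deny at the end of the ACL

# Constructed sample data using the host addresses from the thread.
A, B = "10.10.10.1", "10.10.11.1"
ACL_THREAD = [Ace("deny", "tcp", A, B, dport=80), Ace("permit", "ip", A, B)]
ACL_HARDENED = [Ace("deny", "ip", A, B, fragments=True)] + ACL_THREAD
FIRST = Packet("tcp", A, B, dport=80, frag_offset=0)      # initial fragment
LATER = Packet("tcp", A, B, dport=None, frag_offset=185)  # non-initial fragment
```

With `ACL_THREAD` the initial HTTP fragment is denied but the later fragment falls through to the `permit ip` entry; `ACL_HARDENED` denies it as well, at the cost of dropping every non-initial fragment between the two hosts, not only HTTP.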

5 REPLIES
Silver

Re: Access Control List for tcp and ip traffic

Hi There

Have a look at this document for information on ACLs: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#proacl

Best Regards,

Michael

Gold

Re: Access Control List for tcp and ip traffic

With an IP access list you can only deny/permit traffic based on source or destination IP address.

With the ACL

access-list 101 deny ip host 10.10.10.1 host 10.10.11.1

you will block all communication between 10.10.10.1 and 10.10.11.1.

With a TCP/UDP/ICMP etc. ACL you can be more specific: you can also block traffic by source or destination TCP/UDP port.

With the ACL

access-list 101 deny tcp host 10.10.10.1 host 10.10.11.1 eq www

you will block all HTTP traffic (running on TCP port 80),

but you can permit all other traffic:

access-list 101 permit ip host 10.10.10.1 host 10.10.11.1

M.

Hope that helps; rate if it does.

New Member

Re: Access Control List for tcp and ip traffic

My problem is the fragment keyword... what's the meaning exactly?
