fragmented packet and access list

sarahr202 (Level 5)

Hi everybody

Please consider the following scenario:

Sw(config)# access-list 120 permit tcp any host 199.199.199.2 eq smtp

The above access list is applied outbound on an interface of the above switch.

Suppose the switch receives a packet with destination 199.199.199.2, destined for the SMTP TCP port.

Let's assume the switch has to fragment the packet into three fragments: fragment1, fragment2 and fragment3.

The switch encapsulates the first fragment in an IP header; this fragment contains the TCP header and a portion of the data.

The switch checks the IP packet contents against access list 120. Since the packet matches the access list, it is allowed.

Now the switch encapsulates the 2nd fragment in an IP header. This fragment contains no layer 4 information, just data.

What will happen now? Will the switch drop it because the packet has no layer 4 info and therefore does not match access list 120?

Thanks and have a great weekend.

Accepted Solution

Giuseppe Larosa (Hall of Fame)

Hello Sarah,

Your understanding is correct: only fragment1 has a complete L4 header.

With extended ACLs you have an option to permit fragments, but in your case your ACL is made of a single statement and only the first fragment is a match for the ACL line. So it looks like Fragment2 and Fragment3 would be dropped by the ACL, by the implicit deny ip any at the end of the ACL.

However, checking the Security Command Reference, we find that IOS is somewhat conservative in its treatment of fragments.

See

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a2.html#GUID-9EA733A3-1788-4882-B8C3-AB0A2949120C

If the fragments keyword is not used and the ACL statement checks L4 information, non-initial fragments are checked against the L3 portion of the ACL statement, so that non-initial fragments are permitted.

If the fragments keyword is present in a separate ACL statement, only initial fragments are checked (the fragments keyword cannot be used in an ACL statement matching L4 information).

So in your case all fragments should actually be permitted, allowing effective communication.

Hope to help

Giuseppe

Thanks Giuseppe.

Would you please give me an example of using the fragments keyword with an access list?

Have a great weekend.
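As an added example (not from this thread and not Cisco's own code), here is a small Python model of the fragment-matching rules Giuseppe cites, including the `fragments` keyword Sarah asks about; the `ACE` and `Packet` classes, their field names and the sample packets are constructed for illustration, and `eq smtp` is taken as port 25.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ACE:
    """One line of an extended ACL (constructed model, not IOS syntax)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    dst: str                     # destination host address or "any"
    dport: Optional[int] = None  # L4 port ("eq smtp" -> 25); None = no L4 info
    fragments: bool = False      # the 'fragments' keyword
    def __post_init__(self):
        if self.fragments and self.dport is not None:
            raise ValueError("'fragments' cannot be combined with L4 matching")

@dataclass
class Packet:
    proto: str
    dst: str
    dport: Optional[int]         # None for a non-initial fragment (no L4 header)
    initial: bool                # True for unfragmented packets and fragment 1

def l3_match(ace: ACE, pkt: Packet) -> bool:
    return ace.dst in ("any", pkt.dst) and ace.proto in ("ip", pkt.proto)

def evaluate(acl: list, pkt: Packet) -> str:
    """Return 'permit' or 'deny' following the documented IOS fragment rules."""
    for ace in acl:
        if not l3_match(ace, pkt):
            continue
        if ace.fragments:                # applies to non-initial fragments only
            if not pkt.initial:
                return ace.action
            continue
        if ace.dport is None:            # L3-only ACE: applies to every fragment
            return ace.action
        if pkt.initial:                  # L4 header present: full match
            if pkt.dport == ace.dport:
                return ace.action
            continue
        if ace.action == "permit":       # non-initial fragment: L3 portion only
            return "permit"
        # a deny with L4 info does not apply to non-initial fragments: next ACE
    return "deny"                        # implicit deny ip any any

# access-list 120 permit tcp any host 199.199.199.2 eq smtp
ACL_120 = [ACE("permit", "tcp", "199.199.199.2", 25)]
# hardened variant: drop non-initial fragments to the host ahead of the L4 line
ACL_HARDENED = [ACE("deny", "ip", "199.199.199.2", fragments=True)] + ACL_120
FRAG1 = Packet("tcp", "199.199.199.2", 25, initial=True)    # carries TCP header
FRAG2 = Packet("tcp", "199.199.199.2", None, initial=False) # data only
```

With `ACL_120` both fragments are permitted, while `ACL_HARDENED` drops fragment2 before the SMTP line is reached; note that such a `deny ... fragments` line also drops the non-initial fragments of legitimate fragmented SMTP traffic, so it is a trade-off rather than a free hardening step.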
