IP Fragments

Why do I need the below on the ACL if the implicit deny, i.e. 'deny ip any any', exists?

deny tcp any any fragments

deny udp any any fragments

deny icmp any any fragments

deny ip any any fragments

1 ACCEPTED SOLUTION

Re: IP Fragments

Hello Cisco_Lite,

Two possible reasons:

A) You want to be sure the router is never involved with fragmented traffic: it will drop it if it sees the more-fragments flag set in the IP header (this requires these lines to be before the permitted traffic lines).

B) The reason for multiple lines is to be able to trace fragments received and dropped per protocol type.

(deny ip any any fragments would be enough to drop all fragments, but no info on whether the fragments are UDP rather than TCP can be seen.)

When you do sh ip access-list xxx, you get counters for each line in the ACL.

Hope to help

Giuseppe
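As an added illustration (not part of Giuseppe's answer or the original thread), the following Python models the documented IOS matching rules for the fragments keyword and shows why the per-protocol deny ... fragments lines matter, and why they must sit before permit entries that carry port information: a non-initial fragment has no L4 header, so a permit entry with ports matches it and the implicit deny is never reached. The Packet/Ace classes, the sample traffic and the two permit entries are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    frag_offset: int  # 0 = unfragmented or initial fragment; >0 = non-initial

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any protocol
    fragments: bool = False  # the "fragments" keyword
    has_l4: bool = False     # entry also carries ports/types, e.g. "eq 80"
    hits: int = 0            # counter shown by "show ip access-list"

def matches(ace: Ace, pkt: Packet) -> bool:
    """Model of the documented IOS matching rules for fragments (assumption: simplified)."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    non_initial = pkt.frag_offset > 0
    if ace.fragments:
        return non_initial           # "fragments" entries match only non-initial fragments
    if ace.has_l4 and non_initial:
        # No L4 header to compare: a permit entry matches, a deny entry is skipped.
        return ace.action == "permit"
    return True

def evaluate(acl: list, pkt: Packet) -> str:
    for ace in acl:
        if matches(ace, pkt):
            ace.hits += 1
            return ace.action
    return "deny"                    # the implicit "deny ip any any"

def build_acl(with_fragment_lines: bool) -> list:
    frag_lines = [Ace("deny", p, fragments=True) for p in ("tcp", "udp", "icmp", "ip")]
    permits = [Ace("permit", "tcp", has_l4=True),   # e.g. permit tcp any any eq 80
               Ace("permit", "udp", has_l4=True)]   # e.g. permit udp any any eq 53
    return (frag_lines if with_fragment_lines else []) + permits

def fragment_counters(acl: list) -> dict:
    """Per-protocol counters of dropped fragments, like the per-line ACL counters."""
    return {a.proto: a.hits for a in acl if a.fragments}

# Constructed traffic: a non-initial TCP fragment, a non-initial UDP fragment,
# and an ordinary (initial) TCP packet.
TRAFFIC = [Packet("tcp", 185), Packet("udp", 185), Packet("tcp", 0)]

def run(with_fragment_lines: bool):
    acl = build_acl(with_fragment_lines)
    verdicts = [evaluate(acl, p) for p in TRAFFIC]
    return verdicts, fragment_counters(acl)
```

With the fragment lines present the two non-initial fragments are dropped and counted per protocol; without them, both slip through the port-based permit entries and never reach the implicit deny.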
