The fragments keyword cannot be configured on an access list entry that contains any L4 information. For example, access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq 80 fragments is invalid.
Without the fragments keyword (the default), an access list entry that contains only L3 information (e.g. access-list 101 permit ip host 10.10.10.1 host 10.10.10.2) matches all types of packets: non-fragmented packets, initial fragments and non-initial fragments.
Note: The fragments keyword indicates that an access list entry matches non-initial fragments only.
Without the fragments keyword (the default), an access list entry that contains L3 and L4 information (e.g. access-list 101 permit tcp host 10.10.10.1 host 10.10.10.2 eq telnet) matches non-fragmented packets and initial fragments, which are permitted or denied accordingly. Non-initial fragments carry no L4 header, so they are handled as follows:
- When a permit statement (without the fragments keyword) is matched against non-initial fragments, the non-initial fragments are permitted.
- When a deny statement (without the fragments keyword) is matched against non-initial fragments, the entry is skipped and the next access list entry is processed; the fragments are not denied by that entry.
Do not simply add the fragments keyword to every access list entry, because the first (initial) fragment never matches a permit or deny entry that contains the fragments keyword: the packet is compared against the next access list entry until it is permitted or denied by an entry that does not contain the fragments keyword. Therefore, two deny entries are needed for every deny: the first deny entry of the pair omits the fragments keyword and applies to initial fragments; the second deny entry of the pair includes the fragments keyword and applies to non-initial fragments.
Note: Packet fragments are considered individual packets and each is counted individually as a packet in access list accounting.
When there are multiple deny access list entries for a particular host with different L4 ports, only a single deny access list entry with the fragments keyword for the host is required. All the packet fragments are handled in the same manner by the access list.
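To make the matching rules above concrete, here is an added Python model of access list evaluation that implements them; it is not from the original post and not Cisco code. It assumes a destination port stands for "L4 information", that a non-initial fragment carries no port, and that the constructed ACL below is the deny pair recommended above followed by an L3 permit.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Entry:                       # one access list entry
    action: str                    # "permit" or "deny"
    src: str
    dst: str
    proto: str = "ip"              # "ip" matches any protocol
    dport: Optional[int] = None    # L4 information when set (e.g. eq 23)
    fragments: bool = False        # the fragments keyword

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]           # None on a non-initial fragment (no L4 header)
    frag_offset: int = 0           # 0: non-fragmented or initial fragment

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    non_initial = pkt.frag_offset > 0
    for e in acl:
        if e.fragments and e.dport is not None:
            raise ValueError("fragments cannot be combined with L4 information")
        if (e.src, e.dst) != (pkt.src, pkt.dst):
            continue
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.fragments:            # matches non-initial fragments only
            if non_initial:
                return e.action
            continue
        if e.dport is None:        # L3-only entry matches every packet and fragment
            return e.action
        if non_initial:            # L3+L4 entry: permit covers non-initial fragments,
            if e.action == "permit":   # deny is skipped and the next entry is tried
                return "permit"
            continue
        if e.dport == pkt.dport:   # non-fragmented or initial fragment: full L4 match
            return e.action
    return "deny"                  # implicit deny at the end of the list

# Constructed ACL: a deny pair (with and without fragments) followed by a permit
H1, H2 = "10.10.10.1", "10.10.10.2"
ACL = [Entry("deny", H1, H2, "tcp", 23),
       Entry("deny", H1, H2, fragments=True),
       Entry("permit", H1, H2)]
```

Dropping the second deny entry from ACL reproduces the leak described above: the non-initial fragments of a telnet packet fall through to the permit.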
The fragment control feature affects policy routing when the policy routing is based on the match ip address command and the access list has entries that match L4 through L7 information. It is possible for non-initial fragments to match the access list and be policy routed even though the first fragment was not policy routed (or the reverse).
This feature provides a better match capability between initial and non-initial fragments and hence allows the configuration of advanced policy routing.