29-3
Catalyst2950 and Catalyst2955 Switch Software Configuration Guide
78-11380-10
Chapter29 Configuring Network Securi ty with ACLs Understanding ACLs
Figure29-1 Using ACLs to Control Traffic to a Network
Handling Fragmented and Unfragmented Traffic
IP packets can be fragmented as they cross the network. When this happens, only the fragment
containing the beginning of the packet contains the Layer 4 information, such as TCP or UDP po rt
numbers, Internet Control Message Protocol (ICMP) type and code, an d so on. A ll o ther frag me nts a re
missing this information.
Some ACEs do not check Layer 4 information and therefore can be applied to all pa cket fragments. ACEs
that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a
fragmented IP packet. When the fragment contains no Layer 4 information and the ACE tests some
Layer 4 information, the matching rules are modified:
Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as
TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4
information might have been.
Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains
Layer 4 information.
Consider access list 102, configured with these commands, applied to three fragmented packets:
Switch (config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch (config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
Switch (config)# access-list 102 deny tcp any any
Note In the first and second ACEs in the examples, the eq keyword after the destination address means to test
for the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SM TP) and
Telnet, respectively.
Host A
Host B
101365
Research &
Development
network
= ACL denying traffic from Host B
and permitting traffic from Host A
= Packet
Human
Resources
network