Configuring IP Services

Filtering IP Packets Using Access Lists

The behavior of access-list entries regarding the presence or absence of the fragments keyword can be summarized as follows:

If the Access-List Entry has...          Then...

...no fragments keyword, and assuming all of the access-list entry information matches,

    For an access-list entry containing only Layer 3 information:

        The entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

    For an access-list entry containing Layer 3 and Layer 4 information:

        The entry is applied to nonfragmented packets and initial fragments.

            If the entry matches and is a permit statement, the packet or fragment is permitted.

            If the entry matches and is a deny statement, the packet or fragment is denied.

        The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and

            If the entry is a permit statement, the noninitial fragment is permitted.

            If the entry is a deny statement, the next access-list entry is processed.

        Note: Note that the deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

...the fragments keyword, and assuming all of the access-list entry information matches,

    The access-list entry is applied only to noninitial fragments.

    Note: The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

Be aware that you should not simply add the fragments keyword to every access-list entry, because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access-list permit or deny entry that contains the fragments keyword; the packet is compared to the next access-list entry, and so on, until it is either permitted or denied by an access-list entry that does not contain the fragments keyword. Therefore, you may need two access-list entries for every deny entry. The first deny entry of the pair does not include the fragments keyword and applies to the initial fragment. The second deny entry of the pair includes the fragments keyword and applies to the subsequent fragments. In cases where there are multiple deny access-list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
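The following simulation, added here and not part of the Cisco guide, walks a packet through the matching rules in the table above and shows why a Layer 4 deny entry needs a paired deny entry with the fragments keyword. The entry and packet model is a deliberate simplification (exact source-host match, destination port as the only Layer 4 field); the ACLs and addresses are constructed.

```python
"""Simulate Cisco IOS ACL matching for fragmented IP packets (simplified model)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    src: str                     # Layer 3 portion: source host (exact match, constructed model)
    dport: Optional[int] = None  # Layer 4 portion: destination port; None means Layer-3-only entry
    fragments: bool = False      # entry carries the fragments keyword

    def __post_init__(self):
        # The guide: the fragments keyword cannot be combined with Layer 4 information.
        if self.fragments and self.dport is not None:
            raise ValueError("fragments keyword not allowed with Layer 4 information")


@dataclass
class Packet:
    src: str
    dport: Optional[int]  # None for a noninitial fragment: it carries no Layer 4 header
    kind: str             # "nonfragment", "initial" or "noninitial"


def evaluate(acl, pkt):
    """Return 'permit' or 'deny'; an unmatched packet hits the implicit deny."""
    for e in acl:
        if e.src != pkt.src:           # Layer 3 portion does not match: next entry
            continue
        if e.fragments:                # fragments keyword: applies only to noninitial fragments
            if pkt.kind == "noninitial":
                return e.action
            continue
        if pkt.kind != "noninitial":   # nonfragment or initial fragment: full L3 (+L4) match
            if e.dport is None or e.dport == pkt.dport:
                return e.action
            continue
        # Noninitial fragment: only the Layer 3 portion of the entry can be applied.
        if e.dport is None or e.action == "permit":
            return e.action            # L3-only entry acts as written; L3+L4 permit permits
        # L3+L4 deny with L3 match: the next access-list entry is processed
    return "deny"


# Constructed: deny host 10.0.0.5 to port 23, permit its other traffic.
ACL_WEAK = [Entry("deny", "10.0.0.5", dport=23), Entry("permit", "10.0.0.5")]
# Paired deny entry with the fragments keyword, as the guide recommends.
ACL_HARDENED = [Entry("deny", "10.0.0.5", dport=23),
                Entry("deny", "10.0.0.5", fragments=True),
                Entry("permit", "10.0.0.5")]
```

With ACL_WEAK the initial fragment toward port 23 is denied but every noninitial fragment of that same datagram is permitted by the second entry; ACL_HARDENED denies the noninitial fragments as well, at the cost of also dropping noninitial fragments of otherwise permitted flows from that host.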

Cisco IOS IP Configuration Guide

IPC-94
