Cisco WS-X6066-SLB-APC - Content Switching Module Software Manual page 301

Catalyst 6000 series software configuration guide
Chapter 16
Configuring Access Control
Table 16-1 ACE Types and Parameters (continued)

ACE Type        | Supported ACLs | Layer 2 parameters
----------------|----------------|------------------------------------------------------------------
TCP or UDP (1)  |                |
ICMP (1)        |                |
Other IP (1)    |                |
IPX             |                |
Ethernet (2)    |                | Ethertype, Ethernet source address, Ethernet destination address

1. IP ACEs.
2. For Ethernet packets that are not IP version 4 or IPX.
Handling Fragmented and Unfragmented Traffic
When TCP, UDP, or any other Layer 4 protocol traffic is fragmented, only the first fragment (fragment offset 0) carries the Layer 4 header, so only that fragment has Layer 4 source and destination ports. This makes it difficult to enforce security policy based on the application. You can, however, identify fragments and distinguish them from the rest of the TCP/UDP traffic.

Layer 4 parameters in an ACE can filter unfragmented traffic and fragments that have offset 0. IP fragments with an offset other than 0 carry no Layer 4 port information and cannot be matched by a port test. The following examples show how ACEs handle fragmented packets.

In this example, if the traffic from 1.1.1.1 port 68 is fragmented, only the first fragment (offset 0) is redirected to port 4/3; the remaining fragments from port 68 do not hit this entry:

redirect 4/3 tcp host 1.1.1.1 eq 68 host 255.255.255.255

In this example, traffic from 1.1.1.1 port 68 to 2.2.2.2 port 34 is permitted. If the packets are fragmented, the first fragment hits this entry and is permitted; fragments with an offset other than 0 are also permitted, as the default result for fragments:

permit tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34

In this example, the offset-0 fragment of traffic from 1.1.1.1 port 68 to 2.2.2.2 port 34 is denied. Fragments with an offset other than 0 never reach the Layer 4 port test and are permitted by default, so this entry alone does not block the rest of the fragmented datagram:

deny tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34

In releases prior to software release 6.1(1), fragment filtering was completely transparent: you entered an ACE such as permit tcp .... port eq port_number and the software implicitly installed the following ACE at the top of the ACL: permit tcp any any fragments.

In software release 6.1(1) and later releases, there is a fragment option. If you do not specify the fragment keyword, the behavior is the same as in previous releases. If you specify the fragment keyword, the system does not automatically install a global permit statement for fragments, which lets you control how fragments are handled. If your policy relies on deny ACEs that test Layer 4 ports, use the fragment keyword and add an explicit ACE for non-initial fragments; otherwise the implicit permit lets every TCP fragment other than the first through, whatever the ports.
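The fragment behavior described in this section, as an added example that is not part of the Cisco guide and not Cisco code: a small Python model of how a Layer 4 ACE matches the fragments of one TCP datagram. It builds two constructed fragments (offset 0 carrying the TCP header, and a later fragment carrying only payload), runs them through the three ACEs shown above, and contrasts the pre-6.1(1) behavior (an implicit permit tcp any any fragments on top of the ACL) with an ACL where the fragment keyword is in effect and an explicit fragment entry decides. The Ace class, its fragments flag, the classify() helper, the sample packets and the implicit deny at the end of the ACL are modeling assumptions for this example, not the switch's real syntax or internals.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_TCP, IPPROTO_UDP = 6, 17

def build_ipv4(src, dst, proto, payload, frag_offset=0, more_fragments=False):
    """Constructed IPv4 header (no options, checksum 0); offset in 8-byte units."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       flags_frag, 64, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + payload

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    frag_offset: int
    sport: Optional[int]  # None when the fragment carries no Layer 4 header
    dport: Optional[int]

def parse_ipv4(raw: bytes) -> Packet:
    """Decode what an ACE can test. Ports exist only in an offset-0 fragment
    (or an unfragmented packet); a later fragment has payload bytes there."""
    ihl = (raw[0] & 0x0F) * 4
    offset = struct.unpack("!H", raw[6:8])[0] & 0x1FFF
    proto, sport, dport = raw[9], None, None
    if offset == 0 and proto in (IPPROTO_TCP, IPPROTO_UDP) and len(raw) >= ihl + 4:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return Packet(".".join(map(str, raw[12:16])), ".".join(map(str, raw[16:20])),
                  proto, offset, sport, dport)

@dataclass
class Ace:
    """One ACE; 'fragments' models the 'permit tcp any any fragments' form,
    assumed here to match only fragments with a nonzero offset."""
    action: str                  # "permit", "deny" or e.g. "redirect 4/3"
    proto: str                   # "tcp", "udp" or "ip"
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None  # "eq" port tests; None = no test
    dport: Optional[int] = None
    fragments: bool = False

    def matches(self, p: Packet) -> bool:
        want = {"tcp": IPPROTO_TCP, "udp": IPPROTO_UDP}.get(self.proto)
        if want is not None and p.proto != want:
            return False
        if self.src not in ("any", p.src) or self.dst not in ("any", p.dst):
            return False
        if self.fragments:
            return p.frag_offset != 0
        # A port test needs a Layer 4 header; a non-initial fragment has none.
        if self.sport is not None and self.sport != p.sport:
            return False
        return self.dport is None or self.dport == p.dport

def classify(acl: List[Ace], raw: bytes, fragment_keyword: bool = False) -> str:
    """First match wins. Without the fragment keyword the ACL behaves as before
    6.1(1): an implicit 'permit tcp any any fragments' sits on top.
    No match ends in deny (assumed, the usual Cisco ACL default)."""
    p = parse_ipv4(raw)
    implicit = [] if fragment_keyword else [Ace("permit", "tcp", fragments=True)]
    for ace in implicit + acl:
        if ace.matches(p):
            return ace.action
    return "deny"

TCP_HDR_68_TO_34 = struct.pack("!HH", 68, 34) + b"\x00" * 16  # constructed header

def fragment(dst: str, offset: int) -> bytes:
    """Constructed fragment of one TCP datagram 1.1.1.1:68 -> dst:34. Offset 0
    carries the 20-byte TCP header; any later offset carries payload only."""
    if offset == 0:
        return build_ipv4("1.1.1.1", dst, IPPROTO_TCP, TCP_HDR_68_TO_34 + b"A" * 8, 0, True)
    return build_ipv4("1.1.1.1", dst, IPPROTO_TCP, b"B" * 32, offset, False)

def run_examples() -> dict:
    """The three ACEs from the text, each fed the first and a later fragment."""
    redirect_acl = [Ace("redirect 4/3", "tcp", "1.1.1.1", "255.255.255.255", sport=68)]
    permit_acl = [Ace("permit", "tcp", "1.1.1.1", "2.2.2.2", sport=68, dport=34)]
    deny_acl = [Ace("deny", "tcp", "1.1.1.1", "2.2.2.2", sport=68, dport=34)]
    # fragment keyword in effect: an explicit entry decides for later fragments
    deny_frag_acl = [Ace("deny", "tcp", fragments=True)] + deny_acl
    bcast, host = "255.255.255.255", "2.2.2.2"
    return {
        "redirect/first": classify(redirect_acl, fragment(bcast, 0)),
        "redirect/later": classify(redirect_acl, fragment(bcast, 3)),
        "permit/first": classify(permit_acl, fragment(host, 0)),
        "permit/later": classify(permit_acl, fragment(host, 3)),
        "deny/first": classify(deny_acl, fragment(host, 0)),
        "deny/later": classify(deny_acl, fragment(host, 3)),  # port deny bypassed
        "deny+frag/first": classify(deny_frag_acl, fragment(host, 0), True),
        "deny+frag/later": classify(deny_frag_acl, fragment(host, 3), True),
    }

if __name__ == "__main__":
    for case, verdict in run_examples().items():
        print(f"{case:16} -> {verdict}")
```

Running it shows the point of the section in one table: the redirect and deny entries act only on the offset-0 fragment, the later fragment is permitted by the implicit entry in every pre-6.1(1) case (including the deny, which is why a port-based deny alone is not a block), and only the ACL that carries an explicit fragment entry denies both fragments.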
78-13315-02
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
16-5