Benefits Of Fragment Control In An Ip Extended Access List - Cisco MWR 1941-DC - 1941 Mobile Wireless Router Software Configuration Manual

Mobile wireless edge router
Chapter 6
Configuring the MWR 1941-DC in a Cell Site DCN
Filtering IP Packets Using Access Lists
The fragments keyword can be applied to dynamic access lists also.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note
The fragments keyword cannot solve all cases involving access lists and IP fragments.
Turbo Access Lists
A turbo access list treats fragments and uses the fragments keyword in the same manner as a nonturbo
access list.
Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list has entries that match on Layer 4 through 7 information.
It is possible that noninitial fragments pass the access list and are policy routed even if the first fragment was not policy routed, or vice versa.
By using the fragments keyword in access list entries as described earlier, a better match between the
action taken for initial and noninitial fragments can be made and it is more likely policy routing will
occur as intended.

Benefits of Fragment Control in an IP Extended Access List

If the fragments keyword is used in additional IP access list entries that deny fragments, the fragment
control feature provides the following benefits:
Additional Security
You are able to block more of the traffic you intended to block, not just the initial fragment of such
packets. The unwanted fragments no longer linger at the receiver until the reassembly timeout is reached
because they are blocked before being sent to the receiver. Blocking a greater portion of unwanted traffic
improves security and reduces the risk from potential hackers.
Reduced Cost
By blocking unwanted noninitial fragments of packets, you are not paying for traffic you intended to
block.
Reduced Storage
By blocking unwanted noninitial fragments of packets from ever reaching the receiver, that destination
does not have to store the fragments until the reassembly timeout period is reached.
Expected Behavior is Achieved
The noninitial fragments will be handled in the same way as the initial fragment, which is what you would expect. There are fewer unexpected policy routing results and fewer fragments of packets being routed when they should not be.
For an example of fragment control in an IP extended access list, see the "IP Extended Access List with Fragment Control Example" section on page 6-62.
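As an added illustration that is not part of the Cisco guide, the following Python model applies the IOS matching rules for initial and noninitial fragments (Layer 3-only entries, Layer 4 entries, and entries carrying the fragments keyword) to a constructed access list, with and without a "deny ... fragments" entry in front of the Layer 4 deny. The Ace and Packet classes and the evaluate function are an assumed model for explanation, not Cisco's implementation.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    dst: str                     # destination host, or "any"
    dport: Optional[int] = None  # Layer 4 port; None means Layer 3 only
    fragments: bool = False      # the IOS "fragments" keyword

@dataclass
class Packet:
    dst: str
    dport: int
    noninitial: bool             # True for a fragment with a nonzero offset

def evaluate(acl, pkt):
    """Return "permit" or "deny" for pkt under the IOS fragment rules."""
    for ace in acl:
        if ace.dst not in ("any", pkt.dst):
            continue                        # Layer 3 does not match
        if ace.fragments:                   # applies to noninitial fragments only
            if pkt.noninitial:
                return ace.action
            continue
        if ace.dport is None:               # Layer 3-only entry: all packets
            return ace.action
        if not pkt.noninitial:              # initial fragment or whole packet
            if pkt.dport == ace.dport:
                return ace.action
            continue
        # Noninitial fragment against a Layer 4 entry: the port cannot be
        # checked. IOS permits it if the entry permits and moves on to the
        # next entry if the entry denies.
        if ace.action == "permit":
            return "permit"
    return "deny"                           # implicit deny at the end of every ACL

# Constructed sample policy: block Telnet to 10.0.0.1, allow everything else.
WITHOUT_FRAGMENT_CONTROL = [Ace("deny", "10.0.0.1", dport=23), Ace("permit", "any")]
# Same policy with "deny ip any host 10.0.0.1 fragments" added at the top.
WITH_FRAGMENT_CONTROL = [Ace("deny", "10.0.0.1", fragments=True)] + WITHOUT_FRAGMENT_CONTROL

INITIAL = Packet("10.0.0.1", 23, noninitial=False)
NONINITIAL = Packet("10.0.0.1", 23, noninitial=True)

if __name__ == "__main__":
    for name, acl in (("without", WITHOUT_FRAGMENT_CONTROL), ("with", WITH_FRAGMENT_CONTROL)):
        print(name, evaluate(acl, INITIAL), evaluate(acl, NONINITIAL))
```

Without the fragments entry the noninitial Telnet fragment slips past the Layer 4 deny and is permitted by the final entry; with it, every noninitial fragment to that host is dropped, including fragments of flows the list would otherwise permit, which is the trade-off behind the note that the keyword cannot solve all cases.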
Cisco MWR 1941-DC Mobile Wireless Edge Router Software Configuration Guide, page 6-55, OL-11503-01