Handling Fragmented And Unfragmented Traffic - Cisco WS-C3550-12G Software Configuration Manual
Multilayer switch
Hide thumbs
Also See for WS-C3550-12G:
- User manual (436 pages) ,
- Manual (278 pages) ,
- Datasheet (19 pages)
Table of Contents
Advertisement
Understanding ACLs
With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the
map.
in VLAN 10 from being forwarded.
Figure 19-2 Using VLAN Maps to Control Traffic
Host A
(VLAN 10)
Handling Fragmented and Unfragmented Traffic
IP packets can be fragmented as they cross the network. When this happens, only the fragment
containing the beginning of the packet contains the Layer 4 information, such as TCP or UDP port
numbers, ICMP type and code, and so on. All other fragments are missing this information.
Some ACEs do not check Layer 4 information and therefore can be applied to all packet fragments.
ACEs that do test Layer 4 information cannot be applied in the standard manner to most of the fragments
in a fragmented IP packet. When the fragment contains no Layer 4 information and the ACE tests some
Layer 4 information, the matching rules are modified:
•
•
Consider access list 102, configured with these commands, applied to three fragmented packets:
Switch (config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch (config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
Switch (config)# access-list 102 permit tcp any host 10.1.1.2
Switch (config)# access-list 102 deny tcp any any
In the first and second ACEs in the examples, the eq keyword after the destination address means to
Note
test for the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol
(SMTP) and Telnet, respectively.
•
Catalyst 3550 Multilayer Switch Software Configuration Guide
19-4
Figure 19-2
illustrates how a VLAN map is applied to deny a specific type of traffic from Host A
Si
Catalyst 3550 switch
bridging traffic
= VLAN map denying specific type
of traffic from Host A
= Packet
Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as
TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4
information might have been.
Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains
Layer 4 information.
Packet A is a TCP packet from host 10.2.2.2., port 65000, going to host 10.1.1.1 on the SMTP port.
If this packet is fragmented, the first fragment matches the first ACE (a permit) as if it were a
complete packet because all Layer 4 information is present. The remaining fragments also match the
first ACE, even though they do not contain the SMTP port information, because the first ACE only
checks Layer 3 information when applied to fragments. The information in this example is that the
packet is TCP and that the destination is 10.1.1.1.
Chapter 19
Configuring Network Security with ACLs
Host B
(VLAN 10)
78-11194-03
- Quick Links:
- Table of Contents
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
