Cisco WS-C6506 Software Manual page 402

Catalyst 6500 series switch
Supported ACLs
Handling Fragmented and Unfragmented Traffic
TCP/UDP or any other Layer 4 protocol traffic loses its Layer 4 information (the Layer 4 source and
destination ports) when it is fragmented. This makes it difficult to enforce security that is based on the
application. However, you can identify the fragments and distinguish them from the rest of the TCP/UDP
traffic.
The Layer 4 parameters of an ACE can filter unfragmented traffic and fragments that have offset 0. IP
fragments that have an offset other than 0 lack the Layer 4 port information and cannot be filtered on it.
The following examples show how ACEs handle packet fragmentation.
This example shows that if the traffic from 1.1.1.1, port 68 is fragmented, only the first fragment goes
to port 4/3, and the rest of the traffic from port 68 does not hit this entry.
redirect 4/3 tcp host 1.1.1.1 eq 68 host 255.255.255.255
This example shows that the traffic coming from 1.1.1.1, port 68 and going to 2.2.2.2, port 34 is
permitted. If the packets are fragmented, the first fragment hits this entry and is permitted; the fragments
that have an offset other than 0 are also permitted, which is the default result for fragments.
permit tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34
This example shows that the fragment that has offset 0 of the traffic from 1.1.1.1, port 68 going to
2.2.2.2, port 34 is denied. The fragments that have an offset other than 0 are permitted as a default.
deny tcp host 1.1.1.1 eq 68 host 2.2.2.2 eq 34
In releases prior to software release 6.1(1), fragment filtering was completely transparent: you
would type an ACE such as permit tcp .... port eq port_number and the software would implicitly install
the following ACE at the top of the ACL: permit tcp any any fragments.
Software release 6.1(1) and later releases have a fragment option. If you do not specify the fragment
keyword, the behavior is the same as in the previous releases. If you specify the fragment keyword, the
system does not automatically install a global permit statement for the fragments. This keyword allows
you to control how the fragments are handled.
In this example, 10.1.1.2 is configured to serve the HTTP connections. If you do not use a fragment ACE,
all the fragments of the TCP traffic are permitted, because the permit tcp any any fragments ACE is added
automatically at the top of the ACL as follows:
permit tcp any any fragments
1. permit tcp any host 10.1.1.2 eq www
2. deny ip any host 10.1.1.2
3. permit ip any any
In the above example, if you change entry 1 as follows:
1. deny tcp any host 10.1.1.2 eq www
a permit tcp any any fragments ACE is not added at the top of the ACL. If the entry is a deny
statement, the next access-list entry is processed.
Note The deny statements are handled differently for the noninitial fragments versus the nonfragmented or
initial fragments.
When you specify the fragment keyword, the system does not install the global permit TCP or UDP
fragments statement. When you specify the fragment keyword for at least one ACE, the software
implicitly installs the ACEs to permit the flows to a specific IP address (or subnet) that you specify.
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
Chapter 15 Configuring Access Control
15-6
OL-8978-04
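The fragment handling described in this section, modelled as an added example that is not from the Cisco guide: a small Python ACL evaluator in which an ACE with Layer 4 ports matches only offset-0 packets, non-initial fragments fall through such ACEs, and an optional implicit permit for TCP/UDP fragments is installed at the top, as the guide describes for ACLs that do not use the fragment keyword. The per-destination implicit permits mentioned in the last paragraph are not modelled; the Packet and Ace classes, WEB_ACL and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional
@dataclass
class Packet:
    proto: str                   # "tcp" or "udp"
    src: str
    dst: str
    frag_offset: int = 0         # 0: unfragmented packet or initial fragment
    sport: Optional[int] = None  # None on non-initial fragments (no L4 header)
    dport: Optional[int] = None

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any IP protocol)
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None  # "eq" port; None matches any port
    dport: Optional[int] = None
    fragments: bool = False      # the fragments keyword: non-initial only

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if self.src not in ("any", p.src) or self.dst not in ("any", p.dst):
            return False
        if self.fragments:
            return p.frag_offset != 0
        if self.sport is None and self.dport is None:
            return True              # pure Layer 3 ACE matches every fragment
        if p.frag_offset != 0:       # Layer 4 ACE: a non-initial fragment has
            return False             # no ports to test, so it falls through
        return self.sport in (None, p.sport) and self.dport in (None, p.dport)

def evaluate(acl: List[Ace], p: Packet, implicit_frag_permit: bool) -> str:
    """First-match evaluation; an unmatched packet hits the implicit deny.
    implicit_frag_permit models the 'permit tcp any any fragments' (and its UDP
    counterpart) installed at the top when no ACE uses the fragments keyword."""
    if implicit_frag_permit:
        acl = [Ace("permit", "tcp", fragments=True),
               Ace("permit", "udp", fragments=True)] + list(acl)
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

# The guide's three-entry ACL in front of the HTTP server 10.1.1.2 (constructed)
WEB_ACL = [Ace("permit", "tcp", dst="10.1.1.2", dport=80),
           Ace("deny", "ip", dst="10.1.1.2"),
           Ace("permit", "ip")]
```

Running the guide's deny example through the model shows the practical effect: the initial fragment is denied while non-initial fragments pass under the implicit permit, and once the implicit permit is absent they fall to the next matching Layer 3 entry instead.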