Filter
Top Products
25-3
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 25 Configuring Network Security with ACLs
Understanding ACLs
Figure 25-1 Using ACLs to Control Traffic to a Network
Handling Fragmented and Unfragmented Traffic
IP packets can be fragmented as they cross the network. When this happens, only the fragment
containing the beginning of the packet contains the Layer 4 information, such as TCP or UDP port
numbers, Internet Control Message Protocol (ICMP) type and code, and so on. All other fragments are
missing this information.
Some ACEs do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs
that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a
fragmented IP packet. When the fragment contains no Layer 4 information and the ACE tests some
Layer 4 information, the matching rules are modified:
• Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as
TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4
information might have been.
• Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains
Layer 4 information.
Consider access list 102, configured with these commands, applied to three fragmented packets:
Switch (config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch (config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet
Switch (config)# access-list 102 deny tcp any any
Note In the first and second ACEs in the examples, the eq keyword after the destination address means to test
for the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and
Telnet, respectively.
Host A
Host B
65285
Research &
Development
network
= ACL denying traffic from Host B
and permitting traffic from Host A
= Packet
Catalyst 2950 switch
Human
Resources
network