Handling Fragmented And Unfragmented Traffic - Cisco Catalyst 3560-X Software Configuration Manual

Hide thumbs Also See for Catalyst 3560-X:

Command reference manual (1188 pages)

Software configuration manual (1438 pages)

Manual (276 pages)

Table of Contents

Understanding ACLs

With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the

VLAN 10 from being forwarded. You can apply only one VLAN map to a VLAN.

Handling Fragmented and Unfragmented Traffic

IP packets can be fragmented as they cross the network. When this happens, only the fragment

containing the beginning of the packet contains the Layer 4 information, such as TCP or UDP port

numbers, ICMP type and code, and so on. All other fragments are missing this information.

Some ACEs do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs

that do test Layer 4 information cannot be applied in the standard manner to most of the fragments in a

fragmented IP packet. When the fragment contains no Layer 4 information and the ACE tests some

Layer 4 information, the matching rules are modified:

Consider access list 102, configured with these commands, applied to three fragmented packets:

Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp

Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet

Switch(config)# access-list 102 permit tcp any host 10.1.1.2

Switch(config)# access-list 102 deny tcp any any

In the first and second ACEs in the examples, the eq keyword after the destination address means to test

for the TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and

Telnet, respectively.

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

shows how a VLAN map is applied to prevent a specific type of traffic from Host A in

Using VLAN Maps to Control Traffic

= VLAN map denying specific type

of traffic from Host A

Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as

TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4

information might have been.

Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains

Layer 4 information.

Packet A is a TCP packet from host 10.2.2.2., port 65000, going to host 10.1.1.1 on the SMTP port.

If this packet is fragmented, the first fragment matches the first ACE (a permit) as if it were a

complete packet because all Layer 4 information is present. The remaining fragments also match the

first ACE, even though they do not contain the SMTP port information, because the first ACE only

checks Layer 3 information when applied to fragments. The information in this example is that the

packet is TCP and that the destination is 10.1.1.1.

Configuring Network Security with ACLs

Troubleshooting

Catalyst 3750-x

Handling Fragmented And Unfragmented Traffic - Cisco Catalyst 3560-X Software Configuration Manual

Handling Fragmented and Unfragmented Traffic

Troubleshooting

Related Manuals for Cisco Catalyst 3560-X

Related Content for Cisco Catalyst 3560-X

This manual is also suitable for:

Table of Contents