hit counter script

Handling Fragmented And Unfragmented Traffic - Cisco IE-3000-8TC Software Configuration Manual

Software configuration guide
Hide thumbs Also See for IE-3000-8TC:
Table of Contents

Advertisement

Chapter 34
Configuring Network Security with ACLs
Figure 34-1
When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk
port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and
voice VLANs.
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC
addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an
IP access list and a MAC access list to the interface.
You cannot apply more than one IP access list and one MAC access list to a Layer 2 interface. If an IP
Note
access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access
list or MAC access list to the interface, the new ACL replaces the previously configured one.

Handling Fragmented and Unfragmented Traffic

IP packets can be fragmented as they cross the network. When this happens, only the fragment
containing the beginning of the packet contains the Layer 4 information, such as TCP or UDP port
numbers, ICMP type and code, and so on. All other fragments are missing this information.
Some ACEs do not check Layer 4 information and therefore can be applied to all packet fragments.
ACEs that do test Layer 4 information cannot be applied in the standard manner to most of the fragments
in a fragmented IP packet. When the fragment contains no Layer 4 information and the ACE tests some
Layer 4 information, the matching rules are modified:
OL-13018-03
Using ACLs to Control Traffic to a Network
Human
Resources
network
= ACL denying traffic from Host B
and permitting traffic from Host A
= Packet
Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as
TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4
information might have been.
Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains
Layer 4 information.
Host A
Host B
Research &
Development
network
Cisco IE 3000 Switch Software Configuration Guide
Understanding ACLs
34-3

Hide quick links:

Advertisement

Table of Contents
loading

This manual is also suitable for:

Ie 3000

Table of Contents