547
Configuring Network Security with ACLs
Information About Network Security with ACLs
Handling Fragmented and Unfragmented Traffic
IP packets can be fragmented as they cross the network. When this happens, only the fragment containing the beginning
of the packet contains the Layer 4 information, such as TCP or UDP port numbers, ICMP type and code, and so on. All
other fragments are missing this information.
Some ACEs do not check Layer 4 information and therefore can be applied to all packet fragments. ACEs that do test
Layer 4 information cannot be applied in the standard manner to most of the fragments in a fragmented IP packet. When
the fragment contains no Layer 4 information and the ACE tests some Layer 4 information, the matching rules are
modified:
Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as TCP, UDP, and so
on) are considered to match the fragment regardless of what the missing Layer 4 information might have been.
Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information.
Consider access list 102, configured with these commands, applied to three fragmented packets:
Switch(config)#
access-list 102 permit tcp any host 10.1.1.1 eq smtp
Switch(config)#
access-list 102 deny tcp any host 10.1.1.2 eq telnet
Switch(config)#
access-list 102 permit tcp any host 10.1.1.2
Switch(config)#
access-list 102 deny tcp any any
Note:
In the first and second ACEs in the examples, the
eq
keyword after the destination address means to test for the
TCP-destination-port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and Telnet, respectively.
Packet A is a TCP packet from host 10.2.2.2., port 65000, going to host 10.1.1.1 on the SMTP port. If this packet is
fragmented, the first fragment matches the first ACE (a permit) as if it were a complete packet because all Layer 4
information is present. The remaining fragments also match the first ACE, even though they do not contain the SMTP
port information, because the first ACE only checks Layer 3 information when applied to fragments. The information
in this example is that the packet is TCP and that the destination is 10.1.1.1.
Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet is fragmented,
the first fragment matches the second ACE (a deny) because all Layer 3 and Layer 4 information is present. The
remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information.
Instead, they match the third ACE (a permit).
Because the first fragment was denied, host 10.1.1.2 cannot reassemble a complete packet, so packet B is
effectively denied. However, the later fragments that are permitted will consume bandwidth on the network and
resources of host 10.1.1.2 as it tries to reassemble the packet.
Fragmented packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet is fragmented,
the first fragment matches the fourth ACE (a deny). All other fragments also match the fourth ACE because that ACE
does not check any Layer 4 information and because Layer 3 information in all fragments shows that they are being
sent to host 10.1.1.3, and the earlier permit ACEs were checking different hosts.
IPv4 ACLs
Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers.
1.
Create an ACL by specifying an access list number or name and the access conditions.
2.
Apply the ACL to interfaces or terminal lines.
Summary of Contents for IE 4000
Page 12: ...8 Configuration Overview Default Settings After Initial Switch Configuration ...
Page 52: ...48 Configuring Interfaces Monitoring and Maintaining the Interfaces ...
Page 108: ...104 Configuring Switch Clusters Additional References ...
Page 128: ...124 Performing Switch Administration Additional References ...
Page 130: ...126 Configuring PTP ...
Page 140: ...136 Configuring CIP Additional References ...
Page 146: ...142 Configuring SDM Templates Configuration Examples for Configuring SDM Templates ...
Page 192: ...188 Configuring Switch Based Authentication Additional References ...
Page 244: ...240 Configuring IEEE 802 1x Port Based Authentication Additional References ...
Page 298: ...294 Configuring VLANs Additional References ...
Page 336: ...332 Configuring STP Additional References ...
Page 408: ...404 Configuring DHCP Additional References ...
Page 450: ...446 Configuring IGMP Snooping and MVR Additional References ...
Page 490: ...486 Configuring SPAN and RSPAN Additional References ...
Page 502: ...498 Configuring Layer 2 NAT ...
Page 770: ...766 Configuring IPv6 MLD Snooping Related Documents ...
Page 930: ...926 Configuring IP Unicast Routing Related Documents ...
Page 976: ...972 Configuring Cisco IOS IP SLAs Operations Additional References ...
Page 978: ...974 Dying Gasp ...
Page 990: ...986 Configuring Enhanced Object Tracking Monitoring Enhanced Object Tracking ...
Page 994: ...990 Configuring MODBUS TCP Displaying MODBUS TCP Information ...
Page 996: ...992 Ethernet CFM ...
Page 1066: ...1062 Using an SD Card SD Card Alarms ...