Fragmented and Unfragmented Traffic

One inherent problem with IP ACLs is that IP packets can be fragmented as they cross your network. When this happens, only the first (initial) fragment carries the beginning of the original packet, which is where the Layer 4 information lives: TCP or UDP port numbers, ICMP type and code, and so on. None of the other (noninitial) fragments carry this information; each of them carries only an IP header and a slice of the original payload.

ACEs that test only Layer 3 information (source and destination address, IP protocol) need nothing that fragmentation removes, so they can be applied to every fragment of a packet. ACEs that test Layer 4 information cannot be applied in the standard way to most of the fragments of a fragmented packet, because the fields they test are simply not present in a noninitial fragment. When a fragment contains no Layer 4 information and your ACE is configured to test some Layer 4 information, the ...
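The following is an added example, not code from the book or from Cisco; it makes the fragment problem concrete. It builds a TCP datagram, fragments it to a 1500-byte MTU, parses each fragment the way an ACL engine sees it (ports are only recoverable from the initial fragment), and then evaluates a port-based ACL against every fragment. The ACL evaluator implements the Cisco IOS rule documented for noninitial fragments (a Layer 3-only ACE applies to every fragment; a Layer 4-aware permit ACE matches a noninitial fragment, a Layer 4-aware deny ACE is skipped; an ACE with the fragments keyword matches only noninitial fragments), which this excerpt does not state but which the text is leading up to. The addresses, ports, MTU and ACL contents are constructed sample values; TCP and IP checksums are left at zero because they are not tested here.

```python
import ipaddress
import struct

TCP, UDP = 6, 17


def build_tcp_segment(sport, dport, payload):
    """Minimal 20-byte TCP header (SYN, checksum 0: constructed sample) plus payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return hdr + payload


def build_ipv4(src, dst, proto, payload, ident, more_frags, frag_offset):
    """IPv4 header without options; frag_offset is in bytes and must be a multiple of 8."""
    flags_off = (int(more_frags) << 13) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def fragment(src, dst, proto, l4_data, mtu, ident=0x1234):
    """Split one datagram's Layer 4 data into fragments that fit `mtu` (20-byte IP header each)."""
    max_payload = (mtu - 20) // 8 * 8          # every fragment but the last is an 8-byte multiple
    frags = []
    for off in range(0, len(l4_data), max_payload):
        chunk = l4_data[off:off + max_payload]
        more = off + len(chunk) < len(l4_data)
        frags.append(build_ipv4(src, dst, proto, chunk, ident, more, off))
    return frags


def parse(pkt):
    """Extract what an ACL can test. Ports exist only in the initial fragment (offset 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    _, _, _, ident, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    offset = (flags_off & 0x1FFF) * 8
    f = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
         "proto": proto, "ident": ident, "offset": offset, "initial": offset == 0,
         "more": bool((flags_off >> 13) & 1), "sport": None, "dport": None}
    # Guard against a tiny initial fragment too short to hold even the port fields.
    if offset == 0 and proto in (TCP, UDP) and len(pkt) >= ihl + 4:
        f["sport"], f["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return f


def _l3_match(ace, f):
    return (ace.get("proto") in (None, f["proto"]) and ace.get("src") in (None, f["src"])
            and ace.get("dst") in (None, f["dst"]))


def match_ace(ace, f):
    """Return 'permit'/'deny' if the ACE decides this fragment, None if the next ACE is tried.
    Implements the Cisco IOS noninitial-fragment rule (assumed from IOS documentation)."""
    if not _l3_match(ace, f):
        return None
    if ace.get("fragments"):                    # 'fragments' keyword: noninitial fragments only
        return ace["action"] if not f["initial"] else None
    if ace.get("dport") is None:                # Layer 3-only ACE applies to every fragment
        return ace["action"]
    if f["initial"]:                            # the port field is really there: test it
        return ace["action"] if f["dport"] == ace["dport"] else None
    # Noninitial fragment vs. Layer 4-aware ACE: no port to test. IOS permits on a permit ACE
    # and skips a deny ACE, so a port-specific permit lets every noninitial fragment through.
    return "permit" if ace["action"] == "permit" else None


def evaluate(acl, f):
    for ace in acl:
        decision = match_ace(ace, f)
        if decision is not None:
            return decision
    return "deny"                               # implicit deny at the end of every ACL


# Constructed ACLs: "permit tcp any host 10.0.0.5 eq 80" with and without a leading
# "deny tcp any host 10.0.0.5 fragments".
NAIVE_ACL = [{"action": "permit", "proto": TCP, "dst": "10.0.0.5", "dport": 80}]
HARDENED_ACL = [{"action": "deny", "proto": TCP, "dst": "10.0.0.5", "fragments": True}] + NAIVE_ACL


def demo():
    """Fragment a 3000-byte TCP datagram aimed at port 22 (not 80) and run both ACLs on it."""
    segment = build_tcp_segment(51515, 22, b"x" * 3000)
    infos = [parse(p) for p in fragment("192.0.2.10", "10.0.0.5", TCP, segment, 1500)]
    return {"initial_ports": [(f["initial"], f["dport"]) for f in infos],
            "naive": [evaluate(NAIVE_ACL, f) for f in infos],
            "hardened": [evaluate(HARDENED_ACL, f) for f in infos]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The run shows the asymmetry the text describes: the initial fragment (the only one with a port field) is denied because its port is 22, yet both noninitial fragments are permitted by the port-80 ACE, since there is no port to compare. Putting a deny ... fragments ACE in front closes that hole at the cost of also dropping noninitial fragments of legitimate port-80 traffic, so it belongs only on interfaces where fragmented traffic to that host is not expected.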
