975 Views 5 Replies Latest reply: Apr 10, 2012 5:42 AM by Dr. RDX
Drop Fragments

Mar 19, 2012 5:08 PM

Dr. RDX, 271 posts since May 25, 2009

If the question asks to drop fragments, there are various ways to do it:

Topology

R1 --- R2 --- R3 ( R3 tries to ping R1 with packet size 3000 )

SOLUTION 1

interface FastEthernet0/0
 description R2 interface facing R3
 ip address 1.1.1.1 255.255.255.0
 ip virtual-reassembly max-fragments 1
 duplex auto
 speed auto

SOLUTION 2

interface FastEthernet0/0
 description R2 interface facing R3
 ip address 1.1.1.1 255.255.255.0
 ip virtual-reassembly drop-fragments
 duplex auto
 speed auto

SOLUTION 3

ip access-list extended fragments
 permit ip any any fragments
!
class-map match-all fragments
 match access-group name fragments
!
policy-map fragments
 class fragments
  drop
!
control-plane transit
 service-policy input fragments

I am doing the configuration on R2. Solutions 1 and 2 seem to work fine, but with solution 3 R3 is easily able to send larger packets to R1 and R2 is not blocking them. Because the data needs to pass through the router, I applied the service-policy to the transit subinterface. I even tried applying this policy to the aggregate control-plane and it still wasn't able to block it. When I applied this policy to FastEthernet0/0 (service-policy input fragments), it worked.

My question is: shouldn't it work with control-plane transit?
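As an added illustration (not part of the original post), the Python below models, on constructed packets, two of the mechanisms the thread's solutions rely on: the IOS ACL `fragments` keyword, which matches only non-initial fragments (fragment offset greater than zero, so the first fragment of a datagram does not match it), and a simplified `ip virtual-reassembly max-fragments N` check that drops a datagram once it arrives in more than N pieces. The 3000-byte ping, the MTU of 1500, and the addresses 10.0.23.3 (R3) and 10.0.12.1 (R1) are constructed for the example. The code does not model where a policy is attached; note that a CPPr `control-plane transit` policy only sees transit packets that are punted to the route processor for software switching, while a service-policy on the physical interface sees every packet arriving on that interface, which is why the behaviour differs between the two placements.

```python
"""Model IOS fragment handling (ACL 'fragments' keyword and max-fragments) on constructed packets."""
import struct
from collections import defaultdict

MF_FLAG = 0x2000      # "More Fragments" bit in the IPv4 flags/fragment-offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def build_ipv4(src, dst, ident, offset_units, more_fragments, payload, proto=1):
    """Build a minimal IPv4 header plus payload (constructed sample; checksum left at zero)."""
    total_len = 20 + len(payload)
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset_units & OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, ident, flags_frag, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + payload


def parse_ipv4(packet):
    """Extract the header fields that fragment-handling decisions depend on."""
    (_ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {
        "ident": ident,
        "proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "mf": bool(flags_frag & MF_FLAG),
        "offset": flags_frag & OFFSET_MASK,
        "total_len": total_len,
    }


def is_fragment(fields):
    """True for any piece of a fragmented datagram: initial (MF=1, offset 0) or non-initial."""
    return fields["mf"] or fields["offset"] != 0


def acl_fragments_keyword_matches(fields):
    """IOS ACL 'fragments' keyword: matches non-initial fragments only (offset > 0)."""
    return fields["offset"] != 0


def virtual_reassembly_verdicts(packets, max_fragments=16):
    """Simplified model of 'ip virtual-reassembly max-fragments N' (assumption: per-datagram
    count of fragments; the datagram is dropped once that count exceeds N).
    Returns {(src, dst, ident, proto): 'forward' | 'drop'}."""
    counts = defaultdict(int)
    verdicts = {}
    for pkt in packets:
        f = parse_ipv4(pkt)
        key = (f["src"], f["dst"], f["ident"], f["proto"])
        if not is_fragment(f):
            verdicts[key] = "forward"   # unfragmented datagrams are never held
            continue
        counts[key] += 1
        verdicts[key] = "drop" if counts[key] > max_fragments else "forward"
    return verdicts


def constructed_ping_fragments(total_payload=3000, link_mtu=1500):
    """Constructed sample: R3 (10.0.23.3) pings R1 (10.0.12.1) with a payload larger than the MTU,
    so the datagram is split into 1480-byte fragments (1480 is a multiple of 8)."""
    chunk = link_mtu - 20
    frags = []
    for start in range(0, total_payload, chunk):
        piece = b"\x00" * min(chunk, total_payload - start)
        more = start + chunk < total_payload
        frags.append(build_ipv4("10.0.23.3", "10.0.12.1", 0x1234, start // 8, more, piece))
    return frags


if __name__ == "__main__":
    frags = constructed_ping_fragments()
    for p in frags:
        f = parse_ipv4(p)
        print(f"offset={f['offset']:4d} MF={f['mf']!s:5} "
              f"acl_fragments_match={acl_fragments_keyword_matches(f)}")
    print("max-fragments 1 verdicts:", virtual_reassembly_verdicts(frags, max_fragments=1))
```

Running the block shows the first fragment (offset 0, MF set) slipping past `permit ip any any fragments` while the two non-initial fragments match; with `max-fragments 1` the whole datagram is dropped as soon as its second fragment arrives. When writing a fragment-dropping ACL, that initial-fragment gap is the usual reason a `fragments` match alone does not block a large ping end to end.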
