Posted on February 18, 2021 3:16 am
 |  Asked by Malcolm Scott
 |  35 views

Hi all,

Is there a way to permit/deny IP fragments in an ACL?

In the Cisco world this would be e.g. “deny ip any any fragments”, but I haven’t found an equivalent in EOS.

Thanks,

Malcolm

0
Answered on February 18, 2021 3:18 am

Hi Malcolm,

Thanks for reaching out.

I have tested this in the lab. I could see the required fragments option present in the ACL feature.

switch(config)#ip access-list test123
switch(config-acl-test123)#10 deny ip any any ?
dscp           Match packets by DSCP value or name
ecn            Match packets by ECN Codepoints
fragments      Match non-head fragment packets
inner          inner qualifier
ip-length      Match IP packet length
log            Log matches against this rule
metadata       Match packets based on packet internal attributes
nexthop-group  Match nexthop-group
payload        Match packets based on payload
tracked        Match packets in existing ICMP/UDP/TCP connections
ttl            Match TTL (Time-to-Live) value
<cr>

switch(config-acl-test123)#10 deny ip any any fragments

switch(config-acl-test123)#20 permit ip any any fragments

Could you please mention the platform model and EOS version on which you are testing this feature?

Thanks,

Bhavana.

0
Posted by Malcolm Scott
Answered on February 18, 2021 9:15 pm

Hi Bhavana,

Sorry, you're absolutely right that this works in IPv4 access lists. The option does not seem to exist for IPv6 though:

gn09-sw0b.net(config)#ipv6 access-list mas90test
gn09-sw0b.net(config-ipv6-acl-mas90test)#deny ip any any ?
dscp Match packets by DSCP value or name
ecn Match packets by ECN Codepoints
hop-limit Match Hop Limit value
ip-length Match IP packet length
log Log matches against this rule
nexthop-group Match nexthop-group
tracked Match packets in existing ICMP/UDP/TCP connections
<cr>

This is EOS 4.23.2F on a DCS-7050QX-32S-R.

Thanks,

Malcolm

0
Answered on February 19, 2021 4:37 am

Hi Malcolm,

Thanks for your response.

Even though we don't have an explicit option (via CLI) to permit/deny IPv6 fragments (like for IPv4), we permit those by default.
You can check this as below:

switch(config)#ipv6 access-list acltest1

switch(config-ipv6-acl-acltest1)#exit
switch(config)#sh run all section acltest1

ipv6 access-list acltest1
no counters per-entry
fragment-rules   --> Even though we didn't configure it via CLI, IPv6 fragments are permitted by default.

(or) you can also check the same via the below commands:

switch(config)#ipv6 access-list acltest1

switch(config-ipv6-acl-acltest1)#sh active all
ipv6 access-list acltest1
no counters per-entry
fragment-rules

We can also disable this feature by issuing the "no fragment-rules" command under the ACL, in case we want to deny IPv6 fragments, which are permitted by default.

switch(config)#ipv6 access-list acltest1

switch(config-ipv6-acl-acltest1)#no fragment-rules

switch(config)#sh run all sec acltest1
ipv6 access-list acltest1
no counters per-entry
no fragment-rules


Thanks,

Bhavana.
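Added example (not part of the thread, and not Arista's own tooling): the two answers above show that IPv4 ACL entries carry an explicit "fragments" keyword, while IPv6 ACLs permit fragments by default and only show it as "fragment-rules" / "no fragment-rules" in "show running-config all". The script below audits a saved copy of that output so a reviewer can see, per ACL, how non-head fragments are handled. The SAMPLE_CONFIG text is constructed to match the output format shown in the thread; it was not captured from a real device.

```python
"""Audit Arista EOS access-lists (from `show running-config all`) for IP fragment handling."""
import re

# Constructed sample of `show running-config all` output, modelled on the
# ACL sections shown in the thread. Not captured from a real switch.
SAMPLE_CONFIG = """\
ip access-list test123
   10 deny ip any any fragments
   20 permit ip any any
!
ipv6 access-list acltest1
   no counters per-entry
   fragment-rules
!
ipv6 access-list acltest2
   no counters per-entry
   no fragment-rules
   10 permit ipv6 any any
!
"""

ACL_HEADER = re.compile(r"^(ip|ipv6) access-list (\S+)$")


def parse_acls(config_text):
    """Split config text into {acl_name: (family, [body lines])}.

    family is 'ip' or 'ipv6'; body lines are stripped of leading whitespace.
    A bare '!' or blank line ends the current ACL section.
    """
    acls = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(2)
            acls[current] = (header.group(1), [])
            continue
        if not line or line == "!":
            current = None
            continue
        if current is not None:
            acls[current][1].append(line)
    return acls


def audit_fragments(config_text):
    """Report fragment handling per ACL.

    IPv4: list the entries that explicitly match the 'fragments' keyword.
    IPv6: report whether fragments are permitted by default, i.e. whether
    the ACL shows 'fragment-rules' rather than 'no fragment-rules'
    (the thread shows `show running-config all` always prints one of the two).
    """
    report = {}
    for name, (family, body) in parse_acls(config_text).items():
        if family == "ip":
            frag_entries = [entry for entry in body if re.search(r"\bfragments\b", entry)]
            report[name] = {"family": "ipv4", "fragment_entries": frag_entries}
        else:
            permitted = "no fragment-rules" not in body
            report[name] = {"family": "ipv6", "fragments_permitted_by_default": permitted}
    return report


def ipv6_acls_permitting_fragments(config_text):
    """Return the names of IPv6 ACLs that still permit fragments by default."""
    return sorted(
        name for name, info in audit_fragments(config_text).items()
        if info["family"] == "ipv6" and info["fragments_permitted_by_default"]
    )


if __name__ == "__main__":
    for name, info in audit_fragments(SAMPLE_CONFIG).items():
        print(name, info)
    print("IPv6 ACLs permitting fragments by default:",
          ipv6_acls_permitting_fragments(SAMPLE_CONFIG))
```

Run it against a file saved from "show running-config all" (not the plain "show running-config", which omits the default "fragment-rules" line) to list which IPv6 ACLs would still pass non-head fragments; the remediation is the "no fragment-rules" command shown in the answer above.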
