Perhaps to try to catch a hacker? Sending numerous IP fragments is a known 
hacker technique. It can result in a denial of service because the host 
doing the reassembling has to gather up the fragments and wait for them to 
complete, which can cause buffer overruns and excess CPU usage. A hacker 
could ping (or whatever) your router (or devices behind the router) with 
fragments in an attempt to cause the recipient to slow down and possibly 
stop doing its job.

You would only want to have this filter on for a short time and use it for 
logging purposes. Having it on indefinitely would make matters even worse.

Other than that, I can't think of a use for such an ACL.

Priscilla

At 07:18 AM 1/23/02, bergenpeak wrote:
>Looking at extended ACLs I see there's an option to define ACL
>statements which can key on whether the IP packet contains a
>fragment.
>
>Besides for NAT purposes, could someone provide me with a scenario
>where one would need to develop an ACL to key on IP packets carrying
>fragments?  I'd be particularly interested in situations where one
>might want to block a TCP application and decided that one had to
>block traffic to the TCP port as well as fragments going to the server.
>
>Thanks
________________________

Priscilla Oppenheimer
http://www.priscilla.com
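As an added example (not from this thread), here is a Cisco IOS extended ACL illustrating both the "block the TCP port and the fragments too" scenario bergenpeak asked about and the short-lived logging ACL Priscilla describes. The addresses, interface names and ACL names are made up for illustration.

```cisco
! Added example, not from the thread. Cisco IOS extended ACL showing the two
! fragment-handling cases discussed above. Addresses, interface and ACL names
! are made up for illustration.
!
! IOS rule of thumb: an entry with Layer 4 detail (a TCP port) is only checked
! against whole packets and initial fragments. A non-initial fragment carries
! no TCP header, so a "deny tcp ... eq 23" line never matches it and the
! router moves on to the next entry. The "fragments" keyword matches ONLY
! non-initial fragments, which is how you block or log them explicitly.
!
ip access-list extended SERVER-IN
 remark --- bergenpeak's case: block a TCP application AND its fragments ---
 remark Deny whole packets and initial fragments to the blocked service
 deny   tcp any host 192.0.2.10 eq 23
 remark Without this line, non-initial fragments of that telnet stream would
 remark skip the deny above and be accepted by the "permit ip" entry below.
 remark Side effect: non-initial fragments for permitted services are dropped too.
 deny   ip any host 192.0.2.10 fragments
 remark Everything else to the server is allowed
 permit ip any host 192.0.2.10
!
ip access-list extended FRAG-AUDIT
 remark --- Priscilla's case: short-lived logging of non-initial fragments ---
 remark Log, but do not drop, so legitimate fragmented traffic still works
 permit ip any any fragments log-input
 permit ip any any
!
interface GigabitEthernet0/0
 description link toward the server
 ip access-group SERVER-IN in
!
! Apply FRAG-AUDIT only while investigating, then remove it: logging matched
! packets adds CPU load on the router itself, which is the point Priscilla
! makes about not leaving it on indefinitely.
interface GigabitEthernet0/1
 ip access-group FRAG-AUDIT in
```

Check the hit counters with `show ip access-lists FRAG-AUDIT`; the count on the `fragments` line versus the plain `permit ip` line shows how much of the inbound traffic is arriving as non-initial fragments.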




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=32988&t=32922