Cisco MWR 1941-DC Mobile Wireless Edge Router Software Configuration Guide
OL-11503-01
Chapter 6 Configuring the MWR 1941-DC in a Cell Site DCN
Filtering IP Packets Using Access Lists
The fragments keyword can also be applied to dynamic access lists.
Each fragment of an IP datagram is treated as an individual packet, and each fragment counts as one
packet in access list accounting and in access list violation counts.
Note
The fragments keyword cannot solve all cases involving access lists and IP fragments. A noninitial
fragment carries no Layer 4 header, so an entry that uses the keyword can match on Layer 3 information only.
Turbo Access Lists
A turbo access list treats fragments, and uses the fragments keyword, in the same manner as a nonturbo
access list.
Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the
match ip address command and the access list has entries that match on Layer 4 through 7 information.
It is possible that noninitial fragments pass the access list and are policy routed even though the first
fragment was not policy routed, or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match between the
action taken for initial and noninitial fragments can be made, and it is more likely that policy routing will
occur as intended.
Benefits of Fragment Control in an IP Extended Access List
If the fragments keyword is used in additional IP access list entries that deny fragments, the fragment
control feature provides the following benefits:
Additional Security
You are able to block more of the traffic you intended to block, not just the initial fragment of such
packets. The unwanted fragments no longer linger at the receiver until the reassembly timeout is reached
because they are blocked before being sent to the receiver. Blocking a greater portion of unwanted traffic
improves security and reduces the risk from potential hackers.
Reduced Cost
By blocking unwanted noninitial fragments of packets, you are not paying for traffic you intended to
block.
Reduced Storage
By blocking unwanted noninitial fragments of packets from ever reaching the receiver, that destination
does not have to store the fragments until the reassembly timeout period is reached.
Expected Behavior is Achieved
The noninitial fragments are handled in the same way as the initial fragment, which is what you
would expect. There are fewer unexpected policy routing results and fewer fragments of packets being
policy routed when they should not be.
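The following Python model is added here as an illustration of the policy routing and fragment control behavior described above; it is not part of this guide and is not Cisco IOS code. It evaluates an ordered extended access list against initial and noninitial fragments using the matching rules that IOS documents for fragments, taken here as assumptions: an entry with Layer 3 information only applies to every packet and fragment; an entry with Layer 4 information is checked in full against nonfragments and initial fragments, but against a noninitial fragment only its Layer 3 portion can be checked, so a matching permit entry permits the fragment while a matching deny entry is skipped; an entry with the fragments keyword applies only to noninitial fragments and may carry no Layer 4 information; and every list ends with an implicit deny. The access list number 101, the host 10.0.0.5, the route-map name PBR and the packets are constructed for the demonstration.

```python
"""Model of Cisco IOS extended access list evaluation for IP fragments.

Added illustration only; this is not Cisco code and does not parse IOS
configuration. The matching rules below are the ones IOS documents for the
`fragments` keyword (stated as an assumption in the lead-in). Entries, addresses
and packets are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str               # IP protocol field (Layer 3): "tcp", "udp", ...
    dst: str                 # destination address (Layer 3)
    dport: Optional[int]     # destination port (Layer 4); None on noninitial fragments
    noninitial: bool         # True when fragment offset > 0 (no Layer 4 header present)


@dataclass(frozen=True)
class Ace:
    """One access list entry, e.g. `permit tcp any host 10.0.0.5 eq 80`."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    dst: str                      # "any" or a host address
    dport: Optional[int] = None   # Layer 4 information, if the entry has any
    fragments: bool = False       # the `fragments` keyword

    def __post_init__(self) -> None:
        # IOS rejects the fragments keyword on an entry that carries Layer 4 information.
        if self.fragments and self.dport is not None:
            raise ValueError("fragments keyword cannot be combined with Layer 4 information")

    def l3_match(self, p: Packet) -> bool:
        return self.proto in ("ip", p.proto) and self.dst in ("any", p.dst)


def evaluate(acl: List[Ace], p: Packet, counts: Optional[Dict[int, int]] = None) -> str:
    """Return "permit" or "deny" for p against the ordered list acl.

    counts, if given, is incremented per matching entry index (-1 for the implicit
    deny), so every fragment is accounted as an individual packet.
    """
    def decide(idx: int, action: str) -> str:
        if counts is not None:
            counts[idx] = counts.get(idx, 0) + 1
        return action

    for idx, ace in enumerate(acl):
        if ace.fragments:
            # Applies only to noninitial fragments, and only on Layer 3 information.
            if p.noninitial and ace.l3_match(p):
                return decide(idx, ace.action)
            continue
        if not ace.l3_match(p):
            continue
        if ace.dport is None:
            # Layer 3-only entry: applies to nonfragments, initial and noninitial fragments.
            return decide(idx, ace.action)
        if not p.noninitial:
            # Nonfragment or initial fragment: the Layer 4 header is present and is checked.
            if ace.dport == p.dport:
                return decide(idx, ace.action)
            continue
        # Noninitial fragment against an entry with Layer 4 information: only the
        # Layer 3 portion can be checked. A permit entry matches; a deny entry is
        # skipped and the next entry is processed.
        if ace.action == "permit":
            return decide(idx, "permit")
    return decide(-1, "deny")   # implicit deny at the end of every access list


def policy_routing_demo() -> Dict[str, str]:
    """Compare the route-map match for initial and noninitial fragments.

    Constructed configuration being modelled (route-map PBR uses
    `match ip address 101`):
        access-list 101 permit tcp any host 10.0.0.5 eq 80            (WITHOUT)
    and, with a fragment control entry added in front of it:
        access-list 101 deny   tcp any host 10.0.0.5 fragments
        access-list 101 permit tcp any host 10.0.0.5 eq 80            (WITH)
    """
    without = [Ace("permit", "tcp", "10.0.0.5", dport=80)]
    with_fc = [Ace("deny", "tcp", "10.0.0.5", fragments=True)] + without

    initial_443 = Packet("tcp", "10.0.0.5", 443, noninitial=False)   # TCP/443, first fragment
    noninitial = Packet("tcp", "10.0.0.5", None, noninitial=True)    # any later fragment
    initial_80 = Packet("tcp", "10.0.0.5", 80, noninitial=False)     # TCP/80, first fragment

    return {
        "no_fc_initial_443": evaluate(without, initial_443),  # deny: not policy routed
        "no_fc_noninitial": evaluate(without, noninitial),    # permit: policy routed anyway
        "fc_initial_443": evaluate(with_fc, initial_443),     # deny
        "fc_noninitial": evaluate(with_fc, noninitial),       # deny: now consistent
        "fc_initial_80": evaluate(with_fc, initial_80),       # permit
    }


if __name__ == "__main__":
    for case, result in policy_routing_demo().items():
        print(f"{case:20s} {result}")
```

Without the fragment control entry, the initial fragment of a TCP/443 datagram is not policy routed but its noninitial fragments are, because only their Layer 3 portion can be matched against the permit entry. With the deny ... fragments entry in front, initial and noninitial fragments of that datagram get the same treatment. The trade-off is visible in the same model: noninitial fragments of a legitimate TCP/80 datagram are denied as well, since the port cannot be read from them, which is the limitation the Note above refers to.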
For an example of fragment control in an IP extended access list, see the “IP Extended Access List with
Fragment Control Example” section on page 6-62.