ACL Question
(QID:SW237) View the exhibit. Consider the following scenario:

A packet sourced from host port 65001 is going to host on the Telnet port. Assuming that this ACL is properly applied on the switch, if this packet is fragmented, which of the following conditions will result, based upon the access list shown in the exhibit?

Switch(config)#access-list 102 permit tcp any host eq smtp
Switch(config)#access-list 102 deny tcp any host eq telnet
Switch(config)#access-list 102 permit tcp any host
Switch(config)#access-list 102 deny tcp any any

Your WRONG Answer: The source host on will not receive an acknowledgement reply to the initial Telnet packet from host Therefore, the host will abort the attempted Telnet session.

Correct Answer: The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information. Instead, they match the third ACE (a permit).

Can someone explain to me why the correct answer is correct? Based on the second line of the ACL, wouldn't the first packet be denied/dropped?
If I understand what you are saying, the correct answer is correct because the TCP session does not go through the three-way handshake: it fails on the second ACE, so the session is not established. Thus the remaining fragments don't matter anyway, as there is no session for them to be associated with.
An ACE performs filtering on fragmented packets in two ways:

- If the ACE permits the first fragment, then the remaining fragments are also permitted, based on layer 3 information only (because the remaining fragments never carry any layer 4 information).
- If the ACE denies the first fragment, it will not check the remaining fragments, because they do not have layer 4 information. So it will neither deny nor permit them, just skip to the next ACE. Here, the next ACE permits the packet based on the layer 3 information.
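The two rules described in the reply above can be run against the exhibit's ACL to see which ACE each fragment lands on. The following is an added simulation written for this thread, not code from the original post or from Cisco. It models the documented IOS behaviour (an ACE with Layer 4 information matches non-initial fragments on Layer 3 alone when it is a permit, and does not match them at all when it is a deny; an ACE with only Layer 3 information, or with the `fragments` keyword, matches non-initial fragments normally). The host addresses (192.0.2.10, 10.0.0.23, 10.0.0.25) are assumptions standing in for the blanks in the exhibit, and the SMTP server in the first ACE is assumed to be a different host from the Telnet target; if it were the same host, the first (permit) ACE would already permit the non-initial fragments on Layer 3 under the same rule. The last ACL shows the usual remedy, a `deny ... fragments` ACE placed ahead of the permits.

```python
"""Simulate how a Cisco IOS extended ACL evaluates IP fragments.

Rules modelled (Cisco's documented fragment handling, no 'fragments' keyword):
  * ACE with Layer 3 info only: matches unfragmented packets, initial
    fragments and non-initial fragments alike.
  * ACE with Layer 4 info (a port):
      - unfragmented packet / initial fragment: must match L3 and L4;
      - non-initial fragment (no TCP header present): a PERMIT ACE matches
        on L3 alone, a DENY ACE does not match and evaluation continues.
  * ACE with the 'fragments' keyword: matches non-initial fragments only.
  * Implicit deny at the end of the list.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" or "tcp"
    src: str                     # "any" or a host address
    dst: str                     # "any" or a host address
    dport: Optional[int] = None  # Layer 4 info; None if the ACE has none
    fragments: bool = False      # the 'fragments' keyword

    def __post_init__(self):
        # IOS rejects 'fragments' on an ACE that carries Layer 4 information.
        if self.fragments and self.dport is not None:
            raise ValueError("'fragments' cannot be combined with a port")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]     # None on non-initial fragments (no L4 header)
    frag_offset: int = 0     # > 0 marks a non-initial fragment

    @property
    def non_initial(self) -> bool:
        return self.frag_offset > 0


def _l3_match(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst))


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if not _l3_match(ace, pkt):
        return False
    if ace.fragments:                 # 'fragments' ACE: non-initial only
        return pkt.non_initial
    if ace.dport is None:             # L3-only ACE: every fragment matches
        return True
    if pkt.non_initial:               # L4 ACE but no L4 header to compare
        return ace.action == "permit" # permit matches on L3; deny is skipped
    return pkt.dport == ace.dport     # initial fragment: compare the port


def evaluate(acl, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based ACE number), or ('deny', None) for implicit deny."""
    for num, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, num
    return "deny", None


# Assumed addresses standing in for the blanks in the exhibit (constructed).
CLIENT, TELNET_HOST, MAIL_HOST = "192.0.2.10", "10.0.0.23", "10.0.0.25"

# access-list 102 as shown in the exhibit
ACL_102 = [
    Ace("permit", "tcp", "any", MAIL_HOST, dport=25),    # eq smtp
    Ace("deny",   "tcp", "any", TELNET_HOST, dport=23),  # eq telnet
    Ace("permit", "tcp", "any", TELNET_HOST),
    Ace("deny",   "tcp", "any", "any"),
]

# Remedy: a 'fragments' deny ahead of the permits (access-list 102 deny ip any host X fragments)
ACL_102_HARDENED = [Ace("deny", "ip", "any", TELNET_HOST, fragments=True)] + ACL_102

# Constructed packets: the Telnet packet from the question, split in two.
TELNET_INITIAL  = Packet("tcp", CLIENT, TELNET_HOST, dport=23)              # carries the TCP header
TELNET_FRAGMENT = Packet("tcp", CLIENT, TELNET_HOST, dport=None, frag_offset=185)
SMTP_FRAGMENT   = Packet("tcp", CLIENT, MAIL_HOST, dport=None, frag_offset=185)

if __name__ == "__main__":
    for name, acl in (("access-list 102", ACL_102), ("hardened", ACL_102_HARDENED)):
        for label, pkt in (("initial Telnet fragment", TELNET_INITIAL),
                           ("non-initial Telnet fragment", TELNET_FRAGMENT),
                           ("non-initial SMTP fragment", SMTP_FRAGMENT)):
            print(f"{name:16} {label:28} -> {evaluate(acl, pkt)}")
```

Under the exhibit's ACL the initial fragment, which carries the TCP header, is dropped by ACE 2, while the non-initial fragments skip ACE 2 and are permitted by ACE 3. With the `fragments` ACE in front, the non-initial fragments to the Telnet host are dropped at ACE 1 and the initial fragment is still dropped by the Telnet deny (now ACE 3); fragments to the mail host are unaffected because the `fragments` ACE names only the Telnet host. The cost of that ACE is that legitimate fragmented traffic to the same host is dropped too, which is the usual trade-off when the device cannot see Layer 4 information in non-initial fragments.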
