Hi Guys,

Can somebody give an explanation why the VACL below blocks IP fragments?

vlan access-map ICMP 10
 action drop
 match ip address 123
vlan access-map ICMP 20
 action forward
!
vlan filter ICMP vlan-list 1-4094

access-list 123 permit icmp any any unreachable

Setup is really simple:

R6 ---SW--- R5

As you can see below, only fragmented ICMP packets are dropped. If I remove the VACL the ping will be successful in both cases (frag / no frag). In the captures I can see that R5 (8.9.5.5) receives the initial fragment but the non-initial fragments get dropped by the SW, so after a while R6 will send a TTL Exceeded message back to R6.

R6#ping 8.9.5.5 repeat 5 size 1500

Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 8.9.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R6#ping 8.9.5.5 repeat 5 size 1501

Type escape sequence to abort.
Sending 5, 1501-byte ICMP Echos to 8.9.5.5, timeout is 2 seconds:
....

Thanks!
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
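The classification problem behind the poster's observation can be modelled offline. The following is an added example, not code from the thread or from any vendor: it builds the two ICMP echo requests from the pings above (assuming, as IOS does, that `size` is the total IP datagram length and that the link MTU is 1500), fragments the 1501-byte one per RFC 791, and then evaluates the ACE `permit icmp any any unreachable` against each fragment. A non-initial fragment carries no ICMP header, so a filter keyed on ICMP type has to pick a policy for it; the model compares two: treat a permit ACE with L4 information as matching any non-initial fragment of that protocol (the rule documented for IOS software ACLs), or treat an L4 ACE as unable to match a fragment without an L4 header. Whether the poster's switch implements the first rule in its VACL hardware is exactly the open question; the example only shows which rule reproduces the capture.

```python
import struct

MTU = 1500            # assumed link MTU between R6 and R5
IP_HDR_LEN = 20
ICMP_HDR_LEN = 8
PROTO_ICMP = 1
ICMP_UNREACHABLE = 3  # type matched by "permit icmp any any unreachable"
ICMP_ECHO_REQUEST = 8

# Constructed addresses: R6 as 10.0.0.6 (assumed), R5 as 8.9.5.5 (from the post).
SRC = bytes([10, 0, 0, 6])
DST = bytes([8, 9, 5, 5])


def build_ipv4(payload: bytes, flags_offset: int, ident: int = 0x1234) -> bytes:
    """Minimal IPv4 header (checksum left zero; irrelevant to the filter model)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload),
                      ident, flags_offset, 64, PROTO_ICMP, 0, SRC, DST)
    return hdr + payload


def build_echo_request(datagram_size: int) -> bytes:
    """IOS 'ping size N' sends an N-byte IP datagram (assumption stated in the lead-in)."""
    data_len = datagram_size - IP_HDR_LEN - ICMP_HDR_LEN
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1) + b"\xab" * data_len
    return build_ipv4(icmp, 0)


def fragment(packet: bytes, mtu: int = MTU) -> list:
    """RFC 791 fragmentation: 8-byte aligned chunks, MF set on all but the last."""
    if len(packet) <= mtu:
        return [packet]
    hdr, payload = packet[:IP_HDR_LEN], packet[IP_HDR_LEN:]
    ident = struct.unpack("!H", hdr[4:6])[0]
    chunk = (mtu - IP_HDR_LEN) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = 0x2000 if off + chunk < len(payload) else 0
        frags.append(build_ipv4(piece, more | (off // 8), ident))
    return frags


def parse(frag: bytes) -> dict:
    """Pull out what a filter can see; icmp_type is None when no L4 header is present."""
    _, _, total_len, ident, flags_off, _, proto = struct.unpack("!BBHHHBB", frag[:10])
    offset = (flags_off & 0x1FFF) * 8
    more = bool(flags_off & 0x2000)
    icmp_type = frag[IP_HDR_LEN] if (proto == PROTO_ICMP and offset == 0) else None
    return {"offset": offset, "mf": more, "proto": proto, "icmp_type": icmp_type}


def ace_permit_icmp_unreachable(frag: bytes, noninitial_policy: str) -> bool:
    """Does 'permit icmp any any unreachable' match this packet under the given policy?"""
    f = parse(frag)
    if f["proto"] != PROTO_ICMP:
        return False
    if f["offset"] > 0:
        # Non-initial fragment: the ICMP type field is simply not here.
        # "permit-ace-matches": a permit ACE with L4 info matches the fragment.
        # "no-l4-no-match":     an L4 ACE cannot match without an L4 header.
        return noninitial_policy == "permit-ace-matches"
    return f["icmp_type"] == ICMP_UNREACHABLE


def vacl_action(frag: bytes, noninitial_policy: str) -> str:
    """vlan access-map ICMP 10 (drop on ACL 123 match), 20 (forward everything else)."""
    return "drop" if ace_permit_icmp_unreachable(frag, noninitial_policy) else "forward"


def simulate_ping(datagram_size: int, noninitial_policy: str) -> list:
    """Per-fragment VACL verdicts for one echo request of the given size."""
    return [vacl_action(f, noninitial_policy)
            for f in fragment(build_echo_request(datagram_size))]


if __name__ == "__main__":
    for size in (1500, 1501):
        for policy in ("permit-ace-matches", "no-l4-no-match"):
            print(size, policy, simulate_ping(size, policy))
```

With the IOS-style policy the 1500-byte echo is forwarded and the 1501-byte echo yields `["forward", "drop"]`: the initial fragment (offset 0, type 8, not unreachable) falls through to sequence 20, while the 1-byte non-initial fragment at offset 1480 matches the permit ACE, hits sequence 10 and is dropped, which is the pattern the captures show. Under the other policy both fragments are forwarded, so the two rules are easy to tell apart from a capture at R5.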
