Hi Ernesto,

I think the problem in my case is a little bit different, because:

1. Packets are sent without the DF flag, so PMTUD will not happen.
2. Packets are fragmented by the initiating router, so 1 echo request will
be sent in 2 pieces (1 initial frag + 1 non-initial frag). I can see this
on the captures from the initiating router. However, only one packet, the
initial fragment, reaches the destination router; the non-initial fragment
gets blocked by the VACL. And this non-initial fragment is not an ICMP
unreachable packet.

Oszkar



On Tue, Jul 3, 2012 at 1:34 PM, Ernesto González <[email protected]> wrote:

> *To save you some time in reading the entire document to find the
> following paragraph:*
>
> Problems with PMTUD
>
> There are three things that can break PMTUD, two of which are uncommon and
> one of which is common.
>
>    - A router can drop a packet and not send an ICMP message. (Uncommon)
>    - A router can generate and send an ICMP message but the ICMP message
>      gets blocked by a router or firewall between this router and the sender.
>      (Common)
>    - A router can generate and send an ICMP message, but the sender ignores
>      the message. (Uncommon)
>
> The first and last of the three bullets above are uncommon and are usually
> the result of an error, but the middle bullet describes a common problem.
> People that implement ICMP packet filters tend to block all ICMP message
> types rather than only blocking certain ICMP message types. A packet filter
> can block all ICMP message types *except* those that are "unreachable" or
> "time-exceeded." The success or failure of PMTUD hinges upon ICMP
> unreachable messages getting through to the sender of a TCP/IP packet. ICMP
> time-exceeded messages are important for other IP issues. An example of
> such a packet filter, implemented on a router is shown below.
>
> access-list 101 permit icmp any any unreachable
> access-list 101 permit icmp any any time-exceeded
> access-list 101 deny icmp any any
> access-list 101 permit ip any any
>
>
> Hope this helps.
>
>
>
On Tue, Jul 3, 2012 at 2:27 PM, Ernesto González <[email protected]> wrote:
>
>>
>> ICMP unreachables are used to notify that fragmentation of the packet is
>> required.
>>
>>
>> http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
>>
>> --
>> Ernesto Gonzalez G.
>>
>>
>>
>> Hi Guys,
>>
>> Can somebody give an explanation why the VACL below blocks IP Fragments?
>>
>>
>> vlan access-map ICMP 10
>>  action drop
>>  match ip address 123
>> vlan access-map ICMP 20
>>  action forward
>> !
>> vlan filter ICMP vlan-list 1-4094
>>
>> access-list 123 permit icmp any any unreachable
>>
>> Setup is really simple:  R6 ---SW---R5
>>
>> As you can see below, only fragmented ICMP packets are dropped. If I remove
>> the VACL the ping is successful in both cases (frag / no frag).
>>
>> In the captures I can see that R5 (8.9.5.5) receives the initial fragment,
>> but the non-initial fragments get dropped by the SW, so after a while R6
>> will send a TTL Exceeded message back to R6.
>>
>>
>> R6#ping 8.9.5.5 repeat 5 size 1500
>>
>> Type escape sequence to abort.
>> Sending 5, 1500-byte ICMP Echos to 8.9.5.5, timeout is 2 seconds:
>> !!!!!
>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
>>
>> R6#ping 8.9.5.5 repeat 5 size 1501
>>
>> Type escape sequence to abort.
>> Sending 5, 1501-byte ICMP Echos to 8.9.5.5, timeout is 2 seconds:
>> ....
>>
>>
>> Thanks!
>>
>>
>>
>
>
> --
> Ernesto Gonzalez G.
>
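Editor's note, added to this thread and not part of any of the posts above: the behaviour Oszkar sees is consistent with the documented IOS rule for access-list entries that carry Layer 4 information (Cisco's "Access Control Lists and IP Fragments" paper). A non-initial fragment has no ICMP header, only the IP header, so an entry such as `permit icmp any any unreachable` cannot compare the ICMP type; IOS lets a *permit* entry with L4 information match such a fragment on its Layer 3 fields alone (protocol ICMP matches), while a *deny* entry with L4 information is skipped. In the VACL, a match in ACL 123 means `action drop`, so every non-initial fragment of every ICMP packet is dropped even though none of them is an unreachable. Putting `deny ip any any fragments` ahead of the permit excludes non-initial fragments from the match so they fall through to sequence 20 and are forwarded. The model below is my own code, not Cisco's; the `Packet`/`Ace` classes, the helper names and the sample packets are constructed here, and whether the switch's hardware VACL lookup follows the software ACL rule exactly is an assumption the thread does not confirm, though the observed symptom matches it.

```python
# Added example (not from the thread): a model of how IOS-style ACLs classify
# IP fragments, applied to the VACL from the original post. The matching rules
# follow Cisco's "Access Control Lists and IP Fragments" paper; the Packet and
# Ace classes, helper names and sample packets are constructed here.
from dataclasses import dataclass
from typing import Dict, List, Optional

ICMP_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    proto: str                    # IP protocol name, present in every fragment's IP header
    icmp_type: Optional[int]      # None when no Layer 4 header is present
    non_initial: bool = False     # True for a fragment with a non-zero fragment offset


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol
    icmp_type: Optional[int] = None   # Layer 4 information (ICMP type), if any
    fragments: bool = False       # the IOS "fragments" keyword: non-initial fragments only


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Apply one access-list entry to a packet using the IOS fragment rules."""
    # Layer 3: the protocol field is in the IP header, so it is checked for every fragment.
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.fragments:
        # An entry with the "fragments" keyword applies only to non-initial fragments.
        return pkt.non_initial
    if ace.icmp_type is None:
        # Layer 3-only entry: applies to unfragmented packets and all fragments alike.
        return True
    if pkt.non_initial:
        # No Layer 4 header to compare. IOS lets a permit entry with L4 information
        # match on L3 alone; a deny entry with L4 information is skipped instead.
        return ace.action == "permit"
    # Unfragmented packet or initial fragment: the ICMP header is present, compare it.
    return ace.icmp_type == pkt.icmp_type


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; an access list ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def vacl_action(acl: List[Ace], pkt: Packet) -> str:
    """vlan access-map ICMP 10 drops what the ACL permits; sequence 20 forwards the rest."""
    return "drop" if acl_permits(acl, pkt) else "forward"


# access-list 123 permit icmp any any unreachable   (as posted)
ACL_123_POSTED = [Ace("permit", "icmp", icmp_type=ICMP_UNREACHABLE)]

# Suggested rewrite: exclude non-initial fragments from the match before the L4 entry,
# so they fall through to "vlan access-map ICMP 20 / action forward":
#   access-list 123 deny ip any any fragments
#   access-list 123 permit icmp any any unreachable
ACL_123_FIXED = [
    Ace("deny", "ip", fragments=True),
    Ace("permit", "icmp", icmp_type=ICMP_UNREACHABLE),
]


def sample_packets() -> Dict[str, Packet]:
    """Constructed packets: the pieces of a 1501-byte echo request and a real unreachable."""
    return {
        "echo_unfragmented": Packet("icmp", ICMP_ECHO_REQUEST),
        "echo_initial_fragment": Packet("icmp", ICMP_ECHO_REQUEST),
        "echo_non_initial_fragment": Packet("icmp", None, non_initial=True),
        "unreachable": Packet("icmp", ICMP_UNREACHABLE),
    }


def classify(acl: List[Ace]) -> Dict[str, str]:
    """Map each sample packet to the VACL action it would receive under the given ACL."""
    return {name: vacl_action(acl, pkt) for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    for label, acl in (("posted", ACL_123_POSTED), ("fixed", ACL_123_FIXED)):
        print(label, classify(acl))
```

With the posted ACL the non-initial fragment of the echo request is the only piece of the ping that is dropped, which is exactly the capture Oszkar describes; with the `deny ip any any fragments` entry in front, only genuine unreachables are dropped. One caveat of the fix: a fragmented ICMP unreachable would have its non-initial fragments forwarded too, which is the usual trade-off of excluding fragments from L4 matching.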
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
