Seems like explicitly excluding the fragments will "fix" the problem...

access-list 123 deny icmp any any fragments
access-list 123 permit icmp any any unreachable

Still not sure why the VACL drops the fragments by default, but I have checked with CAT 3560/CAT3750 on different IOS versions and had the same result... any thoughts?

Oszkar

On Mon, Jul 2, 2012 at 11:13 AM, Imre Oszkar <[email protected]> wrote:
> Hi Guys,
>
> Can somebody give an explanation why the VACL below blocks IP Fragments?
>
> vlan access-map ICMP 10
>  action drop
>  match ip address 123
> vlan access-map ICMP 20
>  action forward
> !
> vlan filter ICMP vlan-list 1-4094
>
> access-list 123 permit icmp any any unreachable
>
> Setup is really simple: R6 ---SW---R5
>
> As you can see below only fragmented ICMP packets are dropped. If I remove
> the VACL the ping will be successful for both cases (frag / no frag).
>
> In the captures I can see that R5 (8.9.5.5) receives the initial fragment
> but the non-initial fragments get dropped by the SW so after a while R6
> will send a TTL Exceeded message back to R6.
>
> R6#ping 8.9.5.5 repeat 5 size 1500
> Type escape sequence to abort.
> Sending 5, 1500-byte ICMP Echos to 8.9.5.5, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
>
> R6#ping 8.9.5.5 repeat 5 size 1501
> Type escape sequence to abort.
> Sending 5, 1501-byte ICMP Echos to 8.9.5.5, timeout is 2 seconds:
> ....
>
> Thanks!
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
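Added example (not part of the thread above, and not Cisco code): a small Python model of the lookup the switch performs for the VACL and access-list 123 posted above, using the fragment-matching rules Cisco documents for IOS ACLs. The point it shows is the one the thread circles around: an ACE that carries L4 information (the ICMP type "unreachable") cannot be compared against a non-initial fragment, which has no ICMP header, so a permit ACE is assumed to match it and a deny ACE is skipped. The non-initial fragments of the 1501-byte echo therefore match "permit icmp any any unreachable", the VACL sequence 10 matches and drops them, while the unfragmented and initial-fragment echoes fall through to sequence 20 and are forwarded. Putting "deny icmp any any fragments" first makes the ACL return deny for non-initial fragments, so sequence 10 no longer matches them. The Packet, Ace, TRAFFIC, ACL_POSTED and ACL_FIXED names and the sample packets are constructed for this example.

```python
"""
Model of a Cisco IOS VACL evaluating an access list against fragmented and
unfragmented ICMP packets. Added example for this page, not Cisco's code.

Rules modelled (Cisco's documented ACL/IP-fragment behaviour):
  * ACE without "fragments", L3-only: applies to all packets and fragments.
  * ACE without "fragments" but with L4 info: unfragmented packets and initial
    fragments are matched on L3+L4; a non-initial fragment has no L4 header,
    so a permit ACE is assumed to match it and a deny ACE is skipped.
  * ACE with "fragments": applies only to non-initial fragments, L3-only match.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                 # IP protocol keyword, e.g. "icmp"
    icmp_type: Optional[str]   # ICMP type keyword when the L4 header is present
    fragment: str              # "none", "initial" or "non-initial"


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # L3 match: protocol keyword
    l4: Optional[str] = None   # L4 match: ICMP type keyword; None = L3-only ACE
    fragments: bool = False    # the "fragments" keyword (L3-only by definition)


def ace_result(ace: Ace, pkt: Packet) -> Optional[str]:
    """Return "permit"/"deny" if this ACE decides the packet, None to fall through."""
    if ace.proto != pkt.proto:
        return None
    if ace.fragments:
        return ace.action if pkt.fragment == "non-initial" else None
    if ace.l4 is None:
        return ace.action
    if pkt.fragment == "non-initial":
        # No L4 header to compare: permit is assumed to match, deny is skipped.
        return "permit" if ace.action == "permit" else None
    return ace.action if pkt.icmp_type == ace.l4 else None


def acl_result(acl: List[Ace], pkt: Packet) -> str:
    for ace in acl:
        r = ace_result(ace, pkt)
        if r is not None:
            return r
    return "deny"   # implicit deny at the end of every IOS ACL


# A VACL is an ordered list of (action, acl); acl=None means "match everything".
Vacl = List[Tuple[str, Optional[List[Ace]]]]


def vacl_action(vacl: Vacl, pkt: Packet) -> str:
    for action, acl in vacl:
        if acl is None or acl_result(acl, pkt) == "permit":
            return action   # an ACL permit is a VACL match; a deny falls through
    return "drop"           # no sequence matched: implicit drop


# Constructed traffic: the 1500-byte echo fits the MTU; the 1501-byte echo is an
# initial fragment (carrying the ICMP header) plus a non-initial fragment.
TRAFFIC: Dict[str, Packet] = {
    "echo-1500":         Packet("icmp", "echo", "none"),
    "echo-1501-initial": Packet("icmp", "echo", "initial"),
    "echo-1501-tail":    Packet("icmp", None, "non-initial"),
    "unreachable":       Packet("icmp", "unreachable", "none"),
}

# access-list 123 as posted, and with the "deny ... fragments" entry in front.
ACL_POSTED = [Ace("permit", "icmp", l4="unreachable")]
ACL_FIXED = [Ace("deny", "icmp", fragments=True),
             Ace("permit", "icmp", l4="unreachable")]


def vacl_icmp(acl: List[Ace]) -> Vacl:
    """vlan access-map ICMP 10 (drop, match ip address 123) / 20 (forward)."""
    return [("drop", acl), ("forward", None)]


def simulate(acl: List[Ace]) -> Dict[str, str]:
    """Map each constructed packet to the VACL action it receives."""
    return {name: vacl_action(vacl_icmp(acl), pkt) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl in (("posted", ACL_POSTED), ("fixed", ACL_FIXED)):
        print(label, simulate(acl))
```

With ACL_POSTED the model forwards "echo-1500" and "echo-1501-initial" but drops "echo-1501-tail", which is exactly the capture described in the original mail (initial fragment arrives, non-initial ones do not); with ACL_FIXED every echo is forwarded and only real ICMP unreachables are still dropped.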
