Consider the following scenario:
A packet sourced from host 10.2.2.2, port 65001, is going to host 10.1.1.2 on the Telnet port.
Assuming that this ACL is properly applied on the switch, if this packet is fragmented, which
of the following conditions will result, based upon the access list shown in the exhibit?
A.
Because the first fragment is denied, host 10.1.1.2 cannot reassemble a complete packet,
and a TCP reset is sent to the source host, informing the host to stop sending additional
traffic.
B.
All fragments will be denied due to the Layer 4 requirement of the ACE.
C.
The remaining fragments in the packet do not match the second ACE because they are
missing Layer 4 information. Instead, they match the third ACE (a permit).
D.
The source host on 10.2.2.2 will not receive an acknowledgement reply to the initial
Telnet packet from host 10.1.1.2. Therefore, the host will abort the attempted Telnet session.
An ACE that includes Layer 4 information (here, the Telnet port) filters fragmented packets in two ways:
– If the ACE permits the first (initial) fragment, the remaining (non-initial) fragments are also permitted, matched on Layer 3 information only, because non-initial fragments never carry a Layer 4 header.
– If the ACE denies the first fragment, it does not match the remaining fragments at all, because they have no Layer 4 information to compare against. That ACE neither permits nor denies them; evaluation simply moves on to the next ACE. Here the next ACE permits the fragments based on their Layer 3 information, which is why answer C is correct.
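The evaluation order described above, worked through in code. This is an added example and not part of the original question or exhibit: the three-entry ACL below is an assumption built to match the answer choices (an unrelated first ACE, a Telnet deny as the second ACE, a Layer 3 permit as the third), and the `evaluate()`/`ACE`/`Packet` names are mine. It also goes one step beyond the text by showing the IOS `fragments` keyword, which is the usual fix when non-initial fragments must not slip past a Layer 4 deny.

```python
"""Simulate how a Cisco IOS extended ACL treats initial vs. non-initial fragments.

Added example; the ACL entries here are assumed, not the exhibit's ACL.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PERMIT, DENY = "permit", "deny"


@dataclass
class ACE:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp", "icmp"
    src: str                      # CIDR; "0.0.0.0/0" means "any"
    dst: str
    dport: Optional[int] = None   # Layer 4 destination port; None = Layer 3 only
    fragments: bool = False       # IOS "fragments" keyword: non-initial only

    def has_l4(self) -> bool:
        return self.dport is not None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]          # present only in the initial fragment
    noninitial: bool              # True when fragment offset > 0


def l3_matches(ace: ACE, pkt: Packet) -> bool:
    proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
    return (proto_ok
            and ip_address(pkt.src) in ip_network(ace.src)
            and ip_address(pkt.dst) in ip_network(ace.dst))


def evaluate(acl, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding ACE); index None = implicit deny.

    Rules modelled:
    - An ACE with only Layer 3 fields applies to every fragment.
    - An ACE carrying the 'fragments' keyword applies only to non-initial fragments.
    - An ACE with Layer 4 fields is matched fully by the initial fragment.
      A non-initial fragment has no Layer 4 header, so that ACE is compared on
      Layer 3 only: a permit permits it, a deny does not match and the
      fragment falls through to the next ACE.
    - Implicit deny at the end of the list.
    """
    for idx, ace in enumerate(acl):
        if not l3_matches(ace, pkt):
            continue
        if ace.fragments:
            if pkt.noninitial:
                return ace.action, idx
            continue
        if not ace.has_l4():
            return ace.action, idx
        if pkt.noninitial:
            if ace.action == PERMIT:
                return PERMIT, idx
            continue              # deny with L4 fields skips non-initial fragments
        if pkt.dport == ace.dport:
            return ace.action, idx
    return DENY, None


# Assumed ACL, shaped to fit the answer choices (not the exhibit):
#   1. deny tcp 10.2.2.0 0.0.0.255 host 10.1.1.2 eq 22
#   2. deny tcp host 10.2.2.2 host 10.1.1.2 eq 23
#   3. permit ip any any
ASSUMED_ACL = [
    ACE(DENY, "tcp", "10.2.2.0/24", "10.1.1.2/32", dport=22),
    ACE(DENY, "tcp", "10.2.2.2/32", "10.1.1.2/32", dport=23),
    ACE(PERMIT, "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

# Same ACL with "deny ip host 10.2.2.2 host 10.1.1.2 fragments" prepended,
# so non-initial fragments are dropped before they reach the Layer 3 permit.
HARDENED_ACL = [ACE(DENY, "ip", "10.2.2.2/32", "10.1.1.2/32", fragments=True)] + ASSUMED_ACL

# Constructed packets from the scenario: the initial fragment carries the
# TCP header (dport 23); the remaining fragments carry only IP headers.
INITIAL = Packet("10.2.2.2", "10.1.1.2", "tcp", dport=23, noninitial=False)
FRAGMENT = Packet("10.2.2.2", "10.1.1.2", "tcp", dport=None, noninitial=True)

if __name__ == "__main__":
    for name, acl in (("assumed", ASSUMED_ACL), ("hardened", HARDENED_ACL)):
        print(name, "initial ->", evaluate(acl, INITIAL))
        print(name, "non-initial ->", evaluate(acl, FRAGMENT))
```

With the assumed ACL, the initial fragment is denied by the second ACE while every non-initial fragment falls through to the third ACE and is permitted, exactly the outcome in answer C. Prepending a `fragments` ACE changes that: the non-initial fragments are denied by the first entry, and the initial fragment is still decided by the Telnet deny.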