Dropping IPv6 Fragments

On Oct 4, 2012, at 9:58 PM, joel jaeggli wrote:

> Likewise with the acl I have the property that the initial packet has 
> all the info in it while the fragment does not. 

For iACLs, just filter non-initial fragments directed to infrastructure IPs.  Cisco & Juniper ACLs have ACL matching criteria for non-initial fragments.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
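
Added example, not part of the original message: a Python sketch of the matching logic behind the iACL rule described above. It walks the IPv6 extension-header chain to the Fragment header and denies only non-initial fragments (offset > 0) addressed to an infrastructure prefix. The prefix, the function names and the sample packets are constructed for illustration; this is not vendor ACL syntax.

```python
import ipaddress
import struct

# Assumed infrastructure prefix (documentation range, constructed for this example).
INFRA_PREFIXES = [ipaddress.ip_network("2001:db8:ffff::/48")]
# Hop-by-Hop (0), Routing (43), Destination Options (60) may precede Fragment (44).
SKIPPABLE, FRAGMENT = {0, 43, 60}, 44

def fragment_offset(packet: bytes):
    """Return the fragment offset in 8-octet units, or None if unfragmented."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, pos = packet[6], 40
    while next_header in SKIPPABLE:
        if pos + 8 > len(packet):
            raise ValueError("truncated extension header")
        next_header, hdr_len = packet[pos], packet[pos + 1]
        pos += (hdr_len + 1) * 8
    if next_header != FRAGMENT:
        return None
    if pos + 8 > len(packet):
        raise ValueError("truncated fragment header")
    (offset_flags,) = struct.unpack_from("!H", packet, pos + 2)
    return offset_flags >> 3  # low 3 bits are reserved bits and the M flag

def iacl_action(packet: bytes) -> str:
    """Deny non-initial fragments addressed to infrastructure; permit the rest."""
    offset = fragment_offset(packet)
    dst = ipaddress.IPv6Address(packet[24:40])
    to_infra = any(dst in net for net in INFRA_PREFIXES)
    if to_infra and offset is not None and offset > 0:
        return "deny"
    return "permit"

def build(dst: str, offset=None, more=False) -> bytes:
    """Construct a sample IPv6 packet (never sent) with 8 bytes of payload."""
    payload, nh = bytes(8), 17
    if offset is not None:
        frag = struct.pack("!BBHI", 17, 0, (offset << 3) | int(more), 0x1234)
        payload, nh = frag + payload, FRAGMENT
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nh, 64)
    src = ipaddress.IPv6Address("2001:db8:1::1").packed
    return hdr + src + ipaddress.IPv6Address(dst).packed + payload
```

The initial fragment (offset 0) still carries the upper-layer header, so it falls through to the ordinary permit/deny entries; only the later fragments, which carry no port information, are matched on offset alone.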