Filter
Top Products
Configuring IP Services
Filtering IP Packets Using Access Lists
IPC-93
Cisco IOS IP Configuration Guide
Note When making the standard and extended access list, remember that, by default, the end of the access
list contains an implicit deny statement for everything if it did not find a match before reaching the
end. Further, with standard access lists, if you omit the mask from an associated IP host address
access list specification, 0.0.0.0 is assumed to be the mask.
After creating an access list, you must apply it to a line or interface, as shown in section “Applying
Access Lists” later in this chapter.
See the “Named Access List Example” section at the end of this chapter for an example of a named
access list.
Specifying IP Extended Access Lists with Fragment Control
This section describes the functionality added to IP extended named and numbered access lists. You can
now specify whether the system examines noninitial IP fragments of packets when applying an IP
extended access list.
Prior to this feature, nonfragmented packets and the initial fragment of a packet were processed by IP
extended access lists (if such an access list was applied), but noninitial fragments were permitted by
default. The IP Extended Access Lists with Fragment Control feature now allows more granularity of
control over noninitial packets.
Because noninitial fragments contain only Layer 3 information, access-list entries containing only
Layer 3 information can and now are applied to noninitial fragments. The fragment has all the
information the system needs to filter, so the entry is applied to the fragments.
This feature adds the optional fragments keyword to four IP access list commands [access-list (IP
extended), deny (IP), dynamic, and permit (IP)]. By specifying the fragments keyword in an access
list entry, that particular access list entry applies only to noninitial fragments of packets; the fragment is
either permitted or denied accordingly.