Cisco Systems 78-11741-02 Wireless Office Headset User Manual


 
Configuring IP Services
Filtering IP Packets Using Access Lists
IPC-94
Cisco IOS IP Configuration Guide
Be aware that you should not simply add the fragments keyword to every access list entry, because the
first fragment of the IP packet is considered a nonfragment and is treated independently of the
subsequent fragments. An initial fragment will not match an access list permit or deny entry that
contains the fragments keyword; the packet is compared to the next access list entry, and so on, until it
is either permitted or denied by an access list entry that does not contain the fragments keyword.
Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair
will not include the fragments keyword and applies to the initial fragment. The second deny entry of
the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where
there are multiple deny access list entries for the same host but with different Layer 4 ports, a single
deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all
the fragments of a packet are handled in the same manner by the access list.

The behavior of access-list entries regarding the presence or absence of the fragments keyword can be
summarized as follows:
If the Access-List Entry has...                 Then...
----------------------------------------------  -------------------------------------------------------------
...no fragments keyword, and assuming all of    For an access-list entry containing only Layer 3 information:
the access-list entry information matches,        - The entry is applied to nonfragmented packets, initial
                                                    fragments and noninitial fragments.
                                                For an access-list entry containing Layer 3 and Layer 4
                                                information:
                                                  - The entry is applied to nonfragmented packets and
                                                    initial fragments.
                                                      - If the entry matches and is a permit statement, the
                                                        packet or fragment is permitted.
                                                      - If the entry matches and is a deny statement, the
                                                        packet or fragment is denied.
                                                  - The entry is also applied to noninitial fragments in the
                                                    following manner. Because noninitial fragments contain
                                                    only Layer 3 information, only the Layer 3 portion of an
                                                    access-list entry can be applied. If the Layer 3 portion
                                                    of the access-list entry matches, and
                                                      - the entry is a permit statement, the noninitial
                                                        fragment is permitted.
                                                      - the entry is a deny statement, the next access-list
                                                        entry is processed.
                                                Note: The deny statements are handled differently for
                                                noninitial fragments versus nonfragmented or initial
                                                fragments.
----------------------------------------------  -------------------------------------------------------------
...the fragments keyword, and assuming all of   The access-list entry is applied only to noninitial
the access-list entry information matches,      fragments.
                                                Note: The fragments keyword cannot be configured for an
                                                access-list entry that contains any Layer 4 information.
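The following Python model is an added example, not part of the Cisco guide and not IOS code: it walks a list top-down using the fragment rules from the table above, so you can see why a Layer 4 deny alone lets noninitial fragments fall through to a later permit, and how the paired `deny ... fragments` entry closes that gap. The `Ace`/`Packet` classes, the host address 10.1.1.1 and the sample lists are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    """One access-list entry (hypothetical model, not IOS syntax)."""
    action: str                    # "permit" or "deny"
    src: str                       # source host address, or "any"
    dport: Optional[int] = None    # Layer 4 destination port; None means Layer 3-only
    fragments: bool = False

    def __post_init__(self):
        # The fragments keyword cannot be combined with Layer 4 information.
        if self.fragments and self.dport is not None:
            raise ValueError("fragments keyword not allowed with Layer 4 information")

@dataclass
class Packet:
    src: str
    kind: str                      # "whole", "initial" or "noninitial"
    dport: Optional[int] = None    # noninitial fragments carry no Layer 4 header

def l3_match(ace: Ace, pkt: Packet) -> bool:
    return ace.src in ("any", pkt.src)

def evaluate(acl: list, pkt: Packet) -> str:
    """Walk the ACL top-down following the fragment rules from the table."""
    for ace in acl:
        if ace.fragments:                      # applies only to noninitial fragments
            if pkt.kind == "noninitial" and l3_match(ace, pkt):
                return ace.action
        elif ace.dport is None:                # Layer 3-only: applies to every packet kind
            if l3_match(ace, pkt):
                return ace.action
        elif pkt.kind == "noninitial":         # Layer 3 + Layer 4 entry vs noninitial fragment
            if l3_match(ace, pkt) and ace.action == "permit":
                return "permit"                # a matching deny falls through to the next entry
        elif l3_match(ace, pkt) and ace.dport == pkt.dport:
            return ace.action                  # whole packet or initial fragment
    return "deny"                              # implicit deny at the end of the list

# Constructed sample: block host 10.1.1.1 reaching TCP port 80, permit everything else.
NAIVE_ACL = [Ace("deny", "10.1.1.1", 80), Ace("permit", "any")]
HARDENED_ACL = [Ace("deny", "10.1.1.1", 80), Ace("deny", "10.1.1.1", fragments=True), Ace("permit", "any")]
INITIAL = Packet("10.1.1.1", "initial", 80)
NONINITIAL = Packet("10.1.1.1", "noninitial")

if __name__ == "__main__":
    print(evaluate(NAIVE_ACL, NONINITIAL), evaluate(HARDENED_ACL, NONINITIAL))
```

With the naive list the noninitial fragment from the blocked host is permitted by the trailing `permit any`; the hardened list denies it while still permitting unrelated traffic.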