In earlier releases, non-fragmented packets and the initial fragments of a packet were
processed by IP extended access lists (if you applied such an access list), but non-initial
fragments were permitted by default. The IP Extended Access Lists with Fragment Control
feature now allows more granular control over non-initial fragments of a packet. Using this feature, you can specify
whether the system examines non-initial IP fragments of packets when applying an IP extended

Because non-initial fragments contain only Layer 3 information, access-list entries
that contain only Layer 3 information can now be applied to non-initial fragments as well. The
fragment has all the information the system requires to filter, so the access-list entry is applied to
the fragments of a packet.

This feature adds the optional fragments keyword to the following
IP access list commands:

When you specify the fragments keyword
in an access-list entry, that particular access-list entry applies only to non-initial
fragments of packets; the fragment is either permitted or denied accordingly.

The behavior of access-list entries regarding the presence or absence of the
fragments keyword can be summarized as follows:

If the Access-List Entry has...

...no fragments keyword and all of the access-list
entry information matches,

  For an access-list entry containing only Layer 3 information:
  - The entry is applied to non-fragmented packets, initial fragments, and

  For an access-list entry containing Layer 3 and Layer 4 information:
  - The entry is applied to non-fragmented packets and initial fragments.
    - If the entry matches and is a permit
      statement, the packet or fragment is
    - If the entry matches and is a deny
      statement, the packet or fragment is denied.
  - The entry is also applied to non-initial fragments in the following
    manner. Because non-initial fragments contain only Layer 3 information,
    only the Layer 3 portion of an access-list entry can be applied. If the
    Layer 3 portion of the access-list entry matches, and
    - If the entry is a permit statement,
      the non-initial fragment is permitted.
    - If the entry is a deny statement, the next access-list entry is

  Note that the deny statements are handled differently for
  non-initial fragments versus non-fragmented or initial fragments.

...the fragments keyword and all of the
access-list entry information matches,

  The access-list entry is applied only to non-initial fragments.

  The fragments keyword cannot be configured for
  an access-list entry that contains any Layer 4 information.

You should not add the fragments keyword to every access-list
entry, because the first fragment of the IP packet is considered a non-fragment and is
treated independently of the subsequent fragments. Because an initial fragment will not
match an access list permit or deny entry that contains the fragments
keyword, the packet is compared to the next access list entry until it is
either permitted or denied by an access list entry that does not contain the
fragments keyword. Therefore, you may need two access list
entries for every deny entry. The first deny entry of the pair will not include the
fragments keyword, and applies to the initial fragment. The
second deny entry of the pair will include the fragments keyword
and applies to the subsequent fragments. In cases where there are multiple
access list entries for the same host but with
different Layer 4 ports, a single deny access-list entry with the
fragments keyword for that host is all that has to be
added. Thus all the fragments of a packet are handled in the same manner by the access

Packet fragments of IP datagrams are considered individual packets and each fragment counts
individually as a packet in access-list accounting and access-list violation counts.

The fragments keyword cannot solve all cases involving access
lists and IP fragments.

Within the scope of ACL processing, Layer 3 information refers to fields located within the IPv4 header; for example, source, destination, protocol. Layer 4 information refers to other data contained beyond the IPv4 header; for example, source and destination ports for TCP or UDP, flags for TCP, type and code for ICMP.
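
The matching rules summarized above and the advice to pair each deny entry can be checked with a small model. This is an added example, not vendor code: the Entry and Packet classes, the evaluate function and the address 192.0.2.10 are constructed for illustration, only destination host and destination port are modelled, and the implicit deny at the end of the list is an assumption the page does not state.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    dst: str                      # Layer 3 criterion (destination host)
    dport: Optional[int] = None   # Layer 4 criterion; None = Layer 3 only
    fragments: bool = False       # entry carries the fragments keyword

    def __post_init__(self):
        if self.fragments and self.dport is not None:
            raise ValueError("fragments keyword cannot be combined with Layer 4 information")

@dataclass
class Packet:
    dst: str
    dport: Optional[int] = None   # absent on non-initial fragments
    non_initial: bool = False     # False: non-fragmented packet or initial fragment

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for one packet or fragment."""
    for e in acl:
        if e.dst != pkt.dst:                  # Layer 3 portion must match
            continue
        if e.fragments:                       # keyword: non-initial fragments only
            if pkt.non_initial:
                return e.action
        elif not pkt.non_initial:             # full Layer 3 + Layer 4 comparison
            if e.dport is None or e.dport == pkt.dport:
                return e.action
        elif e.dport is None or e.action == "permit":
            return e.action                   # Layer 3 portion matched
        # deny entry with Layer 4 information: fall through to the next entry
    return "deny"                             # assumed implicit deny at end of list

HOST = "192.0.2.10"                           # constructed documentation address
WEB_FIRST = Packet(HOST, dport=80)            # initial fragment, port 80
WEB_REST = Packet(HOST, non_initial=True)     # later fragment of the same datagram
OTHER = Packet(HOST, dport=22)                # unfragmented packet to another port

single = [Entry("deny", HOST, dport=80), Entry("permit", HOST)]
paired = [Entry("deny", HOST, dport=80), Entry("deny", HOST, fragments=True),
          Entry("permit", HOST)]

def verdicts(acl):
    return [evaluate(acl, p) for p in (WEB_FIRST, WEB_REST, OTHER)]

if __name__ == "__main__":
    print("single deny:", verdicts(single))
    print("paired deny:", verdicts(paired))
```

With the single deny entry the later fragment of the denied datagram is still permitted by the Layer 3 permit entry. The paired list drops it, and it also drops non-initial fragments of traffic to other ports on that host, since a non-initial fragment carries no port to distinguish them.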