Cisco WS-X6066-SLB-APC - Content Switching Module Software Manual page 302

Catalyst 6000 series software configuration guide
Supported ACLs
In this example, 10.1.1.2 is configured to serve HTTP connections. If you do not use a fragment ACE,
all the fragments for TCP traffic are permitted, because the permit tcp any any fragments ACE is added
automatically at the top of the ACL as follows:

permit tcp any any fragments
1. permit tcp any host 10.1.1.2 eq www
2. deny ip any host 10.1.1.2
3. permit ip any any

Because the automatic ACE sits above entry 2, noninitial TCP fragments addressed to 10.1.1.2 (which
carry no port numbers and so cannot match entry 1) are permitted before entry 2, which denies other IP
traffic to that host, is ever consulted.
In the above example, if you change entry 1 as follows:

1. deny tcp any host 10.1.1.2 eq www

no permit tcp any any fragments ACE is added at the top of the ACL. If the entry is a deny statement,
the next access-list entry is processed: a noninitial fragment cannot match the port qualifier of
entry 1, so it falls through to entry 2 and is denied there.
Note: The deny statements are handled differently for noninitial fragments versus nonfragmented or
initial fragments.
When you specify the fragment keyword for at least one ACE, the system does not install the global
permit TCP or UDP fragments statement. Instead, the software implicitly installs ACEs that permit
fragments to the specific IP addresses (or subnets) that your permit ACEs specify.
In this ACL example, the deny tcp any host 10.1.1.2 fragment entry stops fragmented traffic going to
all TCP ports on host 10.1.1.2. Later in the ACL, the permit udp any host 10.1.1.2 eq 69 entry allows
clients to connect to the TFTP server 10.1.1.2. The system automatically installs an ACE that permits
all fragments of UDP traffic to host 10.1.1.2; otherwise, those fragments would be denied by the entry
deny ip any host 10.1.1.2.

1. deny tcp any host 10.1.1.2 fragment
2. permit tcp any host 10.1.1.2 eq www
3. permit udp any host 10.1.1.2 eq 69
4. permit udp any gt 1023 10.1.1.2 gt 1023
5. deny ip any host 10.1.1.2
6. permit ip any any
If you explicitly want to stop fragmented UDP traffic to host 10.1.1.2, enter deny udp any host 10.1.1.2
fragment before entry number 3 as shown in this example:

[...]
3. deny udp any host 10.1.1.2 fragment
4. permit udp any host 10.1.1.2 eq 69
5. permit udp any gt 1023 10.1.1.2 gt 1023
[...]
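To see which fragments each of these ACLs actually passes, here is a small model of the behaviour described on this page. It is an added example, not Cisco's code or the switch's actual implementation: the three ACLs are the page's examples rebuilt as data, the sample packets are constructed (a client at 192.0.2.10, a documentation address), and the names Ace, Packet, installed_acl, evaluate and decisions are the model's own. Three points are assumptions rather than statements from the page: the implicit per-destination permit-fragments ACE is placed directly before the port-qualified permit ACE it belongs to (consistent with the advice to enter the deny ... fragment before entry 3), the global permit-fragments ACE is added for a protocol only when a port-qualified permit ACE exists for that protocol (the page shows it for TCP and shows it disappearing when that permit becomes a deny), and a packet that matches nothing is denied. The keyword is spelled fragment throughout, where the page writes fragments for the automatic ACE.

```python
"""Model of the fragment handling this page describes (added example, not Cisco's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp" or "udp"
    src: str                # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    sport: Optional[Tuple[str, int]] = None  # ("eq", 69), ("gt", 1023) or None for no qualifier
    dport: Optional[Tuple[str, int]] = None
    fragment: bool = False  # the fragment keyword: matches noninitial fragments only
    implicit: bool = False  # installed by the system, not typed by the operator

    def has_l4(self) -> bool:
        return self.sport is not None or self.dport is not None
    def text(self) -> str:
        sp = f" {self.sport[0]} {self.sport[1]}" if self.sport else ""
        dp = f" {self.dport[0]} {self.dport[1]}" if self.dport else ""
        tail = (" fragment" if self.fragment else "") + ("  (implicit)" if self.implicit else "")
        return f"{self.action} {self.proto} {self.src}{sp} {self.dst}{dp}{tail}"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None  # None on a noninitial fragment: it carries no L4 header
    dport: Optional[int] = None
    noninitial: bool = False     # fragment offset > 0

def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    net = ip_network(spec[5:] if spec.startswith("host ") else spec, strict=False)
    return ip_address(addr) in net

def _port_match(spec: Optional[Tuple[str, int]], port: Optional[int]) -> bool:
    if spec is None or port is None:
        return spec is None  # no qualifier always matches; a qualifier needs a port to compare
    op, value = spec
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.fragment:
        return pkt.noninitial
    if ace.has_l4() and pkt.noninitial:
        return False  # no ports in a noninitial fragment, so a port-qualified ACE never matches it
    return _port_match(ace.sport, pkt.sport) and _port_match(ace.dport, pkt.dport)

def installed_acl(acl: List[Ace]) -> List[Ace]:
    """The ACL as the system installs it: a global permit-fragments ACE on top when no ACE uses the
    fragment keyword, otherwise a per-destination permit placed just before each port-qualified permit."""
    if not any(a.fragment for a in acl):
        return [Ace("permit", p, "any", "any", fragment=True, implicit=True) for p in ("tcp", "udp")
                if any(a.action == "permit" and a.proto == p and a.has_l4() for a in acl)] + list(acl)
    out, covered = [], set()
    for a in acl:
        if a.action == "permit" and a.proto != "ip" and a.has_l4() and (a.proto, a.dst) not in covered:
            covered.add((a.proto, a.dst))
            out.append(Ace("permit", a.proto, "any", a.dst, fragment=True, implicit=True))
        out.append(a)
    return out

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[Ace]]:
    for ace in installed_acl(acl):  # first match wins
        if ace_matches(ace, pkt):
            return ace.action, ace
    return "deny", None  # nothing matched: implicit deny (assumed; the page's ACLs all end in permit ip any any)

H = "host 10.1.1.2"
ACL_NO_FRAGMENT_ACE = [Ace("permit", "tcp", "any", H, dport=("eq", 80)),  # the page's first ACL
                       Ace("deny", "ip", "any", H), Ace("permit", "ip", "any", "any")]
ACL_DENY_TCP_FRAGMENTS = [Ace("deny", "tcp", "any", H, fragment=True),  # the page's second ACL
                          Ace("permit", "tcp", "any", H, dport=("eq", 80)),
                          Ace("permit", "udp", "any", H, dport=("eq", 69)),
                          Ace("permit", "udp", "any", H, sport=("gt", 1023), dport=("gt", 1023)),
                          Ace("deny", "ip", "any", H), Ace("permit", "ip", "any", "any")]
ACL_DENY_UDP_FRAGMENTS_TOO = (ACL_DENY_TCP_FRAGMENTS[:2]  # the third ACL: deny udp fragment before entry 3
                              + [Ace("deny", "udp", "any", H, fragment=True)] + ACL_DENY_TCP_FRAGMENTS[2:])

def _pkt(proto: str, dport: Optional[int] = None, noninitial: bool = False) -> Packet:
    return Packet(proto, "192.0.2.10", "10.1.1.2", None if noninitial else 40000, dport, noninitial)
# Constructed sample traffic from a client at 192.0.2.10 (a documentation address) to 10.1.1.2.
PACKETS = {"tcp_noninitial_fragment": _pkt("tcp", noninitial=True), "tcp_to_www": _pkt("tcp", 80),
           "tcp_to_ssh": _pkt("tcp", 22), "udp_noninitial_fragment": _pkt("udp", noninitial=True),
           "udp_to_tftp": _pkt("udp", 69)}

def decisions(acl: List[Ace]) -> Dict[str, str]:
    return {name: evaluate(acl, pkt)[0] for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for acl in (ACL_NO_FRAGMENT_ACE, ACL_DENY_TCP_FRAGMENTS, ACL_DENY_UDP_FRAGMENTS_TOO):
        print("\n".join(a.text() for a in installed_acl(acl)), decisions(acl), "", sep="\n")
```

Running the block prints each ACL as installed, implicit ACEs marked, followed by the decision for every sample packet. With the first ACL the noninitial TCP fragment is permitted by the automatic top entry even though deny ip any host 10.1.1.2 follows, which is the reason to add an explicit deny ... fragment when a host must not receive fragments at all; changing entry 1 to a deny removes the global permit, and the fragment then falls through to the deny ip entry. With the second ACL the explicit deny tcp ... fragment wins over the implicit TCP permit that follows it, while UDP fragments to the host are still permitted by the implicit ACE installed for the TFTP permit; the third ACL closes that gap because the explicit deny udp ... fragment sits above the implicit permit.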
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4, 78-13315-02
Chapter 16, Configuring Access Control, page 16-6
