Note the following when configuring ACLs with the fragments keyword.

When an ACL filters packets, it looks at the fragment offset (FO) to determine whether or not it is a fragment.
FO = 0 means it is either the first fragment or the packet is a non-fragment.
FO > 0 means it is dealing with the fragments of the original packet.

Permit ACL line with L3 information only and the fragments keyword is present:
If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset (FO) is checked.
• If a packet's FO > 0, the packet is permitted.
• If a packet's FO = 0, the next ACL entry is processed.

Deny ACL line with L3 information only and the fragments keyword is present:
If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset (FO) is checked.
• If a packet's FO > 0, the packet is denied.
• If a packet's FO = 0, the next ACL line is processed.
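The fragment-offset rule above, as an added example that is not part of the FTOS guide: a small Python simulator of how a standard IP ACL (source-address match only) evaluates lines carrying the fragments keyword. The entry format, the treatment of lines without the keyword (FO ignored) and the implicit deny at the end of the list are assumptions of this example, not statements from the guide.

```python
# Added example (not from the FTOS guide): simulate standard IP ACL evaluation
# with the "fragments" keyword against a packet's fragment offset (FO).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class AclEntry:
    seq: int
    action: str              # "permit" or "deny"
    source: str              # "any", "host A.B.C.D", or "A.B.C.D/prefixlen"
    fragments: bool = False  # True when the line carries the fragments keyword


def source_matches(entry: AclEntry, src: str) -> bool:
    """L3 match for a standard ACL: only the source IP address is compared."""
    if entry.source == "any":
        return True
    if entry.source.startswith("host "):
        return ip_address(src) == ip_address(entry.source.split()[1])
    return ip_address(src) in ip_network(entry.source, strict=False)


def evaluate(acl: list, src: str, fo: int) -> tuple:
    """Return (action, seq) of the first line that applies to the packet.

    Guide rule: a line with L3 information only plus "fragments" applies when
    FO > 0; when FO = 0 the next line is processed. Assumptions of this
    example: a line without the keyword applies to any matching source
    regardless of FO, and an implicit deny follows the last line.
    """
    for entry in sorted(acl, key=lambda e: e.seq):
        if not source_matches(entry, src):
            continue
        if entry.fragments and fo == 0:
            continue  # first fragment or non-fragment: fall through
        return entry.action, entry.seq
    return "deny", None


# Constructed sample ACL: drop non-initial fragments from 10.1.1.0/24 (seq 5),
# then permit all other traffic from that subnet (seq 10).
SAMPLE_ACL = [
    AclEntry(5, "deny", "10.1.1.0/24", fragments=True),
    AclEntry(10, "permit", "10.1.1.0/24"),
]

if __name__ == "__main__":
    for fo in (0, 185):
        print(f"src=10.1.1.7 FO={fo} ->", evaluate(SAMPLE_ACL, "10.1.1.7", fo))
```

The same source address is permitted when FO = 0 (the deny line is skipped) and denied when FO > 0 (the deny line applies), which is why the deny-fragments line is placed before the permit line.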
Configure a Standard IP ACL

To configure an ACL, use commands in IP ACCESS LIST mode and INTERFACE mode. For a complete listing of all commands related to IP ACLs, refer to the FTOS Command Line Interface Reference Guide.
To set up extended ACLs, refer to Configure an Extended IP ACL.

A standard IP ACL uses the source IP address as its match criterion.

To configure a standard IP ACL, follow these steps:

Step 1
  Command Syntax: ip access-list standard access-listname
  Command Mode: CONFIGURATION
  Purpose: Enter IP ACCESS LIST mode by naming a standard IP access list.

Step 2
  Command Syntax: seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments]
  Command Mode: CONFIG-STD-NACL
  Purpose: Configure a drop or forward filter.

Note: When assigning sequence numbers to filters, you might need to insert a new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or another number.

To view the rules of a particular ACL configured on a particular interface, use the show ip accounting access-list ACL-name interface interface command in EXEC Privilege mode (Figure 5-6).