74 | Access Control Lists (ACLs)                                   www.dell.com | support.dell.com

Figure 5-1. Using the Order Keyword in ACLs

    FTOS(conf)#ip access-list standard acl1
    FTOS(conf-std-nacl)#permit 20.0.0.0/8
    FTOS(conf-std-nacl)#exit
    FTOS(conf)#ip access-list standard acl2
    FTOS(conf-std-nacl)#permit 20.1.1.0/24 order 0
    FTOS(conf-std-nacl)#exit
    FTOS(conf)#class-map match-all cmap1
    FTOS(conf-class-map)#match ip access-group acl1
    FTOS(conf-class-map)#exit
    FTOS(conf)#class-map match-all cmap2
    FTOS(conf-class-map)#match ip access-group acl2
    FTOS(conf-class-map)#exit
    FTOS(conf)#policy-map-input pmap
    FTOS(conf-policy-map-in)#service-queue 3 class-map cmap1
    FTOS(conf-policy-map-in)#service-queue 1 class-map cmap2
    FTOS(conf-policy-map-in)#exit
    FTOS(conf)#interface tengig 1/0
    FTOS(conf-if-ti-1/0)#service-policy input pmap

IP Fragment Handling

FTOS supports a configurable option to explicitly deny IP fragmented packets, in particular second and subsequent fragments. It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules, for every supported protocol (permit/deny ip/tcp/udp/icmp).

• Both standard and extended ACLs support IP fragments.
• Second and subsequent fragments are allowed by default because a Layer 4 rule cannot be applied to them: only the first fragment carries the Layer 4 header. If the packet is to be denied eventually, the first fragment is denied, and without it the packet as a whole cannot be reassembled at the destination.
• Implementing the required rules uses a significant number of CAM entries per TCP/UDP entry.
• For IP ACLs, FTOS always applies an implicit deny at the end of the list. You do not have to configure it.
• For IP ACLs, FTOS applies an implicit permit for second and subsequent fragments just prior to the implicit deny.
• If an explicit deny is configured, the second and subsequent fragments that match it are dropped there and do not hit the implicit permit rule for fragments.

IP Fragments ACL Examples

The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule does not get hit at all (Figure 5-2): the first rule matches on Layer 3 fields only, so it also matches second and subsequent fragments, and ACL entries are evaluated in order with the first match applied. To drop non-initial fragments to that host while still permitting its other traffic, the deny rule with the fragments keyword must be placed ahead of the permit rule (the order keyword shown in Figure 5-1 controls that position).

Figure 5-2. Permit All Packets

    FTOS(conf)#ip access-list extended ABC
    FTOS(conf-ext-nacl)#permit ip any 10.1.1.1/32
    FTOS(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
    FTOS(conf-ext-nacl)
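The following Python simulator is an added example, not FTOS code or anything from the guide. It models the evaluation rules the section states (entries tried in order, first match wins; a Layer 4 match never applies to second and subsequent fragments because they carry no Layer 4 header; an implicit permit for those fragments sits just before the implicit deny) and runs the Figure 5-2 ACL ABC through it to show why its deny entry is never hit. It goes beyond the guide's example in two ways: a Layer 4 only ACL, to show non-initial fragments falling through to the implicit permit, and the same deny entered ahead of the permit, to show them being dropped. The Rule and Packet classes, the dport field (standing in for a port match), the ACL names and the sample packets are assumptions made for the illustration.

```python
"""Added example (not FTOS code): simulate FTOS-style IP ACL evaluation with
the `fragments` keyword.  Entries are tried in order and the first match wins;
a Layer 4 match cannot apply to second and subsequent fragments (no L4 header);
FTOS appends an implicit permit for those fragments just before the implicit
deny.  Class names, field names and sample packets are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "0.0.0.0/0"  # models the `any` keyword


@dataclass(frozen=True)
class Packet:
    dst: str                     # destination IP
    proto: str                   # "tcp", "udp", "icmp", ...
    non_initial: bool = False    # True for second and subsequent fragments
    dport: Optional[int] = None  # present only in the first fragment


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    dst: str                     # destination prefix, e.g. "10.1.1.1/32"
    fragments: bool = False      # `fragments` keyword: non-initial fragments only
    dport: Optional[int] = None  # assumed Layer 4 port match


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.fragments and not pkt.non_initial:
        return False
    if rule.dport is not None:
        # Layer 4 fields exist only in the first fragment, so a Layer 4 rule
        # never matches second and subsequent fragments.
        if pkt.non_initial or pkt.dport != rule.dport:
            return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason) for the first entry that matches the packet."""
    for idx, rule in enumerate(acl, start=1):
        if rule_matches(rule, pkt):
            return rule.action, f"rule {idx}"
    # Implicit entries FTOS appends to every IP ACL, in this order.
    if pkt.non_initial:
        return "permit", "implicit permit fragments"
    return "deny", "implicit deny"


# Figure 5-2 from the guide: the explicit deny is never reached.
ACL_ABC = [
    Rule("permit", "ip", "10.1.1.1/32"),
    Rule("deny", "ip", "10.1.1.1/32", fragments=True),
]
# Layer 4 only ACL: non-initial fragments fall through to the implicit permit.
ACL_L4_ONLY = [Rule("permit", "tcp", "10.1.1.1/32", dport=80)]
# Deny entered ahead of the permit (the position `order` controls): dropped.
ACL_DENY_FIRST = [
    Rule("deny", "ip", "10.1.1.1/32", fragments=True),
    Rule("permit", "tcp", "10.1.1.1/32", dport=80),
]

# Constructed sample traffic toward 10.1.1.1.
FIRST_FRAG_80 = Packet("10.1.1.1", "tcp", dport=80)
FIRST_FRAG_22 = Packet("10.1.1.1", "tcp", dport=22)
LATER_FRAG = Packet("10.1.1.1", "tcp", non_initial=True)


def demo() -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Evaluate the three sample packets against each ACL."""
    out = {}
    for name, acl in (("ABC", ACL_ABC), ("L4_ONLY", ACL_L4_ONLY),
                      ("DENY_FIRST", ACL_DENY_FIRST)):
        out[name] = {
            "first_frag_80": evaluate(acl, FIRST_FRAG_80),
            "first_frag_22": evaluate(acl, FIRST_FRAG_22),
            "later_frag": evaluate(acl, LATER_FRAG),
        }
    return out


if __name__ == "__main__":
    for name, results in demo().items():
        for pkt, (action, why) in results.items():
            print(f"{name:10s} {pkt:14s} -> {action:6s} ({why})")
```

Running it shows the three behaviours side by side: under ACL_ABC every packet, fragment or not, hits rule 1; under ACL_L4_ONLY the first fragment to port 80 is permitted by the port rule while later fragments are permitted only by the implicit fragment rule (and a first fragment to another port hits the implicit deny); under ACL_DENY_FIRST later fragments are dropped by the explicit deny before the implicit permit can apply.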