Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)

Layer 4 ACL Rules Examples

The following examples show the ACL commands for Layer 4 packet filtering.

Permit an ACL line with L3 information only, and the fragments keyword is present: If a packet's L3 information matches the L3 information in the ACL line, the packet's FO is checked.
• If a packet's FO > 0, the packet is permitted.
• If a packet's FO = 0, the next ACL entry is processed.

Deny ACL line with L3 information only, and the fragments keyword is present: If a packet's L3 information does match the L3 information in the ACL line, the packet's FO is checked.
• If a packet's FO > 0, the packet is denied.
• If a packet's FO = 0, the next ACL line is processed.

Example of Permitting All Packets from a Specified Host

In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted. All others are denied.

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#deny ip any any fragment
Dell(conf-ext-nacl)

Example of Permitting Only First Fragments and Non-Fragmented Packets from a Specified Host

In the following example, the TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied.

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragment
Dell(conf-ext-nacl)#deny ip any any fragment
Dell(conf-ext-nacl)

Example of Logging Denied Packets

To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/UDP fragments, use a configuration similar to the following.

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp any any fragment
Dell(conf-ext-nacl)#permit udp any any fragment
Dell(conf-ext-nacl)#deny ip any any log
Dell(conf-ext-nacl)

When configuring ACLs with the fragments keyword, be aware of the following.

When an ACL filters packets, it looks at the fragment offset (FO) to determine whether it is a fragment.
• FO = 0 means it is either the first fragment or the packet is a non-fragment.
• FO > 0 means it is dealing with the fragments of the original packet.

Access Control Lists (ACLs) 107
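The following Python model, added here as an illustration and not part of the Dell documentation or Dell Networking OS, walks an ACL top-down with the FO rules stated above (a line with the fragments keyword applies only when FO > 0; a line with L4 information can only match when FO = 0) and applies it to the second example ACL and some constructed packets. It assumes that a plain L3 line without the fragments keyword matches regardless of FO, and it does not model the platform's implicit permit for TCP/UDP fragments mentioned in the logging example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: str                     # "any" or CIDR ("host 10.1.1.1" == "10.1.1.1/32")
    dst: str
    dport: Optional[int] = None  # L4 info ("eq 24"); only evaluated when FO = 0
    fragment: bool = False       # "fragment" keyword: line applies only when FO > 0

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    fo: int                      # fragment offset: 0 = first fragment or unfragmented
    dport: Optional[int] = None  # None for non-first fragments (no L4 header present)

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def _l3_match(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto) and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst))

def evaluate(acl: list, pkt: Packet) -> str:
    """Walk the ACL top-down; return the first matching action, else the implicit deny."""
    for rule in acl:
        if not _l3_match(rule, pkt):
            continue
        if rule.fragment:                 # L3-only line with the fragments keyword
            if pkt.fo > 0:
                return rule.action        # FO > 0: the line applies
            continue                      # FO = 0: the next ACL line is processed
        if rule.dport is not None:        # line carries L4 info
            if pkt.fo == 0 and pkt.dport == rule.dport:
                return rule.action
            continue                      # no L4 header in a non-first fragment
        return rule.action                # plain L3 line: any FO (assumption, not stated on the page)
    return "deny"                         # implicit deny at the end of every ACL

# The page's second ACL: permit first fragments/non-fragments to port 24 and all
# TCP fragments from 10.1.1.1, deny every other non-first fragment.
ACL_ABC = [
    Rule("permit", "tcp", "10.1.1.1/32", "any", dport=24),
    Rule("permit", "tcp", "10.1.1.1/32", "any", fragment=True),
    Rule("deny", "ip", "any", "any", fragment=True),
]
```

Running a first fragment from 10.1.1.1 to port 80 through ACL_ABC shows the trap the text describes: it skips both fragments lines because FO = 0, reaches the end of the ACL and is dropped by the implicit deny, while a non-first fragment of the same flow is permitted by the second line.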