Reference Guide

Permit all packets on interface
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32
OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments
L3 ACL rules
Use ACL commands for L3 packet filtering. TCP packets from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all
others are denied.
TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all
TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied.
Permit ACL with L3 information only
If a packet's L3 information matches the information in the ACL, the packet's fragment offset (FO) is checked:
If a packet's FO > 0, the packet is permitted
If a packet's FO = 0, the next ACL entry processes
Deny ACL with L3 information only
If a packet's L3 information does not match the L3 information in the ACL, the packet's FO is checked:
If a packet's FO > 0, the packet is denied
If a packet's FO = 0, the next ACL line processes
Permit all packets from host
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24
OS10(conf-ipv4-acl)# deny ip any any fragment
Permit only rst fragments and non-fragmented packets from
host
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any fragment
OS10(conf-ipv4-acl)# deny ip any any fragment
To log all denied packets and to override the implicit deny rule and the implicit permit rule for TCP/UDP fragments, use a similar
configuration. When an ACL filters packets, it looks at the FO to determine whether the packet is a fragment:
FO = 0 means the packet is either the first fragment or a non-fragmented packet
FO > 0 means the packet is a non-first fragment of the original packet
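The following is an added example, not configuration or code from the reference guide or from OS10 itself. It is a small Python model of the fragment-handling rules described above: an entry carrying L4 information (a port) can only match packets with FO = 0, because only a first fragment or an unfragmented packet carries the TCP/UDP header; an entry with the fragment keyword matches only packets with FO > 0 and lets FO = 0 packets fall through to the next entry; a plain L3 entry matches regardless of FO; and an implicit deny drops whatever no entry matched. The three ACLs from this page are encoded and run against constructed sample packets (the addresses, ports and offsets of the packets are illustrative, not from the guide) so you can see which entry each packet hits.

```python
"""Model of OS10-style IPv4 ACL evaluation for fragmented packets.

Added example (not from the reference guide). The matching rules follow the
guide's description of FO handling; the Packet and Entry types, the sample
packets and the evaluate() function are assumptions of this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    fo: int                      # IP fragment offset: 0 = first fragment or unfragmented
    dport: Optional[int] = None  # L4 destination port; only present when fo == 0


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any", "host a.b.c.d" or a prefix a.b.c.d/len
    dst: str
    dport: Optional[int] = None  # the CLI's 'eq <port>'
    fragment: bool = False       # the CLI's 'fragment' keyword


def _addr_match(spec: str, addr: str) -> bool:
    """Match one address against an 'any', 'host x' or prefix specification."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec, strict=False)


def _matches(e: Entry, p: Packet) -> bool:
    """Apply the guide's FO rules to decide whether one entry matches a packet."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)):
        return False
    if e.fragment:
        # L3-only entry with 'fragment': FO > 0 applies the action, FO = 0 moves on
        return p.fo > 0
    if e.dport is not None:
        # L4 condition: a non-first fragment carries no TCP/UDP header, so it never matches
        return p.fo == 0 and p.dport == e.dport
    return True                  # plain L3 entry: matches whatever the FO is


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None means the implicit deny."""
    for i, e in enumerate(acl):
        if _matches(e, p):
            return e.action, i
    return "deny", None


# The three ACLs shown on this page, in the order the entries are configured.
ACL_TO_HOST = [                                   # 'Permit all packets on interface'
    Entry("permit", "ip", "any", "10.1.1.1/32"),
    Entry("deny", "ip", "any", "10.1.1.1/32", fragment=True),
]
ACL_FROM_HOST = [                                 # 'Permit all packets from host'
    Entry("permit", "tcp", "host 10.1.1.1", "any", dport=24),
    Entry("deny", "ip", "any", "any", fragment=True),
]
ACL_FROM_HOST_FRAG = [                            # 'Permit only first fragments ... from host'
    Entry("permit", "tcp", "host 10.1.1.1", "any", dport=24),
    Entry("permit", "tcp", "host 10.1.1.1", "any", fragment=True),
    Entry("deny", "ip", "any", "any", fragment=True),
]

# Constructed sample traffic (not taken from the guide).
FIRST_FRAG_24 = Packet("10.1.1.1", "10.2.2.2", "tcp", fo=0, dport=24)
LATER_FRAG = Packet("10.1.1.1", "10.2.2.2", "tcp", fo=185)      # no L4 header available
FIRST_FRAG_80 = Packet("10.1.1.1", "10.2.2.2", "tcp", fo=0, dport=80)
OTHER_FRAG = Packet("10.3.3.3", "10.2.2.2", "udp", fo=5)
TO_HOST_FRAG = Packet("10.3.3.3", "10.1.1.1", "udp", fo=7)

if __name__ == "__main__":
    for name, acl in (("ACL_FROM_HOST", ACL_FROM_HOST), ("ACL_FROM_HOST_FRAG", ACL_FROM_HOST_FRAG)):
        for p in (FIRST_FRAG_24, LATER_FRAG, FIRST_FRAG_80, OTHER_FRAG):
            print(f"{name}: {p.proto} {p.src} fo={p.fo} dport={p.dport} -> {evaluate(acl, p)}")
    print(f"ACL_TO_HOST: fragment to 10.1.1.1 -> {evaluate(ACL_TO_HOST, TO_HOST_FRAG)}")
```

Running it shows the difference the extra `permit tcp host 10.1.1.1 any fragment` entry makes: the non-first fragment from 10.1.1.1 is dropped by the `deny ip any any fragment` entry in the first ACL but permitted by entry 1 in the second, while a first fragment to port 80 falls off the end of both lists into the implicit deny. The `ACL_TO_HOST` case also shows why entry order matters: the plain L3 permit matches fragments too, so the `deny ... fragments` entry after it never fires.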
Access Control Lists