Permit Layer 4 Fragmented Packet Behavior

When an ACL filters traffic, each packet is tested against the rules in order. A rule in an extended ACL may specify Layer 4 information such as TCP or UDP ports, ICMP type and code, or the TCP flags used to recognize an established connection. When a datagram is sent as a series of fragments, that Layer 4 information is carried only in the initial fragment; subsequent (non-initial) fragments carry just the IP header. Although a subsequent fragment should match the same rule as the initial fragment, not all of the information needed to test that rule is available when the fragment is evaluated.

To deal with this problem, subsequent fragments are handled differently by permit rules than by deny rules. The philosophy is that it is better to leak fragments that should have been dropped than to drop fragments that should have been forwarded, because the latter would break the receiving application. The cost of this choice is that a deny rule which relies on Layer 4 information does not, by itself, stop the non-initial fragments of the traffic it is meant to block.

Consider a subsequent fragment that matches every value specified in a rule except the Layer 4 information. If the rule is a permit rule, the fragment is considered to match: it is forwarded and no further rules are checked. If the rule is a deny rule, the fragment is considered not to match, and its fate depends on the rules that follow. For example, it is dropped if it reaches the implicit deny at the end of the ACL, and it is forwarded if it matches a later permit rule that specifies only the same Layer 3 information.
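The following model walks an ACL exactly as described above: Layer 3 fields are always tested, Layer 4 fields are tested only when the initial fragment carries them, and a non-initial fragment is treated as matching a permit rule but not a deny rule. It is an added example, not vendor code or configuration from this page. The rule and packet fields (prefix, protocol, one destination port) are a simplification chosen for the illustration, the ACL and packets are constructed, and the `fragments_only` flag is this example's own modeling of a rule that applies only to non-initial fragments and carries no Layer 4 information (the Cisco IOS `fragments` keyword behaves this way, but the text above does not mention it, so treat that mapping as an assumption).

```python
"""Model of extended-ACL evaluation for initial and non-initial fragments.

Added example, not vendor code. Field set and the `fragments_only` flag are
simplifications/assumptions made for this illustration (see lead-in).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: str                        # CIDR prefix or "any"
    dst: str                        # CIDR prefix or "any"
    dport: Optional[int] = None     # Layer 4 information, if the rule has any
    fragments_only: bool = False    # assumption: applies to non-initial fragments only


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    frag_offset: int                # 0 for an unfragmented packet or initial fragment
    dport: Optional[int] = None     # None in non-initial fragments: no Layer 4 header

    @property
    def initial(self) -> bool:
        return self.frag_offset == 0


def _addr_ok(ip: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _l3_ok(rule: Rule, pkt: Packet) -> bool:
    # Protocol and addresses live in the IP header, so every fragment carries them.
    return (rule.proto in ("ip", pkt.proto)
            and _addr_ok(pkt.src, rule.src)
            and _addr_ok(pkt.dst, rule.dst))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); index None means the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.fragments_only and pkt.initial:
            continue                                # assumption: such a rule skips initial fragments
        if not _l3_ok(rule, pkt):
            continue
        if rule.dport is None:
            return rule.action, i                   # Layer 3 only: decides any fragment outright
        if pkt.initial:
            if pkt.dport == rule.dport:             # Layer 4 header present, test it normally
                return rule.action, i
            continue
        # Non-initial fragment against a rule with Layer 4 information:
        # a permit rule counts as a match, a deny rule counts as a non-match.
        if rule.action == "permit":
            return "permit", i
    return "deny", None                             # implicit deny at the end of the ACL


SERVER_NET = "10.0.0.0/24"

# Constructed ACL: the intent is to block telnet to the servers and allow web.
ACL = [
    Rule("deny",   "tcp", "any", SERVER_NET, dport=23),
    Rule("permit", "tcp", "any", SERVER_NET, dport=80),
]

# Same ACL with a Layer-3-only deny for non-initial fragments placed first.
HARDENED_ACL = [Rule("deny", "ip", "any", SERVER_NET, fragments_only=True)] + ACL

# Constructed packets: one telnet datagram split into an initial and a later fragment.
TELNET_FIRST = Packet("tcp", "192.0.2.7", "10.0.0.5", frag_offset=0, dport=23)
TELNET_REST = Packet("tcp", "192.0.2.7", "10.0.0.5", frag_offset=185)


def demo() -> dict:
    return {
        "initial":  evaluate(ACL, TELNET_FIRST),          # ('deny', 0): Layer 4 info present
        "leaked":   evaluate(ACL, TELNET_REST),           # ('permit', 1): deny skipped, permit matches
        "hardened": evaluate(HARDENED_ACL, TELNET_REST),  # ('deny', 0): Layer 3 only deny catches it
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:9s} -> {result}")
```

The "leaked" case is the behavior the text warns about: the deny rule carries Layer 4 information, so the later fragment is evaluated as if that rule did not apply, and the Layer 4 permit beneath it forwards the fragment. The hardened variant shows the other side of the trade-off from the preceding paragraphs: a Layer-3-only deny placed first does catch the fragment, but it also drops the non-initial fragments of legitimate fragmented web traffic to the same servers, so it is only acceptable where the receiving hosts do not depend on fragmented datagrams.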