Fragmented Packet Handling

Two keywords are used to support fragmentation in ACLs: fragments and first-fragments.

Policy file syntax checker

The fragments keyword cannot be used in a rule with L4 information. The syntax checker will reject such policy files.

The following rules determine how fragmented packets are evaluated, and how rules that use the fragments or first-fragments keywords behave.

With no keyword specified:
  • An L3-only rule that does not contain either the fragments or first-fragments keyword matches any IP packet.
  • An L4 rule that does not contain either the fragments or first-fragments keyword matches only non-fragmented packets and initial fragments.

With the fragments keyword specified:
  • An L3-only rule with the fragments keyword matches only fragmented packets.
  • An L4 rule with the fragments keyword is not valid; the syntax checker rejects it (see above).

With the first-fragments keyword specified:
  • An L3-only rule with the first-fragments keyword matches initial fragment packets.
  • An L4 rule with the first-fragments keyword matches initial fragment packets.
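As an added example (not from this page or the ACL implementation it documents), the Python model below applies the evaluation rules above to a constructed policy, so the effect of each keyword on a non-initial fragment can be checked. It assumes that "fragmented packets" for the fragments keyword means non-initial fragments (fragment offset other than 0); the Rule, rule_matches and first_match names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Packet fragmentation states. Assumption (not stated on the page): "fragmented
# packets" for the fragments keyword means non-initial fragments (offset != 0).
NON_FRAGMENTED = "non-fragmented"
INITIAL_FRAGMENT = "initial-fragment"          # offset 0, L4 header present
NON_INITIAL_FRAGMENT = "non-initial-fragment"  # offset > 0, no L4 header to inspect

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    has_l4: bool                   # True when the rule carries L4 (port) information
    keyword: Optional[str] = None  # None, "fragments" or "first-fragments"

def validate(rule: Rule) -> None:
    """Mirror the policy file syntax checker: fragments plus L4 information is rejected."""
    if rule.keyword == "fragments" and rule.has_l4:
        raise ValueError("fragments keyword cannot be used in a rule with L4 information")
    if rule.keyword not in (None, "fragments", "first-fragments"):
        raise ValueError(f"unknown keyword {rule.keyword!r}")

def rule_matches(rule: Rule, frag_state: str) -> bool:
    """Apply the evaluation rules from the page to one rule and one packet state."""
    validate(rule)
    if rule.keyword is None:
        # L3-only rule: any IP packet. L4 rule: only packets that carry an L4 header.
        return (not rule.has_l4) or frag_state in (NON_FRAGMENTED, INITIAL_FRAGMENT)
    if rule.keyword == "fragments":
        return frag_state == NON_INITIAL_FRAGMENT  # see assumption above
    return frag_state == INITIAL_FRAGMENT          # first-fragments, L3-only or L4

def first_match(rules: Sequence[Rule], frag_state: str) -> Optional[str]:
    """Return the action of the first rule that matches, or None if none does."""
    for rule in rules:
        if rule_matches(rule, frag_state):
            return rule.action
    return None

# Constructed policy: deny on an L4 match (e.g. a TCP port), then permit everything (L3-only).
# The L4 deny never matches non-initial fragments, so those fall through to the permit.
L4_DENY_THEN_PERMIT = [Rule("deny", has_l4=True), Rule("permit", has_l4=False)]
# Hardened variant: an L3-only deny with the fragments keyword in front catches them.
WITH_FRAGMENT_DENY = [Rule("deny", has_l4=False, keyword="fragments")] + L4_DENY_THEN_PERMIT
```

Because an L4 rule without a keyword never matches non-initial fragments, a deny written with port information alone leaves those fragments to whatever L3-only rule follows; whether to drop them outright, as the hardened variant does, is a policy decision for the deployment.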