Administrator Guide
IP Fragment Handling
The Dell Networking OS supports a configurable option to explicitly deny IP fragmented packets, especially
second and subsequent packets.
It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable to
all Layer protocols (permit/deny ip/tcp/udp/icmp).
• Both standard and extended ACLs support IP fragments.
• Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these
fragments. If the packet is to be denied eventually, the first fragment would be denied and hence the
packet as a whole cannot be reassembled.
• Implementing the required rules uses a significant number of CAM entries per TCP/UDP entry.
• For IP ACL, the system always applies implicit deny. You do not have to configure it.
• For IP ACL, the system applies implicit permit for second and subsequent fragment prior to the implicit
deny.
• If you configure an explicit deny, the second and subsequent fragments do not hit the implicit permit
rule for fragments.
IP Fragments ACL Examples
The following examples show how you can use ACL commands with the fragment keyword to filter
fragmented packets.
Example of Permitting All Packets on an Interface
Example of Denying Second and Subsequent Fragments
The following configuration permits all packets (both fragmented and non-fragmented) with destination IP
10.1.1.1. The second rule does not get hit at all.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)#deny ip any 10.1.1.1./32 fragments
Dell(conf-ext-nacl)
To deny the second/subsequent fragments, use the same rules in a different order. These ACLs deny all
second and subsequent fragments with destination IP 10.1.1.1 but permit the first fragment and non-
fragmented packets with destination IP 10.1.1.1.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)
Access Control Lists (ACLs) 130