Reference Guide

Access Control Lists (ACLs) | 121
Layer 4 ACL Rules Examples
In Figure 7-5, first fragments or non-fragmented TCP packets from 10.1.1.1 with TCP destination port equal to 24 are permitted. All other fragments are denied.

Figure 7-5. Layer 4 ACL Rules
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#deny ip any any fragment
Dell(conf-ext-nacl)

In Figure 7-6, TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied.

Figure 7-6. TCP Packets
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragment
Dell(conf-ext-nacl)#deny ip any any fragment
Dell(conf-ext-nacl)

To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/UDP fragments, use a configuration similar to the following.

Figure 7-7. UDP Packets
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp any any fragment
Dell(conf-ext-nacl)#permit udp any any fragment
Dell(conf-ext-nacl)#deny ip any any log
Dell(conf-ext-nacl)
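As an added example (not part of the Dell guide), the following Python model reproduces the matching semantics the three listings rely on: a rule that names a port can match only first fragments or unfragmented packets, because only those carry the TCP/UDP header; the fragment keyword matches only non-first fragments; and traffic matched by no rule falls to the implicit permit for TCP/UDP fragments and then the implicit deny. The Packet and Rule classes and the sample packets are constructed for illustration and are not switch output.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:                 # constructed model of the fields an ACL inspects
    src: str
    proto: str                # "tcp", "udp", "icmp", ...
    frag_offset: int          # 0 = first fragment or unfragmented
    dport: Optional[int]      # None for non-first fragments (no L4 header present)

@dataclass
class Rule:                   # one line of an extended ACL
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "ip"
    src: Optional[str]        # None means "any"
    dport: Optional[int]      # None when the rule names no port
    fragment: bool = False    # True when the rule carries the "fragment" keyword

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and rule.src != pkt.src:
        return False
    non_first = pkt.frag_offset > 0
    if rule.fragment:             # "fragment" matches non-first fragments only
        return non_first
    if rule.dport is not None:    # a port test needs the L4 header
        return not non_first and pkt.dport == rule.dport
    return True                   # pure L3 rule: matches any packet of that protocol

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins, then the implicit rules described in the text."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    if pkt.frag_offset > 0 and pkt.proto in ("tcp", "udp"):
        return "permit"           # implicit permit for TCP/UDP fragments
    return "deny"                 # implicit deny for everything else

# The three ACLs from Figures 7-5, 7-6 and 7-7, as Rule objects.
ACL_7_5 = [Rule("permit", "tcp", "10.1.1.1", 24), Rule("deny", "ip", None, None, True)]
ACL_7_6 = [Rule("permit", "tcp", "10.1.1.1", 24), Rule("permit", "tcp", "10.1.1.1", None, True),
           Rule("deny", "ip", None, None, True)]
ACL_7_7 = [Rule("permit", "tcp", None, None, True), Rule("permit", "udp", None, None, True),
           Rule("deny", "ip", None, None)]

# Constructed sample traffic: a first fragment to port 24, a later fragment of the
# same flow (no TCP header), and an unfragmented packet to another port.
FIRST_24 = Packet("10.1.1.1", "tcp", 0, 24)
LATER_FRAG = Packet("10.1.1.1", "tcp", 185, None)
OTHER_PORT = Packet("10.1.1.1", "tcp", 0, 80)
```

Running evaluate over the sample packets shows why Figure 7-6 needs its second line: without an explicit fragment rule, the port-based permit never sees the later fragments of a flow it allows.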