In an access control list, you can define global rules for packets that contain IP fragments and IP options. These rules apply to all packets. This is in contrast to individual rules, which apply to packets that match certain defined criteria. See Policy rule configuration.
The Branch Gateway applies global rules before applying individual rules.
Procedure
1. Enter the context of the access control list in which you want to define the rule.
2. Enter one of the following commands, followed by the name of a composite command:
   - ip-fragments-in: Applies to incoming packets that contain IP fragments.
   - ip-option-in: Applies to incoming packets that contain IP options.
Result
The composite command can be any command defined in the composite operation list. These commands are case-sensitive. To view the composite operation list for the access control list you are working with, use the command show composite-operation in the context of the access control list.
Example
The following example defines a rule in access control list 301 that denies access to all incoming packets that contain IP fragments:
Gxxx-001(super)# ip access-control-list 301
Gxxx-001(super/ACL 301)# ip-fragments-in Deny
Done!
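The following Python model is an added illustration, not Branch Gateway code. It shows which IPv4 header fields mark a packet as a fragment or as carrying options, and how checking global rules before individual rules changes the outcome. The names make_header, classify_ipv4, evaluate and "rule 10", the sample addresses, and the assumption that a matching global rule decides the packet are all hypothetical.

```python
import struct

def make_header(ihl=5, flags_frag=0, proto=6, options=b""):
    """Build a constructed IPv4 header (checksum left at 0; not validated here)."""
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 40, 1, flags_frag,
                        64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return fixed + options

def classify_ipv4(header):
    """Report whether the header marks a fragment and whether it carries options."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = header[0] & 0x0F
    if ihl < 5 or len(header) < ihl * 4:
        raise ValueError("invalid or truncated header length")
    flags_frag = struct.unpack("!H", header[6:8])[0]
    # Fragment: More Fragments bit set, or a non-zero fragment offset.
    is_fragment = bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0
    # Options are present when the header is longer than the 20-byte minimum.
    return {"ip-fragments-in": is_fragment, "ip-option-in": ihl > 5}

def evaluate(header, global_rules, individual_rules):
    """Check global rules first, then individual rules in order.

    Assumptions of this model: a matching global rule decides the packet,
    and ip-fragments-in is consulted before ip-option-in.
    Returns (rule_name, operation), or (None, None) when nothing matches.
    """
    classes = classify_ipv4(header)
    for name in ("ip-fragments-in", "ip-option-in"):
        if classes[name] and name in global_rules:
            return name, global_rules[name]
    for name, matches, operation in individual_rules:
        if matches(header):
            return name, operation
    return None, None

# Constructed policy: the global rule from the example above plus one
# hypothetical individual rule that permits TCP (protocol 6).
GLOBAL_RULES = {"ip-fragments-in": "Deny"}
INDIVIDUAL_RULES = [("rule 10", lambda h: h[9] == 6, "Permit")]

if __name__ == "__main__":
    samples = {"whole TCP packet": make_header(),
               "first fragment (MF set)": make_header(flags_frag=0x2000),
               "later fragment (offset 185)": make_header(flags_frag=185),
               "TCP with options": make_header(ihl=6, options=b"\x01\x01\x01\x00")}
    for label, hdr in samples.items():
        print(label, "->", evaluate(hdr, GLOBAL_RULES, INDIVIDUAL_RULES))
```

With only ip-fragments-in defined, the packet that carries IP options still reaches the individual rules; defining ip-option-in as well closes that path.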