Can anybody help me understand the criteria for choosing the IP or TCP protocol for an extended ACE? If you want to block HTTP traffic, for example, using the TCP protocol, what if the traffic is fragmented? Will it block all the fragments or only the first? If the IP protocol is used to block HTTP, will other traffic be blocked as well?
I would like to add more points to arun's statements:
The default behaviour (without the fragments keyword) of an access-list entry depends on whether the entry contains L3 or L3 & L4 info.
The default for entries that contain only L3 info is to apply the entry to all non-fragmented packets, initial fragments and non-initial fragments.
For entries that contain L3 & L4 info, the entry is applied to non-fragments and initial fragments.
The entry is also applied to non-initial fragments as follows:
If the non-initial fragment's L3 info matches the entry and it is a permit statement, the fragment is permitted. If it is a deny statement, the next entry is processed.
If the fragments keyword is used, the entry is applied only to non-initial fragments.
The fragments keyword CANNOT be configured for entries that contain L4 info such as TCP/UDP port numbers.
For a fragmented packet, only the initial fragment contains L4 and L3 info; non-initial fragments have L3 info only.
Some ACLs are not capable of checking L4 info. For them, access-list behaviour is as follows:
1. The "permit" ACL is checked even if there is no L4 info.
2. The "deny" ACL is never checked if there is no L4 data.
This can cause problems for non-initial fragment packets, as they contain mainly L3 info only. Hence, to control the behaviour towards non-initial fragment packets, the "fragments" keyword is used, by which an ACL can be defined with only L3 info for non-initial fragments.
If your access-list has the "fragments" keyword, it means the access-list will be applied only to non-initial fragment packets. So you should have a separate ACL for initial fragments, without the "fragments" keyword.
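As an added example (not from any poster in this thread), here is a small Python model of the matching rules described in both replies above, run against a "deny HTTP" list with and without a `fragments` entry. The ACEs, the placeholder web server 10.0.0.5 and the sample packets are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Ace:
    """One extended ACE. dport=None means an L3-only entry (e.g. 'deny ip ...')."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp"/"udp"
    dst: str                     # destination host, or "any"
    dport: Optional[int] = None  # L4 port; may not be combined with fragments=True
    fragments: bool = False      # the 'fragments' keyword

@dataclass
class Packet:
    proto: str
    dst: str
    dport: Optional[int]         # None for non-initial fragments: no L4 header present
    frag_offset: int = 0         # 0 = unfragmented packet or initial fragment

def l3_match(ace: Ace, pkt: Packet) -> bool:
    return ace.proto in ("ip", pkt.proto) and ace.dst in ("any", pkt.dst)

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    noninitial = pkt.frag_offset > 0
    for ace in acl:
        if ace.fragments and ace.dport is not None:
            raise ValueError("'fragments' cannot be combined with L4 information")
        if not l3_match(ace, pkt):
            continue
        if ace.fragments:
            # 'fragments' entries apply only to non-initial fragments
            if noninitial:
                return ace.action
            continue
        if ace.dport is None:
            # L3-only entry: applies to non-fragments and to every fragment
            return ace.action
        if not noninitial:
            # L3+L4 entry vs non-fragment / initial fragment: the port must match too
            if ace.dport == pkt.dport:
                return ace.action
            continue
        # L3+L4 entry vs non-initial fragment: L3 matched, so a permit applies,
        # but a deny is skipped and the next entry is processed
        if ace.action == "permit":
            return "permit"
    return "deny"  # implicit deny at the end of every ACL

# Constructed sample lists and packets (10.0.0.5 is a placeholder web server)
ACL_NAIVE = [Ace("deny", "tcp", "10.0.0.5", 80), Ace("permit", "ip", "any")]
ACL_WITH_FRAGMENTS = [Ace("deny", "ip", "10.0.0.5", fragments=True)] + ACL_NAIVE
INITIAL = Packet("tcp", "10.0.0.5", 80, frag_offset=0)        # carries the TCP header
NONINITIAL = Packet("tcp", "10.0.0.5", None, frag_offset=185)  # L3 info only
OTHER = Packet("tcp", "10.0.0.5", 443)                         # unrelated HTTPS packet
```

With the naive list the non-initial fragment is permitted because the deny entry with L4 info is skipped for it; the `fragments` entry closes that gap, at the cost of also dropping non-initial fragments of other flows to that host, since they carry no port to distinguish them.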