Hi Ben,

I'd say it depends on how you define your ACL, i.e. whether you have layer 3 or layer 4 information in it. I'm almost sure you have come across this document: http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml
Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Ben Shaw
Sent: Thursday, June 07, 2012 6:26 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Should Fragments be blocked in ACLs?

Hi All,

I am familiar with the way ACLs treat fragments and I was wondering what the consensus is: should fragments be explicitly denied in ACLs? Should PMTUD work to the point that legitimate traffic is rarely, if ever, fragmented, and therefore layer 3 ACLs be duplicated so that a second entry exists for fragments as well? I know that without the initial fragment, non-initial fragments can't be reassembled on the inside host, but who needs these fragments on their network to begin with, causing additional overhead?

Your thoughts?

Ben
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
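To make the behaviour both posts refer to concrete, here is a small Python model of the IOS ACL fragment-matching rules described in the Cisco white paper Eugene linked. This is an added illustration, not code from the thread and not Cisco's implementation; it simplifies addresses to exact-match or `any` (no wildcard masks) and only models destination ports. The rules it encodes are the documented ones: an ACE with layer 3 information only is applied to every packet, fragment or not; an ACE with layer 4 information is applied normally to non-fragments and initial fragments, while for non-initial fragments (which carry no L4 header) a `permit` ACE matches and a `deny` ACE is skipped; an ACE carrying the `fragments` keyword applies only to non-initial fragments.

```python
"""Model of how Cisco IOS ACLs classify IP fragments (added example,
not from the thread; rules per Cisco's "Access Control Lists and IP
Fragments" white paper). Addresses are simplified to exact/"any"."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int]        # None: no L4 header present (non-initial fragment)
    frag_offset: int = 0        # 0 for non-fragments and initial fragments
    more_fragments: bool = False

    @property
    def is_noninitial_fragment(self) -> bool:
        return self.frag_offset > 0


@dataclass(frozen=True)
class ACE:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # "any" or an exact address (simplification)
    dst: str
    dport: Optional[int] = None  # layer 4 info; None means an L3-only entry
    fragments: bool = False      # the IOS `fragments` keyword (IOS does not
                                 # allow it together with L4 port info)


def l3_match(ace: ACE, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst))


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching ACE); (deny, None) is the implicit deny."""
    for i, ace in enumerate(acl):
        if not l3_match(ace, pkt):
            continue
        if ace.fragments:
            # `fragments` ACEs are evaluated only against non-initial fragments
            if pkt.is_noninitial_fragment:
                return ace.action, i
            continue
        if ace.dport is None:
            # L3-only ACE: non-fragments, initial and non-initial fragments all match
            return ace.action, i
        # ACE with L4 information
        if pkt.is_noninitial_fragment:
            # No L4 header to check: a permit ACE matches, a deny ACE is skipped
            if ace.action == "permit":
                return ace.action, i
            continue
        if pkt.dport == ace.dport:
            return ace.action, i
    return "deny", None


# Constructed sample ACLs: a plain "permit web to one host" list, and the
# same list with an explicit `deny ip any any fragments` entry in front.
WEB_ONLY = [ACE("permit", "tcp", "any", "10.1.1.1", dport=80),
            ACE("deny", "ip", "any", "any")]
WEB_ONLY_DROP_FRAGS = [ACE("deny", "ip", "any", "any", fragments=True)] + WEB_ONLY

# Constructed sample packets.
NONINITIAL_TO_WEB = Packet("tcp", "192.0.2.10", "10.1.1.1", None, frag_offset=185)
NONINITIAL_TO_OTHER = Packet("tcp", "192.0.2.10", "10.1.1.2", None, frag_offset=185)
INITIAL_FRAG_80 = Packet("tcp", "192.0.2.10", "10.1.1.1", 80, more_fragments=True)
WHOLE_PKT_22 = Packet("tcp", "192.0.2.10", "10.1.1.1", 22)


def demo() -> dict:
    return {
        # Without a fragments entry, the permit tcp ... eq 80 ACE lets a
        # non-initial fragment through even though its port is unknown.
        "noninitial_web_plain": evaluate(WEB_ONLY, NONINITIAL_TO_WEB),
        "noninitial_other_plain": evaluate(WEB_ONLY, NONINITIAL_TO_OTHER),
        # With `deny ip any any fragments` first, non-initial fragments die
        # at entry 0 while initial fragments and whole packets are unaffected.
        "noninitial_web_dropfrags": evaluate(WEB_ONLY_DROP_FRAGS, NONINITIAL_TO_WEB),
        "initial_80_dropfrags": evaluate(WEB_ONLY_DROP_FRAGS, INITIAL_FRAG_80),
        "whole_22_dropfrags": evaluate(WEB_ONLY_DROP_FRAGS, WHOLE_PKT_22),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} -> {result}")
```

The first scenario is the one behind Ben's "who needs these fragments" remark: a `permit tcp any host 10.1.1.1 eq 80` entry permits every non-initial TCP fragment towards that host, whatever flow it belongs to, because there is no port to compare. Putting `deny ip any any fragments` at the top of the list closes that gap without touching initial fragments or unfragmented packets, which are still classified by their L4 header.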
