The link 'http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00800ebabd.html'
says: "IP fragments that have an offset other than 0 miss the Layer 4 port information and cannot be filtered." But there is the 'fragment keyword'. On IOS ACL, if not using the fragment keyword, when the fragment with FO>0 and a match on layer 3 information, the fragment is allowed; with the fragment keyword, when the fragment with F0>0 and a match on layer 3 information, the fragment follow the ACL action (can be denied). 'http://www.cisco.com/warp/public/105/acl_wp.html' Is it the same for VACLs on Catalyst 6000? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65429&t=65429 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]