On Oct 4, 2012, at 9:58 PM, joel jaeggli wrote:

> Likewise with the acl I have the property that the initial packet has 
> all the info in it while the fragment does not. 

For iACLs, just filter non-initial fragments directed to infrastructure IPs.  
Cisco & Juniper ACLs have ACL matching criteria for non-initial fragments.

-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton
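
Added example, not part of the original message: a Python sketch of the match a non-initial-fragment ACL criterion performs, using only IPv4 header fields (fragment offset and destination), since the layer-4 ports are present only in the initial fragment. The prefix 192.0.2.0/24, the function names and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Constructed infrastructure prefix (documentation range), assumed for this example.
INFRA_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def build_ipv4_header(src, dst, frag_offset_units=0, more_fragments=False, proto=17):
    """Build a 20-byte IPv4 header (checksum left at 0) for the constructed samples."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0x1234, flags_frag, 64, proto, 0,
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )


def parse_fragment_info(header):
    """Extract the fields a fragment-aware ACL line can see in any fragment."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags_frag = struct.unpack("!H", header[6:8])[0]
    return {
        "dst": ipaddress.ip_address(header[16:20]),
        "offset": (flags_frag & 0x1FFF) * 8,          # offset is stored in 8-byte units
        "more_fragments": bool(flags_frag & 0x2000),  # MF flag
    }


def iacl_decision(header):
    """Return 'deny' for a non-initial fragment to infrastructure, else 'continue'.

    'continue' means the packet falls through to the later ACL lines, which can
    match on ports because an initial or unfragmented packet carries the L4 header.
    """
    info = parse_fragment_info(header)
    non_initial = info["offset"] > 0  # initial fragment has offset 0 (and MF set)
    to_infra = any(info["dst"] in net for net in INFRA_PREFIXES)
    return "deny" if non_initial and to_infra else "continue"
```
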

