Refer to the exhibit.
A packet sourced from host 10.2.2.2, port 65001, is going to host 10.1.1.2 on the Telnet port. Assuming that this ACL is properly applied on the switch, if this packet is fragmented, which of the following conditions will result, based upon the access list shown in the exhibit?
A. Because the first fragment is denied, host 10.1.1.2 cannot reassemble a complete packet, and a TCP reset is sent to the source host, informing the host to stop sending additional traffic.
B. All fragments will be denied due to the Layer 4 requirement of the ACE.
C. The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information. Instead, they match the third ACE (a permit).
D. The source host on 10.2.2.2 will not receive an acknowledgement reply to the initial Telnet packet from host 10.1.1.2. Therefore, the host will abort the attempted Telnet session.
I don’t understand why the answer is C, at least according to this white paper:
“http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml”
Remaining fragments = non-initial fragment
So if L4 is missing, then only L3 info is available, which should force it to process the ACL (deny).
I found a better explanation – CCIE Practical Studies:
“For non-initial fragments, if L3 info matches a permit ACL, the fragment is permitted. If the L3 info matches a deny ACL, the next ACL is processed.”
That diagram on the link you provided is clear. If an ACL line has both L3 and L4 and contains a DENY rule, then a non-initial fragment will continue to the next ACL line.
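As an added illustration that is not part of the thread, the following Python models the fragment-matching rules quoted above and applies them to the packet from the question. The three-ACE list is constructed to mirror the exhibit's described shape (ACE 2 denies Telnet to 10.1.1.2 with L4 information, ACE 3 is a permit); the real exhibit is not shown on the page, and ACE 1 is filler.

```python
# Added example: Cisco IOS ACL evaluation of IP fragments as described in the
# thread. The ACL below is CONSTRUCTED to mirror the exhibit's described shape.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" or "tcp"
    src: str                        # CIDR, e.g. "10.2.2.2/32" or "0.0.0.0/0"
    dst: str
    dst_port: Optional[int] = None  # set only when the ACE carries L4 info

@dataclass
class Fragment:
    src: str
    dst: str
    proto: str
    initial: bool
    dst_port: Optional[int]         # None for a non-initial fragment (no L4 header)

def l3_matches(ace, frag):
    return (ace.proto in ("ip", frag.proto)
            and ip_address(frag.src) in ip_network(ace.src)
            and ip_address(frag.dst) in ip_network(ace.dst))

def evaluate(acl, frag):
    """Return (action, 1-based ACE number); 0 means the implicit deny.
    A non-initial fragment has no L4 header, so against an ACE with L4 info
    a permit applies on the L3 match alone and a deny is skipped (next ACE)."""
    for n, ace in enumerate(acl, 1):
        if not l3_matches(ace, frag):
            continue
        if ace.dst_port is None:          # L3-only ACE applies to every fragment
            return ace.action, n
        if frag.initial:                  # initial fragment: full L3+L4 match
            if frag.dst_port == ace.dst_port:
                return ace.action, n
        elif ace.action == "permit":      # non-initial fragment: permit on L3
            return "permit", n
        # initial with another port, or non-initial vs. a deny: go to next ACE
    return "deny", 0

# Constructed ACL; ACE 1 is filler that does not match this traffic.
EXHIBIT_ACL = [Ace("deny", "tcp", "10.3.3.0/24", "0.0.0.0/0", 23),
               Ace("deny", "tcp", "10.2.2.2/32", "10.1.1.2/32", 23),
               Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]
INITIAL_FRAGMENT = Fragment("10.2.2.2", "10.1.1.2", "tcp", True, 23)
NON_INITIAL_FRAGMENT = Fragment("10.2.2.2", "10.1.1.2", "tcp", False, None)
```

Running `evaluate` on the two constructed fragments gives `('deny', 2)` for the initial fragment and `('permit', 3)` for the non-initial one, which is answer C. IOS also has a `fragments` keyword for an ACE that matches non-initial fragments explicitly; it is not discussed in this thread.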