05-16-2007 03:14 AM - edited 03-05-2019 04:06 PM
Does anyone know what kind of message this is?
May 16 10:59:49.774: NAT: fo 185, looking for fragment 172.20.0.136 192.168.200.99 42482 17
May 16 11:10:18.716: NAT: fo 185, looking for fragment 172.20.0.136 192.168.200.98 57244 17
May 16 11:10:18.716: NAT: fo 370, looking for fragment 172.20.0.136 192.168.200.98 57244 17
May 16 11:10:20.214: NAT: fo 185, looking for fragment 172.20.0.136 192.168.200.98 57288 17
May 16 11:10:20.214: NAT: fo 370, looking for fragment 172.20.0.136 192.168.200.98 57288 17
May 16 11:10:21.713: NAT: fo 185, looking for fragment 172.20.0.136 192.168.200.98 57302 17
May 16 11:10:21.713: NAT: fo 370, looking for fragment 172.20.0.136 192.168.200.98 57302 17
05-16-2007 03:29 AM
Hi Petronio,
Traditionally, packet filters like ACLs are applied to the non-fragments and the initial fragment of an IP packet because they contain both Layer 3 and 4 information that the ACLs can match against for a permit or deny decision. Non-initial fragments are traditionally allowed through the ACL because they can be blocked based on Layer 3 information in the packets; however, because these packets do not contain Layer 4 information, they do not match the Layer 4 information in the ACL entry, if it exists. Allowing the non-initial fragments of an IP datagram through is acceptable because the host receiving the fragments is not able to reassemble the original IP datagram without the initial fragment.
Types of ACL Entries
There are six different types of ACL lines, and each has a consequence if a packet does or does not match. In the following list, FO = 0 indicates a non-fragment or an initial fragment in a TCP flow, FO > 0 indicates that the packet is a non-initial fragment, L3 means Layer 3, and L4 means Layer 4.
Note: When there is both Layer 3 and Layer 4 information in the ACL line and the fragments keyword is present, the ACL action is conservative for both permit and deny actions. The actions are conservative because you do not want to accidentally deny a fragmented portion of a flow because the fragments do not contain sufficient information to match all of the filter attributes. In the deny case, instead of denying a non-initial fragment, the next ACL entry is processed. In the permit case, it is assumed that the Layer 4 information in the packet, if available, matches the Layer 4 information in the ACL line.
Please check out the link below for more info.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml
Thanks,
satish
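Added example (not part of either post above, and not Cisco's code): a small Python script that parses the `NAT: fo N, looking for fragment ...` debug lines quoted in the question and then runs the resulting packets through an ACL evaluator that applies the fragment rules described in the answer (L3-only entries match every fragment; L3+L4 entries are conservative for non-initial fragments: permit applies, deny falls through to the next entry; the `fragments` keyword restricts an entry to non-initial fragments). The field meanings assumed for the debug line (`fo` = fragment offset in 8-octet units, then source, destination, IP identification, protocol number) and the sample ACL (`SAMPLE_ACL`) are assumptions made for this example, not something stated in the thread.

```python
"""Parse IOS NAT fragment debug lines and evaluate them against an ACL using
the fragment-handling rules quoted in the thread.  Field meanings of the debug
line are assumptions (fo = fragment offset in 8-octet units; trailing numbers
are taken to be IP ID and protocol)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample: three of the debug lines quoted in the question.
SAMPLE_DEBUG = """\
May 16 10:59:49.774: NAT: fo 185, looking for fragment 172.20.0.136 192.168.200.99 42482 17
May 16 11:10:18.716: NAT: fo 185, looking for fragment 172.20.0.136 192.168.200.98 57244 17
May 16 11:10:18.716: NAT: fo 370, looking for fragment 172.20.0.136 192.168.200.98 57244 17
"""

LINE_RE = re.compile(
    r"NAT: fo (?P<fo>\d+), looking for fragment "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<ipid>\d+) (?P<proto>\d+)"
)

PROTO = {"udp": 17, "tcp": 6}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    fo: int                      # fragment offset in 8-octet units; 0 = non-fragment or initial fragment
    ipid: int = 0
    dport: Optional[int] = None  # L4 info; None when the packet carries none (non-initial fragment)

    @property
    def byte_offset(self) -> int:
        return self.fo * 8       # 185 -> 1480 bytes, i.e. a 1500-byte MTU minus the 20-byte IP header


def parse_nat_debug(text: str) -> List[Packet]:
    """Turn each 'looking for fragment' line into a Packet (assumed field order)."""
    return [Packet(m["src"], m["dst"], int(m["proto"]), int(m["fo"]), int(m["ipid"]))
            for m in LINE_RE.finditer(text)]


@dataclass
class AclEntry:
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" | "udp" | "tcp"
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # Layer 4 information, if the entry has any
    fragments: bool = False      # the 'fragments' keyword

    def l3_match(self, p: Packet) -> bool:
        proto_ok = self.proto == "ip" or PROTO[self.proto] == p.proto
        return (proto_ok and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))


def evaluate(acl: List[AclEntry], p: Packet) -> str:
    """Return 'permit' or 'deny' following the fragment rules from the answer."""
    for e in acl:
        if not e.l3_match(p):
            continue
        if e.fragments and p.fo == 0:
            continue                          # 'fragments' entries apply only to non-initial fragments
        if e.dport is None:
            return e.action                   # L3-only entry: matches FO=0 and FO>0 alike
        if p.fo == 0:                         # initial fragment / non-fragment: L4 is available
            if p.dport == e.dport:
                return e.action
            continue
        # FO > 0 against an L3+L4 entry: conservative handling
        if e.action == "permit":
            return "permit"                   # assume the missing L4 info would have matched
        continue                              # deny: do not deny on L3 alone, try the next entry
    return "deny"                             # implicit deny at the end of every ACL


# Constructed sample ACL (an assumption for the example): block TFTP, allow DNS, deny the rest.
SAMPLE_ACL = [
    AclEntry("deny", "udp", "172.20.0.0/16", "192.168.200.0/24", dport=69),
    AclEntry("permit", "udp", "172.20.0.0/16", "192.168.200.0/24", dport=53),
    AclEntry("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]


def demo() -> dict:
    """Evaluate the parsed fragments plus a few constructed initial packets."""
    frags = parse_nat_debug(SAMPLE_DEBUG)
    initial = lambda port: Packet("172.20.0.136", "192.168.200.99", 17, 0, dport=port)
    return {
        "offsets": [p.byte_offset for p in frags],
        "fragment": evaluate(SAMPLE_ACL, frags[0]),   # permitted via the conservative permit
        "initial_tftp": evaluate(SAMPLE_ACL, initial(69)),
        "initial_dns": evaluate(SAMPLE_ACL, initial(53)),
        "initial_other": evaluate(SAMPLE_ACL, initial(80)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The interesting case is the first result: the non-initial UDP fragment is permitted even though the deny-TFTP entry precedes the permit-DNS entry, because a deny entry with L4 information is skipped for a fragment that carries no L4 header. Adding `AclEntry("deny", "ip", "0.0.0.0/0", "192.168.200.98/32", fragments=True)` at the front of the list is how that host's non-initial fragments would be dropped without touching its initial fragments.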