Fragments filtering with ACLs

Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.

To avoid the risks, the Hewlett Packard Enterprise ACL implementation does the following:

• Filters all fragments by default, including non-first fragments.

• Allows for matching criteria modification, for example, filters non-first fragments only.