Fragments filtering with ACLs
Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoid the risks, the Hewlett Packard Enterprise ACL implementation does the following:
Filters all fragments by default, including non-first fragments.
Allows the matching criteria to be modified, for example, to filter non-first fragments only.
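The following added example (not HPE code) models both behaviors on constructed IPv4 fragments to show why a filter that inspects only first fragments lets the rest of a denied packet through. Assumptions: the rule, the addresses and all function names are hypothetical, and matching non-first fragments on Layer 3 fields only is a simplified model, not the documented HPE algorithm.

```python
import socket
import struct

# Constructed rule for illustration: deny TCP to 10.0.0.5 port 23.
RULE = {"dst": socket.inet_aton("10.0.0.5"), "proto": 6, "dport": 23}

def build_ipv4(dst, offset_bytes, more_frags, payload):
    """Build a constructed IPv4/TCP packet or fragment (checksum left at 0)."""
    flags_off = (0x2000 if more_frags else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         flags_off, 64, 6, 0,
                         socket.inet_aton("192.0.2.1"), socket.inet_aton(dst))
    return header + payload

def parse_ipv4(pkt):
    """Return the fields a filter can actually see in this packet or fragment."""
    ver_ihl, flags_off, proto, dst = struct.unpack("!B5xHxB6x4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_off & 0x1FFF) * 8          # fragment offset in bytes
    dport = None
    if offset == 0 and len(pkt) >= ihl + 4:    # ports exist only at offset 0
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return {"dst": dst, "proto": proto, "non_first": offset > 0, "dport": dport}

def first_fragment_only_filter(pkt):
    """Traditional behavior: non-first fragments are never matched."""
    f = parse_ipv4(pkt)
    if f["non_first"]:
        return "permit"
    return "deny" if all(f[k] == RULE[k] for k in RULE) else "permit"

def all_fragments_filter(pkt):
    """Match every fragment; non-first ones on Layer 3 fields only (assumed model)."""
    f = parse_ipv4(pkt)
    keys = ("dst", "proto") if f["non_first"] else ("dst", "proto", "dport")
    return "deny" if all(f[k] == RULE[k] for k in keys) else "permit"

# Constructed traffic: one TCP segment to port 23 split into two fragments,
# plus a non-first fragment addressed to a host the rule does not cover.
tcp = struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, 0x50, 0x02, 1024, 0, 0) + b"A" * 4
FIRST = build_ipv4("10.0.0.5", 0, True, tcp)
SECOND = build_ipv4("10.0.0.5", 24, False, b"B" * 16)
OTHER = build_ipv4("10.0.0.9", 24, False, b"B" * 16)

if __name__ == "__main__":
    for name, pkt in (("first", FIRST), ("second", SECOND), ("other", OTHER)):
        print(name, first_fragment_only_filter(pkt), all_fragments_filter(pkt))
```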