[Original text] Cisco 12000 with IOS 12.0 and line cards based on Engine 2 does not handle the "fragment" keyword in a compiled ACL (Turbo ACL) for packets that are sent to the router, which allows remote attackers to cause a denial of service via a flood of fragments.
Cisco 12000 Series Router Fragment Keyword Ignored in Outbound ACL
Cisco IOS on 12000 series routers contains a flaw that may allow a malicious user to bypass access control lists. The issue is triggered by the lack of support for the "fragment" keyword in outbound ACLs. It is possible that the flaw may allow unauthorized traffic to traverse the network.
Upgrade to the version indicated in the Cisco product matrix, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.