I have a production PIX box that I wish we could use those ACLs on.

As you fellas know, fragmentation has to happen when bouncing across multiple routers and switches. Unfortunately, in a production scenario, fragmentation attacks can happen to Cisco hardware (or any other manufacturer). I also found out that a PIX box cannot handle more than 140 thousand simultaneous connections (we can hit as many as 170K). The box just locks (runs out of RAM), which I have to say is much better than having it overwrite memory space and then crash to a wide-open firewall.

Anyway, my two cents :-)