Configuring The High And Low Watermarks For Fragment Inspection; Configuring Packet Filtering On An Interface - 3Com MSR 50 Series Configuration Manual


Configuring a Packet Filter Firewall

2 Enable the IPv6 fragment inspection function

After this function is enabled, the IPv6 fragments of all interfaces are handled
as follows when they are matched against the IPv6 ACL: if the first fragment is
discarded, all the non-first fragments are discarded too. If not, the protocol
information carried in the first fragment is added to the non-first fragments
before the matching procedure starts.

Follow these steps to enable the IPv6 fragment inspection function of the firewall:

To do...                         Use the command...               Remarks
Enter system view                system-view                      -
Enable IPv6 fragment inspection  firewall ipv6 fragments-inspect  Required
                                                                  Disabled by default

Configuring the High and Low Watermarks for Fragment Inspection

If fragment inspection is enabled and exact match is applied, the efficiency of
packet filtering may decrease, especially when there are many matching items.
Therefore, it is necessary to set the high and low watermark values for fragment
inspection. When the number of fragment status records reaches the upper limit,
earlier records can be deleted (from the earliest) until the number drops to
the lower limit.

Follow these steps to configure the high and low watermarks for fragment
inspection:

To do...                      Use the command...                    Remarks
Enter system view             system-view                           -
Configure the high and low    firewall fragments-inspect            Optional
watermarks for fragment       [ high | low ] { number | default }   By default, the high watermark value of
inspection                                                          the number of fragment status records is
                                                                    2,000, and the low watermark value of
                                                                    the number of fragment status records is
                                                                    1,500.

Configuring Packet Filtering on an Interface

When an ACL is applied to an interface, time range-based filtering takes effect
at the same time. In addition, you can specify separate access rules for
inbound and outbound packets.

The effective range for basic ACL numbers is 2000 to 2999. A basic ACL defines
rules based only on the Layer 3 source IP address to analyze and process data
packets.

The effective range for advanced ACL numbers is 3000 to 3999. An advanced ACL
defines rules according to the source and destination IP addresses of packets, the
type of protocol over IP, TCP/UDP source and destination ports, and so on.

An advanced ACL supports two match modes: normal match and exact match.
Normal match matches Layer 3 information only; information other than Layer 3
is ignored. In exact match, all advanced ACL rules are matched. For this reason,
the firewall must record the status of the first
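
The fragment status records and the watermark-driven deletion described above, modeled as an added example (this is not 3Com code and not from the manual). The flow key, the sample ACL, and the "no-state" result for a fragment whose record has been deleted are assumptions; the manual does not say what the firewall does in that case.

```python
from collections import OrderedDict

DEFAULT_HIGH, DEFAULT_LOW = 2000, 1500   # defaults stated in the manual

class FragmentStateTable:
    """Toy model of the fragment status records (not vendor code)."""

    def __init__(self, acl, high=DEFAULT_HIGH, low=DEFAULT_LOW):
        if not 0 < low < high:
            raise ValueError("low watermark must be positive and below high")
        self.acl, self.high, self.low = acl, high, low
        self.records = OrderedDict()     # flow key -> (verdict, L4 info), oldest first
        self.evicted = 0

    def first_fragment(self, key, l4):
        """Match the first fragment against the ACL and record its status."""
        verdict = self.acl(l4)
        self.records.pop(key, None)      # a re-sent first fragment becomes the newest
        self.records[key] = (verdict, l4)
        if len(self.records) >= self.high:        # reached the upper limit
            while len(self.records) > self.low:   # delete from the earliest
                self.records.popitem(last=False)
                self.evicted += 1
        return verdict

    def later_fragment(self, key):
        """Non-first fragments carry no L4 header; use the recorded status."""
        rec = self.records.get(key)
        if rec is None:
            return "no-state"            # assumption: behaviour not given in the manual
        verdict, l4 = rec
        # First fragment discarded -> discard; otherwise match with its L4 info added.
        return "deny" if verdict == "deny" else self.acl(l4)

def sample_acl(l4):
    """Constructed rule: permit UDP to port 53, deny everything else."""
    return "permit" if l4 == ("udp", 53) else "deny"

def simulate(n_flows, high=DEFAULT_HIGH, low=DEFAULT_LOW):
    """Feed n_flows first fragments (constructed keys); return the table."""
    table = FragmentStateTable(sample_acl, high, low)
    for ident in range(n_flows):
        l4 = ("udp", 53) if ident % 2 == 0 else ("tcp", 23)
        table.first_fragment(("2001:db8::1", "2001:db8::2", ident), l4)
    return table

if __name__ == "__main__":
    t = simulate(2000)
    print(len(t.records), "records kept,", t.evicted, "evicted")
```

With the default values, the 2,000th record triggers deletion of the 500 earliest records, which is the figure to weigh against the expected number of concurrent fragmented flows when choosing the high and low values.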