Introduction To Ipv6 Acl; Ip Fragments Filtering With Ipv4 Acl - 3Com S7906E Configuration Manual

A referenced time range can be one that has not been created yet. The rule, however, can take effect
only after the time range is defined and comes active.

IP Fragments Filtering with IPv4 ACL

Traditional packet filtering performs match operation on, rather than all IP fragments, the first ones only.
All subsequent non-first fragments are handled in the way the first fragments are handled. This causes
security risk as attackers may fabricate non-first fragments to attack your network.
A rule defined with the fragment keyword applies to only IP fragments. Note that a rule defined with the
fragment keyword matches non-last IP fragments on an SA or EA Series LPUs while matching non-first
IP fragments on an SC, EB, or SD Series LPUs. For detailed information about types of LPUs, refer to
the 3Com S7900E Family Getting Started Guide.

Introduction to IPv6 ACL

This section covers these topics:
IPv6 ACL Classification
IPv6 ACL Naming
IPv6 ACL Match Order
IPv6 ACL Step
Effective Period of an IPv6 ACL
IPv6 ACL Classification
IPv6 ACLs, identified by ACL numbers, fall into three categories, as show in
Table 1-2 IPv6 ACL categories
Category
Basic IPv6 ACL
Advanced IPv6 ACL
IPv6 ACL Naming
When creating an IPv6 ACL, you can specify a unique name for it. Afterwards, you can identify the IPv6
ACL by its name.
An IPv6 ACL can have only one name. Whether to specify a name for an ACL is up to you. After creating
an ACL, you cannot specify a name for it, nor can you change or remove the name of the ACL.
ACL number
2000 to 2999
3000 to 3999
1-5
Table 1-2.
Matching criteria
Source IPv6 address
Source IPv6 address, destination
IPv6 address, protocol carried on
IPv6, and other Layer 3 or Layer 4
protocol header fields