Table of Contents
Advertisement
3Com Router 3000 Ethernet Family
Configuration Guide
Note:
The matching of non-first-fragments depends on how the first fragment is processed.
Only when the first fragment of a packet is "permitted" by the ACL, does the router
records the extension information of the packet. If the first fragment of a packet is
"denied" by the ACL, the router does not record any information about the packet.
Therefore, the extension information in the ACL affects non-first-fragments only when
the first fragment is "permitted".
II. Enabling packet filter fragment inspection
This command is required for exact matching. Only when fragment inspection is
enabled, does the packet filter records the status of the fragments and performs exact
matching based on extension information in the advance ACL.
Perform the following configuration in system view.
Table 6-4 Enable fragment inspection
Enable fragment inspection
Disable fragment inspection
Note:
If you want the router to filter fragments based on only layer 3 information, you do not
need to enable the fragment inspection.
III. Configuring upper/lower threshold of fragment inspection (optional)
Perform the following configuration in system view.
Table 6-5 Configure upper/lower threshold of fragment inspection
Specify number of upper/lower threshold
fragment state records
Restore
upper/lower threshold fragment state
records
Operation
Operation
the
default
number
3Com Corporation
Chapter 6 Firewall Configuration
firewall fragments-inspect
undo firewall fragments-inspect
firewall fragments-inspect { high |
low } { default | number }
of
undo
firewall
{ high | low }
6-8
Command
Command
fragments-inspect
Advertisement
Chapters
Table of Contents
Troubleshooting
