IPv4 Fragments Filtering With ACLs; Configuration Guidelines; Recommended ACL Configuration Procedures; Recommended IPv4 ACL Configuration Procedure - HP FlexNetwork NJ5000 User Manual

5g poe+ walljack

Absolute time range—Represents only a period of time and does not recur.

IPv4 fragments filtering with ACLs

Traditional packet filtering matches only first fragments of IPv4 packets, and allows all subsequent
non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To improve network security, ACL filters all packets by default, including fragments and
non-fragmented packets. Meanwhile, to improve match efficiency, you can modify ACL rules. For
example, you can configure ACL rules to filter non-first fragments only.
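The difference between the two behaviors described above, as an added example that is not from the HP manual or the device firmware. The packets, addresses and function names are constructed for illustration, and the way `filter_all` treats a non-first fragment (matching it on Layer 3 fields only, because it carries no port) is a modelling assumption.

```python
import struct

def build(src, dst, flags_frag, payload, proto=17):
    """Constructed IPv4 packet for the demo (checksum left at 0, never validated here)."""
    addr = lambda a: bytes(map(int, a.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                       flags_frag, 64, proto, 0, addr(src), addr(dst)) + payload

def parse_ipv4(pkt):
    """Extract the fields a fragment-aware filter needs."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    offset = (flags_frag & 0x1FFF) * 8        # fragment offset is in 8-byte units
    payload, dport = pkt[ihl:], None
    # Only a whole packet or a first fragment (offset 0) carries the TCP/UDP header.
    if offset == 0 and pkt[9] in (6, 17) and len(payload) >= 4:
        dport = struct.unpack("!H", payload[2:4])[0]
    return {"src": ".".join(map(str, pkt[12:16])), "non_first": offset > 0, "dport": dport}

def traditional_filter(pkt, deny_src, deny_dport):
    """Traditional filtering: only first fragments are matched, the rest pass."""
    p = parse_ipv4(pkt)
    if p["non_first"]:
        return "permit"                       # never compared against the rule
    return "deny" if (p["src"], p["dport"]) == (deny_src, deny_dport) else "permit"

def filter_all(pkt, deny_src, deny_dport):
    """Filter every packet; non-first fragments are matched on L3 fields (assumption)."""
    p = parse_ipv4(pkt)
    if p["src"] != deny_src:
        return "permit"
    if p["non_first"]:
        return "deny"                         # no port to check, source already matched
    return "deny" if p["dport"] == deny_dport else "permit"

# Constructed sample: one UDP datagram to port 53 split into two fragments.
SRC, DST = "192.0.2.10", "198.51.100.5"
FIRST = build(SRC, DST, 0x2000, struct.pack("!HHHH", 40000, 53, 24, 0) + b"A" * 8)
NON_FIRST = build(SRC, DST, 0x0002, b"B" * 8)   # MF=0, offset 2 * 8 = 16 bytes

if __name__ == "__main__":
    for name, pkt in (("first", FIRST), ("non-first", NON_FIRST)):
        print(name, traditional_filter(pkt, SRC, 53), filter_all(pkt, SRC, 53))
```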

Configuration guidelines

When you configure an ACL, follow these guidelines:
• You cannot add a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
• You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you can choose to change just some of the settings, in which case the other settings remain the same.

Recommended ACL configuration procedures

Recommended IPv4 ACL configuration procedure

Step | Remarks
--- | ---
1. Configuring a time range. | Optional. Add a time range. A rule referencing a time range takes effect only during the specified time range.
2. Adding an IPv4 ACL. | Required. Add an IPv4 ACL. The category of the added ACL depends on the ACL number that you specify.
3. Configuring a rule for a basic IPv4 ACL. | Required. Complete one of the following tasks according to the ACL category.
4. Configuring a rule for an advanced IPv4 ACL. | Required. Complete one of the following tasks according to the ACL category.
5. Configuring a rule for an Ethernet frame header ACL. | Required. Complete one of the following tasks according to the ACL category.

Recommended IPv6 ACL configuration procedure

Step | Remarks
--- | ---
1. Configuring a time range. | Optional. Add a time range. A rule referencing a time range takes effect only during the specified time range.
2. Adding an IPv6 ACL. | Required. Add an IPv6 ACL. The category of the added IPv6 ACL depends on the ACL number that you specify.
3. Configuring a rule for a basic IPv6 ACL. | Required.