Fragment Filtering With Acls; Command And Hardware Compatibility; Configuration Restrictions And Guidelines - HP FlexNetwork MSR Series Configuration Manuals

For example, if the step is 5, and there are five rules numbered 0, 5, 9, 10, and 12, the newly defined
rule is numbered 15. If the ACL does not contain a rule, the first rule is numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, changing the
step from 5 to 2 renumbers rules 5, 10, 13, and 15 as rules 0, 2, 4, and 6.

Fragment filtering with ACLs

Traditional packet filtering matches only first fragments of packets, and allows all subsequent
non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks.
To avoid risks, the ACL feature is designed as follows:
•
Filters all fragments by default, including non-first fragments.
•
Allows for matching criteria modification for efficiency. For example, you can configure the ACL
to filter only non-first fragments.

Command and hardware compatibility

Commands and descriptions for centralized devices apply to the following routers:
•
MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A).
•
MSR958 (JH300A/JH301A).
•
MSR1002-4/1003-8S.
•
MSR2003.
•
MSR2004-24/2004-48.
•
MSR3012/3024/3044/3064.
Commands and descriptions for distributed devices apply to MSR4060 and MSR4080 routers.

Configuration restrictions and guidelines

Matching packets are forwarded through slow forwarding if an ACL rule contains match criteria or
has functions enabled in addition to the following match criteria and functions:
•
Source and destination IP addresses.
•
Source and destination ports.
•
Transport layer protocol.
•
ICMP or ICMPv6 message type, message code, and message name.
•
VPN instance.
•
Logging.
•
Time range.
Slow forwarding requires packets to be sent to the control plane for forwarding entry calculation,
which affects the device forwarding performance.
8