Ip Fragments Filtering With Ipv4 Acl; Ipv4 Acl Creation - H3C S5500-SI Series Operation Manual


Operation Manual – ACL
H3C S5500-SI Series Ethernet Switches
3) If the numbers of zeros in the destination IP address wildcards are the same, compare packets against the rule configured first before the other.
For example, the rule with the source IP address wildcard 0.0.0.255 is compared before the rule with the source IP address wildcard 0.0.255.255.
III. Depth-first match for an Ethernet frame header IPv4 ACL
The following shows how your device performs depth-first match in an Ethernet frame header ACL:
1) Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask before other rules.
2) If two rules have the same number of ones in their source MAC address masks, look at the destination MAC address masks and compare packets against the rule with more ones in the destination MAC address mask before the other.
3) If the numbers of ones in the destination MAC address masks are the same, the rule configured first is compared before the other.
For example, the rule with source MAC address mask FFFF-FFFF-0000 is compared before the rule with source MAC address mask FFFF-0000-0000.
The comparison of a packet against an ACL stops once a match is found. The packet is then processed as per the matching rule.

1.3.3 IP Fragments Filtering with IPv4 ACL

Traditionally, an ACL does not check all IP fragments but only the first ones; all non-first fragments are handled the way the first fragments are handled. This poses a security risk, as attackers may fabricate non-first fragments to attack your network.
When configuring a rule of an IPv4 ACL, the fragment keyword specifies that the rule applies to non-first fragment packets only, and not to non-fragment packets or first fragment packets. ACL rules that do not contain this keyword apply to both non-fragment packets and fragment packets.
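The following Python is an added example, not code from the manual or from H3C: it models the depth-first match order (more wildcard zeros first, then configuration order, with comparison stopping at the first match) together with the fragment keyword semantics above. It assumes, mirroring the MAC-mask procedure, that source wildcard zeros are compared before destination wildcard zeros (the first two IPv4 steps are not on this page), and the rule set is constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    rule_id: int             # configuration order: a lower id was configured first
    action: str              # "permit" or "deny"
    src: str                 # "address wildcard", e.g. "10.1.0.0 0.0.255.255"
    dst: str = "0.0.0.0 255.255.255.255"   # any destination
    fragment: bool = False   # the 'fragment' keyword: non-first fragments only

def wildcard_zeros(spec: str) -> int:
    """Count zero bits in the wildcard; more zeros means a more exact rule."""
    wildcard = int(ipaddress.IPv4Address(spec.split()[1]))
    return 32 - bin(wildcard).count("1")

def depth_first_order(rules):
    """Depth-first order (assumed): more source wildcard zeros first, then more
    destination wildcard zeros, then the rule configured first (step 3)."""
    return sorted(rules, key=lambda r: (-wildcard_zeros(r.src),
                                        -wildcard_zeros(r.dst), r.rule_id))

def addr_matches(spec: str, addr: str) -> bool:
    """Wildcard match: bits set in the wildcard are 'don't care' bits."""
    base, wildcard = (int(ipaddress.IPv4Address(p)) for p in spec.split())
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)

def first_match(rules, src: str, dst: str, frag_offset: int = 0):
    """Return the first rule matching in depth-first order, or None.
    frag_offset is the IP header fragment offset; a value > 0 marks a
    non-first fragment. Comparison stops at the first match."""
    non_first_fragment = frag_offset > 0
    for rule in depth_first_order(rules):
        if rule.fragment and not non_first_fragment:
            continue   # 'fragment' rules skip non-fragments and first fragments
        if addr_matches(rule.src, src) and addr_matches(rule.dst, dst):
            return rule
    return None

# Constructed sample rule set (assumed, not from the manual), in configuration order.
SAMPLE_RULES = [
    Rule(0, "deny", "0.0.0.0 255.255.255.255", fragment=True),  # any non-first fragment
    Rule(1, "permit", "10.1.1.0 0.0.0.255"),    # 24 wildcard zeros: checked first
    Rule(2, "deny", "10.1.0.0 0.0.255.255"),    # 16 zeros: checked after rule 1
    Rule(3, "deny", "10.1.1.0 0.0.0.255"),      # ties with rule 1; rule 1 came first
]
```

Note that a non-first fragment from 10.1.1.5 still hits rule 1, because a rule without the fragment keyword applies to fragments too; only hosts that no more exact rule covers reach the fragment-only deny.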

1.3.4 IPv4 ACL Creation

An IPv4 ACL consists of a set of rules. Before you can configure ACL rules, you must
first create an IPv4 ACL.
When creating an IPv4 ACL:
You must specify an ACL number (numeric type), and
You can optionally specify the match order of the IPv4 ACL.
After an IPv4 ACL is created, the IPv4 ACL view is displayed.
1-3
Chapter 1 ACL Overview
