ACL Supporting Fragment - 3Com 3C13636 Configuration Manual

3Com Router 3000 Ethernet Family
Configuration Guide
type-mask represents the protocol type mask. For type-code values, refer to the
chapter that discusses bridge configuration in the link layer protocol part of this
manual.
lsap-code is a hexadecimal number in the format xxxx, used to match the
encapsulation format of bridged packets on an interface. lsap-wildcard represents
the wildcard (mask) of the protocol type.
sour-addr represents the source MAC address of a data frame in the format
xxxx-xxxx-xxxx. sour-mask represents the mask of the source MAC address.
dest-addr represents the destination MAC address in the format xxxx-xxxx-xxxx.
dest-mask represents the mask of the destination MAC address.
The following command deletes a MAC-based ACL rule:
undo rule rule-id [ comment text ]
The parameters are described as follows:
rule-id: ACL rule number, which must already exist.
comment text: Specifies a comment for the rule.

5.1.9 ACL Supporting Fragment

Traditional packet filtering does not process all IP packet fragments. It performs
matching only on the first fragment and lets all follow-up fragments through. This
leaves a security hole: an attacker can construct follow-up fragments that carry
attack traffic past the filter.
The packet filtering of the 3Com router provides a fragment filtering function:
it performs Layer 3 (IP layer) match filtering on all fragments, and it provides
two kinds of matching, normal matching and exact matching, for ACL rule entries
that contain extension information (such as TCP/UDP port numbers and ICMP types).
Normal matching matches only the Layer 3 information and ignores the non-Layer 3
information. Exact matching matches all fields of the ACL entry, which requires the
firewall to record the state of the first fragment so that it has complete matching
information for the follow-up fragments. The default mode is normal matching.
The keyword fragment in an ACL rule entry identifies that the rule is valid only for
non-first fragments. For non-fragmented packets and first fragments, the rule is
skipped. By contrast, a rule entry without this keyword is valid for all packets.
For example:
[3Com-basic-2000] rule deny source 202.101.1.0 0.0.0.255 fragment
[3Com-basic-2000] rule permit source 202.101.2.0 0.0.0.255
[3Com-adv-3001] rule permit ip destination 171.16.23.1 0 fragment
[3Com-adv-3001] rule deny ip destination 171.16.23.2 0
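As an added illustration (not code from the 3Com manual), the following Python model applies the rule semantics above to constructed packets: the fragment keyword, wildcard masks, and the difference between normal and exact matching for a rule that carries a port number. Packet, Rule, evaluate and the first-fragment state table are assumptions of this model; a packet that matches no rule yields None, since the ACL's default action is not covered on this page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

def wildcard_match(addr, rule_addr, wildcard):
    """Router wildcard mask: 1 bits are ignored, so 0.0.0.255 covers a /24."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a & ~w) == (r & ~w)
@dataclass
class Packet:                       # constructed packet summary (assumed model)
    src: str
    dst: str
    ident: int = 0                  # IP identification shared by a datagram's fragments
    frag_offset: int = 0            # > 0 marks a non-first fragment
    more_frags: bool = False        # first fragment: offset 0 with MF set
    dst_port: Optional[int] = None  # None on non-first fragments (no L4 header)
@dataclass
class Rule:                         # one ACL rule entry (assumed model)
    action: str                     # "permit" or "deny"
    src: Optional[tuple] = None     # (address, wildcard); the manual's "0" is 0.0.0.0
    dst: Optional[tuple] = None
    dst_port: Optional[int] = None  # extension (non-Layer 3) information
    fragment: bool = False          # the fragment keyword: non-first fragments only
def rule_matches(rule, pkt, exact, state):
    if rule.fragment and pkt.frag_offset == 0:
        return False                # rule applies to non-first fragments only
    for spec, addr in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        if spec and not wildcard_match(addr, *spec):
            return False
    if rule.dst_port is None:
        return True
    port = pkt.dst_port
    if port is None and exact:      # exact matching: recall the first fragment's L4 info
        port = state.get((pkt.src, pkt.dst, pkt.ident))
    if port is None:
        return not exact            # normal matching: Layer 3 matched, L4 info omitted
    return port == rule.dst_port
def evaluate(rules, pkt, exact=False, state=None):
    state = {} if state is None else state
    if pkt.frag_offset == 0 and pkt.more_frags and pkt.dst_port is not None:
        state[(pkt.src, pkt.dst, pkt.ident)] = pkt.dst_port   # remember the first fragment
    for rule in rules:              # first matching rule decides; None if no rule matches
        if rule_matches(rule, pkt, exact, state):
            return rule.action
    return None
ACL_2000 = [Rule("deny", src=("202.101.1.0", "0.0.0.255"), fragment=True),
            Rule("permit", src=("202.101.2.0", "0.0.0.255"))]
ACL_3001 = [Rule("permit", dst=("171.16.23.1", "0.0.0.0"), fragment=True),
            Rule("deny", dst=("171.16.23.2", "0.0.0.0"))]
```

Running a non-first fragment to port 22 against a port-80 permit rule shows the difference: normal matching permits it on the Layer 3 match alone, while exact matching with the recorded first fragment does not.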
3Com Corporation
5-13
Chapter 5 ACL Configuration